This adds support for deoptimizing into the JSConstructStub after the
receiver instantiation but before the actual constructor invocation.
Such a deoptimization point is needed for cases where instantiation
might be observed (e.g. when new.target is a proxy) and hence might
trigger a deopt.
We use this new deoptimization point for the "after" frame-state the
inliner attaches to {JSCreate} nodes being inserted when constructor
calls are being inlined.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-5638b
BUG=v8:5638
Change-Id: I7c72c807ee8fb76d12e0e9ccab86d970ab1a0efd
Reviewed-on: https://chromium-review.googlesource.com/440125
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43149}
Previously, accumulators and registers each had a single element cache,
distinct from the local register cache. This meant that
a) Dead accumulator state nodes were not re-used if the accumulator
became live.
b) Functions with only one parameter (the this object) or only one
local register could not reuse the single-valued state value node
of the accumulator.
This patch introduces heavier re-use of state-value nodes, decreasing
memory use when building the graph and decreasing the number of nodes
created overall.
Change-Id: Ie3cc6913483aab0819d99be382eb2cb42de8c3d2
Reviewed-on: https://chromium-review.googlesource.com/440926
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43148}
If exactly one byte in the upper half of the pushed 8-byte value is
set, use a smaller code sequence to push this value on the stack.
Before, we did
movq r10,<constant>
push r10
Now, we do
push 0x0
movb [rsp+<offset>],<byte>
The old sequence had 12 bytes, the new one has 7.
Pushing such values is used a lot for stack frame markers, which are
small numbers (1-17) encoded as SMIs.
Review-Url: https://codereview.chromium.org/2685213004
Cr-Commit-Position: refs/heads/master@{#43146}
Windows won't create empty .lib files, and will subsequently fail to
find the library other rules expect
R=machenbach@chromium.org
BUG=
Change-Id: I8b848834a6957c2164f0eafc853587d39ccb6ca9
Reviewed-on: https://chromium-review.googlesource.com/440244
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43141}
We cannot skip the @@hasInstance lookup in instanceof depending on a
global protector cell, as the lookup of the property is observable
via proxies or accessors. So remove the global protector and properly
implement CSA::InstanceOf via GetPropertyStub, with an appropriate
fast-path for Function.prototype[@@hasInstance] where we call the
builtin code object directly if the function matches, skipping all
the checks from the call sequence, and also avoid the redundant
ToBoolean conversion on the result.
R=yangguo@chromium.orgTBR=ulan@chromium.org
BUG=v8:5958
Review-Url: https://codereview.chromium.org/2684033012
Cr-Commit-Position: refs/heads/master@{#43137}
Use private symbols to mark default promise handler, instead of calling out to default
handlers defined in JS. We check for this symbol in PromiseHandle and perform the
appropriate behavior as the default handlers.
Catch prediction logic is updated to account for a symbol.
BUG=v8:5343
Review-Url: https://codereview.chromium.org/2695593002
Cr-Commit-Position: refs/heads/master@{#43135}
Reason for revert:
Due to security issue described in review thread.
Original issue's description:
> [typedarrays] move %TypedArray%.prototype.copyWithin to C++
>
> - Removes shared InnerArrayCopyWithin JS builtin from src/js/array.js
> - Implements %TypedArray%.prototype.copyWithin as a C++ builtin, which
> relies on std::memmove rather than accessing individual eleements.
> - Fixes the case where copyWithin is invoked on a TypedArray with a
> detached buffer.
> - Add tests to ensure that +/-Infinity (for all 3 parameters) is handled correctly by the
> algorithm
>
> The C++ version gets through the benchmark more than 25000 times as
> quickly as the JS implementation.
>
> BUG=v8:5925, v8:5929, v8:4648
> R=cbruni@chromium.org, adamk@chromium.org, littledan@chromium.org
>
> Review-Url: https://codereview.chromium.org/2671233002
> Cr-Commit-Position: refs/heads/master@{#42975}
> Committed: 0f1c626d55TBR=cbruni@chromium.org,adamk@chromium.org,bmeurer@chromium.org,cwhan.tunz@gmail.com,caitp@igalia.com
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5925, v8:5929, v8:4648
Review-Url: https://codereview.chromium.org/2693753002
Cr-Commit-Position: refs/heads/master@{#43132}
These intrinsics are no longer required, but their runtime call pendants
are still in use. So remove support for those from all compilers.
BUG=v8:5049
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2694623002
Cr-Commit-Position: refs/heads/master@{#43131}
A couple of the builtins in src/js/typedarray.js still depends on these
intrinsics, so if we don't want to regress all of them, we'll have to
support these trivial intrinsics until the JS builtins are migrated.
R=yangguo@chromium.org
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2695553002
Cr-Commit-Position: refs/heads/master@{#43130}
It reduces the add operation for certain checked load/stores by pre-do
the add in compiling phase.
BUG=
Review-Url: https://codereview.chromium.org/2593483002
Cr-Commit-Position: refs/heads/master@{#43128}
Do not allow that holey properties are defined in Array sort.
Throw a type error if the array is not extensible and there are holey
properties in the middle of the array.
BUG=v8:4888
Review-Url: https://codereview.chromium.org/2664173002
Cr-Commit-Position: refs/heads/master@{#43126}
If a job was already enqueued, EnqueueAndStep would still step the job one
more step. However, since it didn't take the job out of the
pending_background_jobs pool, the job could get picked up by a background
thread which would try to step it, but it the job is now at a step which
can't be run on the background.
BUG=v8:5203,chromium:685515
Change-Id: I2cee2a33625ba455aca49a8037601be9ff8bb73f
Reviewed-on: https://chromium-review.googlesource.com/441084
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43121}
The heuristic checks for "(function", and now it also checks for
"(async function".
BUG=v8:4230
Review-Url: https://codereview.chromium.org/2682173005
Cr-Commit-Position: refs/heads/master@{#43120}
We have different modes of tracing: recording, event callback and
filtering. The cpu profiler should not be enabled when tracing is
enabled with filtering mode.
BUG=688651
Review-Url: https://codereview.chromium.org/2676403002
Cr-Commit-Position: refs/heads/master@{#43119}
This roll includes the SharedArrayBuffer tests (skipping for now)
but doesn't include the $ renaming.
This is a reland; previously, I reverted because I was confused about why
the rename of $ to $262 didn't break tests; it now seems that the
previous patch left it as an alias. This patch does not do the renaming
yet, as the renaming usage has not landed upstream yet.
R=adamk
Review-Url: https://codereview.chromium.org/2685603003
Cr-Commit-Position: refs/heads/master@{#43118}
Since preparser creates different scopes than the parser, the invariant "at most one rest parameter" doesn't hold when the rest param is a destructuring param.
No new tests added; the problem is visible w/ existing tests with FLAG_lazy_inner_functions on.
R=vogelheim@chromium.org
BUG=chromium:690919
Change-Id: I525b8dfee92acd0733702c5a940a1a83a94712df
Reviewed-on: https://chromium-review.googlesource.com/440925
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43117}
Don't block on inner function compilation before competing outer function
compilation. Instead wait for the compilation to complete when the function
is called.
BUG=v8:5203
Review-Url: https://codereview.chromium.org/2686673002
Cr-Commit-Position: refs/heads/master@{#43116}
Removes handles from bytecode generation, instead storing
un-internalized AstValues (and other, similar values such as Scopes and
AstRawStrings) in the constant array builder.
This will allow us in the future to generate the bytecode before
internalizing the AST.
BUG=v8:5832
Change-Id: I3b8be8f7329a484eb1e5d12808b001d3475239da
Reviewed-on: https://chromium-review.googlesource.com/439326
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43115}
The --ignition-filter hasn't worked properly for a while due to some functions
only being supported by Ignition. Remove it and add a --print-bytecode-filter
to allow the main use-case of limiting bytecode printing to a particular
function.
BUG=chromium:685476,v8:5203
Change-Id: Id41eeb3083ae9f713433d3a30227cd4c5d0d47dd
Reviewed-on: https://chromium-review.googlesource.com/441047
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43113}
Avoid reinserting the ast constant string values into the string_table_ of
each AstValueFactory that is created, instead clone an initial copy created
in AstStringConstants.
BUG=686658
Review-Url: https://codereview.chromium.org/2687933003
Cr-Commit-Position: refs/heads/master@{#43112}
When running main-thread compiler-dispatcher jobs, ensure that we enter the
correct Context. Also adds a test for compiling an extension in the compiler
dispatcher to ensure that idle tasks enter the correct context before
finalizing the compilation.
BUG=v8:5203
Review-Url: https://codereview.chromium.org/2679193004
Cr-Commit-Position: refs/heads/master@{#43111}
Port 79570f87a1
Original Commit Message:
The use of setjmp/longjmp makes the cctests in test-run-wasm and
test-run-wasm-64 flaky on Windows, and I think that it is better not
to use it. With this CL I replace it as follows:
Similar to the setjmp/longjmp implementation we still call a C
function when a trap happens. However, instead of calling longjmp in
this C function we just set a flag which indicates that a trap
happened and then return. After we return from the C function we leave
the frame of the current wasm function and return with a RET
instruction. At the end of a test the wasm test runner checks the flag
to see if a trap happened.
Please take a special look at the LeaveFrame function on arm64.
R=ahaas@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Review-Url: https://codereview.chromium.org/2685303003
Cr-Commit-Position: refs/heads/master@{#43110}
This introduces new maps to track whether we have created at most one
closure. If we have created just one closure, Turbofan will
specialize the code to its context.
Review-Url: https://codereview.chromium.org/2680313002
Cr-Commit-Position: refs/heads/master@{#43108}
In order to compile eager inner functions on a background thread we need to
keep the handles created during parsing and scope analysis alive until the
background compilation is complete. In order to do that, we allocate the
handles in a deferred handle scope and keep the deferred handles alive with
a shared_ptr in the ParseInfo and CompileInfo respectively.
BUG=v8:5203
Review-Url: https://codereview.chromium.org/2650883002
Cr-Commit-Position: refs/heads/master@{#43107}
Reason for revert:
Reverting due to causing Word64AndWithImmediateWithWord64Sh to fail locally (but not on the bot).
BUG=v8:5956
Original issue's description:
> [arm64] A shift of 0 is not allowed in ubfx.
>
> R=bmeurer@chromium.org, v8-arm-ports@googlegroups.com
> BUG=v8:5951
>
> Review-Url: https://codereview.chromium.org/2685943003
> Cr-Commit-Position: refs/heads/master@{#43090}
> Committed: c46ccef921TBR=bmeurer@chromium.org,v8-arm-ports@googlegroups.com,martyn.capewell@arm.com,ahaas@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5951
Review-Url: https://codereview.chromium.org/2687373002
Cr-Commit-Position: refs/heads/master@{#43105}
Alternative approach to https://codereview.chromium.org/2667983004/, which
does not depend on implicit control flow changes from
https://codereview.chromium.org/2664083002
- Remove handling for `async function` from Parser::RewriteReturn(). This functionality
is moved to BytecodeGenerator::BuildAsyncReturn(). This ensures that promise resolution
is deferred until all finally blocks are evaluated fully.
- Add a new deferred command (CMD_ASYNC_RETURN), which instructs ControlScope to
generate return code using BuildAsyncReturn rather than BuildReturn.
- Parser has a new `NewReturnStatement()` helper which determines what type of return
statement to generate based on the type of function.
BUG=v8:5896, v8:4483
R=littledan@chromium.org, neis@chromium.org, rmcilroy@chromium.org, adamk@chromium.org, gsathya@chromium.org
Review-Url: https://codereview.chromium.org/2685683002
Cr-Commit-Position: refs/heads/master@{#43104}
This fixes the case where the index passed to {HMaybeGrowElements} used
to derive the new capacity for the elements backing store does not fit
into Smi range. Such an overflow would fail the capacity check and cause
growing to be skipped. Subsequent keyed stores would potentially go out
of bounds.
R=mvstanton@chromium.org
TEST=mjsunit/regress/regress-crbug-686427
BUG=chromium:686427
Review-Url: https://codereview.chromium.org/2686263002
Cr-Commit-Position: refs/heads/master@{#43101}
Also make them use the helpers that I introduced recently.
BUG=v8:5636
Review-Url: https://codereview.chromium.org/2684343004
Cr-Commit-Position: refs/heads/master@{#43100}
