If a NumberConstant can be represented as a Smi, then lower it to a
IntPtrConstant node during simplified lowering. Thanks to this, all backends can
match Smi values that can also be encoded as immediates in the instruction
selector. Additionally, we can apply the same lowering to the CodeAssembler for
the snapshot.
As a result, we can remove `mov` instructions generated because Int32Matcher and
Int64Matcher didn't not recognize Smis:
For 32-bit target, it's common for Smis also be immediates: "if (a < 100) {}"
~~~
mov r1, #200 -> cmp r0, #200
cmp r0, r1 -> blt <>
blt <> ->
~~~
On Arm64 particularly, we lose opportunites to use `cbz`: "if (a == 0) {}"
~~~
movz x0, #0x0 -> cbz x1 <>
cmp x1, x0 ->
b.eq <> ->
~~~
Overall, we do not see an impact on benchmarks such as webtooling. However, we
do see noteworthy code size reduction, from 0.5% to 1.5%.
Bug:
Change-Id: I7fbb718ad51b9036c3514fa31c1326bdd6f2b0e6
Reviewed-on: https://chromium-review.googlesource.com/848814
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/master@{#50569}
Instead of passing four arguments to the runtime function, just pass
one pointer to a struct containing all information. This makes it much
easier to implement memory tracing in Liftoff in a follow-up CL.
Also fix a few other minor things like the namespace and the include
guards.
R=titzer@chromium.org
Change-Id: I47d8827cbb896a581585947f594af52f42bdb37c
Reviewed-on: https://chromium-review.googlesource.com/863673
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50568}
The fast variants set got the same as no variants after crankshaft
deprecation and there is no plan to extend it again. Hence we remove
the modifier now.
TBR=yangguo@chromium.org
Bug: v8:7264
Change-Id: Ib577542741841b5b9542327b90afea8d5a62c879
Reviewed-on: https://chromium-review.googlesource.com/866496
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50566}
For JSCreate nodes with constant inputs we cannot simply assume that the
new.target input is a JSFunction, since it can essentially be any
JSReceiver that is a constructor, i.e. it can also be a JSBoundFunction.
Bug: chromium:801627
Change-Id: Ia37bf9c0a751e4665e1167a3771fbe166473c979
Reviewed-on: https://chromium-review.googlesource.com/866493
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50563}
It was shipped in Chrome 63.
Bug: v8:5855
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Icc00b8300622d1c7b5662be8ac5e425b9781f666
Reviewed-on: https://chromium-review.googlesource.com/858381
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50558}
Add tests with a few Array.of invocations in preparation for adding a
CodeStubAssembler generated version.
Change-Id: I5aee3f32a584ae31cebcbbe6b0e5491a4bc1da34
Reviewed-on: https://chromium-review.googlesource.com/861884
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50550}
This adds a reduced version of bot_default with only d8-based test suites.
Those can be used for gc stress testing, fuzzing and predictable mode.
This also adds a missing explicit build rule for the debugger test suite.
It's working as it's part of the isolate file, but incremental
re-isolation might break on code changes.
Running the tests is still commented out to allow the infra-side to
land. Afterwards, we'll activate the extra testing as a V8 CL
commenting the lines back in.
Bug: v8:7285
Change-Id: I7b758c212f0c4ae3d2f79beea5ec597cee479565
Reviewed-on: https://chromium-review.googlesource.com/864045
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50545}
Flag getters (e.g. RegExp.p.get global) are defined on the prototype and
thus we need to use the more general BranchIfFastRegExp here instead of
IsFastRegExpNoPrototype.
Bug: chromium:800538
Change-Id: Ib6bc8a4fd3bf2f7dd31538c8dbb61814106c184b
Reviewed-on: https://chromium-review.googlesource.com/859767
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50538}
This fixes a spec bug in which the order of calls to 1) the flag getter
and 2) ToUint32(limit) was incorrect if ToUint32 pushes the regexp
instance onto the slow path. We are now more restrictive and completely
avoid ToUint32 on the fast path.
Bug: chromium:801171
Change-Id: I21d15fe566754d2bc05853f895636bb882fbf599
Reviewed-on: https://chromium-review.googlesource.com/863644
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50533}
This CL makes a fuzzer out of the cctest
test-multiple-return/ReturnMultipleRandom. The fuzzer creates a
CallDescriptor with input parameters and returns, and a function which
maps input parameters to returns. The fuzzer then calls this function
with a wrapper which checks that the correct mapping happened.
R=clemensh@chromium.org
Change-Id: Ib89c4063638baae69540a44486d7b2e9d13f8c1f
Reviewed-on: https://chromium-review.googlesource.com/859768
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50532}
https://github.com/tc39/ecma262/pull/988 gained concensus during the
september 2017 TC39 meetings. This moves the load of the "next" method
to the very beginning of the iteration protocol, rather than during
each iteration step.
This impacts:
- yield*
- for-of loops
- spread arguments
- array spreads
In the v8 implementation, this also affects async iteration versions of
these things (the sole exception being the Async-From-Sync iterator,
which requires a few more changes to work with this, likely done in a
followup patch).
This change introduces a new AST node, ResolvedProperty, which can be used
as a callee by Call nodes to produce the same bytecode as Property calls,
without observably re-loading the property. This is used in several
AST-desugarings involving the iteration protocol.
BUG=v8:6861, v8:5699
R=rmcilroy@chromium.orgTBR=neis@chromium.org, adamk@chromium.org
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I9685db6e85315ba8a2df87a4537c2bf491e1e35b
Reviewed-on: https://chromium-review.googlesource.com/857593
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50518}
The timezone offset in effect on Dec 25, 1995 won't be applicable
in years far away from 1995 (e.g. year 1111).
Calculate the timezone offset in Feb 1, 1995 and run other tests
on the same day.
This issue has been hidden because the current implementation doesn't
take into account the history of timezone offset changes(crbug.com/3547),
but was exposed when a correct implementation based on ICU was tried.
( https://chromium-review.googlesource.com/c/v8/v8/+/572148 ).
Bug: v8:7268
Test: webkit/date-constructor
Change-Id: I09834cff0baa47d6c8981e7712ebf39541e5ecb7
Reviewed-on: https://chromium-review.googlesource.com/861196
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50515}
This is a reland of 50baf93425
This fixes the number of expected instructions in MaybeCallEntryHookDelayed,
only exposed by nosnap tests.
Original change's description:
> [arm64] Switch jssp to csp
>
> Switch stack pointer to using csp directly, making jssp redundant.
>
> Bug: v8:6644
> Change-Id: I8e38eda50d56a25161b187c0a033608dd9f90239
> Reviewed-on: https://chromium-review.googlesource.com/860097
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
> Cr-Commit-Position: refs/heads/master@{#50487}
Bug: v8:6644
Change-Id: Ie9a969ccbf00fd7a7cff8f45b73cdb6bc4f17df9
Reviewed-on: https://chromium-review.googlesource.com/860639
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/master@{#50513}
Band-aid fix for infinite recursion in RegExp TFJ builtins.
TFJ builtins don't contain stack checks in general, so any deep
recursion involving only TFJ builtins can end up overflowing the stack
and segfaulting on the red area.
RegExp builtins in particular can only build such recursions using
RegExp.p.exec, and (as far as I can tell) only by modifying the instance
or prototype, thus hitting the slow path in all builtins.
This CL adds a stack check to RegExpExec, which is the choke point for
calling exec on slow-mode RegExps.
Bug: v8:7239, chromium:797481
Regression test
Change-Id: I78dbb5f868a775d9697606d513623f912639d7db
Reviewed-on: https://chromium-review.googlesource.com/856777
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50511}
Ensure that for setcc, we only use a byte register as destination
register.
R=titzer@chromium.org
Bug: v8:6600, chromium:800756
Change-Id: Ie33f3faf602e7eda845205ba0ed2d9966460fd54
Reviewed-on: https://chromium-review.googlesource.com/860640
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50508}
Non-constant SMIs were being shifted to the right with SHR instead of SAR,
which caused corruption of negative offsets.
Add tests for SMI access to arguments using CodeStubArguments.
Change-Id: I6cc4fc0a5dd0018524f5ff4f16f9e9a21866363f
Reviewed-on: https://chromium-review.googlesource.com/854055
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50506}
set_local was implemented before, but not added to any list of
alternatives. tee_local is now additionally implemented and added.
R=ahaas@chromium.org
Change-Id: I51f0b35c7b507e8af06efd1f9baac30790f28a3b
Reviewed-on: https://chromium-review.googlesource.com/860460
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50505}
This CL centralizes constants related to decoding from several places
into one place and makes it no longer necessary to include
wasm-opcodes.h for some simple constants.
R=clemensh@chromium.org
Bug:
Change-Id: I53aa81e34167df467bc7455b717bf67083033943
Reviewed-on: https://chromium-review.googlesource.com/859764
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50503}
This makes RestoreGeneratorRegisters do a fuller resume process: update
the state register to indicate that it is now executing, and update the
accumulator with the input_or_debug_pos of the generator - i.e., perform
the boilerplate generator resuming in one bytecode instead of several.
Change-Id: Ia87b6766ac023064b40d3e9a143e7b32118ea3a0
Reviewed-on: https://chromium-review.googlesource.com/859770
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50499}
The fast-path of S.p.charAt/charCodeAt wrongly truncates the index,
i.e. charAt(k + 4294967295) yields the same as charAt(k-1). This CL
fixes this behaviour, at the cost of not providing a fast-path for
charAt(1.1), i.e. if charAt/charCodeAt is called with a Number.
Bug: chromium:800594
Change-Id: Ic8e749380d3118f0c9469eb626e81bf72cf09fec
Reviewed-on: https://chromium-review.googlesource.com/860003
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50497}
It was included accidentally. It is not in the ES spec, nor is it
provided by any other browser.
BUG=chromium:793095
Change-Id: I2370a6d2b8d14def8dbd47ff4a1ffb4f5f65f097
Reviewed-on: https://chromium-review.googlesource.com/815757
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50491}
Port 30fabc4cdf
Original Commit Message:
This ensures that there is only one entrance point from C++ to
generated code, hence only one method has to be excluded from CFI.
It also introduces type safety by only allowing the code to be called
with the right arguments.
This CL includes minor drive-by fixes in the tests, like removing
unused dummy variables.
R=clemensh@chromium.org, joransiu@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: Idb21a7b8103a8fb833c963c182463006d9dd6288
Reviewed-on: https://chromium-review.googlesource.com/857425
Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#50490}
Make it possible for embedders to provide their own tracing timetamps by
providing an overridable virtual function on V8's tracing controller.
Bug:
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I727e633cb7f63d4b41c2e427ecca3c9174c90bfe
Reviewed-on: https://chromium-review.googlesource.com/847690
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Fadi Meawad <fmeawad@chromium.org>
Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
Cr-Commit-Position: refs/heads/master@{#50489}
Update tests to work with new behavior.
Thanks Yang Guo for fixing the GC problem in
ad126d46bbR=adamk@chromium.org, machenbach@chromium.org
Q_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
Bug: v8:4958
Change-Id: Ia7d9417f80087fb6df4ef877d0b4357875ee6c30
Reviewed-on: https://chromium-review.googlesource.com/834458
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Josh Wolfe <jwolfe@igalia.com>
Cr-Commit-Position: refs/heads/master@{#50486}
Drive-by-cleanup:
- Add InternalElementsAccessor to expose protected instance methods
to ElementsAccessor subclasses.
- Make some more ElementsAccessor methods protected that take the
raw entry as parameter.
Bug: chromium:798644
Change-Id: Iffd00f1953461e8dd22c123e62298410fb6e049c
Reviewed-on: https://chromium-review.googlesource.com/856816
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50480}
Before this, only the [[ProxyHandler]] was set to null during revocation
of the Proxy through either the v8::Proxy::Revoke() or the
Proxy.revocable() API. To be consistent with the spec, the Proxy's
target is set to null as well. This change should not be observable
through JS, since the check for if the Proxy is revoked should always
use the handler. But the changed value is exposed through the public
v8::Proxy::GetTarget() API, which is used by the inspector API and
Node.js.
Also included is a much more comprehensive test for Inspector's support
for Proxy, which prior to this commit did not work as intended.
Bug:
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I727607ec2b3cea8642cd636573932c1e6bb5cc07
Reviewed-on: https://chromium-review.googlesource.com/854676
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50476}
Disallow using the PC as a base in LDR and instead provide a dedicated assembler
method for pc-relative loads. The reason for this is that the generic
`Assembler::ldr` method may decide to generate more instructions if the offset
is out of range, and if the PC was the base, we would get surprising
results. For example:
~~~
ldr r0, [pc, #0xcabba9e]
~~~
is not equivalent to:
~~~
movw ip, #0xba9e
movt ip, #0xcab
ldr r0, [pc, ip]
~~~
since the reference to the PC has moved down two instructions!
We could teach the assembler to handle those cases correctly, but pc-relative
loads are used in specific cases only so that's not necessary.
As a drive-by, remove a reference to code aging.
Bug:
Change-Id: I586d83a418db52cf28d3b524f889bf40f077998a
Reviewed-on: https://chromium-review.googlesource.com/847008
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/master@{#50475}
This fixes a long-standing TODO to only make a copy of a module's
wire bytes if the input is a SharedArrayBuffer and also fixes the
concurrent-modification bug for synchronous validation.
R=clemensh@chromium.org
BUG=chromium:794091
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I8d2f20a9aeedbc306434853f8f6cfc070a24cf97
Reviewed-on: https://chromium-review.googlesource.com/856559
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50472}
This reverts commit 8fbc6a05c1.
Reason for revert: https://crbug.com/800356
Original change's description:
> Optimize TypedArraySpeciesCreate using SpeciesProtector of Array
>
> If there is no constructor or species updates on Array or TypedArrays,
> then skip lookups of constructor and species so that we can create a new
> typed array quickly. This path makes TA.p.slice() 4x faster in fast
> cases.
>
> Bug: v8:7161
> Change-Id: Ib8d2a3f6b8b5ed356c5822a814164166d1285f64
> Reviewed-on: https://chromium-review.googlesource.com/828343
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50423}
TBR=jkummerow@chromium.org,jgruber@chromium.org,ishell@chromium.org,bmeurer@chromium.org,cwhan.tunz@gmail.com
Change-Id: Icca07564d2a83710852eb797bac25f1d5600696e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7161
Reviewed-on: https://chromium-review.googlesource.com/859156
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50470}
This is used in chromium for html attribute event handlers.
See blink layout test fast/events/event-function-toString.html
Bug: v8:4958
Change-Id: Ib3d88af834bbb62b4ccd4683eda743d92064b075
Reviewed-on: https://chromium-review.googlesource.com/837641
Commit-Queue: Josh Wolfe <jwolfe@igalia.com>
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50460}
