This CL changes the ArrayPrototypeShift builtin to a CSA macro which
is used in a newly created Torque builtin.
This is in preparation for removing the JavaScript fall-back, which
will be replaced by a baseline Torque implementation.
R=cbruni@chromium.org, jgruber@chromium.org
Bug: v8:7624
Change-Id: I9b7898beea2802cc02d394e040a1e500387cf108
Reviewed-on: https://chromium-review.googlesource.com/1169172
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@google.com>
Cr-Commit-Position: refs/heads/master@{#55036}
The HasProperty builtin differed in its expected argument order from
the HasProperty runtime function. Like all other related spec
primitives (e.g.: GetProperty, SetProperty, DeleteProperty), it should
take {object} as the first argument and {key} as the second.
This CL changes the builtin and all related spots to use the correct
order.
There was also a tricky bug in interpreter intrinsic rewriting, which
assumes (but does not verify) that the argument order between runtime
function and builtin is identical. Besides cctests, HasProperty
intrinsic rewriting seems to be dead code.
Bug: v8:8036
Change-Id: Ia669fd6f5c73a30df4e4607064603be759ced392
Reviewed-on: https://chromium-review.googlesource.com/1167297
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55022}
This reverts commit ff4fa92e88.
Reason for revert: blocks roll: https://chromium-review.googlesource.com/c/chromium/src/+/1167969 ... see https://chromium-swarm.appspot.com/task?id=3f344f7ada4e0110&refresh=10&show_raw=1 for stacktrace.
Original change's description:
> [builtins] Enable Torque Array.prototype.splice
>
> Before, splice was implemented with a C++ fast path and a
> comprehensive JavaScript version.
>
> This impl. is entirely in Torque with a fastpath for SMI,
> DOUBLE and OBJECT arrays, and a comprehensive slow path.
> The same level of "sparse" array support as given by the
> array.js implementation is included.
>
> Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
> Change-Id: Ibfa3407ed75b9ad15ac54cce446b3952e38f90a9
> Reviewed-on: https://chromium-review.googlesource.com/1039190
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Michael Stanton <mvstanton@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54974}
TBR=danno@chromium.org,yangguo@chromium.org,mvstanton@chromium.org,tebbi@chromium.org,szuend@google.com
Change-Id: I900f667b30a0cf673ead9621618a9988cf85ffdf
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/1168902
Commit-Queue: Michael Hablich <hablich@chromium.org>
Reviewed-by: Michael Hablich <hablich@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54998}
Before, splice was implemented with a C++ fast path and a
comprehensive JavaScript version.
This impl. is entirely in Torque with a fastpath for SMI,
DOUBLE and OBJECT arrays, and a comprehensive slow path.
The same level of "sparse" array support as given by the
array.js implementation is included.
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Ibfa3407ed75b9ad15ac54cce446b3952e38f90a9
Reviewed-on: https://chromium-review.googlesource.com/1039190
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54974}
This patch ports most of the Intl.Collator from JS to C++.
The Intl.Collator object no longer stores all the resolved
values. Instead these are looked up on demand as part of
Intl.Collator.prototype.resolvedOptions(), saving several words. In
the future, we can cache the result of the resolvedOptions as well.
In this patch, we use ICU to do parsing of the unicode extension in
the bcp47 language tag instead of using a custom extension parser.
This patch also fixes several spec compliance bugs as well.
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Iaaa7be4a628404da1bd83d882e04a2c6de70ebd9
Bug: v8:5751, v8:7480
Reviewed-on: https://chromium-review.googlesource.com/1165084
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54965}
This CL is the first step towards a SetProperty stub, by adding a
stub that redirects to the runtime and replacing every runtime
call-site with a call to this stub.
A followup CL will then add an implementation to the stub similar
to KeyedStoreGenericAssembler::KeyedStoreGeneric().
R=cbruni@chromium.org, jgruber@chromium.org
Change-Id: Iff2f913988cada6220d54817d94d011ad6de2b77
Reviewed-on: https://chromium-review.googlesource.com/1163519
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54926}
Previously, Intl.PluralRules was mostly implemented in JavaScript. This
patch moves most of the constructor and parts of other methods to C++.
The size of the Intl.PluralRules object is reduced by not storing
MinimumIntegerDigits, MinimumFractionDigits, MaximumFractionDigits,
MinimumSignificantDigits, MaximumSignificantDigits. Instead these are
looked up from icu::DecimalFormat as required.
Another optimziation is that we don't create the result of
resolvedOptions when the Intl.PluralRules object is constructed, but
instead defer until this method is called. In the future, we may want
to cache the result.
This patch also cleans up several error handling paths that shouldn't
happen with ICU and instead just crashes should it ever happen.
Bug: v8:5751
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I84c5aa6c25c35fe2d336693dee1b36bf3dcd4a79
Reviewed-on: https://chromium-review.googlesource.com/1158701
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54917}
This also move the function body of Runtime_StringLocaleConvertCase
into IntlFunc::StringLocaleConvertCase
Bug: v8:7958
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Ibc081150babdd7d50043383b0f7375d46cfcf4a5
Reviewed-on: https://chromium-review.googlesource.com/1144525
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54737}
This is a reland of 9eca23e9ed
Adds a deopt continuation, which fixes JavaScript stack traces
to contain the number constructor after inlining.
Original change's description:
> [turbofan] Inline Number constructor in certain cases
>
> This CL adds inlining for the Number constructor if new.target is not
> present. The lowering is BigInt compatible, i.e. it converts BigInts to
> numbers.
>
> Bug: v8:7904
> Change-Id: If03b9f872d82e50b6ded7709069181c33dc44e82
> Reviewed-on: https://chromium-review.googlesource.com/1118557
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54454}
Bug: v8:7904
Change-Id: Ic416e5ba81fa3a0f59ae4afa80df83c46a759487
Reviewed-on: https://chromium-review.googlesource.com/1146581
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54609}
As discussed in
https://docs.google.com/document/d/1sBdGe8RHgeYP850cKSSgGABTyfMdvaEWLy-vertuTCo/edit?ts=5b3ba5cc#,
this CL introduces a new bytecode (CloneObject), and a new IC type.
In this prototype implementation, the type feedback looks like the
following:
Uninitialized case:
{ uninitialized_sentinel, uninitialized_sentinel }
Monomorphic case:
{ weak 'source' map, strong 'result' map }
Polymorphic case:
{ WeakFixedArray with { weak 'source' map, strong 'result' map }, cleared value }
Megamorphic case:
{ megamorphic_sentinel, cleared_Value }
In the fast case, Object cloning is done by allocating an object with
the saved result map, and a shallow clone of the fast properties from
the source object, as well as cloned fast elements from the source object.
If at any point the fast case can't be taken, the IC transitions to the
slow case and remains there.
This prototype CL does not include any TurboFan optimization, and the
CloneObject operation is merely reduced to a stub call.
It may still be possible to get some further improvements by somehow
incorporating compile-time boilerplate elements into the cloned object,
or simplifying how the boilerplate elements are inserted into the
object.
In terms of performance, we improve the ObjectSpread score in JSTests/ObjectLiteralSpread/
by about 8x, with substantial improvements over the Babel and ObjectAssign scores.
R=gsathya@chromium.org, mvstanton@chromium.org, rmcilroy@chromium.org, neis@chromium.org, bmeurer@chromium.org
BUG=v8:7611
Change-Id: I79e1796eb77016fb4feba0e1d3bb9abb348c183e
Reviewed-on: https://chromium-review.googlesource.com/1127472
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54595}
This reverts commit 9eca23e9ed.
Reason for revert: Clusterfuzz correctness issue
Original change's description:
> [turbofan] Inline Number constructor in certain cases
>
> This CL adds inlining for the Number constructor if new.target is not
> present. The lowering is BigInt compatible, i.e. it converts BigInts to
> numbers.
>
> Bug: v8:7904
> Change-Id: If03b9f872d82e50b6ded7709069181c33dc44e82
> Reviewed-on: https://chromium-review.googlesource.com/1118557
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54454}
TBR=jarin@chromium.org,neis@chromium.org,sigurds@chromium.org,bmeurer@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:7904
Change-Id: Ie5fa6c1262b8acc33edb672a0124f4458fcded86
Reviewed-on: https://chromium-review.googlesource.com/1142777
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54544}
This CL moves Array.p.fill from JavaScript to a C++ builtin. It has
a generic slow-path and fast-paths implemented via ElementsAccessor in
elements.cc.
R=cbruni@chromium.org
Bug: v8:7624
Change-Id: I8820e1195d2cd9b41c254058923ad9875aab067c
Reviewed-on: https://chromium-review.googlesource.com/1131130
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54522}
This CL adds inlining for the Number constructor if new.target is not
present. The lowering is BigInt compatible, i.e. it converts BigInts to
numbers.
Bug: v8:7904
Change-Id: If03b9f872d82e50b6ded7709069181c33dc44e82
Reviewed-on: https://chromium-review.googlesource.com/1118557
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54454}
This increases the size of a NumberFormat instance by a word to store
the bound format function.
The instance to be bound is stored on the context of this builtin function.
Bug: v8:5751, v8:7800
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Ie85d8db7d10aabb5c40e77687e6f7112a84f3ebd
Reviewed-on: https://chromium-review.googlesource.com/1122153
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54353}
RegExp builtins were the first to be ported to CSA roughly two years
ago. Back then, we weren't really aware of issues surrounding code
size and CSA inlining, and thus some of these builtins were bigger
than they should be.
This CL adds a few new helper builtins and removes inlined calls to
SubString, RegExpExecInternal, and StringAdd. It significantly
reduces the size of affected builtins. Minor performance regressions
due to call overhead are expected.
Before:
TFS Builtin, RegExpReplace, 20008
TFS Builtin, RegExpSplit, 17340
TFS Builtin, RegExpMatchFast, 17064
TFJ Builtin, RegExpStringIteratorPrototypeNext, 12862
After:
TFS Builtin, RegExpReplace, 5067
TFS Builtin, RegExpSplit, 6329
TFS Builtin, RegExpMatchFast, 8164
TFJ Builtin, RegExpStringIteratorPrototypeNext, 6652
Bug: v8:5737
Change-Id: I1c077a084da85bb73c0c5adb7118b941f488e0ec
Reviewed-on: https://chromium-review.googlesource.com/1127796
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54293}
* Rename BoilerplateDescription to ObjectBoilerplateDescription
* Add literal_type flag to ObjectBoilerplateDescription,
which is stored as zeroth element of Fixed array
* Create ArrayBoilerplateDescription with elements_kind and
constant_elements field
* Replace CompileTimeValue and ConstantElementPair with
ArrayBoilerplateDescription
* Kill ConstantElementPair and CompileTimeValue
Change-Id: Icb42dcfd575a27e2b64ffd5e2e61f9d703d5e986
Bug: v8:7787, chromium:818642
Reviewed-on: https://chromium-review.googlesource.com/1122411
Commit-Queue: Chandan Reddy <chandanreddy@google.com>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54272}
Fixes V8 correctness failure when there's a proxy in the global object
prototype chain and unsuccessful attempt is made to access a property.
Bug: chromium:849024
Change-Id: I829e1a6c038982b7c7a77f8bdefb61facb4614f0
Reviewed-on: https://chromium-review.googlesource.com/1124446
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54237}
Adds the builtin Trace and IsTraceCategoryEnabled functions
exposed via extra bindings. These are intended to use by
embedders to allow basic trace event support from JavaScript.
```js
isTraceCategoryEnabled('v8.some-category')
trace('e'.charCodeAt(0), 'v8.some-category',
'Foo', 0, { abc: 'xyz'})
```
Bug: v8:7851
Change-Id: I7bfb9bb059efdf87d92a56a0aae326650730c250
Reviewed-on: https://chromium-review.googlesource.com/1103294
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Fadi Meawad <fmeawad@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54121}
Currently we perform the full iteration protocol even when we don't need
to. When IterableToListCanBeElided is true, we still need to create a
copy of the array (from a spec correctness point of view, in case there
are user-JS side-effects that would modify the original).
This CL copies the array directly, skipping the iteration protocol.
This recovers the JSTests/TypedArrays/ConstructArrayLike benchmark
almost completely.
Change-Id: I7f1593dd9af6e4a0485bd654e6c02186c5ae99d0
Reviewed-on: https://chromium-review.googlesource.com/1105995
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53996}
Migrate the Object.getOwnPropertyNames to the CodeStubAssembler and use the enum cache backing store when
1) the enum cache is avaible
2) the {object} has no elements
3) all own properties are enumerable
This makes a speedup of 10x when using Object.getOwnPropertyNames with fast-path. It improves Speedometer2.0 Inferno case by ~9% on ATOM platform.
Change-Id: I05e1df0e7d9d53d97664c322248cedb106a7b1d0
Reviewed-on: https://chromium-review.googlesource.com/1004434
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Shiyu Zhang <shiyu.zhang@intel.com>
Cr-Commit-Position: refs/heads/master@{#53992}
This CL adds a builtin which receives an int32 argument and returns the
int32 result. Internally, it checks whether the argument is in the
valid smi range, then calls the runtime function with the smi argument
and converts the return value back from smi to int32.
This saves a lot of code in the wasm TF builder and in Liftoff.
R=mstarzinger@chromium.org
Bug: v8:6600
Change-Id: Icddcb020eae74c767a75090feb4939275432c007
Reviewed-on: https://chromium-review.googlesource.com/1107711
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53946}
This makes sure we use WebAssembly runtime stubs when performing value
coercions in wrapper code that is compiled into {WasmCode}. It hence
removes the last {RelocInfo::CODE_TARGET} references in {WasmCode}.
R=clemensh@chromium.org
BUG=v8:7424
Change-Id: Ic96e541abe98f90796a6506b09ff99557743b6f7
Reviewed-on: https://chromium-review.googlesource.com/1104462
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53846}
Now TFJ builtins can use their own descriptors so there's no need to
keep the hacky BuiltinDescriptor around.
Bug: v8:7754
Change-Id: Ia7f23a21fb979370fd2149fef13186b83a3d5d30
Reviewed-on: https://chromium-review.googlesource.com/1104428
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Daniel Clifford <danno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53806}
This CL also adds macros for defining JS-compatible interface descriptors that
has additional parameters.
ArrayConstructorDescriptor is redefined using the new macros.
Bug: v8:7754
Change-Id: Id39cac9f234666576f35de755d11aba198248bea
Reviewed-on: https://chromium-review.googlesource.com/1100833
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53796}
This allows WebAssembly runtime stubs implemented as {WasmCode} to be
called with regular stub linkage. So far we have only been able to call
such stubs with WebAssembly linkage.
Also switch two more on-heap builtins over to WebAssembly runtime stubs.
R=clemensh@chromium.org
BUG=v8:7424
Change-Id: Ifa553b5908ee27a1be780c325a114449d7fe7001
Reviewed-on: https://chromium-review.googlesource.com/1100882
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53734}
No need to have a separately defined CallDescriptor.
R=titzer@chromium.org
Change-Id: Ic7c0ee87d458fa8e55bef4d750aa7f61a763237f
Reviewed-on: https://chromium-review.googlesource.com/1098927
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53699}
This CL adds a TFS stub for RegExp#test and moves several checks to
the JSCallReducer. In particular, the JSCallReducer checks that
- property {exec} on the regexp is still the original exec
- property {lastIndex} on the regexp is a non-negative smi
The stub does not repeat these checks in release mode.
This effectively means that if the regexp is known, we can perform these
checks at compile time, and get away with a map dependency.
Bug: v8:7779, v8:7200
Change-Id: I0c6d711d4f1d2f6f325a1c02855b0e1b62e014c8
Reviewed-on: https://chromium-review.googlesource.com/1074654
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53630}
