Since both null and undefined are also marked as undetectable now, we
can just test that bit instead of having the CompareNilIC try to collect
feedback to speed up the general case (without the undetectable bit
being used).
Drive-by-fix: Update the type system to match the new handling of
undetectable in the runtime.
R=danno@chromium.org
Committed: https://crrev.com/666aec0348c8793e61c8633dee7ad29a514239ba
Cr-Commit-Position: refs/heads/master@{#34237}
Review URL: https://codereview.chromium.org/1722193002
Cr-Commit-Position: refs/heads/master@{#34344}
Port d00da47b61
Original commit message:
The CompareICStub produces an untagged raw word value, which has to be
translated to true or false manually in the TurboFan code. But for lazy
bailout after the CompareIC, we immediately go back to fullcodegen or
Ignition with the raw value, to a location where both fullcodegen and
Ignition expect a boolean value, which might crash or in the worst case
(depending on the exact computation inside the CompareIC) could lead to
arbitrary memory access.
Short-term fix is to use the proper runtime functions (unified with the
interpreter now) for comparisons. Next task is to provide optimized
versions of these based on the CodeStubAssembler, which can then be used
via code stubs in TurboFan or directly in handlers in the interpreter.
R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:4788
LOG=n
Review URL: https://codereview.chromium.org/1745643002
Cr-Commit-Position: refs/heads/master@{#34341}
Reason for revert:
Original commit reverted.
Original issue's description:
> PPC: [compiler] Drop the CompareNilIC.
>
> Port 666aec0348
>
> Original commit message:
> Since both null and undefined are also marked as undetectable now, we
> can just test that bit instead of having the CompareNilIC try to collect
> feedback to speed up the general case (without the undetectable bit
> being used).
>
> Drive-by-fix: Update the type system to match the new handling of
> undetectable in the runtime.
>
> R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
> BUG=
>
> Committed: https://crrev.com/546ea6b8393a894f07597ade5ec1c7db02c1e425
> Cr-Commit-Position: refs/heads/master@{#34266}
TBR=bmeurer@chromium.org,joransiu@ca.ibm.com,jyan@ca.ibm.com,michael_dawson@ca.ibm.com
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=
Review URL: https://codereview.chromium.org/1736253003
Cr-Commit-Position: refs/heads/master@{#34340}
This reland fixes a bug by pulling properties off the utils object, so
that it can be garbage collected in nosnap builds.
Original commit message:
Intl has been somewhat of an oddball for how it integrates with V8.
One aspect is that it largely didn't use utils to install itself
into the snapshot, which led to some missing names, which new
test262 tests check for, and duplicated code. This patch brings
Intl a bit closer to how the rest of the builtins do things, though
not entirely as it is currently structured to do unusual things,
such as creating new constructors from JavaScript rather than C++.
New test262 tests check for some of the names that are added in
this patch.
R=adamk
CC=jshin
BUG=v8:4778
LOG=Y
Review URL: https://codereview.chromium.org/1745483002
Cr-Commit-Position: refs/heads/master@{#34337}
Port 3ef573e9f1
Original commit message:
Replace the somewhat awkward RestParamAccessStub, which would always
call into the runtime anyway with a proper FastNewRestParameterStub,
which is basically based on the code that was already there for strict
arguments object materialization. But for rest parameters we could
optimize even further (leading to 8-10x improvements for functions with
rest parameters), by fixing the internal formal parameter count:
Every SharedFunctionInfo has a formal_parameter_count field, which
specifies the number of formal parameters, and is used to decide whether
we need to create an arguments adaptor frame when calling a function
(i.e. if there's a mismatch between the actual and expected parameters).
Previously the formal_parameter_count included the rest parameter, which
was sort of unfortunate, as that meant that calling a function with only
the non-rest parameters still required an arguments adaptor (plus some
other oddities). Now with this CL we fix, so that we do no longer
include the rest parameter in that count. Thereby checking for rest
parameters is very efficient, as we only need to check whether there is
an arguments adaptor frame, and if not create an empty array, otherwise
check whether the arguments adaptor frame has more parameters than
specified by the formal_parameter_count.
The FastNewRestParameterStub is written in a way that it can be directly
used by Ignition as well, and with some tweaks to the TurboFan backends
and the CodeStubAssembler, we should be able to rewrite it as
TurboFanCodeStub in the near future.
Drive-by-fix: Refactor and unify the CreateArgumentsType which was
different in TurboFan and Ignition; now we have a single enum class
which is used in both TurboFan and Ignition.
TEST=test/mjsunit/harmony/destructuring, test/mjsunit/harmony/default-parameters,
test/mjsunit/harmony/default-parameters, test/mjsunit/es6/classes-subclass-builtins,
BUG=
Review URL: https://codereview.chromium.org/1734273003
Cr-Commit-Position: refs/heads/master@{#34336}
The CompareICStub produces an untagged raw word value, which has to be
translated to true or false manually in the TurboFan code. But for lazy
bailout after the CompareIC, we immediately go back to fullcodegen or
Ignition with the raw value, to a location where both fullcodegen and
Ignition expect a boolean value, which might crash or in the worst case
(depending on the exact computation inside the CompareIC) could lead to
arbitrary memory access.
Short-term fix is to use the proper runtime functions (unified with the
interpreter now) for comparisons. Next task is to provide optimized
versions of these based on the CodeStubAssembler, which can then be used
via code stubs in TurboFan or directly in handlers in the interpreter.
R=mstarzinger@chromium.org
BUG=v8:4788
LOG=n
Review URL: https://codereview.chromium.org/1738153002
Cr-Commit-Position: refs/heads/master@{#34335}
Moves skips to explicit fails and groups errors be failure reason. Almost all failures
are due to lack of generator support.
BUG=v8:4680
LOG=N
TBR=oth@chromium.org
Review URL: https://codereview.chromium.org/1740843003
Cr-Commit-Position: refs/heads/master@{#34334}
This patch adds the newly added support for contexts in V8 Tracing, as well
as use it to mark all the entry points for a V8 Isolate.
Update for reland: The current tracing interface needs to be updated (AddTraceEvent),
but the embedders need to migrate to the new version before removing the old version.
(Reland of: https://codereview.chromium.org/1686233002)
The revert happened because the 2 signatures of the old and new AddTraceEvent where different
so it threw an overload-virtual error on cross arm debug. This issue is temporary, and to solve
it, I added an implementation of the old and new everywhere until the embedder implements the new.
BUG=v8:4565
LOG=N
R=jochen@chromium.org
Review URL: https://codereview.chromium.org/1704253002
Cr-Commit-Position: refs/heads/master@{#34332}
Initial commit with the bulk of the src/s390/* changes
along with associated changes to the build toolchain for
the new files.
A minor update to V8PRIuPTR definition for Mac OS X
affecting 32-bit S390 sim compilations.
R=danno@chromium.org,jkummerow@chromium.org,jochen@chromium.org,jyan@ca.ibm.com,michael_dawson@ca.ibm.com,mbrandy@us.ibm.com
BUG=
Review URL: https://codereview.chromium.org/1725243004
Cr-Commit-Position: refs/heads/master@{#34331}
Port ba2077aac3
Original commit message:
Move the already existing fast case for %NewObject into a dedicated
FastNewObjectStub that we can utilize in places where we would otherwise
fallback to %NewObject immediately, which is rather expensive.
Also use FastNewObjectStub as the generic implementation of JSCreate,
which should make constructor inlining based on SharedFunctionInfo (w/o
specializing to a concrete closure) viable soon.
BUG=
Review URL: https://codereview.chromium.org/1732333002
Cr-Commit-Position: refs/heads/master@{#34330}
This fixes the length computation in for object literals in generic
lowering. In rare cases (e.g. boilerplate at end of page) this could
lead to out of bounds reads.
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/1737893003
Cr-Commit-Position: refs/heads/master@{#34328}
When operating in --rebaseline mode, each of the files will be updated.
In --raw-js mode, all the expectations will be written to the same file.
In default mode no more than one input file is accepted.
On POSIX systems, --rebaseline will autodiscover golden files when run
from the project root and no input file is provided.
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1737623002
Cr-Commit-Position: refs/heads/master@{#34324}
The LoadBuffer operator that is used for asm.js heap access claims to
return only the appropriate typed array type, but out of bounds access
could make it return undefined. So far we tried to "repair" the graph
later if we see that our assumption was wrong, and for various reasons
that worked for some time. But now that wrong type information that is
propagated earlier is picked up appropriately and thus we generate wrong
code, i.e. we in the repro case we feed NaN into ChangeFloat64Uint32 and
thus get 2147483648 instead of 0 (with proper JS truncation).
This was always considered a temporary hack until we have a proper
asm.js pipeline, but since we still run asm.js through the generic
JavaScript pipeline, we have to address this now. Quickfix is to just
bailout from the pipeline when we see that the LoadBuffer type was
wrong, i.e. the result of LoadBuffer is not properly truncated and thus
undefined or NaN would be observable.
R=mstarzinger@chromium.org, jarin@chromium.org
BUG=chromium:589792
LOG=y
Review URL: https://codereview.chromium.org/1740123002
Cr-Commit-Position: refs/heads/master@{#34322}
Adds support for cpu profiler logging to the interpreter. Modifies the
the API to be passed AbstractCode objects instead of Code objects, and
adds extra functions to AbstractCode which is required by log.cc and
cpu-profiler.cc.
The main change in sampler.cc is to determine if a stack frame is an
interpreter stack frame, and if so, use the bytecode address as the pc
for that frame. This allows sampling of bytecode functions. This
requires adding support to SafeStackIterator to determine if a frame is
interpreted, which we do by checking the PC against pre-stored addresses
for the start and end of interpreter entry builtins.
Also removes CodeDeleteEvents which are dead code and haven't
been reported for some time.
Still to do is tracking source positions which will be done in a
followup CL.
BUG=v8:4766
LOG=N
Review URL: https://codereview.chromium.org/1728593002
Cr-Commit-Position: refs/heads/master@{#34321}
Everything that HCallJSFunction does can be easily done using more general HInvokeFunction, so there's no need to have this dedicated instruction around.
Review URL: https://codereview.chromium.org/1728423002
Cr-Commit-Position: refs/heads/master@{#34320}
Extends the constant pool to deal with more slices.
Adds ReadUnalignedUInt32().
BUG=v8:4280,v8:4747
LOG=N
Review URL: https://codereview.chromium.org/1731893003
Cr-Commit-Position: refs/heads/master@{#34319}
We don't need to compare the result of ToObject against null, since
ToObject will always yield a proper receiver (or throw a TypeError).
R=rmcilroy@chromium.org
Review URL: https://codereview.chromium.org/1736233002
Cr-Commit-Position: refs/heads/master@{#34318}
The %TailCall runtime entry and the %_TailCall intrinsic is not used,
and will never be used (because %TailCall doesn't actually do a tail
call). We will soon have proper ES6 tail calls, which are correct and
properly tested.
The %Apply runtime entry is basically a super-slow, less correct version
of Reflect.apply, so we can as well just use Reflect.apply, which is
exposed to builtins via %reflect_apply.
R=ishell@chromium.org
Review URL: https://codereview.chromium.org/1739233002
Cr-Commit-Position: refs/heads/master@{#34317}
The %_Call intrinsic (if supported by the compiler) is lowered directly
to the Call builtin and thus throws a TypeError if the target is not
callable. The %Call runtime function also eventually calls into the Call
builtin, but had an early abort if the target is not a JSReceiver, which
is unnecessary and leads to various test failures for Ignition.
R=mvstanton@chromium.org
Review URL: https://codereview.chromium.org/1727833006
Cr-Commit-Position: refs/heads/master@{#34316}
The treatment of different undetectable objects was inconsistent after
the latest changes to the undetectable bit in the maps. Given two
different undetectable JSObjects a and b, a monomorphic CompareIC would
say false for a == b, while the rest of the system (including the
generic case for the CompareIC) would say true.
The fix is rather straight-forward: We just go generic on a CompareIC
once we see an undetectable JSObject.
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/1735863004
Cr-Commit-Position: refs/heads/master@{#34315}
Reason for revert:
Breaks a bot: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20nosnap/builds/6812
Original issue's description:
> Make Intl install properties more like how other builtins do
>
> Intl has been somewhat of an oddball for how it integrates with V8.
> One aspect is that it largely didn't use utils to install itself
> into the snapshot, which led to some missing names, which new
> test262 tests check for, and duplicated code. This patch brings
> Intl a bit closer to how the rest of the builtins do things, though
> not entirely as it is currently structured to do unusual things,
> such as creating new constructors from JavaScript rather than C++.
> New test262 tests check for some of the names that are added in
> this patch.
>
> R=adamk
> CC=jshin
> BUG=v8:4778
> LOG=Y
>
> Committed: https://crrev.com/a40830577d80f699282dd83864619656b7a7966c
> Cr-Commit-Position: refs/heads/master@{#34311}
TBR=adamk@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4778
Review URL: https://codereview.chromium.org/1737873003
Cr-Commit-Position: refs/heads/master@{#34314}
Reason for revert:
An Intl change that this depends on breaks a bot
Original issue's description:
> Test262 roll, 2016-2-23
>
> R=adamk
>
> Committed: https://crrev.com/34492040fbfb04fead21416245c8696b9847e751
> Cr-Commit-Position: refs/heads/master@{#34312}
TBR=adamk@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/1736223002
Cr-Commit-Position: refs/heads/master@{#34313}
Intl has been somewhat of an oddball for how it integrates with V8.
One aspect is that it largely didn't use utils to install itself
into the snapshot, which led to some missing names, which new
test262 tests check for, and duplicated code. This patch brings
Intl a bit closer to how the rest of the builtins do things, though
not entirely as it is currently structured to do unusual things,
such as creating new constructors from JavaScript rather than C++.
New test262 tests check for some of the names that are added in
this patch.
R=adamk
CC=jshin
BUG=v8:4778
LOG=Y
Review URL: https://codereview.chromium.org/1733293003
Cr-Commit-Position: refs/heads/master@{#34311}
Rolling v8/base/trace_event/common to 81b7b6f531ad2375140b2a5f4d3a803e5ba2514c
Rolling v8/buildtools to 14288a03a92856fe1fc296d39e6a25c2d83cd6cf
Rolling v8/tools/swarming_client to a72f46e42dba1335e8001499b4621acad2d26728
TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org
Review URL: https://codereview.chromium.org/1737243003
Cr-Commit-Position: refs/heads/master@{#34309}
Reason for revert:
Speculative revert in attempt to fix#2 crasher on canary.
Original issue's description:
> [compiler] Drop the CompareNilIC.
>
> Since both null and undefined are also marked as undetectable now, we
> can just test that bit instead of having the CompareNilIC try to collect
> feedback to speed up the general case (without the undetectable bit
> being used).
>
> Drive-by-fix: Update the type system to match the new handling of
> undetectable in the runtime.
>
> R=danno@chromium.org
>
> Committed: https://crrev.com/666aec0348c8793e61c8633dee7ad29a514239ba
> Cr-Commit-Position: refs/heads/master@{#34237}
TBR=danno@chromium.org,verwaest@chromium.org,bmeurer@chromium.org
LOG=y
BUG=chromium:589897
NOTRY=true
Review URL: https://codereview.chromium.org/1743433002
Cr-Commit-Position: refs/heads/master@{#34308}
This patch moves iterator finalization (calling .return() when a
for-of loop exits early) to shipping. The only part of this feature
which is currently known to be missing is destructuring--.return()
should be also be called when destructuring with an array which
does not end in a rest pattern, but it currently does not. The rest
of this feature, including calling .return() from certain builtins,
is implemented.
R=adamk
BUG=v8:3566
LOG=Y
Review URL: https://codereview.chromium.org/1738463003
Cr-Commit-Position: refs/heads/master@{#34307}
This calback is run after an attempt to run microtasks.
BUG=chromium:585949
LOG=Y
Review URL: https://codereview.chromium.org/1731773005
Cr-Commit-Position: refs/heads/master@{#34305}
Only use one set of %StrictEquals/%StrictNotEquals and
%Equals/%NotEquals runtime entries for both the interpreter
and the old-style CompareICStub. The long-term plan is to
update the CompareICStub to also return boolean values, and
even allow some more code sharing with the interpreter there.
R=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/1738883002
Cr-Commit-Position: refs/heads/master@{#34303}
This reverts commit 9146bc5e20.
This contains a fix for the following crash:
1. We record slots for a fixed array.
2. We trim the fixed array, so that some recorded slots are now in free space.
3. During mark-compact we sweep the page with the fixed array. Now free list items contain memory with recorded slots.
4. We evacuate a byte array using the new free list items.
5. We iterate slots that are now inside the byte array and crash.
BUG=chromium:589413,chromium:578883
LOG=NO
Review URL: https://codereview.chromium.org/1735523002
Cr-Commit-Position: refs/heads/master@{#34302}
operators.'
Port c129aa4d39
Original commit message:
These macro operators represent a conditional eager deoptimization exit
without explicit branching, which greatly reduces overhead of both
scheduling and register allocation, and thereby greatly reduces overall
compilation time, esp. when there are a lot of eager deoptimization
exits.
BUG=
TEST=mjsunit/asm/embenchen/fasta
Review URL: https://codereview.chromium.org/1736653003
Cr-Commit-Position: refs/heads/master@{#34301}
It is possible for JS objects to be allocated while we are retrieving the
profile. These JS objects can in turn end up getting sampled by the profiler.
Adding these to the profile data structures invalidates the iterators that
are presently in flight. This change prevents such concurrent modifications
from affecting the retrieve operation.
BUG=
Review URL: https://codereview.chromium.org/1735733002
Cr-Commit-Position: refs/heads/master@{#34298}
This adds explicit setters for the SharedFunctionInfo::function_data
field. Such setters are safer because they allow for explicit checking
of which values are allowed, and they improve readability because the
intended semantics become clear for each call-site. Also fix a cctest
case along the way.
R=rmcilroy@chromium.org
Review URL: https://codereview.chromium.org/1730853005
Cr-Commit-Position: refs/heads/master@{#34297}
We should prefer hints from operands in non-deferred blocks, else we
risk sideways moves on the hot path, just to accommodate the register
allocator's choice of register assignment in the deferred block.
BUG=
Review URL: https://codereview.chromium.org/1718223002
Cr-Commit-Position: refs/heads/master@{#34296}
