In particular, recognize builtins' values accesses and direct accesses
to external reference values. For example:
REX.W leaq rax,[r13+0x47a0]
REX.W leaq rbx,[r13+0x80b0]
turns into
REX.W leaq rax,[r13+0x47a0] (builtin (RecordWrite))
REX.W leaq rbx,[r13+0x80b0] (external value (Isolate::context_address))
This CL also extends the via-root-register-accessible region to the
whole Isolate object.
Bug: v8:8238
Change-Id: I218d8589690579919cfa01b2f3c3094af0e73c51
Reviewed-on: https://chromium-review.googlesource.com/1251550
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56332}
MIPS architecture doesn't have support for 64-bit atomics.
It is possible to implement them using 32-bit atomics,
but the process is involved and takes time. For the time
being support 64-bit atomics using runtime.
Bug: v8:8100
Change-Id: I8c732ea9975c46be70643a1e722d78938c8a70de
Reviewed-on: https://chromium-review.googlesource.com/1251521
Commit-Queue: Ivica Bogosavljevic <ibogosavljevic@wavecomp.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56331}
This improves the performance on primitive strings of
IterableToListWithSymbolLookup, which implements the
CreateArrayFromIterable bytecode. The fast path is only
taken if the string iterator protector is valid (that is,
String.prototype[Symbol.iterator] and
String.prototype[Symbol.iterator]().next are untouched).
This brings spreading of primitive strings closer to the
performance of the string iterator optimizations.
(see https://docs.google.com/document/d/13z1fvRVpe_oEroplXEEX0a3WK94fhXorHjcOMsDmR-8/).
Bug: chromium:881273, v8:7980
Change-Id: Ic8d8619da2f2afcc9346203613a844f62653fd7a
Reviewed-on: https://chromium-review.googlesource.com/1243110
Commit-Queue: Hai Dang <dhai@google.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56329}
For wasm modules with non-absolute sourceMappingURL, the source needs
to be empty so that devtools can look for the source map at the origin
of the module.
R=clemensh@chromium.org,adamk@chromium.org
Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I74c40addc1a7cb1be0442e9f2b272590c0b81f60
Reviewed-on: https://chromium-review.googlesource.com/1250402
Commit-Queue: Aseem Garg <aseemgarg@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56326}
Following up on the earlier work regarding redundant Smi checks in
https://chromium-review.googlesource.com/c/v8/v8/+/1246181, it was
noticed that the handling of the 0 and -0 and how some operations
identify these is not really consistent, but was still rather ad-hoc.
This change tries to unify the handling a bit by making sure that all
number comparisons generally pass truncations that identify zeros, since
for the number comparisons in JavaScript there's no difference between
0 and -0. In the same spirit NumberAbs and NumberToBoolean should also
pass these truncations, since they also don't care about the differences
between 0 and -0.
Adjust NumberCeil, NumberFloor, NumberTrunc, NumberMin and NumberMax
to pass along any incoming kIdentifiesZeros truncation, since these
operations also don't really care whether the inputs can be -0 if the
use nodes don't care.
Also utilize the kIdentifiesZeros truncation for NumberModulus with
Signed32 inputs, because it's kind of common to do something like
`x % 2 === 0`, where it doesn't really matter whether `x % 2` would
eventually produce a negative zero (since that would still be considered
true for the sake of the comparison).
This also adds a whole lot of tests to ensure that not only are these
optimizations correct, but also that we do indeed perform them.
Drive-by-fix: The `NumberAbs(x)` would incorrectly lower to just `x` for
PositiveIntegerOrMinusZeroOrNaN inputs, which was obviously wrong in
case of -0. This was fixed as well, and an appropriate test was added.
The reason for the unification is that with the introduction of Word64
for CheckBounds (which is necessary to support large TypedArrays and
DataViews) we can no longer safely pass Word32 truncations for the
interesting cases, since the index might be outside the Signed32 or
Unsigned32 ranges, but we still identify 0 and -0 for the sake of the
bounds check, and so it's important that this is handled consistently
to not regress performance on TypedArrays and DataViews accesses.
Bug: v8:8015, v8:8178
Change-Id: Ia1d32f1b726754cea1e5793105d9423d84a6393a
Reviewed-on: https://chromium-review.googlesource.com/1246172
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56325}
TracingCpuProfiler wrapper uses API interrupt to start the profiling
on the Isolate thread. However it could do it before Isolate is
initialized, so the interrupt it requested got lost.
The patch moves TracingCpuProfiler creation after ThreadLocal object
for isolate is initialized.
BUG=v8:8247
Change-Id: I5b0b3d18e017396f9860faeab909abbfab4616df
Reviewed-on: https://chromium-review.googlesource.com/1252762
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Alexei Filippov <alph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56324}
The current Android NDK defines __BIONIC_HAVE_UCONTEXT_T for all
architecures, so the old paths are no longer needed.
Bug: chromium:437330
Change-Id: I6314971e9ee1d78c4b73f8c1b37af7aa6f419b71
Reviewed-on: https://chromium-review.googlesource.com/1252282
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Richard Coles <torne@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56322}
Picking a few low-hanging fruits.
Bug: v8:7790
Change-Id: I798d579b1f1a08fab821e159d08f453d2dad89c1
Reviewed-on: https://chromium-review.googlesource.com/1254124
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56320}
This removes duplication in the platform-dependent assemblers by
introducing {AssemblerBase::ShouldRecordRelocInfo}.
On arm64, we also remove a bool and replace it by an early exit.
R=mstarzinger@chromium.org
Bug: v8:8238
Change-Id: I08c623a19167a358c3188dc9008f045120da82b1
Reviewed-on: https://chromium-review.googlesource.com/1251085
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56319}
This reduces the usage of macros and shrinks the binary size (by 4 KiB).
Bug: v8:8238
Change-Id: Ic689f8ce7dabe481125fcdb74a265155431317b6
Reviewed-on: https://chromium-review.googlesource.com/1253605
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56316}
The protector is useful for follow-up optimizations on string iterator.
Tests are also added.
Change-Id: I416037c742628c4d4d3b878d0df727a9ae7162f7
Reviewed-on: https://chromium-review.googlesource.com/1251122
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Hai Dang <dhai@google.com>
Cr-Commit-Position: refs/heads/master@{#56315}
Delay the creation of FunctionNameVariables until we validated the
FormalParameters. This is needed so we don't declare them in cases where
we later get an error, have to reset, and reparse.
Bug: chromium:890553, v8:7926
Change-Id: I742e6f7f71158e3903843bd583dc7943468c18f6
Reviewed-on: https://chromium-review.googlesource.com/1254061
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Florian Sattler <sattlerf@google.com>
Cr-Commit-Position: refs/heads/master@{#56314}
This removes the burden from Torque not to emit unnecessary phis.
This is factored out from the Torque IR CL (https://crrev.com/c/1245766).
Change-Id: I302714250e9ea6367f37613c09caa522d56c151c
Reviewed-on: https://chromium-review.googlesource.com/1254121
Reviewed-by: Daniel Clifford <danno@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56312}
Instead of writing the forwarding pointer of this object and treating it like
an object that would survive on scavenge just write the actual string pointer
to the outer slot. As a consequence, the ThingString will not look like a live
object and is handled properly when pruning the external string table.
Bug: v8:8249
Test: test/cctest/heap/test-external-string-tracker.cc
Change-Id: I975900213e2e4b598f298c8f78b6c6047c9e6da4
Reviewed-on: https://chromium-review.googlesource.com/1252885
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56311}
It was shipped in Chrome 67.
Bug: v8:6791, v8:8238
Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;luci.chromium.try:linux_chromium_rel_ng;luci.v8.try:v8_linux_noi18n_rel_ng;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I94d8f0aa18570452403a35dea270b18f155c970a
Reviewed-on: https://chromium-review.googlesource.com/1253604
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56310}
This change adds an infrastructure to "snapshot" data that is being
serialized only once. This data lives in its own per-isolate zone, wrapped
in a new CompilerData class.
This change reduces the "serialize standard objects" on TypeScript
benchmark from ~69ms to ~30ms (more than 50% improvement).
Bug: v8:7790
Change-Id: I6ce4f6fb993334969662fdd993d681945a9f3727
Reviewed-on: https://chromium-review.googlesource.com/1238920
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56309}
Once the broker retired, only allow retrieval of a reference's
handle. That's all we need for now.
Bug: v8:7790
Change-Id: Ib75887ed4a68e19ad7fad4c6046e340502542850
Reviewed-on: https://chromium-review.googlesource.com/1251086
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56308}
Currently, we call the MapRef::AsElementsKind method on an initial
map multiple times (from JSCreateLowering::ReduceJSCreateArray).
However, this does not does not play well with the heap copier/broker,
which only expectes AsElementsKind to be called on initial maps.
This CL makes sure we only call AsElementsKind once (on the initial map).
Bug: chromium:890620
Change-Id: If44421d3900abb7629ea8f789a005b8d8ebaf881
Reviewed-on: https://chromium-review.googlesource.com/1253105
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56307}
Shortcuts allow identifiable primary expressions to bypass all productions
starting from assignment expression. We can identify them by looking at the
token after the single token of which the primary expression consists. This CL
adds support for 'identifier' followed by '=' as a primary LHS.
Change-Id: I2f1939a39e03384598359a3a39e1d6cef9967e21
Reviewed-on: https://chromium-review.googlesource.com/1252805
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56306}
This reverts commit c285380ca8.
Reason for revert: Lots of dcheck failures on GPU bots, e.g.:
https://ci.chromium.org/p/v8/builders/luci.v8.ci/Win%20V8%20FYI%20Release%20(NVIDIA)/1997https://ci.chromium.org/p/v8/builders/luci.v8.ci/Linux%20V8%20FYI%20Release%20(NVIDIA)/2770
Original change's description:
> Create a fast path to get migration target when updating map
>
> During map updating, store the pointer to new map in the
> raw_transitions slot of the old map that is deprecated from map
> transition tree. Thus, we can get the migration target directly
> instead of TryReplayPropertyTransitions when updating map.
>
> This can improve Speedometer2.0 Elm-TodoMVC case by ~5% on ATOM
> Chromebook and ~9% on big-core Ubuntu.
>
> Change-Id: I56f9ce5183bbdd567b964890f623ef0ceed9b7db
> Reviewed-on: https://chromium-review.googlesource.com/1233433
> Commit-Queue: Shiyu Zhang <shiyu.zhang@intel.com>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#56303}
TBR=ishell@chromium.org,shiyu.zhang@intel.com
Change-Id: I9b268d662cfa3a7fec577468eafe6570389252bc
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/1253104
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56305}
The representation changer was lacking support for directly converting
Word64 values to Bit representation.
Bug: chromium:890243, v8:4153, v8:7881, v8:8171, v8:8178
Change-Id: I5fa31716c7b2b10ad00dc31d5035a1ada152661c
Reviewed-on: https://chromium-review.googlesource.com/1251551
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56304}
During map updating, store the pointer to new map in the
raw_transitions slot of the old map that is deprecated from map
transition tree. Thus, we can get the migration target directly
instead of TryReplayPropertyTransitions when updating map.
This can improve Speedometer2.0 Elm-TodoMVC case by ~5% on ATOM
Chromebook and ~9% on big-core Ubuntu.
Change-Id: I56f9ce5183bbdd567b964890f623ef0ceed9b7db
Reviewed-on: https://chromium-review.googlesource.com/1233433
Commit-Queue: Shiyu Zhang <shiyu.zhang@intel.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56303}
Change the way that the (internal) await closures store the link to the
generator object by introducing a dedicated AwaitContext, which stores
the generator object into the extension slot (instead of misusing a
regular FunctionContext here). Also unify the allocation+initialization
of these contexts in the await-related builtins (both for async functions
and generators).
The rationale behind this is that for (zero-cost) async stack traces, we
will need to dig into these contexts and we can do better checking with
a dedicated instance type there. As an additional benefit, we save one
word per await context, since we just use (the otherwise unused) extension
slot to remember the generator object. As yet another benefit we will
never accidentally use any of these contexts in the regular scope chain
lookups, meaning we can also catch bugs there. And last but not least
the objects printing machinery understands these contexts now and can
even print the generator object for AwaitContexts for short printing,
which is really valuable for debugging.
Tbr: ulan@chromium.org
Bug: v8:7253, v8:7522, v8:8015
Change-Id: I86955f5701e694e8a10b91ebe5f52705aa90968d
Reviewed-on: https://chromium-review.googlesource.com/1249491
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56301}
Remove Unpack* methods from all Intl objects
Make the icu data in Intl objects more consistent in naming
Bug: v8:8248
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: If81a3010265e91919b548dad2dbd11c5ae8e4abd
Reviewed-on: https://chromium-review.googlesource.com/1252883
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56299}
This CL mirrors the ia32 SIMD conversion, Alltrue/AnyTrue operations
with minor cleanliness changes to use TempRegisters instead of
ScratchRegisters
Change-Id: I84d3e148200dd611a72380b24404b75c73c5352d
Reviewed-on: https://chromium-review.googlesource.com/1174096
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56297}
Remove numbering_system and change the type of locale
to reduce memory usage of JSDateTimeFormat
Bug: v8:8066
Change-Id: I8a319e05312ffa62f22a382bf150bbe9b48f5f54
Reviewed-on: https://chromium-review.googlesource.com/1242093
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56296}
Sometimes we do not have promise on stack, e.g. Promise.reject call,
but we need to attribute this pause with promise rejection.
TBR=yangguo@chromium.org
Bug: chromium:755728
Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I03ca1e1cd6c21677f0a12ece626e2c8a1938437b
Reviewed-on: https://chromium-review.googlesource.com/1249942
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56293}
This is necessary to be able to share the data for read-only
objects amongst multiple broker instances.
Bug: v8:7790
Change-Id: I0da58f8a9eded06ac6e994bc540a3a1bc481d6a7
Reviewed-on: https://chromium-review.googlesource.com/1251308
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56292}
This CL adds a bit more rigor to the handling of length properties
in JSObject-derived classes that explicitly contain that property
inline.
This involves:
- Introducing a new superclass of JSArgumentsObject called
JSArgumentsObjectWithLength that is shared with other object
instances that also have a fixed length property.
- Adding JSArgumentsObjectWithLength to the type hierarchy in Torque,
including adding fast-cases for leading the length property for all
classes deriving from JSObjectWithLength.
- Adding more rigor to Context and NativeContext handling in base.tq.
This is useful for the map checks required to verify objects are
argument object types derived from JSArgumentsObjectWithLength.
Change-Id: I2f0a20601ffcb90b3767cbaeb766e9998d3462ec
Reviewed-on: https://chromium-review.googlesource.com/1248661
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56289}
We have the generic {no_reg} and {no_dreg}, other definitions are dead.
Currently even {no_dreg} is dead, but I am keeping this because I can
see future need for that.
R=mstarzinger@chromium.org
Bug: v8:8238
Change-Id: I0de597fead6b3def18fd5c530419d3c149f235a8
Reviewed-on: https://chromium-review.googlesource.com/1251123
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56288}
It was accidentally removed in CL that introduced BoundedPageAllocator.
This CL also cleans up the CodeRangeAddressHint a bit.
Bug: v8:8096, chromium:887252
Change-Id: Idc84796dd1ff1b440cbe3515732984264defcf2d
Reviewed-on: https://chromium-review.googlesource.com/1249125
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56287}
Pending phantom handle callbacks are not reliably executed if the heap
shuts down. This can cause to memory leaks or other unwanted behaviour,
like in wasm where the NativeModules (held in Managed objects
implemented via phantom handles) unregister from the WasmEngine in the
second-pass callback. This must be executed before tearing down the
WasmEngine.
This CL fixes this by running pending callback synchronously on heap
tear down.
R=ulan@chromium.org, mlippautz@chromium.org
Bug: v8:8208
Change-Id: I27b630c4d8f1fb12309040ea2179b64eed38710a
Reviewed-on: https://chromium-review.googlesource.com/1249101
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56286}
Minor refactoring, for readability and performance.
R=ahaas@chromium.org
Bug: v8:8015
Change-Id: I30c4a76998c8867aea0e08fd982b4425d4ae8fef
Reviewed-on: https://chromium-review.googlesource.com/1251163
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56285}
Trimming may free up some allocatable pages that can be reused by subsequent
allocations.
This CL also fixes base::AddressRegion::contains(Address, size_t).
Bug: v8:8096
Change-Id: I3b7381fd32f7dbf186dffc1a26d5a88cd8a30d2f
Reviewed-on: https://chromium-review.googlesource.com/1249127
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56284}
|this| cannot be an ambiguous declaration. Actual declarations are inserted
upon function scope creation, so we can simply parse as reference and it will
resolve correctly.
Change-Id: I3aaa1a2666b4caffbf8524caec7068125e10240b
Reviewed-on: https://chromium-review.googlesource.com/1251162
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56283}
