A failing memory bounds check is a debugging event. At debugging events
the value stack is observable and therefore has to match the speced
value stack. In Atomic.Wait the value stack got modified before the
bounds. With this CL memory bounds check gets moved to the beginning.
R=clemensb@chromium.org
Bug: chromium:1380498
Change-Id: I4a5fe4d49f05d5376cb717f3dc7ecca4fdcbd998
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3998816
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84051}
for-in enumeration creates an EnumCache, which is currently incorrectly
allocated in the per-thread heap. This CL preallocates the enum cache at
SharedStructType-creation time.
Also drive-by fixes typos in the enum cache code.
Bug: v8:12547, chromium:1379616
Change-Id: I1930f88844eca5ccfeebd8dfdcce4ad0bd80ee38
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3997701
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84047}
Change the test helper, %PrepareFunctionForOptimization, to permanently
mark functions for manual optimization (rather than being marked only up
to their next optimization). These functions will now never be heuristic
optimized, and will always require tier-up via intrinsics.
This prevents variants with low interrupt budgets from messing with
tests that are carefully controlling optimization state across
multiple optimisations, as well as simplifying the mechanism since we
no longer have to maintain the state machine of 'function state'.
Change-Id: I9a45312c70ba4a03b57924c3b3ee17e892ede5a0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3990787
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84038}
In a few places, shared structs currently incorrectly assume all storage
is in-object. This CL fixes those and rename
CSA::StoreJSSharedStructInObjectField to CSA::StoreSharedObjectField to
reflect the genericity.
Bug: v8:12547
Change-Id: I7c155b6bc584fbdcdbd484fda38f9f8a1940953d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3997700
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84022}
Copy the instanceof fast path from TurboFan, which emits an
'OrdinaryHasInstance' when there is no @@hasInstance symbol (which can
eventually become a constant true/false if we can look through the
prototype chain), and a direct call of @@hasInstance otherwise.
In particular, the call to @@hasInstance requires a continuation builtin
(to call ToBoolean), so add support for these too.
Bug: v8:7700
Change-Id: I14aee4346e98cd650f190b811cc7a733e33addae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3990844
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84012}
Before https://crrev.com/c/3054114 we needed to pad the frame size to 4k
so that it fits into a 'sub' instruction as an immediate.
Since frame sizes larger than 4k use special OOL code now, this is not
required any more.
We thus remove the padding to save stack space.
R=ahaas@chromium.org
Bug: chromium:1379364
Change-Id: I155628141d2c0438415ccff36a4de8f7d1ad4fd3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3991050
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83999}
An Int32Constant might need to be tagged in Phi boundaries.
This exposes the Graph's smi constants to frames state
merger logic.
Bug: v8:7700, chromium:1378814, chromium:1379571
Change-Id: Ib373b44a76324eeb23cf9fef4483f70160cd54b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3993220
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83993}
This reverts commit e7f6d34cfe.
Reason for revert: Regressions and clusterfuzz bugs
Original change's description:
> [ic] Remove SameValue optimisation for constant fields
>
> We would previously try to preserve field constness if field assignment
> was assigning the same value. It's unexpected that real-life code would
> be assigning the same value multiple times to an intentionally constant
> field, so this was additional bookkeeping with unclear value.
>
> Replace this with not doing it, and considering any write to a constant
> field to convert it to mutable. In particular, this means that stores to
> existing constant fields in TurboFan become unconditional deopts, rather
> than emitting additional code to check whether the value is the same.
>
> Locally, this deopt doesn't fire on our peak-performance benchmarks.
>
> Bug: v8:5495
> Change-Id: I12216c5f10a00f42be32c64ca3afe7cf59b4e7f3
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3976516
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83955}
Bug: v8:5495
Change-Id: Ifeeceb773af04e9dd5e069821cd128a1cdbedcf5
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3990683
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#83970}
This reverts commit 57db447bf2.
This reland adds handling for Oddballs in Int64Add and Int64Sub in the
SLVerifier and updates the Verifier to check that Int32Constant and
Int64Constant are correctly typed with Type::Machine().
Original change's description:
> [turbofan] Optimize rab/gsab-backed TypedArrays and DataViews
>
> This CL adds TurboFan optimizations for length and element access
> of TypedArrays and DataViews that are rab/gsab-backed.
>
> To enable this optimization, this CL builds the necessary machinery
> required to allow machine operators at the front of the pipeline
> (before simplified lowering). Some key changes to allow this are:
> - Introduce Type::Machine() to allow the typer and the verifier to
> provide a type to those machine operators in parts of the pipeline
> that require nodes to be typed.
> - Add EnterMachineGraph and ExitMachineGraph operators that define
> the boundary between early machine graphs and the normal graph with
> JS semantics.
> - Give Branch operators a BranchSemantics parameter to distinguish
> between machine branches (condition is a machine level value) and
> JS branches (condition is a JS boolean value) and have phases that
> handle branches decide on the branch's semantics based on this
> parameter instead of the position in the pipeline.
> - Extend SimplifiedLowering and SimplifiedLoweringVerifier to handle
> machine graphs. In particular, constants required special handling,
> because they are cached in the graph but they may have uses in both
> a machine and the JS graph, which prevents consistent typing of
> them.
> - Moved lots of logic from JSCallReducerAssembler into
> [JS]GraphAssembler such that functionality can be shared between
> different phases (e.g. JSNativeContextSpecialization and
> JSCallReducer need to generate logic to compute a TypedArray's
> byte length). Extended assembler interface in general with
> additional TNode<> overloads.
>
>
> Bug: v8:11111, chromium:1358505
> Change-Id: Ife006b8c38a83045cd3b8558acbfdcb66408891f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898690
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83881}
Bug: v8:11111, chromium:1358505, v8:13412, chromium:1378439, chromium:1378162
Change-Id: I89702c4be05e0e71cd6836dc50d2e26736a55429
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3980759
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83956}
We would previously try to preserve field constness if field assignment
was assigning the same value. It's unexpected that real-life code would
be assigning the same value multiple times to an intentionally constant
field, so this was additional bookkeeping with unclear value.
Replace this with not doing it, and considering any write to a constant
field to convert it to mutable. In particular, this means that stores to
existing constant fields in TurboFan become unconditional deopts, rather
than emitting additional code to check whether the value is the same.
Locally, this deopt doesn't fire on our peak-performance benchmarks.
Bug: v8:5495
Change-Id: I12216c5f10a00f42be32c64ca3afe7cf59b4e7f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3976516
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83955}
This extends crrev.com/c/3948663 (ref.cast) by adding the new
"ref.cast null" which only behaves different for null for which
it doesn't trap but instead casts the null value to the target
(null)type.
Bug: v8:7748
Change-Id: I3ac85d83cc06c95af8830c1c60ae2f28414e2570
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3960329
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83934}
Unstable maps can transition to stable ones after a side effect,
therefore we cannot trust the set of stable maps. The CL nukes
from the set from stable_maps, equivalent of setting it to
the universal set.
Bug: v8:7700
Change-Id: I457f76efd48ec7eec747233ec063ebe265d3085a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3978169
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83923}
This reverts commit 05bd7d9cd6.
Reason for revert: Still looks like a reason for rollout tests failure https://ci.chromium.org/ui/p/chromium/builders/try/linux-rel/1179312/overview
Original change's description:
> Reland "[turbofan] Optimize rab/gsab-backed TypedArrays and DataViews"
>
> This reverts commit 4b28d53011.
>
> Original change's description:
> > [turbofan] Optimize rab/gsab-backed TypedArrays and DataViews
> >
> > This CL adds TurboFan optimizations for length and element access
> > of TypedArrays and DataViews that are rab/gsab-backed.
> >
> > To enable this optimization, this CL builds the necessary machinery
> > required to allow machine operators at the front of the pipeline
> > (before simplified lowering). Some key changes to allow this are:
> > - Introduce Type::Machine() to allow the typer and the verifier to
> > provide a type to those machine operators in parts of the pipeline
> > that require nodes to be typed.
> > - Add EnterMachineGraph and ExitMachineGraph operators that define
> > the boundary between early machine graphs and the normal graph with
> > JS semantics.
> > - Give Branch operators a BranchSemantics parameter to distinguish
> > between machine branches (condition is a machine level value) and
> > JS branches (condition is a JS boolean value) and have phases that
> > handle branches decide on the branch's semantics based on this
> > parameter instead of the position in the pipeline.
> > - Extend SimplifiedLowering and SimplifiedLoweringVerifier to handle
> > machine graphs. In particular, constants required special handling,
> > because they are cached in the graph but they may have uses in both
> > a machine and the JS graph, which prevents consistent typing of
> > them.
> > - Moved lots of logic from JSCallReducerAssembler into
> > [JS]GraphAssembler such that functionality can be shared between
> > different phases (e.g. JSNativeContextSpecialization and
> > JSCallReducer need to generate logic to compute a TypedArray's
> > byte length). Extended assembler interface in general with
> > additional TNode<> overloads.
> >
> >
> > Bug: v8:11111, chromium:1358505
> > Change-Id: Ife006b8c38a83045cd3b8558acbfdcb66408891f
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898690
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> > Reviewed-by: Clemens Backes <clemensb@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#83881}
>
> Bug: v8:11111, chromium:1358505, v8:13412
> Change-Id: I61664e18a9dba1741bcb70ec22ba6342521f500a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3976512
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83904}
Bug: v8:11111, chromium:1358505, v8:13412
Change-Id: I960a34cfdb861feddf51cbcd759218f39b26cd56
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3980313
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Ilya Rezvov <irezvov@chromium.org>
Commit-Queue: Ilya Rezvov <irezvov@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83914}
This reverts commit 4b28d53011.
Original change's description:
> [turbofan] Optimize rab/gsab-backed TypedArrays and DataViews
>
> This CL adds TurboFan optimizations for length and element access
> of TypedArrays and DataViews that are rab/gsab-backed.
>
> To enable this optimization, this CL builds the necessary machinery
> required to allow machine operators at the front of the pipeline
> (before simplified lowering). Some key changes to allow this are:
> - Introduce Type::Machine() to allow the typer and the verifier to
> provide a type to those machine operators in parts of the pipeline
> that require nodes to be typed.
> - Add EnterMachineGraph and ExitMachineGraph operators that define
> the boundary between early machine graphs and the normal graph with
> JS semantics.
> - Give Branch operators a BranchSemantics parameter to distinguish
> between machine branches (condition is a machine level value) and
> JS branches (condition is a JS boolean value) and have phases that
> handle branches decide on the branch's semantics based on this
> parameter instead of the position in the pipeline.
> - Extend SimplifiedLowering and SimplifiedLoweringVerifier to handle
> machine graphs. In particular, constants required special handling,
> because they are cached in the graph but they may have uses in both
> a machine and the JS graph, which prevents consistent typing of
> them.
> - Moved lots of logic from JSCallReducerAssembler into
> [JS]GraphAssembler such that functionality can be shared between
> different phases (e.g. JSNativeContextSpecialization and
> JSCallReducer need to generate logic to compute a TypedArray's
> byte length). Extended assembler interface in general with
> additional TNode<> overloads.
>
>
> Bug: v8:11111, chromium:1358505
> Change-Id: Ife006b8c38a83045cd3b8558acbfdcb66408891f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898690
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83881}
Bug: v8:11111, chromium:1358505, v8:13412
Change-Id: I61664e18a9dba1741bcb70ec22ba6342521f500a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3976512
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83904}
Follow-up to commit 6168782925
With this change 0x14 now also consumes a sig index immediate.
This will allow users to switch from 0x17 back to 0x14 without
breaking changes. After another grace period, 0x17 can be removed.
Reland of commit I65fe8b5bceb70323dd5e6450ec7bcc02696b15fa adapted by the concurrent changes in 35cc93aa42.
(This reverts commit 01379ba6d65371b70908da8e8386a9d9993aa2f9.)
Change-Id: I699095afb85d460e1fef8bd88abfd4c748090eda
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3977828
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83900}
This CL solves two problems:
- Eliminating redundant CheckBigInt/CheckBigInt64 by decomposing
CheckBigInt64 to CheckBigInt and CheckedBigIntToBigInt64.
- Having precise checks for SignedBigInt64 to make the range of BigInt64
consistent in CheckedBigInt64Ops and CheckedBigIntToBigInt64.
Otherwise, there would be semantic difference between the subgraphs
where we keep CheckBigInt64 inbetween two CheckedBigInt64Ops (e.g.,
the variant assert_types) and the subgraphs where we eliminate the
checks.
Bug: v8:9407
Change-Id: I79a5c99e12eb3f3ffc7b5cbfc51191e6792f634b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3960333
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83899}
This reverts commit 8f3047531d.
Reason for revert: CL collision:
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20-%20builder/63710/overview
Original change's description:
> [wasm] ref.call: Consume sig index immediate
>
> Follow-up to commit 6168782925
> With this change 0x14 now also consumes a sig index immediate.
> This will allow users to switch from 0x17 back to 0x14 without
> breaking changes. After another grace period, 0x17 can be removed.
>
> Change-Id: I5d0039fd1ca9d62c3d42e5834fe7924de45ad7ef
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3974512
> Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83890}
Change-Id: I65fe8b5bceb70323dd5e6450ec7bcc02696b15fa
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3976029
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83894}
Follow-up to commit 6168782925
With this change 0x14 now also consumes a sig index immediate.
This will allow users to switch from 0x17 back to 0x14 without
breaking changes. After another grace period, 0x17 can be removed.
Change-Id: I5d0039fd1ca9d62c3d42e5834fe7924de45ad7ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3974512
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83890}
This reverts commit bd590292b3.
Reason for revert:
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Mac64%20GC%20Stress/25069/overview
Original change's description:
> [turbofan] Optimize rab/gsab-backed TypedArrays and DataViews
>
> This CL adds TurboFan optimizations for length and element access
> of TypedArrays and DataViews that are rab/gsab-backed.
>
> To enable this optimization, this CL builds the necessary machinery
> required to allow machine operators at the front of the pipeline
> (before simplified lowering). Some key changes to allow this are:
> - Introduce Type::Machine() to allow the typer and the verifier to
> provide a type to those machine operators in parts of the pipeline
> that require nodes to be typed.
> - Add EnterMachineGraph and ExitMachineGraph operators that define
> the boundary between early machine graphs and the normal graph with
> JS semantics.
> - Give Branch operators a BranchSemantics parameter to distinguish
> between machine branches (condition is a machine level value) and
> JS branches (condition is a JS boolean value) and have phases that
> handle branches decide on the branch's semantics based on this
> parameter instead of the position in the pipeline.
> - Extend SimplifiedLowering and SimplifiedLoweringVerifier to handle
> machine graphs. In particular, constants required special handling,
> because they are cached in the graph but they may have uses in both
> a machine and the JS graph, which prevents consistent typing of
> them.
> - Moved lots of logic from JSCallReducerAssembler into
> [JS]GraphAssembler such that functionality can be shared between
> different phases (e.g. JSNativeContextSpecialization and
> JSCallReducer need to generate logic to compute a TypedArray's
> byte length). Extended assembler interface in general with
> additional TNode<> overloads.
>
>
> Bug: v8:11111, chromium:1358505
> Change-Id: Ife006b8c38a83045cd3b8558acbfdcb66408891f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898690
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83881}
Bug: v8:11111, chromium:1358505
Change-Id: Ifa7b81523237ebda941cab2feed42c176846b618
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3976028
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Owners-Override: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83888}
This CL adds TurboFan optimizations for length and element access
of TypedArrays and DataViews that are rab/gsab-backed.
To enable this optimization, this CL builds the necessary machinery
required to allow machine operators at the front of the pipeline
(before simplified lowering). Some key changes to allow this are:
- Introduce Type::Machine() to allow the typer and the verifier to
provide a type to those machine operators in parts of the pipeline
that require nodes to be typed.
- Add EnterMachineGraph and ExitMachineGraph operators that define
the boundary between early machine graphs and the normal graph with
JS semantics.
- Give Branch operators a BranchSemantics parameter to distinguish
between machine branches (condition is a machine level value) and
JS branches (condition is a JS boolean value) and have phases that
handle branches decide on the branch's semantics based on this
parameter instead of the position in the pipeline.
- Extend SimplifiedLowering and SimplifiedLoweringVerifier to handle
machine graphs. In particular, constants required special handling,
because they are cached in the graph but they may have uses in both
a machine and the JS graph, which prevents consistent typing of
them.
- Moved lots of logic from JSCallReducerAssembler into
[JS]GraphAssembler such that functionality can be shared between
different phases (e.g. JSNativeContextSpecialization and
JSCallReducer need to generate logic to compute a TypedArray's
byte length). Extended assembler interface in general with
additional TNode<> overloads.
Bug: v8:11111, chromium:1358505
Change-Id: Ife006b8c38a83045cd3b8558acbfdcb66408891f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898690
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83881}
This removes the temporary option and sets its value to {true}
everywhere.
Bug: v8:7748
Change-Id: Icbc3071b531b130c0eb007758452d09b65491c04
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3974510
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83880}
It's been enabled by default since Chrome 91.
Bug: v8:6020
Change-Id: Id26b7fb0b7dffe19a88a6f0071dd59203b06415a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3957636
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83862}
Code coverage tests invoke garbage collection, to test that coverage
data is not reclaimed by the garbage collector and that the native
%DebugTogglePreciseCoverage works as intended. One of them tests that
garbage collection indeed reclaims the coverage data, if the above
native is not used. When conservative stack scanning is used, this may
fail.
This CL fixes the tests, ensuring that a precise garbage collection
will be invoked, without scanning the stack. To achieve this, the
garbage collection is invoked not with %CollectGarbage but by using
--expose-gc and the asynchronous execution mode, which ensures that
it will be invoked from the event loop without a stack.
Bug: v8:13257
Change-Id: Id44ef0d442bfd0a8afda282c3345e5ebeb239356
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3968708
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83851}
This CL makes the object keeping stack information thread-local, moving
it from Heap to ThreadLocalTop. In this way, stack scanning will work
correctly when switching between threads, e.g., using v8::Locker.
It also introduces a mechanism for setting a stack marker, to be used
for scanning only the part of stack between its start and the marker
(instead of the current stack top).
Bug: v8:13257
Change-Id: I01091f5f49d9a8143d50aeef53789a98bdb29048
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3960991
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83848}
For some reason we overlooked shared memory64 so far. Supporting it is
trivial, we just need to fix flag parsing.
To make parsing simpler, we replace the switch by a bit-decoding logic.
R=jkummerow@chromium.org
Bug: v8:10949, v8:13401
Change-Id: I1d884a174f901ed359c1d385055c9f2d24b0e2f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3967904
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83846}
When inlining a tail call node into a regular call, the tail call node
is transformed into a regular call. This new call node (or its
projections in the case of multi-return) has to be typed.
Bug: v8:13406, v8:12166
Change-Id: I39cc619e6ee4f0d16763699fe4facebe461a750f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3968715
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83839}
It's been enabled everywhere since Chrome 88, and the related
Chromium flag was removed in https://crrev.com/c/2886421.
Bug: v8:6532
Change-Id: I987a5761f9453d4e7d77d16199e8f0b3a659c70a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3956131
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Auto-Submit: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83809}
Lowering the Clamp annotation relies on float rounding, which is
only supported with SSE4 enabled. Thus disabling generating the
fast call path if such arguments are present and SSE4 is disabled.
Bug: chromium:1374745
Change-Id: I14438902946d4744521dac8d8d314af51a722da5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3960410
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83799}
This is a reland of commit 4804c4de31.
There are major changes since the previous attempt:
- The WasmLiftoffFrameSetup (formerly WasmGetFeedbackVector) builtin
now performs as much of the frame setup work as possible, to reduce
generated code size for each function.
- The WasmLazyCompile builtin/runtime function no longer allocates,
hence gets frame type INTERNAL, and is un-handlified.
Original change's description:
> [wasm] Allocate feedback vectors on demand
>
> We previously allocated feedback vectors when instantiating the module,
> or when lazily compiling a function. That's not sufficient when there
> are multiple instances of the same NativeModule, or when we eagerly
> tier-down all code for debugging. This patch changes the "get vector from
> instance" sequence at the beginning of every Liftoff function to "get
> or allocate vector"; factored into a builtin call to avoid generating
> more code for every function.
>
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3939667
> Cr-Commit-Position: refs/heads/main@{#83610}
Bug: v8:12852
Change-Id: I58a6a02a55c3e29cae3cbdafad6cf81487faccbe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3942206
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83794}
When creating a character class in unicode, case-insensitive mode we use
icu::UnicodeSet::closeOver() to add all characters that case-insensitive
match the characters in the class.
According to the spec only simple case folding shall be performed for
case-insensitive unicode matching, but closeOver() adds all characters
that are equal w.r.t full case folding.
The current approach of just removing strings from the closeOver set is
not enough, as single code point characters still remain in the set if
they were equal only by performing full case folding.
E.g. the characters \u0390 and \u1FD3 both fold to the same string
"\u03B9\u0308\u0301" via full case folding, but they don't have a simple
case folding in common.
To prevent these wrong matches, we calculate the set of all characters
with close overs that are wrong according to the spec at build time and
remove them from the set before adding case-insensitive equivalent
characters.
Bug: v8:13377
Change-Id: I0252c79143f266911691331dd0e1e27044ea8cba
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3952095
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83791}
Collect feedback for small BigInt division and modulo operation in
the interpreter and use feedback for BigInt subtraction,
multiplication, and division in turbofan except modulo operation
because it is not supported yet in turbofan.
Bug: v8:9407
Change-Id: I931cf9f70778c866599611474f1834417f023a74
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3948787
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83768}
--use-map-space was already disabled by default. This CL removes
the possibility to enable map space again by removing that flag and
all its usages.
Bug: v8:12578
Change-Id: I8af18f39e9bf645316aa8718b49589eb4b852374
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3959658
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83758}
