In Wasm-to-interpeter entry creation, arguments for the interpreter
are stored in an argument buffer. Depending on the order of the
arguments some arguments may be misaligned and this causes crashes
on those architectures that do not support unaligned memory access.
TEST=cctest/test-wasm-interpreter-entry/TestArgumentPassing_AllTypes
BUG=
Review-Url: https://codereview.chromium.org/2705293011
Cr-Commit-Position: refs/heads/master@{#43476}
The new NewUnmappedArgumentsElements node now takes two inputs:
- the frame holding the arguments (current frame or arguments adaptor frame)
- the length of the suffix of passed arguments to be copied into the backing store
These inputs are computed with two new node types:
ArgumentsFrame()
ArgumentsLength[formal_parameter_count,is_rest_length](Node* arguments_frame)
The node type NewRestParameterElements can now be expressed with NewUnmappedArgumentsElements and an appropriate length and is thus not needed anymore.
In escape analysis, we lower loads from the length field of NewUnmappedArgumentsElements with its length input and if we find out that no write access to the arguments elements exists, we replace element loads with direct stack access and replace the NewUnmappedArgumentsElements node with a node of the new node type ArgumentsElementsState. This corresponds to an ObjectState node and gets translated into a deoptimizer instruction to allocate the backing store. Together with the already existing deoptimizer support for the actual arguments object/rest parameters, this allows to remove all allocations for arguments objects/rest parameters in this case.
In the deoptimizer, we read the actual parameters from the stack while transforming the static deopt info into TranslatedValue objects.
If escape analysis cannot remove the backing store allocation, NewUnmappedArgumentsElements gets lo
BUG=v8:5726
Review-Url: https://codereview.chromium.org/2692753004
Cr-Commit-Position: refs/heads/master@{#43475}
Avoiding runtime call overhead.
There's a fast path for Function.prototype loads, which are very common.
BUG=v8:5269
Review-Url: https://codereview.chromium.org/2711353002
Cr-Commit-Position: refs/heads/master@{#43474}
This handles relational comparison operations (no equality yet) having
number feedback during the early type-hint lowering (i.e. during graph
construction).
R=jarin@chromium.org
Change-Id: Ia276d1d7c5931f1e92f31e4e24c181d82d48a138
Reviewed-on: https://chromium-review.googlesource.com/446762
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43471}
This makes it no longer necessary to ensure that V8 and Blink have non-colliding
tags, which makes it easier for them to evolve independently, and also makes
the wire format more suitable for other V8 embedders, who would not
necessarily be surveyed before V8 introduced a new tag that might collide
with theirs.
BUG=chromium:686159
Review-Url: https://codereview.chromium.org/2709023003
Cr-Commit-Position: refs/heads/master@{#43466}
perf regression. See crbug.com/695653 for more info.
Revert "[SAB] Move Atomics builtins to C++"
This reverts commit 2b9840d86f.
Revert "[SAB] Remove unreachable Uint8Clamped atomics paths"
This reverts commit d1160fb14f.
Revert "Remove tiny unit test for MinSimple/MaxSimple"
This reverts commit 837760ecb7.
Revert "Remove infrastructure for experimental JS natives"
This reverts commit 8cfe45b6f1.
BUG=695653
TBR=hablich@chromium.org
Review-Url: https://codereview.chromium.org/2715223003
Cr-Commit-Position: refs/heads/master@{#43462}
This will randomly break compilation units that don't happen to #define
DCHECK before v8-util.h is included.
BUG=chromium:688155
Change-Id: I7abdaf87c8bb7aca995d9e6e7ef8b4faff0dc50c
Reviewed-on: https://chromium-review.googlesource.com/447002
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43455}
Make MarkerIs[Not]FrameType actually use their argument instead of a
fixed value for the stack frame type.
Review-Url: https://codereview.chromium.org/2709953002
Cr-Commit-Position: refs/heads/master@{#43454}
Inline the Array.isArray builtin during typed lowering, which generates
ideal code for the common case (non-JSProxy arg), and use the existing
%ArrayIsArray runtime function for the JSProxy case just like in baseline.
BUG=v8:5267
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2719023002
Cr-Commit-Position: refs/heads/master@{#43453}
When an instance of a constructor goes dictionary mode, this changes the initial map
of that constructor to also be in dictionary mode. This avoids spurious hidden class
creation, that also results in IC misses.
BUG=
Change-Id: I0e70f822ac345d0224f2092ec473621a603d4cc5
Reviewed-on: https://chromium-review.googlesource.com/446361
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43452}
In spec review, the Intl constructor fallback semantics ended
up changing a bit; this patch updates V8 to the newest semantics.
BUG=v8:4360,v8:4870
Review-Url: https://codereview.chromium.org/2618533002
Cr-Commit-Position: refs/heads/master@{#43448}
This extends the existing typer for JS-level comparisons to also be
applied on simplified-level number comparisons. Now that nodes having
such operators are introduced early during graph construction, precise
type information has become more important.
R=jarin@chromium.org
TEST=unittests/TyperTest
Change-Id: Ibcfda36cadf72381b3c63138dd8ad2f6b1f7fbba
Reviewed-on: https://chromium-review.googlesource.com/445879
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43447}
Nodes having the {Throw} operator are just used as terminators for
control-flow leaving the function body with an exception completion,
they turn into basic-block terminators within the schedule. Actually
raising an exception is done solely via runtime calls. Hence {Throw}
nodes no longer need any value input.
R=bmeurer@chromium.org
Change-Id: Id6d8e46b12c4b84f4e7a8ac96623c8efb1f27b26
Reviewed-on: https://chromium-review.googlesource.com/446501
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43445}
Don't just blindly bake in CallIC feedback in the JSCallReducer,
but instead try to estimate first whether it makes sense to bake
it in (and risk potential eager deoptimization exits). We already
didn't use the CallIC feedback when the call target is a known
constant, but we should also not use it if the target is a
JSCreateClosure node or a Phi of known constants / JSCreateClosure
nodes.
R=jarin@chromium.org
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2721483003
Cr-Commit-Position: refs/heads/master@{#43443}
Calling AstNode::Print() from within gdb, e.g. during bytecode
generation, sometimes results in a CHECK failure due to handle
dereferencing being disallowed. This is very frustrating.
Since this function is purely for debugging and not called anywhere in
the code base, I'm now explicitly adding an AllowHandleDereference scope
to it.
R=adamk@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2711003007
Cr-Commit-Position: refs/heads/master@{#43439}
Currently, ArrayIncludes handles the hypothetical case of an array with
a fast ElementsKind and non-SMI length. This should not happen (and is checked
against in JSArray::JSArrayVerify of objects_debug.cc).
Therefore this CL replaces that handling with a CSA_ASSERT that the length is
indeed SMI.
The CL also simplifies loading of the (SMI) length on 64 bit architectures by
using LoadAndUntagObjectField instead of LoadObjectField+SmiToWord.
BUG=v8:5985
Review-Url: https://codereview.chromium.org/2714193002
Cr-Commit-Position: refs/heads/master@{#43433}
Currently, Generate_ArrayIndexOf handles the hypothetical case of an array with
a fast ElementsKind and non-SMI length. This should not happen (and is checked
against in JSArray::JSArrayVerify of objects_debug.cc).
Therefore this CL replaces that handling with a CSA_ASSERT that the length is
indeed SMI.
The CL also simplifies loading of the (SMI) length on 64 bit architectures by
using LoadAndUntagObjectField instead of LoadObjectField+SmiToWord.
The CL does not add new tests, because test/mjsunit/array-length.js should
cover this already.
BUG=v8:5985
Review-Url: https://codereview.chromium.org/2714173002
Cr-Commit-Position: refs/heads/master@{#43431}
- Renames Create ops to Splat.
- Adds machine operators to initialize all SIMD machine types.
Boolean vector types may need initialization, so provide zero
operators.
LOG=N
BUG=v8:4124,695330
Review-Url: https://codereview.chromium.org/2719483002
Cr-Commit-Position: refs/heads/master@{#43430}
Node.js doesn't build because v8_extra_library_files is
used but not defined in v8.gyp.
We can probably clean up the build file and properly
delete v8_extra_library_files, just want to get the integration
build green again.
TBR=adamk@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2720483002
Cr-Commit-Position: refs/heads/master@{#43429}
