Adds support for generating deoptimization translations for interpreter
stack frames, and building interpreter frames for these translations
when a function deopts. Also adds builtins for
InterpreterNotifyDeoptimized which resume the function's continuation at
the correct point in the interpreter after deopt.
MIPS patch contributed by balazs.kilvady@igmtec.com
BUG=v8:4280
LOG=N
TEST=test-deoptimization.cc with --ignition and --turbo
Review URL: https://codereview.chromium.org/1528913003
Cr-Commit-Position: refs/heads/master@{#32971}
This CL prepare newspace evacuation for parallel execution wrt. to actual
allocations. The priority for allocations is:
* Try to allocate from LAB if objects are below kMaxLabObjectSize
* Allocate directly (synchronized) from newspace for larger objects.
* Fall back to old space allocation (which will be backed by a local compaction
space in future).
Semantical change: Previously we did fall back to regular new space promotion if
we are OOM in old space. With this CL we fall back to new space promotion, which
could fail because of fragmentation, again leading to an old space allocation
that finally bails into OOM.
Newspace evacuation is still single threaded and requires further changes to
allocation site tracking.
BUG=chromium:524425
LOG=N
Review URL: https://codereview.chromium.org/1487853002
Cr-Commit-Position: refs/heads/master@{#32970}
The trunc_l_[s,d] instructions incorrectly returns success when the input is INT64_MAX.
TEST=test-run-machops/RunTryTruncateFloat32ToInt64WithCheck,test-run-machops/RunTryTruncateFloat64ToInt64WithCheck
BUG=
Review URL: https://codereview.chromium.org/1539763003
Cr-Commit-Position: refs/heads/master@{#32968}
Adds FrameState nodes to graphs built by the Bytecode Graph Builder, in
preparation for adding deopt support. Also adds a new
FrameStateType::kInterpretedFunction to allow for specialized deopt
stack translation for interpreted frames. Finally adds support for
disabling typed lowering of binary ops, since the current approach
relies on a FrameState hack which does not apply to interpreted frames
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1514413002
Cr-Commit-Position: refs/heads/master@{#32964}
Updated toolchain.gypi to support v8 using CLANG on MIPS. These changes
include using integrated assembler with CLANG, and disabling options
used by GCC which are not supported by CLANG.
Reland https://codereview.chromium.org/1519493002 with fix to remove
duplicated 'conditions' sections.
TEST=
BUG=
Review URL: https://codereview.chromium.org/1530153003
Cr-Commit-Position: refs/heads/master@{#32963}
Pretty much everywhere except for a few places where we use
iterators.
BUG=
Review URL: https://codereview.chromium.org/1540453002
Cr-Commit-Position: refs/heads/master@{#32962}
Rolling v8/buildtools to fee7f1e849f59c3fd7bb7b2cacf876edca0572f3
Rolling v8/tools/clang to c745f4763a6af65800a40b6da508f3e943d1804e
TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org
Review URL: https://codereview.chromium.org/1540513002
Cr-Commit-Position: refs/heads/master@{#32961}
port 5bd4832492 (r32929)
original commit message:
Introduce a new Apply builtin that forms a correct and optimizable foundation for the Function.prototype.apply, Reflect.construct and Reflect.apply builtins
(which properly does the PrepareForTailCall as required by the ES2015 spec). The new Apply builtin avoids going to the runtime if it is safe to just access
the backing store elements of the argArray, i.e. if you pass a JSArray with no holes, or an unmapped, unmodified sloppy or strict arguments object.
mips/mips64 ports by Balazs Kilvady <balazs.kilvady@imgtec.com>;
BUG=
Review URL: https://codereview.chromium.org/1534543003
Cr-Commit-Position: refs/heads/master@{#32960}
This is based on the Skia Implementation.
More on the project can be found here:
https://docs.google.com/a/chromium.org/document/d/1_4LAnInOB8tM_DLjptWiszRwa4qwiSsDzMkO4tU-Qes/edit#heading=h.p97rw6yt8o2j
The V8 Tracing platform will replace the isolate->event_logger().
But since the current embedders (namely chromium) currently use the isolate->event_logger, I made the default implementation (event-tracer) call into isolate->event_logger if an event_logger was set.
Once the embedders properly implement the interface (for example in chromium it would look like this: https://codereview.chromium.org/707273005/), the default implementation will be doing nothing.
Once the embedders side is fixed, we will change how V8 uses the tracing framework beyond the call from Logger:CallEventLogger. (which would also include a d8 implementation)
BUG=v8:4560
LOG=N
Review URL: https://codereview.chromium.org/988893003
Cr-Commit-Position: refs/heads/master@{#32959}
part of a compile time improvement push. We got from 3 minutes down
to ~30 seconds prior to the change here.
This change further reduces the compile time down to 2 seconds, which
is actually slightly better than the pre-splintering total execution time
of about 3 seconds.
The cause of the regression was the repeated traversal of the children
of a live range, seeking for the one covering a safe point. The fix is to
leverage the intrinsic ordering in the chain of live range children, as well
as that of the safe points.
BUG= chromium:567745
LOG=N
Review URL: https://codereview.chromium.org/1529293002
Cr-Commit-Position: refs/heads/master@{#32958}
Added structural validation to live ranges, esp. for bugs that may
arise due to splintering / merging.
BUG=
Review URL: https://codereview.chromium.org/1533723002
Cr-Commit-Position: refs/heads/master@{#32954}
If the profiler is started via the API and not stopped, V8 will
intermittently crash during isolate teardown.
The fix is to run the DeleteAllProfiles function in Isolate::Deinit()
if cpu_profiler_ still exists.
https://groups.google.com/forum/#!topic/v8-dev/WsIlpbaD4mo
TEST= Run in debug mode, if you start a profile and don't stop it,
this assert should fail:
Fatal error in ../src/profiler/cpu-profiler.cc, line 414
Check failed: !is_profiling_.
Review URL: https://codereview.chromium.org/1526253005
Cr-Commit-Position: refs/heads/master@{#32953}
Add an internal field to each wasm function to keep a reference to the module. (So the GC can do the right thing when you only hold references to wasm functions but not the module).
Use Realloc carefully, to avoid copying from out of bounds.
Make snprintf use platform independent.
Don't disconnect external arraybuffers provided for the heap.
R=ahaas@chromium.org
BUG=
Review URL: https://codereview.chromium.org/1531243003
Cr-Commit-Position: refs/heads/master@{#32951}
Allowing global references to be read through a proxy results in cross-origin information leaks. The ES6 spec currently does not mitigate this in any way. This CL adds a workaround that's easy for V8: throw whenever an unresolved reference would result in a proxy trap to be fired. I'm landing this so we can move forwards with staging proxies without putting users of --harmony at risk.
BUG=chromium:399951
LOG=n
Review URL: https://codereview.chromium.org/1529303003
Cr-Commit-Position: refs/heads/master@{#32949}
Make WasmModule free it's own memory, avoid mixing stack and
heap allocations in tests. This fixes several memory leaks.
Fix several signed compare issues.
Fix several floating point warnings.
Don't setup heap as external, as then the GC can't collect it.
Disable some tests that fail under ASAN.
R=ahaas@chromium.org
BUG=
Review URL: https://codereview.chromium.org/1538543002
Cr-Commit-Position: refs/heads/master@{#32948}
Fixing several memory leaks in wasm unittests.
Avoiding std::vector::data() as it isn't supported on all
compilers on the bots.
Use EXCEPT_TRUE / EXPECT_FALSE to avoid warnings on some compilers when testing boolean equality.
R=ahaas@chromium.org
BUG=
Review URL: https://codereview.chromium.org/1536603003
Cr-Commit-Position: refs/heads/master@{#32940}
port aafc3e5484 (r32926)
original commit message:
The FIRST-LAST_NONCALLABLE_SPEC_OBJECT_TYPE range was accidentially used
in field type tracking, where we should check for JSReceiver instead
(there's no need to exclude JSProxy or JSFunction from tracking).
And the use in %_ClassOf was actually wrong and didn't match the C++
implementation in JSReceiver::class_name() anymore. Now it's consistent
again.
BUG=
Review URL: https://codereview.chromium.org/1537613002
Cr-Commit-Position: refs/heads/master@{#32937}
- Before getting the length property, we must check for it
using [[GetOwnProperty]]. Also, if the obtained length
is a number, we must properly convert it to an integer.
- In order to get the prototype we must use [[GetPrototypeOf]],
and do so before checking the length.
R=cbruni@chromium.org, jkummerow@chromium.org
BUG=v8:1543
LOG=n
Review URL: https://codereview.chromium.org/1530893002
Cr-Commit-Position: refs/heads/master@{#32934}
In a previous incarnation of live range merging, we needed to cache the
last child in a chain of live ranges. We don't anymore, so removing
unused code.
BUG=
Review URL: https://codereview.chromium.org/1536523003
Cr-Commit-Position: refs/heads/master@{#32931}
Decoupled the Print APIs from RegisterAllocationData, and placed them
on the various APIs. Way easier to use these at debug time even outside
the register allocation pipeline.
BUG=
Review URL: https://codereview.chromium.org/1528983005
Cr-Commit-Position: refs/heads/master@{#32930}
Introduce a new Apply builtin that forms a correct and optimizable
foundation for the Function.prototype.apply, Reflect.construct and
Reflect.apply builtins (which properly does the PrepareForTailCall
as required by the ES2015 spec).
The new Apply builtin avoids going to the runtime if it is safe to
just access the backing store elements of the argArray, i.e. if you
pass a JSArray with no holes, or an unmapped, unmodified sloppy or
strict arguments object.
mips/mips64 ports by Balazs Kilvady <balazs.kilvady@imgtec.com>
CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux64_tsan_rel
BUG=v8:4413, v8:4430
LOG=n
R=yangguo@chromium.org
Committed: e4d2538911
Review URL: https://codereview.chromium.org/1523753002 .
Cr-Commit-Position: refs/heads/master@{#32929}
Reason for revert:
Breaks TSAN somewhow: http://build.chromium.org/p/client.v8/builders/V8%20Linux64%20TSAN/builds/7000
Original issue's description:
> [es6] Correct Function.prototype.apply, Reflect.construct and Reflect.apply.
>
> Introduce a new Apply builtin that forms a correct and optimizable
> foundation for the Function.prototype.apply, Reflect.construct and
> Reflect.apply builtins (which properly does the PrepareForTailCall
> as required by the ES2015 spec).
>
> The new Apply builtin avoids going to the runtime if it is safe to
> just access the backing store elements of the argArray, i.e. if you
> pass a JSArray with no holes, or an unmapped, unmodified sloppy or
> strict arguments object.
>
> mips/mips64 ports by Balazs Kilvady <balazs.kilvady@imgtec.com>
>
> CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
> BUG=v8:4413, v8:4430
> LOG=n
> R=yangguo@chromium.org
>
> Committed: e4d2538911TBR=yangguo@chromium.org,paul.lind@imgtec.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4413, v8:4430
Review URL: https://codereview.chromium.org/1533803002 .
Cr-Commit-Position: refs/heads/master@{#32928}
Introduce a new Apply builtin that forms a correct and optimizable
foundation for the Function.prototype.apply, Reflect.construct and
Reflect.apply builtins (which properly does the PrepareForTailCall
as required by the ES2015 spec).
The new Apply builtin avoids going to the runtime if it is safe to
just access the backing store elements of the argArray, i.e. if you
pass a JSArray with no holes, or an unmapped, unmodified sloppy or
strict arguments object.
mips/mips64 ports by Balazs Kilvady <balazs.kilvady@imgtec.com>
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
BUG=v8:4413, v8:4430
LOG=n
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/1523753002 .
Cr-Commit-Position: refs/heads/master@{#32927}
The FIRST-LAST_NONCALLABLE_SPEC_OBJECT_TYPE range was accidentially used
in field type tracking, where we should check for JSReceiver instead
(there's no need to exclude JSProxy or JSFunction from tracking).
And the use in %_ClassOf was actually wrong and didn't match the C++
implementation in JSReceiver::class_name() anymore. Now it's consistent
again.
R=yangguo@chromium.org
BUG=chromium:535408
LOG=n
Review URL: https://codereview.chromium.org/1535523003 .
Cr-Commit-Position: refs/heads/master@{#32926}
There's actually no need to restrict the inline allocation of
receivers for class constructors anymore; the relevant issues
were addressed in the compiler and runtime several weeks ago.
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/1532453004 .
Cr-Commit-Position: refs/heads/master@{#32925}
port 2c75e3d2ab (r32903)
original commit message:
We can no longer just walk the prototype chain without doing proper access-checks. When installing a proxy as the __proto__ of the global object we might accidentally end up invoking cross-realm code
without access-checks (see proxies-cross-realm-ecxeption.js).
BUG=
Review URL: https://codereview.chromium.org/1534663002
Cr-Commit-Position: refs/heads/master@{#32924}
Rolling v8/third_party/android_tools to f4c36ad89b2696b37d9cd7ca7d984b691888b188
Rolling v8/tools/clang to 67c5521f1878f7929f8f0afc74b31627b3bbffb3
TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org
Review URL: https://codereview.chromium.org/1530413002
Cr-Commit-Position: refs/heads/master@{#32923}
