This is a reland of 9eca23e9ed
Adds a deopt continuation, which fixes JavaScript stack traces
to contain the number constructor after inlining.
Original change's description:
> [turbofan] Inline Number constructor in certain cases
>
> This CL adds inlining for the Number constructor if new.target is not
> present. The lowering is BigInt compatible, i.e. it converts BigInts to
> numbers.
>
> Bug: v8:7904
> Change-Id: If03b9f872d82e50b6ded7709069181c33dc44e82
> Reviewed-on: https://chromium-review.googlesource.com/1118557
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54454}
Bug: v8:7904
Change-Id: Ic416e5ba81fa3a0f59ae4afa80df83c46a759487
Reviewed-on: https://chromium-review.googlesource.com/1146581
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54609}
Use the Isolate* version of Concat.
Bug: v8:7754
Change-Id: I3d16405032ab0690c57e2ba615cac60d8fa92464
Reviewed-on: https://chromium-review.googlesource.com/1146578
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54608}
Code::contains should return true in two cases: either the given
address is within the off-heap instruction stream, or within the
trampoline's instruction stream.
This CL fixes the second case. One effect is that code printed through
the jco gdb macro again displays the builtin name correctly when given
a trampoline pc.
Drive-by: a more efficient Builtins::Lookup for embedded builtins.
Bug: v8:6666,v8:7969
Change-Id: I54f5e5881fa2aed2546b9e62aa4b9390ad21b895
Reviewed-on: https://chromium-review.googlesource.com/1146566
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54605}
For JSProxies we filled a FixedArray with the numbers from 0 to
length - 1. Because all indices were assumed to be Smis, large array
indices on Proxies were not handled correctly.
R=jgruber@chromium.org
Bug: chromium:866314
Change-Id: I6a792e800f31617a6092b219ec82b0e05a83bf7b
Reviewed-on: https://chromium-review.googlesource.com/1146562
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@google.com>
Cr-Commit-Position: refs/heads/master@{#54603}
Drive-by change: Add std::iterator_traits typedefs to ZoneChunkListIterator
so we can use <algorithm>.
R=mstarzinger@chromium.org
Bug: v8:7754
Change-Id: Ib7d1c622fdb761fc99bea373dbdef206f15bd4a0
Reviewed-on: https://chromium-review.googlesource.com/1145075
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54601}
This should improve the debugging experience since backtraces will
list the exact builtin instead of just 'embedded_blob'. An example
gdb backtrace:
#0 <snip address> in Builtins_RegExpPrototypeExec ()
#1 <snip address> in Builtins_ArgumentsAdaptorTrampoline ()
<snip further frames>
Bug: v8:6666, v8:7722
Change-Id: Iafc995779903e7d7a980d66e7dad42938ac7d29e
Reviewed-on: https://chromium-review.googlesource.com/1145183
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54598}
This reverts commit a462a7854a.
Reason for revert: Breaks a TurboAssembler test:
https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Arm/7726
Original change's description:
> [turboassembler] Introduce hard-abort mode
>
> For checks and assertions (mostly for debug code, like stack alignment
> or zero extension), we had two modes: Emit a call to the {Abort}
> runtime function (the default), and emit a debug break (used for
> testing, enabled via --trap-on-abort).
> In wasm, where we cannot just call a runtime function because code must
> be isolate independent, we always used the trap-on-abort behaviour.
> This causes problems for our fuzzers, which do not catch SIGTRAP, and
> hence do not detect debug code failures.
>
> This CL introduces a third mode ("hard abort"), which calls a C
> function via {ExternalReference}. The C function still outputs the
> abort reason, but does not print the stack trace. It then aborts via
> "OS::Abort", just like the runtime function.
> This will allow fuzzers to detect the crash and even find a nice error
> message.
>
> Even though this looks like a lot of code churn, it is actually not.
> Most added lines are new tests, and other changes are minimal.
>
> R=mstarzinger@chromium.org
>
> Bug: chromium:863799
> Change-Id: I77c58ff72db552d49014614436259ccfb49ba87b
> Reviewed-on: https://chromium-review.googlesource.com/1142163
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54592}
TBR=mstarzinger@chromium.org,clemensh@chromium.org
Change-Id: I60c011cfe262ccebbb9abf32699a9fe17e72a3c8
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:863799
Reviewed-on: https://chromium-review.googlesource.com/1145431
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54597}
This reverts commit 29379945b6.
Reason for revert: Needed for other revert:
https://chromium-review.googlesource.com/c/v8/v8/+/1145431
Original change's description:
> [cleanup] Rename {kLastErrorMessage} to {kNumberOfReasons}
>
> The name {kLastErrorMessage} is misleading, as it's not actually the
> index of the last message (or reason), but one more (i.e. number of
> messages / reasons). Thus this renaming.
>
> R=mstarzinger@chromium.org
>
> Bug: v8:7754
> Change-Id: Id21edcecac84c0e6068423c6124ef2881116dc7c
> Reviewed-on: https://chromium-review.googlesource.com/1145305
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54593}
TBR=mstarzinger@chromium.org,clemensh@chromium.org
Change-Id: I2af83f4a2299e05ad9bcacfe69c0b483fd1488de
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7754
Reviewed-on: https://chromium-review.googlesource.com/1145520
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54596}
As discussed in
https://docs.google.com/document/d/1sBdGe8RHgeYP850cKSSgGABTyfMdvaEWLy-vertuTCo/edit?ts=5b3ba5cc#,
this CL introduces a new bytecode (CloneObject), and a new IC type.
In this prototype implementation, the type feedback looks like the
following:
Uninitialized case:
{ uninitialized_sentinel, uninitialized_sentinel }
Monomorphic case:
{ weak 'source' map, strong 'result' map }
Polymorphic case:
{ WeakFixedArray with { weak 'source' map, strong 'result' map }, cleared value }
Megamorphic case:
{ megamorphic_sentinel, cleared_Value }
In the fast case, Object cloning is done by allocating an object with
the saved result map, and a shallow clone of the fast properties from
the source object, as well as cloned fast elements from the source object.
If at any point the fast case can't be taken, the IC transitions to the
slow case and remains there.
This prototype CL does not include any TurboFan optimization, and the
CloneObject operation is merely reduced to a stub call.
It may still be possible to get some further improvements by somehow
incorporating compile-time boilerplate elements into the cloned object,
or simplifying how the boilerplate elements are inserted into the
object.
In terms of performance, we improve the ObjectSpread score in JSTests/ObjectLiteralSpread/
by about 8x, with substantial improvements over the Babel and ObjectAssign scores.
R=gsathya@chromium.org, mvstanton@chromium.org, rmcilroy@chromium.org, neis@chromium.org, bmeurer@chromium.org
BUG=v8:7611
Change-Id: I79e1796eb77016fb4feba0e1d3bb9abb348c183e
Reviewed-on: https://chromium-review.googlesource.com/1127472
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54595}
The name {kLastErrorMessage} is misleading, as it's not actually the
index of the last message (or reason), but one more (i.e. number of
messages / reasons). Thus this renaming.
R=mstarzinger@chromium.org
Bug: v8:7754
Change-Id: Id21edcecac84c0e6068423c6124ef2881116dc7c
Reviewed-on: https://chromium-review.googlesource.com/1145305
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54593}
For checks and assertions (mostly for debug code, like stack alignment
or zero extension), we had two modes: Emit a call to the {Abort}
runtime function (the default), and emit a debug break (used for
testing, enabled via --trap-on-abort).
In wasm, where we cannot just call a runtime function because code must
be isolate independent, we always used the trap-on-abort behaviour.
This causes problems for our fuzzers, which do not catch SIGTRAP, and
hence do not detect debug code failures.
This CL introduces a third mode ("hard abort"), which calls a C
function via {ExternalReference}. The C function still outputs the
abort reason, but does not print the stack trace. It then aborts via
"OS::Abort", just like the runtime function.
This will allow fuzzers to detect the crash and even find a nice error
message.
Even though this looks like a lot of code churn, it is actually not.
Most added lines are new tests, and other changes are minimal.
R=mstarzinger@chromium.org
Bug: chromium:863799
Change-Id: I77c58ff72db552d49014614436259ccfb49ba87b
Reviewed-on: https://chromium-review.googlesource.com/1142163
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54592}
The most important point of IWYU (include-what-you-use) is that each
header includes everything it is using, so that whoever includes that
header does not need to additionally include other things.
This CL adds a script which generates files to automatically check this.
It is automatically invoked during "gclient runhooks" if the
"check_v8_header_includes" variable is set. This script generates a
number of .cc files in the "check-header-includes" directory, together
with a "sources.gni" file which lists all the generated cc files. Each
file includes one header.
If additionally the gn args "v8_check_header_includes" is set, this gni
file is included, and all the generated CC files will be compiled. This
will detect violations of the aforementioned IWYU rule.
R=titzer@chromium.org, machenbach@chromium.org
Bug: v8:7754, v8:7965
Change-Id: Id1cf256507052c3a9ea82f8c80ea1c0385457e31
Reviewed-on: https://chromium-review.googlesource.com/1145199
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54590}
string-builder.h was using functions defined in *-inl.h and that's not allowed.
BUG=v8:7754,v8:7490
Change-Id: I442ff761f3a5799b60c0d02f7130bf694dca9b1b
Reviewed-on: https://chromium-review.googlesource.com/1145185
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54589}
Adds an Isolate::FromWritableHeapObject method, with a bool return value
and Isolate* out parameter, and replace most accesses to Isolate via
MemoryChunk (which handle objectsin ROSpace rather than just failing) to
use that instead.
Bug: v8:7754
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: Idb472a3d6037deed92e6fa8c8a7a1a14293e2462
Reviewed-on: https://chromium-review.googlesource.com/1144933
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54579}
This function has been deprecated for month by now.
R=ulan@chromium.org
Bug: v8:7754
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I19d1b41bad2849b7f3d4d6684dc6f0f80af081f0
Reviewed-on: https://chromium-review.googlesource.com/1144922
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54575}
This is a reland of 0f2d22dd22
Original change's description:
> [wasm] Improve module code size sampling approach.
>
> This samples module code sizes at GC time instead of during destruction.
> It hence makes sure that we also receive samples for long-lived modules
> which would otherwise die with the Isolate and never be finalized. Note
> that this approach is still biased and just a stop-gap until we have a
> sampling tick based on actual wall-clock time.
>
> R=clemensh@chromium.org
>
> Change-Id: I9558d383a5aada8876bc9cbf63baca771dbe5c28
> Reviewed-on: https://chromium-review.googlesource.com/1141866
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54554}
Change-Id: I1863e94bbe91c89c248ddf8fc700ff91bc3593b2
Reviewed-on: https://chromium-review.googlesource.com/1143344
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54572}
Chrome-crash tells me that occasionally a function gets stripped of an
initial map entirely (e.g. report 917de3c31d0e0d9b).
R=jarin@chromium.org
Change-Id: Ie0103695c4801a4c2cbc488af91c3d580efe4eab
Reviewed-on: https://chromium-review.googlesource.com/1143483
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54568}
This will simplify the optimizing compiler (no need to pretenure
COW arrays when compiling).
Bug: v8:7790
Change-Id: I7502f43c6b6f7e10bce8536352462731083b5bef
Reviewed-on: https://chromium-review.googlesource.com/1143466
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54566}
Currently AtomicStores use AtomicExchange to store to memory, but
AtomicExchange produces an output that is ignored by the AtomicStore
visitor, a side effect of this is that a register already in use gets
overwritten by the output of the exchange.
BUG:v8:7602
Change-Id: I4ec3107a0a27503611e349e6f56ca9492d05d9f8
Reviewed-on: https://chromium-review.googlesource.com/1134576
Reviewed-by: Ben Smith <binji@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54565}
Uses the new Isolate version of methods.
Bug: v8:7754
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I1a38dd61d10899ae33ef796f4f443b11640315c2
Reviewed-on: https://chromium-review.googlesource.com/1143861
Commit-Queue: Dan Elphick <delphick@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54563}
CHECK is accessing 1 byte across object boundary because
*expect and *actual will return the object address with
tag. And memcmp should return 0 if we expect (expected == actual)
R=cbruni@chromium.org, gsathya@chromium.org, ishell@chromium.org
Bug: v8:6443, v8:7569
Change-Id: I316e450a80400cea4c9394dbe470932a1f30cea5
Reviewed-on: https://chromium-review.googlesource.com/1142351
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#54561}
