This reverts commit c5ad9c6d8e.
Reason for revert: Fails on gc stress:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/12661
Original change's description:
> [TypeFeedbackVector] Store optimized code in the vector
>
> Since the feedback vector is itself a native context structure, why
> not store optimized code for a function in there rather than in
> a map from native context to code? This allows us to get rid of
> the optimized code map in the SharedFunctionInfo, saving a pointer,
> and making lookup of any optimized code quicker.
>
> Original patch by Michael Stanton <mvstanton@chromium.org>
>
> BUG=v8:6246
>
> Change-Id: I60ff8c408c3001bc272b4b198c9cbaea2872a9e5
> Reviewed-on: https://chromium-review.googlesource.com/476891
> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Michael Stanton <mvstanton@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#45022}
TBR=ulan@chromium.org,rmcilroy@chromium.org,yangguo@chromium.org,mvstanton@chromium.org,jarin@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:6246
Change-Id: I9cd5735b03898cae6ae7adea0f19d32fceb31619
Reviewed-on: https://chromium-review.googlesource.com/493287
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45027}
The test and associated bug have been fixed a while ago.
BUG=chromium:336820,v8:6325
Review-Url: https://codereview.chromium.org/2851343002
Cr-Commit-Position: refs/heads/master@{#45023}
Since the feedback vector is itself a native context structure, why
not store optimized code for a function in there rather than in
a map from native context to code? This allows us to get rid of
the optimized code map in the SharedFunctionInfo, saving a pointer,
and making lookup of any optimized code quicker.
Original patch by Michael Stanton <mvstanton@chromium.org>
BUG=v8:6246
Change-Id: I60ff8c408c3001bc272b4b198c9cbaea2872a9e5
Reviewed-on: https://chromium-review.googlesource.com/476891
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45022}
Give the IC one more chance to get itself into a state that's in
line with Turbofan's capabilities and the following assertOptimized
expectation.
BUG=v8:6101,v8:6325
Review-Url: https://codereview.chromium.org/2848193003
Cr-Commit-Position: refs/heads/master@{#45020}
While parsing top-level code eager functions are skipped just like lazy
ones, but also a parse task is created for each.
The parse tasks are run by the compiler dispatcher and can be executed
either on background thread or in idle time.
After parsing of top-level code finishes it waits for all unfinished
parser tasks - possibly picking up and executing them on current thread.
Afterwards parse task results are stitched together with top-level AST,
in case of failures eager functions are treated just like lazy -
parsing/compilation is retriggered for them in the runtime and proper
errors are generated (performance is not optimized for error case at
all).
BUG=v8:6093
Change-Id: Ie6508211a04b90becfe44139cce1c8ecec386b6e
Reviewed-on: https://chromium-review.googlesource.com/486725
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Wiktor Garbacz <wiktorg@google.com>
Cr-Commit-Position: refs/heads/master@{#45016}
As required by #sec-built-in-function-objects.
They were strict functions before (see
e2f1c26982), but that got lost when they
were ported to ASM builtins.
This makes optimized and non-optimized code agree on the same behavior
in regress-105.js.
BUG=v8:105,v8:5778,v8:6325
Review-Url: https://codereview.chromium.org/2848313004
Cr-Commit-Position: refs/heads/master@{#45012}
The error thrower did allocate the exception at the moment the error was
detected. For async compilation, this meant in another step than when
it was actually thrown. Since the HandleScope of the exception already
died at that point, this would have lead to memory errors.
With this refactoring, we only store the information needed to generate
the exception in the ErrorThrower, and only generate the exception
object once it is actually needed.
With regression test.
R=ahaas@chromium.org, mtrofin@chromium.org
Also-by: ahaas@chromium.org
Change-Id: Iffcab1f8d1cf5925e3643fcf0729ba9a84c7d277
Reviewed-on: https://chromium-review.googlesource.com/490085
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45000}
This CL changes certain frequently-called Array builtins to use CodeStubArguments
rather than peek at the stack frames above array builtins to determine if options
arguments have been passed into them.
Previous failure likely due to unfortunate/unluckily timed GC that moved due to
changed timing/allocation from this CL. Test mitigation for allocation-site-info.js
included.
BUG=v8:1956
LOG=N
Review-Url: https://codereview.chromium.org/2829093004
Cr-Commit-Position: refs/heads/master@{#44998}
Reason for revert:
Still fails. Likely has to do with gc heap size for allocation site tests, mitigation pending...
Original issue's description:
> [turbofan] Reland: Avoid going through ArgumentsAdaptorTrampoline for select CSA array builtins
>
> This CL changes certain frequently-called Array builtins to use CodeStubArguments
> rather than peek at the stack frames above array builtins to determine if options
> arguments have been passed into them.
>
> Previous failure cannot be reproed with failing config. Flake?
>
> BUG=v8:1956
> LOG=N
>
> Review-Url: https://codereview.chromium.org/2829093004
> Cr-Commit-Position: refs/heads/master@{#44996}
> Committed: 7ca381e847TBR=mvstanton@chromium.org,ishell@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:1956
Review-Url: https://codereview.chromium.org/2851063002
Cr-Commit-Position: refs/heads/master@{#44997}
This CL changes certain frequently-called Array builtins to use CodeStubArguments
rather than peek at the stack frames above array builtins to determine if options
arguments have been passed into them.
Previous failure cannot be reproed with failing config. Flake?
BUG=v8:1956
LOG=N
Review-Url: https://codereview.chromium.org/2829093004
Cr-Commit-Position: refs/heads/master@{#44996}
Reason for revert:
Nosnap failure
Original issue's description:
> [turbofan] Avoid going through ArgumentsAdaptorTrampoline for select CSA/C++ builtins
>
> This CL changes certain frequently-called Array builtins to use CodeStubArguments
> rather than peek at the stack frames above array builtins to determine if options
> arguments have been passed into them.
>
> BUG=v8:1956
> LOG=N
>
> Review-Url: https://codereview.chromium.org/2829093004
> Cr-Commit-Position: refs/heads/master@{#44994}
> Committed: 680356278dTBR=mvstanton@chromium.org,ishell@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:1956
Review-Url: https://codereview.chromium.org/2851703005
Cr-Commit-Position: refs/heads/master@{#44995}
This CL changes certain frequently-called Array builtins to use CodeStubArguments
rather than peek at the stack frames above array builtins to determine if options
arguments have been passed into them.
BUG=v8:1956
LOG=N
Review-Url: https://codereview.chromium.org/2829093004
Cr-Commit-Position: refs/heads/master@{#44994}
1. Replaces --crankshaft with --opt in tests.
2. Also fixes presubmit to check for --opt flag when
assertOptimized is used.
3. Updates testrunner/local/variants.py and
v8_foozie.py to use --opt flag.
This would mean, nooptimize variant means there are
no optimizations. Not even with %OptimizeFunctionOnNextCall.
Bug:v8:6325
Change-Id: I638e743d0773a6729c6b9749e2ca1e2537f12ce6
Reviewed-on: https://chromium-review.googlesource.com/490206
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44985}
The spec requires that a null @@split / @@replace symbol is treated exactly the
same as if it were undefined, i.e. execution should move on to the default
implementation instead of throwing a TypeError.
BUG=v8:6313
Review-Url: https://codereview.chromium.org/2845153002
Cr-Commit-Position: refs/heads/master@{#44959}
With this CL we reduce the difference between directly using a null prototype
in a literal or using Object.create(null).
- The EmitFastCloneShallowObject builtin now supports cloning slow
object boilerplates.
- Unified behavior to find the matching Map and instantiating it for
Object.create(null) and literals with a null prototype.
- Cleanup of literal type parameter of CompileTimeValue, now in sync with
ObjectLiteral flags.
Review-Url: https://codereview.chromium.org/2445333002
Cr-Commit-Position: refs/heads/master@{#44941}
This makes sure that asm.js modules can only be instantiated with a
valid {ArrayBuffer} as the underlying heap buffer for all cases where
accepting anything else would be observably different from JavaScript
proper.
R=clemensh@chromium.org
TEST=mjsunit/asm/asm-memory
BUG=chromium:715505,chromium:715748
Change-Id: I355686200151c5667bf836824de922d657a8d943
Reviewed-on: https://chromium-review.googlesource.com/488521
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44938}
This also fixes incorrect type for fixed array accesses.
BUG=chromium:715651,v8:6309,chromium:715204
Review-Url: https://codereview.chromium.org/2848583002
Cr-Commit-Position: refs/heads/master@{#44926}
Clearing out the constructor field is invalid in the case where the
function's map has transitioned since the last SetPrototype call.
Bug: chromium:714972
Change-Id: Ie918702a128219c4995b805f7c9a53b41cc4e4b6
Reviewed-on: https://chromium-review.googlesource.com/486130
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44906}
This still doesn't cover all the paths yet, since some paths are
impossible to trigger at this point due to the way the CanInlineCall
predicate works on the AllocationSite, which says multiple things:
- In case of Array(len), the len was always a Smi so far.
- In case of Array(...args), storing the args didn't change the
elements kind.
- In case of Array(len), the len was always less than the initial
maximum fast element array size.
These conditions are tailored towards Crankshaft and don't really
make a lot of sense in the TurboFan world. We'd need more fine
grained protections, which we will achieve by refactoring the Array
constructor.
BUG=chromium:715404,v8:6262
TBR=machenbach@chromium.org
Review-Url: https://codereview.chromium.org/2843033002
Cr-Commit-Position: refs/heads/master@{#44901}
For holey Smi and double source arrays, we would go to the general
case, which is much slower than before. We already check that there
are no prototype chain changes in IterableToListCanBeElided, and
there is no JS-code run between that check and the copying of the
elements, so we can safely check for the hole and convert it to
undefined, which is then converted to 0/NaN appropriately for the
given TypedArray.
Bug: chromium:713570,chromium:711275
Change-Id: I5b21c915907d71eebb73b7b1eea8eb58b4a5436d
Reviewed-on: https://chromium-review.googlesource.com/485520
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44899}
Reason for revert:
Field representation is not preserved
Original issue's description:
> [turbofan] Set proper representation for initial arguments length.
>
> The JSArgumentsObject::length representation is initially Smi, so we can
> record that on the initial map and use it to optimize the accesses in
> TurboFan based on that. Similar for JSSloppyArgumentsObject::caller.
>
> BUG=v8:6262
> R=yangguo@chromium.org
>
> Review-Url: https://codereview.chromium.org/2810333004
> Cr-Commit-Position: refs/heads/master@{#44644}
> Committed: 5eec7df9b3TBR=yangguo@chromium.org,bmeurer@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:6262
Review-Url: https://codereview.chromium.org/2825323002
Cr-Commit-Position: refs/heads/master@{#44893}
This makes sure that the observable property order of the module export
maintains insertion order. Now that properties are configurable, we no
longer need to reverse the export processing.
R=clemensh@chromium.org
TEST=mjsunit/asm/asm-validation
BUG=chromium:715420
Change-Id: Ib2024254c07bdad7fee1cf2fa0bd3e847721f5b5
Reviewed-on: https://chromium-review.googlesource.com/488022
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44891}
This fixes the bounds checking of "unsigned" numeric literals (those
that do not contains dots) by the parser. In particular this fixes a
bogus truncation to 32-bit in the scanner. It also makes the scanner
more robust by limiting the range of those numeric literals, hence
completely avoiding rounding loss or truncation errors.
R=clemensh@chromium.org
TEST=unittests/AsmJsScannerTest.UnsignedNumbers
BUG=v8:6298
Change-Id: Id31ab3c652e99fa8d3d6663315768e1bfaf3b773
Reviewed-on: https://chromium-review.googlesource.com/486881
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44890}
Only create a singleton array for Array(len) if Type(len) cannot be
Number, otherwise we might need to throw an exception instead.
BUG=chromium:715404
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2838123004
Cr-Commit-Position: refs/heads/master@{#44886}
Although we currently only support up to 1GB memory, we want to raise
this issue in the future. This test illustrates several issues we need
to be sure to fix first.
Bug: v8:6306
Change-Id: I362b7a9e51e8eb33a50e3b172a6f01d41995c3cb
Reviewed-on: https://chromium-review.googlesource.com/487047
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44876}
Also add more local variables to regress-v8-6077 to force
register spill on platform with 32 float registers.
BUG=
Review-Url: https://codereview.chromium.org/2822073003
Cr-Commit-Position: refs/heads/master@{#44865}
This reverts commit 56a6fda316.
Reason for revert: Makes tsan flaky:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20TSAN/builds/15038
Original change's description:
> [parser] Inital parallel parse tasks implementation.
>
> While parsing top-level code eager functions are skipped just like lazy
> ones, but also a parse task is created for each.
>
> The parse tasks are run by the compiler dispatcher and can be executed
> either on background thread or in idle time.
> After parsing of top-level code finishes it waits for all unfinished
> parser tasks - possibly picking up and executing them on current thread.
> Afterwards parse task results are stitched together with top-level AST,
> in case of failures eager functions are treated just like lazy -
> parsing/compilation is retriggered for them in the runtime and proper
> errors are generated (performance is not optimized for error case at
> all).
>
> BUG=v8:6093
>
> Change-Id: I718dd2acc8a70ae1b09c2dea2616716605d7b05d
> Reviewed-on: https://chromium-review.googlesource.com/483439
> Commit-Queue: Wiktor Garbacz <wiktorg@google.com>
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Jochen Eisinger <jochen@chromium.org>
> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44849}
TBR=marja@chromium.org,vogelheim@chromium.org,jochen@chromium.org,wiktorg@google.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:6093
Change-Id: I17e689efee7d216d28a94a5c8147022ae7e830dd
Reviewed-on: https://chromium-review.googlesource.com/486883
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44859}
With this CL SloppyArguments immediately go to dictionary elements on
deletion, keeping the arguments backing store packed.
Bug: v8:6251
Change-Id: I2afa4fb5f0af9942eee0a1606942f5f289539330
Reviewed-on: https://chromium-review.googlesource.com/480379
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44857}
This fixes propagation of validation failures that happen during the
validation of a heap access expression in {ValidateHeapAccess}.
R=clemensh@chromium.org
TEST=mjsunit/regress/regress-crbug-714971
BUG=chromium:714971
Change-Id: I8f91ac1da34ae50fdde2938f61b6468cdac92b6e
Reviewed-on: https://chromium-review.googlesource.com/486801
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44851}
While parsing top-level code eager functions are skipped just like lazy
ones, but also a parse task is created for each.
The parse tasks are run by the compiler dispatcher and can be executed
either on background thread or in idle time.
After parsing of top-level code finishes it waits for all unfinished
parser tasks - possibly picking up and executing them on current thread.
Afterwards parse task results are stitched together with top-level AST,
in case of failures eager functions are treated just like lazy -
parsing/compilation is retriggered for them in the runtime and proper
errors are generated (performance is not optimized for error case at
all).
BUG=v8:6093
Change-Id: I718dd2acc8a70ae1b09c2dea2616716605d7b05d
Reviewed-on: https://chromium-review.googlesource.com/483439
Commit-Queue: Wiktor Garbacz <wiktorg@google.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44849}
Some of these tests pass the pattern as a string, and in this case
there's a subtle distinction between
"/\u{0041}/" // Unicode escape interpreted in string literal.
and
"/\\u{0041}/" // Unicode escape interpreted by regexp parser.
Extend these tests to check both cases.
Thanks littledan@ for pointing this out.
BUG=v8:5437
Review-Url: https://codereview.chromium.org/2839923002
Cr-Commit-Position: refs/heads/master@{#44840}
In general, deleting a property from a fast-properties object
requires transitioning the object to dictionary mode. However,
when the most-recently-added property is deleted, we can simply
roll back the last map transition that the object went through.
This is a performance experiment: it should make things faster,
but if it turns out to have more negative than positive impact,
we will have to revert it.
TBR=bmeurer@chromium.org (just adding a comment)
Previously reviewed at https://codereview.chromium.org/2830093002
Previously landed as 98acfb36e1 / r44799
Review-Url: https://codereview.chromium.org/2840583002
Cr-Commit-Position: refs/heads/master@{#44808}
This makes sure that typed array constructors (e.g. Int8Array, ...) used
within an asm.js module are considered uses of stdlib values, and hence
are checked during module instantiation.
R=clemensh@chromium.org
TEST=mjsunit/regress/regress-6280
BUG=v8:6280,chromium:714537
Change-Id: Ic5d689f5319c4dac4e9df3dca4a8cf5a4edd890b
Reviewed-on: https://chromium-review.googlesource.com/485521
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44800}
In general, deleting a property from a fast-properties object
requires transitioning the object to dictionary mode. However,
when the most-recently-added property is deleted, we can simply
roll back the last map transition that the object went through.
This is a performance experiment: it should make things faster,
but if it turns out to have more negative than positive impact,
we will have to revert it.
TBR=bmeurer@chromium.org (just adding a comment)
Review-Url: https://codereview.chromium.org/2830093002
Cr-Commit-Position: refs/heads/master@{#44799}
We already have an optimization to constant-fold access to an object's
prototype via the special __proto__ accessor (specified in appendix B).
We can use the same optimization to also constant-fold accesses to an
object's prototype via the official Object.getPrototypeOf function.
Also add the optimization for Reflect.getPrototypeOf, which is
equivalent for object inputs.
This is commonly used by Babel to implement various new language
features, for example subclassing and certain property lookups.
R=yangguo@chromium.org
BUG=v8:6292
Review-Url: https://codereview.chromium.org/2841463002
Cr-Commit-Position: refs/heads/master@{#44788}
Ensure source map is not stable if elements kind transitions are expected.
BUG=chromium:700733
Change-Id: Ie937e7064127250b1100109986c3e9b411fae1d6
Reviewed-on: https://chromium-review.googlesource.com/483442
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44780}
This also removes a broken optimization regarding immutable (i.e. const)
global variables. For now mutable and immutable global variables are
treated the same and hence copied during module initialization.
R=rossberg@chromium.org
TEST=mjsunit/asm/global-imports
BUG=v8:6279
Change-Id: I020fc12036dc534f5a62fb43f5c6fdb252314e62
Reviewed-on: https://chromium-review.googlesource.com/483360
Reviewed-by: Andreas Rossberg <rossberg@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44763}
The included test case illustrates the problem. It subtracts (16 << 27)
from another number. The Machine Operator Reducer would replace the
shift computation with 0x0000000080000000, and then change the subtract
to an add of -(0x0000000080000000), which is 0xffffffff80000000.
The instruction selector would determine that this value could be an
immediate, because it fits in 32 bits, so it would select the lea
instruction. Finally, the code generator would detect that the
immediate was less than 0, flip the sign and replace the add with a
subtract of 0x80000000. Because the x64 subtract instruction's
immediate field is 32 bits, the processor would interpret this as
0xffffffff80000000 instead of an unsigned value.
This change fixes the issue by making the CanBeImmediate check
explicitly compare against INT_MIN and INT_MAX. We disallow INT_MIN
as an immediate precisely because we cannot tell 0x0000000080000000
from 0xffffffff80000000 when truncated to 32 bits.
Bug: chromium:711203
Change-Id: Ie371b8ea290684a6bb723bae9c693a866f961850
Reviewed-on: https://chromium-review.googlesource.com/482448
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44758}
Move JSOrdinaryHasInstance lowering to JSNativeContextSpecialization,
which was previously mostly done in JSTypedLowering (for no reason).
Add new logic to the lowering to constant-fold OrdinaryHasInstance
checks when the map of the left-hand side and the "prototype" of the
right-hand side is known. This address the performance issue with the
(base) class constructors generated by Babel, i.e.:
function _classCallCheck(instance, Constructor) {
if (!(instance instanceof Constructor)) {
throw new TypeError("Cannot call a class as a function");
}
}
var C = function C() { _classCallCheck(this, C); };
for
class C {}
Also ensure that a known constructor being used inside an instanceof
get's a proper initial map on-demand.
BUG=v8:6275
R=mstarzinger@chromium.org
Review-Url: https://codereview.chromium.org/2827013002
Cr-Commit-Position: refs/heads/master@{#44727}
When adding or overwriting properties of an object, the generic
keyed store stub must check if that property's name might have
an associated protector (e.g. the ArraySpeciesProtector) and
take the slow path if so to ensure that the protector is updated
as needed.
BUG=v8:6269
Review-Url: https://codereview.chromium.org/2821213004
Cr-Commit-Position: refs/heads/master@{#44726}
This includes a fastpath in the ElementsAccessor for the source
array being a JSArray with FastSmi or FastDouble packed kinds. This
is probably a pretty common usage, where an array is passed in as
a way of initializing the TypedArray at creation (as there is not other
syntax to do this). e.g. new Float64Array([1.0, 1.0, 1.0]) for some
sort of vector application.
BUG= v8:5977
Change-Id: Ice4ad9fc29f56b1c4b0b30736a1330efdc289003
Reviewed-on: https://chromium-review.googlesource.com/465126
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44722}
This fixes source position tracking within the "increment" expression of
a for-statement. The old {StashCode} method was inherently incompatible
with side tables like the source position table, as it would leave them
untouched while mutating the bytecode stream. It was hence trimmed down
to {DeleteCode}.
R=bradnelson@chromium.org
BUG=v8:6127
Change-Id: I7a5ff60cd5334208c44b165c8b54144d9ae83209
Reviewed-on: https://chromium-review.googlesource.com/480301
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44714}
The typing rule for JSCreateArguments must properly declare rest
parameters as arrays and only consider sloppy and strict arguments
objects as Type::OtherObject.
TBR=jarin@chromium.org
BUG=v8:6262,chromium:712802
Review-Url: https://codereview.chromium.org/2828573004
Cr-Commit-Position: refs/heads/master@{#44712}
When --harmony-strict-legacy-accessor-builtins is enabled, it brings
V8's behavior in line with the spec and more recent versions of
SpiderMonkey and JSC:
- No implicit receiver coercion
- Attempting to redefine a non-configurable property throws
Bug: v8:5070
Change-Id: I82b927538604136c0c550e19bcc606fbfea1377e
Reviewed-on: https://chromium-review.googlesource.com/478312
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44703}
+ additional fixes uncovered by bug, and addressed remaining feedback
from original CL (https://codereview.chromium.org/2806073002/).
Note that the regression test differs slightly from the bug reported one,
in that it catches the RangeError which will eventually be thrown due
to call stack size being exceeded.
BUG=chromium:712569
Review-Url: https://codereview.chromium.org/2825073002
Cr-Commit-Position: refs/heads/master@{#44700}
The feature is not quite ready for getting ClusterFuzzed.
BUG=v8:5516
Change-Id: I90a42f950727c8ecf46cb2987c9a459b2ba1f5a7
Reviewed-on: https://chromium-review.googlesource.com/480400
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44693}
This fixes the de-duplication logic used when writing the deoptimizer
translation of a frame-state containing {kArgumentsElementsState}. The
object counts as a captured object and participates in the numbering of
duplicated objects.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-711166
BUG=chromium:711166
Change-Id: I4a3b892017ab8217197e5f94c1a0975d0cd6979f
Reviewed-on: https://chromium-review.googlesource.com/476631
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44692}
This changes the message from
"method_name is not generic"
to
"method_name requires that 'this' be a primitive_name object"
BUG=v8:6206
Review-Url: https://codereview.chromium.org/2814043006
Cr-Commit-Position: refs/heads/master@{#44683}
Currently when the module has memory specified in the compiled bytes, but with no initial memory
exported memory assigns a bogus buffer to the instance. When grow_memory is called on this buffer, it tries to patch an incorrect address.
- Fix exported memory to handle no initial memory
- Fix grow_memory to handle uninitialized buffers
BUG=chromium:710844
R=bradnelson@chromium.org
Review-Url: https://codereview.chromium.org/2820223002
Cr-Commit-Position: refs/heads/master@{#44671}
Today, the semantics of:
WebAssembly.instantiate
and
WebAssembly.compile().then(new WebAssemblyInstance)
are subtly different, to the point where attempting the proposed
change uncovered bugs.
In the future, it's possible that .instantiate actually have different
semantics - if we pre-specialized to the provided ffi, for example.
Right now that's not the case.
This CL:
- gets our implementation closer to what developers may write using
the compile -> new Instance alternative, in particular wrt promise
creation. By reusing code paths, we uncover more bugs, and keep
maintenance cost lower.
- it gives us the response-based WebAssembly.instantiate implicitly.
Otherwise, we'd need that same implementation on the blink side. The
negative is maintenance: imagine if the bugs I mentioned could only be
found when running in Blink.
BUG=chromium:697028
Review-Url: https://codereview.chromium.org/2806073002
Cr-Original-Commit-Position: refs/heads/master@{#44592}
Committed: 7829af3275
Review-Url: https://codereview.chromium.org/2806073002
Cr-Commit-Position: refs/heads/master@{#44669}
If the current context is overwritten by doing Realm.navigate(0) we
fail to delete the module embedder data from the correct current
context, because we have an handle to the old context which was
already cleaned up by calling DisposeRealm in RealmNavigate.
This patch disallows navigation to the first realm.
Bug: chromium:711165
Change-Id: I6b9d3187367dae9d1fe38c0efa361d461c94c917
Reviewed-on: https://chromium-review.googlesource.com/476970
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44656}
e3246ad69c
removed some redundancies in yield and yield*.
In particular:
- AsyncGeneratorRawYield becomes unnecessary, and is deleted in this CL
- Parser::RewriteYieldStar() is updated to perform the IteratorValue() algorithm as appropriate
BUG=v8:6187, v8:5855
R=rmcilroy@chromium.org, adamk@chromium.org, littledan@chromium.org, vogelheim@chromium.org
Change-Id: I05e8429b9cbd4531c330ee53a05656b90162064c
Reviewed-on: https://chromium-review.googlesource.com/471806
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#44649}
Currently we count optimizations to decide to disable optimization, and
count deopts to detect this decision and allow re-enabling optimizations
after a while.
However, throwing out TurboFan OSR code and GC optimized code evictions
do not count as deopts, which means that the optimization count
increases without increasing the deopt count. This increased optimization
count disables further optimization -- which is bad, because these are
not "true" deopts -- and can stop the optimization from being re-enabled,
because the deopt count can't go high enough.
Instead, we now only ever look at deopts to disable/re-enable
optimization, and opt counts are only used for naming log files and in
tests.
Change-Id: I0c7d6be497545449a38cf952cd2f007ee51982ba
Reviewed-on: https://chromium-review.googlesource.com/468811
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44647}
This fixes the validation of "|0" annotations of call sites that are
used to indicate a "signed" return type of functions. We use lookahead
during call validation and request deferred validation as part of the
actual OR-expression. Special care has to be taken to get precedence
levels of all involved operators right.
R=clemensh@chromium.org
TEST=mjsunit/asm/call-annotation
BUG=v8:6183
Change-Id: If0586f669e7cee26a13425b0fd9f41098e852d68
Reviewed-on: https://chromium-review.googlesource.com/475871
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44639}
The condition only applies in unicode mode, where any lone surrogates
are desugared into a character class (and will not be considered in this
optimization). Non-unicode mode treats lone surrogates exactly like
any other codepoint.
BUG=chromium:711092
Review-Url: https://codereview.chromium.org/2808403006
Cr-Commit-Position: refs/heads/master@{#44638}
In eval scripts, the source code position can be 0 rather
than greater than 0.
Add regression test.
Drive-by fix: unrelated typo.
Bug: 707223
Change-Id: If52c0736daac3ad42ac6d324eb8ec5f1798f6f5a
Reviewed-on: https://chromium-review.googlesource.com/476630
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44637}
This fixes the existing lowering of {JSGetSuperConstructor} nodes to
unconditional throws. The above operator is marked as {kNoWrite} but
runtime calls are not marked as such. Any deoptimizing operation after
the throw would not be able to find a valid {Checkpoint}. We remove the
lowering case in question.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-6248
BUG=v8:6248
Change-Id: I22c922947336254502f698b02f944cf35dd8688a
Reviewed-on: https://chromium-review.googlesource.com/476570
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44632}
It's required by the spec -- and observable -- that the index be validated
before the conversion of the value(s) via ToInteger.
The previous implementation also had an old test for validating the atomic
index, which has now been switched to ToIndex.
This also exposed an issue in the ia32 code generator: cmpxchg_b requires a
byte register, but the ia32 instruction selector was ensuring that the
new_value was a byte register, not the TempRegister. This change forces the
temp register to use edx, which always can be used as a byte register (dl).
This is the same behavior as currently used in UseByteRegister.
BUG=v8:4614
R=jarin@chromium.org,jkummerow@chromium.org
Review-Url: https://codereview.chromium.org/2814753003
Cr-Commit-Position: refs/heads/master@{#44626}
Unfortunately, this test cannot test that a function was really skipped (i.e.,
not parsed).
BUG=v8:5516
Change-Id: I8db5027d2216a95cc012ceae8e17554095cc1d4f
Reviewed-on: https://chromium-review.googlesource.com/457037
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44615}
Reason for revert:
Roll blocker: https://bugs.chromium.org/p/chromium/issues/detail?id=710824
Original issue's description:
> [wasm] instantiate expressed in terms of compile
>
> Today, the semantics of:
>
> WebAssembly.instantiate
>
> and
>
> WebAssembly.compile().then(new WebAssemblyInstance)
>
> are subtly different, to the point where attempting the proposed
> change uncovered bugs.
>
> In the future, it's possible that .instantiate actually have different
> semantics - if we pre-specialized to the provided ffi, for example.
> Right now that's not the case.
>
> This CL:
> - gets our implementation closer to what developers may write using
> the compile -> new Instance alternative, in particular wrt promise
> creation. By reusing code paths, we uncover more bugs, and keep
> maintenance cost lower.
>
> - it gives us the response-based WebAssembly.instantiate implicitly.
> Otherwise, we'd need that same implementation on the blink side. The
> negative is maintenance: imagine if the bugs I mentioned could only be
> found when running in Blink.
>
> BUG=chromium:697028
>
> Review-Url: https://codereview.chromium.org/2806073002
> Cr-Commit-Position: refs/heads/master@{#44592}
> Committed: 7829af3275TBR=bradnelson@chromium.org,ahaas@chromium.org,adamk@chromium.org,mtrofin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:697028
Review-Url: https://codereview.chromium.org/2810203002
Cr-Commit-Position: refs/heads/master@{#44614}
The hole NaN should also have proper Type::Hole, and not silently hide
in the Type::Number. This way we can remove all the special casing for
the hole NaN, and we also finally get the CheckNumber right.
This also allows us to remove some ducktape from the Deoptimizer, as for
escape analyzed FixedDoubleArrays we always pass the hole value now to
represent the actual holes.
Also-By: jarin@chromium.org
BUG=chromium:684208,chromium:709753,v8:5267
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2814013003
Cr-Commit-Position: refs/heads/master@{#44603}
RationalizeConsecutiveAtoms optimizes ab|ac|az to a(?:b|c|d).
Ensure that this optimization does not split surrogate pairs in unicode
mode.
BUG=chromium:641091
Review-Url: https://codereview.chromium.org/2813893002
Cr-Commit-Position: refs/heads/master@{#44599}
As of crrev.com/2760213003, the CheckBounds operator passes a truncation
that identfies zero and minus zero. However that was not reflected in
the typing rule, and as such the type of CheckBounds(-0,length) was
always Type::None. That confused the typed alias analysis in the
LoadElimination and led to ignoring StoreElement nodes.
BUG=chromium:708050
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2812013006
Cr-Commit-Position: refs/heads/master@{#44598}
This change mirrors the semantics for derived class constructors. This
change doesn't affect non class constructors.
This change could potentially break web compat. More details:
https://github.com/tc39/ecma262/pull/469
Bug=v8:5536
Change-Id: I519599949523733332d0b35e4f8d9ecb01cac495
Reviewed-on: https://chromium-review.googlesource.com/461225
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44594}
Today, the semantics of:
WebAssembly.instantiate
and
WebAssembly.compile().then(new WebAssemblyInstance)
are subtly different, to the point where attempting the proposed
change uncovered bugs.
In the future, it's possible that .instantiate actually have different
semantics - if we pre-specialized to the provided ffi, for example.
Right now that's not the case.
This CL:
- gets our implementation closer to what developers may write using
the compile -> new Instance alternative, in particular wrt promise
creation. By reusing code paths, we uncover more bugs, and keep
maintenance cost lower.
- it gives us the response-based WebAssembly.instantiate implicitly.
Otherwise, we'd need that same implementation on the blink side. The
negative is maintenance: imagine if the bugs I mentioned could only be
found when running in Blink.
BUG=chromium:697028
Review-Url: https://codereview.chromium.org/2806073002
Cr-Commit-Position: refs/heads/master@{#44592}
