port f435d6222fa194c96c6be2e2d8a753016437931a(r41735)
original commit message:
Original commit message:
[wasm] Introduce the TrapIf and TrapUnless operators to generate trap code.
Some instructions in WebAssembly trap for some inputs, which means that the
execution is terminated and (at least at the moment) a JavaScript exception is
thrown. Examples for traps are out-of-bounds memory accesses, or integer
divisions by zero.
Without the TrapIf and TrapUnless operators trap check in WebAssembly introduces 5
TurboFan nodes (branch, if_true, if_false, trap-reason constant, trap-position
constant), in addition to the trap condition itself. Additionally, each
WebAssembly function has four TurboFan nodes (merge, effect_phi, 2 phis) whose
number of inputs is linear to the number of trap checks in the function.
Especially for functions with high numbers of trap checks we observe a
significant slowdown in compilation time, down to 0.22 MiB/s in the sqlite
benchmark instead of the average of 3 MiB/s in other benchmarks. By introducing
a TrapIf common operator only a single node is necessary per trap check, in
addition to the trap condition. Also the nodes which are shared between trap
checks (merge, effect_phi, 2 phis) would disappear. First measurements suggest a
speedup of 30-50% on average.
This CL only implements TrapIf and TrapUnless on x64. The implementation is also
hidden behind the --wasm-trap-if flag.
Please take a special look at how the source position is transfered from the
instruction selector to the code generator, and at the context that is used for
the runtime call.
BUG=
Review-Url: https://codereview.chromium.org/2679853002
Cr-Commit-Position: refs/heads/master@{#42998}
Cleanup CHECK_EQ order and simplify CHECK_EQ(true/false).
Cleanup callorder for negative numbers
Cleanup callorder order for capital letter constants.
Cleanup callorder for test.x checks.
BUG=
Review-Url: https://codereview.chromium.org/2677183002
Cr-Commit-Position: refs/heads/master@{#42997}
Moves ownership of the parsing Zone to ParseInfo with a shared_ptr. This is
in preperation for enabling background compilation jobs for inner functions
share the AST in the outer-function's parse zone memory (read-only), with the
and zone being released when all compilation jobs have completed.
BUG=v8:5203,v8:5215
Review-Url: https://codereview.chromium.org/2632123006
Cr-Original-Commit-Position: refs/heads/master@{#42993}
Committed: 14fb337200
Review-Url: https://codereview.chromium.org/2632123006
Cr-Commit-Position: refs/heads/master@{#42996}
Reason for revert:
doesn't compile on ToT
Original issue's description:
> Reland: [Parse] ParseInfo owns the parsing Zone.
>
> Moves ownership of the parsing Zone to ParseInfo with a shared_ptr. This is
> in preperation for enabling background compilation jobs for inner functions
> share the AST in the outer-function's parse zone memory (read-only), with the
> and zone being released when all compilation jobs have completed.
>
> BUG=v8:5203,v8:5215
>
> Review-Url: https://codereview.chromium.org/2632123006
> Cr-Commit-Position: refs/heads/master@{#42993}
> Committed: 14fb337200TBR=marja@chromium.org,mstarzinger@chromium.org,ahaas@chromium.org,verwaest@chromium.org,rmcilroy@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5203,v8:5215
Review-Url: https://codereview.chromium.org/2685543003
Cr-Commit-Position: refs/heads/master@{#42994}
Moves ownership of the parsing Zone to ParseInfo with a shared_ptr. This is
in preperation for enabling background compilation jobs for inner functions
share the AST in the outer-function's parse zone memory (read-only), with the
and zone being released when all compilation jobs have completed.
BUG=v8:5203,v8:5215
Review-Url: https://codereview.chromium.org/2632123006
Cr-Commit-Position: refs/heads/master@{#42993}
When computing the type info for a given function, make sure to also
count generic BinaryOp and Compare IC slots. TurboFan can deal with
those, and often still generates good code.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2666323002
Cr-Commit-Position: refs/heads/master@{#42992}
Due to hoisting, the value of a 'var'-declared variable may actually change even
if the code contains only the "initial" assignment, namely when that assignment
occurs inside a loop. For example:
let i = 10;
do { var x = i } while (i--):
As a simple and very conservative approximation of this, we explicitly mark
as maybe-assigned any non-lexical variable whose "declaration" does not
syntactically occur in the function scope. (In the example above, it
occurs in a block scope.)
BUG=v8:5636
Review-Url: https://codereview.chromium.org/2673403003
Cr-Commit-Position: refs/heads/master@{#42989}
Sort experimental flags alphabetically and
add new flag for type profiling.
BUG=v8:5934
Review-Url: https://codereview.chromium.org/2675303002
Cr-Commit-Position: refs/heads/master@{#42988}
Reason for revert:
Doesn't fix perf regressions in crbug.com/688972 and introduces new ones for RegExp in crbug.com/689395.
Original issue's description:
> [regexp] Add stub for RegExpExec instead of inlining
>
> The code produced for RegExpExec is quite large, and we ended up completely
> inlining it several spots. This CL moves RegExpPrototypeExecBody into two
> stubs (one each for fast and slow paths) and converts inlined uses into stub
> calls. This decreases the local x64 snapshot size by around 80K.
>
> BUG=chromium:688972
>
> Review-Url: https://codereview.chromium.org/2677073004
> Cr-Commit-Position: refs/heads/master@{#42965}
> Committed: 5ea144afe3TBR=yangguo@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:688972
Review-Url: https://codereview.chromium.org/2679063003
Cr-Commit-Position: refs/heads/master@{#42985}
For x64, ia32 and x87 we would pop the return address before the stack
overflow check. This meant the stack couldn't be unwound properly if
it was going to overflow. This CL moves the pop of the return address
to after the stack overflow check.
Also adds a regression test to check that a RangeError is thrown.
BUG=689016
Review-Url: https://codereview.chromium.org/2681643004
Cr-Commit-Position: refs/heads/master@{#42984}
This correctly marks the {JSCreate} operator as potentially throwing,
since it might trigger a property access of the 'prototype' property
during instantiation. This is observable, can throw (not kNoThrow),
might have side-effects (not kNoWrite), or even trigger a lazy deopt
event (not kNoDeopt). The inlining logic has been adapted to wire up
control projections accordingly.
Note that this does not yet take care of the "after" frame-state which
is associated with the {JSCreate} node introduced by the inliner. We
still might re-evaluate the property access upon lazy deoptimization.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-5638
BUG=v8:5638
Review-Url: https://codereview.chromium.org/2671203003
Cr-Commit-Position: refs/heads/master@{#42981}
A script like "{ function foo() {} }" declares a VAR-variable at the
top-level and a LET-variable inside the block. The LET-variable does
not need to be unconditionally marked as assigned.
BUG=v8:5636
Review-Url: https://codereview.chromium.org/2680443002
Cr-Commit-Position: refs/heads/master@{#42980}
- entries preview available even if debugger agent is disabled,
- less deprecated mirrors usage in debugger-script.js
- no usage of debugger context - zero probability of leaking it.
- better test coverage.
BUG=v8:5510
R=yangguo@chromium.org,jgruber@chromium.org,alph@chromium.org,luoe@chromium.org
Review-Url: https://codereview.chromium.org/2672213002
Cr-Commit-Position: refs/heads/master@{#42978}
Adding a code path for strings introduces Phi nodes on the fast
(i.e. non-string) path, causing a performance regression.
BUG=chromium:687075
Review-Url: https://codereview.chromium.org/2670353004
Cr-Commit-Position: refs/heads/master@{#42977}
- Removes shared InnerArrayCopyWithin JS builtin from src/js/array.js
- Implements %TypedArray%.prototype.copyWithin as a C++ builtin, which
relies on std::memmove rather than accessing individual eleements.
- Fixes the case where copyWithin is invoked on a TypedArray with a
detached buffer.
- Add tests to ensure that +/-Infinity (for all 3 parameters) is handled correctly by the
algorithm
The C++ version gets through the benchmark more than 25000 times as
quickly as the JS implementation.
BUG=v8:5925, v8:5929, v8:4648
R=cbruni@chromium.org, adamk@chromium.org, littledan@chromium.org
Review-Url: https://codereview.chromium.org/2671233002
Cr-Commit-Position: refs/heads/master@{#42975}
Spotted by clang static analyzer, these variables are declared outside of
the condition but only used within.
Review-Url: https://codereview.chromium.org/2668003002
Cr-Commit-Position: refs/heads/master@{#42970}
This adapts the inlining logic to allow for inlining based solely on a
statically known underlying SharedFunctionInfo instead of a concrete
closure of the call target.
In cases where the closure is known, its bound context is constant
promoted just as before. In the new cases where only the SFI for an
entire class of closures is known, we use the dynamic SSA-value of the
bound context.
R=bmeurer@chromium.org
BUG=v8:2206
Review-Url: https://codereview.chromium.org/2626783003
Cr-Commit-Position: refs/heads/master@{#42968}
The code produced for RegExpExec is quite large, and we ended up completely
inlining it several spots. This CL moves RegExpPrototypeExecBody into two
stubs (one each for fast and slow paths) and converts inlined uses into stub
calls. This decreases the local x64 snapshot size by around 80K.
BUG=chromium:688972
Review-Url: https://codereview.chromium.org/2677073004
Cr-Commit-Position: refs/heads/master@{#42965}
Keep the order in CHECK_EQ calls consistent as
(expected, actual).
Simplify CHECK_EQ(true, expected) to CHECK(expected) and
CHECK_EQ(false, expected) to CHECK(!expected).
BUG=
Review-Url: https://codereview.chromium.org/2677133002
Cr-Commit-Position: refs/heads/master@{#42964}
The results are unreliable as-is, because es5 and es6 run in the same d8
process consecutively. The graph also shows a huge amount of noise,
which seems to be mostly resolved with this change.
Review-Url: https://codereview.chromium.org/2675263002
Cr-Commit-Position: refs/heads/master@{#42961}
In preparation for more perf work in turbofan, so that we can actually
see the results on the graph.
BUG=v8:5932
Review-Url: https://codereview.chromium.org/2676263002
Cr-Commit-Position: refs/heads/master@{#42960}
... by using KeyedStoreIC_Slow builtin instead. The issue with hard-coded
language mode is that the stub can be re-used through megamorphic stub cache for
an IC with incompatible language mode. KeyedStoreIC_Slow already does the
right thing - it decodes the language mode from the IC slot kind.
This CL also fixes the code kinds of the slow IC handlers. The code kind of
IC handlers is used only for checking that the handler was added to the right
megamorphic stub cache, which expect the handlers' code kinds to be either
Code::LOAD_IC or Code::STORE_IC.
And the megamorphic builtins are just helper code stubs that are called from
IC dispatchers, therefore they should have BUILTIN code kind. Same applies to
the other stubs which are neither IC dispatchers nor handlers.
BUG=v8:5917
Review-Url: https://codereview.chromium.org/2677603004
Cr-Commit-Position: refs/heads/master@{#42958}
We benefit from the optimizing compiler even if the IC state is generic,
so we'd better ignore the generic IC state count for the optimization
decision. This improves our speedometer score from 61.5 to 63.7
(default configuration is 65.9).
Review-Url: https://codereview.chromium.org/2674203002
Cr-Commit-Position: refs/heads/master@{#42955}
TypeFeedbackVectors are strongly rooted by a closure. However, in modern
JavaScript closures are created and abandoned more freely. An important
closure may not be present in the root-set at time of garbage collection,
even though we've cached optimized code and use it regularly. For
example, consider leaf functions in an event dispatching system. They may
well be "hot," but tragically non-present when we collect the heap.
Until now, we've relied on a weak root to cache the feedback vector in
this case. Since there is no way to signal intent or relative importance,
this weak root is as susceptible to clearing as any other weak root at
garbage collection time.
Meanwhile, the feedback vector has become more important. All of our
ICs store their data there. Literal and regex boilerplates are stored there.
If we lose the vector, then we not only lose optimized code built from
it, we also lose the very feedback which allowed us to create that optimized
code. Therefore it's vital to express that dependency through the root
set.
This CL does this by creating a strong link to a feedback
vector at the instantiation site of the function closure.
This instantiation site is in the code and feedback vector
of the outer closure.
BUG=v8:5456
Review-Url: https://codereview.chromium.org/2674593003
Cr-Commit-Position: refs/heads/master@{#42953}
This CL also removes unused LoadApiGetterStub and renames StoreElementStub to StoreSlowElementStub.
BUG=v8:4587
Review-Url: https://codereview.chromium.org/2670863003
Cr-Commit-Position: refs/heads/master@{#42951}
TailCallRuntime currently does not seem to handle adaptor frames
correctly.
BUG=chromium:688690
Review-Url: https://codereview.chromium.org/2675133003
Cr-Commit-Position: refs/heads/master@{#42950}
