This reorders arguments in preparation for removing ebx from its
calling convention (in a follow-up some args will be passed on the
stack).
Drive-by: Improve readability in the code handling different cases
(array,spread,...).
Bug: v8:6666
Change-Id: I0160f8efafd0fd0e841739578e01c32b38adb66e
Reviewed-on: https://chromium-review.googlesource.com/1196884
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55557}
We can safely lower ToNumeric(x) to ToNumber(x) as long as we can
guarantee that x is any primitive except BigInt (as ToNumeric would
return that unchanged while ToNumber will throw).
Bug: v8:8015
Change-Id: I66573cc204c7c919095ca7598a027fabef7d71a8
Reviewed-on: https://chromium-review.googlesource.com/1199665
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55556}
In preparation for kRootRegister support on ia32.
For both descriptors we simply shuffle registers around to remove ebx
from the calling convention.
Possible follow-up work: The ApiCallbackDescriptor could be simplified
by passing call_data (and the Undefined constant) on the stack. This
currently happens in the builtin body.
Drive-by: Minor refactoring in InterpreterPushArgsMode to deobfuscate
the different paths (spread/no-spread). Also use
{Push,Pop}ReturnAddress helpers.
Bug: v8:6666
Change-Id: I25fd738501fff71c038a0745cec04363f90df660
Reviewed-on: https://chromium-review.googlesource.com/1196552
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55554}
GetIdentityHashHelper function can return hash from GlobalDictionary,
but SetHashAndUpdateProperties crashes on DCHECK on attempt to set
this hash (it works when DCHECKs are disabled because SetHash is defined
on base class for NameDictionary and GlobalDictionary).
R=yangguo@chromium.org
Bug: none
Change-Id: I740fa6a3232f7db8e4396b9a5e4664b8ab81969a
Reviewed-on: https://chromium-review.googlesource.com/1198765
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55551}
DebugEvaluate contains code since 2009 that bypasses JSGlobalProxy and
returns JSGlobalObject when result of expression is global proxy.
This behavior may be dangerous:
- JSGlobalObject does not perform security checks,
- some parts of V8 code are not ready for JSGlobalObject, e.g.,
SetHashAndUpdateProperties function will crash on DCHECK if we
try to store JSGlobalObject to map.
At the same time it looks like there is no valid use case for it.
R=yangguo@chromium.org
Bug: none
Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ib0e35d5ae9ef47318c866e44c5c6856e34ed05a5
Reviewed-on: https://chromium-review.googlesource.com/1198764
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55550}
As noticed by jkummerow@ there's probably not really a point in
keeping two separate runtime functions that perform the same
operation, but one has a different fast-path (which is not
available to the other). So %KeyedGetProperty is now effectively
%GetProperty and used consistently as fallback from both the ICs
as well as other callers like the GetProperty builtin.
Bug: v8:8015
Change-Id: Ib46b13da739229e2eb820ecf87923ac99c6971d3
Reviewed-on: https://chromium-review.googlesource.com/1199105
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55547}
This CL fixes an issue where getters/setters would get called on a
prototype with the wrong receiver. This happens in the pre-processing
for Array.p.sort when values get copied down from the prototype chain.
R=jgruber@chromium.org
Bug: v8:7682
Change-Id: I0d8ff1dc721c33bd721aaca54ffd357b3d2a2096
Reviewed-on: https://chromium-review.googlesource.com/1198767
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@google.com>
Cr-Commit-Position: refs/heads/master@{#55546}
This reverts commit 1c48d52bb1.
Reason for revert: Clusterfuzz found something.
Original change's description:
> [interpreter] Add bytecode for leading array spreads.
>
> This CL improves the performance of creating [...a, b] or [...a].
> If the array literal has a leading spread, this CL emits the bytecode
> [CreateArrayFromIterable] to create the literal. CreateArrayFromIterable
> is implemented by [IterableToListDefault] builtin to create the initial
> array for the leading spread. IterableToListDefault has a fast path to
> clone efficiently if the spread is an actual array.
>
> The bytecode generated is now shorter. Bytecode generation is refactored
> into BuildCreateArrayLiteral, which allows VisitCallSuper to benefit
> from this optimization also.
> For now, turbofan also lowers the bytecode to the builtin.
>
> The idiomatic use of [...a] to clone the array a now performs better
> than a simple for-loop, but still does not match the performance of slice.
>
> Bug: v8:7980
>
> Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
> Change-Id: Ibde659c82d3c7aa1b1777a3d2f6426ac8cc15e35
> Reviewed-on: https://chromium-review.googlesource.com/1181024
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Commit-Queue: Hai Dang <dhai@google.com>
> Cr-Commit-Position: refs/heads/master@{#55520}
TBR=rmcilroy@chromium.org,neis@chromium.org,sigurds@chromium.org,gsathya@chromium.org,jgruber@chromium.org,dhai@google.com
Change-Id: I1c86ddcc24274da9f5a8dd3d8bf8d869cbb55cb6
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7980
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/1199303
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55544}
If profiling is done with --log-source-code profview will now display
a "View source" link for each function in the tree view. Clicking this
will show a new source viewer, with sampled lines highlighted. See the
associated bug for screenshots.
This patch also fixes a bug in the profiler where the source info of
only the first code object for each function would be logged, and
includes some refactoring.
Bug: v8:6240
Change-Id: Ib96a9cfc54543d0dc9bef4657cdeb96ce28b223c
Reviewed-on: https://chromium-review.googlesource.com/1194231
Commit-Queue: Bret Sepulveda <bsep@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55542}
The %GetPrototype runtime function is not used anymore. Also remove the
cctests that were introduced to guard the Crankshaft optimizations for
the %_GetPrototype intrinsic.
Bug: v8:8015
Change-Id: I4b848f2c8d67209dae002d260a26867299d6b4a5
Reviewed-on: https://chromium-review.googlesource.com/1199106
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55541}
In the KeyedLoadICGeneric case the engine previously immediately fell
back to the %KeyedGetProperty runtime function if the key was not a
Name or a valid array index. This turns out to be really slow if a
program passes for example objects as keys. Since we already have all
the logic in place to convert an arbitrary JavaScript value to a Name,
we can just call into ToName first and then operate on the result of
that, which is significantly faster since C++ usually doesn't need to
call back into JavaScript then to convert a JSReceiver into a Name.
This also changes the ToName builtin to use the existing builtin for
NonPrimitiveToPrimitive, which stays in JavaScript land completely.
Since there's not really a point in inlining ToName into the call
sites, the other uses were also changed to call the builtin instead,
which saves some space and might also help with instruction cache
utilization (especially when the ToName logic is more involved now).
This improves the performance on the microbenchmark
```js
const n = 1e7;
const obj = {};
const key = [1,2];
const start = Date.now();
for (let i = 0; i < n; ++i) {
  if (obj[key] === undefined) obj[key] = key;
}
print(`time: ${Date.now() - start} ms.`);
```
by up to 36%. On the ARES-6 ML benchmark the steady state improves by up
to ~7% and the overall mean for ARES-6 ML improves by up to ~6%. Further
improvements might be possible here if the GetProperty builtin could be
made faster for common prototype lookups like Symbol.toPrimitive and the
"valueOf" and "toString" functions.
Bug: v8:6344, v8:6670
Change-Id: Ic3ac2bc4d4277836ef03039de4eda5c5f66a85da
Reviewed-on: https://chromium-review.googlesource.com/1199022
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55540}
Teach the GetProperty builtin how to perform [[Get]] on JSProxy
instances by calling into the dedicated ProxyGetProperty builtin
that we already use for the LOAD_IC / KEYED_LOAD_IC. This is
important when proxies are used in places where GetProperty builtin
is used like for example as iterables in for..of loops or in spreads.
On a simple micro-benchmark like the following
```js
const proxy = new Proxy([1, 2, 3], {
  get(target, property) { return target[property]; }
});
const TESTS = [
  function testForOfProxy() { for (const x of proxy) {} },
  function testSpreadProxy() { return [...proxy]; }
];
function test(fn) {
  var result;
  for (var i = 0; i < 1e6; ++i) result = fn();
  return result;
}
test(x => x);
for (var j = 0; j < TESTS.length; ++j) test(TESTS[j]);
for (var j = 0; j < TESTS.length; ++j) {
  var startTime = Date.now();
  test(TESTS[j]);
  print(TESTS[j].name + ':', (Date.now() - startTime), 'ms.');
}
```
improves from around
testForOfProxy: 1672.6 ms.
testSpreadProxy: 1956.6 ms.
to
testForOfProxy: 408.4 ms.
testSpreadProxy: 530.8 ms.
on average, which corresponds to a 4-5x performance improvement, even
for small arrays. On the ARES-6 Air benchmark this completely eliminates
all calls to the %GetProperty runtime function, and thereby improves the
steady state mean by 2-3%.
Bug: v8:6344, v8:6557, v8:6559
Change-Id: Ifebdaff8f3ae5899a33ce408ecd54655247f3a02
Reviewed-on: https://chromium-review.googlesource.com/1199023
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55539}
Change-Id: I4b810b3684609f19cef3adf295ac104d00b9a4c3
Reviewed-on: https://chromium-review.googlesource.com/1194441
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55536}
- Cleans up existing code that tests for representations using a
bitmask.
- Bypass FP register allocation for sequences without FP vregs.
Change-Id: I5ff32e80e0c33848ba83ee17f786b01e37821aa2
Reviewed-on: https://chromium-review.googlesource.com/1195528
Commit-Queue: Bill Budge <bbudge@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55535}
This CL fixes a bug where the receiving instance was updated improperly
in the dispatch table(s) of an imported table.
BUG=chromium:875322
R=mstarzinger@chromium.org
Change-Id: Ib5af238a0847bf332a12863523e897f59f137c1d
Reviewed-on: https://chromium-review.googlesource.com/1196886
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55534}
We have an API (GetCodeRange) which gives the location of V8 code on the
heap, but builtin code no longer lives on the heap.
The upcoming work on the V8 stack unwinder requires the embedder to
provide the code ranges for both the heap and builtins, so this API will
be used there.
Bug: v8:8116
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I15e900716e68256b9732be0ea1a5cda24878eccf
Reviewed-on: https://chromium-review.googlesource.com/1196551
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55532}
This is a naive implementation of a class that manages regions
allocation/deallocation inside given range of addresses.
This code will be used in follow-up CLs.
Bug: v8:8096
Change-Id: I7bea7051a1525cc7f87ba34d67b85b274c5de18a
Reviewed-on: https://chromium-review.googlesource.com/1127175
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55531}
This addresses a TODO in JSTypedLowering and generally makes the more
easier to follow since the methods deal only with one kind of Node now.
Bug: v8:8015
Change-Id: I8c3521b8d630dbe272264dc01e9ab3a5b0a8f682
Reviewed-on: https://chromium-review.googlesource.com/1196883
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55530}
This is a purely cosmetic change to make the Number constructor
in the JSCallReducer easier to read.
Bug: v8:7904, v8:8015
Change-Id: Id3248dcf9c4e8111bb4f0418bfa6993630df74bb
Reviewed-on: https://chromium-review.googlesource.com/1196432
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55528}
This CL removes a regression test that was intended to check that the
maximum call stack size was not exceeded when calling Array.p.sort.
As the new sorting algorithm (TimSort) does not work recursively, this
test is no longer really necessary. It is also rather slow and causes
issues on some bots, so we remove the test.
R=mslekova@chromium.org
Bug: v8:7783
Change-Id: I5bb9693ab825fe077776fd6825688545286285fd
Reviewed-on: https://chromium-review.googlesource.com/1196511
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@google.com>
Cr-Commit-Position: refs/heads/master@{#55527}
This adds experimental support for an 'except_ref' value type for caught
exceptions as per the exception handling proposal. In the current form it
is only allowed to have such types in the stack or in a local, support
for having it as part of any signature was left out.
The default value for a local of type 'except_ref' is the 'ref_null'
value for now. Since this value cannot escape a wasm function, the
concrete value is not actually observable.
R=ahaas@chromium.org
TEST=unittests/LocalDeclDecoderTest.ExceptRef,mjsunit/wasm/exceptions
BUG=v8:8091
Change-Id: I7bd65274327a833262f8749cbe0e24e737f6e0c1
Reviewed-on: https://chromium-review.googlesource.com/1196510
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55526}
This CL fixes a bug if the second argument ('from') for lastIndexOf
changes the array when it's converted to an integer.
R=jgruber@chromium.org
Bug: chromium:878845
Change-Id: I8759dd19381c63f0dde1d4c5abc1b6c7291c6048
Reviewed-on: https://chromium-review.googlesource.com/1196507
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@google.com>
Cr-Commit-Position: refs/heads/master@{#55525}
This is no longer necessary as the JSFunction::code field is now a
proper tagged field, that points to a Code object, instead of a
naked pointer into the beginning of the Code object. So now the
representation selection always sees a proper tagged value here.
Bug: v8:8015
Change-Id: Ia66e9425d82a0f765e4cbb6e3bed7bcdd9438958
Reviewed-on: https://chromium-review.googlesource.com/1196662
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55524}
Since jump tables cannot be embedded, prevent their generation for
bytecode handlers. This allows the remaining 7 bytecode handlers to be
marked isolate independent.
Bug: v8:8068
Change-Id: I3a4a6e6530fd1c585558a0d44bd429f572318b57
Reviewed-on: https://chromium-review.googlesource.com/1196509
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55523}
This improves parse time for code-load and other benchmarks.
Bug: v8:7926
Change-Id: I9c8017f2e7f73dd952c025db5abe8e4062e6ef9b
Reviewed-on: https://chromium-review.googlesource.com/1196506
Commit-Queue: Florian Sattler <sattlerf@google.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55521}
This CL improves the performance of creating [...a, b] or [...a].
If the array literal has a leading spread, this CL emits the bytecode
[CreateArrayFromIterable] to create the literal. CreateArrayFromIterable
is implemented by [IterableToListDefault] builtin to create the initial
array for the leading spread. IterableToListDefault has a fast path to
clone efficiently if the spread is an actual array.
The bytecode generated is now shorter. Bytecode generation is refactored
into BuildCreateArrayLiteral, which allows VisitCallSuper to benefit
from this optimization also.
For now, turbofan also lowers the bytecode to the builtin.
The idiomatic use of [...a] to clone the array a now performs better
than a simple for-loop, but still does not match the performance of slice.
Bug: v8:7980
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Ibde659c82d3c7aa1b1777a3d2f6426ac8cc15e35
Reviewed-on: https://chromium-review.googlesource.com/1181024
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Commit-Queue: Hai Dang <dhai@google.com>
Cr-Commit-Position: refs/heads/master@{#55520}
This is needed to meet the timeout requirements of android builds.
Change-Id: Ia771f94683e2e0c88c54ed0e0a75925abfa85786
Reviewed-on: https://chromium-review.googlesource.com/1196508
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Florian Sattler <sattlerf@google.com>
Cr-Commit-Position: refs/heads/master@{#55519}
This changes SimplifiedLowering to be more consistent when choosing Smi
representation as input for Number comparisons. We already had some
isolated logic for doing (speculative) Number comparisons on Smis, but
only in the case where that decision was based on type feedback, not on
information already present in the graph.
Bug: v8:7703
Change-Id: I25370ade630917675a6ac79b5ae6a8afd253dfc7
Reviewed-on: https://chromium-review.googlesource.com/1196422
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55518}
This removes the thread-local field in question. This side-channel for
the "caught exception" is not needed, we can just explicitly pass the
exception value to all support functions. Also, there is an inherent
problem with having this side-channel, as it will not be properly reset
when an exception handler ends up not rethrowing the exception.
R=ahaas@chromium.org
BUG=v8:8097
Change-Id: I2fdaff89f0eb318ce5a33bf56513165185547c1b
Reviewed-on: https://chromium-review.googlesource.com/1194063
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55517}
This reverts two CLs that were intended to show symbols for embedded builtins in chromecrash. The symbols never showed up, a part of this must still be missing.
Revert "[builtins] Declare builtin symbols as globals"
This reverts commit 8412353c99.
Revert "[builtins] Declare builtin symbols"
This reverts commit 17ad3ae47f.
TBR=yangguo@chromium.org
Bug: v8:6666, v8:7722
Change-Id: Ifcbf56a36ea51ea65de77c507886402f3663f414
Reviewed-on: https://chromium-review.googlesource.com/1195493
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55515}
Use BuiltinAssemblerOptions to generate AssemblerOptions when generating
the bytecode handlers (assuming v8_enable_embedded_bytecode_handlers is
on).
Mark all but InvokeIntrinsic, InvokeIntrinsicWide,
InvokeIntrinsicExtraWide, TestIn, TestInWide, TestInExtraWide and
TestTypeOf as isolate-independent. The excluded handlers create jump
tables which have absolute addresses.
Bug: v8:8068
Change-Id: Ia29e9c737ec345193e24fc2aa3684daefb113a9a
Reviewed-on: https://chromium-review.googlesource.com/1195508
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55514}
Also takes care of InterpreterEnterBytecodeAdvance.
Drive-by:
- Add DCHECK to ensure cmpb is only used with byte registers.
- Add Push/PopRootRegister to TurboAssembler with DCHECK ensuring
that there is a NoRootArrayScope
Change-Id: Ibcf1c91b12767bdf6425b18872c41b31124de3ba
Bug: v8:6666
Reviewed-on: https://chromium-review.googlesource.com/1190305
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55512}
Minor cleanup moving some types to more meaningful headers.
Bug: v8:8015
Change-Id: I99e428529f0b2d967a3c67385c80001bb0df19fa
Reviewed-on: https://chromium-review.googlesource.com/1195506
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Stephan Herhut <herhut@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55511}