For additions like a+'' or ''+a where we have String feedback on the
JSAdd, we can drop the concatenation and just check that a is a valid
String already (via CheckString).
BUG=v8:6259
R=petermarshall@chromium.org
Review-Url: https://codereview.chromium.org/2894563002
Cr-Commit-Position: refs/heads/master@{#45395}
For a single deferred command, using a jump table is overkill, so
instead simply test the token against the single entry.
Bug: v8:4280
Bug: v8:6218
Change-Id: I0300f640080705fb10f46ad4ed5791703fa4dd77
Reviewed-on: https://chromium-review.googlesource.com/506153
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45393}
Restore original behavior in that strings are deduplicated in lower-case
conversion (i.e. if the string is already lower-case, the original
string is returned).
BUG=v8:6353,v8:6412
Review-Url: https://codereview.chromium.org/2891853004
Cr-Commit-Position: refs/heads/master@{#45391}
We already had an optimization to turn Function.prototype.apply with
arguments object, i.e.
  function foo() { return bar.apply(this, arguments); }
into a special operator JSCallForwardVarargs, which avoids the
allocation and deconstruction of the arguments object, but just passes
along the incoming parameters. We can do the same for rest parameters
and spread calls/constructs, i.e.
  class A extends B {
    constructor(...args) { super(...args); }
  }
or
  function foo(...args) { return bar(1, 2, 3, ...args); }
where we basically pass along the parameters (plus maybe additional
statically known parameters).
For this, we introduce a new JSConstructForwardVarargs operator and
generalize the CallForwardVarargs builtins that are backing this.
BUG=v8:6407,v8:6278,v8:6344
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2890023004
Cr-Commit-Position: refs/heads/master@{#45388}
We use Schedule::EnsureDeferredCodeSingleEntryPoint as a helper for
hand-crafted builtin code, to ensure deferred code isn't entered from a
mix of deferred and non-deferred code (invariant required for hot/cold
allocation, or "splintering").
When we create a "merger" block, it may be the case that the original
block had a few phi operands. Those need to be moved as well.
This bug was uncovered by both v8:6390 and, earlier, by v8:5998. We
fixed the earlier one by authoring the builtin to avoid the need for
EnsureDeferredCodeSingleEntryPoint. I proposed earlier an alternative
where we'd replace the Ensure... method with a Verify, and throw early
when the builtin is assembled, however, we may want to maintain the
slightly higher level DSL for authoring builtins, and perform such
graph adjustments for the lower level constraints afterwards, hence
this current CL.
Bug: v8:5998 v8:6390
Change-Id: Ia3143f7a66904fe480d8edb5b52bf915b8d185dc
Reviewed-on: https://chromium-review.googlesource.com/505264
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45387}
Port 11a211ff1b
Port 663a8ef470
Original Commit Message:
Since the feedback vector is itself a native context structure, why
not store optimized code for a function in there rather than in
a map from native context to code? This allows us to get rid of
the optimized code map in the SharedFunctionInfo, saving a pointer,
and making lookup of any optimized code quicker.
Original patch by Michael Stanton <mvstanton@chromium.org>
R=rmcilroy@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:6246,chromium:718891
LOG=N
Review-Url: https://codereview.chromium.org/2892663002
Cr-Commit-Position: refs/heads/master@{#45385}
The IC system does its best to properly mark stable transition source maps
as unstable (see https://chromium-review.googlesource.com/483442);
however, an already recorded map can be deprecated later and the
optimizing compiler may try to generate an elements kind transition
from the updated version of the deprecated map, which can "become" stable
again.
Bug: chromium:723455
Change-Id: Ic0c392f153587c3cd7c7623a3a6ea85ec72ad5bd
Reviewed-on: https://chromium-review.googlesource.com/507887
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45384}
Mark Runtime::kInlineGeneratorGetContext as not needing a FrameState
(matching the other Generator field-loading intrinsics) and avoid
a call to PrepareEagerCheckpoint() in VisitResumeGenerator() (since
there should never be a deopt during resume).
Change-Id: I03a2d89914bc7de27bbfe6228ca115e635ea4c4e
Reviewed-on: https://chromium-review.googlesource.com/506815
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45382}
In analogy to the CHECK() macro, this generates an assertion check in CSA that is enabled in release builds. Intended for some security-relevant assertions in TypedArray builtins.
Bug:
Change-Id: Ie15a3892c4698a916bcd53bd9bfb4411eec6ebe4
Reviewed-on: https://chromium-review.googlesource.com/506158
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45381}
This uses a separate temporary zone for running the asm.js parser, which
can be discarded immediately after the parser has finished validating one
module. It reduces the lifetime of all data structures local to the
parser and only uses the compilation zone to hold the resulting module.
R=clemensh@chromium.org
Change-Id: I5f5a613e0abd24cd85a49ebd97f9ee7cee46b02a
Reviewed-on: https://chromium-review.googlesource.com/506733
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45377}
Super calls need to refer to .this_function, .new.target and this, and super
property references need to refer to .this_function and this, so that the
is_used for those variables will be set and they will be allocated correctly.
BUG=v8:5516
Change-Id: Idc58539fccad70c995e029051b59a67ea66bff91
Reviewed-on: https://chromium-review.googlesource.com/506094
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45376}
This CL refactors the module decoder so that it can process a list of
section buffers instead of one module buffer. This change is needed for
streaming compilation. Streaming compilation may require additional
changes.
This CL introduces the following interface to the module decoder:
StartDecoding -- starts the decoding
DecodeModuleHeader -- decodes the module header
DecodeSection -- decodes the section
FinishDecoding -- finishes the decoding and returns the WasmModule
Aside from the different interface, the biggest change to the module
decoder is the introduction of a buffer_offset, which is the offset
of the current section buffer of the module decoder in the module bytes.
This buffer_offset is used to translate from section offsets to module
offsets and back.
Another nice change is that the module decoder does not have a zone
anymore. Instead the zone is stored directly in the WasmModule where
it belongs. Zone ownership is also more obvious now.
R=mtrofin@chromium.org, clemensh@chromium.org
Change-Id: I815d777ec380f4c617c39e828ea0c9746c0bae20
Reviewed-on: https://chromium-review.googlesource.com/505490
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45374}
AssembleCode will eventually be moved into ExecuteJob, i.e., off
the main thread.
Bug: v8:6048
Change-Id: If84ee2aaca6c8827cb769c7d69e5094fb4f32e4b
Reviewed-on: https://chromium-review.googlesource.com/506669
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45372}
Original CL description:
[compiler] Delay allocation of heap numbers for deoptimization literals.
... until after the main bulk of code generation, which will soon run on a
different thread.
Bug: v8:6048, chromium:722978
Change-Id: I690c0b009211a2bac60cf06f577720a914c21000
Reviewed-on: https://chromium-review.googlesource.com/507207
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45371}
AstNodeFactory used to get the Zone directly from AstValueFactory. But that's
generally the wrong Zone (the main Zone, instead of the temp Zone), and the
creator of AstNodeFactory had to call set_zone right after. By adding a Zone
param, we can pass the correct Zone right away.
Also made PreParserFactory have an AstNodeFactory, so that we don't need to
create temporary AstNodeFactories all the time.
Also removed AstNodeFactory::BodyScope since DiscardableZoneScope essentially
did the same thing already.
BUG=v8:5516,v8:6092
Change-Id: I189d2e6afe91c91e49d8ed7e3496a0d9c405e1c5
Reviewed-on: https://chromium-review.googlesource.com/507129
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45370}
This makes message reporting use the same message text for the normal
as well as --predictable execution. Running in predictable mode should
just suppress all asm.js messages wholesale if needed.
R=clemensh@chromium.org
Change-Id: Ice1e83c4b098fbc4c3b301c685614afe26190016
Reviewed-on: https://chromium-review.googlesource.com/506093
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45368}
Non-printable characters do not make sense.
Inputs with non balanced brackets are mostly useless as well.
This validation function makes the fuzzer 15-20x faster.
Also use -only_ascii=1 option of libFuzzer:
https://codereview.chromium.org/2875933003
BUG=chromium:584819
Review-Url: https://codereview.chromium.org/2881583002
Cr-Commit-Position: refs/heads/master@{#45367}
This reverts commit bb90a2e85d.
Reason for revert: https://bugs.chromium.org/p/chromium/issues/detail?id=722978
Original change's description:
> [compiler] Delay allocation of heap numbers for deoptimization literals.
>
> ... until after the main bulk of code generation, which will soon run on a
> different thread.
>
> R=jarin@chromium.org
>
> Bug: v8:6048
> Change-Id: I12aaaf2725e2422f588c29f50084eb77b56ad9a5
> Reviewed-on: https://chromium-review.googlesource.com/505616
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#45340}
TBR=jarin@chromium.org,neis@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Bug: v8:6048
Change-Id: I161f175685c24dc59ee4e761ea6d00a235573e7a
Reviewed-on: https://chromium-review.googlesource.com/506021
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45366}
The underlying issue is that TF Nodes cannot handle input counts
outside the integer range. On an illegal br_table instruction, we
generated a switch node with a control output count > kMaxInt.
Operator::ControlOutputCount turned this into a negative integer later,
leading to a failing DCHECK.
Since such large numbers cannot occur in any valid wasm function anyway,
we just add an additional check to the br table count. There is already
a TODO in the code to change Operator::ControlOutputCount to size_t.
R=ahaas@chromium.org
BUG=chromium:722445
Change-Id: I1975072226e073dee6c8da3b9fa9a050a4695917
Reviewed-on: https://chromium-review.googlesource.com/505496
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45365}
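The failure mode above, as an added example that is not V8's decoder: a br_table target count is read as an unsigned 32-bit LEB128 varint, but the consumer stores the control output count as an int, so a count near kMaxInt silently goes negative unless it is bounded first. The names below (DecodeVarU32, ValidateBrTableCount, kMaxBrTableTargets) and the bound value are assumptions for illustration, not V8's actual limits.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Added example, not V8 code. kMaxBrTableTargets is an assumed bound; the
// point is only that it sits far below kMaxInt.
constexpr uint32_t kMaxInt = 0x7fffffff;
constexpr uint32_t kMaxBrTableTargets = 65520;  // assumed for illustration

struct DecodeResult {
  bool ok;
  uint32_t value;
  size_t consumed;
};

// Decode an unsigned LEB128 varint of at most 32 bits (max 5 bytes).
DecodeResult DecodeVarU32(const uint8_t* p, size_t len) {
  uint32_t result = 0;
  int shift = 0;
  for (size_t i = 0; i < len && i < 5; ++i) {
    uint8_t b = p[i];
    result |= static_cast<uint32_t>(b & 0x7f) << shift;
    if ((b & 0x80) == 0) {
      // The fifth byte may only carry 4 payload bits for a 32-bit value.
      if (i == 4 && (b & 0x70) != 0) return {false, 0, i + 1};
      return {true, result, i + 1};
    }
    shift += 7;
  }
  return {false, 0, 0};  // unterminated or too long
}

// What an unchecked path does: table count plus the default target, as int.
// For table_count >= kMaxInt this wraps to a negative number.
int UncheckedControlOutputCount(uint32_t table_count) {
  return static_cast<int>(table_count + 1u);
}

// The additional check: reject oversized counts before any node is built.
bool ValidateBrTableCount(uint32_t table_count) {
  return table_count <= kMaxBrTableTargets;
}

// Decode and validate in one step; false for malformed or oversized input.
bool DecodeBrTableCount(const uint8_t* data, size_t size, uint32_t* out) {
  DecodeResult r = DecodeVarU32(data, size);
  if (!r.ok) return false;
  if (!ValidateBrTableCount(r.value)) return false;
  *out = r.value;
  return true;
}

// Constructed sample operands (not taken from any real module).
const uint8_t kSmallCount[] = {0x02};                          // 2 targets
const uint8_t kHugeCount[] = {0xff, 0xff, 0xff, 0xff, 0x07};   // 0x7fffffff

int main() {
  uint32_t n = 0;
  std::printf("small: %s (n=%u)\n",
              DecodeBrTableCount(kSmallCount, sizeof kSmallCount, &n) ? "ok" : "rejected", n);
  std::printf("huge:  %s, unchecked output count would be %d\n",
              DecodeBrTableCount(kHugeCount, sizeof kHugeCount, &n) ? "ok" : "rejected",
              UncheckedControlOutputCount(kMaxInt));
  return 0;
}
```

The check belongs at decode time, before the count is used to size a node, a vector or a jump table; once the value has been narrowed to int, the sign is already wrong and every later consumer inherits it.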
The interpreter does not implement all asm.js specific opcodes. Thus
the combination of --validate-asm and --wasm-interpret-all might crash.
The interpreter does not need to execute asm.js modules, as they are
debugged by executing them in turbofan instead of the wasm interpreter.
This CL thus excludes asm.js modules from --wasm-interpret-all.
R=ahaas@chromium.org
BUG=chromium:719175
Change-Id: I14228ea11ee3ea8a229cfa6e4179338a442b6cca
Reviewed-on: https://chromium-review.googlesource.com/506160
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45364}
This encapsulates message reporting into separate functions independent
from the logic of asm.js compilation and instantiation. It is mostly
refactoring with a small fix to also report successful instantiation of
the "single function" case.
R=clemensh@chromium.org
Change-Id: I89c2d62707e891bf51c19945c4067195f41290a4
Reviewed-on: https://chromium-review.googlesource.com/506195
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45362}
Migrate the Object.keys builtin to the CodeStubAssembler and
use the enum cache backing store whenever it is available. This
gives a nice speedup of 1.5x to 2x when using Object.keys on fast-mode
objects that have (or can have) an enum cache.
R=cbruni@chromium.org
BUG=v8:5269,v8:6405
Review-Url: https://codereview.chromium.org/2853393002
Cr-Commit-Position: refs/heads/master@{#45361}
This brings clear separation to tasks vs isolate management.
BUG=none
Review-Url: https://codereview.chromium.org/2885253002
Cr-Commit-Position: refs/heads/master@{#45355}
By default we just break when we first reach the passed location; with current we'll break at the passed location only when it happens within the same stack frame.
BUG=v8:6397
R=dgozman@chromium.org
Review-Url: https://codereview.chromium.org/2879923003
Cr-Commit-Position: refs/heads/master@{#45354}
Adds a generic job that is based on items and tasks.
Bug: chromium:651354
Change-Id: I378e04741c5761ea6c4a74816b9af8ea22867f53
Reviewed-on: https://chromium-review.googlesource.com/506075
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45353}
This will make it easier to create more connections/context groups.
BUG=none
Review-Url: https://codereview.chromium.org/2886903003
Cr-Commit-Position: refs/heads/master@{#45352}
No need to return an empty map. Return a JSObject instead.
Bug: v8:5933
Change-Id: I9fb727c5e1920ba94fd3d5e7ef2a7d9d602f56d8
Reviewed-on: https://chromium-review.googlesource.com/506194
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45350}
So continue to location can be called only for one context group id at the same time.
BUG=v8:6397
Review-Url: https://codereview.chromium.org/2882213004
Cr-Commit-Position: refs/heads/master@{#45349}
Generate the code (extra runtime calls) for --trace-ignition support at
compile time, based on a #define (similar to TRACE_MAPS). Then check for
--trace-ignition at run-time when deciding whether to actually print
anything. This should make --trace-ignition less painful to use.
Note that --trace-ignition is disabled by default, even on debug builds.
It has to be enabled with the gn arg "v8_enable_trace_ignition=true".
As a drive-by, TRACE_MAPS is renamed to V8_TRACE_MAPS, for consistency,
and SFI unique index (needed both by --trace-ignition and --trace-maps)
is cleaned up to be behind another #define.
Change-Id: I8dd0c62d0e6b7ee9c75541d45eb729dc03acbee9
Reviewed-on: https://chromium-review.googlesource.com/506203
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45346}