Since there are some regression tests that use this instruction
many times in a row, trampoline pool can't be emitted. This commit
fixes this issue.
Change-Id: I7b575c4920f7e72a39051dee1ccca4baf9562ff1
Reviewed-on: https://chromium-review.googlesource.com/955696
Commit-Queue: Sreten Kovacevic <sreten.kovacevic@mips.com>
Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Cr-Commit-Position: refs/heads/master@{#51846}
If the value can be converted, we can skip the write barrier.
Change-Id: I88ac7f3756ddfaf4b8e58dc36a9b26faf544f0d9
Reviewed-on: https://chromium-review.googlesource.com/957033
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51845}
This patch removes the TypedArrayConstructor_ConstructStub builtin,
merging its functionality into the refactored TypedArrayConstructor
TurboFan builtin.
This brings us closer to our goal of deprecating the `construct_stub`
field in `SharedFunctionInfo`.
Bug: v8:7503, v8:7518
Change-Id: I264aa0933b3c80814e021b05033636196dc289da
Reviewed-on: https://chromium-review.googlesource.com/956044
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51843}
Previously we used a FixedArray for the FeedbackMetadata, packing bits
of information into Smi fields. On 64-bit platforms, we waste at least
half of the available memory by using the Smi representation.
Given that this is just raw data (no pointers), we can just use a new
type that uses the existing packing scheme to store the data in int32
format instead.
This CL changes FeedbackMetadata to a new subclass of HeapObject. This
is to reduce the API surface exposed, in comparison to extending/using
a more general purpose data structure like ByteArray, which is also just
raw data.
FeedbackMetadata only exposes general purpose methods for accessing
slots, but hides the implementation detail of packing bits into int32
fields.
This CL also introduces a sentinal EmptyFeedbackMetadata, because there
are ~750 empty FeedbackMetadata objects when running an empty program in
V8. These are probably for builtins.
Bug: v8:7500
Change-Id: Ic85563153abbd71a22854cee8519260c32b1e9ab
Reviewed-on: https://chromium-review.googlesource.com/945730
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51842}
This adds support for f32.convert_{s,u}/i{32,64}.
On 32-bit platforms, i64 conversions are implemented by a call to a c
function. Since the signature of this c function is very different to
the currently used functions in Liftoff (in particular they contain an
out parameter), this CL requires a major refactoring of how Liftoff
generates c-calls.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: Iffb4d0263ca1ca3eb9c6216344220322cda16062
Reviewed-on: https://chromium-review.googlesource.com/952122
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51841}
This benchmark checks comparison with StringAt functions against
each other and and constants. The benchmarks will serve to measure
the effect of an optimization that will omit the implicit
String.fromCharCode in such cases.
Bug: v8:7531
Change-Id: I171df92301516c96beb6a4ed86f1dec8d10e34f5
Reviewed-on: https://chromium-review.googlesource.com/957086
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51839}
This is a move-only CL (except includes cleanup).
Bug: v8:6666
Change-Id: I28422b4a21074e642e8d5c9b3a563ecafdafbda7
Reviewed-on: https://chromium-review.googlesource.com/957087
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51838}
It turns out that with the help of Code::Instruction{Start,End,Size}
helpers, we don't need custom profiler methods.
InstructionStream is now all-static.
Bug: v8:6666
Change-Id: I59e1d2d2cb72c128725a1ed03f11506d40e76224
Reviewed-on: https://chromium-review.googlesource.com/947973
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51837}
This is a reland of 6afd25fff0
Original change's description:
> [builtins] Execute binary-embedded builtin code
>
> This CL creates trampolines into binary-embedded builtins on
> isolate-creation, if --stress-off-heap-code is passed.
>
> Note that this still overwrites existing code objects with the
> off-heap trampoline, and that off-heap builtins still exist both in
> the snapshot and the binary. Addressing these points are the next
> steps.
>
> Drive-by-change: More efficient off-heap code lookups now that the
> off-heap memory area has a contiguous and static layout.
>
> Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel_ng
> Bug: v8:6666
> Change-Id: I7e7ef0aa2cd7b8184ae3a13fa02bdcbb4f2c9f86
> Reviewed-on: https://chromium-review.googlesource.com/947969
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51809}
TBR=mstarzinger@chromium.org
Bug: v8:6666
Change-Id: I4e0684de90733e5f18f6f0ea4832e327d03dfbf7
Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/955595
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51835}
Some compilers complain that ConvertReturn is private in SimulatorBase,
but used in the arm64 Simulator. This CL fixes this by making
ConvertReturn protected.
R=ulan@chromium.org
Bug: v8:7541
Change-Id: I9326b2c746829e9c37c58c14561811b32929c615
Reviewed-on: https://chromium-review.googlesource.com/955689
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51834}
This reverts commit daa224d4d0.
Reason for revert: https://bugs.chromium.org/p/chromium/issues/detail?id=819873
Original change's description:
> [builtins] Remove CheckOptimizationMarker builtin
>
> This was a shim for the non-I+TF codepath, which is now the only
> codepath (that still uses this tier-up mechanism anyway). There were a
> couple of places we were accidentally using it due to CompileLazy or
> deopts, so this also fixes those.
>
> Change-Id: I00a7fdf9fb5cf74844138dac62d01ceaaf192e17
> Reviewed-on: https://chromium-review.googlesource.com/951490
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51786}
TBR=rmcilroy@chromium.org,machenbach@chromium.org,leszeks@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Change-Id: I80765eb18aaf5086e6db5d5df96f608a317c999f
Reviewed-on: https://chromium-review.googlesource.com/957022
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51829}
This test depends on lack of randomness in the allocation path so it is
not compatible with stress_incremental_marking. Extract it into a
standalone tests which runs with the stress flag disabled.
Revert "[cctests] Disable flaky cctest test-heap-profiler/SamplingHeapProfiler"
This reverts commit 3ea2d6b06f.
Bug: v8:7444
Change-Id: Id246bca4699a61e6b9ff4b5b5d2ff1ce4ebbd0da
Reviewed-on: https://chromium-review.googlesource.com/953865
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
Cr-Commit-Position: refs/heads/master@{#51826}
This updates the scanner to use the correct error message when it
encounters an octal escape sequence in a template literal. Previously,
the error message referred to strict mode, even when the template
literal was not in strict mode code.
Bug: v8:7502
Change-Id: I37bb1338cf796c471108bc10f35f824cdf3ce0b7
Reviewed-on: https://chromium-review.googlesource.com/945411
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51823}
The number of embedder fields grows dynamically, but reading these
fields do not perform bounds checks. The naming is taken from a similar
method on v8::Isolate.
Also changed the growing strategy for the backing store to not
over-allocate.
R=adamk@chromium.org, bmeurer@chromium.org
Bug: v8:7533
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I70beab124a32296c940ffabd897a7790bc8ff47a
Reviewed-on: https://chromium-review.googlesource.com/952923
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51822}
Stack slots store the type of the respective value, so we can always
get the reg class from that type.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: I60ca21daa4cc1505562c344367c7586bcd272c9b
Reviewed-on: https://chromium-review.googlesource.com/950948
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51820}
This is to better pinpoint win64 failures.
TBR=bmeurer@chromium.org
Bug: v8:178
Change-Id: If778352cad1f209927067a12d5684e62c4ead8d2
Reviewed-on: https://chromium-review.googlesource.com/955687
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51818}
On 32-bit systems, the computation {count + type_list->size()} can
overflow, leading to memory corruption later on.
R=titzer@chromium.org
Bug: chromium:819869
Change-Id: Ic81d201e58211e3989b4e945cd52e98dc951fbda
Reviewed-on: https://chromium-review.googlesource.com/955025
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51817}
This reverts commit 6afd25fff0.
Reason for revert: https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20-%20debug%20-%20fyi/builds/1437
Original change's description:
> [builtins] Execute binary-embedded builtin code
>
> This CL creates trampolines into binary-embedded builtins on
> isolate-creation, if --stress-off-heap-code is passed.
>
> Note that this still overwrites existing code objects with the
> off-heap trampoline, and that off-heap builtins still exist both in
> the snapshot and the binary. Addressing these points are the next
> steps.
>
> Drive-by-change: More efficient off-heap code lookups now that the
> off-heap memory area has a contiguous and static layout.
>
> Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel_ng
> Bug: v8:6666
> Change-Id: I7e7ef0aa2cd7b8184ae3a13fa02bdcbb4f2c9f86
> Reviewed-on: https://chromium-review.googlesource.com/947969
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51809}
TBR=mstarzinger@chromium.org,jgruber@chromium.org
Change-Id: I18276541b468b9d2b2a1366ccd287822e96b6df7
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6666
Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/956042
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51816}
This adds a global protector to guard the lookup of "resolve" on the
%Promise% intrinsic object (the initial Promise constructor), making
sure that Promise.resolve yields the initial builtin method. We use
this protector to avoid the lookup of "resolve" all the time inside
of Promise.all and Promise.race, when called with constructor being
the %Promise% intrinsic object.
This improves the performance on the parallel-async-es2017-native
benchmark by roughly 2-3%.
Bug: v8:7253
Change-Id: Ida93b88afbaeae61f17be4cd30ea6a78b4267cea
Reviewed-on: https://chromium-review.googlesource.com/955564
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51810}
This CL creates trampolines into binary-embedded builtins on
isolate-creation, if --stress-off-heap-code is passed.
Note that this still overwrites existing code objects with the
off-heap trampoline, and that off-heap builtins still exist both in
the snapshot and the binary. Addressing these points are the next
steps.
Drive-by-change: More efficient off-heap code lookups now that the
off-heap memory area has a contiguous and static layout.
Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel_ng
Bug: v8:6666
Change-Id: I7e7ef0aa2cd7b8184ae3a13fa02bdcbb4f2c9f86
Reviewed-on: https://chromium-review.googlesource.com/947969
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51809}
JSCallReducer runs at the same time as DeadCodeElimination and hence can observe an incompletely propagated DeadValue in place of a StateValue node holding the arguments to materialize for JSCreateArguments.
This CL fixes this by aborting the lowring of JSCreateArguments in this case.
Bug: chromium:819311 v8:7536
Change-Id: I42c4a1923e3dbe470db1a16c5069aaa7c38659ac
Reviewed-on: https://chromium-review.googlesource.com/955306
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51808}
The PromiseResolve builtin was missing it's fast-path for when we can
skip the "constructor" lookup due to a typo.
Bug: v8:7253
Change-Id: Icca033af5d4f7fe8b43ebf49c9315b4c80d52cbc
Reviewed-on: https://chromium-review.googlesource.com/955483
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51807}
Test started failing after commit `[Liftoff] Remove Get{Unary,Binary}OpTargetRegister`.
Optimization shouldn't be done if dst == rhs in i32_set_cond instruction.
This CL fixes the issue.
Change-Id: I67cd1ca4692fcf69202ef25f7aa58756a5ddddca
Reviewed-on: https://chromium-review.googlesource.com/952963
Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Cr-Commit-Position: refs/heads/master@{#51806}
When optimizing SpeculativeToNumber we need to pay attention to the
hint, otherwise we optimize away a Signed32 conversion, based on the
fact that the input is a Number.
Bug: chromium:819298
Change-Id: I2ac7b0dac708fee9083eca2880bd5674a82daaa3
Reviewed-on: https://chromium-review.googlesource.com/955423
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51805}
... and use Smi Map::kPrototypeChainValid for the cases where direct receiver's
prototype is not JSObject instead of creating a new valid cell for each such
case. This will make a validity cell checking code simpler.
Bug: v8:5988
Change-Id: I52cf55797171cc8021d80e4e441615d0c8fc8bd4
Reviewed-on: https://chromium-review.googlesource.com/951384
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51803}
UnalignedLoad is the only kind of load operation that defines its own
UnalignedLoadRepresentation type alias and LoadRepresentationOf function.
This is a problem because it means we cannot use the LOAD_MATCHER
infrastructure without defining all of this boilerplate for all the other
kinds of load operations. Since these aliases serve no real purpose,
it is best to unify UnalignedLoad to how its peers are handled.
Change-Id: I51a591eb82fb85edee66512136b23276e851f767
Reviewed-on: https://chromium-review.googlesource.com/951683
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51802}
The debugger script implementation had its own way to write
uint32_t values to a string as hex values. This removes the
custom code and uses a shared implementation in String16Builder
instead.
The observable effect is that script hashes are now lower-case
and the character sequence is reversed for each 8-character
pair.
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ib21769fbe10c24055fbd3fa9573bc5c2d72f6a74
Reviewed-on: https://chromium-review.googlesource.com/951303
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Commit-Queue: Stephan Herhut <herhut@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51801}
- Make it explicit that the field marks are supposed to be all-false after each
object.
- Remove unused param from MarkVisitedField.
BUG=v8:7534
Change-Id: Ibc226290bb09daca60b92819944e0049bb33e594
Reviewed-on: https://chromium-review.googlesource.com/951725
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51799}
The tricky part here is to take away one register from register
allocation for the mask. The only problem is with calls that need
an input operand to be passed in the poison register. For such calls,
we change the register constraint in the instruction selector
to pass the value in whatever place the register allocator sees fit.
During code generation, we then copy the value from that place
to the poison register. By that time, the mask is not necessary
(once we bake the mask into the target, it should be done before
this move).
For the branches, the mask update does not use cmov (unlike x64)
because cmov does not take an immediate and we do not have
a scratch register. Instead we use bit-twiddling tricks
(suggested by @tebbi). For example, here is the code for masking
register update after a bailout on non-zero:
jnz deopt_bailout ;; Bailout branch
setnz bl ;; These three instructions update the mask
add ebx, 255
sar ebx, 31
(On x64, the sequence is:
jnz deopt_bailout
mov r10, 0 ;; We have a scratch register for zero
cmovnz r9, r10 ;; Set to zero if we execute this branch
;; in branch mis-speculation
)
This CL also fixes a bug in register configuration, where we used
to wrongly restrict the array of register name.
Change-Id: I5fceff2faf8bdc527d9934afc284b749574ab69e
Bug: chromium:798964
Reviewed-on: https://chromium-review.googlesource.com/946251
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51798}
