This reverts commit a2fcdc7cc8.
Reason for revert: Large regressions in RCS (https://chromeperf.appspot.com/group_report?bug_id=740126)
Original change's description:
> [runtime] Move profiler ticks from SFI to feedback vector
>
> Instead of counting profiler ticks on the shared function info (which is
> shared between native contexts), count them on the feedback vector
> (which is not). This allows us to continue pushing optimization
> decisions off the SFI, onto the feedback vector.
>
> Note that a side-effect of this is that ICs don't have to walk the stack
> to reset profiler ticks, as they can access the feedback vector directly
> from their feedback nexus.
>
> Change-Id: I232ae9e759fca75cd89d393148a4ff42caa2646f
> Reviewed-on: https://chromium-review.googlesource.com/544888
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46411}
TBR=rmcilroy@chromium.org,leszeks@chromium.org,ishell@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Change-Id: Id587e4172e300c420f93c49744a2a0e66696edf8
Reviewed-on: https://chromium-review.googlesource.com/574227
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46702}
Some of the benchmarks were pointing to the wrong test functions.
Bug:
Change-Id: I6f7850feec1da61bea7b8c1ac03c00d75400f458
Reviewed-on: https://chromium-review.googlesource.com/574023
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Cr-Commit-Position: refs/heads/master@{#46701}
There are wasm tests which are supposed to fail, but they fail for the
wrong reason (because blocks do not declare their type).
This CL fixes this, and changes the error output to contain the
expected and observed results for better debuggability.
R=titzer@chromium.org
Change-Id: Ibbd7883e43677a91f858575578586c9e9d1641d5
Reviewed-on: https://chromium-review.googlesource.com/571810
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46698}
This makes the runtime rely on the {HasBytecodeArray} predicate to
determine whether code generated by TurboFan was build without any
deoptimization support, as opposed to {asm_function}.
R=rmcilroy@chromium.org
BUG=v8:6589
Change-Id: Id124bed47a5fa02d31ff8fd3eee561b2df6c9226
Reviewed-on: https://chromium-review.googlesource.com/571786
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46694}
Goal of this CL: explicit return from non-async function has position after
return expression as return position (will unblock [1]).
BytecodeArrayBuilder has SetStatementPosition and SetExpressionPosition methods.
If one of these methods is called then next generated bytecode will get passed
position. It's general treatment for most cases.
Unfortunately it doesn't work for Returns:
- debugger requires source positions exactly on kReturn bytecode in stepping
implementation,
- BytecodeGenerator::BuildReturn and BytecodeGenerator::BuildAsyncReturn
generates more then one bytecode and general solution will put return position
on first generated bytecode,
- it's not easy to split BuildReturn function into two parts to allow something
like following in BytecodeGenerator::VisitReturnStatement since generated
bytecodes are actually controlled by execution_control().
..->BuildReturnPrologue();
..->SetReturnPosition(stmt);
..->Return();
In this CL we pass ReturnStatement through ExecutionControl and use it for
position when we emit return bytecode right here.
So this CL only will improve return position for returns inside of non-async
functions, I'll address async functions later.
[1] https://chromium-review.googlesource.com/c/543161/
Change-Id: Iede512c120b00c209990bf50c20e7d23dc0d65db
Reviewed-on: https://chromium-review.googlesource.com/560738
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46687}
SuspendFlags was originally used by the suspend operation to determine
which field to record the bytecode offset of a suspended generator, and
the value the generator was resumed with. For async generators, await
operations would use a separate field, in order to preserve the previous
yield input value. This was important to ensure `function.sent`
continued to function correctly.
As function.sent is being retired, this allows the removal of support
for that. Given that this was the only real need for SuspendFlags in the
first place (with other uses tacked on as a hack), this involves several
other changes as well:
- Modification of MacroAssembler AssertGeneratorObject. No longer
accepts a SuspendFlags parameter to determine which type of check to
perform.
- Removal of `flags` operand from SuspendGenerator bytecode, and the
GeneratorStore js-operator.
- Removal of `flags` parameter from ResumeGeneratorTrampoline builtins.
- Removal of Runtime functions, interpreter intrinsics and
AccessBuilders associated with the [[await_input_or_debug_pos]] field
in JSAsyncGeneratorObject, as this field no longer exists.
- Addition of a new `Yield` AST node (subclass of Suspend) in order to
prevent the need for the other SuspendFlag values.
BUG=v8:5855
TBR=bmeurer@chromium.org
Change-Id: Iff2881e4742497fe5b774915e988c3d9d8fbe487
Reviewed-on: https://chromium-review.googlesource.com/570485
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46683}
Returning a double from ToFloat64 could lead to problems. If value_ has the bit
representation of a signaling NaN (sNaN), then returning it as double can cause
the signaling bit to flip, and value_ is returned as a quiet NaN (qNaN).
The usage of the Double wrapper also, makes the function ToFloat64AsInt
redundant, since the Double wrapper already has the AsUint64() method,
which returns an uint64_t.
R=ahaas@chromium.org
Change-Id: I1e627b97b2fb6110fc702fe58f2b83eb343e9ca2
Reviewed-on: https://chromium-review.googlesource.com/563215
Commit-Queue: Enrico Bacis <enricobacis@google.com>
Reviewed-by: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46680}
This is a reland of 5648aad553.
Previous compile error should be fixed by disabling strict aliasing
assumptions on gyp: https://chromium-review.googlesource.com/c/571806
Original change's description:
> [wasm] Don't store global handles in the interpreter
>
> Storing global handles in the interpreter is dangerous, because the
> global handles are strong roots into the heap. The interpreter itself is
> referenced from the heap via a Managed. Hence the interpreter keeps the
> instance alive, while the instance keeps the Managed alive. So the GC
> will never collect them.
>
> This CL refactors this to only store the handle to the instance object
> while executing in the interpreter, and clearing it when returning.
> It also removes the cache of import wrappers, as it should not be
> performance critical, but keeps lots of objects alive. If it turns out
> to be performance critical, we will have to reintroduce such a cache
> stored in the WasmDebugInfo object.
>
> R=titzer@chromium.org
> CC=ahaas@chromium.org
>
> Bug: chromium:610330
> Change-Id: I54b489dadc16685887c0c1a98da6fd0df5ad7cbb
> Reviewed-on: https://chromium-review.googlesource.com/567058
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46629}
TBR=titzer@chromium.org
Bug: chromium:610330
Change-Id: Ic7836b1b1a044a89f2138f0c76f92acd3a1b2f2b
Reviewed-on: https://chromium-review.googlesource.com/570578
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46679}
Bug: v8:6000
Change-Id: I8c068383300ba869a87f836504c84ea08fcff87e
Reviewed-on: https://chromium-review.googlesource.com/568307
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46675}
- Add more conformance tests for proxy call and calling undetectable
- This improves the performance of calling a proxy by ~5x
Bug: v8:6558, v8:6557
Change-Id: I5fe78d7ca703cfe86a2a14e39f0b6d88bb8c8e03
Reviewed-on: https://chromium-review.googlesource.com/570023
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Maya Lekova <mslekova@google.com>
Cr-Commit-Position: refs/heads/master@{#46673}
This reverts commit 20d5048a6f.
Revert "[heap] Ensure that concurrent marking tasks exit before heap tear down."
This reverts commit 387f65d41a.
Reason: concurrent marking tasks waiting for a signal from the main thread
is susceptible to deadlocks. We should instead re-schedule concurrent marking
threads once they exit.
BUG=chromium:694255
Change-Id: I20db2f26b42e960f4cc04506d9598c1187b8a003
Reviewed-on: https://chromium-review.googlesource.com/571800
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46671}
This includes several changes. From most to least interesting:
- No longer implement AwaitExpressions using a do-expression.
- Reduces frame-size of async generators by not allocating temporary
variables to hold results of Await epxressions.
- Streamline and reduce generated bytecodes for Await.
- Debugger no longer emits a debug::kCallBreakLocation breakpoint for
the JS-builtin call performed for Await, and instead only emits such
a breakpoint if the operand of Await is actually a call.
- Push fewer parameters to Await* builtins, using the receiver for the
first parameter (possible now that the CallRuntime invocation not
part of the AST).
- Adds a new Await AST node. No new members or anything, but it seemed
palatable to avoid having `if (is_await())` in a number of
VisitSuspend functions.
BUG=v8:5855, v8:5099, v8:4483
R=rmcilroy@chromium.org, kozyatinskiy@chromium.org, yangguo@chromium.orgTBR=bmeurer@chromium.org
Change-Id: I9cd3fda99cd40295c04fdf1aea01b5d83fac6caf
Reviewed-on: https://chromium-review.googlesource.com/558806
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46666}
The code was already there, but there was a bug in it: Because of the
missing reference, we were only updating a *copy* of the signature map,
hence the update had no effect.
This intentially is a minimal CL, in order to allow for easy
backmerging.
More mitigations and tests are coming in a separate CL.
R=titzer@chromium.org
Change-Id: Ifb462093f4b8f4d5380b6774636537c67c2b676c
Reviewed-on: https://chromium-review.googlesource.com/570278
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46664}
The "test-disasm-arm64/DISASM_debug" test would fail on hardware because we
expected a "hlt" instruction instead of "brk". The former is specific to running
inside the simulator.
Bug:
Change-Id: I7a5a3d4c1a93d03bbf4c934037c565d27379c2b5
Reviewed-on: https://chromium-review.googlesource.com/570442
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/master@{#46663}
Bug: v8:6000
Change-Id: Ia50108ebbf838e210d95cb268858394e6a66c88d
Reviewed-on: https://chromium-review.googlesource.com/567990
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46658}
Currently every VirtualMemory allocation on 64-bit systems
uses a random 46-bit address hint for ASLR.
This leads to wired page leak on MacOS discovered by Erik Chen (see
crbug.com/700928 and https://chromium-review.googlesource.com/c/557958/):
"The Darwin kernel [as of macOS 10.12.5] does not clean up page directory
entries [PDE] created from mmap or mach_vm_allocate, even after
the region is destroyed. Using a virtual address space that is too large
causes a leak of about 1 wired [can never be paged out] page per call to
mmap(). The page is only reclaimed when the process is killed."
This patch changes VirtualMemory to accept the hint parameter explicitly.
On MacOS the hints are confined to 4GB contiguous region. Algorithm:
- On startup, set heap.mmap_region_base_ to a random address.
- For each mmap use heap.mmap_region_base_ + (random_offset % (4*GB)).
BUG=chromium:700928
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I2ae6a024e02fbe63f940105d7920b57c19abacc6
Reviewed-on: https://chromium-review.googlesource.com/558876
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46656}
This CL inlines the following builtins into TurboFan
- %MapIteratorPrototype%.next
- %SetIteratorPrototype%.next
following the design that we are using for Array iteration already
(different instance types for the different kinds of iterators). Details
can be found in the relevant design document at:
https://docs.google.com/document/d/13z1fvRVpe_oEroplXEEX0a3WK94fhXorHjcOMsDmR-8
The key to great performance here is to ensure that the inlined code
allows escape analysis and scalar replacement of aggregates to remove
the allocations for the iterator itself as well as the iterator results
and potential key/value arrays in the simple case of a for-of loop (and
by extension also in other constructs that reduce to for-of loops
internally), i.e.:
const s = new Set;
// ... do something with s
for (const x of s) {
// ...
}
Here the for-of loop shouldn't perform any allocations of helper
objects.
Drive-by-fix: Replace the ExistsJSMapWithness in JSBuiltinReducer with a more
general HasInstanceTypeWitness, similar to what's in JSCallReducer. Also
migrate the {Map,Set}.prototype.size getter inlining to the
JSBuiltinReducer, so that everything is in a single place.
R=jgruber@chromium.org
Bug: v8:6344, v8:6571, chromium:740122
Change-Id: I09cb506fe26ed3e10d7dcb2f95ec4415e639582d
Reviewed-on: https://chromium-review.googlesource.com/570159
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46655}
Only allow BindingIdentifier in BindingRestPattern and
ValidReferenceExpression in AssignmentRestPattern.
Also updated to a better, actionable error message.
Bug: v8:6500, v8:6513
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Ifaba2f85c20bc20e263267e8c76d50a27075b87d
Reviewed-on: https://chromium-review.googlesource.com/550559
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46653}
The tail call implementation is hidden behind the --harmony-tailcalls
flag, which is off-by-default (and has been unstaged since February).
It is known to be broken in a variety of cases, including clusterfuzz
security issues (see sample Chromium issues below). To avoid letting
the implementation bitrot further on trunk, this patch removes it.
Bug: v8:4698, chromium:636914, chromium:724746
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng;master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I9cb547101456a582374fdf7b1a3f044a9ef33e5c
Reviewed-on: https://chromium-review.googlesource.com/569069
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46651}
We only optimize functions which are already compiled, so there is no need
to ensure baseline in pipeline.cc, and since ast-graph-builder doesn't
do inlining, there are no other uses.
BUG=v8:5203, v8:6409
Change-Id: I830c8868d50363f61193a96d9a5774e059a1af0e
Reviewed-on: https://chromium-review.googlesource.com/570033
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46649}
These are no longer necessary since we only have one optimizing compiler.
Also avoid changing --turbo-filter when --no-opt is set, and instead
explicitly check both the FLAG_opt and FLAG_turbo_filter in
GetOptimizedCode to check whether optimization is disabled.
BUG=v8:6408
Change-Id: I0948f788e8ff111c08022270d86c22f848da300a
Reviewed-on: https://chromium-review.googlesource.com/568484
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46648}
This is the x64 implementation of the CL
https://codereview.chromium.org/2763593002
Original message:
[wasm][arm] Add an additional stack check for functions with big frames.
Stack overflow checks are typically implemented as part of the TurboFan
graph of a function. This means that the stack check code is executed
after frame construction. When a frame is too big, though, there may not
be enough space on the stack anymore to throw the stack overflow
exception after frame construction. With this CL we do an additional
stack check before frame construction for functions with big frames.
As discussed offline with mstarzinger, I do this change currently only
for WebAssembly.
This CL contains only the changes for arm. I will do the other platforms
in separate CLs.
R=titzer@chromium.org
Bug: v8:6318
Change-Id: Id4a8ea3ee76c37132e86a7c4e5d05d3bd86df44a
Reviewed-on: https://chromium-review.googlesource.com/565562
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46640}
... that have computed name and/or require home object.
This should give us the opportunity to implement initialization
of name and home object values in a stub.
Bug: v8:6459
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I47a1a2c185e120e86c793733cce737811f895291
Reviewed-on: https://chromium-review.googlesource.com/512802
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Andreas Rossberg <rossberg@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46638}
Removes the --ignition flag which is now on by default. Adds a
--stress-fullcodegen flag which enables running all functions supported
by fullcodegen to be compiled by fullcodegen.
This will enable moving parser internalization later when we are not
stressing fullcodegen or compiling asm.js functions.
BUG=v8:5203, v8:6409, v8:6589
Change-Id: I7fa68016d4e734755434ec0b4e749ef65ffa7f4e
Reviewed-on: https://chromium-review.googlesource.com/565569
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46635}
Additionally, drive-by add a test inspired by a worrying TODO
in the parser.
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng,master.tryserver.v8:v8_linux64_msan_rel,v8_linux64_tsan_rel,v8_linux_arm64_dbg,v8_linux_gc_stress_dbg,v8_linux_noi18n_rel_ng,v8_linux_nosnap_rel
Change-Id: I693a858a638753f8c1091f2f9086710f628b40dd
Reviewed-on: https://chromium-review.googlesource.com/553677
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Daniel Ehrenberg <littledan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46634}
This reverts commit 5648aad553.
Reason for revert: Compile error on mips:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Mips%20-%20builder/builds/10732
Original change's description:
> [wasm] Don't store global handles in the interpreter
>
> Storing global handles in the interpreter is dangerous, because the
> global handles are strong roots into the heap. The interpreter itself is
> referenced from the heap via a Managed. Hence the interpreter keeps the
> instance alive, while the instance keeps the Managed alive. So the GC
> will never collect them.
>
> This CL refactors this to only store the handle to the instance object
> while executing in the interpreter, and clearing it when returning.
> It also removes the cache of import wrappers, as it should not be
> performance critical, but keeps lots of objects alive. If it turns out
> to be performance critical, we will have to reintroduce such a cache
> stored in the WasmDebugInfo object.
>
> R=titzer@chromium.org
> CC=ahaas@chromium.org
>
> Bug: chromium:610330
> Change-Id: I54b489dadc16685887c0c1a98da6fd0df5ad7cbb
> Reviewed-on: https://chromium-review.googlesource.com/567058
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46629}
TBR=titzer@chromium.org,clemensh@chromium.org
Change-Id: Ifadfb885f937f37bb3eab4732a97f20ff40c2583
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:610330
Reviewed-on: https://chromium-review.googlesource.com/569962
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46630}
Storing global handles in the interpreter is dangerous, because the
global handles are strong roots into the heap. The interpreter itself is
referenced from the heap via a Managed. Hence the interpreter keeps the
instance alive, while the instance keeps the Managed alive. So the GC
will never collect them.
This CL refactors this to only store the handle to the instance object
while executing in the interpreter, and clearing it when returning.
It also removes the cache of import wrappers, as it should not be
performance critical, but keeps lots of objects alive. If it turns out
to be performance critical, we will have to reintroduce such a cache
stored in the WasmDebugInfo object.
R=titzer@chromium.orgCC=ahaas@chromium.org
Bug: chromium:610330
Change-Id: I54b489dadc16685887c0c1a98da6fd0df5ad7cbb
Reviewed-on: https://chromium-review.googlesource.com/567058
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46629}
When disassembling some instructions we would print `r12`, which can be
confusing when the rest of the disassembly consistently uses `ip`.
Bug:
Change-Id: Id4cfc5805ef102a0845cdaaa8390e618ee981b19
Reviewed-on: https://chromium-review.googlesource.com/570038
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/master@{#46628}
There is just one version now, called IsPowerOfTwo. It accepts any
integral type.
There is one slight semantical change: Called with kMinInt, it
previously returned true, because the argument was implicitly casted to
an unsigned. It's now (correctly) returning false, so I had to add
special handlings of kMinInt in machine-operator-reducer before calling
IsPowerOfTwo on that value.
R=mlippautz@chromium.org,mstarzinger@chromium.org,jgruber@chromium.org,ishell@chromium.org,yangguo@chromium.org
Change-Id: Idc112a89034cdc8c03365b778b33b1c29fefb38d
Reviewed-on: https://chromium-review.googlesource.com/568140
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46627}
This CL changes the USE macro to accept more than one parameter.
This is particularly interesting for calling a method on each type in a
parameter pack, as in:
template<typename... T>
void foo(T&&... ts) {
USE(do_something(ts)...);
}
Drive-by fix: Allow to pass arbitrary types to USE, including
references. This might prevent a copy for pass-by-value.
R=ishell@chromium.org, tebbi@chromium.org
Also-by: tebbi@chromium.org
Change-Id: I544e83bb996aaa638e7512295973dd3e742254bc
Reviewed-on: https://chromium-review.googlesource.com/567507
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46626}
It's ok that the instance of the called code object is different from
the caller instance. This happens if one instance calls an exported
function of another instance.
R=ahaas@chromium.org
Bug: chromium:739768
Change-Id: I6afa8332a9b33fe32e9332cdca573053f058421d
Reviewed-on: https://chromium-review.googlesource.com/568494
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46624}
The shortcuts ensure that field type generalization is properly
propagated in the transition graph.
Bug: chromium:738763
Change-Id: Id701a6f95ed6ea093c707fbe0bac228f1f856e9f
Reviewed-on: https://chromium-review.googlesource.com/567992
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46622}
This correctly types values loaded via {LoadElement} nodes from arrays
of HOLEY_DOUBLE_ELEMENTS elements kind as {Type::NumberOrHole}. Even
though "the hole" is still encoded as a tagged NaN, the type system
still needs to consider it as a potential hole value.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-736575
BUG=chromium:736575
Change-Id: Ib869284900a4affb2ddaa1d2a96df9443dba6921
Reviewed-on: https://chromium-review.googlesource.com/567180
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46620}
Previously we enforced that all lengths for ArrayLike objects must
be within Smi range, but all negative numbers should actually be first
converted to +0.
Bug: chromium:740372
Change-Id: If50de9ce0eeb7cb09e14b8e8803f434350d00508
Reviewed-on: https://chromium-review.googlesource.com/566867
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46615}
Insertion into a collection changes the map because of the addition of
the hash value property. Check the root map, not the current map.
Fixes: https://github.com/nodejs/node/issues/14139
Change-Id: Iabcea5337323b9b6deffa1a06892c1cb749f2065
Reviewed-on: https://chromium-review.googlesource.com/566833
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46614}
Didn't seem to help and caused a couple of regressions.
BUG=v8:6243,chromium:740124
Change-Id: I72887ba245a524211dbf181c77d0cdc6d917d090
Reviewed-on: https://chromium-review.googlesource.com/568480
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46608}
When we abort preparsing, we have to reset the Scope state, to ensure
re-parsing will leave us in the proper Zone. Resetting of rare_data_
was missing, causing this to fail in some cases.
Bug: chromium:740803
Change-Id: I7ce70f9c4670eaf1b76745ae8231eb95625b0f4b
Reviewed-on: https://chromium-review.googlesource.com/568784
Reviewed-by: Caitlin Potter <caitp@igalia.com>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46607}
By creating the boilerplate only on the second instantiation we cannot
propagate back the elements transitions early enough. The resulting literals
would change the initial ElementsKind one step too late and already pollute
ICs that went to monomorphic state.
- Disable lazy AllocationSites for literals containing arrays
- Introduce new ComplexLiteral class to share code between ObjectLiteral
and ArrayLiteral
- RegexpLiteral now no longer needs a depth_ field
Bug: v8:6517, v8:6519, v8:6211
Change-Id: Ia88d1878954e8895c3d00a7dda8d71e95bba005c
Reviewed-on: https://chromium-review.googlesource.com/563305
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46603}
This is a reland of f720d024dc
Original change's description:
> [mjsunit] Improve mjsunit stracktrace readability
>
> Format the function name and file-position into proper columns to easily spot
> where the test code ends and the mjsunit framework code starts.
>
> BEFORE:
> Stack: Error
> at new MjsUnitAssertionError (test/mjsunit/mjsunit.js:36:18)
> at failWithMessage (test/mjsunit/mjsunit.js:310:11)
> at fail (test/mjsunit/mjsunit.js:327:12)
> at assertEquals (test/mjsunit/mjsunit.js:398:7)
> at closure (test/mjsunit/regress/regress-4121.js:20:7)
> at literals_sharing_test (test/mjsunit/regress/regress-4121.js:27:3)
> at test (test/mjsunit/regress/regress-4121.js:37:5)
> at eval (eval at <anonymous> (test/mjsunit/regress/regress-4121.js:49:6), <anonymous>:1:1)
> at test/mjsunit/regress/regress-4121.js:49:6
> at Array.forEach.call (test/mjsunit/regress/regress-4121.js:50:7)
> throw new MjsUnitAssertionError(message);
>
> AFTER:
> Stack: MjsUnitAssertionError
> at assertEquals test/mjsunit/mjsunit.js 398:7
> at closure test/mjsunit/regress/regress-4121.js 20:7
> at literals_sharing_test test/mjsunit/regress/regress-4121.js 27:3
> at test test/mjsunit/regress/regress-4121.js 37:5
> at eval eval at <anonymous> (test/mjsunit/regress/regress-4121.js:49:6)
> at test/mjsunit/regress/regress-4121.js 49:6
> at Array.forEach.call test/mjsunit/regress/regress-4121.js 50:7
> throw new MjsUnitAssertionError(message);
>
>
> Change-Id: Iad3460a648e26effb43c00426ab043743ee6a138
> Reviewed-on: https://chromium-review.googlesource.com/563627
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46589}
Change-Id: I44bf07f7be4114369315605542cafd17345b4397
Reviewed-on: https://chromium-review.googlesource.com/567063
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46602}
JSFunction::SetName can fail if it tries to create a string with
length > String::kMaxLength (either by prepending "set "/"get " or
by surrounding a Symbol descriptor with "["/"]").
This patch propagates that exception to the surrounding code rather
than CHECK-failing.
Bug: chromium:740398
Change-Id: I394943af481f3147387dd82ec5862d7071d57827
Reviewed-on: https://chromium-review.googlesource.com/566092
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46601}
This makes it possible for automated tests to distinguish between CHECK
failures and DCHECK failures, the latter of which will continue to run
in release builds after the assertion failure point.
Change-Id: Ie26978c0342d401a8c85f3261749739195087579
Reviewed-on: https://chromium-review.googlesource.com/565515
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46596}
This reverts commit f720d024dc.
Reason for revert: Bot failure at
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20-%20custom%20snapshot%20-%20debug/builds/15690
Original change's description:
> [mjsunit] Improve mjsunit stracktrace readability
>
> Format the function name and file-position into proper columns to easily spot
> where the test code ends and the mjsunit framework code starts.
>
> BEFORE:
> Stack: Error
> at new MjsUnitAssertionError (test/mjsunit/mjsunit.js:36:18)
> at failWithMessage (test/mjsunit/mjsunit.js:310:11)
> at fail (test/mjsunit/mjsunit.js:327:12)
> at assertEquals (test/mjsunit/mjsunit.js:398:7)
> at closure (test/mjsunit/regress/regress-4121.js:20:7)
> at literals_sharing_test (test/mjsunit/regress/regress-4121.js:27:3)
> at test (test/mjsunit/regress/regress-4121.js:37:5)
> at eval (eval at <anonymous> (test/mjsunit/regress/regress-4121.js:49:6), <anonymous>:1:1)
> at test/mjsunit/regress/regress-4121.js:49:6
> at Array.forEach.call (test/mjsunit/regress/regress-4121.js:50:7)
> throw new MjsUnitAssertionError(message);
>
> AFTER:
> Stack: MjsUnitAssertionError
> at assertEquals test/mjsunit/mjsunit.js 398:7
> at closure test/mjsunit/regress/regress-4121.js 20:7
> at literals_sharing_test test/mjsunit/regress/regress-4121.js 27:3
> at test test/mjsunit/regress/regress-4121.js 37:5
> at eval eval at <anonymous> (test/mjsunit/regress/regress-4121.js:49:6)
> at test/mjsunit/regress/regress-4121.js 49:6
> at Array.forEach.call test/mjsunit/regress/regress-4121.js 50:7
> throw new MjsUnitAssertionError(message);
>
>
> Change-Id: Iad3460a648e26effb43c00426ab043743ee6a138
> Reviewed-on: https://chromium-review.googlesource.com/563627
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46589}
TBR=machenbach@chromium.org,cbruni@chromium.org,ishell@chromium.org
Change-Id: I631cec7f318637ce2f60500e2bf0ab7fe1f6d09e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/567062
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46592}
This CL moves collected source range information out of AST nodes
and into a side table stored on ParseInfo. The side table is only
created if block coverage is enabled, so there's almost no memory
overhead in the standard case.
Change-Id: I41871b8425ebbc6217d82d3ad26b5fc9e5d68ecb
Reviewed-on: https://chromium-review.googlesource.com/566808
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46590}
Format the function name and file-position into proper columns to easily spot
where the test code ends and the mjsunit framework code starts.
BEFORE:
Stack: Error
at new MjsUnitAssertionError (test/mjsunit/mjsunit.js:36:18)
at failWithMessage (test/mjsunit/mjsunit.js:310:11)
at fail (test/mjsunit/mjsunit.js:327:12)
at assertEquals (test/mjsunit/mjsunit.js:398:7)
at closure (test/mjsunit/regress/regress-4121.js:20:7)
at literals_sharing_test (test/mjsunit/regress/regress-4121.js:27:3)
at test (test/mjsunit/regress/regress-4121.js:37:5)
at eval (eval at <anonymous> (test/mjsunit/regress/regress-4121.js:49:6), <anonymous>:1:1)
at test/mjsunit/regress/regress-4121.js:49:6
at Array.forEach.call (test/mjsunit/regress/regress-4121.js:50:7)
throw new MjsUnitAssertionError(message);
AFTER:
Stack: MjsUnitAssertionError
at assertEquals test/mjsunit/mjsunit.js 398:7
at closure test/mjsunit/regress/regress-4121.js 20:7
at literals_sharing_test test/mjsunit/regress/regress-4121.js 27:3
at test test/mjsunit/regress/regress-4121.js 37:5
at eval eval at <anonymous> (test/mjsunit/regress/regress-4121.js:49:6)
at test/mjsunit/regress/regress-4121.js 49:6
at Array.forEach.call test/mjsunit/regress/regress-4121.js 50:7
throw new MjsUnitAssertionError(message);
Change-Id: Iad3460a648e26effb43c00426ab043743ee6a138
Reviewed-on: https://chromium-review.googlesource.com/563627
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46589}
This patch teaches the parser that async functions are not valid
destructuring targets so that it can cleanly exit with a SyntaxError.
Previously, async functions used in the wrong position would lead
to a check failure.
Bug: chromium:740366
Change-Id: Ie5b0cf50326c3f96174c6b29d0ccedb5da4f75a2
Reviewed-on: https://chromium-review.googlesource.com/567002
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Caitlin Potter <caitp@igalia.com>
Commit-Queue: Daniel Ehrenberg <littledan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46587}
This makes sure the inline allocation of generator objects only shrinks
initial maps when slack tracking is actually in progress. Shrinking all
unused properties unconditionally is bogus because instances using them
might have become unreachable and collected by the GC.
R=mvstanton@chromium.org
TEST=mjsunit/regress/regress-crbug-741078
BUG=chromium:741078
Change-Id: Iaf2f08a4fa82c820a945bf012d24c760a6b4f514
Reviewed-on: https://chromium-review.googlesource.com/567982
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46585}
In certain timezones, being at noon UTC doesn't guarantee that
you'll be the same day in local time. This patch fixes that
false assumption. Thanks to Holmes He for reporting the issue.
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I7432c0eb1e13fdf11c665e59dabaebeb79bff8c8
Reviewed-on: https://chromium-review.googlesource.com/568021
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Daniel Ehrenberg <littledan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46584}
This introduces 2^16 as an upper limit for the allowed value range of a
table switch on all architectures. It also fixes several overflows in
the table size calculation.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-736633
BUG=chromium:736633
Change-Id: I931bd226c99eb8a1ae1770c159fc314ff650bf57
Reviewed-on: https://chromium-review.googlesource.com/566829
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46575}
Previously (since f0e95769), this toLowerCase fast-path assumed
it would only see one-byte flat contents. Unfortunately, it's
possible to have a one-byte sliced string that has a two-byte parent.
This CL ensures that String.p.toLowerCase handles such cases
correctly.
BUG=chromium:736451
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Iae056b3db5535bb5665439a5cc8282a51571a548
Reviewed-on: https://chromium-review.googlesource.com/565559
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46574}
This patch changes the backing store of slow properties to be a
new instance type called PropertyArray.
Currently the only difference between this and a FixedArray is
the map. A future patch will change the length property to store
the hash code.
Bug: v8:5717, v8:6404
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Iaebc98f42e6d93c1392772e6f837787beb64afec
Reviewed-on: https://chromium-review.googlesource.com/539028
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46569}
Otherwise user code can produce an exception and we will crash.
R=jakob@chromium.org
Bug: chromium:736302
Change-Id: I078150909b0348a63e8c375b508e34fc4751b4ab
Reviewed-on: https://chromium-review.googlesource.com/565628
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46566}
After compiling a function, check that validation produces the same
success/error result.
R=ahaas@chromium.org
Change-Id: I617881e125dccff485f5572557b19709de488d55
Reviewed-on: https://chromium-review.googlesource.com/565722
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46561}
This fixes the lowering of Reflect.getPrototypeOf and friends to not
perform a [[ToObject]] coercion, but bailout instead. We ensure to
exclude primitive values from the lowering. This makes the lowering
uniform between "Reflect.getPrototypeOf" and "Object.getPrototypeOf".
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-740116
BUG=chromium:740116
Change-Id: If986ee2a3ae4e8f1fd227bdeb4668f523b0dea84
Reviewed-on: https://chromium-review.googlesource.com/565295
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46556}
Each reducer now has a virtual reducer_name function, returning its name
(the name of the class containing this reducer). This gets displayed when
using the --trace_turbo_reduction flag. Also when using this flags more
messages are displayed.
Actually when a node is replaced in-place (which is called an update
of the node), other reducers can still update it right after the
in-place replacement. When a node is really replaced (not in-place),
then we stop trying to apply reducers to it before we propagate the
reduction through the relevant nodes.
Before a message got printed only for the last reduction it went
through. So in case a node was reduced in-place several times
in a row, only the last update was printed, or none at all if after
being reduced in-place it got reduced by being replaced by another
node: only the non-in-place replacement was showed.
Now each time an in-place reduction is applied to a node, a message
gets printed.
Bug:
Change-Id: Id0f816fecd44c01d0253966c6decc4861be0c2fa
Reviewed-on: https://chromium-review.googlesource.com/563365
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Alexandre Talon <alexandret@google.com>
Cr-Commit-Position: refs/heads/master@{#46552}
Switch statements generate a counter for each clause plus a continuation
counter.
Bug: v8:6000
Change-Id: Ic55a7efda54de1152bd5283d753119aa2764afbd
Reviewed-on: https://chromium-review.googlesource.com/558249
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46550}
- Implement js-api changes for WebAssembly.Memory to accept a shared parameter
- Update allocation to use SharedArrayBuffers
BUG=v8:6532
R=binji@chromium.org, bradnelson@chromium.org
Change-Id: I021491217568751b06fbd7b4b08b1dd88910e21d
Reviewed-on: https://chromium-review.googlesource.com/564058
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46543}
This is a reland of 5b44ba0e34
Original change's description:
> (Reland) [parser] moved load property position after dot
>
> Currently LdaNamedProperty bytecode for expressions like a.b has position before dot. This CL moves this location after dot.
> It's important for later removing of Nop bytecodes in expressions like a.b() where a is local variable, property call and property load should have the same position.
>
> R=jgruber@chromium.org
> TBR=marja@chromium.org
>
> Bug: v8:6425
> Change-Id: I05c21ca5e018da9c432c6bc963c7a96799336d1c
> Reviewed-on: https://chromium-review.googlesource.com/562879
> Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46484}
TBR=marja@chromium.org,jgruber@chromium.org
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Bug: v8:6425
Change-Id: I5eba5fe43ad31c5c781ffcc8c604cd9c98baa57e
Reviewed-on: https://chromium-review.googlesource.com/565907
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46542}
Adds missing opcodes for exception handling for the function body decoder.
Also adds error messages if the exception handling construct is not yet
functional.
Note that the previous prototype for catch and throw have been marked
as not yet functional. This was done because it doesn't model
exceptions the way the proposal suggests. Rather, they implement a
hard-coded (c++ model) of exceptions.
Bug: v8:6577
Change-Id: Ife170b9f0cb2be91b11082e43c4795ce81a427dc
Reviewed-on: https://chromium-review.googlesource.com/564138
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Karl Schimpf <kschimpf@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46540}
Modifies V8 to be able to parse the exception section (defining
exception types), when the experimental_wasm_eh flag is true.
Bug: v8:6577
Change-Id: I5d8b3fddaf5b0dec6b14ddd0992f9fb883e8dc90
Reviewed-on: https://chromium-review.googlesource.com/561757
Commit-Queue: Karl Schimpf <kschimpf@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46539}
This improves the general Array constructor call performance (w/o
usable AllocationSite feedback) in TurboFan by ~2x, i.e. for example
invoking the Array constructor like this
var a = Array.call(undefined, n);
instead of
var a = Array(n);
such that the CallIC doesn't know that it's eventually calling the
Array constructor.
It also thus changes the single argument Array constructor to always
return holey arrays. Previously the single argument case for the Array
constructor was somehow trying to dynamically detect 0 and in that case
returned a packed array instead of a holey one. That adds quite a lot
of churn, and doesn't seem to be very useful, especially since this
might lead to unnecessary feedback pollution later.
R=mvstanton@chromium.org
Bug: v8:2229, v8:5269, v8:6399
Change-Id: I3d7cb9bd975ec0e491e3cdbcf1230185cfd1e3de
Reviewed-on: https://chromium-review.googlesource.com/565721
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46538}
It's already skipped (for slowness) in debug, asan, and msan builds.
TBR=machenbach@chromium.org
Change-Id: I1d7cb38d88e621f6d14344426bc5f931b1d6ffcd
Reviewed-on: https://chromium-review.googlesource.com/565741
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46537}
In https://chromium-review.googlesource.com/c/472247/, I avoided
running DesugarLexicalBindingsInForStatement() if there were no lexical
loop variables, the function was not resumable, and the variables are
not captured by eval or a function declaration.
I think it's now possible to limit this further, and only do the more
extensive desugaring if there's a function declaration / eval() call
in the loop body. `yield` and `await` are not an issue as those loop
variables are written to the register file and not lost.
This change just removes the `is_resumable()` condition. If it passes
tests, I think it's safe.
BUG=v8:4762, v8:5460, v8:6579
Change-Id: I92d0308ad9401c1338411bc9ae9021f978803d3a
Reviewed-on: https://chromium-review.googlesource.com/563587
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46536}
This will allow for passing more than one variable. This is
particularly interesting for calling a method on each type in a
parameter pack, as in:
template<typename... T>
void foo(T&&... ts) {
USE(do_something(ts)...);
}
Drive-by fix: Allow to pass arbitrary types to USE, including
references. This might prevent a copy for pass-by-value.
R=ishell@chromium.org
Change-Id: I8f894d730bbcd195ed83705f98771994b4bc906f
Reviewed-on: https://chromium-review.googlesource.com/565561
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46527}
This adds a convenience method for the common Smi to int conversion
pattern.
Bug:
Change-Id: I7d7b171c36cfec5f6d10c60f1d9c3e06e3aed0fa
Reviewed-on: https://chromium-review.googlesource.com/563205
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Andreas Rossberg <rossberg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46516}
An invalid I32V value as index could be used to get a valid
WasmFunction.
R=clemensh@chromium.org
Bug: chromium:735887
Change-Id: I5fbfa01fc3300d86a4a2ba9bcbb86fc02f231ef9
Reviewed-on: https://chromium-review.googlesource.com/561536
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46504}
There are other things to export beside functions. Thus, also print the
export kind when printing an error for duplicate export names.
R=titzer@chromium.org
Change-Id: I7477040dda274a16cfd776d7ac8db6e50a197b97
Reviewed-on: https://chromium-review.googlesource.com/564940
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46503}
... according to the spec ES#sec-%throwtypeerror%
Bug: v8:4034
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Ia4f2d228397edf55447fe3e71402c8fc4589369a
Reviewed-on: https://chromium-review.googlesource.com/563214
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46498}
This is the next step towards faster Map and Set iteration. It
introduces the appropriate instance types for Map and Set
iterators (following the pattern for Array iterators) and migrates
the following builtins to the CodeStubAssembler:
- Set.prototype.entries
- Set.prototype.values
- Map.prototype.entries
- Map.prototype.keys
- Map.prototype.values
- %SetIteratorPrototype%.next
- %MapIteratorPrototype%.next
This already provides a significant performance boost for regular
for-of iteration of Sets and Maps, by a factor of 5-10 depending
on the input. The final step will be to inline some fast-paths
into TurboFan.
Drive-by-fix: Remove obsolete %IsJSSetIterator and %IsJSMapIterator
intrinsics and runtime functions.
TBR=jgruber@chromium.org
Bug: v8:6344, v8:6571, chromium:740122
Change-Id: I3ab0ee49e2afe8d4295707a5ecbd51adda621918
Reviewed-on: https://chromium-review.googlesource.com/563626
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46497}
This reverts commit 5b44ba0e34.
Reason for revert: Layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/16841
Original change's description:
> (Reland) [parser] moved load property position after dot
>
> Currently LdaNamedProperty bytecode for expressions like a.b has position before dot. This CL moves this location after dot.
> It's important for later removing of Nop bytecodes in expressions like a.b() where a is local variable, property call and property load should have the same position.
>
> R=jgruber@chromium.org
> TBR=marja@chromium.org
>
> Bug: v8:6425
> Change-Id: I05c21ca5e018da9c432c6bc963c7a96799336d1c
> Reviewed-on: https://chromium-review.googlesource.com/562879
> Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46484}
TBR=kozyatinskiy@chromium.org,jgruber@chromium.org
Change-Id: If9d5fa5f46ed10a407559e9cf10d2a6a54dbe163
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6425
Reviewed-on: https://chromium-review.googlesource.com/564418
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46491}
BUG=v8:6231
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I326ace8ee27e5347d26bae11b8061f4fe524db53
Reviewed-on: https://chromium-review.googlesource.com/562744
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46488}
... but use proper map for functions with readonly prototype from the start.
Bug: v8:6459
Change-Id: I432d4969822e7cc4c2ba83e103f550d1c4f2e234
Reviewed-on: https://chromium-review.googlesource.com/563199
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46487}
Currently LdaNamedProperty bytecode for expressions like a.b has position before dot. This CL moves this location after dot.
It's important for later removing of Nop bytecodes in expressions like a.b() where a is local variable, property call and property load should have the same position.
R=jgruber@chromium.orgTBR=marja@chromium.org
Bug: v8:6425
Change-Id: I05c21ca5e018da9c432c6bc963c7a96799336d1c
Reviewed-on: https://chromium-review.googlesource.com/562879
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46484}
