CallProperty IR has inputs 0 (function), 1 (context), and the
remaining are variable according to the register count.
Bug: v8:7700
Change-Id: Ie9d8785bd5c1ae878c664683f8ebcff4ce6c408a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3541924
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79562}
This is a reland of 6b690a6b48.
The previous version of this CL was a bit too aggressive in the
duplication of branch conditions. This caused an increase in
register pressure in some cases, thus reducing performance.
In fact, duplicating branch conditions that require an "== 0" to be
added provides no benefits. We are thus now a bit less aggressive, and
only duplicate comparisons.
Original change's description:
> Reland [compiler] Simplify "==0" branches in MachineOperatorReducer
>
> This is a reland of 48b443f692.
>
> While fixing the initial CL, we stumbled upon a few bugs that
> we had to fix:
>
> - CommonOperatorReducer and SimplifiedOperatorReducer were applied
> before and after SimplifiedLowering, but always assumed that it
> was before SimplifiedLowering, and thus had the wrong semantics
> for branches in some cases. They now have an added parameter to
> know which semantics of branch they should use.
>
> - The lowering of StaticAssert was wrong and could leave kHeapConstant
> in the assert (instead of machine Booleans).
>
> Original change's description:
> > [compiler] Simplify "==0" branches in MachineOperatorReducer
> >
> > Bug: v8:12484
> > Change-Id: I0667c7464c0dd71338bc199a24a69248a7a0a525
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3497303
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Owners-Override: Tobias Tebbi <tebbi@chromium.org>
> > Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#79379}
>
> Bug: v8:12484
> Change-Id: Ibbf5df96fce5ccb04868dc517539479bf69f5703
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3516869
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79528}
Bug: v8:12484
Change-Id: I31f575a59811a83c7c1acb4c14bf5ded63a8f536
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540102
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79560}
Currently getting the following 2 errors:
```
error: reference to 'MarkingType' is ambiguous
error: reference to 'SweepingType' is ambiguous
```
Change-Id: Ia50d1b5ea8af0fcc85acb9c0dc5cfae1956cec62
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540624
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#79556}
This fixes the following compiler warning:
```
src/compiler/backend/register-allocator-verifier.cc:365:19: warning: loop variable 'pair' of type 'const
std::__1::pair<const v8::internal::compiler::InstructionOperand, v8::internal::compiler::Assessment *>' creates a
copy from type 'const std::__1::pair<const v8::internal::compiler::InstructionOperand,
v8::internal::compiler::Assessment *>' [-Wrange-loop-analysis]
for (const auto pair : map()) {
^
src/compiler/backend/register-allocator-verifier.cc:365:8: note: use reference type 'const
std::__1::pair<const v8::internal::compiler::InstructionOperand, v8::internal::compiler::Assessment *> &' to
prevent copying
for (const auto pair : map()) {
^~~~~~~~~~~~~~~~~
&
```
Signed-off-by: Darshan Sen <raisinten@gmail.com>
Change-Id: Ifbaa85345d8dcdf56a68d194bba98d76878c96f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3538286
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79555}
During a frame merge we call ForEachValue that "get"s every
live register, including the virtual accumulator. That currently
fails since we need to check if the register is the virtual
accumulator and set/get the accumulator field in InterpreterFrameState.
The virtual accumulator slot in RegisterFrameArray (the same as the
return address in a live frame) is actually unused.
So we can use this slot for the InterpreterFrameState's accumulator,
instead of a separate field.
Bug: v8:7700
Change-Id: Ife33946a4f9c58ca1f4eadeb587f9880f6fb2afc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3536648
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79553}
This reverts commit 6b690a6b48.
Reason for revert: causes a few regressions here https://chromeperf.appspot.com/group_report?rev=79528
Original change's description:
> Reland [compiler] Simplify "==0" branches in MachineOperatorReducer
>
> This is a reland of 48b443f692.
>
> While fixing the initial CL, we stumbled upon a few bugs that
> we had to fix:
>
> - CommonOperatorReducer and SimplifiedOperatorReducer were applied
> before and after SimplifiedLowering, but always assumed that it
> was before SimplifiedLowering, and thus had the wrong semantics
> for branches in some cases. They now have an added parameter to
> know which semantics of branch they should use.
>
> - The lowering of StaticAssert was wrong and could leave kHeapConstant
> in the assert (instead of machine Booleans).
>
> Original change's description:
> > [compiler] Simplify "==0" branches in MachineOperatorReducer
> >
> > Bug: v8:12484
> > Change-Id: I0667c7464c0dd71338bc199a24a69248a7a0a525
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3497303
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Owners-Override: Tobias Tebbi <tebbi@chromium.org>
> > Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#79379}
>
> Bug: v8:12484
> Change-Id: Ibbf5df96fce5ccb04868dc517539479bf69f5703
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3516869
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79528}
Bug: v8:12484
Change-Id: I457464d793e9c5af8448564aa3b46be863b96fbb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540148
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79552}
Port b2978927d8
Original Commit Message:
This CL removes:
- Dynamic map checks aka minimorphic property loads (TF support,
builtins).
- "Bailout" deopts (= drop to the interpreter once, but don't
throw out optimized code).
- "EagerWithResume" deopts (= part of dynamic map check
functionality, we call a builtin for the deopt check and deopt
or resume based on the result).
R=jgruber@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N
Change-Id: I64476f73810774c2c592231d82c4a2cbfa2bf94e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3537881
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#79551}
Access to the object start bitmap is only safe during marking until
sweeping is started as the concurrent sweeper may clear and rebuild
the bitmap at any time during sweeping.
Adds a DCHECK and an additional test for a previously broken
pre-finalizer scenario.
Bug: chromium:1307471
Change-Id: If67ade43f7cdad6de4720c0efeac11bfe8c22b3c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3535782
Reviewed-by: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79550}
This way Blink will not sanitize error events coming from JavaScript
entered via the DevTools console, and instead forward the original error
event as-is, which is more likely to match the developers' expectations.
Bug: chromium:1295750
Change-Id: Id02c048e4af21d0c232d8e44d11115f6b61c0bf1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540145
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79549}
When cross realm invoke PromiseConstructor and realm not
allowed to CrossRealmAccess, PromiseConstructor will
silently return undefined, which will cause crash in
ConstructJSWithTarget type cast, Change to throw type
error when HasAccessCheck failed.
Bug: v8:12705
Change-Id: I18f697a1897c31163dd60522db12449033419f9a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3521174
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79548}
Originally, 'Promise()' without 'new' will throw "undefined is not a
promise". Now it will throw "Promise constructor cannot be invoked
without 'new'".
Bug: v8:10817
Change-Id: Ic8b72a902ed395e44dbb32ccf96a2130a4a9422f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3459924
Reviewed-by: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79547}
This CL removes:
- Dynamic map checks aka minimorphic property loads (TF support,
builtins).
- "Bailout" deopts (= drop to the interpreter once, but don't
throw out optimized code).
- "EagerWithResume" deopts (= part of dynamic map check
functionality, we call a builtin for the deopt check and deopt
or resume based on the result).
Fixed: v8:12552
Change-Id: I492cf1667e0f54586690b2f72a65ea804224b840
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3401585
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79544}
Reporting messages can trigger termination in case of `inspector-test`,
which we need to be able to deal with gracefully for the fuzzer.
Fixed: chromium:1307449
Change-Id: I88ba2b13d920134a1670b808adc4ace4ca6d1dff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540260
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79543}
- Avoid redrawing property-link tables if the contents don't change
- Don't update timeline legends if the selection doesn't change
- Use shorter class names for the flamechart for faster parsing
- Round positions in flamechart to avoid long strings that would be
created from raw double positions
- Don't redraw the tooltip if the content is the same
Change-Id: I925f1708400286c7c9f8db62f75c3b5fe8a16b12
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3521945
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79540}
This implements the last bits of basic concurrent Maglev compilation.
When jobs have been processed, schedule an interrupt to trigger codegen
and building the Code object on the main thread.
Changed since the initial version:
- Put the include behind V8_ENABLE_MAGLEV.
- Skip 18.js until we have deterministic test helpers for concurrent
tiering.
Bug: v8:7700
Change-Id: Ibc103f097fe00f7df93a33a785939e43901f3734
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3536662
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79539}
Avoid instruction selector to emit sign extension instruction after most
`xxx.w` instructions in RV64I and RV64M, because `xxx.w` instructions
will automatically sign-extend the result
Change-Id: Ia4291242dc3e51f49be1e6dda2d5a3365b5e7bfa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3536845
Reviewed-by: Yahan Lu <yahan@iscas.ac.cn>
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#79537}
Will re-enable once a few issues have been resolved.
Change-Id: Ieed60efcb6d59cc5ca10931913dd4d9ffea8b9f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3532202
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#79533}
This is a reland of 48b443f692.
While fixing the initial CL, we stumbled upon a few bugs that
we had to fix:
- CommonOperatorReducer and SimplifiedOperatorReducer were applied
before and after SimplifiedLowering, but always assumed that it
was before SimplifiedLowering, and thus had the wrong semantics
for branches in some cases. They now have an added parameter to
know which semantics of branch they should use.
- The lowering of StaticAssert was wrong and could leave kHeapConstant
in the assert (instead of machine Booleans).
Original change's description:
> [compiler] Simplify "==0" branches in MachineOperatorReducer
>
> Bug: v8:12484
> Change-Id: I0667c7464c0dd71338bc199a24a69248a7a0a525
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3497303
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Owners-Override: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79379}
Bug: v8:12484
Change-Id: Ibbf5df96fce5ccb04868dc517539479bf69f5703
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3516869
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79528}
This reverts commit cf25b3bc53.
Reason for revert: https://crbug.com/1307471. TraceTrait must only be used during marking.
Original change's description:
> cppgc: Rework prefinalizers
>
> Move the check for whether an object is live or dead out of the
> prefinalizer trampoline. Moving it into the backend allows for
> inlining the check which avoids a call to the trampoline for live
> objects.
>
> On catapult benchmarks (e.g. cnn:2021, nytimes:2020), there's often
> ~2k finalizers registered. In order to avoid memory overhead in the
> range of a few KB, we store the fact whether the object points to the
> base object payload in the LSB of the pointer. For caged builds this
> is replaced with just storing the index into the cage for both object
> and base object payload.
>
> Locally saves around ~10% of atomic sweeping processing time which is
> in the order of .05ms.
>
> Bug: v8:12698
> Change-Id: I198205a6b1d57fc2df821ee4e73e53dc6f825ff5
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3497764
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79442}
Bug: v8:12698, chromium:1307471
Change-Id: I5c4e70d46cb99af66c77f0c013625b6af6c6eb8e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3535781
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79527}
There are problems calling WaitForRunningWorkers when we
call quit().
First, suppose the main thread first calls quit(),
and the worker thread calls quit() after the main
thread calls quit(), then sched_yield to wait for
quit_once_ updated to ONCE_STATE_DONE. However
the main thread is WaitForRunningWorkers to wait
for the worker thread to join, thus causing deadlock.
Second, suppose the worker thread calls quit() and empty
the running_workers_ by WaitForRunningWorkers, then
the main thread calls `onExit(isolate, true)` to dispose
the platform and other global data, which will crash other
running workers.
Bug: v8:12219
Change-Id: I333e5aad431daefb1c163f69e66d8e9d5e9bf754
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3518908
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79525}
This implements the last bits of basic concurrent Maglev compilation.
When jobs have been processed, schedule an interrupt to trigger codegen
and building the Code object on the main thread.
Bug: v8:7700
Change-Id: I348ade4777ddddf7c3a6b0575d9f51e5fa00c9fb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3528494
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79516}
.. into new virtual subclass TurbofanCompilationJob. Update all TF code
to derive from this class. Specifically, the OptimizedCompilationInfo is
TF-specific and now lives in TurbofanCompilationJob.
The motivation behind this is that Maglev now also uses this
infrastructure.
Drive-by: Replace CompilationMode with ConcurrencyMode.
Bug: v8:7700
Change-Id: Iae6d1ffd1c810e2e45cad6c9b4e43d4c82ac54a7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3528493
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79515}
In JSCallReducer::ReduceArrayPrototypeShift, add Unsigned32
TypeGuard for index Node used in fast path, avoid representing
kRepFloat64 (Range(1, inf)) to kRepWord64 when converting
input for kLoadElement.
Bug: v8:12632
Change-Id: I2e4b00840dc5462e4351e13a372c33b6272b9ea1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3528373
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79514}
