This implements a mechanism to track the exact depth of the operand
stack in full-codegen for every sub-expression visitation. So far we
only tracked the depth at statement level, but not at expression level.
With the introduction of do-expressions it will be possible to construct
local control flow (i.e. break, continue and friends) that target labels
at an arbitrary operand stack depth, making this tracking a prerequisite
for full do-expression support.
R=rossberg@chromium.org,jarin@chromium.org
BUG=v8:4755,v8:4488
LOG=n
Review URL: https://codereview.chromium.org/1706283002
Cr-Commit-Position: refs/heads/master@{#34211}
When assigning to an integer view of the heap an intish
value does not need to be collapsed with |0.
Similarly a floatish value does not need to be collapsed with
fround when assigned to a float view of the heap.
i32[0] = i32_1 + i32_2; // ok
f32[0] = f32_1 + f32_2; // ok
However, floatish values cannot be safely assigned to double
arrays.
f64[0] = f32_1 + f32_2; // not ok
BUG= https://code.google.com/p/v8/issues/detail?id=4203
TEST=mjsunit/asm-wasm,test-asm-validator
R=aseemgarg@chromium.org,titzer@chromium.org
LOG=N
Review URL: https://codereview.chromium.org/1722473002
Cr-Commit-Position: refs/heads/master@{#34206}
It turns out that some old polyfill library uses
RegExp.prototype.flags as a way of feature testing. It's not clear
how widespread this is. For now, as a minimal workaround, we can
return undefined from getters like RegExp.prototype.global when
the receiver is RegExp.prototype. This patch implements that strategy
but omits a UseCounter to make backports easier.
R=adamk
CC=yangguo@chromium.org
BUG=chromium:581577
LOG=Y
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1640803003
Cr-Commit-Position: refs/heads/master@{#34201}
In ES2016, the Proxy enumerate trap is removed. This patch changes
for-in iteration on Proxies to use the ownKeys trap. Due to the clean
organization of that code, the patch basically consists of deletions.
R=adamk
LOG=Y
BUG=v8:4768
Review URL: https://codereview.chromium.org/1717893002
Cr-Commit-Position: refs/heads/master@{#34200}
This patch makes ArraySpeciesCreate fast in V8 by avoiding two property reads
when the following conditions are met:
- No Array instance has had its __proto__ reset
- No Array instance has had a constructor property defined
- Array.prototype has not had its constructor changed
- Array[Symbol.species] has not been reset
For subclasses of Array, or for conditions where one of these assumptions is
violated, the full lookup of species is done according to the ArraySpeciesCreate
algorithm. Although this is a "performance cliff", it does not come up in the
expected typical use case of @@species (Array subclassing), so it is hoped that
this can form a good start. Array subclasses will incur the slowness of looking
up @@species, but their use won't slow down invocations of, for example,
Array.prototype.slice on Array base class instances.
Possible future optimizations:
- For the fallback case where the assumptions don't hold, optimize the two
property lookups.
- For Array.prototype.slice and Array.prototype.splice, even if the full lookup
of @@species needs to take place, we still could take the rest of the C++
fastpath. However, to do this correctly requires changing the calling convention
from C++ to JS to pass the @@species out, so it is not attempted in this patch.
With this patch, microbenchmarks of Array.prototype.slice do not suffer a
noticeable performance regression, unlike their previous 2.5x penalty.
TBR=hpayer@chromium.org
Review URL: https://codereview.chromium.org/1689733002
Cr-Commit-Position: refs/heads/master@{#34199}
The Proxy enumerate trap and Reflect.enumerate are removed from the
ES2016 draft specification. This patch removes the Reflect.enumerate
function, and a follow-on patch will be responsible for the Proxy
trap changes.
R=adamk
LOG=Y
BUG=v8:4768
Review URL: https://codereview.chromium.org/1721453002
Cr-Commit-Position: refs/heads/master@{#34196}
This was changed to match Annex B.2.5.1 of ES2015 and Firefox in
https://chromium.googlesource.com/v8/v8/+/469d9bfa, but website
breakage was seen in M49 Beta. JSC still returns undefined here.
BUG=chromium:585775
LOG=y
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1714903004
Cr-Commit-Position: refs/heads/master@{#34172}
Adds a profiling counter to each BytecodeArray object, and adds
code to Jump and Return bytecode handlers to update this
counter by the size of the jump or the distance from the return
to the start of the function. This is more accurate than fullcodegen's
approach since it takes forward jumps into account as well as back-edges.
Modifies RuntimeProfiler to track ticks for interpreted frames.
Currently we use the SharedFunctionInfo::profiler_ticks() instead
of adding another to tick field to avoid adding another field to
BytecodeArray since SharedFunctionInfo::profiler_ticks() is only
used by Crankshaft otherwise so we shouldn't need both for
BUG=v8:4689
LOG=N
Review URL: https://codereview.chromium.org/1707693003
Cr-Commit-Position: refs/heads/master@{#34166}
We cannot omit flag check with kPointersToHereAreInterestingMask for maps because incremental marker dynamically sets and clears the flag.
BUG=chromium:587004
LOG=NO
Review URL: https://codereview.chromium.org/1714513003
Cr-Commit-Position: refs/heads/master@{#34165}
This CL introduces an import section that names functions to be imported
as well as a CallImport bytecode to call imports from this table.
R=binji@chromium.org,bradnelson@chromium.org
LOG=Y
BUG=chromium:575167
Review URL: https://codereview.chromium.org/1709653002
Cr-Commit-Position: refs/heads/master@{#34157}
The DataView constructor calls into C++ anyway, and is easier to deal
with this way, especially since we don't have the half initialized
object floating through JavaScript.
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/1712163002
Cr-Commit-Position: refs/heads/master@{#34145}
This CL also enhances a "tail-call-megatest" which now tests product of the following cases:
1) tail caller is inlined/not-inlined
2) tail callee is inlined/not-inlined
3) tail caller has an arguments adaptor frame above or not
4) tail callee has an arguments adaptor frame above or not
5) tail callee is a sloppy/strict/possibly eval/bound/proxy function
6) tail calling via normal call/function.apply/function.call
BUG=v8:4698
LOG=N
Review URL: https://codereview.chromium.org/1711863002
Cr-Commit-Position: refs/heads/master@{#34143}
Various syntactic forms now cause functions to have names where they
didn't before. Per the upcoming changes to the toString spec, only
a name that was literally part of a function's expression or declaration
is meant to be reflected in toString. This also happens to be the same
set of names that V8 currently outputs (without the --harmony-function-name
flag).
This required distinguishing anonymous FunctionExpressions from other sorts
of function definitions (like methods and getters/setters) in the AST, parser,
and at runtime.
The patch also takes the opportunity to remove one more argument (and enum)
from FunctionLiteral, as well as adding a special factory method for the
case of a FunctionLiteral representing toplevel or eval'd code.
BUG=v8:4760
LOG=n
Review URL: https://codereview.chromium.org/1712833002
Cr-Commit-Position: refs/heads/master@{#34132}
In ES2015, Date.prototype.toGMTString is simply an alias of
Date.prototype.toUTCString, so it has the same identity as a function and
doesn't have its own name. Firefox has already shipped this behavior.
Previously, we copied JSC behavior by making it a separate function.
This change makes an addition test262 test pass.
BUG=v8:4708
LOG=Y
R=adamk
Review URL: https://codereview.chromium.org/1709373002
Cr-Commit-Position: refs/heads/master@{#34131}
Reason for revert:
See Domenic's comment on the V8 bug.
Original issue's description:
> Use displayName in Error.stack rendering if present.
>
> BUG=v8:4761
> LOG=y
>
> Committed: https://crrev.com/953874e974037e7e96ef282a7078760ccc905878
> Cr-Commit-Position: refs/heads/master@{#34105}
TBR=jochen@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4761
Review URL: https://codereview.chromium.org/1713663002
Cr-Commit-Position: refs/heads/master@{#34129}
This frees up one bit in FunctionKind, which I plan to make slightly
more syntactic info about functions available in SharedFunctionInfo
(needed for ES2015 Function.name support).
BUG=v8:3956, v8:4760
LOG=n
Review URL: https://codereview.chromium.org/1704223002
Cr-Commit-Position: refs/heads/master@{#34125}
Moves the accumulator value on-heap to be restored in the
InterpreterNotifyDeopt handler rather than explicitly
setting the accumulator register. This allows it to be
materialized correctly if required.
BUG=v8:4678
LOG=N
Review URL: https://codereview.chromium.org/1707133003
Cr-Commit-Position: refs/heads/master@{#34113}
Implements iterator finalisation by desugaring for-of loops with an additional try-finally wrapper. See comment in parser.cc for details.
Also improved some AST printing facilities while there.
@Ross, I had to disable the bytecode generation test for for-of, because it got completely out of hand after this change (the new bytecode has 150+ lines). See the TODO that I assigned to you.
Patch set 1 is WIP patch by Georg (http://crrev.com/1695583003), patch set 2 relative changes.
@Georg, FYI, I changed the following:
- Moved try-finally out of the loop body, for performance, and in order to be able to handle `continue` correctly.
- Fixed scope management in ParseForStatement, which was the cause for the variable allocation failure.
- Fixed pre-existing zone initialisation bug in rewriter, which caused the crashes.
- Enabled all tests, adjusted a few others, added a couple more.
BUG=v8:2214
LOG=Y
Review URL: https://codereview.chromium.org/1695393003
Cr-Commit-Position: refs/heads/master@{#34111}
In case when F inlined normal call to G which tail calls H we should not write translation for G for the tail call site.
Otherwise we will see G in a stack trace inside H.
This CL also adds a "megatest" which tests product of the following cases:
1) tail caller is inlined/not-inlined
2) tail callee is inlined/not-inlined
3) tail caller has an arguments adaptor frame above or not
4) tail callee has an arguments adaptor frame above or not
5) tail callee is a normal/bound/proxy function
Note that tests for not yet supported cases are not run for now.
BUG=v8:4698
LOG=N
Review URL: https://codereview.chromium.org/1709583002
Cr-Commit-Position: refs/heads/master@{#34108}
The reason:
Similar to the CL 31552 (https://codereview.chromium.org/1419573007).
The CL 33972 (https://codereview.chromium.org/1698783002) optimized some JS function in regress-crbug-242924 test case by TurboFan compiler.
But it will hit the known issue that X87 will change a sNaN to qNaN by default. And then it will fail when comparing the source (sNaN) Hole NaN and
the result (qNaN) which was expected to be a (sNaN) Hole NaN too.
BUG=
Review URL: https://codereview.chromium.org/1704313003
Cr-Commit-Position: refs/heads/master@{#34104}
This CL introduces two new bytecodes TailCall and TailCallWide.
BUG=v8:4698,v8:4687
LOG=N
Review URL: https://codereview.chromium.org/1698273003
Cr-Commit-Position: refs/heads/master@{#34083}
Removes some cctest and mjsunit test skips on Ignition for tests that now pass.
BUG=v8:4680
LOG=N
Review URL: https://codereview.chromium.org/1703563002
Cr-Commit-Position: refs/heads/master@{#34045}
Various places assume that GetExpression returns the locals for a frame.
Modify InterpretedFrames such that GetExpression(0) returns the first
local, not the fixed parts of the interpreter frame.
BUG=v8:4690,v8:4680
LOG=N
Review URL: https://codereview.chromium.org/1697223003
Cr-Commit-Position: refs/heads/master@{#34040}
Drive-by-fix: Remove the (now) unused %_SetValueOf and %_JSValueGetValue
intrinsics from the various compilers and the runtime.
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1698343002
Cr-Commit-Position: refs/heads/master@{#34037}
Replaces the push of the dispatch table on the interpreted stack frame with a
push of the bytecode array. This enables the debugger to replace the bytecode
array with a patched version containing breakpoints.
BUG=v8:4690
LOG=N
Review URL: https://codereview.chromium.org/1699013002
Cr-Commit-Position: refs/heads/master@{#34032}
Fixes a bug in Ignition on Arm64 where lr gets trashed in StaContextSlot
which causes the stack walker to get confused and crash.
BUG=v8:4680
LOG=N
Review URL: https://codereview.chromium.org/1694263002
Cr-Commit-Position: refs/heads/master@{#34016}
for the special case where the same register is used as both left and
right input.
Review URL: https://codereview.chromium.org/1695283002
Cr-Commit-Position: refs/heads/master@{#33996}
Add a section identifier for declaring a start function as an index into
the function table. (This could also be done as a decl flag on the
function, but don't feel strongly here, since we probably want to redo
this when adding an import/export section.)
The start function must accept no parameters. Its return value is
currently ignored.
R=binji@chromium.org,bradnelson@chromium.org
BUG=chromium:575167
LOG=Y
Review URL: https://codereview.chromium.org/1692173002
Cr-Commit-Position: refs/heads/master@{#33978}
Adds support for ES6 super keyword and performing loads, stores, and
calls to super class members.
Implements SetHomeObject and enables ThisFunctionVariable.
BUG=v8:4280,v8:4682
LOG=N
Review URL: https://codereview.chromium.org/1689573004
Cr-Commit-Position: refs/heads/master@{#33977}
This is mostly preparation for allowing the function closure to be materialized.
As a drive-by fix, I have added ignition source position support to the frame inspector (this fixed some ignition test failures).
Review URL: https://codereview.chromium.org/1698743002
Cr-Commit-Position: refs/heads/master@{#33975}
Older versions of Emscripten appear to emit Asm.js containing:
HEAP8[x] with x in int
As opposed to the spec legal construct:
HEAP8[x>>0] with x in int
As older programs and even benchmarks such as Embenchen
include these constructs, support them for compatibility.
BUG= https://code.google.com/p/v8/issues/detail?id=4203
TEST=test-asm-validator,mjsunit/asm-wasm
R=aseemgarg@chromium.org,titzer@chromium.org
LOG=N
Review URL: https://codereview.chromium.org/1692713006
Cr-Commit-Position: refs/heads/master@{#33964}
Adds JumpIfNotHoleConstant and JumpIfNotHoleConstantWide bytecodes
and removes JumpIfHole bytecode.
In situations with large numbers of constants, the generator would
fail because an 8-bit constant could not be reserved for
JumpIfHole/JumpIfNotHole and so a 16-bit constant would be reserved.
Then when patching the bytecode the patcher would discover there was
no wide constant variant of the emitted jump.
BUG=v8:4280,v8:4680
LOG=N
Review URL: https://codereview.chromium.org/1697473002
Cr-Commit-Position: refs/heads/master@{#33952}
