The store buffer can contain stale store buffer entries, i.e., slots in dead objects pointing to new space objects. These slots are treated as live slots, which causes problems with non-pointer fields and makes concurrent sweeping complicated. Removing these pointers from the store buffer before it is used makes life easier.
BUG=
Review URL: https://codereview.chromium.org/985453003
Cr-Commit-Position: refs/heads/master@{#27068}
Reason for revert:
This doesn't do what it's supposed to do. The problem seems to lie on the blink side, people aren't reusing their FunctionTemplates (or creating them when not necessary).
Original issue's description:
> Don't overwrite existing serial numbers on the function template, otherwise instantiating the function for a new context causes the serial number to bump.
>
> Committed: https://crrev.com/1e638c3610ec6938e5fb16c42018642195782fb2
> Cr-Commit-Position: refs/heads/master@{#27048}
TBR=yangguo@chromium.org,dcarney@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/993533003
Cr-Commit-Position: refs/heads/master@{#27067}
Reason for revert:
It caused a lot of Canary crashes.
Original issue's description:
> Remove slots that point to unboxed doubles from the StoreBuffer/SlotsBuffer.
>
> The problem is that a tagged slot could become a double slot after migrating an object to another map with "shifted" fields (for example as a result of generalizing an immutable data property to a data field).
> This CL also adds useful machinery that helps triggering incremental write barriers.
>
> BUG=chromium:454297
> LOG=Y
>
> Committed: https://crrev.com/9633ebabd405c264d33f603f8798c31f59418dcd
> Cr-Commit-Position: refs/heads/master@{#27054}
TBR=verwaest@chromium.org,hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:454297
Review URL: https://codereview.chromium.org/991793002
Cr-Commit-Position: refs/heads/master@{#27063}
We mark certain builtins for inlining, and those should always be
inlined into optimized code (CrankShaft already handles it this way), so
we should support that in TurboFan as well. Currently this mainly
affects a certain set of Math functions, but once we have the basics in
place we can extend this to any kind of builtin/code stub/accessor.
This adds a new flag --turbo_builtin_inlining (enabled by default), that
forces the inliner to always inline builtins marked for inlining, but
does not affect inlining of other functions (this is still controlled by
the --turbo-inlining flag).
BUG=v8:3952
LOG=n
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/993473002
Cr-Commit-Position: refs/heads/master@{#27059}
This is currently the cleanest approach to avoid the useless stack check
during inlining. We might be able to just remove the useless stack
checks later when we have a phase that also takes care of removing
redundant stack checks on loop back edges (which we do not generate
currently).
On the other hand, the flag introduced here might be useful when
building code stubs/builtins/dom stubs using JS based DSL, because you
certainly don't want a JS-level stack check in a code stub.
R=jarin@chromium.org
BUG=v8:3952
LOG=n
Review URL: https://codereview.chromium.org/994433002
Cr-Commit-Position: refs/heads/master@{#27058}
Loading the coefficients from the constants typed array is currently
blocking inlining MathSin and MathCos into TurboFan generated code,
because there is no type feedback and hence TurboFan has to generate a
LOAD_IC for every coefficient.
R=yanggou@chromium.org
BUG=v8:3952
LOG=n
Review URL: https://codereview.chromium.org/989133002
Cr-Commit-Position: refs/heads/master@{#27057}
The key idea here is that the stack check should be explicit, such that
we can eliminate unnecessary stack checks after graph building and
potentially inlining.
R=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/981243002
Cr-Commit-Position: refs/heads/master@{#27056}
The problem is that a tagged slot could become a double slot after migrating an object to another map with "shifted" fields (for example as a result of generalizing an immutable data property to a data field).
This CL also adds useful machinery that helps triggering incremental write barriers.
BUG=chromium:454297
LOG=Y
Review URL: https://codereview.chromium.org/957273002
Cr-Commit-Position: refs/heads/master@{#27054}
Now the three intrinsic lists only differ in their compiler
support. Unifying the lists and making the logic of what is supported in
which compiler local to the compilers themselves is handled in a
follow-up CL.
BUG=v8:3947
LOG=n
Review URL: https://codereview.chromium.org/983183002
Cr-Commit-Position: refs/heads/master@{#27046}
Original issue: https://codereview.chromium.org/980573002/
Simple transitions are now stored in a map's "transitions" field (as a WeakCell wrapping the target map); full TransitionArrays are used when that's not sufficient.
To encapsulate these storage format implementation details, functions for manipulating and querying transitions have been refactored to be static functions on the TransitionArray class, and take maps as inputs.
Review URL: https://codereview.chromium.org/988703002
Cr-Commit-Position: refs/heads/master@{#27044}
This involved renaming apart a few more intrinsics. In the long run,
we want to clean up redundant intrinsics which just delegate.
BUG=v8:3947
LOG=n
Review URL: https://codereview.chromium.org/984963002
Cr-Commit-Position: refs/heads/master@{#27043}
This keeps dying maps alive for FLAG_retain_maps_for_n_gc garbage collections
to increase chances of them being reused for new objects in future and
decrease number of deoptimizations.
BUG=v8:3664
LOG=N
TEST=cctest/test-heap/MapRetaining
Review URL: https://codereview.chromium.org/980523004
Cr-Commit-Position: refs/heads/master@{#27040}
This makes sure that any pending message is saved before entering
and restored after exiting a finally block. It also makes sure that
operand stacks are kept in sync to full-codegen.
R=bmeurer@chromium.org
TEST=cctest/test-run-jsexceptions/ThrowMessage
Review URL: https://codereview.chromium.org/979173002
Cr-Commit-Position: refs/heads/master@{#27036}
External references are encoded as a tuple of type and ID. This
requires both the external reference encode and the decoder to
create a mapping between the encoding and the external reference
table index.
Instead, we simply use the external reference table index as
encoding.
We now also assume that there are no duplicate entries. Existing
duplicates have been removed in this change.
R=vogelheim@chromium.org
Review URL: https://codereview.chromium.org/982773003
Cr-Commit-Position: refs/heads/master@{#27033}
This is introduced by 8d2e45669f (r26993)
original commit message:
First shot at eager deoptimization in Turbofan.
BUG=
Review URL: https://codereview.chromium.org/960973003
Cr-Commit-Position: refs/heads/master@{#27032}
Reason for revert:
x64 test failures
Original issue's description:
> Simplify and compact transitions storage
>
> Simple transitions are now stored in a map's "transitions" field (as a WeakCell wrapping the target map); full TransitionArrays are used when that's not sufficient.
> To encapsulate these storage format implementation details, functions for manipulating and querying transitions have been refactored to be static functions on the TransitionArray class, and take maps as inputs.
>
> Committed: https://crrev.com/45fbef7f2252fce10634931cb103ccc1fc95ae6a
> Cr-Commit-Position: refs/heads/master@{#27029}
TBR=verwaest@chromium.org,ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/982143002
Cr-Commit-Position: refs/heads/master@{#27030}
Simple transitions are now stored in a map's "transitions" field (as a WeakCell wrapping the target map); full TransitionArrays are used when that's not sufficient.
To encapsulate these storage format implementation details, functions for manipulating and querying transitions have been refactored to be static functions on the TransitionArray class, and take maps as inputs.
Review URL: https://codereview.chromium.org/980573002
Cr-Commit-Position: refs/heads/master@{#27029}
Port 4436c2642a
Original commit message:
This adds support for the double bits intrinsics to TurboFan, and is
a first step towards fast Math functions inlined into TurboFan code
or even compiled by themselves with TurboFan.
BUG=
Review URL: https://codereview.chromium.org/980073003
Cr-Commit-Position: refs/heads/master@{#27028}
Port 1382879f29
Original commit message:
This extends the stack unwinding logic to respect optimized frames
and perform a lookup in the handler table to find handlers. It also
contains fixes to the API call stubs to allow a stack walk while
promoting scheduled exceptions.
BUG=
Review URL: https://codereview.chromium.org/988463002
Cr-Commit-Position: refs/heads/master@{#27027}
There are no test cases for this piece of code and it is really hard to test. If this rare case triggers, we are anyway in an OOM situation and would crash probably soon afterwards.
BUG=
Review URL: https://codereview.chromium.org/977013003
Cr-Commit-Position: refs/heads/master@{#27026}
If the function.name property has string type, then the stack frame will contain it; otherwise, it will contain the DebugName from the shared function info.
BUG=17356
LOG=Y
R=yurys@chromium.org
Review URL: https://codereview.chromium.org/917743002
Cr-Commit-Position: refs/heads/master@{#27025}
Internal references are absolute addresses into the instruction
stream. Turn them into relative addresses when serializing and
back when deserializing to keep them valid.
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/976623002
Cr-Commit-Position: refs/heads/master@{#27020}
According to the Source Map specification [1], the source map URL can be passed either as a magic comment at the end of the script or as a SourceMap HTTP header. We already parse the former value and expose it on the Script object. This change allows us to unify the way we deal with source map URLs received in the HTTP header by providing an API for passing that URL into the script being compiled.
source_map_url is intentionally not passed into CompilationCacheScript::Lookup. The cache is disabled anyway when the debugger is on.
[1] https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k/edit
LOG=Y
BUG=chromium:462572
Review URL: https://codereview.chromium.org/983603003
Cr-Commit-Position: refs/heads/master@{#27017}
This extends the stack unwinding logic to respect optimized frames
and perform a lookup in the handler table to find handlers. It also
contains fixes to the API call stubs to allow a stack walk while
promoting scheduled exceptions.
R=jarin@chromium.org
TEST=cctest/test-run-jsexceptions
Review URL: https://codereview.chromium.org/969533004
Cr-Commit-Position: refs/heads/master@{#27016}
This way, every function in those lists has one C++ implementation
called Runtime_##name. The previous distinction was confusing.
Review URL: https://codereview.chromium.org/983623002
Cr-Commit-Position: refs/heads/master@{#27010}
This adds support for the double bits intrinsics to TurboFan, and is
a first step towards fast Math functions inlined into TurboFan code
or even compiled by themselves with TurboFan.
Review URL: https://codereview.chromium.org/974313002
Cr-Commit-Position: refs/heads/master@{#27006}
port 1a608493e5 (r26983)
original commit message:
Refactor BreakLocationIterator.
We now have BreakLocation::Iterator to iterate via RelocIterator, and
create a BreakLocation when we are done iterating. The reloc info is
stored in BreakLocation in a GC-safe way and instantiated on demand.
BUG=
Review URL: https://codereview.chromium.org/978183002
Cr-Commit-Position: refs/heads/master@{#27003}
Function name property is now standardized in ES6. It was a Mozilla proprietary
extension before. With ES6, the property was made configurable, so that it can
be used instead of another proprietary property, displayName.
This is a revert of revert c791d84112.
Last time this broke a Chrome browser test which has since been updated:
5f75a3be4c
BUG=v8:3333
LOG=N
R=mstarzinger@chromium.org,verwaest@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/977003004
Cr-Commit-Position: refs/heads/master@{#26996}
Port a820568b1f
Each call to emit_32 uses 5 constant pool slots:
* the "emit_32" string
* undefined (the receiver)
* the argument (heap number)
* the load IC
* the call IC
This change cuts that down 20% to 4, by loading the undefined from the heap roots.
BUG=
Review URL: https://codereview.chromium.org/963193005
Cr-Commit-Position: refs/heads/master@{#26995}
If we use HashMap::Lookup with insert=true, the returned entry may have
NULL as value. This could either mean that the value is 0, or that the
entry has just been inserted. This ambiguity can cause false negatives
in PartialCacheIndexMap::LookupOrInsert.
Also fix a TODO.
R=vogelheim@chromium.org
Review URL: https://codereview.chromium.org/974273002
Cr-Commit-Position: refs/heads/master@{#26994}
Experimental globals are simply flag values on the builtins object to
turn on/off harmony features. We still need to declare them even when
we don't turn on harmony features for the snapshot.
R=vogelheim@chromium.org
Review URL: https://codereview.chromium.org/978813002
Cr-Commit-Position: refs/heads/master@{#26992}
This makes sure that the implicit exception edges in the graph pass
the correct exception object and also fixes a bug in the dominance
relationship of the value entering the finally block and its uses.
R=jarin@chromium.org
TEST=cctest/test-run-jsexceptions/FinallyBreak
Review URL: https://codereview.chromium.org/970253002
Cr-Commit-Position: refs/heads/master@{#26989}
Before, the max_old_space_size was set for each space, which is not intuitive and not what we want. There is still a mismatch between capacity and actual committed memory which should be cleaned up in a follow-up CL.
BUG=
Review URL: https://codereview.chromium.org/979783002
Cr-Commit-Position: refs/heads/master@{#26985}
We now have BreakLocation::Iterator to iterate via RelocIterator, and
create a BreakLocation when we are done iterating. The reloc info is
stored in BreakLocation in a GC-safe way and instantiated on demand.
R=ulan@chromium.org
BUG=v8:3924
LOG=N
Review URL: https://codereview.chromium.org/967323002
Cr-Commit-Position: refs/heads/master@{#26983}
Re-installing experimental natives after deserialization causes failures if
said experimental native is already included in the snapshot. However, there
is no way to tell whether a certain harmony feature has been included.
Experimental natives may also be turned on/off on-demand, which a snapshot
that includes them would not support for all cases.
The simple solution for the meantime is to never include experimental natives
in the snapshot and initialize them after deserialization on-demand.
R=vogelheim@chromium.org
Review URL: https://codereview.chromium.org/981473002
Cr-Commit-Position: refs/heads/master@{#26982}
Each call to emit_32 uses 5 constant pool slots:
* the "emit_32" string
* undefined (the receiver)
* the argument (heap number)
* the load IC
* the call IC
This change cuts that down 20% to 4, by loading the undefined from the heap roots.
R=verwaest@chromium.org
BUG=
Review URL: https://codereview.chromium.org/980563002
Cr-Commit-Position: refs/heads/master@{#26979}
This is a follow-on to crrev.com/960883003, which fixed a memory leak in this code, but uncovered another, more subtle bug:
Previously, the code expected you would v8::V8::Initialize once, and v8::V8::Dispose once. The first bug was that in this case the holder_ variable would point to deallocated memory. The second bug was that once the snapshot was disposed, there was no way to get it back on a future Initialize. These are uncovered by the InitializeAndDisposeMultiple test case.
The fix is to keep memory to the raw snapshot and to then cleanly build & destroy the tables in Initialize & Dispose. Since sometimes setNativesBlob is called just after Initialize, that situation must be handled, too.
BUG=
Review URL: https://codereview.chromium.org/974943003
Cr-Commit-Position: refs/heads/master@{#26978}
Shouldn't make a difference in practice, but it's a bit more readable and it
gets the case of a 0 shift correct without undefined behavior.
BUG=463436
LOG=N
Review URL: https://codereview.chromium.org/975283002
Cr-Commit-Position: refs/heads/master@{#26975}
Bit-shifts have undefined behaviour if the shift amount is greater
than or equal to the width of the type.
In this case the code would do imm32 >> 32 when rot == 0.
A newer version of Clang unrolled the loop and optimized the first
iteration away, causing the test suite to fail with:
#
# Fatal error in ../src/arm/assembler-arm.cc, line 1212
# Check failed: !rn.is(ip).
#
as well as crashing when running Chromium tests on Android (at least
we think this was the cause, see the bug).
BUG=463436, 444089
LOG=Y
Review URL: https://codereview.chromium.org/979633002
Cr-Commit-Position: refs/heads/master@{#26974}
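The rotation loop the two messages above describe, as an added example that is not V8's code: a rotate helper that keeps both shift amounts below the type width (so rot == 0 no longer produces imm32 >> 32), and a hypothetical fits_shifter/shifter_rotation search over the ARM 8-bit-rotated-immediate encoding built on top of it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Rotate a 32-bit value left by n bits without undefined behaviour.
 * The naive form (x << n) | (x >> (32 - n)) evaluates x >> 32 for n == 0,
 * which is undefined in C/C++ and which an optimizing compiler may use
 * to delete the whole first loop iteration.  Masking both shift counts
 * with 31 keeps them in [0, 31]; for n == 0 the right shift is x >> 0. */
static uint32_t rotate_left32(uint32_t x, unsigned n) {
  n &= 31u;
  return (x << n) | (x >> ((32u - n) & 31u));
}

/* ARM "operand 2" immediates are an 8-bit value rotated right by an even
 * amount 2*rot with rot in 0..15.  Rotating imm32 left by 2*rot undoes
 * that rotation, so imm32 is encodable iff some rotation yields <= 0xff.
 * Hypothetical helper modelled on the loop described in the commit message. */
static bool fits_shifter(uint32_t imm32, unsigned *rotate_imm, uint32_t *immed_8) {
  for (unsigned rot = 0; rot < 16; rot++) {
    uint32_t imm8 = rotate_left32(imm32, 2 * rot);
    if (imm8 <= 0xffu) {
      *rotate_imm = rot;
      *immed_8 = imm8;
      return true;
    }
  }
  return false;
}

/* Convenience wrapper: the rotation count for imm32, or -1 if no
 * encoding exists. */
static int shifter_rotation(uint32_t imm32) {
  unsigned rot;
  uint32_t imm8;
  return fits_shifter(imm32, &rot, &imm8) ? (int)rot : -1;
}

int main(void) {
  /* Constructed sample immediates: plain 8-bit, high byte, wrapped byte,
   * and a 12-bit value that no rotation can fit into 8 bits. */
  const uint32_t samples[] = {0xffu, 0xff000000u, 0xc000003fu, 0xfffu};
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    int rot = shifter_rotation(samples[i]);
    if (rot < 0)
      printf("0x%08x: not encodable as a rotated 8-bit immediate\n", samples[i]);
    else
      printf("0x%08x: imm8=0x%02x rotated right by %d\n", samples[i],
             rotate_left32(samples[i], 2 * (unsigned)rot), 2 * rot);
  }
  return 0;
}
```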
Problem:
Executing with flags as "--prof --logfile-per-isolate --logfile=/path/to/filename"
expected file name: /path/to/isolate-<isolate id>-filename
current result: isolate-<isolate id>-/path/to/filename
This patch produces the file name we expected.
Review URL: https://codereview.chromium.org/960813004
Cr-Commit-Position: refs/heads/master@{#26955}
Android doesn't have swap space so if the heap goes over the physical memory
size the system will just kill us. Applying the Heap::kPointerMultipler
to heap size could cause the max heap size to be larger than physical memory.
Instead use the defaults which are based on actual physical memory configured
by Api::ConfigureDefaults().
BUG=432909
LOG=N
Review URL: https://codereview.chromium.org/960213007
Cr-Commit-Position: refs/heads/master@{#26954}
TryInline needed the position only for the case when we track positions.
We can drop the position argument and use the current position from GraphBuilder.
The only problem is that it doesn't match the inline point.
The reason for that was that the builder had moved the position forward by
visiting argument expressions.
I fixed this by restoring the current position in HOptimizedGraphBuilderWithPositions::Visit*
BUG=452067
LOG=n
Review URL: https://codereview.chromium.org/962593005
Cr-Commit-Position: refs/heads/master@{#26953}
Contribution of PowerPC port (continuation of 422063005, 817143002,
866843003, and 901083004). This patch updates the ppc directories
to make them current with changes in common code, removes the
optimization to use the ool constant pool, and excludes tests that
don't pass under the ppc simulator given a 240s timeout.
Subsequent patches will cover:
- remaining optimizations for PPC
- remaining AIX changes not resolved by 4.8 compiler (4.8 is only recently available for AIX)
- incremental updates required to ppc directories due to platform specific changes made
in google repos while we complete the above steps.
modified: src/compiler/ppc/code-generator-ppc.cc
modified: src/ic/ppc/handler-compiler-ppc.cc
modified: src/ppc/assembler-ppc-inl.h
modified: src/ppc/assembler-ppc.cc
modified: src/ppc/assembler-ppc.h
modified: src/ppc/builtins-ppc.cc
modified: src/ppc/code-stubs-ppc.cc
modified: src/ppc/debug-ppc.cc
modified: src/ppc/deoptimizer-ppc.cc
modified: src/ppc/frames-ppc.cc
modified: src/ppc/frames-ppc.h
modified: src/ppc/full-codegen-ppc.cc
modified: src/ppc/lithium-codegen-ppc.cc
modified: src/ppc/lithium-ppc.cc
modified: src/ppc/lithium-ppc.h
modified: src/ppc/macro-assembler-ppc.cc
modified: src/ppc/macro-assembler-ppc.h
modified: test/cctest/cctest.status
modified: test/mjsunit/mjsunit.status
R=danno@chromium.org, svenpanne@chromium.org
BUG=
Review URL: https://codereview.chromium.org/965823002
Cr-Commit-Position: refs/heads/master@{#26951}
On Intel targets, it is cheaper to load the context from the frame
instead of loading the context as a constant (which usually involves a
PropertyCell because the context is in new space when we compile the
function).
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/970803002
Cr-Commit-Position: refs/heads/master@{#26935}
On 64-bit targets, we can skip the write barrier for Store nodes if the
input is ChangeInt32ToTagged, because the value being stored is
definitely represented as a smi then.
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/968113002
Cr-Commit-Position: refs/heads/master@{#26934}
This is partially based on r21609 but that CL was incomplete.
Function name is still non writable so one has to use defineProperty
to change the actual value.
BUG=v8:3333
LOG=N
R=adamk, mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/960343002
Cr-Commit-Position: refs/heads/master@{#26924}
This required fixing the exports_ hash map to use the appropriate
comparison function instead of pointer comparison.
BUG=v8:1569
LOG=n
Review URL: https://codereview.chromium.org/960793003
Cr-Commit-Position: refs/heads/master@{#26920}
InstallBuiltinFunctionIds stood out when looking at code that grew
strangely when compiled with default optimizations.
This change from repeated code to a loop saves 6-7 KB of machine code.
I suspect it's faster but I also suspect it's fast enough either way so
that is not really a factor. Machine code reduction seen below.
Code formatted with git cl format.
clang x64:
Total change: -5985 bytes
-------------------------------------------
+517 - Source: ?? - (gained 744, lost 227)
-------------------------------------------
New symbols:
+744: v8::internal::Genesis::InstallBuiltinFunctionIds()::builtins type=d, size=744 bytes
Removed symbols:
-4: .L.str98 type=r, size=4 bytes
... [stripped 30 similar lines]
-19: .L.str100 type=r, size=19 bytes
----------------------------------------------------------------------------------------------
-6502 - Source: /home/bratell/src/chromium/src/v8/src/bootstrapper.cc - (gained 0, lost 6502)
----------------------------------------------------------------------------------------------
Removed symbols:
-1135: v8::internal::ResolveBuiltinIdHolder(v8::internal::Handle<v8::internal::Context>, char const*) type=t, size=1135 bytes
Shrunk symbols:
-5367: v8::internal::Genesis::InstallBuiltinFunctionIds() type=t, (was 7105 bytes, now 1738 bytes)
BUG=
Review URL: https://codereview.chromium.org/918303005
Cr-Commit-Position: refs/heads/master@{#26919}
Save Unknown position as zero in RelocInfo.
Remove copy constructor of SourcePosition because it is trivial.
Mechanical replace int raw_position with SourcePosition position.
BUG=452067
LOG=n
Review URL: https://codereview.chromium.org/959203002
Cr-Commit-Position: refs/heads/master@{#26916}
Without this shortcut we generate one BooleanNot per JSUnaryNot with
number input, which is quite common in asm.js. These dead nodes then
survive until the late control reducer runs, and may prevent
optimizations in the meantime.
R=dcarney@chromium.org
Review URL: https://codereview.chromium.org/963713002
Cr-Commit-Position: refs/heads/master@{#26911}
port 6af7ca6be4 (r26886)
original commit message:
Skip the mapcheck on the global object since the global proxy and cell are already
checked (or the global object map for contextual global loads).
BUG=
Review URL: https://codereview.chromium.org/965693002
Cr-Commit-Position: refs/heads/master@{#26908}
port e9cdcb7174 (r26875)
original commit message:
Only dynamically perform access checks on the receiver if it's a JSGlobalProxy.
Proxies up the chain are guaranteed to provide access if we had access to the receiver,
since otherwise we wouldn't have been able to compile the stub in the first place.
If the security check would change, the window navigates, changing the map of the JSGlobalProxy.
BUG=
R=weiliang.lin@intel.com
Review URL: https://codereview.chromium.org/964813002
Cr-Commit-Position: refs/heads/master@{#26905}
Reason for revert:
Need to revert the ported CL.
Original issue's description:
> MIPS: Also skip when the target is the global object.
>
> Port cc918d30b9
>
> BUG=
>
> Committed: https://crrev.com/b24a0efa447235e11b9ff9d1eeaada06131b2e04
> Cr-Commit-Position: refs/heads/master@{#26897}
TBR=danno@chromium.org,verwaest@chromium.org,paul.lind@imgtec.com,gergely.kis@imgtec.com,akos.palfi@imgtec.com,dusan.milosavljevic@imgtec.com,balazs.kilvady@imgtec.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review URL: https://codereview.chromium.org/963603002
Cr-Commit-Position: refs/heads/master@{#26898}
This also adds a new VariableMode, IMPORT, which will be
used to do appropriate binding for Import-declared Variables.
Only named imports are handled for now. "import *" and default
import syntaxes have had their TODOs adjusted to match the new
code structure.
BUG=v8:1569
LOG=n
Review URL: https://codereview.chromium.org/948303004
Cr-Commit-Position: refs/heads/master@{#26895}
Port e9cdcb7174
Original commit message:
Proxies up the chain are guaranteed to provide access if we had access to the receiver, since otherwise we wouldn't have been able to compile the stub in the first place. If the security check would change, the window navigates, changing the map of the JSGlobalProxy.
BUG=
Review URL: https://codereview.chromium.org/958923002
Cr-Commit-Position: refs/heads/master@{#26894}
This reverts commit b57be748b1 and
disables the test/mjsunit/debug-clearbreakpointgroup.js because
BreakLocationIterator::ClearBreakPoint is already broken for unrelated reasons (see v8:3924).
BUG=v8:3877
LOG=N
TEST=cctest/test-heap/Regress3877
Review URL: https://codereview.chromium.org/957373002
Cr-Commit-Position: refs/heads/master@{#26893}