Snapshots don't yet work in 64-bit win/cross builds, so disable them
until they do.
No behavior change in builds that aren't 64-bit win/cross builds.
Bug: chromium:803591
Change-Id: I7a04c7e01a58a95a2bfb78c7d2593c7c5c5041cf
Reviewed-on: https://chromium-review.googlesource.com/936668
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Nico Weber <thakis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51554}
This adds support for poisoning the stack pointer and implicit register
arguments like the context register and the function register in the
prologue of generated code with JavaScript linkage. The speculation
poison is computed similarly to the interpreter by matching expected
with actual code start addresses.
R=jarin@chromium.org,rmcilroy@chromium.org
BUG=chromium:798964
Change-Id: I5fa48844745459cf7b3d00c407a7b835f61c857b
Reviewed-on: https://chromium-review.googlesource.com/919167
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51553}
Currently we don't always consistently use the String feedback on
JSAdd, but only if JSTypedLowering would already figure out statically
that one of the inputs is already a String. That leads to some odd
performance cliffs, as highlighted in the referenced bug.
This CL fixes the JSTypedLowering::ReduceJSAdd to always bake in the
String feedback. This improves the relevant performance tests from the
bug from
console.timeEnd: Runtime join3, 967.512000
console.timeEnd: Runtime join, 1004.599000
console.timeEnd: Runtime join3, 1124.764000
console.timeEnd: Runtime join, 966.164000
console.timeEnd: Runtime join3, 1145.296000
console.timeEnd: Runtime join, 966.176000
console.timeEnd: Runtime join3, 1145.272000
console.timeEnd: Runtime join, 931.266000
to
console.timeEnd: Runtime join3, 903.050000
console.timeEnd: Runtime join, 856.509000
console.timeEnd: Runtime join3, 945.144000
console.timeEnd: Runtime join, 840.038000
console.timeEnd: Runtime join3, 927.965000
console.timeEnd: Runtime join, 841.263000
console.timeEnd: Runtime join3, 929.342000
console.timeEnd: Runtime join, 858.143000
which corresponds to an 8-18% improvement.
Bug: v8:7415
Change-Id: I62e008298e4ee0864885b37817c91d055acf2a09
Reviewed-on: https://chromium-review.googlesource.com/936643
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51551}
Removing includes which are not needed and also not indirectly pulled in.
BUG=v8:7490, v8:7310
Change-Id: I219ba92c3281c3c245cc6c5574c85c2d51a217a9
Reviewed-on: https://chromium-review.googlesource.com/934722
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51550}
The CreateClosureMode introduced with 2ece046c5 is still not 100%
fail-safe and doesn't scale. What we really need instead, especially
when we might start removing the SharedFunctionInfo::code field
eventually, is to tell the JSCreateClosure node which code object to
use. So instead of adding magic around it, let's just pass it to the
node.
Bug: v8:2206, v8:7253, v8:7310
Change-Id: Iedb6ae468a763643617975f47d96854d1aeafbe9
Reviewed-on: https://chromium-review.googlesource.com/937121
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51548}
We use JSCreateClosure to also construct closures for builtins, i.e.
for the callbacks created by the Promise constructor. For these builtins
we cannot set code to the CompileLazy builtin, but need to use the code from
the SharedFunctionInfo. The explicit mode tells the lowering what it
should do (instead of relying on SharedFunctionInfo::native(), which is
not the right bit).
Bug: v8:2206, v8:7253, v8:7310
Change-Id: Ic956814e137c57b36ebb5d7b4d964dde5ee51a0d
Reviewed-on: https://chromium-review.googlesource.com/930964
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51547}
This reverts commit 3c62f7ae07.
(and commit 4939463c77)
The goal of this revert is to contrast the effect on perf bots of
landing it vs reverting it to more easily attribute its impact.
R=hpayer@chromium.org
Bug: chromium:812178
Change-Id: I7c977b1b0b587f787263272400d87f6aae7af634
Reviewed-on: https://chromium-review.googlesource.com/936761
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51546}
This implements the full set of f32 comparisons (f32.eq, f32.ne,
f32.lt, f32.gt, f32.le, f32.ge) on ia32 and x64.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: I2be786431d01b4ed540b70f3e4a27c19b7d2649e
Reviewed-on: https://chromium-review.googlesource.com/928982
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51545}
This is a follow-up to https://chromium-review.googlesource.com/904164
now that I've realized raw TRACE_EVENTs work in v8 (initially thought it
had to go through heap()->tracer()).
After adding events to EvacuatePage(), the subitem event for evacuation tasks
became redundant. Since this results in a better output, this CL applies
this approach to all parallel work items.
Not using TRACE_BACKGROUND_GC also avoids polluting logs with subitems
when using v8's tracing flags.
R=mlippautz@chromium.org
Bug: chromium:651354
Change-Id: I62efbde69da2a0a9bd255e34093d64924e339974
Reviewed-on: https://chromium-review.googlesource.com/934263
Commit-Queue: Gabriel Charette <gab@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51544}
I think those are safe to keep and add useful information to highlight
the type of evacuate copy step being performed.
This is a prerequisite for https://chromium-review.googlesource.com/c/v8/v8/+/934263
as it will drop tracing individual work items and will
leave it to top-level item trace events like these to
highlight individual work items' work.
Will reland after reverting them all, however, to confirm that re-adding
these doesn't cause regressions as the fine-grained trace events
initially did.
R=hpayer@chromium.org
Bug: chromium:813824
Change-Id: I8e53b880ce0aeae08afa7a2c0f36a455f645bcfa
Reviewed-on: https://chromium-review.googlesource.com/934248
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Gabriel Charette <gab@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51543}
Change lowering for Store to use input replacement type.
Change-Id: Ic1fbbb37a3cc938fca7015d838933284bae6068e
Reviewed-on: https://chromium-review.googlesource.com/903266
Commit-Queue: Jing Bao <jing.bao@intel.com>
Reviewed-by: Aseem Garg <aseemgarg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51540}
Fuzzers after switching to ToT mjsunit.js, which accesses
Date.prototype, while for correctness fuzzing it's mocked out as a
proxy.
This makes the proxy return the property correctly.
TBR=yangguo@chromium.org
NOTRY=true
Bug: chromium:813833
Change-Id: Ic4b6412063f42c4e75905fbd568b7f81bc54daff
Reviewed-on: https://chromium-review.googlesource.com/936046
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51539}
This patch removes one unnecessary sub instruction in ComputeCodeStartAddress for SpeculationPoison generation at the beginning of each bytecode handler.
leaq rbx,[rip+0x0] => leaq rbx,[rip+0xfffffff9]
subq rbx,0x7 => To be removed
movq r9,0x0
cmpq rcx,rbx
movq rbx,0xffffffff
cmovzq r9,rbx
Change-Id: I7648ae27d4039488d1fc0f4c25477a5cb889bd6d
Reviewed-on: https://chromium-review.googlesource.com/933593
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Shiyu Zhang <shiyu.zhang@intel.com>
Cr-Commit-Position: refs/heads/master@{#51537}
Previously the API allowed the embedder to re-fulfill a non-pending
promise. This was changed as part of
c041296189.
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I53dc028fecdcc6ab05c05cfc7795e89519ed9633
Reviewed-on: https://chromium-review.googlesource.com/932968
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51536}
`CodeStubAssembler::ToInteger_Inline` performs a `TaggedIsSmi` check,
and calls `ToInteger` with the appropriate truncation mode if the
input is not a Smi.
When we already know we’re dealing with something that’s not a Smi,
this check is redundant, and we can use
`CallBuiltin(Builtins::kToInteger*)` directly.
Bug: v8:7310
Change-Id: If538e39bcb738014bd03f10edd0051dac72b7ea3
Reviewed-on: https://chromium-review.googlesource.com/934901
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51535}
Since we only need to store 18 different function kinds,
the bitfield approach was wasting space (requiring 11 bits).
This patch replaces the bitfield with a regular enum, and
updates all the FunctionKind predicates to use comparisons
instead of bitwise ops.
For the small amount of builtin code that depended upon being
able to do masking to determine whether something is a class
constructor, we still store two extra bits on FunctionKind,
which are computed when the SFI is initialized.
If this approach causes performance regressions (i.e., if it
turns out that other code was implicitly depending on masking
for fast checks), we can revert this or address it in
other ways (e.g., by doing similar caching of repeated checks
in the caller).
This is a reland of 42667bab5b.
Bug: v8:7310
Change-Id: I2ec54289ea687399c61d75b7aff2d849861a64f2
Reviewed-on: https://chromium-review.googlesource.com/934864
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51534}
This adds printing on failures to compare output when correctness fuzzing.
TBR=yangguo@chromium.org
NOTRY=true
Bug: chromium:813833
Change-Id: I0280561392f6614960608db4e93341552c716142
Reviewed-on: https://chromium-review.googlesource.com/934843
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51529}
Port 2579951648
Original Commit Message:
This introduces masking of loads with speculation bit during code generation.
At the moment, this is done only under the
--branch-load-poisoning flag, and this CL enlarges the set of supported
platforms from {x64} to {x64, arm}.
Overview of changes:
- new register configuration with one register reserved for
the speculation poison/mask (kSpeculationPoisonRegister).
- in codegen, we introduce an update to the poison register at the starts
of all successors of branches (and deopts) that are marked as safety
branches (deopts).
- in memory optimizer, we lower all field and element loads to PoisonedLoads.
- poisoned loads are then masked in codegen with the poison register.
* only integer loads are masked at the moment.
R=tebbi@chromium.org, joransiu@ca.ibm.com, bjaideep@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: Idda9bf06133d8999290cda5bcf6333c064b3e6dc
Reviewed-on: https://chromium-review.googlesource.com/927163
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#51528}
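The three speculation-poison commits above (poisoning implicit registers in the prologue from a code-start comparison, the lea/cmp/cmovz sequence in ComputeCodeStartAddress, and --branch-load-poisoning, where the poison register is updated at branch successors and loads are masked with it) describe one mechanism. The following is an added example that models that mechanism in portable C; it is not V8 code. V8 emits this as machine code with a dedicated poison register and controls the instruction sequence at codegen; in plain C a compiler is free to turn the branchless arithmetic back into a branch, so the functions, the poison_t type and the constructed kSample buffer with its "secret" tail are illustrative assumptions, not something you should expect to work as a mitigation when compiled normally.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of V8's speculation poison (not V8 code). A poison_t value
 * stands in for kSpeculationPoisonRegister: all ones on the architecturally
 * correct path, zero on a mispredicted path. */
typedef uint64_t poison_t;
#define POISON_VALID ((poison_t)~(poison_t)0)   /* all ones: loads pass through */

/* Branchless "is x nonzero": for x != 0, x | -x has its top bit set. */
static inline uint64_t is_nonzero_u64(uint64_t x) {
    return (x | (0 - x)) >> 63;
}

/* Mirrors the ComputeCodeStartAddress sequence (lea rip-relative / cmp / cmovz):
 * compare the expected code start with the actual one and produce an all-ones
 * mask on equality, zero otherwise, without a branch. */
poison_t poison_from_code_start(uint64_t expected, uint64_t actual) {
    uint64_t differs = is_nonzero_u64(expected ^ actual);   /* 1 on mismatch */
    return 0 - (poison_t)(differs ^ 1);                     /* match -> ~0, mismatch -> 0 */
}

/* Poison update at the start of each successor of a safety branch. arch_cond is
 * the architecturally evaluated condition (1 or 0). The true successor keeps the
 * poison only if the condition really was true, the false successor only if it
 * really was false; a mispredicted successor therefore sees 0. */
poison_t poison_true_successor(poison_t poison, uint64_t arch_cond) {
    return poison & (0 - arch_cond);           /* cond 1 -> keep, cond 0 -> clear */
}
poison_t poison_false_successor(poison_t poison, uint64_t arch_cond) {
    return poison & (arch_cond - 1);           /* cond 0 -> keep, cond 1 -> clear */
}

/* A PoisonedLoad: the loaded integer is ANDed with the poison register. */
uint32_t poisoned_load_u32(const uint32_t *p, poison_t poison) {
    return *p & (uint32_t)poison;
}

/* Constructed sample data: a 4-element array followed by 4 words standing in
 * for secrets that an out-of-bounds speculative read must not leak. */
static const uint32_t kSample[8] = {10, 20, 30, 40,
                                    0xDEAD0001u, 0xDEAD0002u, 0xDEAD0003u, 0xDEAD0004u};
static const size_t kSampleLen = 4;
#define OUT_OF_BOUNDS 0xFFFFFFFFu

/* Body of the true successor of `if (idx < len)` as codegen would emit it:
 * update the poison from the real condition, then do the masked load. Calling
 * it with arch_cond == 0 models the CPU speculating into this block after
 * mispredicting the bounds check. */
uint32_t true_successor_load(const uint32_t *arr, size_t idx, poison_t poison,
                             uint64_t arch_cond) {
    poison = poison_true_successor(poison, arch_cond);
    return poisoned_load_u32(&arr[idx], poison);
}

/* Architectural behaviour of the guarded access. */
uint32_t guarded_load(const uint32_t *arr, size_t len, size_t idx) {
    uint64_t in_bounds = (uint64_t)(idx < len);
    if (idx < len) {
        return true_successor_load(arr, idx, POISON_VALID, in_bounds);
    }
    return OUT_OF_BOUNDS;
}

uint32_t architectural(size_t idx) {
    return guarded_load(kSample, kSampleLen, idx);
}

/* What the true successor observes if the CPU runs it for idx regardless of the
 * bounds check: the value when in bounds, 0 when mispredicted out of bounds. */
uint32_t speculative_true_path(size_t idx) {
    return true_successor_load(kSample, idx, POISON_VALID, (uint64_t)(idx < kSampleLen));
}

/* The same speculative path without poisoning leaks the secret word. */
uint32_t unpoisoned_speculative_true_path(size_t idx) {
    return kSample[idx];
}

int main(void) {
    printf("architectural(6)            = 0x%08x\n", architectural(6));
    printf("speculative_true_path(6)    = 0x%08x\n", speculative_true_path(6));
    printf("unpoisoned speculative(6)   = 0x%08x\n", unpoisoned_speculative_true_path(6));
    return 0;
}
```

The point of the model is the contrast between the last two calls: on a mispredicted bounds check the unpoisoned path reads the secret word, while the poisoned path reads 0, so a later cache-timing gadget has nothing to encode. Only integer loads are masked, matching the commit's note that other load kinds are not yet covered.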
The list of runtime function use counts was generated with:
$ grep -o '^ *F(\w*' src/runtime/runtime.h | sed 's/^ *F(//' | sort | while read f; do USE_COUNT=$(git grep "\(Runtime::k\|Runtime::kInline\|%\|%_\)$f" | wc -l); echo $USE_COUNT $f; done
This reduces libv8.so size by 59K on an x64 release build.
Bug: v8:7310
Change-Id: Ib4d097e63ed065f41bf73e9529e4354575be5229
Reviewed-on: https://chromium-review.googlesource.com/934272
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51526}
CSA::Select makes the code compact and cleaner. Use it instead of
branches.
Bug: v8:7310
Change-Id: I3694b5ab5f8085c60266a4ad02640075005f4f94
Reviewed-on: https://chromium-review.googlesource.com/934509
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51525}
The Operand class is small enough to be efficiently passed by value.
This saves binary size and performance because the Operand does not need
to be emitted to the caller's frame and loaded in the callee.
Binary saving is 30kB in release mode on x64.
R=mstarzinger@chromium.org
Bug: v8:7310
Change-Id: Ibad9d438ace23cfe8e4641bd48063ab7035656f4
Reviewed-on: https://chromium-review.googlesource.com/934137
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51524}
Adding the StringSubstring simplified operator is a precursor to
improving inlining of String.p.{substr,substring,slice}.
This also contains a drive-by renaming to normalize different
spellings of 'Substring'.
Bug: v8:7250, v8:7340
Change-Id: I89e0fbafeab80f5d2f3ef348a5303d32c0abfe0a
Reviewed-on: https://chromium-review.googlesource.com/919084
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51522}
The deoptimizer can create argument adaptor frames, in which case we
write a return address onto the stack that jumps into the middle of
the ArgumentsAdaptorTrampoline builtin. Now that this builtin is
off-heap, we need to calculate the return address based on the
off-heap instruction stream, not the on-heap trampoline.
Bug: v8:6666
Change-Id: I55b27fe8b0573f6c6ae66375850352f71bdff618
Reviewed-on: https://chromium-review.googlesource.com/934202
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51520}
Off-heap code may have pc values that are not within
[instruction_start, instruction_end]. Handle these kinds of objects in
heap Code lookup functions.
Bug: v8:6666
Change-Id: Ib7a58f962ef6311c48234e506a35485fd5966814
Reviewed-on: https://chromium-review.googlesource.com/934184
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51518}
This fixes issues where the stack trace contained 'Promise' but
not 'new'.
Bug: v8:7253
Change-Id: I840fcc0a76e2376aab0b64d321f5cf8ccc672956
Reviewed-on: https://chromium-review.googlesource.com/928762
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51516}
Previously, typing errors would be hidden by the SloppyTNode cast. Both
lambdas should always return strictly checked types that match the
templated type of the select, otherwise unchecked values can reach
TNodes.
Bug: v8:7479
Change-Id: Icd316c21a30c8c8305b7740c985efaa54c9a7015
Reviewed-on: https://chromium-review.googlesource.com/934455
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51515}
Off-heap-safety slightly differs from isolate-independence in that it
allows external references and checks instruction-size constraints.
This adds the new predicate as well as a cctest verifying it. New
DCHECKs are introduced to document assumptions and upcoming work.
Note that this breaks the --stress-off-heap-code flag. Fixes will
follow in upcoming CLs.
Bug: v8:6666
Change-Id: If4f3e0f4428bacc8d293cd864b9b07b81679c423
Reviewed-on: https://chromium-review.googlesource.com/934183
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51513}
This is the follow-up CL to
https://chromium-review.googlesource.com/#/c/v8/v8/+/931122.
Now that HeapConstants can be loaded through the builtins constants
table, the extra CallStub and CallRuntime have become unnecessary.
Bug: v8:6666
Change-Id: I02bb7805ac37bed6fe27fdd0689ac22ad7de034b
Reviewed-on: https://chromium-review.googlesource.com/931123
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51512}
Convert all context, receiver and argc Node*s to their appropriate TNode
type.
Bug: v8:7310
Change-Id: Ic6bf22ffb22199d390731d424b7395c47a8f19cf
Reviewed-on: https://chromium-review.googlesource.com/934442
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51511}