Add a new JSConstructWithArrayLike operator that is backed by the
ConstructWithArrayLike builtin (similar to what was done before
for the JSCallWithArrayLike operator), and use that operator to
optimize Reflect.construct inlining in TurboFan. This is handled
uniformly with JSConstructWithSpread in the JSCallReducer.
Also add missing test coverage for Reflect.construct in optimized
code, especially for some interesting corner cases.
R=petermarshall@chromium.org
BUG=v8:4587,v8:5269
Review-Url: https://codereview.chromium.org/2949813002
Cr-Commit-Position: refs/heads/master@{#46087}
This addresses a TODO about the correct location of the helper function
in question, it is now internal to TurboFan instead of being shared.
R=jarin@chromium.org
Change-Id: I7e6112e9bc9759255a416fa2e2a9f92a8e4248c8
Reviewed-on: https://chromium-review.googlesource.com/542840
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46086}
- Iterator advancing is kept mainly unchanged.
- The iterator stores the size of the object which is to be used by the
caller in follow ups. This way we might be able to avoid further out
of line loads.
- The iteartor follows the regular std conventions allowing range based
loops.
Bug: chromium:651354
Change-Id: I8928224a62d3a48a48145a2d00279a28608bc634
Reviewed-on: https://chromium-review.googlesource.com/543335
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46085}
Inlines some functions to improve reduce the stack requirements for
chains of binary operations in the bytecode generator, thereby
enabling support of deeper expression stacks.
BUG=chromium:731861
Change-Id: I5ca437d507e9b2a7eb74f33deaa708ecd646077b
Reviewed-on: https://chromium-review.googlesource.com/541356
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46080}
The fuzzer has already been removed from chromium. In addition I removed
code which was only used by this fuzzer.
BUG=chromium:734550
R=clemensh@chromium.orgCC=mstarzinger@chromium.org
Change-Id: I2ff4614e4d64131412ead759318e5c38e38f5d3d
Reviewed-on: https://chromium-review.googlesource.com/542816
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46078}
- Now that there are no boolean vector types, we can directly test the
results of relational ops.
Bug: v8:6020
Change-Id: Id2139133ae3a548a9985a26a3427cbeddc6272a6
Reviewed-on: https://chromium-review.googlesource.com/536176
Reviewed-by: Aseem Garg <aseemgarg@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46075}
Also remove support for "python macros" as the last
existing one is removed in this patch.
Change-Id: I537d604a0a1c9ca11cd5c195841b9f5a0ec74850
Reviewed-on: https://chromium-review.googlesource.com/540836
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46069}
On an error during {ProcessExports()}, we would just continue
execution, resulting in a DCHECK failure later.
I did not find any tests for exported globals, so I added a few
(including a regression test for the referenced bug).
R=ahaas@chromium.org
BUG=chromium:734295
Change-Id: I35370de934c274f870680c662ef848c72268a7bc
Reviewed-on: https://chromium-review.googlesource.com/539401
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46064}
If one wasm instance imports an exported function of another instance,
we unwrap the js-to-wasm wrapper of the export and use the underlying
code object directly. However, the code object does not keep the wasm
instance alive. It is only connected via a WeakCell.
With this CL, we explicitly store a FixedArray of all wasm instances
from which we imported functions to keep them alive at least as long as
the instance which imports the code.
R=mtrofin@chromium.org, ahaas@chromium.org
BUG=chromium:734345
Change-Id: I8dcfc9a4ea2d791a62d8cb7255039e481c50bdfd
Reviewed-on: https://chromium-review.googlesource.com/539738
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46062}
This patch replaces IterateBlackObject with two functions:
- RecordWrites,
- ProcessBlackAllocatedObject.
The RecordWrites function is a write barrier, and its behaviour depends
on whether the concurrent marking is on or not.
The ProcessBlackAllocatedObject is the same indepenent from the
concurrent marker.
BUG=chromium:694255
Change-Id: I1666371fbdac9b26c6f875b9e1d1751da4ea1960
Reviewed-on: https://chromium-review.googlesource.com/541441
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46060}
This adapts the predicate in question to be geared towards TurboFan now
that Crankshaft is no longer being used. It makes the predicate respect
the --allocation-site-pretenuring flag again in all cases.
R=mlippautz@chromium.org
BUG=v8:6408
Change-Id: Ib2753f70d7904764859a2d91815a675745416239
Reviewed-on: https://chromium-review.googlesource.com/541321
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46058}
Inspector uses only BREAK_POSITION_ALIGNED, no tests pass STATEMENT_ALIGNED. It's exposed only with debugger API but I'm pretty sure that nobody actually uses it and as far as mirrors API is deprecated - it's time to remove it.
R=jgruber@chromium.org
Bug: none
Change-Id: I28d62e145811d3eb6f4d64007c47c51b2ecbaf0f
Reviewed-on: https://chromium-review.googlesource.com/536934
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46056}
AllocationSite objects survive if a page moves within new space. The
intended behavior was to update the count only when they are visited by
the Scavenger the first time, as they would die afterwards.
This fixes that case where we would move a page within new space where
most objects survive. We would unnecessarily update the AllocationSite
in this case.
Bug: chromium:651354
Change-Id: Ife4dd3e7f60320e0050e7c83dfc5457f66e2287c
Reviewed-on: https://chromium-review.googlesource.com/541302
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46052}
This makes sure that the coercion of global import values to numbers
remains non-observable to JavaScript. It allows instantiation failures
to fall back to JavaScript proper without accidentally causing some
side-effect to happen twice. Also coercions might invalidate previous
checks done during linking or throw exceptions.
R=clemensh@chromium.org
TEST=mjsunit/regress/regress-6431
BUG=v8:6431
Change-Id: Ibe2f7a336bc0fb25532d526746ecc802e04bbd5c
Reviewed-on: https://chromium-review.googlesource.com/512544
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46051}
The constructor of WireBytesRef checks that offset+length is still in
the uint32_t range. This CL avoids triggering this check on illegally
size strings.
R=ahaas@chromium.org
BUG=chromium:734246
Change-Id: Iab5c7013aa3e0ac5060bc4733e712a1652679b1a
Reviewed-on: https://chromium-review.googlesource.com/539402
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46050}
https://codereview.chromium.org/2632713003 with workaround for old GCC.
Drive-by: fix unused variable in src/wasm/wasm-js.cc
Bug:chromium:457078
Change-Id: I6c1b65076bae783c31869552bc87d05c28550e26
Reviewed-on: https://chromium-review.googlesource.com/538463
Commit-Queue: Loo Rong Jie <loorongjie@gmail.com>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46049}
This was never legal; the spec only allows '\0' in strict-mode strings or templates
when not followed by a decimal digit. Previously we were only enforcing that it
not be followed by an _octal_ digit.
This was already fixed for numeric literals, but not for escape sequences in strings.
BUG=v8:6504
Review-Url: https://codereview.chromium.org/2950633002
Cr-Commit-Position: refs/heads/master@{#46046}
Especially in wasm, many builtins don't actually need a context
parameter. We currently pass Smi::kZero instead. This CL allows to
generate a CallDescriptor for calling stubs without passing a context,
resulting in reduced compile time and code size, and increased
performance when executing these builtins.
We were calling the ThrowWasm* functions without passing a context
anyway (directly from code-generator-<arch>.h). With this change, we
will also call the StackCheck builtin without passing a (null) context.
This saves two bytes of code in each function plus each loop, and also
slightly reduces compile time (very noisy, but statistically
significant).
Drive-by: Use NoContextConstant instead of SmiConstant(Smi::kZero).
R=mstarzinger@chromium.org, ahaas@chromium.org
Change-Id: If794cc4c262a9cca8d29a68010803c01a2eef4a3
Reviewed-on: https://chromium-review.googlesource.com/541423
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46044}
A follow up will allow inserting slots during GC without emiting fences
Bug: chromium:651354
Change-Id: Ia1d0f88e3658bca31933bdb013db15a5c2ecd849
Reviewed-on: https://chromium-review.googlesource.com/541400
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46042}
Add a new JSCallWithArrayLike operator that is backed by the
CallWithArrayLike builtin, and use that operator for both
Function.prototype.apply and Reflect.apply inlining. Also unify
the handling of JSCallWithArrayLike and JSCallWithSpread in
the JSCallReducer to reduce the copy&paste overhead.
Drive-by-fix: Add a lot of test coverage for Reflect.apply and
Function.prototype.apply in optimized code, especially for some
corner cases, which was missing so far.
BUG=v8:4587,v8:5269
R=petermarshall@chromium.org
Review-Url: https://codereview.chromium.org/2950773002
Cr-Commit-Position: refs/heads/master@{#46041}
Changes the handling of TestResultScopes to allow them to be reused by
logical tests by rewiring instead of using a new TestResultScope.
Also does the following:
- moves some fields about in TestResultScope to reduce it's size
- moves RegisterListFreeEvent to the end of ReleaseRegisters to enable
it to be tail-called.
This increases the allowed depth of logical expressions which the
compiler can handle without overflowing the stack by about 2x on x64.
BUG=chromium:731861
Change-Id: I7733797bec5e52d07eec6332c07e2a886f2bbde1
Reviewed-on: https://chromium-review.googlesource.com/539521
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46039}
