Commit Graph

19 Commits

Author SHA1 Message Date
Benedikt Meurer
92c6af8a2d [interpreter] Do ToObject implicitly as part of CloneObject.
The CloneObject bytecode was only able to handle objects, null and
undefined, and explicit bytecode had to be generated to perform the
ToObject outside the bytecode (unlike the other IC bytecodes that
just perform the ToObject implicitly). That means the simplest possible
object cloning would also generate a sequence of 5 bytecodes (at least):

```
   Mov <register>, a0
   JumpIfNull @1
   JumpIfUndefined @1
   ToObject <register>
1: CloneObject <register>
```

That is quite wasteful and unnecessary, since the core logic in the
runtime already does the ToObject properly anyways. This change
refactors the CloneObjectIC slightly to behave more like the other ICs
and do the ToObject implicitly when necessary.

Bug: v8:7611, v8:9114, v8:9183, v8:9343
Change-Id: I11973e90bf875f154a5a7739287bee17041e4a7a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1649554
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62064}
2019-06-08 17:42:12 +00:00
Ross McIlroy
5b794a389b [Test] Add PrepareForOptimization to some mjsunit tests.
Bug: v8:8801, v8:8394
Change-Id: I6bb46ecafe1bd94adbf0409f13c9b2e558da0823
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1594558
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61200}
2019-05-03 13:32:32 +00:00
Benedikt Meurer
4995c85f28 [runtime] Optimize general object spread.
This adds a new %_CopyDataProperties intrinsic, that reuses most of the
existing machinery that we already have in place for Object.assign() and
computed property names in object literals. This speeds up the general
case for object spread (where the spread is not the first item in an
object literal) and brings it on par with Object.assign() at least - in
most cases it's significantly faster than Object.assign().

In the test case [1] referenced from the bug, the performance goes from

  objectSpreadLast: 3624 ms.
  objectAssignLast: 1938 ms.

to

  objectSpreadLast: 646 ms.
  objectAssignLast: 1944 ms.

which corresponds to a **5-6x performance boost**, making object spread
faster than Object.assign() in general.

Drive-by-fix: This refactors the Object.assign() fast-path in a way that
it can be reused appropriately for object spread, and adds another new
builtin SetDataProperties, which does the core of the Object.assign()
work. We can teach TurboFan to inline Object.assign() based on the new
SetDataProperties builtin at some later point to further optimize
Object.assign().

[1]: https://gist.github.com/bmeurer/0dae4a6b0e23f43d5a22d7c91476b6c0

Bug: v8:9167
Change-Id: I57bea7a8781c4a1e8ff3d394873c3cd4c5d73834
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587376
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61100}
2019-04-29 18:47:19 +00:00
Caitlin Potter
3729410578 [cloneobjectic] initialize property array before filling it
This avoids leaving the heap in an invalid state if a GC occurs during
population of the cloned property array, as is done in other IC
builtins.

BUG=chromium:904167, v8:7611
R=jkummerow@chromium.org, ishell@chromium.org

Change-Id: I0350ed2d65b72e299f7109b7d5aa86331f60e940
Reviewed-on: https://chromium-review.googlesource.com/c/1350282
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57879}
2018-11-27 17:24:21 +00:00
Caitlin Potter
3e010af274 [CloneObjectIC] clone MutableHeapNumbers only if !FLAG_unbox_double_fields
Change the macros added in bf84766a2c to
only do the hard work if FLAG_unbox_double_fields is unset (otherwise,
they will attempt to dereference raw float64s, which is bad!)

Also adds a write barrier in CopyPropertyArrayValues for each store if
it's possible that a MutableHeapNumber is cloned.

BUG=chromium:901301, chromium:902965, chromium:903070, v8:7611
R=cbruni@chromium.org, jkummerow@chromium.org, ishell@chromium.org

Change-Id: I224d3c4e7b0a887684bff68985b4d97021ba4cfb
Reviewed-on: https://chromium-review.googlesource.com/c/1323911
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57368}
2018-11-08 19:14:11 +00:00
Caitlin Potter
bf84766a2c [CloneObjectIC] clone MutableHeapNumbers instead of referencing them
Adds a helper macro "CloneIfMutablePrimitive", which tests if the
operand is a MutableHeapNumber, and if so, clones it, otherwise
returning the original value.

Also modifies the signature of "CopyPropertyArrayValues" to take a
"DestroySource" enum, indicating whether or not the resulting object is
supplanting the source object or not, and removes all default
parameters from that macro (which were not used anyways).

This corrects the issue reported in chromium:901301, where
StaNamedOwnProperty was replacing the value of a MutableHeapNumber
referenced by both the cloned object and the source object.

BUG=chromium:901301, v8:7611
R=cbruni@chromium.org, jkummerow@chromium.org

Change-Id: I43df1ddc84dfa4840e680b6affeba452ce0b6629
Reviewed-on: https://chromium-review.googlesource.com/c/1318096
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57304}
2018-11-07 03:15:45 +00:00
Caitlin Potter
fbcf0221fa [CloneObjectIC] add CSA implementation of slow case
The CSA implementation is a separate handler so that TF has the
opportunity to reduce to a direct call, skipping some of the dispatching
in the CloneObjectIC stub.

This patch moves the looping over a source object's keys and values into the
base CodeStubAssembler, so that it can be shared between ObjectAssignFast
and CloneObjectIC_Slow.

During each step of the loop, storing is delegated to a new SetPropertyInLiteral
helper in KeyedStoreGenericGenerator, which performs a store without consulting
the prototype chain, and automatically reconfigures accessors into data
properties regardless of their attributes.

BUG=v8:8067, v8:7611
R=ishell@chromium.org, jkummerow@chromium.org

Change-Id: I06ae89f37e9b4265aab67389cf68a96529f90578
Reviewed-on: https://chromium-review.googlesource.com/1182122
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55806}
2018-09-11 20:43:53 +00:00
Caitlin Potter
7098f35c7c [CloneObjectIC] copy may_have_interesting_symbols bit to fast result map
This fixes a CHECK failure in MapVerify, and gets the correct behaviour
for uses of the well-known symbols.

BUG=v8:7611, chromium:866229
R=jkummerow@chromium.org, mvstanton@chromium.org, bmeurer@chromium.org

Change-Id: I5d679357b8807ea9d1054121d8d336fe0dd43c7c
Reviewed-on: https://chromium-review.googlesource.com/1162278
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#54905}
2018-08-04 16:48:18 +00:00
Caitlin Potter
5caee70b66 Reland "Reland [CloneObjectIC] overwrite monomorphic/polymorphic feedback if deprecated"
An object with a deprecated Map which has already been cached in
CloneObjectIC feedback is still a valid Map for fast cloning --- but
to be consistent with other ICs, deprecated maps are ignored, and are
expected to be transitioned away from.

If the source object has a deprecated map, the instance is migrated.

BUG=v8:7611, chromium:867958, chromium:868586, chromium:869342, chromium:869347, chromium:869293
R=jkummerow@chromium.org, mvstanton@chromium.org

Reviewed-on: https://chromium-review.googlesource.com/1154143
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#54799}
Change-Id: I6e2f7b28c41bb9bd6255441da0f209a97bce5e8f
Reviewed-on: https://chromium-review.googlesource.com/1157142
Cr-Commit-Position: refs/heads/master@{#54830}
2018-08-01 00:30:11 +00:00
Michael Achenbach
3879e8bfe3 Revert "Reland [CloneObjectIC] overwrite monomorphic/polymorphic feedback if deprecated"
This reverts commit d9f6c685f0.

Reason for revert:
https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux%20-%20gc%20stress/17584

Original change's description:
> Reland [CloneObjectIC] overwrite monomorphic/polymorphic feedback if deprecated
> 
> An object with a deprecated Map which has already been cached in
> CloneObjectIC feedback is still a valid Map for fast cloning --- but
> to be consistent with other ICs, deprecated maps are ignored, and are
> expected to be transitioned away from.
> 
> If the source object has a deprecated map, the instance is migrated.
> 
> BUG=v8:7611, chromium:867958, chromium:868586
> R=​jkummerow@chromium.org, mvstanton@chromium.org
> 
> Change-Id: I477aec6c8d0ae1e1648a70e85d2fd46146521d1c
> Reviewed-on: https://chromium-review.googlesource.com/1154143
> Commit-Queue: Caitlin Potter <caitp@igalia.com>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54799}

TBR=jkummerow@chromium.org,mvstanton@chromium.org,caitp@igalia.com

Change-Id: Ifcb422c3a692543490710d450590323524a6359a
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7611, chromium:867958, chromium:868586
Reviewed-on: https://chromium-review.googlesource.com/1155593
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54800}
2018-07-31 06:29:49 +00:00
Caitlin Potter
d9f6c685f0 Reland [CloneObjectIC] overwrite monomorphic/polymorphic feedback if deprecated
An object with a deprecated Map which has already been cached in
CloneObjectIC feedback is still a valid Map for fast cloning --- but
to be consistent with other ICs, deprecated maps are ignored, and are
expected to be transitioned away from.

If the source object has a deprecated map, the instance is migrated.

BUG=v8:7611, chromium:867958, chromium:868586
R=jkummerow@chromium.org, mvstanton@chromium.org

Change-Id: I477aec6c8d0ae1e1648a70e85d2fd46146521d1c
Reviewed-on: https://chromium-review.googlesource.com/1154143
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54799}
2018-07-31 04:11:05 +00:00
Deepti Gandluri
43098ecbe8 Revert "[CloneObjectIC] overwrite monomorphic/polymorphic feedback if deprecated"
This reverts commit 670fa86fd1.

Reason for revert: Causes gc-stress bots to fail - 
https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket.appspot.com/8939819990688690880/+/steps/Check_-_d8/0/logs/object-spread-ic/0
https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket.appspot.com/8939819696982258192/+/steps/Check_-_d8/0/logs/object-spread-ic/0

Original change's description:
> [CloneObjectIC] overwrite monomorphic/polymorphic feedback if deprecated
> 
> An object with a deprecated Map which has already been cached in
> CloneObjectIC feedback is still a valid Map for fast cloning --- but
> to be consistent with other ICs, deprecated maps are ignored, and are
> expected to be transitioned away from.
> 
> If the source object has a deprecated map, the instance is migrated.
> 
> BUG=v8:7611, chromium:867958
> R=​jkummerow@chromium.org, mvstanton@chromium.org
> 
> Change-Id: I9771b00400fb4dda45a62e874a31d9b50630d847
> Reviewed-on: https://chromium-review.googlesource.com/1152414
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Caitlin Potter <caitp@igalia.com>
> Cr-Commit-Position: refs/heads/master@{#54758}

TBR=jkummerow@chromium.org,mvstanton@chromium.org,caitp@igalia.com

Change-Id: Id17652ad6f3f09adb43848069549ad146d48b2d7
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7611, chromium:867958
Reviewed-on: https://chromium-review.googlesource.com/1153747
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54760}
2018-07-27 21:39:00 +00:00
Caitlin Potter
670fa86fd1 [CloneObjectIC] overwrite monomorphic/polymorphic feedback if deprecated
An object with a deprecated Map which has already been cached in
CloneObjectIC feedback is still a valid Map for fast cloning --- but
to be consistent with other ICs, deprecated maps are ignored, and are
expected to be transitioned away from.

If the source object has a deprecated map, the instance is migrated.

BUG=v8:7611, chromium:867958
R=jkummerow@chromium.org, mvstanton@chromium.org

Change-Id: I9771b00400fb4dda45a62e874a31d9b50630d847
Reviewed-on: https://chromium-review.googlesource.com/1152414
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#54758}
2018-07-27 19:37:39 +00:00
Caitlin Potter
d6efcbf022 [runtime] fix ClusterFuzz regressions (and remaining nits) in CloneObject
Includes fixes for several ClusterFuzz regressions:

1) fix an invalid Handle-cast in ic.cc (chromium:866282)

2) fix for improper accounting of used/unused inobject
fields, found by clusterfuzz (chromium:866357).

3) fix number of control outputs for the JSCloneObject
operator to be used by IfSuccess and IfException nodes (chromium:866727).

4) fix property constness in out-of-object properties of fast-cloned
object to be compatible with DCHECKs in StoreIC (chromium:866861).

Also includes the fixups missing from the initial commit, and
regression tests

BUG=v8:7611, chromium:866282, chromium:866357, chromium:866727, chromium:866861
R=jkummerow@chromium.org, mvstanton@chromium.org
TBR=rmcilroy@chromium.org

Change-Id: I77220308482f16db2893c0dcebec36530d0f5540
Reviewed-on: https://chromium-review.googlesource.com/1146297
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54706}
2018-07-25 21:23:05 +00:00
Caitlin Potter
b6f7ea5805 [runtime] use new CloneObject bytecode for some ObjectLiteralSpread cases
As discussed in
https://docs.google.com/document/d/1sBdGe8RHgeYP850cKSSgGABTyfMdvaEWLy-vertuTCo/edit?ts=5b3ba5cc#,

this CL introduces a new bytecode (CloneObject), and a new IC type.

In this prototype implementation, the type feedback looks like the
following:

Uninitialized case:
  { uninitialized_sentinel, uninitialized_sentinel }
Monomorphic case:
  { weak 'source' map, strong 'result' map }
Polymorphic case:
  { WeakFixedArray with { weak 'source' map, strong 'result' map }, cleared value }
Megamorphic case:
  { megamorphic_sentinel, cleared_Value }

In the fast case, Object cloning is done by allocating an object with
the saved result map, and a shallow clone of the fast properties from
the source object, as well as cloned fast elements from the source object.
If at any point the fast case can't be taken, the IC transitions to the
slow case and remains there.

This prototype CL does not include any TurboFan optimization, and the
CloneObject operation is merely reduced to a stub call.

It may still be possible to get some further improvements by somehow
incorporating compile-time boilerplate elements into the cloned object,
or simplifying how the boilerplate elements are inserted into the
object.

In terms of performance, we improve the ObjectSpread score in JSTests/ObjectLiteralSpread/
by about 8x, with substantial improvements over the Babel and ObjectAssign scores.

R=gsathya@chromium.org, mvstanton@chromium.org, rmcilroy@chromium.org, neis@chromium.org, bmeurer@chromium.org
BUG=v8:7611

Change-Id: I79e1796eb77016fb4feba0e1d3bb9abb348c183e
Reviewed-on: https://chromium-review.googlesource.com/1127472
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54595}
2018-07-20 16:48:59 +00:00
Yang Guo
18344ef408 [regexp] make lookbehind assertions non-quantifiable.
Until now lookbehind assertions have been quantifiable in non-unicode regexps.
This seems to be an oversight in the spec.

R=jgruber@chromium.org

Bug: v8:7462
Change-Id: Iad0db441089c7510dd2c42a861db92c05545ce1e
Reviewed-on: https://chromium-review.googlesource.com/926102
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51392}
2018-02-20 11:24:32 +00:00
Adam Klein
b20dc76909 Remove always-on --harmony-template-escapes flag
It was shipped in Chrome 62.

Bug: v8:5546, v8:4829
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I3ac318639f1f7483d4d4f4fe5606387a856be98a
Reviewed-on: https://chromium-review.googlesource.com/777940
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49687}
2017-11-28 18:36:41 +00:00
Adam Klein
d42534d441 Remove always-on flags for RegExp dotAll and lookbehind
Both of these features were shipped in Chrome 62.

Bug: v8:4545, v8:6172
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Ie00dcbeded7517a15696d4a78fcfbbf162919923
Reviewed-on: https://chromium-review.googlesource.com/775601
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49453}
2017-11-17 16:47:19 +00:00
Adam Klein
e6d57a9f66 [esnext] Remove --harmony-object-rest-spread flag
This flag has been on by default since Chrome 61.

Bug: v8:5549
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I81c34d1d3a7dbd219acce2cdf0cf4917eb484002
Reviewed-on: https://chromium-review.googlesource.com/738312
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48945}
2017-10-25 19:47:29 +00:00