If the eval contains a let, we need to know whether an inner function
refers to the variable to be able to decide its context allocation
status.
The added test needs https://codereview.chromium.org/2435023002/ too
in order to pass.
BUG=v8:5736
Review-Url: https://codereview.chromium.org/2574753002
Cr-Commit-Position: refs/heads/master@{#41723}
The error reported by the graph verifier looks like:
#
# Fatal error in ../src/compiler/machine-graph-verifier.cc, line 638
# TypeError: node #54:ChangeInt32ToInt64 uses node #53:ChangeUint32ToUint64 which doesn't have an int32-compatible representation.
#
# Specify option --csa-trap-on-node=test,54 for debugging.
#
BUG=
Review-Url: https://codereview.chromium.org/2574353002
Cr-Commit-Position: refs/heads/master@{#41721}
Some instructions in WebAssembly trap for some inputs, which means that the
execution is terminated and (at least at the moment) a JavaScript exception is
thrown. Examples for traps are out-of-bounds memory accesses, or integer
divisions by zero.
Without the TrapIf and TrapUnless operators trap check in WebAssembly introduces 5
TurboFan nodes (branch, if_true, if_false, trap-reason constant, trap-position
constant), in addition to the trap condition itself. Additionally, each
WebAssembly function has four TurboFan nodes (merge, effect_phi, 2 phis) whose
number of inputs is linear to the number of trap checks in the function.
Especially for functions with high numbers of trap checks we observe a
significant slowdown in compilation time, down to 0.22 MiB/s in the sqlite
benchmark instead of the average of 3 MiB/s in other benchmarks. By introducing
a TrapIf common operator only a single node is necessary per trap check, in
addition to the trap condition. Also the nodes which are shared between trap
checks (merge, effect_phi, 2 phis) would disappear. First measurements suggest a
speedup of 30-50% on average.
This CL only implements TrapIf and TrapUnless on x64. The implementation is also
hidden behind the --wasm-trap-if flag.
Please take a special look at how the source position is transfered from the
instruction selector to the code generator, and at the context that is used for
the runtime call.
R=titzer@chromium.org
Review-Url: https://codereview.chromium.org/2562393002
Cr-Commit-Position: refs/heads/master@{#41720}
Adds assignment tracking to the bytecode analysis pass, and updates
bytecode graph builder to only create LoopExitValues for assigned
values.
Review-Url: https://codereview.chromium.org/2558093005
Cr-Commit-Position: refs/heads/master@{#41719}
MIPS[64]R6 supports only fusion multiply-accumulate instructions, and using
these causes failures of several tests that expect exact floating-point
results. Therefore we disable fusion multiply-accumulate in both emitted and
compiled code on R6.
TEST=cctest/test-run-machops/RunFloat64MulAndFloat64Add1,mjsunit/es6/math-expm1.js
mjsunit/es6/math-fround.js,mjsunit/compiler/multiply-add.js
BUG=
Review-Url: https://codereview.chromium.org/2569683002
Cr-Commit-Position: refs/heads/master@{#41717}
This splits branch ref creation and landing. The ref now directly uses
heads (without pending) and for landing we use depot_tools.
For simplicity, the check for existing tags is removed, as it now
is very unlikely to happen again without gnumbd.
BUG=chromium:674448
NOTRY=true
TBR=tandrii@chromium.org
Review-Url: https://codereview.chromium.org/2584523002
Cr-Commit-Position: refs/heads/master@{#41716}
Allocate the registers used as arguments to a call on-demand after visiting the
argument (or reciever). This means that the visited expression can use registers
that would otherwise have been allocated for arguments which haven't been
visited yet.
The reason for doing this is to avoid keeping things live in registers
unecessarily for chained function calls, which avoids a memory leak for
functions which chain a large number of calls with large temporary arguments /
recievers.
BUG=chromium:672027
Review-Url: https://codereview.chromium.org/2557173004
Cr-Commit-Position: refs/heads/master@{#41714}
This fixes a corner case where the {FastCloneShallowArrayStub} was used
for literals that are backed by a double backing store and would exceed
limits for new-space allocations on 32-bit architectures. The stub in
question does not support such literals, callers must use the runtime.
Note that this fix is for Ignition as well as FullCodeGenerator.
R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-672792
BUG=chromium:672792
Review-Url: https://codereview.chromium.org/2570843002
Cr-Commit-Position: refs/heads/master@{#41713}
Templatizes the AccumulatorUsage and OperandType for BytecodeNode creation and
BytecodeRegisterOptimizer::PrepareForBytecode. This allows the compiler to
statically know whether the bytecode being created accesses the accumulator
and what operand types need scaling, avoiding runtime checks in the code.
Also removes BytecodeNode::set_bytecode methods.
Review-Url: https://codereview.chromium.org/2542903003
Cr-Commit-Position: refs/heads/master@{#41706}
Determine if the scope of the function to be serialized includes asm-
wasm, and if so, bypass serialization, since we do not support it in
that scenario.
In this change, we do so regardless of whether the asm-wasm path was
successful. This is so we keep the design simple, since the guidance
to developers, moving forward, is to use wasm.
BUG=643595
Review-Url: https://codereview.chromium.org/2573193002
Cr-Commit-Position: refs/heads/master@{#41704}
Promise catch prediction no longer has to be threaded through the
parser since the code using %catch has been moved to TF codestubs.
This is currently dead code.
BUG=v8:5343,v8:5741
Review-Url: https://codereview.chromium.org/2575133002
Cr-Commit-Position: refs/heads/master@{#41701}
Printing an asm.js success message and timings is useful,
but also non-deterministic. Making the message stable unless a flag is passed.
This will avoid making it a hassle in the future to create LayoutTests
that use asm.js and verify console output.
BUG=v8:4203
R=titzer@chromium.org
Review-Url: https://codereview.chromium.org/2574273002
Cr-Commit-Position: refs/heads/master@{#41700}
Avoid needless resizing of the StateValueList's fields vector by
reserving its (already known) size.
Review-Url: https://codereview.chromium.org/2572683005
Cr-Commit-Position: refs/heads/master@{#41698}
This reverts commit 5c1babcc16.
This seems to regress a range of benchmarks on ia32:
Emscripten for Fannkuch, Zlib, MemOps, Life, Bullet
AreWeFastYet for BulletLoadTime, Fasta, Fannkuch
JetStream for towers.c, quicksort.c, gcc-loops.cpp, bigfib.cpp
BUG=673861
R=jarin@chromium.org,shiyu.zhang@intel.com
Review-Url: https://codereview.chromium.org/2573983003
Cr-Commit-Position: refs/heads/master@{#41696}
Adding timing info going to the console about asm.js
Rename ConvertAsmToWasm -> CompileAsmViaWasm, to be more precise.
Add enum for wasm data elements.
BUG=v8:4203
R=titzer@chromium.org,yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2577453003
Cr-Commit-Position: refs/heads/master@{#41695}
Without this patch, the tests on lines 410, 414, 418 and 422 in
function testNonStaticName of test/mjsunit/es6/function-name.js
would all fail. The bug caused non-static "name" methods and
properties to be mistaken for static ones.
R=adamk@chromium.org, verwaest@chromium.org
BUG=
LOG=N
Review-Url: https://codereview.chromium.org/2567343004
Cr-Commit-Position: refs/heads/master@{#41692}
WASM exported functions have additional internal fields which change the instance
size. Adding a getter or setter to such an exported function results in its map
becoming normalized. The normalized map cache, however, finds a different map
with a different instance size, and thus BOOM.
R=verwaest@chromium.org,cbruni@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2554343002
Cr-Commit-Position: refs/heads/master@{#41691}
The least two bits of the owner field of a Page are used to determine
whether the Page is part of a large object. If these bits are not equal
to 0x11, the page is part of a large object and needs special handling
e.g. in MemoryChunk::FromAnyPointerAddress to determine which chunk it
belongs to.
This CL fixes an issue in which the store buffer overflows after
a large object space allocation but before the object has been fully
initialized. Store buffer overflow handling attempts to look up the
chunk of a page, but fails to do so correctly since the page's owner
field has not yet been initialized.
This CL ensures that the owner field of all pages belonging to a large
object allocation are initialized to a value that is interpreted
correctly.
BUG=chromium:672041
Committed: https://crrev.com/9b6808bfb5366beebe3af30a06f9851edb2039d4
Review-Url: https://codereview.chromium.org/2565713002
Cr-Original-Commit-Position: refs/heads/master@{#41641}
Cr-Commit-Position: refs/heads/master@{#41687}
Debug mirrors will no longer be supported in the near future.
It will now only be tested by being used by the v8-inspector.
R=jgruber@chromium.org
BUG=v8:5530
Review-Url: https://codereview.chromium.org/2566103002
Cr-Commit-Position: refs/heads/master@{#41686}
Reason for revert:
LiveEdit is broken in some cases.
Original issue's description:
> Store SharedFunctionInfos of a Script in a FixedArray indexed by their ID
>
> Now that SharedFunctionInfos have a unique ID (and the IDs are dense),
> we can use them as an index into an array, instead of using a
> WeakFixedArray where we have to do a linear scan.
>
> Hooking up liveedit is a bit more involved, see
> https://docs.google.com/presentation/d/1FtNa3U7WsF5bPhY9uGoJG5Y9hnz5VBDabfOWpb4unWI/edit
> for an overview
>
> BUG=v8:5589
> R=verwaest@chromium.org,jgruber@chromium.org
>
> Committed: https://crrev.com/6595e7405769dc9d49e9568d61485efc6d468baf
> Cr-Commit-Position: refs/heads/master@{#41600}
TBR=jgruber@chromium.org,verwaest@chromium.org,yangguo@chromium.org,jochen@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5589,chromium:673950
NOPRESUBMIT=true
Review-Url: https://codereview.chromium.org/2578433002
Cr-Commit-Position: refs/heads/master@{#41684}
Splits PromiseHandle into two TF builtins to account for catch
prediction. An exception in PromiseHandleReject builtin results in a
"caught" prediction whereas an expception in PromiseHandle results in a
"promise rejection" prediction.
An extra is_exception_caught bit is added to Code to mark this catch
prediction behavior.
BUG=v8:5343
Review-Url: https://codereview.chromium.org/2572623002
Cr-Commit-Position: refs/heads/master@{#41683}
The fast-path for dynamic local variables was previously checking the
lookup variable rather than the shadowed variable when deciding whether
to add a hole check.
BUG=669540
Review-Url: https://codereview.chromium.org/2551023004
Cr-Commit-Position: refs/heads/master@{#41677}
