There are no stale store buffer pointers anymore. The sweeper thread can not be in conflict with store buffer processing.
BUG=
Review URL: https://codereview.chromium.org/993983002
Cr-Commit-Position: refs/heads/master@{#27107}
The prototype of a class constructor function is read only. When we set
computed property names we were ignoring this and we were overriding the
property.
Since the prototype is the only possible own read only property on the
constructor function object we special case this so we do not have to
check this for every property in the class literal.
BUG=v8:3945
LOG=N
R=mstarzinger@chromium.org, dslomov@chromium.org
Review URL: https://codereview.chromium.org/985643003
Cr-Commit-Position: refs/heads/master@{#27106}
We can do that now since we have the invariant that the store buffer always has valid slots after marking.
BUG=
Review URL: https://codereview.chromium.org/991853002
Cr-Commit-Position: refs/heads/master@{#27105}
This reduces the size of the StackHandler by one word. We no longer
need to keep track of the code object, as the stack walk finds it.
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/985803002
Cr-Commit-Position: refs/heads/master@{#27103}
We can remove a few of them now (those which unconditionally bailout),
but this will be done in a separate CL to see any impact separately.
BUG=v8:3947
LOG=n
Review URL: https://codereview.chromium.org/993963002
Cr-Commit-Position: refs/heads/master@{#27102}
Note that this patch is not really a *solution*, it is just enough to
make the undefined behavior unobservable. The real fix would be being
much more correct about sizes and signedness in our code base...
BUG=chromium:464657
LOG=n
R=dcarney@chromium.org
Review URL: https://codereview.chromium.org/995743002
Cr-Commit-Position: refs/heads/master@{#27100}
The bits in CompilerHints are accessed via FunctionKindBits, and on the other
hand, with accessors defined by BOOL_ACCESSORS(SharedFunctionInfo,
compiler_hints, is_accessor_function, kIsAccessorFunction) etc.
So the bit order in FunctionKind must match CompilerHints.
This is not causing problems (yet) because there's no accessor for these two
bits, but if somebody adds one, things will go wrong.
R=dslomov@chromium.org
BUG=
Review URL: https://codereview.chromium.org/988413002
Cr-Commit-Position: refs/heads/master@{#27096}
We use slightly different schema for JumpTable on arm64 than for x64.
We do a branch (B) to the JumpTable from the code,
then a branch (B) to the end of jump table code
and then branch to the deoptimizer code with putting
the return address into lr register (Call which is actually Blr).
As a result the 'from' address in Deoptimizer always points to
the end of JumpTable code and we can get nothing from this information.
0) I moved save_doubles and needs_frame code out of for_loop.
1) I replaced B commands with Bl so we put different return addresses
to lr register for the different jump table entries and replaced
the final Call with Br which do not touch lr register.
Also I removed the last_entry check so we will always do the Bl
even for the last entry because we need the right address in lr.
I don't think that this will affect the performance because it
just one more branch for entire deopt mechanics.
BUG=chromium:452067
LOG=n
Review URL: https://codereview.chromium.org/984893003
Cr-Commit-Position: refs/heads/master@{#27094}
Provide an intrinsic %MathFloor / %_MathFloor that is used to optimize
both Math.ceil and Math.floor, and use the JS inlining mechanism to
inline Math.ceil into TurboFan code. Although we need to touch code
outside of TurboFan to make this work, this does not affect the way we
handle Math.ceil and/or Math.floor in CrankShaft, because for CrankShaft
the old-style builtin function id based inlining still kicks in first.
Once this solution is stabilized, we can use it for Math.floor as well.
And once that is settled, we can establish it as the unified way to
inline builtins, and get rid of the specialized builtin function id
based inlining at some point.
Note that "builtin" applies to basically every piece of internal
JavaScript/intrinsics based code, so this also applies to the yet to be
defined JavaScript based code stubs and handlers.
BUG=v8:3953
LOG=n
R=yangguo@chromium.org,svenpanne@chromium.org
Review URL: https://codereview.chromium.org/990963003
Cr-Commit-Position: refs/heads/master@{#27086}
Context specialization enables inlining (at least currently it is the
only enabler for inlining), but inlining enables more possibilities for
context specialization. So we really need to run them together.
This is especially important with the "module based builtins" that we're
working towards.
BUG=v8:3952
LOG=n
Review URL: https://codereview.chromium.org/988423004
Cr-Commit-Position: refs/heads/master@{#27085}
since the old style weakness is slated for removal, we might as well reuse the name to limit confusion. additionally I simplified the callback type to a enum to either get internal field values or not
this should be a non-breaking change with the exception of PhantomPersistentValueMap, which is unused.
R=jochen@chromium.org, erikcorry@chromium.org
BUG=
Review URL: https://codereview.chromium.org/989153003
Cr-Commit-Position: refs/heads/master@{#27084}
Rationale: separate the inputs and outputs of parsing + analysis from the business of compiling (i.e. generating machine code).
BUG=
Review URL: https://codereview.chromium.org/974213002
Cr-Commit-Position: refs/heads/master@{#27078}
The original code always returned the first entry from RelocInfo that matched with
bailout_id. But we may have a few different deopt reasons for one bailout_id.
So we need to get the one which matches with a particular call from JumpTable.
We can do this by checking not 'target_address' (it maps to bailout_id)
but 'from' address which maps to a particular JumpTable entry.
The test was reworked so it tests identical functions against different reasons.
BUG=chromium:452067
LOG=n
Review URL: https://codereview.chromium.org/984773003
Cr-Commit-Position: refs/heads/master@{#27076}
After establishing the invariant that the store buffer always has valid slots after marking, the store buffer integrity check is not needed anymore.
BUG=454157
LOG=n
Review URL: https://codereview.chromium.org/990173002
Cr-Commit-Position: refs/heads/master@{#27073}
This makes sure only the %_DeoptimizeNow intrinsic is inlined, and
not the %DeoptimizeNow one. It hence re-establishes the invariant
that JSIntrinsicLowering only deals with inline intrinsics.
R=jarin@chromium.org
TEST=mjsunit/compiler/eager-deopt-simple
Review URL: https://codereview.chromium.org/988333003
Cr-Commit-Position: refs/heads/master@{#27070}
The JSInliner used to load the context from the JSFunction node at
runtime, which introduced a HeapConstant (because we had to materialize
the JSFunction after context specialization) and a LoadField operation,
independent whether the inlinee actually uses the context. This is
rather cumbersome currently, and therefore this is now changed to just
embed the context constant instead. Once we do inlining based on
SharedFunctionInfo rather than JSFunction, we should reconsider this
decision and come up with a proper heuristic.
BUG=v8:3952
LOG=n
R=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/994523002
Cr-Commit-Position: refs/heads/master@{#27069}
The store buffer can contain stale store buffer entries, i.e., slot in dead objects pointing to new space objects. These slots are treaded as live slots which cause problems with non-pointer fields and makes concurrent sweeping complicated. Removing these pointers from the store buffer before it is used makes life easier.
BUG=
Review URL: https://codereview.chromium.org/985453003
Cr-Commit-Position: refs/heads/master@{#27068}
Reason for revert:
This doesn't do what it's supposed to do. The problem seems to lie on the blink side, people aren't reusing their FunctionTemplates (or creating them when not necessary).
Original issue's description:
> Don't overwrite existing serial numbers on the function template, otherwise instantiating the function for a new context causes the serial number to bump.
>
> Committed: https://crrev.com/1e638c3610ec6938e5fb16c42018642195782fb2
> Cr-Commit-Position: refs/heads/master@{#27048}
TBR=yangguo@chromium.org,dcarney@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/993533003
Cr-Commit-Position: refs/heads/master@{#27067}
Reason for revert:
It caused a lot of Canary crashes.
Original issue's description:
> Remove slots that point to unboxed doubles from the StoreBuffer/SlotsBuffer.
>
> The problem is that tagged slot could become a double slot after migrating of an object to another map with "shifted" fields (for example as a result of generalizing immutable data property to a data field).
> This CL also adds useful machinery that helps triggering incremental write barriers.
>
> BUG=chromium:454297
> LOG=Y
>
> Committed: https://crrev.com/9633ebabd405c264d33f603f8798c31f59418dcd
> Cr-Commit-Position: refs/heads/master@{#27054}
TBR=verwaest@chromium.org,hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:454297
Review URL: https://codereview.chromium.org/991793002
Cr-Commit-Position: refs/heads/master@{#27063}
We mark certain builtins for inlining, and those should always be
inlined into optimized code (CrankShaft already handles it this way), so
we should support that in TurboFan as well. Currently this mainly
affects a certain set of Math functions, but once have the basics in
place we can extend this to any kind of builtin/code stub/accessor.
This adds a new flag --turbo_builtin_inlining (enabled by default), that
forces the inliner to always inline builtins marked for inlining, but
does not affect inlining of other functions (this is still controlled by
the --turbo-inlining flag).
BUG=v8:3952
LOG=n
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/993473002
Cr-Commit-Position: refs/heads/master@{#27059}
This is currently the cleanest approach to avoid the useless stack check
during inlining. We might be able to just remove the useless stack
checks later when we have a phase that also takes care of removing
redundant stack checks on loop back edges (which we do not generate
currently).
On the other hand, the flag introduced here might be useful when
building code stubs/builtins/dom stubs using JS based DSL, because you
certainly don't want a JS-level stack check in a code stub.
R=jarin@chromium.org
BUG=v8:3952
LOG=n
Review URL: https://codereview.chromium.org/994433002
Cr-Commit-Position: refs/heads/master@{#27058}
Loading the coefficients from a the constants typed array is currently
blocking inlining MathSin and MathCos into TurboFan generated code,
because there is no type feedback and hence TurboFan has to generate a
LOAD_IC for every coefficient.
R=yanggou@chromium.org
BUG=v8:3952
LOG=n
Review URL: https://codereview.chromium.org/989133002
Cr-Commit-Position: refs/heads/master@{#27057}
The key idea here is that the stack check should be explicit, such that
we can eliminate unnecessary stack checks after graph building and
potentially inlining.
R=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/981243002
Cr-Commit-Position: refs/heads/master@{#27056}
The problem is that tagged slot could become a double slot after migrating of an object to another map with "shifted" fields (for example as a result of generalizing immutable data property to a data field).
This CL also adds useful machinery that helps triggering incremental write barriers.
BUG=chromium:454297
LOG=Y
Review URL: https://codereview.chromium.org/957273002
Cr-Commit-Position: refs/heads/master@{#27054}
Now the three intrinsic lists only differ in their compiler
support. Unifying the lists and making the logic what is supported in
which compiler local to the compilers themselves is handled in a
follow-up CL.
BUG=v8:3947
LOG=n
Review URL: https://codereview.chromium.org/983183002
Cr-Commit-Position: refs/heads/master@{#27046}
Original issue: https://codereview.chromium.org/980573002/
Simple transitions are now stored in a map's "transitions" field (as a WeakCell wrapping the target map); full TransitionArrays are used when that's not sufficient.
To encapsulate these storage format implementation details, functions for manipulating and querying transitions have been refactored to be static functions on the TransitionArray class, and take maps as inputs.
Review URL: https://codereview.chromium.org/988703002
Cr-Commit-Position: refs/heads/master@{#27044}
This involved renaming apart a few more intrinsics. In the long run,
we want to clean up redundant intrinsics which just delegate.
BUG=v8:3947
LOG=n
Review URL: https://codereview.chromium.org/984963002
Cr-Commit-Position: refs/heads/master@{#27043}
This keeps dying maps alive for FLAG_retain_maps_for_n_gc garbage collections
to increase chances of them being reused for new objects in future and
decrease number of deoptimizations.
BUG=v8:3664
LOG=N
TEST=cctest/test-heap/MapRetaining
Review URL: https://codereview.chromium.org/980523004
Cr-Commit-Position: refs/heads/master@{#27040}
This makes sure that any pending message is saved before entering
and restored after exiting a finally block. It also makes sure that
operand stacks are kept in sync to full-codegen.
R=bmeurer@chromium.org
TEST=cctest/test-run-jsexceptions/ThrowMessage
Review URL: https://codereview.chromium.org/979173002
Cr-Commit-Position: refs/heads/master@{#27036}
External references are encoded as a tuple of type and ID. This
requires both the external reference encode and the decoder to
create a mapping between the encoding and the external reference
table index.
Instead, we simply use the external reference table index as
encoding.
We now also assume that there are no duplicate entries. Existing
duplicates have been removed in this change.
R=vogelheim@chromium.org
Review URL: https://codereview.chromium.org/982773003
Cr-Commit-Position: refs/heads/master@{#27033}
This is introduced by 8d2e45669f (r26993)
original commit message:
First shot at eager deoptimization in Turbofan.
BUG=
Review URL: https://codereview.chromium.org/960973003
Cr-Commit-Position: refs/heads/master@{#27032}
Reason for revert:
x64 test failures
Original issue's description:
> Simplify and compact transitions storage
>
> Simple transitions are now stored in a map's "transitions" field (as a WeakCell wrapping the target map); full TransitionArrays are used when that's not sufficient.
> To encapsulate these storage format implementation details, functions for manipulating and querying transitions have been refactored to be static functions on the TransitionArray class, and take maps as inputs.
>
> Committed: https://crrev.com/45fbef7f2252fce10634931cb103ccc1fc95ae6a
> Cr-Commit-Position: refs/heads/master@{#27029}
TBR=verwaest@chromium.org,ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/982143002
Cr-Commit-Position: refs/heads/master@{#27030}
Simple transitions are now stored in a map's "transitions" field (as a WeakCell wrapping the target map); full TransitionArrays are used when that's not sufficient.
To encapsulate these storage format implementation details, functions for manipulating and querying transitions have been refactored to be static functions on the TransitionArray class, and take maps as inputs.
Review URL: https://codereview.chromium.org/980573002
Cr-Commit-Position: refs/heads/master@{#27029}
Port 4436c2642a
Original commit message:
This adds support for the double bits intrinsics to TurboFan, and is
a first step towards fast Math functions inlined into TurboFan code
or even compiled by themselves with TurboFan.
BUG=
Review URL: https://codereview.chromium.org/980073003
Cr-Commit-Position: refs/heads/master@{#27028}
Port 1382879f29
Original commit message:
This extends the stack unwinding logic to respect optimized frames
and perform a lookup in the handler table to find handlers. It also
contains fixes to the API call stubs to allow a stack walk while
promoting scheduled exceptions.
BUG=
Review URL: https://codereview.chromium.org/988463002
Cr-Commit-Position: refs/heads/master@{#27027}
There are no test cases for this piece of code and it is really hard to test. If this rare case triggers, we are anyway in an OOM situation and would crash probably soon afterwards.
BUG=
Review URL: https://codereview.chromium.org/977013003
Cr-Commit-Position: refs/heads/master@{#27026}
If function.name property has string type then stack frame will contain it otherwise DebugName from shared function info.
BUG=17356
LOG=Y
R=yurys@chromium.org
Review URL: https://codereview.chromium.org/917743002
Cr-Commit-Position: refs/heads/master@{#27025}
Internal references are absolute addresses into the instruction
stream. Turn them into relative addresses when serializing and
back when deserializing to keep them valid.
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/976623002
Cr-Commit-Position: refs/heads/master@{#27020}
According to Source Map specification [1] source map url can be passed either as a magic comment at the end of script or as SourceMap http header. We already parse the former value and expose it on Script object. This change allows to unify the way we deal with source map urls received in http header by providing api for passing that url into the script being compiled.
source_map_url is intentionally not passed into CompilationCacheScript::Lookup. The cache is anyways disabled when debugger is on.
[1] https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k/edit
LOG=Y
BUG=chromium:462572
Review URL: https://codereview.chromium.org/983603003
Cr-Commit-Position: refs/heads/master@{#27017}
This extends the stack unwinding logic to respect optimized frames
and perform a lookup in the handler table to find handlers. It also
contains fixes to the API call stubs to allow a stack walk while
promoting scheduled exceptions.
R=jarin@chromium.org
TEST=cctest/test-run-jsexceptions
Review URL: https://codereview.chromium.org/969533004
Cr-Commit-Position: refs/heads/master@{#27016}
This way, every function in those lists has one C++ implementation
called Runtime_##name. The previous distinction was confusing.
Review URL: https://codereview.chromium.org/983623002
Cr-Commit-Position: refs/heads/master@{#27010}
This adds support for the double bits intrinsics to TurboFan, and is
a first step towards fast Math functions inlined into TurboFan code
or even compiled by themselves with TurboFan.
Review URL: https://codereview.chromium.org/974313002
Cr-Commit-Position: refs/heads/master@{#27006}
port 1a608493e5 (r26983)
original commit message:
Refactor BreakLocationIterator.
We now have BreakLocation::Iterator to iterate via RelocIterator, and
create a BreakLocation when we are done iterating. The reloc info is
stored in BreakLocation in a GC-safe way and instantiated on demand.
BUG=
Review URL: https://codereview.chromium.org/978183002
Cr-Commit-Position: refs/heads/master@{#27003}
Function name property is now standardized in ES6. It was a Mozilla proprietary
extension before. With ES6, the property was made configurable, so that it can
be used instead of another proprietary property, displayName.
This is a revert of revert c791d84112.
Last time this broke a Chrome browser test which has since been updated:
5f75a3be4c
BUG=v8:3333
LOG=N
R=mstarzinger@chromium.org,verwaest@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/977003004
Cr-Commit-Position: refs/heads/master@{#26996}
Port a820568b1f
Each call to emit_32 uses 5 constant pool slots:
* the "emit_32" string
* undefined (the receiver)
* the argument (heap number)
* the load IC
* the call IC
This change cuts that down 20% to 4, by loading the undefined from the heap roots.
BUG=
Review URL: https://codereview.chromium.org/963193005
Cr-Commit-Position: refs/heads/master@{#26995}
If we use HashMap::Lookup with insert=true, the returned entry may have
NULL as value. This could either mean that the value is 0, or that the
entry has just been inserted. This ambiguity can cause false negatives
in PartialCacheIndexMap::LookupOrInsert.
Also fix a TODO.
R=vogelheim@chromium.org
Review URL: https://codereview.chromium.org/974273002
Cr-Commit-Position: refs/heads/master@{#26994}
Experimental globals are simply flag values on the builtins object to
turn on/off harmony features. We still need to declare them even when
we don't turn on harmony features for the snapshot.
R=vogelheim@chromium.org
Review URL: https://codereview.chromium.org/978813002
Cr-Commit-Position: refs/heads/master@{#26992}
This makes sure that the implicit exception edges in the graph pass
the correct exception object and also fixes a bug in the dominance
relationship of the value entering the finally block and it's uses.
R=jarin@chromium.org
TEST=cctest/test-run-jsexceptions/FinallyBreak
Review URL: https://codereview.chromium.org/970253002
Cr-Commit-Position: refs/heads/master@{#26989}
Before the max_old_space_size was set for each space, which is not intuitive and not what we want. There is still a miss match between capacity and actual committed memory which should be cleaned up in a follow up cl.
BUG=
Review URL: https://codereview.chromium.org/979783002
Cr-Commit-Position: refs/heads/master@{#26985}
We now have BreakLocation::Iterator to iterate via RelocIterator, and
create a BreakLocation when we are done iterating. The reloc info is
stored in BreakLocation in a GC-safe way and instantiated on demand.
R=ulan@chromium.org
BUG=v8:3924
LOG=N
Review URL: https://codereview.chromium.org/967323002
Cr-Commit-Position: refs/heads/master@{#26983}
Re-installing experimental natives after deserialization causes failures if
said experimental native is already included in the snapshot. However, there
is no way to tell whether a certain harmony feature has been included.
Experimental natives may also be turned on/off on-demand, which a snapshot
that includes them would not support for all cases.
The simple solution for the meantime is to never include experimental natives
in the snapshot and initialize them after deserialization on-demand.
R=vogelheim@chromium.org
Review URL: https://codereview.chromium.org/981473002
Cr-Commit-Position: refs/heads/master@{#26982}
Each call to emit_32 uses 5 constant pool slots:
* the "emit_32" string
* undefined (the receiver)
* the argument (heap number)
* the load IC
* the call IC
This change cuts that down 20% to 4, by loading the undefined from the heap roots.
R=verwaest@chromium.org
BUG=
Review URL: https://codereview.chromium.org/980563002
Cr-Commit-Position: refs/heads/master@{#26979}
This is a follow-on to crrev.com/960883003, which fixed a memory leak in this code, but uncovered another, more subtle bug:
Previously, the code expected you would v8::V8::Initialize once, and v8::V8::Dispose once. The first bug was that in this case the holder_ variable would point to deallocated memory. The second bug was that once the snapshot was disposed, there was no way to get it back on a future Initialize. These are uncovered by the InitializeAndDisposeMultiple test case.
The fix is to keep memory to the raw snapshot and to then cleanly build & destroy the tables in Initialize & Dispose. Since sometimes setNativesBlob is called just after Initialize, that situation must be handled, too.
BUG=
Review URL: https://codereview.chromium.org/974943003
Cr-Commit-Position: refs/heads/master@{#26978}
Shouldn't make a difference in practice, but it's a bit more readable and it
gets the case of a 0 shift correct without undefined behavior.
BUG=463436
LOG=N
Review URL: https://codereview.chromium.org/975283002
Cr-Commit-Position: refs/heads/master@{#26975}
Bit-shifts have undefined behaviour if the shift amount is greater
or equal to the width of the type.
In this case the code would do imm32 >> 32 when rot == 0.
A newer version of Clang unrolled the loop, optimized the first
iteration away, causing the test suite to fail with:
#
# Fatal error in ../src/arm/assembler-arm.cc, line 1212
# Check failed: !rn.is(ip).
#
as well as crashing when running Chromium tests on Android (at least
we think this was the cause, see the bug).
BUG=463436, 444089
LOG=Y
Review URL: https://codereview.chromium.org/979633002
Cr-Commit-Position: refs/heads/master@{#26974}
Problem:
Excuting with flags as "--prof --logfile-per-isolate --logfile=/path/to/filename"
expected file name: /path/to/isolate-<isolate id>-filename
current result: isolate-<isolate id>-/path/to/filename
This patch makes the file name we expected.
Review URL: https://codereview.chromium.org/960813004
Cr-Commit-Position: refs/heads/master@{#26955}
Android doesn't have swap space so if the heap goes over the physical memory
size the system will just kill us. Applying the Heap::kPointerMultipler
to heap size could cause the max heap size to be larger than physical memory.
Instead use the defaults which are based on actual physical memory configured
by Api::ConfigureDefaults().
BUG=432909
LOG=N
Review URL: https://codereview.chromium.org/960213007
Cr-Commit-Position: refs/heads/master@{#26954}
TryInline needed position only for the case when we track positions.
We can drop the position argument and use the current position from GraphBuilder.
The only problem that it doesn't match with the inline point.
The reason of that was the fact that builder had moved the position forward by
visiting arguments expressions.
I fixed this by restoring the current positon in HOptimizedGraphBuilderWithPositions::Visit*
BUG=452067
LOG=n
Review URL: https://codereview.chromium.org/962593005
Cr-Commit-Position: refs/heads/master@{#26953}
Contribution of PowerPC port (continuation of 422063005, 817143002,
866843003, and 901083004. This patch updates the ppc directories
to make them current with changes in common code, removes the
optimization to use the ool constant pool, and excludes tests that
don't pass under the ppc simulator given a 240s timeout.
Subsequent patches will cover:
- remaining optimizations for PPC
- remaining AIX changes not resolved by 4.8 compiler (4.8 is only recently available for AIX)
- incremental updates required to ppc directories due to platform specific changes made
in google repos while we complete the above steps.
modified: src/compiler/ppc/code-generator-ppc.cc
modified: src/ic/ppc/handler-compiler-ppc.cc
modified: src/ppc/assembler-ppc-inl.h
modified: src/ppc/assembler-ppc.cc
modified: src/ppc/assembler-ppc.h
modified: src/ppc/builtins-ppc.cc
modified: src/ppc/code-stubs-ppc.cc
modified: src/ppc/debug-ppc.cc
modified: src/ppc/deoptimizer-ppc.cc
modified: src/ppc/frames-ppc.cc
modified: src/ppc/frames-ppc.h
modified: src/ppc/full-codegen-ppc.cc
modified: src/ppc/lithium-codegen-ppc.cc
modified: src/ppc/lithium-ppc.cc
modified: src/ppc/lithium-ppc.h
modified: src/ppc/macro-assembler-ppc.cc
modified: src/ppc/macro-assembler-ppc.h
modified: test/cctest/cctest.status
modified: test/mjsunit/mjsunit.status
R=danno@chromium.org, svenpanne@chromium.org
BUG=
Review URL: https://codereview.chromium.org/965823002
Cr-Commit-Position: refs/heads/master@{#26951}
On Intel targets, it is cheaper to load the context from the frame
instead of loading the context as a constant (which usually involves a
PropertyCell because the context is in new space when we compile the
function).
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/970803002
Cr-Commit-Position: refs/heads/master@{#26935}
On 64-bit targets, we can skip the write barrier for Store nodes if the
input is ChangeInt32ToTagged, because the value being stored is
definitely represented as a smi then.
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/968113002
Cr-Commit-Position: refs/heads/master@{#26934}
This is partially based on r21609 but that CL was incomplete.
Function name is still non writable so one has to use defineProperty
to change the actual value.
BUG=v8:3333
LOG=N
R=adamk, mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/960343002
Cr-Commit-Position: refs/heads/master@{#26924}
This required fixing the exports_ hash map to use the appropriate
comparison function instead of pointer comparison.
BUG=v8:1569
LOG=n
Review URL: https://codereview.chromium.org/960793003
Cr-Commit-Position: refs/heads/master@{#26920}
InstallBuiltinFunctionIds stood out when looking at code that grew
strangely when compiled with default optimizations.
This change from repeated code to a loop saves 6-7 KB of machine code.
I suspect it's faster but I also suspect it's fast enough either way so
that is not really a factor. Machine code reduction seen below.
Code formatted with git cl format.
clang x64:
Total change: -5985 bytes
-------------------------------------------
+517 - Source: ?? - (gained 744, lost 227)
-------------------------------------------
New symbols:
+744: v8::internal::Genesis::InstallBuiltinFunctionIds()::builtins type=d, size=744 bytes
Removed symbols:
-4: .L.str98 type=r, size=4 bytes
... [stripped 30 similar lines]
-19: .L.str100 type=r, size=19 bytes
----------------------------------------------------------------------------------------------
-6502 - Source: /home/bratell/src/chromium/src/v8/src/bootstrapper.cc - (gained 0, lost 6502)
----------------------------------------------------------------------------------------------
Removed symbols:
-1135: v8::internal::ResolveBuiltinIdHolder(v8::internal::Handle<v8::internal::Context>, char const*) type=t, size=1135 bytes
Shrunk symbols:
-5367: v8::internal::Genesis::InstallBuiltinFunctionIds() type=t, (was 7105 bytes, now 1738 bytes)
BUG=
Review URL: https://codereview.chromium.org/918303005
Cr-Commit-Position: refs/heads/master@{#26919}
Save Unknown position as zero in RelocInfo.
Remove copy constructor of SourcePosition because it is trivial.
Mechanical replace int raw_position with SourcePosition position.
BUG=452067
LOG=n
Review URL: https://codereview.chromium.org/959203002
Cr-Commit-Position: refs/heads/master@{#26916}
Without this shortcut we generate one BooleanNot per JSUnaryNot with
number input, which is quite common in asm.js. These dead nodes then
survive until the late control reducer runs, and may prevent
optimizations in the mean time.
R=dcarney@chromium.org
Review URL: https://codereview.chromium.org/963713002
Cr-Commit-Position: refs/heads/master@{#26911}
port 6af7ca6be4 (r26886)
original commit message:
Skip the mapcheck on the global object since the global proxy and cell are already
checked (or the global object map for contextual global loads).
BUG=
Review URL: https://codereview.chromium.org/965693002
Cr-Commit-Position: refs/heads/master@{#26908}
port e9cdcb7174 (r26875)
original commit message:
Only dynamically perform access checks on the receiver if it's a JSGlobalProxy.
Proxies up the chain are guaranteed to provide access if we had access to the receiver,
since otherwise we wouldn't have been able to compile the stub in the first place.
If the security check would change, the window navigates, changing the map of the JSGlobalProxy.
BUG=
R=weiliang.lin@intel.com
Review URL: https://codereview.chromium.org/964813002
Cr-Commit-Position: refs/heads/master@{#26905}
Reason for revert:
Need to revert the ported CL.
Original issue's description:
> MIPS: Also skip when the target is the global object.
>
> Port cc918d30b9
>
> BUG=
>
> Committed: https://crrev.com/b24a0efa447235e11b9ff9d1eeaada06131b2e04
> Cr-Commit-Position: refs/heads/master@{#26897}
TBR=danno@chromium.org,verwaest@chromium.org,paul.lind@imgtec.com,gergely.kis@imgtec.com,akos.palfi@imgtec.com,dusan.milosavljevic@imgtec.com,balazs.kilvady@imgtec.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review URL: https://codereview.chromium.org/963603002
Cr-Commit-Position: refs/heads/master@{#26898}
This also adds a new VariableMode, IMPORT, which will be
used to do appropriate binding for Import-declared Variables.
Only named imports are handled for now. "import *" and default
import syntaxes have had their TODOs adjusted to match the new
code structure.
BUG=v8:1569
LOG=n
Review URL: https://codereview.chromium.org/948303004
Cr-Commit-Position: refs/heads/master@{#26895}
Port e9cdcb7174
Original commit message:
Proxies up the chain are guaranteed to provide access if we had access to the receiver, since otherwise we wouldn't have been able to compile the stub in the first place. If the security check would change, the window navigates, changing the map of the JSGlobalProxy.
BUG=
Review URL: https://codereview.chromium.org/958923002
Cr-Commit-Position: refs/heads/master@{#26894}
This reverts commit b57be748b1 and
disables the test/mjsunit/debug-clearbreakpointgroup.js because
BreakLocationIterator::ClearBreakPoint is already broken for unrelated reasons (see v8:3924).
BUG=v8:3877
LOG=N
TEST=cctest/test-heap/Regress3877
Review URL: https://codereview.chromium.org/957373002
Cr-Commit-Position: refs/heads/master@{#26893}
Reason for revert:
Breaks test/mjsunit/debug-clearbreakpointgroup.js on arm64.debug.
Original issue's description:
> Fix memory leak caused by field type in descriptor array.
>
> When a field type is a map, it is wrapped in a weak cell upon storing to the descriptor array.
>
> Map::GetFieldType(i) does the unwrapping.
>
> BUG=v8:3877
> LOG=N
> TEST=cctest/test-heap/Regress3877
>
> Committed: https://crrev.com/77d3ae0e119893ac8d34ea6ca090cddd5bbf987e
> Cr-Commit-Position: refs/heads/master@{#26879}
TBR=verwaest@chromium.org,ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:3877
Review URL: https://codereview.chromium.org/960103003
Cr-Commit-Position: refs/heads/master@{#26883}
We cannot yet detect use-before-declaration in general, because for that we'd
need to analyze the context when compiling. But we can detect an error case
where we first see a use, then a declaration.
For this, I also added end position tracking (needed for error messages) to
VariableProxy.
Note: the position naming is completely inconsistent: start_position &
end_position, position & end_position, pos & end_pos, beg_pos & end_pos, to name
a few. This doesn't fix all of it, but tries to unify towards start_position &
end_position whenever possible w/ minimal changes.
BUG=
Review URL: https://codereview.chromium.org/943543002
Cr-Commit-Position: refs/heads/master@{#26880}
When a field type is a map, it is wrapped in a weak cell upon storing to the descriptor array.
Map::GetFieldType(i) does the unwrapping.
BUG=v8:3877
LOG=N
TEST=cctest/test-heap/Regress3877
Review URL: https://codereview.chromium.org/955063002
Cr-Commit-Position: refs/heads/master@{#26879}
Side note: tools/v8-info.sh seems to have been broken ever
since the move to git. At least it's not more broken now.
BUG=v8:3075
LOG=y
TEST=./script_test.py
Review URL: https://codereview.chromium.org/959713003
Cr-Commit-Position: refs/heads/master@{#26873}
Bad scenario:
- Enter a binop IC miss handler from optimized code object C from call
site S,
- From the binop IC, invoke arbitrary javascript that lazy deopts C,
so all relocation info is nuked and replaced with lazy deopt entries'
reloc info. In particular, there is no reloc info for S.
- Still from the arbitrary JavaScript, make IC target's code object move.
Note that the call site S is not updated.
- Return to the miss handler and inspect the IC's target. This will try
to get the target from S, but that is a potentially invalid pointer.
It is quite possible that we will have to do a similar fix for other ICs,
but we will have to find a reliable repro first. I am not submitting a
repro here because it is quite long running and brittle (it
relies on code compaction happening while in the binop IC).
BUG=v8:3910
LOG=n
R=ishell@chromium.org
Review URL: https://codereview.chromium.org/958473004
Cr-Commit-Position: refs/heads/master@{#26872}
