RecordWrite is not isolate-independent on arm/arm64.
TBR=yangguo@chromium.org
NOTRY=true
Bug: v8:6666
Change-Id: Ie1160434dc9fcb0da91ce53ea06addf9f87434dd
Reviewed-on: https://chromium-review.googlesource.com/951247
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51771}
The idea of GetUnaryOpTargetRegister and GetBinaryOpTargetRegister is
to reuse the register of one of the operands instead of using an
separate third one, because we can often generate better code if the
destination register matches the src or lhs.
This was implemented by looking at the top or the first two stack
entries, and using one of their registers if there is only one use.
Instead of doing that we can also just pop them and then later check
whether this was the only use. This makes the code smaller, more
readable and probably faster.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: Ia5d9e320bdb3add5032400455a64a0c7fee77cbd
Reviewed-on: https://chromium-review.googlesource.com/950947
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51770}
Tests are failing on MIPS with bus error because instruction cache is not flushed.
Change-Id: I1725a87ea2dc36ffde767d10a0c4deea0e069c09
Reviewed-on: https://chromium-review.googlesource.com/950722
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Cr-Commit-Position: refs/heads/master@{#51768}
This fixes HeapSnapshotGenerator::SetProgressTotal so that
ProgressReport is called with finished flag only once.
The DevTools front-end assumes that progress with finished flag is
reported only once.
Change-Id: Iad958478aa8ad27a520cb491419e521027967754
Reviewed-on: https://chromium-review.googlesource.com/949224
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51767}
ObjectSpace was only referred to in static_asserts and was otherwise
removed in http://codereview.chromium.org/7945009.
AllocationActions's last usage was removed in
https://codereview.chromium.org/1991293002.
Bug: v8:7310
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I2ccbf3b674517bc698b4c92754cd0b251229d342
Reviewed-on: https://chromium-review.googlesource.com/931887
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51763}
Instead of computing the disassmebly and offset tables eagerly on
registering a WASM function with a debugger agent, only generate
it when the source or offset tables are actually required. This is
implemented using a lazy, memoizing supplier that is shared
between the debugger agent and wasm translator.
Bug: chromium:794941
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I1a2f7dd71ab65c80f91ddee4f7babbdf33d2e74b
Reviewed-on: https://chromium-review.googlesource.com/918641
Commit-Queue: Stephan Herhut <herhut@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51762}
Make BuiltinsArrayAssembler::o() and len() into TNode<JSReceiver> and
TNode<Number> respectively.
Also adds typing to CodeStubAssembler::ToLength_Inline.
Fixes a type error in ArraySpeciesCreate which needs to take a Number rather
than a Smi.
Bug: v8:7310
Change-Id: Ie01d58ba195bddfe58ac7e4a31272c8f1a14c6ce
Reviewed-on: https://chromium-review.googlesource.com/934821
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51761}
We now unconditionally both parse and compile StreamedSource on the background
thread.
BUG=v8:5203
Change-Id: I42d6fe9059bc1745da3a415d270f46cf1c08b306
Reviewed-on: https://chromium-review.googlesource.com/948854
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51758}
Note that {nullptr} is a dangerous sentinel value in V8's object model
because it can be interpreted as Smi(0) and hence will turn into a
completely different type than the declared return type at runtime.
R=ahaas@chromium.org
BUG=v8:7509
Change-Id: I89cffa1160a3bf6853f91c04fb90c74ad08888a3
Reviewed-on: https://chromium-review.googlesource.com/948907
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51757}
Instead of a hard-coded list of function addresses, we now use a flag
on the AccessorInfo object to annotate whether the getter can cause any
side effect.
Future changes will extend this to InterceptorInfo, CallHandlerInfo, and
expose this through the API.
R=jgruber@chromium.org, luoe@chromium.org
Bug: v8:7515
Change-Id: Id0fedf03493c3bd81913557a5681f8f63660f6a4
Reviewed-on: https://chromium-review.googlesource.com/945909
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51756}
The optimized code for %ArrayIteratorPrototype%.next for holey arrays
was wrong, since it would first store the [[NextIndex]] and then check
whether it hit a hole. However in that case TurboFan doesn't have any
point to deoptimize to, so we need to perform the side-effecting stores
only after all checks are done.
Bug: v8:7510, v8:7514, chromium:819086
Change-Id: I0214c7124833286113e4dc7403ddc20a82fa8da3
Reviewed-on: https://chromium-review.googlesource.com/950723
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51753}
Port 88062a2cbc
Original Commit Message:
Implement in-place weak reference handling in GC.
Turn FeedbackVector::optimized_code_or_smi into an in-place weak reference (this
is the only in-place weak reference at this point).
(See bug for design doc.)
R=marja@chromium.org, joransiu@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:7308
LOG=N
Change-Id: I00c6aa7c08524b7769d3428d0c18ce334f35a722
Reviewed-on: https://chromium-review.googlesource.com/949368
Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#51747}
There must not be both an allocating function call and a handle deref
in the list of arguments to a call. Depending on the evaluation order
that the C++ compiler chooses, the deref could happen before the call
and the resulting raw pointer be invalidated by the GC.
Bug: chromium:818424
Change-Id: I525947252ff9d0b048a5bf82c2976e0acce739be
Reviewed-on: https://chromium-review.googlesource.com/949782
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51746}
I initially left them out because I thought they are harder to
implement than the other float binops, but it turns out it is actually
just the same.
R=ahaas@chromium.org
Bug: v8:6600
Change-Id: I68b98daf4dfaf4e00d57fc68257fe43977c4ae6a
Reviewed-on: https://chromium-review.googlesource.com/948543
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51745}
- Provide sorted instance type contribution per GC
- Visualize percentages per InstanceType based on the selected GC
- Visualize percentags per category
- Use some more arrow functions
- Introduce helper.js file
Bug: v8:7266
Change-Id: I26099cc64d9545b2de9e4574da2faf52d54ad198
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/949222
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51743}
This patch moves the has_braces_ bool to the bit_field_, and moves
function_literal_id_ into the freed-up slack space. This saves
4 bytes on 32-bit platforms and 8 bytes on 64-bit.
Change-Id: Ib5ba475915e46494c75019cfc184aafe72f6407f
Reviewed-on: https://chromium-review.googlesource.com/947467
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51742}
Now the mock platform delays all background tasks and forwards them
to the real platform in its destructor.
This fixes a race that happens when the background tasks calls
TestPlatform::MonotonicallyIncreasingTime() while the mock platform
is being destroyed.
BUG: v8:7494
Change-Id: I659ccc19121144152f447d59ff3c5e7ef1bec6d5
Reviewed-on: https://chromium-review.googlesource.com/949202
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51741}
Minor cleanup: Instead of a cryptic memcpy, just use ReadUnalignedValue
and WriteUnalignedValue.
Also add DCHECKs to these helpers to ensure that they are only used for
trivially copyable types.
R=ahaas@chromium.org
Bug: v8:7310
Change-Id: Id5014a828573f8d13a6c3a5380eae2f377e8f130
Reviewed-on: https://chromium-review.googlesource.com/948544
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51740}
IsFixedArray is too broad in many cases and should be replaced by
IsFixedArrayExact in the objects stats collection.
Bug: v8:7266
Change-Id: I3d5de8b70dc596a391ffdc2a5b4bdeaa5d437712
Reviewed-on: https://chromium-review.googlesource.com/948502
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51739}
Math fast-path cannot drop arguments because their side-effects
must be preserved. For example, Math.imul(x) dropped x entirely,
because if x is convertible to an integer, the result is 0.
This, however, is not OK because converting x to an integer might
throw.
Bug: chromium:818070, v8:7250, v8:7240
Change-Id: I8363e6dcd3fc78c879395aacb636d5782c3b023e
Reviewed-on: https://chromium-review.googlesource.com/948523
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51736}
This is a cosmetic change only.
Change-Id: I9a0ea9a23b4fc1490759433153c7d47e492b853d
Reviewed-on: https://chromium-review.googlesource.com/936624
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51733}
Implement in-place weak reference handling in GC.
Turn FeedbackVector::optimized_code_or_smi into an in-place weak reference (this
is the only in-place weak reference at this point).
(See bug for design doc.)
BUG=v8:7308
TBR=yangguo@chromium.org
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I16d65dc768f10ed431252e23a0df07bee9063534
Reviewed-on: https://chromium-review.googlesource.com/948493
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51731}
This makes sure that the object can be identified by a unique instance
type and hence is not accidentally confused with other FixedArrays on
the heap.
R=clemensh@chromium.org
BUG=v8:7509
Change-Id: I20521cdcabbbddecd89ca8cd4bb203a47e1db0cd
Reviewed-on: https://chromium-review.googlesource.com/946253
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51730}
ArrayIndexOf is a monolithic builtin which does some checking and then handles
three groups of fast arrays: those with holey doubles, compacted doubles and
SMIs+objects. TF cannot reuse this efficiently, because calling the TFJ
ArrayIndexOf duplicates some checks and also does not allow passing arguments
through registers. Similarly for ArrayInclude.
This CL splits the three different types of fast array handling into a separate
TF stubs, and makes the parent TFJ as well as TurboFan itself use them where
appropriate.
The TODOs not tackled in this CL inculde:
* passing an empty context to spare a register when possible
* inlining the search loop if there is any performance gain to it
(This is the contiunation of http://crrev.com/2757853002, moved due to Rietveld
deprecation.)
BUG=v8:5985
Change-Id: I00c97b71be4892f8bc7e1ed6d72e02087618a9a6
Reviewed-on: https://chromium-review.googlesource.com/573020
Commit-Queue: Vaclav Brozek <vabr@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51729}
OpParameter<int32_t> was still used for an operator after the operators
parameter changed from int32_t to a struct. Coincidentally, the first
field of the struct holds the value previously stored in that int32_t,
so correctness tests did not catch this.
Bug: chromium:818611, v8:7517
Change-Id: Ie46f084f7fa8117cd3493fc5ceafac11553dc55e
Reviewed-on: https://chromium-review.googlesource.com/948546
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51728}
Since we currently only fill the constants table if we're serializing,
we should only create & finalize the table in that case. Otherwise,
leave it initialized to empty_fixed_array.
Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel_ng
Bug: v8:6666
Change-Id: I6ecbfac9dc9a9dac7ff0f11331be09b1cbfb4c18
Reviewed-on: https://chromium-review.googlesource.com/948490
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51727}
This changes the JSArrayIterator to always have only a single instance
type, instead of the zoo of instance types that we had before, and
which became less useful with the specification update to when "next"
is loaded from the iterator now. This greatly simplifies the baseline
implementation of the array iterator, which now only looks at the
iterated object during %ArrayIteratorPrototype%.next invocations.
In TurboFan we introduce a new JSCreateArrayIterator operator, that
holds the IterationKind and get's the iterated object as input. When
optimizing %ArrayIteratorPrototype%.next in the JSCallReducer, we
check whether the receiver is a JSCreateArrayIterator, and if so,
we try to infer maps for the iterated object from there. If we find
any, we speculatively assume that these won't have changed during
iteration (as we did before with the previous approach), and generate
fast code for both JSArray and JSTypedArray iteration.
Drive-by-fix: Drop the fast_array_iteration protector, it's not
necessary anymore since we have the deoptimization guard bit in
the JSCallReducer now.
This addresses the performance cliff noticed in webpack 4. The minimal
repro on the tracking bug goes from
console.timeEnd: mono, 124.773000
console.timeEnd: poly, 670.353000
to
console.timeEnd: mono, 118.709000
console.timeEnd: poly, 141.393000
so that's a 4.7x improvement.
Also make presubmit happy by adding the missing #undef's.
Bug: v8:7510, v7:7514
Change-Id: I79a46bfa2cd0f0710e09365ef72519b1bbb667b5
Reviewed-on: https://chromium-review.googlesource.com/946098
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51725}
On ia32, support for vsqrtss and vsqrtsd was missing, so I add the
implementation of these instructions and disassembly support.
On x64, disassembly support for vsqrtss was missing, while vsqrtsd was
implemented. Now both are implemented.
The implementation of f32.sqrt and f64.sqrt is very straight-forward on
ia32 and x64, we can immediately emit the {v}sqrtss or {v}sqrtsd
instruction.
R=ahaas@chromium.org
Bug: v8:6600
Change-Id: Icf3ec05a97a23e94cdf70f4a72f30dd02fbddd13
Reviewed-on: https://chromium-review.googlesource.com/944221
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51724}
Implement in-place weak reference handling in GC.
Turn FeedbackVector::optimized_code_or_smi into an in-place weak reference (this
is the only in-place weak reference at this point).
(See bug for design doc.)
BUG=v8:7308
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I0f9f992cb4ee0457c40b7c868317dfb607bfb906
Reviewed-on: https://chromium-review.googlesource.com/873638
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51722}
