This saves about 5% of memory and node count consumed by graph building
on the TypeScript benchmark. High watermark goes down by 3-4%.
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2829093002
Cr-Commit-Position: refs/heads/master@{#45113}
We need the job_'s context to reify errors, for example.
Some tasks already managed their context, so centralized
that logic in a SyncCompileTask all sync tasks derive from.
Bug:
Change-Id: I90f462476b47bb8d5777db93d8dfb5c72fbd885b
Reviewed-on: https://chromium-review.googlesource.com/495392
Commit-Queue: Mircea Trofin <mtrofin@google.com>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45112}
Port 662aa425ba
Original Commit Message:
Since the feedback vector is itself a native context structure, why
not store optimized code for a function in there rather than in
a map from native context to code? This allows us to get rid of
the optimized code map in the SharedFunctionInfo, saving a pointer,
and making lookup of any optimized code quicker.
Original patch by Michael Stanton <mvstanton@chromium.org>
R=rmcilroy@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:6246
LOG=N
Review-Url: https://codereview.chromium.org/2861863003
Cr-Commit-Position: refs/heads/master@{#45111}
Removes the do-expression wrapping, modifies BytecodeGenerator change
to enter a class literal's block scope if needed.
This does not solve the actual bug in v8:6322, but helps mitigate it in
simple cases. The bug is caused by BytecodeGenerator not allocating a
large enough array of context registers to hold its entire stack,
allowing non-context registers to be overwritten during PushContext and
PopContext bytecodes.
Nevertheless, I like the idea of not depending on do-expressions when
possible, so I think it's worth doing anyways.
BUG=v8:6322
R=rmcilroy@chromium.org, marja@chromium.org, littledan@chromium.org
Change-Id: I82b7569db2a0eead1694bd04765fc4456c2f1a0a
Reviewed-on: https://chromium-review.googlesource.com/491074
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45110}
Different Intl features (DateTimeFormat, NumberFormat, etc) have
different lists of locales supported. Previously, the default locale
was set to "und", as opposed to what was detected from the surrounding
system, if any of these features was missing data. With this patch,
only that feature is set to "und". In this way, the data quality should
be just as good as if there were no fallback logic, but at the same time,
resolvedOptions().locale should show the locale actually in effect.
R=adamk,jshin
BUG=v8:6288
Change-Id: I62b083a1dde2465cb1541cb18ecc7e59f9097bc0
Reviewed-on: https://chromium-review.googlesource.com/492886
Commit-Queue: Daniel Ehrenberg <littledan@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45109}
The collection builtins (Map, Set, WeakMap, WeakSet) are still written
in JavaScript and make heavy use of %_ClassOf, which is kind of
expensive compared to a simple instance type check. Change that to use
simple instance type checks instead.
R=jarin@chromium.org
BUG=v8:6261,v8:6278,v8:6344
Review-Url: https://codereview.chromium.org/2814773005
Cr-Commit-Position: refs/heads/master@{#45106}
If an ArrayBuffer is setup through the WebAssembly.Memory constructor, identify these with a flag and avoid optimizations in js-typed-lowering.cc. This is needed becasue buffers associated with memory objects can be grown/detached leading to crashes.
BUG=chromium:717194
Review-Url: https://codereview.chromium.org/2862763002
Cr-Commit-Position: refs/heads/master@{#45105}
- Removes primitive shuffle opcodes.
- Adds Shuffle opcode for S32x4, S16x8, S8x16.
- Adds code to ARM instruction selector to pick best opcodes for some
common shuffle patterns.
LOG=N
BUG=v8:6020
Review-Url: https://codereview.chromium.org/2847663005
Cr-Commit-Position: refs/heads/master@{#45104}
Now that the optimized code hangs off the feedback vector, it is possible
to check whether a function has optimized code available every time it's
called in the interpreter entry trampoline. If optimized code exists, the
interpreter entry trampoline 'self-heals' the closure to point to the
optimized code and links the closure into the optimized code list.
BUG=v8:6246
Change-Id: If1bd7c555bb0551bfe04b36baa6bcf949604717e
Reviewed-on: https://chromium-review.googlesource.com/488026
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45103}
Keeping the CQ bot experimental for now. Will be converted to a regular bot in a follow up.
NOTRY=true
NOTREECHECKS=true
Bug: v8:6355
Change-Id: I094cc26c8fd89bc6fda761d6bfd848a5e3b6dcb5
Reviewed-on: https://chromium-review.googlesource.com/496186
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45100}
The concurrent marker now colors objects grey and black using
the atomic markbit operations.
The heap visitor is changed in two ways:
1) It iterates the map pointer of each object.
2) It guards object visitation with a predicate, which is overridden
in the concurrent marker with the result of GreyToBlack transition.
BUG=chromium:694255
Review-Url: https://codereview.chromium.org/2855003004
Cr-Commit-Position: refs/heads/master@{#45099}
Storing a data property on |target| can change |source|'s map
if |target| and |source| are the same object.
BUG=chromium:716520
Review-Url: https://codereview.chromium.org/2855133006
Cr-Commit-Position: refs/heads/master@{#45097}
This flag generates false positives, since gcc inlines functions and
propagates constants, and then applies the check.
Drive-by: Refactor the checks that triggered the error to avoid
explicit casts.
R=jochen@chromium.org, machenbach@chromium.org
BUG=v8:6341
Change-Id: I86aebf402cbd2502ef17622a000a5bb777fd4b43
Reviewed-on: https://chromium-review.googlesource.com/494474
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45096}
Currently the VisitObject function iterates the object and then colors
it black. This does not work well with concurrent marking. The function
should instead first try to mark the object black and iterate its body
only if the color transition succeeds.
BUG=chromium:694255
Review-Url: https://codereview.chromium.org/2853323003
Cr-Commit-Position: refs/heads/master@{#45095}
These wrappers wouldn't be found by the marker otherwise and are only
reported upon the next marking step or GC which potentially is already
too late; the embedder could've reclaimed those objects already.
BUG=chromium:717480
Review-Url: https://codereview.chromium.org/2860753003
Cr-Commit-Position: refs/heads/master@{#45094}
concurrent marking is enabled.
This patch adds kAtomicity flag to IncrementalMarking that is set
depending on the concurrent marking compile time flag.
BUG=chromium:694255
Review-Url: https://codereview.chromium.org/2857743002
Cr-Commit-Position: refs/heads/master@{#45091}
So far the Array.prototype.pop lowering in the JSBuiltinReducer was
limited to (holey) fast or fast-smi elements. But it can be made to
work easily to also handle fast-double elements, so allow that as
well.
R=jarin@chromium.org
BUG=v8:5267,v8:6338
Review-Url: https://codereview.chromium.org/2861443006
Cr-Commit-Position: refs/heads/master@{#45090}
Reason for revert:
The decision for the specification was to not have this syntax, and instead the syntax before this patch.
Original issue's description:
> [regexp] Support unicode capture names in non-unicode patterns
>
> This ensures that capture names containing surrogate pairs are parsed
> correctly even in non-unicode RegExp patterns by introducing a new
> scanning mode which unconditionally combines surrogate pairs.
>
> BUG=v8:5437,v8:6192
>
> Review-Url: https://codereview.chromium.org/2791163003
> Cr-Commit-Position: refs/heads/master@{#44466}
> Committed: a8651c5671R=yangguo@chromium.org,jgruber@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5437,v8:6192
Review-Url: https://codereview.chromium.org/2859933003
Cr-Commit-Position: refs/heads/master@{#45088}
Make sure that the input to ChangeFloat64ToTagged is definitely of type
Number, because the operator cannot deal with non-Number inputs.
R=jarin@chromium.org
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2858153003
Cr-Commit-Position: refs/heads/master@{#45087}
The functions are validated later during graph generation.
This change uncovered a memory leak, which is now also fixed.
R=ahaas@chromium.org
Change-Id: I0150817da131c5c611fe21b156da9d9d00d4827d
Reviewed-on: https://chromium-review.googlesource.com/490088
Reviewed-by: Andreas Rossberg <rossberg@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45086}
Now non-atomic color transition operations return a boolean indicating
whether the transition succeeded or not.
This allows to replace color check and transition operations with a
single transition operation. For example:
if (IsWhite(object)) {
WhiteToBlack(object);
Foo();
}
becomes
if (WhiteToBlack(object)) {
Foo();
}
BUG=chromium:694255
Review-Url: https://codereview.chromium.org/2857713002
Cr-Commit-Position: refs/heads/master@{#45085}
Since the feedback vector is itself a native context structure, why
not store optimized code for a function in there rather than in
a map from native context to code? This allows us to get rid of
the optimized code map in the SharedFunctionInfo, saving a pointer,
and making lookup of any optimized code quicker.
Original patch by Michael Stanton <mvstanton@chromium.org>
BUG=v8:6246
TBR=yangguo@chromium.org,ulan@chromium.org
Change-Id: Ic83e4011148164ef080c63215a0c77f1dfb7f327
Reviewed-on: https://chromium-review.googlesource.com/494487
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45084}
1. Generalize context specialization such that the provided context
can be any outer context of the function, not necessarily the
immediate outer context.
2. Based on this: if function specialization is disabled, then
specialize for the module context if there is one.
3. Extend typed lowering of module loads and stores such that if
the operand is a Module constant, we constant-fold the cell load.
That is, a JSLoadModule with a Module HeapConstant input becomes
a LoadField with a Cell HeapConstant input, and similarly for
JSStoreModule.
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2841613002
Cr-Commit-Position: refs/heads/master@{#45083}
Remove the --zap_code_space flag and always patch deopted code to hard fail
if called.
Also, as a drive-by add deopt code patching for Arm64.
BUG=v8:6246
Change-Id: Ibf1bc53692dbbe618132100a66c56a88c97fd62b
Reviewed-on: https://chromium-review.googlesource.com/496127
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45082}
It's not clear what this logic is there for; ICU seems to already
preserve the locale in the way that the comment mentions. There
appear to be tests in test/intl/general/mapped-locale.js which
remain passing.
Bug: v8:5751
Change-Id: Ib9c64f00b982711ae0eab078252a88f44b81b894
Reviewed-on: https://chromium-review.googlesource.com/485780
Commit-Queue: Daniel Ehrenberg <littledan@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45080}
Note that this just switches from the AST-based validator to a dedicated
parser for asm.js modules. The validation of asm.js modules in general
still is predicated by the "--validate-asm" flag, and not enabled by
default yet.
R=clemensh@chromium.org,marja@chromium.org
BUG=v8:6127
Change-Id: Ibd920b03e20ec3c70ee51b79c6c5a2043964fe4f
Reviewed-on: https://chromium-review.googlesource.com/496146
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45078}
AllocateGuarded previously fell back on Allocate and then called Guard
to set the protection to PROT_NONE. Linux commits RW memory, but the
important thing here is to reserve the address space without committing
it. This change adds a new variant of Allocate that takes explicit
permission bits so that AllocateGuarded allocates non-RW memory from the
beginning.
Bug: v8:6320
Change-Id: I7962acbed09938951bf3bb4af2d1f302adba2547
Reviewed-on: https://chromium-review.googlesource.com/491928
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45075}
In the spirit of the full MC, we evacuate and update pointers in parallel for
the young generation.
The collectors are connected during incremental marking when mark bits are
transferred from the young generation bitmap to the old generation bitmap.
The evacuation phase cannot (yet) move pages and relies completely on copying
objects.
BUG=chromium:651354
Review-Url: https://codereview.chromium.org/2796233003
Cr-Commit-Position: refs/heads/master@{#45074}
-fsanitize-coverage={edge,bb,func} are deprecated.
-fsanitize-coverage={edge,bb,func},trace-pc-guard should be used instead (edge is default).
BUG=chromium:651540
Review-Url: https://codereview.chromium.org/2860653002
Cr-Commit-Position: refs/heads/master@{#45072}
When deleting the most recently added fast property from an object
by undoing its last map transition, we must clear any recorded slots.
This can only be done in C++, so this functionality must move out
of the stub.
Also update a CHECK in the JSObject verifier to allow backing stores
sticking around after such property deletions.
BUG=chromium:716912,chromium:714981
Review-Url: https://codereview.chromium.org/2854373002
Cr-Commit-Position: refs/heads/master@{#45069}
If a negative value is passed as end position it may get past the end
without triggering any DCHECK due to int to size_t cast.
BUG=v8:6093
Change-Id: I0c6be0e8442049cc4b7fc87593ad018bce4b677e
Reviewed-on: https://chromium-review.googlesource.com/494108
Commit-Queue: Wiktor Garbacz <wiktorg@google.com>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45068}
by pulling parameterizable things out of the case-blocks.
No change in functionality.
BUG=chromium:714894
Review-Url: https://codereview.chromium.org/2854273004
Cr-Commit-Position: refs/heads/master@{#45066}
More care must be taken to remain on the fast path in the face of
@@species constructors.
BUG=chromium:716044
Review-Url: https://codereview.chromium.org/2846963003
Cr-Commit-Position: refs/heads/master@{#45065}
Blink uses Isolate::GetEnteredContext() to implement HTML's "entry
context" concept, and thus depends on it not being changed except
explicitly (by Blink.) To support this, stop entering contexts
implicitly in all external API entry points; rather just set the
context as current. The only thing that changes the entered context
is now Context::Enter()/Context::Exit() (and Context::Scope.)
BUG=v8:6307
Review-Url: https://codereview.chromium.org/2862483003
Cr-Commit-Position: refs/heads/master@{#45064}
