This fixes the representation type for values in JSArray::length fields
when JSNativeContextSpecialization lowers loads. Only arrays with fast
elements kind are guaranteed to have a Smi represented length.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-4515
BUG=v8:4515, v8:4493, v8:4470
LOG=n
Review URL: https://codereview.chromium.org/1410393006
Cr-Commit-Position: refs/heads/master@{#31558}
Currently we (mostly) infer FunctionType for JSFunction constants, and
match the FunctionType in the typing rule for JSCallFunction. This has
several drawbacks for JavaScript, especially we don't have Constant
types for global functions (i.e. String, Object, Reflect and friends).
Plus the FunctionType magic doesn't actually buy us anything. So this
changes the typing rule for HeapConstant constant to actually infer
Constant types for JSFunction objects and moves the recognition of
builtin functions to the typing rule for JSCallFunction.
Also adapts the specialized lowering in JSTypedLowering to Constant
functions instead of FunctionType, which has the additional advantage
that we can do the receiver wrapping/converting based on the (known)
SharedFunctionInfo.
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1420093005
Cr-Commit-Position: refs/heads/master@{#31553}
The reason is when native_context_specialization flag is ture, X87 turbofan
will hit the known issue that X87 will change a sNaN to qNaN by default. And
then it will fail when bit-comparing the source (sNaN) and the result (qNaN).
reland https://codereview.chromium.org/1414733004/.
BUG=
Review URL: https://codereview.chromium.org/1419573007
Cr-Commit-Position: refs/heads/master@{#31552}
This lowers JSCreateArguments nodes within inline (i.e. non-outermost)
frames that create "unmapped arguments objects" to inline allocations.
The arguments count as well as each value is statically known and can be
directly stored into the arguments object. Note that the object is still
context-dependent and the map is loaded from the current context. The
object size is not taken into account for now, we might want to limit it
later though to keep code size bounded.
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1412113004
Cr-Commit-Position: refs/heads/master@{#31550}
This addresses an issue where the at-start splitting used
in the splintering mechanism was in conflict with the mechanics
used in linear allocator, in particular in the initial split/spill of
ranges for memory operands. We are already doing a split-at-start in
Greedy, so this change centralizes that to the base RegisterAllocator.
Verified locally that v8:4508 is addressed by this. Also, this fixes
the failures that required the revert
5308a999eb. See trybots at
issue 1425533002.
R=bmeurer@chromium.org,jarin@chromium.org
BUG= v8:4508
LOG=n
Review URL: https://codereview.chromium.org/1426583002
Cr-Commit-Position: refs/heads/master@{#31544}
Reason for revert:
because of merge mistake, "regress/" is missed when skipping one test case for X87.
"regress/" will be added when relanding it.
Original issue's description:
> X87: disable the regress-undefined-nan test case for x87.
>
> The reason is when native_context_specialization flag is ture, X87 turbofan
> will hit the known issue that X87 will change a sNaN to qNaN by default. And
> then it will fail when bit-comparing the source (sNaN) and the result (qNaN).
>
> BUG=
>
> Committed: https://crrev.com/b3c719ebbad6c87afefa33a7d0b3f412b2e304db
> Cr-Commit-Position: refs/heads/master@{#31530}
TBR=bmeurer@chromium.org,weiliang.lin@intel.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review URL: https://codereview.chromium.org/1417303005
Cr-Commit-Position: refs/heads/master@{#31543}
port e678a0f9a9 (r31358)
original commit message:
Use %_ToLength for TO_LENGTH, implemented via a ToLengthStub
that supports a fast path for small integers. Everything else is still
handled in the runtime.
BUG=
Review URL: https://codereview.chromium.org/1421803002
Cr-Commit-Position: refs/heads/master@{#31542}
For some reason, the DisableCrankshaft() in ast-numbering.cc does not always
prevent crankshaft from happening. Bailout here rather than asserting an
unreachable condition.
BUG=546967, v8:4488
LOG=N
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/1414713004
Cr-Commit-Position: refs/heads/master@{#31537}
Reason for revert:
[sheriff] breaks benchmarks:
http://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20debug/builds/4998
Original issue's description:
> [Turbofan] Fix perf regression introduced by per-range change.
>
> When the range ends just at the gap of a non-deferred block, the last
> instruction the range covers is in the predecessor. If that predecessor is
> a deferred block, before this CL, we would splinter the remainder of the
> range all the way to the end. That leads to inefficient codegen, because
> we still want a split inside the deferred block.
>
> Also, opportunistically added a trace before we splinter, for better
> diagnostics.
>
> BUG= chromium:546416
> LOG=N
>
> Committed: https://crrev.com/32b6e085e74a8fcf94a01d20740fe4fdede07a86
> Cr-Commit-Position: refs/heads/master@{#31529}
TBR=bmeurer@chromium.org,jarin@chromium.org,mtrofin@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= chromium:546416
Review URL: https://codereview.chromium.org/1412893007
Cr-Commit-Position: refs/heads/master@{#31531}
The reason is when native_context_specialization flag is ture, X87 turbofan
will hit the known issue that X87 will change a sNaN to qNaN by default. And
then it will fail when bit-comparing the source (sNaN) and the result (qNaN).
BUG=
Review URL: https://codereview.chromium.org/1414733004
Cr-Commit-Position: refs/heads/master@{#31530}
When the range ends just at the gap of a non-deferred block, the last
instruction the range covers is in the predecessor. If that predecessor is
a deferred block, before this CL, we would splinter the remainder of the
range all the way to the end. That leads to inefficient codegen, because
we still want a split inside the deferred block.
Also, opportunistically added a trace before we splinter, for better
diagnostics.
BUG= chromium:546416
LOG=N
Review URL: https://codereview.chromium.org/1412123009
Cr-Commit-Position: refs/heads/master@{#31529}
Fix aborting compaction for pages by doing two separate passes, one that scans
all live objects, and one that later on sweeps the page.
Detailed description see bug report.
BUG=chromium:539356,chromium:524425
LOG=N
Review URL: https://codereview.chromium.org/1413763011
Cr-Commit-Position: refs/heads/master@{#31526}
This patch switches sloppy-mode code from legacy const semantics
to ES2015 semantics. It is unknown how much of the web will be
broken by this; likely the patch will have to be reverted before
a branch happens.
BUG=v8:3739
LOG=Y
R=rossberg,adamk
Review URL: https://codereview.chromium.org/1420223003
Cr-Commit-Position: refs/heads/master@{#31525}
We don't need to have an (untested) fallback for the case that a
prototype map is not stable when specializing a named property,
because prototype maps are always stable (which is now guarded
by a DCHECK in CompilationDependencies). Less (dead) code is
better code.
R=verwaest@chromium.org
BUG=v8:4470
LOG=n
Review URL: https://codereview.chromium.org/1417973006
Cr-Commit-Position: refs/heads/master@{#31524}
port 7557dc5a70 (r31312).
original commit message:
This change add a new bytecode for operator new and implements it using
the Construct() builtin.
BUG=
Review URL: https://codereview.chromium.org/1423733002
Cr-Commit-Position: refs/heads/master@{#31518}
