Commit Graph

46222 Commits

Author SHA1 Message Date
Michael Starzinger
f6ed92d6de [wasm] Turn {WasmCompiledModule} into a proper {Struct}.
This makes sure that the object can be identified by a unique instance
type and hence is not accidentally confused with other FixedArrays on
the heap.

R=clemensh@chromium.org
BUG=v8:7509

Change-Id: I20521cdcabbbddecd89ca8cd4bb203a47e1db0cd
Reviewed-on: https://chromium-review.googlesource.com/946253
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51730}
2018-03-05 13:44:51 +00:00
Vaclav Brozek
44bed6a85e TF stubs out of ArrayIndexOf and ArrayInclude builtins
ArrayIndexOf is a monolithic builtin which does some checking and then handles
three groups of fast arrays: those with holey doubles, compacted doubles and
SMIs+objects. TF cannot reuse this efficiently, because calling the TFJ
ArrayIndexOf duplicates some checks and also does not allow passing arguments
through registers. Similarly for ArrayInclude.

This CL splits the three different types of fast array handling into a separate
TF stubs, and makes the parent TFJ as well as TurboFan itself use them where
appropriate.

The TODOs not tackled in this CL inculde:
* passing an empty context to spare a register when possible
* inlining the search loop if there is any performance gain to it

(This is the contiunation of http://crrev.com/2757853002, moved due to Rietveld
deprecation.)

BUG=v8:5985

Change-Id: I00c97b71be4892f8bc7e1ed6d72e02087618a9a6
Reviewed-on: https://chromium-review.googlesource.com/573020
Commit-Queue: Vaclav Brozek <vabr@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51729}
2018-03-05 13:37:21 +00:00
Sigurd Schneider
efed5562cd [turbofan] Fix undefined behavior in accessing operator parameters
OpParameter<int32_t> was still used for an operator after the operators
parameter changed from int32_t to a struct. Coincidentally, the first
field of the struct holds the value previously stored in that int32_t,
so correctness tests did not catch this.

Bug: chromium:818611, v8:7517
Change-Id: Ie46f084f7fa8117cd3493fc5ceafac11553dc55e
Reviewed-on: https://chromium-review.googlesource.com/948546
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51728}
2018-03-05 13:35:21 +00:00
jgruber
8020b0dda5 [builtins] Only create constants table if serializing
Since we currently only fill the constants table if we're serializing,
we should only create & finalize the table in that case. Otherwise,
leave it initialized to empty_fixed_array.

Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel_ng
Bug: v8:6666
Change-Id: I6ecbfac9dc9a9dac7ff0f11331be09b1cbfb4c18
Reviewed-on: https://chromium-review.googlesource.com/948490
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51727}
2018-03-05 12:54:01 +00:00
Sigurd Schneider
a74b24913b [cleanup] Add DCHECK to uses of OpParameter<int>
Bug: v8:7517, v8:7310
Change-Id: I438bc933d51062bfbb9a419be9c5b67032707fdb
Reviewed-on: https://chromium-review.googlesource.com/946090
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51726}
2018-03-05 12:37:51 +00:00
Benedikt Meurer
06ee127b75 [es2015] Refactor the JSArrayIterator.
This changes the JSArrayIterator to always have only a single instance
type, instead of the zoo of instance types that we had before, and
which became less useful with the specification update to when "next"
is loaded from the iterator now. This greatly simplifies the baseline
implementation of the array iterator, which now only looks at the
iterated object during %ArrayIteratorPrototype%.next invocations.

In TurboFan we introduce a new JSCreateArrayIterator operator, that
holds the IterationKind and get's the iterated object as input. When
optimizing %ArrayIteratorPrototype%.next in the JSCallReducer, we
check whether the receiver is a JSCreateArrayIterator, and if so,
we try to infer maps for the iterated object from there. If we find
any, we speculatively assume that these won't have changed during
iteration (as we did before with the previous approach), and generate
fast code for both JSArray and JSTypedArray iteration.

Drive-by-fix: Drop the fast_array_iteration protector, it's not
necessary anymore since we have the deoptimization guard bit in
the JSCallReducer now.

This addresses the performance cliff noticed in webpack 4. The minimal
repro on the tracking bug goes from

  console.timeEnd: mono, 124.773000
  console.timeEnd: poly, 670.353000

to

  console.timeEnd: mono, 118.709000
  console.timeEnd: poly, 141.393000

so that's a 4.7x improvement.

Also make presubmit happy by adding the missing #undef's.

Bug: v8:7510, v7:7514
Change-Id: I79a46bfa2cd0f0710e09365ef72519b1bbb667b5
Reviewed-on: https://chromium-review.googlesource.com/946098
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51725}
2018-03-05 11:57:28 +00:00
Clemens Hammacher
2e3df6d916 [Liftoff] Implement f32.sqrt and f64.sqrt
On ia32, support for vsqrtss and vsqrtsd was missing, so I add the
implementation of these instructions and disassembly support.
On x64, disassembly support for vsqrtss was missing, while vsqrtsd was
implemented. Now both are implemented.
The implementation of f32.sqrt and f64.sqrt is very straight-forward on
ia32 and x64, we can immediately emit the {v}sqrtss or {v}sqrtsd
instruction.

R=ahaas@chromium.org

Bug: v8:6600
Change-Id: Icf3ec05a97a23e94cdf70f4a72f30dd02fbddd13
Reviewed-on: https://chromium-review.googlesource.com/944221
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51724}
2018-03-05 11:39:48 +00:00
Sigurd Schneider
73d6037c20 Revert "[in-place weak refs] Add in-place weak references & migrate one WeakCell to it."
This reverts commit 07c1e641d9.

Reason for revert: Breaks TSAN build.

https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20TSAN/builds/19784

Original change's description:
> [in-place weak refs] Add in-place weak references & migrate one WeakCell to it.
> 
> Implement in-place weak reference handling in GC.
> 
> Turn FeedbackVector::optimized_code_or_smi into an in-place weak reference (this
> is the only in-place weak reference at this point).
> 
> (See bug for design doc.)
> 
> BUG=v8:7308
> 
> Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;master.tryserver.chromium.linux:linux_chromium_rel_ng
> Change-Id: I0f9f992cb4ee0457c40b7c868317dfb607bfb906
> Reviewed-on: https://chromium-review.googlesource.com/873638
> Commit-Queue: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51722}

TBR=ulan@chromium.org,marja@chromium.org,yangguo@chromium.org,hpayer@chromium.org,mlippautz@chromium.org,ishell@chromium.org,bmeurer@chromium.org

Change-Id: I75a7dd99fbfd2f5922a6c4d2000bea2adfdeac11
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7308
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/948522
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51723}
2018-03-05 11:38:41 +00:00
Marja Hölttä
07c1e641d9 [in-place weak refs] Add in-place weak references & migrate one WeakCell to it.
Implement in-place weak reference handling in GC.

Turn FeedbackVector::optimized_code_or_smi into an in-place weak reference (this
is the only in-place weak reference at this point).

(See bug for design doc.)

BUG=v8:7308

Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I0f9f992cb4ee0457c40b7c868317dfb607bfb906
Reviewed-on: https://chromium-review.googlesource.com/873638
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51722}
2018-03-05 11:11:48 +00:00
Georg Neis
cf8cd1c444 [interpreter] Only create spread-related feedback slots when necessary.
Only create spread-related feedback slots when the array literal
actually contains a spread.

Bug: v8:5940
Change-Id: I0afad81d4bf1a86ebc1bf81f1213f680eb22bc49
Reviewed-on: https://chromium-review.googlesource.com/947955
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51721}
2018-03-05 11:01:32 +00:00
Sigurd Schneider
d1df563059 [turbofan] Fix bug in Array.p.reduceRight
Bug: v8:7495
Change-Id: Id929804e0d0f78c17d81d07cd6a5c5e571449d35
Reviewed-on: https://chromium-review.googlesource.com/947974
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51720}
2018-03-05 10:52:32 +00:00
Georg Neis
c895a23a99 [ic] Relax a CHECK.
The CHECK didn't account for the recent introduction of
StoreInArrayLiteralIC.

Bug: v8:5940, chromium:818438
Change-Id: I73b4120eb39b16d766f0b1a9cb82ba44804b09a3
Reviewed-on: https://chromium-review.googlesource.com/947950
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51719}
2018-03-05 10:09:01 +00:00
Sigurd Schneider
388e505a24 [cleanup] Remove OpParameter(Node*) helper
This also introduces FrameStateInfoOf helper.

Bug: v8:7517, v8:7310
Change-Id: If2dd1257fb9384fe957a980077a65154cc014d3b
Reviewed-on: https://chromium-review.googlesource.com/946009
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51718}
2018-03-05 10:05:05 +00:00
jgruber
abcc28ced0 [builtins] Enable embedded builtins and add testing variants
This enables the v8_enable_embedded_builtins gn flag on non-ia32 builds
and adds a new --stress-off-heap-code test mode to fyi bots.

v8_enable_embedded_builtins=true changes accesses to constants and
external references to go through the root list in builtins code.

--stress-off-heap-code copies builtins code off-heap on isolate
creation.

A few drive-by-fixes:
- ensure that we actually inspect the correct builtin during
  isolate-independence testing.
- relax tests to decrease maintenance (now we only fail if a builtin
  should be isolate-independent but isn't).
- switch to a different off-heap-trampoline register on arm due to
  conflicts with custom stub linkages.

Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel_ng
Bug: v8:6666
Change-Id: I09ad3c75cb4342f4c548ea780f275993730896c8
Reviewed-on: https://chromium-review.googlesource.com/934281
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Hablich <hablich@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51717}
2018-03-05 09:50:01 +00:00
Jaroslav Sevcik
a4353d1464 [turbofan] Only lower to PoisonedLoads when --branch-load-poisoning is on.
Change-Id: I618e357ea0d00b64dd4d8a54e865bed716a460e8
Bug: chromium:798964
Reviewed-on: https://chromium-review.googlesource.com/947963
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51716}
2018-03-05 07:33:49 +00:00
Mostyn Bramley-Moore
bd6b04fa6f [jumbo] avoid namespace collisions in wasm atomics tests
Followup to https://chromium-review.googlesource.com/c/v8/v8/+/923718

Bug: v8:6532
Change-Id: I4ed3dd94a59172a54cc5cb70730fdffba4efb383
Reviewed-on: https://chromium-review.googlesource.com/947942
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Mostyn Bramley-Moore <mostynb@vewd.com>
Cr-Commit-Position: refs/heads/master@{#51715}
2018-03-03 21:26:24 +00:00
Bill Budge
9568cea8bf [API] Remove ArrayBuffer::Allocator virtual memory methods.
- Removes Reserve, Free (overload) and SetProtection methods.
- Updates comment on enum which we still need to distinguish
  between allocated and reserved ArrayBuffers.

Bug: chromium:799573
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I1b4e08f97c22ae6b6af847fbcdde047be62fecf8
Reviewed-on: https://chromium-review.googlesource.com/924603
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Eric Holk <eholk@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51714}
2018-03-03 12:00:24 +00:00
v8-autoroll
8abd973b46 Update V8 DEPS.
Rolling v8/build: 9ca0348..0fc17e2

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/414af52..406b235

Rolling v8/tools/clang: 44042e5..36f3a71

TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org

Change-Id: Ibb539a47cdda6165ee6da03df253339be5a87bf5
Reviewed-on: https://chromium-review.googlesource.com/947824
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51713}
2018-03-03 04:59:54 +00:00
Jakob Kummerow
4534e8cc47 [DataView] Throw TypeError when buffer is detached
Per spec, accesses to a DataView object must throw a TypeError if
the underlying ArrayBuffer has been detached/neutered. Since that
implies a length of 0, we used to detect this as an out-of-bounds
access and throw a RangeError. Adding a separate check for buffer
detachedness lets us distinguish both cases properly.

Bug: v8:4895
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I1c1d4145dcd77dfb69f61062e14a6e8e538d45eb
Reviewed-on: https://chromium-review.googlesource.com/947585
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51712}
2018-03-03 01:50:22 +00:00
Jakob Kummerow
62d1f78245 [bigint] Fix throwing in Exponentiate()
When the multiplication steps fail, they have already thrown an
exception internally, so we should not throw another.
The power-of-two fast path erroneously did not throw at all for
a few input values.

Bug: chromium:818277
Change-Id: If90f6aa3e77fc72e3434daca3b898c77739933ab
Reviewed-on: https://chromium-review.googlesource.com/947254
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51711}
2018-03-03 00:59:42 +00:00
Jakob Kummerow
a2629d0365 [test] Update test262.status for BigInts
- Merge new fail expectations that are dupes of existing issues
  into the respective sections.
- Stop skipping tests we can run now.

Bug: v8:6791, v8:7511
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I4e17ff8eb5d2596561a138e34c441b00b761d7d2
Reviewed-on: https://chromium-review.googlesource.com/947321
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51710}
2018-03-03 00:30:42 +00:00
Georg Neis
2e2860f74f [ic] Introduce new IC for storing into array literals.
... and use it in the implementation of array literal spreads,
replacing calls to %AppendElement.

Array spreads in destructuring will be taken care of in a separate CL.

Bug: v8:5940, v8:7446
Change-Id: Idec52398902a7fd3c1244852cf73246f142404f0
Reviewed-on: https://chromium-review.googlesource.com/915364
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51709}
2018-03-02 21:12:57 +00:00
Jakob Kummerow
824358f07b [bigint] Make MSan happy: zero-initialize unused bits
There are some unused bits in a BigInt's bit field. We never read their
their values explicitly, but whenever the entire object is moved around
(for serialization, or GC), this uninitialized memory is accessed. This
patch fixes that by initializing the entire field after allocation of a
BigInt, not just the bits we actually use.

Bug: chromium:818109
Change-Id: I5a4d24c3240242157b902c696fa9bb779799280d
Reviewed-on: https://chromium-review.googlesource.com/946676
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51708}
2018-03-02 20:06:57 +00:00
Mathias Bynens
08e168d0ff [builtins] Refactor the ProxyConstructor builtin
This patch removes the ProxyConstructor_ConstructStub builtin,
merging its functionality into the refactored ProxyConstructor
TurboFan builtin.

This brings us closer to our goal of deprecating the `construct_stub`
field in `SharedFunctionInfo`.

Bug: v8:7503, v8:7518
Change-Id: Iee76ba1a116ba61a543da529ec55149df333dcca
Reviewed-on: https://chromium-review.googlesource.com/946488
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51707}
2018-03-02 19:47:27 +00:00
Georg Neis
97b3a968a5 [ic] Remove pointless macros and obsolete comments.
Change-Id: I8f842187d9a02657474c47f5ea1c3257a7ec9317
Reviewed-on: https://chromium-review.googlesource.com/916143
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51706}
2018-03-02 16:50:54 +00:00
Sigurd Schneider
b124085f37 Reland "[turbofan] Remove obsolete fast-path"
This is a reland of fdbb5bebb4

Original change's description:
> [turbofan] Remove obsolete fast-path
> 
> This is subsumed by an optimization is JSCallReducer now.
> 
> Bug: v8:7340, v8:7250
> Change-Id: I6c706177e410abd57ea24a7ffbbe2437733ed7c7
> Reviewed-on: https://chromium-review.googlesource.com/946088
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51697}

Bug: v8:7340, v8:7250
Change-Id: Ic370c82af78ab8916608f8d774ef1b50d99b894e
Reviewed-on: https://chromium-review.googlesource.com/946010
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51705}
2018-03-02 16:20:13 +00:00
Clemens Hammacher
cdf0c2e801 Account for different interpretations of "trivially copyable"
Unfortunately, different runtime libraries and/or compilers differ on
whether a class without any copy constructor, move constructor, copy
assignment and move assignment operator is considered trivially
copyable.
See discussion on https://crrev.com/c/941521.

This CL adds a comment about this, and deletes a test for this specific
case.

R=mstarzinger@chromium.org
CC=jyan@ca.ibm.com, ivica.bogosavljevic@mips.com

Change-Id: Ie07adda370e5e955b782e72356b50121477d4623
Reviewed-on: https://chromium-review.googlesource.com/944081
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51704}
2018-03-02 15:45:14 +00:00
Gabriel Charette
226da60f4a [v8] Do not do rely on hyper-threads for concurrent marking on Mac.
This should recover https://chromeperf.appspot.com/report?sid=4d751475ba95911f865aed7a822d55dde18304bc0cfd2f8409d1de9fe9695343
and https://arewefastyet.com/#machine=28&view=single&suite=octane&subtest=Splay

It will however regress this:
https://chromeperf.appspot.com/report?sid=020744195cfb20c373344b86b76385ce2919b53796b5c0651ba71c0625e8de19&start_rev=531511&end_rev=540262

R=ulan@chromium.org

Bug: chromium:812178, chromium:816541
Change-Id: Ia367d24b013c3f16d1dc2ae56d4c5ef23342845f
Reviewed-on: https://chromium-review.googlesource.com/946099
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Gabriel Charette <gab@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51703}
2018-03-02 15:36:54 +00:00
Benedikt Meurer
956ac923e6 [turbofan] Connect non-returning runtime calls to end.
This changes the BytecodeGraphBuilder to connect runtime calls that
don't return normally, but always throw exceptions, to End (via a Throw
node), instead of inserting Phis on the return values. This unblocks
the new optimization approach for array iteration.

Bug: v8:7510, v8:7514
Change-Id: Ic78216cc27034f191c4850e476f24e598c17deca
Reviewed-on: https://chromium-review.googlesource.com/946250
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51702}
2018-03-02 15:11:33 +00:00
Sigurd Schneider
bc9393000b [cleanup] Fix typo
Bug: v8:7310
Change-Id: I2e3c324babc4e7e51791c44290dffcf8829c15ce
Reviewed-on: https://chromium-review.googlesource.com/946252
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51701}
2018-03-02 14:46:13 +00:00
Hannes Payer
9776e267ef [heap] Don't modify free list entries when peeking into the free list top.
Bug: chromium:774108
Change-Id: I2765b5d48a53a5ef88ba0503dd47c7188ef2518a
Reviewed-on: https://chromium-review.googlesource.com/945789
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51700}
2018-03-02 14:39:03 +00:00
Tobias Tebbi
b8abd2736e [turbofan] remove type-widening NaN-addition folding
Folding _ + NaN => NaN can widen type None to a constant type, which leads to floating DeadValue nodes. This CL fixes this by removing the optimization. Alternatively, we should consider removing all nodes of type None in simplified lowering.

Bug: chromium:817225
Change-Id: I2a126b360d70d3626f8a3c5e73ac72dc980ac8b3
Reviewed-on: https://chromium-review.googlesource.com/946129
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51699}
2018-03-02 14:19:59 +00:00
Sigurd Schneider
8bc7861f9c Revert "[turbofan] Remove obsolete fast-path"
This reverts commit fdbb5bebb4.

Reason for revert: typo in patch

Original change's description:
> [turbofan] Remove obsolete fast-path
> 
> This is subsumed by an optimization is JSCallReducer now.
> 
> Bug: v8:7340, v8:7250
> Change-Id: I6c706177e410abd57ea24a7ffbbe2437733ed7c7
> Reviewed-on: https://chromium-review.googlesource.com/946088
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51697}

TBR=sigurds@chromium.org,bmeurer@chromium.org

Change-Id: I3d11c8512c0edf55325a34035d10a1efcffbd057
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7340, v8:7250
Reviewed-on: https://chromium-review.googlesource.com/946288
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51698}
2018-03-02 14:18:55 +00:00
Sigurd Schneider
fdbb5bebb4 [turbofan] Remove obsolete fast-path
This is subsumed by an optimization is JSCallReducer now.

Bug: v8:7340, v8:7250
Change-Id: I6c706177e410abd57ea24a7ffbbe2437733ed7c7
Reviewed-on: https://chromium-review.googlesource.com/946088
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51697}
2018-03-02 13:45:42 +00:00
Camillo Bruni
1f307ba52f [runtime] Add BOILERPLATE_DESCRIPTION_TYPE InstanceType
Bug: v8:7266
Change-Id: I2835ec79aaa2821aca288685a3f230a7f8029186
Reviewed-on: https://chromium-review.googlesource.com/941948
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51696}
2018-03-02 13:43:27 +00:00
Camillo Bruni
bb862bbc50 [callbacks] Clean up PropertyCallbackArguments
This CL removes the last method taking a raw callback as argument.

Bug: chromium:782550
Change-Id: Ia7f19120be7dcb2648f11cd3cdb8880f8818490d
Reviewed-on: https://chromium-review.googlesource.com/822198
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51695}
2018-03-02 13:42:22 +00:00
Mathias Bynens
279085d852 [builtins] Refactor the NumberConstructor builtin
This patch removes the NumberConstructor_ConstructStub builtin,
merging its functionality into the refactored NumberConstructor
TurboFan builtin.

This brings us closer to our goal of deprecating the `construct_stub`
field in `SharedFunctionInfo`.

Bug: v8:7503, v8:7518
Change-Id: Ia407a2d43cda9fc7b26e13274fd79f110b6232ca
Reviewed-on: https://chromium-review.googlesource.com/946008
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51694}
2018-03-02 13:15:42 +00:00
Camillo Bruni
c00764b6c2 [tools] Even more HeapStats improvements
- Add B/KiB/MiB units to histograms
- Auto select fileReader to open dialog when pressing enter

Bug: v8:7266
Change-Id: I6fa56d2fa112f6ddbd541304cd26a1f6bd9322ce
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/946128
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51693}
2018-03-02 12:49:12 +00:00
Camillo Bruni
edff752080 [factory] Use NewFixedArrayWithMap where possible
This prevents us from accidentally overwriting the default map of the
empty_fixed_array since NewFixedArray might just return that.

Change-Id: Id2fd20db1c07ec0289905ce5b0e12b5530a60229
Reviewed-on: https://chromium-review.googlesource.com/942923
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51692}
2018-03-02 12:24:52 +00:00
Sigurd Schneider
2daca1c6a8 Reland "[turbofan] Preserve order of compares in switches"
This is a reland of b8bc26d099

Original change's description:
> [turbofan] Preserve order of compares in switches
> 
> This CL makes sure that control flow optimization does
> not change the order of switches that ultimately get
> lowered to a series of comparisons anyway.
> 
> Bug: v8:7326
> Change-Id: If004de6b71a7e9504d37754c847ca108a64e49db
> Reviewed-on: https://chromium-review.googlesource.com/941952
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51679}

Bug: v8:7326
Change-Id: Ifbe61dece499c98bbd49fa3ae9b99ccf4e955ddc
Reviewed-on: https://chromium-review.googlesource.com/945770
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51691}
2018-03-02 12:03:42 +00:00
Camillo Bruni
767c954972 [tools] Improve HeapStats
- Categorize more instance types
- Fix GC selection dropdown labels
- Show GC times in seconds
- Collapse file reader after loading

Bug: v8:7266
Change-Id: If967ebdb887105e808cfc8fb3bc92f9da5c91fd2
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/945908
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51690}
2018-03-02 11:46:01 +00:00
Michael Starzinger
a6f84875bb [wasm] Simplify offset declaration of WebAssembly objects.
R=clemensh@chromium.org
BUG=v8:7509

Change-Id: If4c199535f9a039f648c54bc72094dbc4218607d
Reviewed-on: https://chromium-review.googlesource.com/945731
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51689}
2018-03-02 11:43:11 +00:00
Sigurd Schneider
3ea2d6b06f [cctests] Disable flaky cctest test-heap-profiler/SamplingHeapProfiler
Bug: v8:7444
Change-Id: Ib4f5134ff57127a5ce4d57dbc42e52111ab938ff
Reviewed-on: https://chromium-review.googlesource.com/940941
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51688}
2018-03-02 10:57:21 +00:00
Michael Starzinger
d623fcae9c [wasm] Turn {WasmSharedModuleData} into a proper {Struct}.
This makes sure that the object can be identified by a unique instance
type and hence is not accidentally confused with other FixedArrays on
the heap.

R=clemensh@chromium.org
BUG=v8:7509

Change-Id: Ib3dcdb4559821d0ad9ca8cced37754e0e3c1d578
Reviewed-on: https://chromium-review.googlesource.com/943781
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51687}
2018-03-02 10:34:22 +00:00
Georg Neis
82345e9fbf Reland "[parsing] inline ArrayLiteral creation for spread calls"
This reverts commit f48e734903.

Reason for revert: innocent!!

Original change's description:
> Revert "[parsing] inline ArrayLiteral creation for spread calls"
> 
> This reverts commit 93fc3841c3.
> 
> Reason for revert: may break node.js integration
> 
> Original change's description:
> > [parsing] inline ArrayLiteral creation for spread calls
> > 
> > Instead of using runtime calls to generate the Array Literal passed to
> > %reflect_call / %reflect_construct, we create an ArrayLiteral from the
> > list of arguments, and perform spreads using the interpreter mechanism for
> > spreading in ArrayLiterals (thus, the spreading becomes inline). This
> > array literal is still passed to %reflect_call / %reflect_construct as
> > before.
> > 
> > This cuts the runtime for bench-spread-call.js -> testSpread roughly in
> > half, and will likely improve further once
> > https://chromium-review.googlesource.com/c/v8/v8/+/915364 has landed.
> > 
> > BUG=v8:7446
> > R=​neis@chromium.org, adamk@chromium.org
> > 
> > Change-Id: I74a6acd3a60aad422e4ac575275c7b567659d8ad
> > Reviewed-on: https://chromium-review.googlesource.com/939587
> > Commit-Queue: Georg Neis <neis@chromium.org>
> > Reviewed-by: Georg Neis <neis@chromium.org>
> > Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#51678}
> 
> TBR=adamk@chromium.org,neis@chromium.org,caitp@igalia.com,bmeurer@chromium.org
> 
> Change-Id: I4730077591bce0e5e7b2ce7d59678e8b7135cc08
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug: v8:7446
> Reviewed-on: https://chromium-review.googlesource.com/945769
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51682}

TBR=adamk@chromium.org,neis@chromium.org,sigurds@chromium.org,caitp@igalia.com,bmeurer@chromium.org

Change-Id: I977513bea06a4f3fba03fa4a89270298475422e2
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7446
Reviewed-on: https://chromium-review.googlesource.com/945808
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51686}
2018-03-02 10:03:42 +00:00
Clemens Hammacher
6195ebe160 [wasm] Fix DCHECK for lazy compilation
Table inits can contain imported functions, hence their code will be a
wasm-to-wasm wrapper.
Fix a DCHECK and add a regression test.

R=ahaas@chromium.org

Bug: chromium:817380
Change-Id: I836be589e1ae66839ccd470154c8dea488e6bc1f
Reviewed-on: https://chromium-review.googlesource.com/943107
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51685}
2018-03-02 09:48:11 +00:00
Benedikt Meurer
1525374ff5 [es2015] Extend the array iterator protector.
Previously the array iterator protector only guarded the lookup of the
@@iterator symbol on the initial Array.prototype, and we had to use an
additional map check on the %ArrayIteratorPrototype% to ensure that no
one messed with the next() method.  This CL extends the array iterator
protector to also guard the lookup of %ArrayIteratorPrototype%.next.

This simplifies the code quite a bit and makes it more robust for cases
where someone has to install additional methods on the iterator
prototype, i.e. a custom async iterator.

Bug: v8:7510, v8:7514
Change-Id: Ie6080bb837a91a2b60b224597121470614210660
Reviewed-on: https://chromium-review.googlesource.com/945728
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51684}
2018-03-02 09:34:31 +00:00
Sigurd Schneider
240a8c353c [turbofan] Migrate String.p.concat to JSCallReducer
Bug: v8:7250, v8:7340
Change-Id: Ic302a811dd827fc1692240c225b3e580a54a3a2f
Reviewed-on: https://chromium-review.googlesource.com/943422
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51683}
2018-03-02 09:31:11 +00:00
Sigurd Schneider
f48e734903 Revert "[parsing] inline ArrayLiteral creation for spread calls"
This reverts commit 93fc3841c3.

Reason for revert: may break node.js integration

Original change's description:
> [parsing] inline ArrayLiteral creation for spread calls
> 
> Instead of using runtime calls to generate the Array Literal passed to
> %reflect_call / %reflect_construct, we create an ArrayLiteral from the
> list of arguments, and perform spreads using the interpreter mechanism for
> spreading in ArrayLiterals (thus, the spreading becomes inline). This
> array literal is still passed to %reflect_call / %reflect_construct as
> before.
> 
> This cuts the runtime for bench-spread-call.js -> testSpread roughly in
> half, and will likely improve further once
> https://chromium-review.googlesource.com/c/v8/v8/+/915364 has landed.
> 
> BUG=v8:7446
> R=​neis@chromium.org, adamk@chromium.org
> 
> Change-Id: I74a6acd3a60aad422e4ac575275c7b567659d8ad
> Reviewed-on: https://chromium-review.googlesource.com/939587
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51678}

TBR=adamk@chromium.org,neis@chromium.org,caitp@igalia.com,bmeurer@chromium.org

Change-Id: I4730077591bce0e5e7b2ce7d59678e8b7135cc08
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7446
Reviewed-on: https://chromium-review.googlesource.com/945769
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51682}
2018-03-02 09:29:32 +00:00
Sigurd Schneider
9ca27e1822 Revert "[turbofan] Preserve order of compares in switches"
This reverts commit b8bc26d099.

Reason for revert: may break node.js integration

Original change's description:
> [turbofan] Preserve order of compares in switches
> 
> This CL makes sure that control flow optimization does
> not change the order of switches that ultimately get
> lowered to a series of comparisons anyway.
> 
> Bug: v8:7326
> Change-Id: If004de6b71a7e9504d37754c847ca108a64e49db
> Reviewed-on: https://chromium-review.googlesource.com/941952
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51679}

TBR=jarin@chromium.org,sigurds@chromium.org,bmeurer@chromium.org

Change-Id: Ideb551e0831c686dc7c247b77f59ff3485c30181
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7326
Reviewed-on: https://chromium-review.googlesource.com/945768
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51681}
2018-03-02 09:26:32 +00:00