- 20 Jan, 2021 1 commit
-
-
Seth Brenith authored
This change adds Torque field definitions for ScopeInfo and begins to use the Torque-generated accessors in some places. It does not change the in-memory layout of ScopeInfo. Torque compiler changes: - Fix an issue where the parser created constexpr types for classes based on the class name rather than the `generates` clause. This meant that generated accessors referred to the imaginary type HashTable rather than the real C++ type FixedArray. - Don't pass Isolate* through the generated runtime functions that implement Torque macros. Maybe we'll need it eventually, but we don't right now and it complicates a lot of things. - Don't emit `kSomeFieldOffset` if some_field has an unknown offset. Instead, emit a member function `SomeFieldOffset()` which fetches the slice for some_field and returns its offset. - Emit an `AllocatedSize()` member function for classes which have complex length expressions. It fetches the slice for the last field and performs the multiply&add to compute the total object size. - Emit field accessors for fields with complex length expressions, using the new offset functions. - Fix a few minor bugs where Torque can write uncompilable code. With this change, most code still treats ScopeInfo like a FixedArray, so I would like to follow up with some additional changes: 1. Generate a GC visitor for ScopeInfo and use it 2. Generate accessors for struct-typed fields (indexed or otherwise), and use them 3. Get rid of the FixedArray-style get and set accessors; use TaggedField::load and similar instead 4. Inherit from HeapObject rather than FixedArrayBase to remove the unnecessary `length` field After that, there will only be one ugly part left: initialization. I think it's possible to generate a factory function that takes a bunch of iterator parameters and returns a fully-formed, verifiably correct ScopeInfo instance, but doing so is more complicated than the four mostly-mechanical changes listed above. Bug: v8:7793 Change-Id: I55fcfe9189e4d1613c68d49e378da5dc02597b36 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2357758Reviewed-by:
Toon Verwaest <verwaest@chromium.org> Reviewed-by:
Peter Marshall <petermarshall@chromium.org> Reviewed-by:
Dominik Inführ <dinfuehr@chromium.org> Reviewed-by:
Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com> Cr-Commit-Position: refs/heads/master@{#72187}
-
- 19 Jan, 2021 1 commit
-
-
Sathya Gunasekaran authored
This will allow us optimize the protector cell checks in the fast path from checking against the function object in every context to just doing a range check against the instance type. This patch adds new instance types for constructor functions that require such protector cell checks. Bug: v8:11256 Change-Id: Iea722f9c6326dfa470149dd02e689a23942097f4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2595442Reviewed-by:
Mythri Alle <mythria@chromium.org> Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Reviewed-by:
Nico Hartmann <nicohartmann@chromium.org> Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Reviewed-by:
Camillo Bruni <cbruni@chromium.org> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#72146}
-
- 04 Dec, 2020 1 commit
-
-
Tobias Tebbi authored
Port String::Flatten to Torque (using a fast C call for the non-allocating part) and provide fast and easy access to sequential string data in Torque: GetStringData() flattens if necessary and computes slices that allow direct access. Applications: String.prototype.replaceAll, String.prototype.endsWith, and String.prototype.beginsWith now use GetStringData() and direct slice access instead of the slow StringCharCodeAt and they no longer bail out to the runtime for flattening. Drive-by changes: - Expose String instance type bits as bitfields and enums in Torque. - Fix method lookup in Torque to include superclass methods. - Use char8 and char16 types in more places. - Allow fast C calls with void return type. - Add Torque macros to create subslices. - Add no-GC scopes to runtime functions loading external string data. Bug: v8:7793 Change-Id: I763b9b24212770307c9b2fe9f070f21f65d68d58 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2565515 Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#71611}
-
- 01 Dec, 2020 1 commit
-
-
Ross McIlroy authored
In order to reduce the codegen size of dynamic map checks, add the ability to have an eager with resume deopt point, which can call a given builitin to perform a more detailed check than can be done in codegen, and then either deoptimizes itself (as if the calling code had performed an eager deopt) or resumes execution in the calling code after the check. In addition, support for adding extra arguments to a deoptimization continuation is added to enable us to pass the necessary arguments to the DynamicMapChecks builtin. Finally, a trampoline is added to the DynamicMapChecks which saves the registers that might be clobbered by that builtin, to avoid having to save them in the generated code. This trampoline also performs the deoptimization based on the result of the DynamicMapChecks builtin. In order to ensure both the trampoline and DynamicMapChecks builtin have the same call interface, and to limit the number of registers that need saving in the trampoline, the DynamicMapChecks builtin is moved to be a CSA builtin with a custom CallInterfaceDescriptor, that calls an exported Torque macro that implements the actual functionality. All told, this changes the codegen for a monomorphic dynamic map check from: movl rbx,<expected_map> cmpl [<object>-0x1],rbx jnz <deferred_call> resume_point: ... deferred_call: <spill registers> movl rax,<slot> movq rbx,<object> movq rcx,<handler> movq r10,<DynamicMapChecks> call r10 cmpq rax,0x0 jz <restore_regs> cmpq rax,0x1 jz <deopt_point_1> cmpq rax,0x2 jz <deopt_point_2> int3l restore_regs: <restore_regs> jmp <resume_point> ... deopt_point_1: call Deoptimization_Eager deopt_point_2: call Deoptimization_Bailout To: movl rax,<slot> movl rcx,<expected_map> movq rdx,<handler> cmpl [<object>-0x1],rcx jnz <deopt_point> resume_point: ... deopt_point: call DynamicMapChecksTrampoline jmp <resume_point> BUG=v8:10582 Change-Id: Ica4927b9acc963b9b73dc62d9379a7815335650f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2560197 Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by:
Georg Neis <neis@chromium.org> Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#71545}
-
- 30 Nov, 2020 1 commit
-
-
Patrick Thier authored
Instead of using argc directly, all CSA builtins should use CodeStubArguments::GetLength(). Bug: v8:11112 Change-Id: Ib62d9d9240e8d42b6b7daed5bdf63f7ab0943fd9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2563879 Commit-Queue: Patrick Thier <pthier@chromium.org> Reviewed-by:
Victor Gomes <victorgomes@chromium.org> Reviewed-by:
Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#71504}
-
- 20 Nov, 2020 4 commits
-
-
Leszek Swirski authored
Because of LocalHeap safepoints, our existing assert scopes don't necessarily maintain the same guarantees as desired. In particular, DisallowHeapAllocation no longer guarantees that objects don't move. This patch transitions DisallowHeapAllocation to DisallowGarbageCollection, to ensure that code using this scope is also protected against safepoints. Change-Id: I0411425884f6849982611205fb17bb072881c722 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2540547 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by:
Peter Marshall <petermarshall@chromium.org> Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Reviewed-by:
Clemens Backes <clemensb@chromium.org> Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Reviewed-by:
Tobias Tebbi <tebbi@chromium.org> Reviewed-by:
Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#71319}
-
Mythri A authored
Bug: v8:6949, v8:11074 Change-Id: I05326fd514ea33ccaa783f5964a338d84b370e84 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2550781Reviewed-by:
Santiago Aboy Solanes <solanes@chromium.org> Reviewed-by:
Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Mythri Alle <mythria@chromium.org> Cr-Commit-Position: refs/heads/master@{#71313}
-
Frank Emrich authored
This CL adds partial support for objects whose slow mode dictionaries are OrderedNameDictionaries. This is the case for all slow mode objects if V8_DICT_MODE_PROTOTYPES is enabled. Specifically, this CL contains bailouts to the runtime in places where the subsequent CSA or Torque code may have to access property dictionaries. These bailouts only happen if V8_DICT_MODE_PROTOTYPES is set, in which case the property dictionaries are of type OrderedNameDictionary, which cannot be handled by most CSA/Torque code. The idea is that these bailouts are temporary and will all be removed once we've implemented the actuall dictionary accesses in CSA/Torque. Bug: v8:7569, v8:11167 Change-Id: I8308b2f8ba2d4dbf7918da42f995ae270c825fff Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2545711 Commit-Queue: Frank Emrich <emrich@google.com> Reviewed-by:
Igor Sheludko <ishell@chromium.org> Reviewed-by:
Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#71311}
-
Frank Emrich authored
This CL adds partial support for objects whose slow mode dictionaries are OrderedNameDictionaries. This is the case for all slow mode objects if V8_DICT_MODE_PROTOTYPES is enabled. Specifically, this CL contains minor changes to CSA code, short of actually performing ordered dictionary lookups using CSA implementations of these lookups. Bug: v8:7569 Change-Id: I0dab0f21000ca3b9b170ace58787ec639d587e64 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2540590 Commit-Queue: Frank Emrich <emrich@google.com> Reviewed-by:
Marja Hölttä <marja@chromium.org> Reviewed-by:
Igor Sheludko <ishell@chromium.org> Reviewed-by:
Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/master@{#71304}
-
- 19 Nov, 2020 1 commit
-
-
Z Nguyen-Huu authored
Bug: v8:11177 Change-Id: Ib4bbdca5fe9811731c15edae5f58243113dd119f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2548080 Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> Reviewed-by:
Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#71296}
-
- 13 Nov, 2020 1 commit
-
-
Frank Emrich authored
Previously, CodeStubAssembler::AllocateOrderedHashTable() would allocate hash tables of the (statically known) minimum capacity in- dicated by the concrete table type. This CL adds AllocateOrderedHashTableWithCapacity, which is inspired by AllocateNameDictionary. It takes a Node<IntPtrT> indicating the desired capacity. Bug: v8:7569 Change-Id: I4bf28f69286e52773319a1ae37d33b2f55175a84 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2503950 Commit-Queue: Frank Emrich <emrich@google.com> Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Reviewed-by:
Igor Sheludko <ishell@chromium.org> Reviewed-by:
Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#71175}
-
- 12 Nov, 2020 1 commit
-
-
Ross McIlroy authored
BUG=v8:6949,v8:11074 Change-Id: Ia5a52dcf42559d97eb6fd4a24f4abd3c40226017 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2531792 Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by:
Santiago Aboy Solanes <solanes@chromium.org> Cr-Commit-Position: refs/heads/master@{#71160}
-
- 11 Nov, 2020 1 commit
-
-
Igor Sheludko authored
This CL * renames Name::hash_field field to raw_hash_field. * all local variables that store raw_hash_field value are also renamed to raw_hash_field where possible. Bug: chromium:1133527, v8:11074 Change-Id: I17313f386110b33a64f629cc2b9d4afd1e06c6c0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2471999Reviewed-by:
Peter Marshall <petermarshall@chromium.org> Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Reviewed-by:
Toon Verwaest <verwaest@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#71114}
-
- 09 Nov, 2020 2 commits
-
-
Santiago Aboy Solanes authored
Remove for: * Word32T * String * SharedFunctionInfo * MaybeObject Bug: v8:6949, v8:11074 Change-Id: I6facf1692697a4776a88ceae8a817f57af40c351 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2523322Reviewed-by:
Ross McIlroy <rmcilroy@chromium.org> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Cr-Commit-Position: refs/heads/master@{#71051}
-
Santiago Aboy Solanes authored
Remove for: * Number * BoolT * Context * HeapObject Bug: v8:6949, v8:11074 Change-Id: Id9f96314c93c75094a2440e1903b56e0649111b2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2523312Reviewed-by:
Mythri Alle <mythria@chromium.org> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Cr-Commit-Position: refs/heads/master@{#71042}
-
- 06 Nov, 2020 4 commits
-
-
Santiago Aboy Solanes authored
Remove for: * DescriptorArray * TransitionArray * Name * Uint32T * JSReceiver * JSFunction * JSObject * JSArray * FixedArrayBase * NativeContext * WeakFixedArray Bug: v8:6949, v8:11074 Change-Id: I5ef9e2d023758baa869018966a2a800f7a40104b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2523194 Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Reviewed-by:
Mythri Alle <mythria@chromium.org> Cr-Commit-Position: refs/heads/master@{#71014}
-
Santiago Aboy Solanes authored
Also, remove CSA (slow) asserts of "IsMap(map)" where possible. Bug: v8:6949, v8:11074 Change-Id: I99c1ede426681a4ec8e7d8a3cc0138557850e164 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2521155Reviewed-by:
Dan Elphick <delphick@chromium.org> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Cr-Commit-Position: refs/heads/master@{#71013}
-
Santiago Aboy Solanes authored
Both to and from kind are PACKED_DOUBLE_ELEMENTS (constant defined above) so we can safely inline and TNodify this call. Bug: v8:6949, v8:11074 Change-Id: Ia9d5e162fdd833dcc4589bc87f6feb18947d2d2a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2521154Reviewed-by:
Ross McIlroy <rmcilroy@chromium.org> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Cr-Commit-Position: refs/heads/master@{#71012}
-
Santiago Aboy Solanes authored
Create two versions of StoreElement: One for RawPtrT and the other one for FixedArrayBase. They have some common code, but the FixedArrayBase one has more cases that it allows. This can be simplified if/when we have access to "if constexpr". Bug: v8:6949, v8:11074 Change-Id: Ifa12fb0688f41c77fa7ec26749c5f725169faace Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2521149 Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Reviewed-by:
Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/master@{#71007}
-
- 03 Nov, 2020 1 commit
-
-
Frank Emrich authored
This CL adds partial support for objects whose slow mode dictionaries are OrderedNameDictionaries. This is the case for all slow mode objects if V8_DICT_MODE_PROTOTYPES is enabled. Bug: v8:7569 Change-Id: I0b5a0d751e6551e78121569ddefd9e00c164cc5a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2489692Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Reviewed-by:
Igor Sheludko <ishell@chromium.org> Commit-Queue: Frank Emrich <emrich@google.com> Cr-Commit-Position: refs/heads/master@{#70952}
-
- 29 Oct, 2020 1 commit
-
-
Shu-yu Guo authored
Fix super calls so that arguments are evaluated before the super constructor is checked to be in fact a constructor. A new bytecode is introduced to split the IsConstructor check out from the current GetSuperConstructor bytecode. Bug: v8:10111 Change-Id: I3af99e32a34d99493806bb01b547d6f671cdc9de Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2493077 Commit-Queue: Shu-yu Guo <syg@chromium.org> Reviewed-by:
Ross McIlroy <rmcilroy@chromium.org> Reviewed-by:
Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#70881}
-
- 20 Oct, 2020 1 commit
-
-
Marja Hölttä authored
With non-super loads (receiver == lookup_start_object), we don't hit the code in AccessorAssembler::GenericPropertyLoad calling CSA::TryGetOwnProperty if the receiver (the lookup_start_object) is a SMI. But with super property loads, if we set up lookup_start_object the right way, we will hit this code. The code was assuming receiver is a HeapObject, which is too restrictive. The receiver is only used for the accessor call, so it's ok to make the type more generic. Bug: v8:9237, chromium:1139786 Change-Id: I3167ccfb54a49ac1c401040a6f02fc1f3b98d9d1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2484366Reviewed-by:
Igor Sheludko <ishell@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#70647}
-
- 19 Oct, 2020 1 commit
-
-
Frank Emrich authored
This changes OrderedHashMap, OrderedHashSet, and OrderedNameDictionary as follows: - Create a dedicated allocation function AllocateEmpty to create zero- element instances of these classes - Fix bugs resulting from using these zero-element versions Further, this CL - provides a canonical empty versions of OrderedNameDictionary - changes the types of the canonical ordered hash table and hash set from FixedArray to the actual subclasses Bug: v8:7569 Change-Id: I0fe1215e7d164617afa777c8b3208a0857ab6edd Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2476315 Commit-Queue: Frank Emrich <emrich@google.com> Reviewed-by:
Igor Sheludko <ishell@chromium.org> Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Reviewed-by:
Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#70604}
-
- 16 Oct, 2020 1 commit
-
-
Igor Sheludko authored
... and add respective regression tests. This CL also adds similar regression tests for TransitionArray but it doesn't have the same issue as DescriptorArray. Bug: chromium:1133527 Change-Id: I668a90f126d76af0a39816ce8697cb29bc65d01b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2465833Reviewed-by:
Toon Verwaest <verwaest@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#70570}
-
- 14 Oct, 2020 2 commits
-
-
Victor Gomes authored
Change-Id: I2f262f4545de9e421310094d0dfab2f6147869b5 Bug: v8:10201 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2466116Reviewed-by:
Junliang Yan <junyan@redhat.com> Reviewed-by:
Andreas Haas <ahaas@chromium.org> Reviewed-by:
Tobias Tebbi <tebbi@chromium.org> Reviewed-by:
Michael Achenbach <machenbach@chromium.org> Reviewed-by:
Michael Lippautz <mlippautz@chromium.org> Reviewed-by:
Leszek Swirski <leszeks@chromium.org> Reviewed-by:
Igor Sheludko <ishell@chromium.org> Commit-Queue: Victor Gomes <victorgomes@chromium.org> Cr-Commit-Position: refs/heads/master@{#70502}
-
Jakob Gruber authored
This is a reland of 16cd5995 Changes since the original CL: generic lowering support for ForInPrepare and ForInNext. Original change's description: > [nci] Prepare JSForInPrepare and JSForInNext for feedback input > > These two operators are still missing feedback collection in generic > lowering (reminder: all operations that collect FB in the interpreter > must also collect FB in generic lowering). > > This CL prepares for that by adding the feedback vector as an input, > and additionally adds node wrappers to improve useability. > > The actual collection logic will be added in a following CL. > > Bug: v8:8888 > Change-Id: I04627eedb2dc237dc4e417091c44d2a95bd98f5f > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2454712 > Commit-Queue: Jakob Gruber <jgruber@chromium.org> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org> > Cr-Commit-Position: refs/heads/master@{#70372} Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel_ng Bug: v8:8888 Change-Id: Idc294ffd2a24922edd08db6897d32d5724956995 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2459373 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by:
Ross McIlroy <rmcilroy@chromium.org> Reviewed-by:
Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#70496}
-
- 13 Oct, 2020 3 commits
-
-
Igor Sheludko authored
This is a reland of 3593ee83 The MSAN doesn't seem to be considering initializing stores via inline assembly as such (in a new cctest helper GetStackPointer()), so this reland attempt fixes the issue and ensures that the MSAN bot is happy. Original change's description: > Reland "[csa] Fix semantics of PopAndReturn" > > This is a reland of 5e5eaf79 > > This CL fixes the "function returns address of local variable" issue > which GCC was complaining about by using inline assembly instead of > address of a local for getting stack pointer approximation. > > Original change's description: > > [csa] Fix semantics of PopAndReturn > > > > This CL prohibits using PopAndReturn from the builtins that > > have calling convention with arguments on the stack. > > > > This CL also updates the PopAndReturn tests so that even off-by-one > > errors in the number of poped arguments are caught which was not the > > case before. > > > > Motivation: > > > > PopAndReturn is supposed to be using ONLY in CSA/Torque builtins for > > dropping ALL JS arguments that are currently located on the stack. > > Disallowing PopAndReturn in builtins with stack arguments simplifies > > semantics of this instruction because in case of presence of declared > > stack parameters it's impossible to distinguish the following cases: > > 1) stack parameter is included in JS arguments (and therefore it will > > be dropped as a part of 'pop' number of arguments), > > 2) stack parameter is NOT included in JS arguments (and therefore it > > should be dropped in ADDITION to the 'pop' number of arguments). > > > > This issue wasn't noticed before because builtins with stack parameters > > relied on adapter frames machinery to ensure that the expected > > parameters are present on the stack, but on the same time the adapter > > frame tearing down code was effectively recovering the stack pointer > > potentially broken by the CSA builtin. > > > > Once we get rid of the arguments adapter frames keeping stack pointer > > in a valid state becomes crucial. > > > > Bug: v8:5269, v8:10201 > > Change-Id: Id3ea9730bb0d41d17999c73136c4dfada374a822 > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2460819 > > Commit-Queue: Igor Sheludko <ishell@chromium.org> > > Reviewed-by: Tobias Tebbi <tebbi@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#70454} > > Tbr: tebbi@chromium.org > Bug: v8:5269 > Bug: v8:10201 > Change-Id: Ic1a05fcc4efd2068538bff28189545cfd2617d9b > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2465839 > Reviewed-by: Igor Sheludko <ishell@chromium.org> > Reviewed-by: Victor Gomes <victorgomes@chromium.org> > Commit-Queue: Igor Sheludko <ishell@chromium.org> > Cr-Commit-Position: refs/heads/master@{#70483} Tbr: tebbi@chromium.org Cq-Include-Trybots: luci.v8.try:v8_linux64_msan_rel_ng Bug: v8:5269 Bug: v8:10201 Change-Id: Ib09af2d1260bb42ac26aabface14e6b83b3efec4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2467847 Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by:
Igor Sheludko <ishell@chromium.org> Reviewed-by:
Victor Gomes <victorgomes@chromium.org> Cr-Commit-Position: refs/heads/master@{#70492}
-
Clemens Backes authored
This reverts commit 3593ee83. Reason for revert: MSan issues: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/34798 Original change's description: > Reland "[csa] Fix semantics of PopAndReturn" > > This is a reland of 5e5eaf79 > > This CL fixes the "function returns address of local variable" issue > which GCC was complaining about by using inline assembly instead of > address of a local for getting stack pointer approximation. > > Original change's description: > > [csa] Fix semantics of PopAndReturn > > > > This CL prohibits using PopAndReturn from the builtins that > > have calling convention with arguments on the stack. > > > > This CL also updates the PopAndReturn tests so that even off-by-one > > errors in the number of poped arguments are caught which was not the > > case before. > > > > Motivation: > > > > PopAndReturn is supposed to be using ONLY in CSA/Torque builtins for > > dropping ALL JS arguments that are currently located on the stack. > > Disallowing PopAndReturn in builtins with stack arguments simplifies > > semantics of this instruction because in case of presence of declared > > stack parameters it's impossible to distinguish the following cases: > > 1) stack parameter is included in JS arguments (and therefore it will > > be dropped as a part of 'pop' number of arguments), > > 2) stack parameter is NOT included in JS arguments (and therefore it > > should be dropped in ADDITION to the 'pop' number of arguments). > > > > This issue wasn't noticed before because builtins with stack parameters > > relied on adapter frames machinery to ensure that the expected > > parameters are present on the stack, but on the same time the adapter > > frame tearing down code was effectively recovering the stack pointer > > potentially broken by the CSA builtin. > > > > Once we get rid of the arguments adapter frames keeping stack pointer > > in a valid state becomes crucial. > > > > Bug: v8:5269, v8:10201 > > Change-Id: Id3ea9730bb0d41d17999c73136c4dfada374a822 > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2460819 > > Commit-Queue: Igor Sheludko <ishell@chromium.org> > > Reviewed-by: Tobias Tebbi <tebbi@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#70454} > > Tbr: tebbi@chromium.org > Bug: v8:5269 > Bug: v8:10201 > Change-Id: Ic1a05fcc4efd2068538bff28189545cfd2617d9b > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2465839 > Reviewed-by: Igor Sheludko <ishell@chromium.org> > Reviewed-by: Victor Gomes <victorgomes@chromium.org> > Commit-Queue: Igor Sheludko <ishell@chromium.org> > Cr-Commit-Position: refs/heads/master@{#70483} TBR=tebbi@chromium.org,ishell@chromium.org,victorgomes@chromium.org Change-Id: Icbd71d744a519a58e49feb917109228631b9d9a3 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:5269 Bug: v8:10201 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2467846Reviewed-by:
Clemens Backes <clemensb@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#70485}
-
Igor Sheludko authored
This is a reland of 5e5eaf79 This CL fixes the "function returns address of local variable" issue which GCC was complaining about by using inline assembly instead of address of a local for getting stack pointer approximation. Original change's description: > [csa] Fix semantics of PopAndReturn > > This CL prohibits using PopAndReturn from the builtins that > have calling convention with arguments on the stack. > > This CL also updates the PopAndReturn tests so that even off-by-one > errors in the number of poped arguments are caught which was not the > case before. > > Motivation: > > PopAndReturn is supposed to be using ONLY in CSA/Torque builtins for > dropping ALL JS arguments that are currently located on the stack. > Disallowing PopAndReturn in builtins with stack arguments simplifies > semantics of this instruction because in case of presence of declared > stack parameters it's impossible to distinguish the following cases: > 1) stack parameter is included in JS arguments (and therefore it will > be dropped as a part of 'pop' number of arguments), > 2) stack parameter is NOT included in JS arguments (and therefore it > should be dropped in ADDITION to the 'pop' number of arguments). > > This issue wasn't noticed before because builtins with stack parameters > relied on adapter frames machinery to ensure that the expected > parameters are present on the stack, but on the same time the adapter > frame tearing down code was effectively recovering the stack pointer > potentially broken by the CSA builtin. > > Once we get rid of the arguments adapter frames keeping stack pointer > in a valid state becomes crucial. > > Bug: v8:5269, v8:10201 > Change-Id: Id3ea9730bb0d41d17999c73136c4dfada374a822 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2460819 > Commit-Queue: Igor Sheludko <ishell@chromium.org> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org> > Cr-Commit-Position: refs/heads/master@{#70454} Tbr: tebbi@chromium.org Bug: v8:5269 Bug: v8:10201 Change-Id: Ic1a05fcc4efd2068538bff28189545cfd2617d9b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2465839Reviewed-by:
Igor Sheludko <ishell@chromium.org> Reviewed-by:
Victor Gomes <victorgomes@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#70483}
-
- 12 Oct, 2020 2 commits
-
-
Zhi An Ng authored
This reverts commit 5e5eaf79. Reason for revert: Failure on V8 Linux gcc https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20gcc/8929? Original change's description: > [csa] Fix semantics of PopAndReturn > > This CL prohibits using PopAndReturn from the builtins that > have calling convention with arguments on the stack. > > This CL also updates the PopAndReturn tests so that even off-by-one > errors in the number of poped arguments are caught which was not the > case before. > > Motivation: > > PopAndReturn is supposed to be using ONLY in CSA/Torque builtins for > dropping ALL JS arguments that are currently located on the stack. > Disallowing PopAndReturn in builtins with stack arguments simplifies > semantics of this instruction because in case of presence of declared > stack parameters it's impossible to distinguish the following cases: > 1) stack parameter is included in JS arguments (and therefore it will > be dropped as a part of 'pop' number of arguments), > 2) stack parameter is NOT included in JS arguments (and therefore it > should be dropped in ADDITION to the 'pop' number of arguments). > > This issue wasn't noticed before because builtins with stack parameters > relied on adapter frames machinery to ensure that the expected > parameters are present on the stack, but on the same time the adapter > frame tearing down code was effectively recovering the stack pointer > potentially broken by the CSA builtin. > > Once we get rid of the arguments adapter frames keeping stack pointer > in a valid state becomes crucial. > > Bug: v8:5269, v8:10201 > Change-Id: Id3ea9730bb0d41d17999c73136c4dfada374a822 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2460819 > Commit-Queue: Igor Sheludko <ishell@chromium.org> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org> > Cr-Commit-Position: refs/heads/master@{#70454} TBR=tebbi@chromium.org,ishell@chromium.org Change-Id: I2673982a8f51cbecf421af11b0ce5ad5031fb406 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:5269 Bug: v8:10201 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2465656Reviewed-by:
Zhi An Ng <zhin@chromium.org> Commit-Queue: Zhi An Ng <zhin@chromium.org> Cr-Commit-Position: refs/heads/master@{#70458}
-
Igor Sheludko authored
This CL prohibits using PopAndReturn from the builtins that have calling convention with arguments on the stack. This CL also updates the PopAndReturn tests so that even off-by-one errors in the number of poped arguments are caught which was not the case before. Motivation: PopAndReturn is supposed to be using ONLY in CSA/Torque builtins for dropping ALL JS arguments that are currently located on the stack. Disallowing PopAndReturn in builtins with stack arguments simplifies semantics of this instruction because in case of presence of declared stack parameters it's impossible to distinguish the following cases: 1) stack parameter is included in JS arguments (and therefore it will be dropped as a part of 'pop' number of arguments), 2) stack parameter is NOT included in JS arguments (and therefore it should be dropped in ADDITION to the 'pop' number of arguments). This issue wasn't noticed before because builtins with stack parameters relied on adapter frames machinery to ensure that the expected parameters are present on the stack, but on the same time the adapter frame tearing down code was effectively recovering the stack pointer potentially broken by the CSA builtin. Once we get rid of the arguments adapter frames keeping stack pointer in a valid state becomes crucial. Bug: v8:5269, v8:10201 Change-Id: Id3ea9730bb0d41d17999c73136c4dfada374a822 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2460819 Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by:
Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#70454}
-
- 09 Oct, 2020 1 commit
-
-
Samuel Groß authored
This change tags pointers in the external pointer table with a type dependent value in order to prevent type confusions between different external pointers. Bug: v8:10391 Change-Id: I5a83178e5ac46d49a99c91047816926120d801d3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2443133Reviewed-by:
Andreas Haas <ahaas@chromium.org> Reviewed-by:
Leszek Swirski <leszeks@chromium.org> Reviewed-by:
Igor Sheludko <ishell@chromium.org> Reviewed-by:
Georg Neis <neis@chromium.org> Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Samuel Groß <saelo@google.com> Cr-Commit-Position: refs/heads/master@{#70430}
-
- 29 Sep, 2020 2 commits
-
-
Samuel Groß authored
This change moves external pointers into a separate table and turns external pointers in heap objects into indices into that table. This CL implements one of two possible ownership models for the table entries. With this one, every heap object owns its table entries, and they are allocated when the owning object is allocated. As such, setting external pointer fields does not require allocation of table entries. On the other hand, table indices cannot be shared between multiple objects. This CL does not yet implement freeing of external pointer table entires. This will later happen by a table garbage collector. Bug: v8:10391 Change-Id: I4d37785295c25a7d1dcbc9871dd5887b9d788a4f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2235700Reviewed-by:
Igor Sheludko <ishell@chromium.org> Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Reviewed-by:
Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Samuel Groß <saelo@google.com> Cr-Commit-Position: refs/heads/master@{#70204}
-
Santiago Aboy Solanes authored
We used to have a loop that it was used for JSReceivers. However, this was not used as a proper loop since at most it would have two loop iterations. Then, it could be changed to a Branch case. Since I was refactoring the method, I also de-duplicated code by using the common code from PlainPrimitiveNonNumberToNumber. In order to do so, said method was renamed to TryPlain... and was reworked as well. Bug: v8:6949, v8:10933 Change-Id: I860601a3b9e8bdeed052dcd237a767ac7ed80c92 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2435110 Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Reviewed-by:
Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#70202}
-
- 28 Sep, 2020 1 commit
-
-
Santiago Aboy Solanes authored
Previously ToNumber could be called with an empty context. In a previous CL (https://crrev.com/c/v8/v8/+/2078580) we added DCHECKS to make sure that some paths were not using the empty context. Now we are doing the next step of adding a primitive to separate the cases. Small update from delphick@ to get the builtin descriptor right. Bug: v8:6949, v8:10933 Change-Id: Ie40b169f680f60a08eb26fac1fcfcef7d6169e65 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2428863 Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Reviewed-by:
Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#70162}
-
- 25 Sep, 2020 1 commit
-
-
Santiago Aboy Solanes authored
Bug: v8:9708, v8:6949 Change-Id: Ic219e0eb18648166a712493039f96e067ad47418 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2395555Reviewed-by:
Mythri Alle <mythria@chromium.org> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Cr-Commit-Position: refs/heads/master@{#70141}
-
- 14 Sep, 2020 1 commit
-
-
Camillo Bruni authored
Bug: v8:10763 Change-Id: I8e8f7924928175516e7ba2500f4660dc160158b2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2409278Reviewed-by:
Igor Sheludko <ishell@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#69871}
-
- 10 Sep, 2020 1 commit
-
-
Camillo Bruni authored
Bug: v8:10763 Change-Id: I959661854e5b138186406d4d6fda77558200d454 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2402878Reviewed-by:
Igor Sheludko <ishell@chromium.org> Reviewed-by:
Victor Gomes <victorgomes@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#69820}
-
- 08 Sep, 2020 1 commit
-
-
Leszek Swirski authored
Change FeedbackVector into a Torque-generated class, simplifying its C++ implementation. As a drive-by, also get rid of the lower-cased, integer-indexed slot accessors, and replace the calls that needed this integer index with FeedbackSlot (potentially with a new WithOffset adjustment for extra data slots). Change-Id: Ie4f7e99b462ef95419edab46b4ac7ceecae9a05f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2398638 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by:
Dominik Inführ <dinfuehr@chromium.org> Reviewed-by:
Igor Sheludko <ishell@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#69749}
-
- 03 Sep, 2020 1 commit
-
-
Santiago Aboy Solanes authored
There is an int version that will be TNodified in a follow-up CL. Bug: v8:9708, v8:6949 Change-Id: I3a47cb352396dfe9dea426b6396216c06e0e3254 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2387963 Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Reviewed-by:
Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/master@{#69695}
-