Skip to content

V
V8
Switch branch/tag
  1. 22 Aug, 2019 3 commits
  3. 20 Aug, 2019 1 commit
  5. 08 Aug, 2019 1 commit
  7. 05 Aug, 2019 1 commit
    • Mythri A's avatar
      Reland "[ic] Don't transition to premonomorphic state" · 2999cea5
      Mythri A authored 
      This is a reland of 159df248

Original change's description:
> [ic] Don't transition to premonomorphic state
> 
> We used to use premonomorphic state to delay initializing the ICs.
> This optimization was to avoid the cost of setting up handlers if the
> code executed only once. With lazy feedback allocation we no longer
> need this.
> 
> This cl also renames LoadIC_Uninitialized to LoadIC_Nofeedback and
> StoreIC_Uninitialized to StoreIC_Nofeedback since we now miss to
> runtime in the uninitialized state and use the builtin when there
> is no feedback.
> 
> 
> Change-Id: I1633e61ea74664da51348e362c34c47a017a264a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1683525
> Commit-Queue: Mythri Alle <mythria@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63020}

Change-Id: Ica7eb65649615c2f8410d5b815a98b55cb1cfc4d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1731000
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63082}
      2999cea5
  9. 01 Aug, 2019 2 commits
  11. 24 Jun, 2019 1 commit
    • Mathias Bynens's avatar
      [objects] Rename JSValue to JSPrimitiveWrapper · e428dfd7
      Mathias Bynens authored 
      We currently use the class name “JSValue” for JSObjects that wrap
primitive values. This name is a common source of confusion. This patch
switches to a name that’s more clear.

In addition to manual tweaks, the patch applies the following mechanical
global replacements:

before                          | after
--------------------------------|--------------------------------------
if_valueisnotvalue              | if_valueisnotwrapper
if_valueisvalue                 | if_valueiswrapper
js_value                        | js_primitive_wrapper
JS_VALUE_TYPE                   | JS_PRIMITIVE_WRAPPER_TYPE
JSPrimitiveWrapperType          | JSPrimitiveWrapper type
jsvalue                         | js_primitive_wrapper
JSValue                         | JSPrimitiveWrapper
_GENERATED_JSVALUE_FIELDS       | _GENERATED_JSPRIMITIVE_WRAPPER_FIELDS

Change-Id: I9d9edea784eab6067b013e1f781e4db2070f807c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1672942Reviewed-by: 's avatarTamer Tas <tmrts@chromium.org>
Reviewed-by: 's avatarMichael Stanton <mvstanton@chromium.org>
Reviewed-by: 's avatarJakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62337}
      e428dfd7
  13. 18 Jun, 2019 1 commit
  15. 13 Jun, 2019 3 commits
  17. 12 Jun, 2019 3 commits
    • Leszek Swirski's avatar
      Revert "[ic] Fix typo in Runtime_CloneObjectIC_Miss." · 510f4f2c
      Leszek Swirski authored 
      This reverts commit 823795fc.

Reason for revert: Breaks mjsunit/es9/regress/regress-904167 on bots (https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20debug/26342)

Original change's description:
> [ic] Fix typo in Runtime_CloneObjectIC_Miss.
> 
> https://chromium-review.googlesource.com/1649554 introduced a typo into
> Runtime_CloneObjectIC_Miss, where it wouldn't update the IC state UNLESS
> the source map is deprecated, which is the wrong way around of course.
> 
> Bug: chromium:973045, v8:7611, v8:9114, v8:9183, v8:9343
> Change-Id: I7d6e0709e66ce4aaaf4a628d64ab801b84c8993c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655291
> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62106}

TBR=bmeurer@chromium.org,verwaest@chromium.org

Change-Id: Ie651523c556b220e57ec5e11e37b0a67936bb291
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:973045, v8:7611, v8:9114, v8:9183, v8:9343
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655299Reviewed-by: 's avatarLeszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62110}
      510f4f2c
    • Benedikt Meurer's avatar
      [counters] Introduce proper bottleneck for FunctionCallback. · ea420655
      Benedikt Meurer authored 
      API calls made via the CallApiCallback builtin, which is used from the
ICs and optimized code, are currently misattributed to the wrong counter
InvokeFunctionCallback instead of FunctionCallback. In addition we don't
use the C trampoline when only runtime call stats are enabled, but the
Chrome DevTools profiler is not active, which means that these calls
will not be attrituted properly at all, and that had to be worked around
using all kinds of tricks (i.e. disabling fast-paths in ICs when RCS is
active and not inlining calls/property accesses into optimized code
depending on the state of RCS).

All of this was really brittle and only due to the fact that the central
builtin didn't properly check for RCS (in addition to checking for the
CDT profiler). With this fix it's now handled in a central place and
attributed to the correct category, so user code doesn't need to worry
about RCS anymore and can just call straight into the fast-path.

Drive-by-fix: Do the same for AccessorInfo getter calls, which share the
core hand-written native code with the API callback logic.

Bug: v8:9183
Change-Id: Id0cd99d3dd676635fe3272b67cd76a19a9a9cea4
Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1651470
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62109}
      ea420655
    • Benedikt Meurer's avatar
      [ic] Fix typo in Runtime_CloneObjectIC_Miss. · 823795fc
      Benedikt Meurer authored 
      https://chromium-review.googlesource.com/1649554 introduced a typo into
Runtime_CloneObjectIC_Miss, where it wouldn't update the IC state UNLESS
the source map is deprecated, which is the wrong way around of course.

Bug: chromium:973045, v8:7611, v8:9114, v8:9183, v8:9343
Change-Id: I7d6e0709e66ce4aaaf4a628d64ab801b84c8993c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655291
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62106}
      823795fc
  19. 11 Jun, 2019 2 commits
  21. 08 Jun, 2019 2 commits
    • Benedikt Meurer's avatar
      [cleanup] Remove obsolete comment. · 848379c3
      Benedikt Meurer authored 
      The introduction of the FeedbackVector solved the problem of
inconsistent feedback between ICs in unoptimized and optimized
code.

Bug: v8:2029, v8:9183
Tbr: jkummerow@chromium.org
Change-Id: Id61033c1661e5a2efb740988552de76f7f148d0d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1649566Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62065}
      848379c3
    • Benedikt Meurer's avatar
      [interpreter] Do ToObject implicitly as part of CloneObject. · 92c6af8a
      Benedikt Meurer authored 
      The CloneObject bytecode was only able to handle objects, null and
undefined, and explicit bytecode had to be generated to perform the
ToObject outside the bytecode (unlike the other IC bytecodes that
just perform the ToObject implicitly). That means the simplest possible
object cloning would also generate a sequence of 5 bytecodes (at least):

```
   Mov <register>, a0
   JumpIfNull @1
   JumpIfUndefined @1
   ToObject <register>
1: CloneObject <register>
```

That is quite wasteful and unnecessary, since the core logic in the
runtime already does the ToObject properly anyways. This change
refactors the CloneObjectIC slightly to behave more like the other ICs
and do the ToObject implicitly when necessary.

Bug: v8:7611, v8:9114, v8:9183, v8:9343
Change-Id: I11973e90bf875f154a5a7739287bee17041e4a7a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1649554Reviewed-by: 's avatarMythri Alle <mythria@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62064}
      92c6af8a
  23. 31 May, 2019 1 commit
    • Benedikt Meurer's avatar
      [feedback-vector] Don't go MEGAMORPHIC due to dying handlers. · 40c68926
      Benedikt Meurer authored 
      This fixes a problem where ICs for transitioning stores go MEGAMORPHIC
if the transition target map dies in between invocations of the IC,
which is totally possible, since we only hold on weakly to these
transition targets (both from the FeedbackVectors and also from the
TransitonArrays).

The root problem here was an inconsistency in how the maps and handlers
are being reported by the FeedbackVector. On the on hand side the method
FeedbackVector::ExtractMaps() will report all receiver maps that are
still present (i.e. which haven't died themselves), but then the other
method FeedbackVector::FindHandlers() will only report handlers that are
still alive (i.e. which in case of transition target maps being used as
handlers haven't died yet). If the length of these lists don't match the
IC chickens out and goes MEGAMORPHIC. But this is exactly the case with
the transitioning stores, where there's no handler anymore, i.e. as can
be seen in this simple example:

```
// Flags: --expose-gc
function C() { this.x = 1; }
new C();
new C();
gc();     // map with the `C.x` property dies
new C();  // now the STORE_IC in C goes MEGAMORPHIC
```

So the problem is that we have these two methods that don't agree with
each other. Now FeedbackVector::ExtractMaps() is also used by TurboFan
and it even reports receiver maps for PREMONOMORPHIC state, which is
different from the use case that the ICs need. So I replaced the
FeedbackVector::FindHandlers() with a completely new method
FeedbackVector::ExtractMapsAndHandlers(), which returns both the maps
and handlers, exactly as the ICs need it. And only returns pairs for
which both the receiver map and the handler are still alive.

This fixes the odd problem that sometimes STORE_ICs going MEGAMORPHIC
for no apparent reason. Due to the weakness of the transition target
maps, they can still die and cause deoptimizations, but at least
TurboFan will now be able to reoptimize again later with the new maps
and still generate proper code.

Bug: v8:9316
Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
Change-Id: I74c8b60f792f310dc813f997e69efe9ad434296a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1637878
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: 's avatarMichael Stanton <mvstanton@chromium.org>
Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61948}
      40c68926
  25. 28 May, 2019 1 commit
  27. 27 May, 2019 4 commits
    • Benedikt Meurer's avatar
      Reland "[typedarray] Move external/data pointer to JSTypedArray." · 70bd7cf0
      Benedikt Meurer authored 
      This is a reland of 4b86fea5 with
copy&paste typo in CodeStubAssembler::AllocateByteArray() fixed
(bug led to holes in new space, which was crashing reproducibly
on the ia32 bot).

Original change's description:
> [typedarray] Move external/data pointer to JSTypedArray.
>
> As the next step in supporting huge typed arrays in V8, this moves the
> external/data pointer from the FixedTypedArrayBase backing store to the
> JSTypedArray instance itself, and replaces the special backing stores
> with a plain ByteArray (removing all the code for the FixedTypedArrayBase
> class hierarchy). By doing so, we can drastically simplify the system
> around typed arrays.
>
> Note: Several places in the code base used to check the instance type
> of the elements backing store of a JSTypedArray instead of checking the
> elements kind on the JSTypedArray map directly. Those had to be fixed,
> since the backing store is now always a ByteArray.
>
> Drive-by-fix: Move all the typed elements access related code into the
> elements.cc file to properly encapsulate the accesses.
>
> Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
> Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
> Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646
> Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61855}

Tbr: petermarshall@chromium.org
Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
Change-Id: I87fcdb28532c5f08cc227332a4d59546cb423810
Cq-Include-Trybots: luci.chromium.try:linux-rel, win7-rel
Cq-Include-Trybots: luci.v8.try:v8_linux_shared_compile_rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631592Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61864}
      70bd7cf0
    • Clemens Hammacher's avatar
      Revert "[typedarray] Move external/data pointer to JSTypedArray." · e4db146a
      Clemens Hammacher authored 
      This reverts commit 4b86fea5.

Reason for revert: Fails on linux shared: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20shared/31045

Original change's description:
> [typedarray] Move external/data pointer to JSTypedArray.
> 
> As the next step in supporting huge typed arrays in V8, this moves the
> external/data pointer from the FixedTypedArrayBase backing store to the
> JSTypedArray instance itself, and replaces the special backing stores
> with a plain ByteArray (removing all the code for the FixedTypedArrayBase
> class hierarchy). By doing so, we can drastically simplify the system
> around typed arrays.
> 
> Note: Several places in the code base used to check the instance type
> of the elements backing store of a JSTypedArray instead of checking the
> elements kind on the JSTypedArray map directly. Those had to be fixed,
> since the backing store is now always a ByteArray.
> 
> Drive-by-fix: Move all the typed elements access related code into the
> elements.cc file to properly encapsulate the accesses.
> 
> Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
> Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
> Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646
> Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61855}

TBR=ulan@chromium.org,yangguo@chromium.org,titzer@chromium.org,sigurds@chromium.org,petermarshall@chromium.org,bmeurer@chromium.org,szuend@chromium.org

Change-Id: I0bc1f935de6063acf75a0f4bb8c0ba67428603fd
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
Cq-Include-Trybots: luci.chromium.try:linux-rel, win7-rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631427Reviewed-by: 's avatarClemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61856}
      e4db146a
    • Benedikt Meurer's avatar
      [typedarray] Move external/data pointer to JSTypedArray. · 4b86fea5
      Benedikt Meurer authored 
      As the next step in supporting huge typed arrays in V8, this moves the
external/data pointer from the FixedTypedArrayBase backing store to the
JSTypedArray instance itself, and replaces the special backing stores
with a plain ByteArray (removing all the code for the FixedTypedArrayBase
class hierarchy). By doing so, we can drastically simplify the system
around typed arrays.

Note: Several places in the code base used to check the instance type
of the elements backing store of a JSTypedArray instead of checking the
elements kind on the JSTypedArray map directly. Those had to be fixed,
since the backing store is now always a ByteArray.

Drive-by-fix: Move all the typed elements access related code into the
elements.cc file to properly encapsulate the accesses.

Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646
Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: 's avatarPeter Marshall <petermarshall@chromium.org>
Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
Reviewed-by: 's avatarSimon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61855}
      4b86fea5
    • Joyee Cheung's avatar
      Fix compilation of V8_TRACE_FEEDBACK_UPDATES V8_TRACE_IGNITION · 0ec82d51
      Joyee Cheung authored 
      The `->` operator should be changed to `.` after
https://chromium-review.googlesource.com/c/v8/v8/+/1624209

Change-Id: Ie16adaa17bfc7caaa589ed3881a8716e98ea36b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1628793Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/master@{#61848}
      0ec82d51
  29. 23 May, 2019 3 commits
  31. 22 May, 2019 3 commits
  33. 21 May, 2019 1 commit
  35. 20 May, 2019 1 commit
  37. 17 May, 2019 1 commit
  39. 16 May, 2019 2 commits
  41. 15 May, 2019 1 commit
  43. 14 May, 2019 1 commit
  45. 10 May, 2019 1 commit