1. 28 Aug, 2020 1 commit
  2. 15 Jul, 2020 1 commit
  3. 23 Jun, 2020 1 commit
  4. 01 Apr, 2020 1 commit
  5. 22 Oct, 2019 3 commits
    • Victor Gomes's avatar
      Reland x3 "[runtime] Remove extension slots from context objects" · dbbdd0ec
      Victor Gomes authored
      Original change's description:
      > [runtime] Remove extension slots from context objects
      >
      > Context objects have an extension slot, which contains further
      > additional data that depends on the type of the context.
      >
      > This CL removes the extension slot from contexts that don't need
      > them, hence reducing memory.
      >
      > The following contexts will still have an extension slot: native,
      > module, await, block and with contexts. See objects/contexts.h for
      > what the slot is used for.
      > The following contexts will not have an extension slot anymore (they
      > were not used before): script, catch and builtin contexts.
      > Eval and function contexts only have the extension slot if they
      > contain a sloppy eval.
      >
      > Bug: v8:9744
      > Change-Id: I8ca56c22fa02437bbac392ea72174ebfca80e030
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1863191
      > Commit-Queue: Victor Gomes <victorgomes@google.com>
      > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      > Reviewed-by: Jakob Gruber <jgruber@chromium.org>
      > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
      > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > Auto-Submit: Victor Gomes <victorgomes@google.com>
      > Cr-Commit-Position: refs/heads/master@{#64372}
      
      TBR=verwaest@chromium.org,jgruber@chromium.org,ulan@chromium.org,leszeks@chromium.org,petermarshall@chromium.org
      
      Bug: v8:9744
      Change-Id: I8700ed2fa62c89e86c39bb16ac3167f38ea8d63f
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1873695
      Commit-Queue: Victor Gomes <victorgomes@chromium.org>
      Reviewed-by: 's avatarLeszek Swirski <leszeks@chromium.org>
      Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
      Reviewed-by: 's avatarPeter Marshall <petermarshall@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#64477}
      dbbdd0ec
    • Clemens Backes's avatar
      Revert "Reland "Reland "[runtime] Remove extension slots from context objects""" · 725e7dd7
      Clemens Backes authored
      This reverts commit 392a1217.
      
      Reason for revert: Several failures on mac64 gc stress: https://ci.chromium.org/p/v8/builders/ci/V8%20Mac64%20GC%20Stress/9747
      
      Original change's description:
      > Reland "Reland "[runtime] Remove extension slots from context objects""
      > 
      > This is a reland of c48096d4
      > 
      > Original change's description:
      > > Reland "[runtime] Remove extension slots from context objects"
      > >
      > > This is a reland of c07c02e1
      > >
      > > Original change's description:
      > > > [runtime] Remove extension slots from context objects
      > > >
      > > > Context objects have an extension slot, which contains further
      > > > additional data that depends on the type of the context.
      > > >
      > > > This CL removes the extension slot from contexts that don't need
      > > > them, hence reducing memory.
      > > >
      > > > The following contexts will still have an extension slot: native,
      > > > module, await, block and with contexts. See objects/contexts.h for
      > > > what the slot is used for.
      > > > The following contexts will not have an extension slot anymore (they
      > > > were not used before): script, catch and builtin contexts.
      > > > Eval and function contexts only have the extension slot if they
      > > > contain a sloppy eval.
      > > >
      > > > Bug: v8:9744
      > > > Change-Id: I8ca56c22fa02437bbac392ea72174ebfca80e030
      > > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1863191
      > > > Commit-Queue: Victor Gomes <victorgomes@google.com>
      > > > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      > > > Reviewed-by: Jakob Gruber <jgruber@chromium.org>
      > > > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > > > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
      > > > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > > > Auto-Submit: Victor Gomes <victorgomes@google.com>
      > > > Cr-Commit-Position: refs/heads/master@{#64372}
      > >
      > > TBR=verwaest@chromium.org,jgruber@chromium.org,ulan@chromium.org,leszeks@chromium.org,petermarshall@chromium.org
      > >
      > > Bug: v8:9744
      > > Change-Id: I0749cc2d8f59940c25841736634a70047116d647
      > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1869192
      > > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
      > > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > > Commit-Queue: Leszek Swirski <leszeks@chromium.org>
      > > Commit-Queue: Peter Marshall <petermarshall@chromium.org>
      > > Auto-Submit: Victor Gomes <victorgomes@google.com>
      > > Cr-Commit-Position: refs/heads/master@{#64380}
      > 
      > TBR=verwaest@chromium.org,jgruber@chromium.org,ulan@chromium.org,leszeks@chromium.org,petermarshall@chromium.org
      > 
      > Bug: v8:9744
      > Change-Id: I621ffe98722f8c4defaf277b8d1666484ba2963f
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1872400
      > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
      > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > Commit-Queue: Victor Gomes <victorgomes@google.com>
      > Cr-Commit-Position: refs/heads/master@{#64451}
      
      TBR=ulan@chromium.org,jgruber@chromium.org,petermarshall@chromium.org,leszeks@chromium.org,verwaest@chromium.org,victorgomes@google.com
      
      Change-Id: I99a71180c6a00a87478867a8210ff9ceb46cb3ee
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: v8:9744
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1872405Reviewed-by: 's avatarClemens Backes <clemensb@chromium.org>
      Commit-Queue: Clemens Backes <clemensb@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#64453}
      725e7dd7
    • Victor Gomes's avatar
      Reland "Reland "[runtime] Remove extension slots from context objects"" · 392a1217
      Victor Gomes authored
      This is a reland of c48096d4
      
      Original change's description:
      > Reland "[runtime] Remove extension slots from context objects"
      >
      > This is a reland of c07c02e1
      >
      > Original change's description:
      > > [runtime] Remove extension slots from context objects
      > >
      > > Context objects have an extension slot, which contains further
      > > additional data that depends on the type of the context.
      > >
      > > This CL removes the extension slot from contexts that don't need
      > > them, hence reducing memory.
      > >
      > > The following contexts will still have an extension slot: native,
      > > module, await, block and with contexts. See objects/contexts.h for
      > > what the slot is used for.
      > > The following contexts will not have an extension slot anymore (they
      > > were not used before): script, catch and builtin contexts.
      > > Eval and function contexts only have the extension slot if they
      > > contain a sloppy eval.
      > >
      > > Bug: v8:9744
      > > Change-Id: I8ca56c22fa02437bbac392ea72174ebfca80e030
      > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1863191
      > > Commit-Queue: Victor Gomes <victorgomes@google.com>
      > > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      > > Reviewed-by: Jakob Gruber <jgruber@chromium.org>
      > > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
      > > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > > Auto-Submit: Victor Gomes <victorgomes@google.com>
      > > Cr-Commit-Position: refs/heads/master@{#64372}
      >
      > TBR=verwaest@chromium.org,jgruber@chromium.org,ulan@chromium.org,leszeks@chromium.org,petermarshall@chromium.org
      >
      > Bug: v8:9744
      > Change-Id: I0749cc2d8f59940c25841736634a70047116d647
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1869192
      > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
      > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > Commit-Queue: Leszek Swirski <leszeks@chromium.org>
      > Commit-Queue: Peter Marshall <petermarshall@chromium.org>
      > Auto-Submit: Victor Gomes <victorgomes@google.com>
      > Cr-Commit-Position: refs/heads/master@{#64380}
      
      TBR=verwaest@chromium.org,jgruber@chromium.org,ulan@chromium.org,leszeks@chromium.org,petermarshall@chromium.org
      
      Bug: v8:9744
      Change-Id: I621ffe98722f8c4defaf277b8d1666484ba2963f
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1872400Reviewed-by: 's avatarLeszek Swirski <leszeks@chromium.org>
      Reviewed-by: 's avatarPeter Marshall <petermarshall@chromium.org>
      Commit-Queue: Victor Gomes <victorgomes@google.com>
      Cr-Commit-Position: refs/heads/master@{#64451}
      392a1217
  6. 27 Sep, 2019 1 commit
  7. 09 Aug, 2019 1 commit
  8. 11 Oct, 2018 1 commit
    • Benedikt Meurer's avatar
      [async] Introduce dedicated JSAsyncFunctionObject. · a63987a4
      Benedikt Meurer authored
      This JSAsyncFunctionObject represents the implicit generator object
      inside of async functions, and also holds the outer promise for the
      async functions. This in turn allows us to get rid of the .promise
      in the Parser / BytecodeGenerator completely, and will make it
      possible to build zero-cost async stack traces independent of the
      concrete synchronous part of the stack frame (which currently breaks
      in Node.js).
      
      In the bytecode all the async function operations now take this new
      JSAsyncFunctionObject instead of passing both the .generator_object
      and the .promise, which further simplifies and shrinks the bytecode.
      It also reduces the size of async function frames, potentially making
      the suspend/resume cheaper.
      
      This also changes `await` to use intrinsics instead of calling to
      special JSFunctions on the native context, and thus reduces the size of
      the native contexts.
      
      Drive-by-fix: Introduce a dedicated JSCreateAsyncFunctionObject operator
      to TurboFan.
      
      Bug: v8:7253, v8:7522
      Change-Id: I2305302285156aa1f71328ecac70377abdd92c80
      Ref: nodejs/node#11865
      Design-Document: http://bit.ly/v8-zero-cost-async-stack-traces
      Reviewed-on: https://chromium-review.googlesource.com/c/1273049
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarSathya Gunasekaran <gsathya@chromium.org>
      Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Reviewed-by: 's avatarMaya Lekova <mslekova@chromium.org>
      Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#56554}
      a63987a4
  9. 10 Oct, 2018 1 commit
    • Benedikt Meurer's avatar
      [async] Improve async function handling. · 0038e5f0
      Benedikt Meurer authored
      This change introduces new intrinsics used to desugar async functions
      in the Parser and the BytecodeGenerator, namely we introduce a new
      %_AsyncFunctionEnter intrinsic that constructs the generator object
      for the async function (and in the future will also create the outer
      promise for the async function). This generator object is internal
      and never escapes to user code, plus since async functions don't have
      a "prototype" property, we can just a single map here instead of tracking
      the prototype/initial_map on every async function. This saves one word
      per async function plus one initial_map per async function that was
      invoked at least once.
      
      We also introduce two new intrinsics %_AsyncFunctionReject, which
      rejects the outer promise with the caught exception, and another
      %_AsyncFunctionResolve, which resolves the outer promise with the
      right hand side of the `return` statement. These functions also perform
      the DevTools part of the job (aka popping from the promise stack and
      sending the debug event). This allows us to get rid of the implicit
      try-finally from async functions completely; because the finally
      block only called to the %AsyncFunctionPromiseRelease builtin, which
      was used to inform DevTools.
      
      In essence we now turn an async function like
      
      ```js
      async function f(x) { return await bar(x); }
      ```
      
      into something like this (in Parser and BytecodeGenerator respectively):
      
      ```
      function f(x) {
        .generator_object = %_AsyncFunctionEnter(.closure, this);
        .promise = %AsyncFunctionCreatePromise();
        try {
          .tmp = await bar(x);
          return %_AsyncFunctionResolve(.promise, .tmp);
        } catch (e) {
          return %_AsyncFunctionReject(.promise, e);
        }
      }
      ```
      
      Overall the bytecode for async functions gets significantly shorter
      already (and will get even shorter once we put the outer promise into
      the async function generator object). For example the bytecode for a
      simple async function
      
      ```js
      async function f(x) { return await x; }
      ```
      
      goes from 175 bytes to 110 bytes (a ~38% reduction in size), which
      is in particular due to the simplification around the try-finally
      removal.
      
      Overall this seems to improve the doxbee-async-es2017-native test by
      around 2-3%. On the test case mentioned in v8:8276 we go from
      1124ms to 441ms, which corresponds to a 60% reduction in total
      execution time!
      
      Tbr: marja@chromium.org
      Bug: v8:7253, v8:7522, v8:8276
      Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;luci.chromium.try:linux_chromium_rel_ng;master.tryserver.blink:linux_trusty_blink_rel
      Change-Id: Id29dc92de7490b387ff697860c900cee44c9a7a4
      Reviewed-on: https://chromium-review.googlesource.com/c/1269041
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarSathya Gunasekaran <gsathya@chromium.org>
      Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
      Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Reviewed-by: 's avatarMaya Lekova <mslekova@chromium.org>
      Reviewed-by: 's avatarYang Guo <yangguo@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#56502}
      0038e5f0
  10. 08 Oct, 2018 1 commit
    • Benedikt Meurer's avatar
      [turbofan] Introduce the notion of context-sensitivity for JS operators. · 51274d3c
      Benedikt Meurer authored
      This change adds predicates to check whether a given JavaScript operator
      needs the "current context" or if any surrounding context (including the
      "native context") does it. For example JSAdd doesn't ever need the
      current context, but actually only the native context. In the
      BytecodeGraphBuilder we use this predicate to check whether a given
      operator needs the current context, and if not, we just pass in the
      native context.
      
      Doing so we improve the performance on the benchmarks given in the
      tracking bug significantly, and go from something around
      
        arrayMap: 476 ms.
        arrayFilter: 312 ms.
        arrayEvery: 241 ms.
        arraySome: 152 ms.
      
      to
      
        arrayMap: 377 ms.
        arrayFilter: 296 ms.
        arrayEvery: 191 ms.
        arraySome: 91 ms.
      
      which is an up to 40% improvement. So for idiomatic modern JavaScript
      which uses higher order functions quite a lot, not just the builtins
      provided by the JSVM, this is going to improve peak performance
      noticably.
      
      This also makes it possible to completely eliminate all the allocations
      in the aliased sloppy arguments example
      
      ```js
      function foo(a) { return arguments.length; }
      ```
      
      concretely we don't allocate the function context anymore and we also
      don't allocate the arguments object anymore (the JSStackCheck was the
      reason why we did this in the past, because it was holding on to the
      current context, which also kept the allocation for the arguments
      alive).
      
      Bug: v8:6200, v8:8060
      Change-Id: I1db56d00d6b510ce6337608c0fff16af96e95eef
      Design-Document: bit.ly/v8-turbofan-context-sensitive-js-operators
      Reviewed-on: https://chromium-review.googlesource.com/c/1267176Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#56441}
      51274d3c
  11. 21 Sep, 2018 1 commit
  12. 05 Sep, 2018 1 commit
    • Hai Dang's avatar
      Reland "[interpreter] Add bytecode for leading array spreads." · 5f8a4272
      Hai Dang authored
      This is a reland of 1c48d52b.
      
      It turned out that IterableToList doesn't always behave according to
      the ES operation with the same name. Specifically, it allows holey arrays
      to take its fast path, which produces an output array with holes where
      actually "undefined" elements should appear.
      
      This CL changes the version of IterableToList that is used for spreads
      (IterableToListWithSymbolLookup) such that holey arrays take the slow path.
      It also includes tests for such situations.
      
      Original change's description:
      > [interpreter] Add bytecode for leading array spreads.
      >
      > This CL improves the performance of creating [...a, b] or [...a].
      > If the array literal has a leading spread, this CL emits the bytecode
      > [CreateArrayFromIterable] to create the literal. CreateArrayFromIterable
      > is implemented by [IterableToListDefault] builtin to create the initial
      > array for the leading spread. IterableToListDefault has a fast path to
      > clone efficiently if the spread is an actual array.
      >
      > The bytecode generated is now shorter. Bytecode generation is refactored
      > into to BuildCreateArrayLiteral, which allows VisitCallSuper to benefit
      > from this optimization also.
      > For now, turbofan also lowers the bytecode to the builtin.
      >
      > The idiomatic use of [...a] to clone the array a now performs better
      > than a simple for-loop, but still does not match the performance of slice.
      >
      > Bug: v8:7980
      >
      > Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
      > Change-Id: Ibde659c82d3c7aa1b1777a3d2f6426ac8cc15e35
      > Reviewed-on: https://chromium-review.googlesource.com/1181024
      > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
      > Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
      > Reviewed-by: Jakob Gruber <jgruber@chromium.org>
      > Reviewed-by: Georg Neis <neis@chromium.org>
      > Commit-Queue: Georg Neis <neis@chromium.org>
      > Commit-Queue: Hai Dang <dhai@google.com>
      > Cr-Commit-Position: refs/heads/master@{#55520}
      
      Bug: v8:7980
      Change-Id: I0b5603a12d2b588327658bf0a9b214bd0f22e237
      Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
      Reviewed-on: https://chromium-review.googlesource.com/1201882
      Commit-Queue: Hai Dang <dhai@google.com>
      Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
      Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
      Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#55639}
      5f8a4272
  13. 31 Aug, 2018 1 commit
    • Georg Neis's avatar
      Revert "[interpreter] Add bytecode for leading array spreads." · ef569028
      Georg Neis authored
      This reverts commit 1c48d52b.
      
      Reason for revert: Clusterfuzz found something.
      
      Original change's description:
      > [interpreter] Add bytecode for leading array spreads.
      > 
      > This CL improves the performance of creating [...a, b] or [...a].
      > If the array literal has a leading spread, this CL emits the bytecode
      > [CreateArrayFromIterable] to create the literal. CreateArrayFromIterable
      > is implemented by [IterableToListDefault] builtin to create the initial
      > array for the leading spread. IterableToListDefault has a fast path to
      > clone efficiently if the spread is an actual array.
      > 
      > The bytecode generated is now shorter. Bytecode generation is refactored
      > into to BuildCreateArrayLiteral, which allows VisitCallSuper to benefit
      > from this optimization also.
      > For now, turbofan also lowers the bytecode to the builtin.
      > 
      > The idiomatic use of [...a] to clone the array a now performs better
      > than a simple for-loop, but still does not match the performance of slice.
      > 
      > Bug: v8:7980
      > 
      > Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
      > Change-Id: Ibde659c82d3c7aa1b1777a3d2f6426ac8cc15e35
      > Reviewed-on: https://chromium-review.googlesource.com/1181024
      > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
      > Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
      > Reviewed-by: Jakob Gruber <jgruber@chromium.org>
      > Reviewed-by: Georg Neis <neis@chromium.org>
      > Commit-Queue: Georg Neis <neis@chromium.org>
      > Commit-Queue: Hai Dang <dhai@google.com>
      > Cr-Commit-Position: refs/heads/master@{#55520}
      
      TBR=rmcilroy@chromium.org,neis@chromium.org,sigurds@chromium.org,gsathya@chromium.org,jgruber@chromium.org,dhai@google.com
      
      Change-Id: I1c86ddcc24274da9f5a8dd3d8bf8d869cbb55cb6
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: v8:7980
      Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
      Reviewed-on: https://chromium-review.googlesource.com/1199303Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
      Commit-Queue: Georg Neis <neis@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#55544}
      ef569028
  14. 30 Aug, 2018 1 commit
    • Hai Dang's avatar
      [interpreter] Add bytecode for leading array spreads. · 1c48d52b
      Hai Dang authored
      This CL improves the performance of creating [...a, b] or [...a].
      If the array literal has a leading spread, this CL emits the bytecode
      [CreateArrayFromIterable] to create the literal. CreateArrayFromIterable
      is implemented by [IterableToListDefault] builtin to create the initial
      array for the leading spread. IterableToListDefault has a fast path to
      clone efficiently if the spread is an actual array.
      
      The bytecode generated is now shorter. Bytecode generation is refactored
      into to BuildCreateArrayLiteral, which allows VisitCallSuper to benefit
      from this optimization also.
      For now, turbofan also lowers the bytecode to the builtin.
      
      The idiomatic use of [...a] to clone the array a now performs better
      than a simple for-loop, but still does not match the performance of slice.
      
      Bug: v8:7980
      
      Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
      Change-Id: Ibde659c82d3c7aa1b1777a3d2f6426ac8cc15e35
      Reviewed-on: https://chromium-review.googlesource.com/1181024Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
      Reviewed-by: 's avatarSigurd Schneider <sigurds@chromium.org>
      Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
      Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
      Commit-Queue: Georg Neis <neis@chromium.org>
      Commit-Queue: Hai Dang <dhai@google.com>
      Cr-Commit-Position: refs/heads/master@{#55520}
      1c48d52b
  15. 23 Jul, 2018 1 commit
  16. 20 Jul, 2018 1 commit
    • Caitlin Potter's avatar
      [runtime] use new CloneObject bytecode for some ObjectLiteralSpread cases · b6f7ea58
      Caitlin Potter authored
      As discussed in
      https://docs.google.com/document/d/1sBdGe8RHgeYP850cKSSgGABTyfMdvaEWLy-vertuTCo/edit?ts=5b3ba5cc#,
      
      this CL introduces a new bytecode (CloneObject), and a new IC type.
      
      In this prototype implementation, the type feedback looks like the
      following:
      
      Uninitialized case:
        { uninitialized_sentinel, uninitialized_sentinel }
      Monomorphic case:
        { weak 'source' map, strong 'result' map }
      Polymorphic case:
        { WeakFixedArray with { weak 'source' map, strong 'result' map }, cleared value }
      Megamorphic case:
        { megamorphic_sentinel, cleared_Value }
      
      In the fast case, Object cloning is done by allocating an object with
      the saved result map, and a shallow clone of the fast properties from
      the source object, as well as cloned fast elements from the source object.
      If at any point the fast case can't be taken, the IC transitions to the
      slow case and remains there.
      
      This prototype CL does not include any TurboFan optimization, and the
      CloneObject operation is merely reduced to a stub call.
      
      It may still be possible to get some further improvements by somehow
      incorporating compile-time boilerplate elements into the cloned object,
      or simplifying how the boilerplate elements are inserted into the
      object.
      
      In terms of performance, we improve the ObjectSpread score in JSTests/ObjectLiteralSpread/
      by about 8x, with substantial improvements over the Babel and ObjectAssign scores.
      
      R=gsathya@chromium.org, mvstanton@chromium.org, rmcilroy@chromium.org, neis@chromium.org, bmeurer@chromium.org
      BUG=v8:7611
      
      Change-Id: I79e1796eb77016fb4feba0e1d3bb9abb348c183e
      Reviewed-on: https://chromium-review.googlesource.com/1127472
      Commit-Queue: Caitlin Potter <caitp@igalia.com>
      Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
      Reviewed-by: 's avatarMichael Stanton <mvstanton@chromium.org>
      Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
      Reviewed-by: 's avatarJakob Kummerow <jkummerow@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#54595}
      b6f7ea58
  17. 19 Jul, 2018 1 commit
    • Sigurd Schneider's avatar
      Revert "[turbofan] Inline Number constructor in certain cases" · c7a9af61
      Sigurd Schneider authored
      This reverts commit 9eca23e9.
      
      Reason for revert: Clusterfuzz correctness issue
      
      Original change's description:
      > [turbofan] Inline Number constructor in certain cases
      > 
      > This CL adds inlining for the Number constructor if new.target is not
      > present. The lowering is BigInt compatible, i.e. it converts BigInts to
      > numbers.
      > 
      > Bug: v8:7904
      > Change-Id: If03b9f872d82e50b6ded7709069181c33dc44e82
      > Reviewed-on: https://chromium-review.googlesource.com/1118557
      > Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
      > Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
      > Reviewed-by: Georg Neis <neis@chromium.org>
      > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#54454}
      
      TBR=jarin@chromium.org,neis@chromium.org,sigurds@chromium.org,bmeurer@chromium.org
      
      # Not skipping CQ checks because original CL landed > 1 day ago.
      
      Bug: v8:7904
      Change-Id: Ie5fa6c1262b8acc33edb672a0124f4458fcded86
      Reviewed-on: https://chromium-review.googlesource.com/1142777Reviewed-by: 's avatarSigurd Schneider <sigurds@chromium.org>
      Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#54544}
      c7a9af61
  18. 16 Jul, 2018 1 commit
  19. 11 Jun, 2018 1 commit
    • Sigurd Schneider's avatar
      [turbofan] Add inlining for RegExp#test · 394d53d1
      Sigurd Schneider authored
      This CL adds a TFS stub for RegExp#test and moves several checks to
      the JSCallReducer. In particular, the JSCallReducer checks that
       - property {exec} on the regexp is still the original exec
       - property {lastIndex} on the regexp is a non-negative smi
      The stub does not repeat these checks in release mode.
      
      This effectively means that if the regexp is known, we can perform these
      checks at compile time, and get away with a map dependency.
      
      Bug: v8:7779, v8:7200
      
      Change-Id: I0c6d711d4f1d2f6f325a1c02855b0e1b62e014c8
      Reviewed-on: https://chromium-review.googlesource.com/1074654
      Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
      Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#53630}
      394d53d1
  20. 26 Apr, 2018 1 commit
  21. 24 Apr, 2018 1 commit
  22. 19 Apr, 2018 1 commit
  23. 18 Apr, 2018 1 commit
  24. 15 Mar, 2018 1 commit
    • Benedikt Meurer's avatar
      [turbofan] Teach TurboFan about the TypedArray constructor. · 0875778f
      Benedikt Meurer authored
      This introduces a new JSCreateTypedArray operator, backed by a dedicated
      CreateTypedArray builtin, and adds support to lowering new TypedArray
      calls to this operator. This way we avoid the overhead of going through
      the generic construct stub machinery for hot code. This not only
      recovers the performance regression on the typed array constructor
      benchmarks, but even improves slightly beyond what we had in 6.6.
      
      We might in the future try to fully inline the TypedArray constructor
      into optimized code for certain cases.
      
      Bug: chromium:820726, v8:7503, v8:7518
      Change-Id: Ied465924d5695db576d533792f1db68456b9b5ea
      Reviewed-on: https://chromium-review.googlesource.com/959010
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarPeter Marshall <petermarshall@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#51973}
      0875778f
  25. 20 Feb, 2018 1 commit
    • Benedikt Meurer's avatar
      [turbofan] Optimize promise resolution. · be6d1292
      Benedikt Meurer authored
      This CL introduces new operators JSFulfillPromise and JSPromiseResolve,
      corresponding to the specification operations with the same name, and
      uses that to lower calls to Promise.resolve() builtin to JSPromiseResolve.
      
      We also optimize JSPromiseResolve and JSResolvePromise further based on
      information found about the value/resolution in the graph. This applies
      to both Promise.resolve() builtin calls and implicit resolve operations
      in async functions and async generators.
      
      On a very simple microbenchmark like
      
        console.time('resolve');
        for (let i = 0; i < 1e8; ++i) Promise.resolve({i});
        console.timeEnd('resolve');
      
      this CL reduces the execution time from around 3049ms to around 947ms,
      which is a pretty significant 3x improvement. On the wikipedia benchmark
      we observe an improvement around 2% with this CL.
      
      Bug: v8:7253
      Change-Id: Ic69086cdc1b724f35dbe83305795539c562ab817
      Reviewed-on: https://chromium-review.googlesource.com/913488Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#51387}
      be6d1292
  26. 13 Feb, 2018 1 commit
    • Benedikt Meurer's avatar
      [builtins] Refactor the promise resolution and rejection logic. · c0412961
      Benedikt Meurer authored
      This introduces dedicated builtins
      
        - FulfillPromise,
        - RejectPromise, and
        - ResolvePromise,
      
      which perform the corresponding operations from the language
      specification, and removes the redundant entry points and the
      excessive inlining of these operations into other builtins. We
      also add the same logic on the C++ side, so that we don't need
      to go into JavaScript land when resolving/rejecting from the
      API.
      
      The C++ side has a complete implementation, including full support
      for the debugger and the current PromiseHook machinery. This is to
      avoid constantly crossing the boundary for those cases, and to also
      simplify the CSA side (and soon the TurboFan side), where we only
      do the fast-path and bail out to the runtime for the general handling.
      
      On top of this we introduce %_RejectPromise and %_ResolvePromise,
      which are entry points used by the bytecode and parser desugarings
      for async functions, and also used by the V8 Extras API. Thanks to
      this we can uniformly optimize these in TurboFan, where we have
      corresponding operators JSRejectPromise and JSResolvePromise, which
      currently just call into the builtins, but middle-term can be further
      optimized, i.e. to skip the "then" lookup for JSResolvePromise when
      we know something about the resolution.
      
      In TurboFan we can also already inline the default PromiseCapability
      [[Reject]] and [[Resolve]] functions, although this is not as effective
      as it can be right now, until we have inlining support for the Promise
      constructor (being worked on by petermarshall@ right now) and/or SFI
      based CALL_IC feedback.
      
      Overall this change is meant as a refactoring without significant
      performance impact anywhere; it seems to improve performance of
      simple async functions a bit, but otherwise is neutral.
      
      Bug: v8:7253
      Change-Id: Id0b979f9b2843560e38cd8df4b02627dad4b6d8c
      Reviewed-on: https://chromium-review.googlesource.com/911632Reviewed-by: 's avatarSathya Gunasekaran <gsathya@chromium.org>
      Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#51260}
      c0412961
  27. 29 Nov, 2017 1 commit
    • Georg Neis's avatar
      No longer desugar the exponentiation (**) operator. · b97567a9
      Georg Neis authored
      Prior to this change, the exponentiation operator was rewritten by the
      parser to a call of the Math.pow builtin. However, Math.pow does not
      accept BigInt arguments, while the exponentiation operator must accept
      them.
      
      This CL
      - removes the parser's special treatment of ** and **=, treating them
        like any other binary op instead.
      - adds a TFC builtin Exponentiate that does the right thing for
        all inputs.
      - adds interpreter bytecodes Exp and ExpSmi whose handlers call the
        Exponentiate builtin. For simplicity, they currently always collect
        kAny feedback.
      - adds a Turbofan operator JSExponentiate with a typed-lowering to
        the existing NumberPow and a generic-lowering to the Exponentiate
        builtin. There is currently no speculative lowering.
      
      Note that exponentiation for BigInts is actually not implemented yet,
      so we can't yet test it.
      
      Bug: v8:6791
      Change-Id: Id90914c9c3fce310ce01e715c09eaa9f294f4f8a
      Reviewed-on: https://chromium-review.googlesource.com/785694Reviewed-by: 's avatarJakob Kummerow <jkummerow@chromium.org>
      Reviewed-by: 's avatarSathya Gunasekaran <gsathya@chromium.org>
      Reviewed-by: 's avatarYang Guo <yangguo@chromium.org>
      Reviewed-by: 's avatarMythri Alle <mythria@chromium.org>
      Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Commit-Queue: Georg Neis <neis@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#49696}
      b97567a9
  28. 28 Nov, 2017 1 commit
  29. 23 Nov, 2017 1 commit
  30. 21 Nov, 2017 3 commits
  31. 01 Sep, 2017 1 commit
    • Benedikt Meurer's avatar
      [turbofan] Optimize fast enum cache driven for..in. · f1ec44e2
      Benedikt Meurer authored
      This CL adds support to optimize for..in in fast enum-cache mode to the
      same degree that it was optimized in Crankshaft, without adding the same
      deoptimization loop that Crankshaft had with missing enum cache indices.
      That means code like
      
        for (var k in o) {
          var v = o[k];
          // ...
        }
      
      and code like
      
        for (var k in o) {
          if (Object.prototype.hasOwnProperty.call(o, k)) {
            var v = o[k];
            // ...
          }
        }
      
      which follows the https://eslint.org/docs/rules/guard-for-in linter
      rule, can now utilize the enum cache indices if o has only fast
      properties on the receiver, which speeds up the access o[k]
      significantly and reduces the pollution of the global megamorphic
      stub cache.
      
      For example the micro-benchmark in the tracking bug v8:6702 now runs
      faster than ever before:
      
       forIn: 1516 ms.
       forInHasOwnProperty: 1674 ms.
       forInHasOwnPropertySafe: 1595 ms.
       forInSum: 2051 ms.
       forInSumSafe: 2215 ms.
      
      Compared to numbers from V8 5.8 which is the last version running with
      Crankshaft
      
       forIn: 1641 ms.
       forInHasOwnProperty: 1719 ms.
       forInHasOwnPropertySafe: 1802 ms.
       forInSum: 2226 ms.
       forInSumSafe: 2409 ms.
      
      and V8 6.0 which is the current stable version with TurboFan:
      
       forIn: 1713 ms.
       forInHasOwnProperty: 5417 ms.
       forInHasOwnPropertySafe: 5324 ms.
       forInSum: 7556 ms.
       forInSumSafe: 11067 ms.
      
      It also improves the throughput on the string-fasta benchmark by
      around 7-10%, and there seems to be a ~5% improvement on the
      Speedometer/React benchmark locally.
      
      For this to work, the ForInPrepare bytecode was split into
      ForInEnumerate and ForInPrepare, which is very similar to how it was
      handled in Fullcodegen initially. In TurboFan we introduce a new
      operator LoadFieldByIndex that does the dynamic property load.
      
      This also removes the CheckMapValue operator again in favor of
      just using LoadField, ReferenceEqual and CheckIf, which work
      automatically with the EscapeAnalysis and the
      BranchConditionElimination.
      
      Bug: v8:6702
      Change-Id: I91235413eea478ba77ace7bd14bb2f62e155dd9a
      Reviewed-on: https://chromium-review.googlesource.com/645949
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarYang Guo <yangguo@chromium.org>
      Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Reviewed-by: 's avatarLeszek Swirski <leszeks@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#47768}
      f1ec44e2
  32. 19 Jul, 2017 1 commit
  33. 21 Jun, 2017 2 commits
    • Ross McIlroy's avatar
      [TurboFan] Enable typed lowering of JSStringConcat to ConsString allocation. · 69a645d3
      Ross McIlroy authored
      Adds typed lowering of JSStringConcat to ConsString allocation if the
      following conditions hold:
       - All concatinations will result in a ConsString of >= ConString::kMinLength
       - No concatinations will result in a empty string in the RHS unless there is
         a sequential string in the LHS.
      
      This also means JSStringConcat needs an eager checkpoint since it can
      deopt if throwing a RangeError when the string length protector is valid.
      
      BUG=v8:6243
      
      Change-Id: I01ca79f884df467c10f2c032c72d51b5199c1a3c
      Reviewed-on: https://chromium-review.googlesource.com/526636
      Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
      Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#46093}
      69a645d3
    • bmeurer's avatar
      [turbofan] Introduce new JSConstructWithArrayLike operator. · 21701297
      bmeurer authored
      Add a new JSConstructWithArrayLike operator that is backed by the
      ConstructWithArrayLike builtin (similar to what was done before
      for the JSCallWithArrayLike operator), and use that operator to
      optimize Reflect.construct inlining in TurboFan. This is handled
      uniformly with JSConstructWithSpread in the JSCallReducer.
      
      Also add missing test coverage for Reflect.construct in optimized
      code, especially for some interesting corner cases.
      
      R=petermarshall@chromium.org
      BUG=v8:4587,v8:5269
      
      Review-Url: https://codereview.chromium.org/2949813002
      Cr-Commit-Position: refs/heads/master@{#46087}
      21701297
  34. 20 Jun, 2017 1 commit
    • bmeurer's avatar
      [turbofan] Introduce new JSCallWithArrayLike operator. · 767ce788
      bmeurer authored
      Add a new JSCallWithArrayLike operator that is backed by the
      CallWithArrayLike builtin, and use that operator for both
      Function.prototype.apply and Reflect.apply inlining. Also unify
      the handling of JSCallWithArrayLike and JSCallWithSpread in
      the JSCallReducer to reduce the copy&paste overhead.
      
      Drive-by-fix: Add a lot of test coverage for Reflect.apply and
      Function.prototype.apply in optimized code, especially for some
      corner cases, which was missing so far.
      
      BUG=v8:4587,v8:5269
      R=petermarshall@chromium.org
      
      Review-Url: https://codereview.chromium.org/2950773002
      Cr-Commit-Position: refs/heads/master@{#46041}
      767ce788
  35. 13 Jun, 2017 1 commit
    • bmeurer's avatar
      [builtins] Properly optimize Object.prototype.isPrototypeOf. · b11c557d
      bmeurer authored
      Port the baseline implementation of Object.prototype.isPrototypeOf to
      the CodeStubAssembler, sharing the existing prototype chain lookup logic
      with the instanceof / OrdinaryHasInstance implementation. Based on that,
      do the same in TurboFan, introducing a new JSHasInPrototypeChain
      operator, which encapsulates the central prototype chain walk logic.
      
      This speeds up Object.prototype.isPrototypeOf by more than a factor of
      four, so that the code
      
        A.prototype.isPrototypeOf(a)
      
      is now performance-wise on par with
      
        a instanceof A
      
      for the case where A is a regular constructor function and a is an
      instance of A.
      
      Since instanceof does more than just the fundamental prototype chain
      lookup, it was discovered in Node core that O.p.isPrototypeOf would
      be a more appropriate alternative for certain sanity checks, since
      it's less vulnerable to monkey-patching. In addition, the Object
      builtin would also avoid the performance-cliff associated with
      instanceof (due to the Symbol.hasInstance hook), as for example hit
      by https://github.com/nodejs/node/pull/13403#issuecomment-305915874.
      The main blocker was the missing performance of isPrototypeOf, since
      it was still a JS builtin backed by a runtime call.
      
      This CL also adds more test coverage for the
      Object.prototype.isPrototypeOf builtin, especially when called from
      optimized code.
      
      CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_chromium_rel_ng
      BUG=v8:5269,v8:5989,v8:6483
      R=jgruber@chromium.org
      
      Review-Url: https://codereview.chromium.org/2934893002
      Cr-Commit-Position: refs/heads/master@{#45925}
      b11c557d