- 28 Aug, 2020 1 commit
-
-
Marja Hölttä authored
This is the first step in a series of CLs. The goal is to make super property access faster. Design doc: https://docs.google.com/document/d/1b_wgtExmJDLb8206jpJol-g4vJAxPs1XjEx95hwRboI/edit?usp=sharing This CL: - Add bytecode LdaNamedPropertyFromSuper - IGNITION_HANDLER just calls Runtime::LoadFromSuper - JSGenericLowering::LowerJSLoadNamedFromSuper just replaces the node with a runtime call to Runtime::LoadFromSuper Bug: v8:9237 Change-Id: Id28e935294c5068dd6c54e6b860a77d61517fff5 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2327912 Commit-Queue: Marja Hölttä <marja@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Reviewed-by: Mythri Alle <mythria@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#69604}
-
- 15 Jul, 2020 1 commit
-
-
Georg Neis authored
Make JSContextSpecialization constant-fold import.meta loads if the meta object has already been created. Most of this CL was contributed by Gus Caplan. This is a verbatim copy of CL https://chromium-review.googlesource.com/c/v8/v8/+/2170982 which could not be landed due to the wrong email address being used. TBR=verwaest@chromium.org TBR=gsathya@chromium.org Bug: v8:7044 Change-Id: Ief45f3082dc756265904ff500305d32717071e81 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2299375Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#68875}
-
- 23 Jun, 2020 1 commit
-
-
Jakob Gruber authored
This extends the opcode macro lists to include both the long name (e.g.: JSAdd) and short name (Add) to reduce duplication. The change is only for JS operators for now but can be extended to others in the future. Drive-by: Base more predicates off the macro lists for robustness. Bug: v8:8888 Change-Id: I10debdf86166dbe9dac63a6df57938820a8af8d0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2255468 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#68477}
-
- 01 Apr, 2020 1 commit
-
-
Georg Neis authored
JSStoreGlobal can become a call into runtime code (SetProperty) that inspects the context in order to get the language mode. Thus always passing the native context is not good enough. Bug: chromium:1065737 Change-Id: Iba9537cd3de743a0967325acf7900190aa835b5f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2130280Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org> Auto-Submit: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#66946}
-
- 22 Oct, 2019 3 commits
-
-
Victor Gomes authored
Original change's description: > [runtime] Remove extension slots from context objects > > Context objects have an extension slot, which contains further > additional data that depends on the type of the context. > > This CL removes the extension slot from contexts that don't need > them, hence reducing memory. > > The following contexts will still have an extension slot: native, > module, await, block and with contexts. See objects/contexts.h for > what the slot is used for. > The following contexts will not have an extension slot anymore (they > were not used before): script, catch and builtin contexts. > Eval and function contexts only have the extension slot if they > contain a sloppy eval. > > Bug: v8:9744 > Change-Id: I8ca56c22fa02437bbac392ea72174ebfca80e030 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1863191 > Commit-Queue: Victor Gomes <victorgomes@google.com> > Reviewed-by: Toon Verwaest <verwaest@chromium.org> > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > Reviewed-by: Leszek Swirski <leszeks@chromium.org> > Reviewed-by: Peter Marshall <petermarshall@chromium.org> > Auto-Submit: Victor Gomes <victorgomes@google.com> > Cr-Commit-Position: refs/heads/master@{#64372} TBR=verwaest@chromium.org,jgruber@chromium.org,ulan@chromium.org,leszeks@chromium.org,petermarshall@chromium.org Bug: v8:9744 Change-Id: I8700ed2fa62c89e86c39bb16ac3167f38ea8d63f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1873695 Commit-Queue: Victor Gomes <victorgomes@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#64477}
-
Clemens Backes authored
This reverts commit 392a1217. Reason for revert: Several failures on mac64 gc stress: https://ci.chromium.org/p/v8/builders/ci/V8%20Mac64%20GC%20Stress/9747 Original change's description: > Reland "Reland "[runtime] Remove extension slots from context objects"" > > This is a reland of c48096d4 > > Original change's description: > > Reland "[runtime] Remove extension slots from context objects" > > > > This is a reland of c07c02e1 > > > > Original change's description: > > > [runtime] Remove extension slots from context objects > > > > > > Context objects have an extension slot, which contains further > > > additional data that depends on the type of the context. > > > > > > This CL removes the extension slot from contexts that don't need > > > them, hence reducing memory. > > > > > > The following contexts will still have an extension slot: native, > > > module, await, block and with contexts. See objects/contexts.h for > > > what the slot is used for. > > > The following contexts will not have an extension slot anymore (they > > > were not used before): script, catch and builtin contexts. > > > Eval and function contexts only have the extension slot if they > > > contain a sloppy eval. > > > > > > Bug: v8:9744 > > > Change-Id: I8ca56c22fa02437bbac392ea72174ebfca80e030 > > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1863191 > > > Commit-Queue: Victor Gomes <victorgomes@google.com> > > > Reviewed-by: Toon Verwaest <verwaest@chromium.org> > > > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > > > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > > > Reviewed-by: Leszek Swirski <leszeks@chromium.org> > > > Reviewed-by: Peter Marshall <petermarshall@chromium.org> > > > Auto-Submit: Victor Gomes <victorgomes@google.com> > > > Cr-Commit-Position: refs/heads/master@{#64372} > > > > TBR=verwaest@chromium.org,jgruber@chromium.org,ulan@chromium.org,leszeks@chromium.org,petermarshall@chromium.org > > > > Bug: v8:9744 > > Change-Id: I0749cc2d8f59940c25841736634a70047116d647 > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1869192 > > Reviewed-by: Leszek Swirski <leszeks@chromium.org> > > Reviewed-by: Peter Marshall <petermarshall@chromium.org> > > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > > Commit-Queue: Peter Marshall <petermarshall@chromium.org> > > Auto-Submit: Victor Gomes <victorgomes@google.com> > > Cr-Commit-Position: refs/heads/master@{#64380} > > TBR=verwaest@chromium.org,jgruber@chromium.org,ulan@chromium.org,leszeks@chromium.org,petermarshall@chromium.org > > Bug: v8:9744 > Change-Id: I621ffe98722f8c4defaf277b8d1666484ba2963f > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1872400 > Reviewed-by: Leszek Swirski <leszeks@chromium.org> > Reviewed-by: Peter Marshall <petermarshall@chromium.org> > Commit-Queue: Victor Gomes <victorgomes@google.com> > Cr-Commit-Position: refs/heads/master@{#64451} TBR=ulan@chromium.org,jgruber@chromium.org,petermarshall@chromium.org,leszeks@chromium.org,verwaest@chromium.org,victorgomes@google.com Change-Id: I99a71180c6a00a87478867a8210ff9ceb46cb3ee No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:9744 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1872405Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#64453}
-
Victor Gomes authored
This is a reland of c48096d4 Original change's description: > Reland "[runtime] Remove extension slots from context objects" > > This is a reland of c07c02e1 > > Original change's description: > > [runtime] Remove extension slots from context objects > > > > Context objects have an extension slot, which contains further > > additional data that depends on the type of the context. > > > > This CL removes the extension slot from contexts that don't need > > them, hence reducing memory. > > > > The following contexts will still have an extension slot: native, > > module, await, block and with contexts. See objects/contexts.h for > > what the slot is used for. > > The following contexts will not have an extension slot anymore (they > > were not used before): script, catch and builtin contexts. > > Eval and function contexts only have the extension slot if they > > contain a sloppy eval. > > > > Bug: v8:9744 > > Change-Id: I8ca56c22fa02437bbac392ea72174ebfca80e030 > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1863191 > > Commit-Queue: Victor Gomes <victorgomes@google.com> > > Reviewed-by: Toon Verwaest <verwaest@chromium.org> > > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > > Reviewed-by: Leszek Swirski <leszeks@chromium.org> > > Reviewed-by: Peter Marshall <petermarshall@chromium.org> > > Auto-Submit: Victor Gomes <victorgomes@google.com> > > Cr-Commit-Position: refs/heads/master@{#64372} > > TBR=verwaest@chromium.org,jgruber@chromium.org,ulan@chromium.org,leszeks@chromium.org,petermarshall@chromium.org > > Bug: v8:9744 > Change-Id: I0749cc2d8f59940c25841736634a70047116d647 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1869192 > Reviewed-by: Leszek Swirski <leszeks@chromium.org> > Reviewed-by: Peter Marshall <petermarshall@chromium.org> > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > Commit-Queue: Peter Marshall <petermarshall@chromium.org> > Auto-Submit: Victor Gomes <victorgomes@google.com> > Cr-Commit-Position: refs/heads/master@{#64380} TBR=verwaest@chromium.org,jgruber@chromium.org,ulan@chromium.org,leszeks@chromium.org,petermarshall@chromium.org Bug: v8:9744 Change-Id: I621ffe98722f8c4defaf277b8d1666484ba2963f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1872400Reviewed-by: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Commit-Queue: Victor Gomes <victorgomes@google.com> Cr-Commit-Position: refs/heads/master@{#64451}
-
- 27 Sep, 2019 1 commit
-
-
Mike Stanton authored
Almost everywhere, we use the ProcessedFeedback abstraction to query feedback in the compiler. The remaining exception is in handling RegExp, Object and Array literals. By bringing this in line with other feedback queries, we no longer need to serialize all feedback vector slots (possibly wasteful of memory), and offer a uniform way to pick up feedback everywhere. Bug: v8:7790, v8:9396 Change-Id: Ice42587595fe30bebfbd7835d2b2e9e49601c92e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1807358 Commit-Queue: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Maya Lekova <mslekova@chromium.org> Cr-Commit-Position: refs/heads/master@{#64016}
-
- 09 Aug, 2019 1 commit
-
-
Swapnil Gaikwad authored
This is the first in a series of changes to reduce the number of bytecodes generated for the iteration protocol based operations. The GetIterator bytecode introduced in this change currently loads the @@iterator symbol from an object that was previously done using the LdaNamedProperty bytecode. This change uses builtin-based mechanism that would be extended to perform additional operations in the future on absorbing the bytecodes associated with the GetIterator operation from the iteration protocol. Bug: v8:9489 Change-Id: I83b8b55c27bae8260bf227f355eeca1ba80cd8f0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1701852 Commit-Queue: Swapnil Gaikwad <swapnilgaikwad@google.com> Reviewed-by: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#63139}
-
- 11 Oct, 2018 1 commit
-
-
Benedikt Meurer authored
This JSAsyncFunctionObject represents the implicit generator object inside of async functions, and also holds the outer promise for the async functions. This in turn allows us to get rid of the .promise in the Parser / BytecodeGenerator completely, and will make it possible to build zero-cost async stack traces independent of the concrete synchronous part of the stack frame (which currently breaks in Node.js). In the bytecode all the async function operations now take this new JSAsyncFunctionObject instead of passing both the .generator_object and the .promise, which further simplifies and shrinks the bytecode. It also reduces the size of async function frames, potentially making the suspend/resume cheaper. This also changes `await` to use intrinsics instead of calling to special JSFunctions on the native context, and thus reduces the size of the native contexts. Drive-by-fix: Introduce a dedicated JSCreateAsyncFunctionObject operator to TurboFan. Bug: v8:7253, v8:7522 Change-Id: I2305302285156aa1f71328ecac70377abdd92c80 Ref: nodejs/node#11865 Design-Document: http://bit.ly/v8-zero-cost-async-stack-traces Reviewed-on: https://chromium-review.googlesource.com/c/1273049 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by: Maya Lekova <mslekova@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#56554}
-
- 10 Oct, 2018 1 commit
-
-
Benedikt Meurer authored
This change introduces new intrinsics used to desugar async functions in the Parser and the BytecodeGenerator, namely we introduce a new %_AsyncFunctionEnter intrinsic that constructs the generator object for the async function (and in the future will also create the outer promise for the async function). This generator object is internal and never escapes to user code, plus since async functions don't have a "prototype" property, we can just a single map here instead of tracking the prototype/initial_map on every async function. This saves one word per async function plus one initial_map per async function that was invoked at least once. We also introduce two new intrinsics %_AsyncFunctionReject, which rejects the outer promise with the caught exception, and another %_AsyncFunctionResolve, which resolves the outer promise with the right hand side of the `return` statement. These functions also perform the DevTools part of the job (aka popping from the promise stack and sending the debug event). This allows us to get rid of the implicit try-finally from async functions completely; because the finally block only called to the %AsyncFunctionPromiseRelease builtin, which was used to inform DevTools. In essence we now turn an async function like ```js async function f(x) { return await bar(x); } ``` into something like this (in Parser and BytecodeGenerator respectively): ``` function f(x) { .generator_object = %_AsyncFunctionEnter(.closure, this); .promise = %AsyncFunctionCreatePromise(); try { .tmp = await bar(x); return %_AsyncFunctionResolve(.promise, .tmp); } catch (e) { return %_AsyncFunctionReject(.promise, e); } } ``` Overall the bytecode for async functions gets significantly shorter already (and will get even shorter once we put the outer promise into the async function generator object). For example the bytecode for a simple async function ```js async function f(x) { return await x; } ``` goes from 175 bytes to 110 bytes (a ~38% reduction in size), which is in particular due to the simplification around the try-finally removal. Overall this seems to improve the doxbee-async-es2017-native test by around 2-3%. On the test case mentioned in v8:8276 we go from 1124ms to 441ms, which corresponds to a 60% reduction in total execution time! Tbr: marja@chromium.org Bug: v8:7253, v8:7522, v8:8276 Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;luci.chromium.try:linux_chromium_rel_ng;master.tryserver.blink:linux_trusty_blink_rel Change-Id: Id29dc92de7490b387ff697860c900cee44c9a7a4 Reviewed-on: https://chromium-review.googlesource.com/c/1269041 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by: Maya Lekova <mslekova@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#56502}
-
- 08 Oct, 2018 1 commit
-
-
Benedikt Meurer authored
This change adds predicates to check whether a given JavaScript operator needs the "current context" or if any surrounding context (including the "native context") does it. For example JSAdd doesn't ever need the current context, but actually only the native context. In the BytecodeGraphBuilder we use this predicate to check whether a given operator needs the current context, and if not, we just pass in the native context. Doing so we improve the performance on the benchmarks given in the tracking bug significantly, and go from something around arrayMap: 476 ms. arrayFilter: 312 ms. arrayEvery: 241 ms. arraySome: 152 ms. to arrayMap: 377 ms. arrayFilter: 296 ms. arrayEvery: 191 ms. arraySome: 91 ms. which is an up to 40% improvement. So for idiomatic modern JavaScript which uses higher order functions quite a lot, not just the builtins provided by the JSVM, this is going to improve peak performance noticably. This also makes it possible to completely eliminate all the allocations in the aliased sloppy arguments example ```js function foo(a) { return arguments.length; } ``` concretely we don't allocate the function context anymore and we also don't allocate the arguments object anymore (the JSStackCheck was the reason why we did this in the past, because it was holding on to the current context, which also kept the allocation for the arguments alive). Bug: v8:6200, v8:8060 Change-Id: I1db56d00d6b510ce6337608c0fff16af96e95eef Design-Document: bit.ly/v8-turbofan-context-sensitive-js-operators Reviewed-on: https://chromium-review.googlesource.com/c/1267176Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#56441}
-
- 21 Sep, 2018 1 commit
-
-
Benedikt Meurer authored
The JSToInteger operator is not used anywhere in TurboFan nowadays, so no point in keeping the dead code in the tree. Bug: v8:8015 Change-Id: If03ba63c4b932ba0aac60b9bbc89fee3909a93c6 Reviewed-on: https://chromium-review.googlesource.com/1238238Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#56126}
-
- 05 Sep, 2018 1 commit
-
-
Hai Dang authored
This is a reland of 1c48d52b. It turned out that IterableToList doesn't always behave according to the ES operation with the same name. Specifically, it allows holey arrays to take its fast path, which produces an output array with holes where actually "undefined" elements should appear. This CL changes the version of IterableToList that is used for spreads (IterableToListWithSymbolLookup) such that holey arrays take the slow path. It also includes tests for such situations. Original change's description: > [interpreter] Add bytecode for leading array spreads. > > This CL improves the performance of creating [...a, b] or [...a]. > If the array literal has a leading spread, this CL emits the bytecode > [CreateArrayFromIterable] to create the literal. CreateArrayFromIterable > is implemented by [IterableToListDefault] builtin to create the initial > array for the leading spread. IterableToListDefault has a fast path to > clone efficiently if the spread is an actual array. > > The bytecode generated is now shorter. Bytecode generation is refactored > into to BuildCreateArrayLiteral, which allows VisitCallSuper to benefit > from this optimization also. > For now, turbofan also lowers the bytecode to the builtin. > > The idiomatic use of [...a] to clone the array a now performs better > than a simple for-loop, but still does not match the performance of slice. > > Bug: v8:7980 > > Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng > Change-Id: Ibde659c82d3c7aa1b1777a3d2f6426ac8cc15e35 > Reviewed-on: https://chromium-review.googlesource.com/1181024 > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> > Reviewed-by: Sigurd Schneider <sigurds@chromium.org> > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > Reviewed-by: Georg Neis <neis@chromium.org> > Commit-Queue: Georg Neis <neis@chromium.org> > Commit-Queue: Hai Dang <dhai@google.com> > Cr-Commit-Position: refs/heads/master@{#55520} Bug: v8:7980 Change-Id: I0b5603a12d2b588327658bf0a9b214bd0f22e237 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Reviewed-on: https://chromium-review.googlesource.com/1201882 Commit-Queue: Hai Dang <dhai@google.com> Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#55639}
-
- 31 Aug, 2018 1 commit
-
-
Georg Neis authored
This reverts commit 1c48d52b. Reason for revert: Clusterfuzz found something. Original change's description: > [interpreter] Add bytecode for leading array spreads. > > This CL improves the performance of creating [...a, b] or [...a]. > If the array literal has a leading spread, this CL emits the bytecode > [CreateArrayFromIterable] to create the literal. CreateArrayFromIterable > is implemented by [IterableToListDefault] builtin to create the initial > array for the leading spread. IterableToListDefault has a fast path to > clone efficiently if the spread is an actual array. > > The bytecode generated is now shorter. Bytecode generation is refactored > into to BuildCreateArrayLiteral, which allows VisitCallSuper to benefit > from this optimization also. > For now, turbofan also lowers the bytecode to the builtin. > > The idiomatic use of [...a] to clone the array a now performs better > than a simple for-loop, but still does not match the performance of slice. > > Bug: v8:7980 > > Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng > Change-Id: Ibde659c82d3c7aa1b1777a3d2f6426ac8cc15e35 > Reviewed-on: https://chromium-review.googlesource.com/1181024 > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> > Reviewed-by: Sigurd Schneider <sigurds@chromium.org> > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > Reviewed-by: Georg Neis <neis@chromium.org> > Commit-Queue: Georg Neis <neis@chromium.org> > Commit-Queue: Hai Dang <dhai@google.com> > Cr-Commit-Position: refs/heads/master@{#55520} TBR=rmcilroy@chromium.org,neis@chromium.org,sigurds@chromium.org,gsathya@chromium.org,jgruber@chromium.org,dhai@google.com Change-Id: I1c86ddcc24274da9f5a8dd3d8bf8d869cbb55cb6 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:7980 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Reviewed-on: https://chromium-review.googlesource.com/1199303Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#55544}
-
- 30 Aug, 2018 1 commit
-
-
Hai Dang authored
This CL improves the performance of creating [...a, b] or [...a]. If the array literal has a leading spread, this CL emits the bytecode [CreateArrayFromIterable] to create the literal. CreateArrayFromIterable is implemented by [IterableToListDefault] builtin to create the initial array for the leading spread. IterableToListDefault has a fast path to clone efficiently if the spread is an actual array. The bytecode generated is now shorter. Bytecode generation is refactored into to BuildCreateArrayLiteral, which allows VisitCallSuper to benefit from this optimization also. For now, turbofan also lowers the bytecode to the builtin. The idiomatic use of [...a] to clone the array a now performs better than a simple for-loop, but still does not match the performance of slice. Bug: v8:7980 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Change-Id: Ibde659c82d3c7aa1b1777a3d2f6426ac8cc15e35 Reviewed-on: https://chromium-review.googlesource.com/1181024Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Commit-Queue: Hai Dang <dhai@google.com> Cr-Commit-Position: refs/heads/master@{#55520}
-
- 23 Jul, 2018 1 commit
-
-
Sigurd Schneider authored
This is a reland of 9eca23e9 Adds a deopt continuation, which fixes JavaScript stack traces to contain the number constructor after inlining. Original change's description: > [turbofan] Inline Number constructor in certain cases > > This CL adds inlining for the Number constructor if new.target is not > present. The lowering is BigInt compatible, i.e. it converts BigInts to > numbers. > > Bug: v8:7904 > Change-Id: If03b9f872d82e50b6ded7709069181c33dc44e82 > Reviewed-on: https://chromium-review.googlesource.com/1118557 > Commit-Queue: Sigurd Schneider <sigurds@chromium.org> > Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> > Reviewed-by: Georg Neis <neis@chromium.org> > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> > Cr-Commit-Position: refs/heads/master@{#54454} Bug: v8:7904 Change-Id: Ic416e5ba81fa3a0f59ae4afa80df83c46a759487 Reviewed-on: https://chromium-review.googlesource.com/1146581 Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#54609}
-
- 20 Jul, 2018 1 commit
-
-
Caitlin Potter authored
As discussed in https://docs.google.com/document/d/1sBdGe8RHgeYP850cKSSgGABTyfMdvaEWLy-vertuTCo/edit?ts=5b3ba5cc#, this CL introduces a new bytecode (CloneObject), and a new IC type. In this prototype implementation, the type feedback looks like the following: Uninitialized case: { uninitialized_sentinel, uninitialized_sentinel } Monomorphic case: { weak 'source' map, strong 'result' map } Polymorphic case: { WeakFixedArray with { weak 'source' map, strong 'result' map }, cleared value } Megamorphic case: { megamorphic_sentinel, cleared_Value } In the fast case, Object cloning is done by allocating an object with the saved result map, and a shallow clone of the fast properties from the source object, as well as cloned fast elements from the source object. If at any point the fast case can't be taken, the IC transitions to the slow case and remains there. This prototype CL does not include any TurboFan optimization, and the CloneObject operation is merely reduced to a stub call. It may still be possible to get some further improvements by somehow incorporating compile-time boilerplate elements into the cloned object, or simplifying how the boilerplate elements are inserted into the object. In terms of performance, we improve the ObjectSpread score in JSTests/ObjectLiteralSpread/ by about 8x, with substantial improvements over the Babel and ObjectAssign scores. R=gsathya@chromium.org, mvstanton@chromium.org, rmcilroy@chromium.org, neis@chromium.org, bmeurer@chromium.org BUG=v8:7611 Change-Id: I79e1796eb77016fb4feba0e1d3bb9abb348c183e Reviewed-on: https://chromium-review.googlesource.com/1127472 Commit-Queue: Caitlin Potter <caitp@igalia.com> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#54595}
-
- 19 Jul, 2018 1 commit
-
-
Sigurd Schneider authored
This reverts commit 9eca23e9. Reason for revert: Clusterfuzz correctness issue Original change's description: > [turbofan] Inline Number constructor in certain cases > > This CL adds inlining for the Number constructor if new.target is not > present. The lowering is BigInt compatible, i.e. it converts BigInts to > numbers. > > Bug: v8:7904 > Change-Id: If03b9f872d82e50b6ded7709069181c33dc44e82 > Reviewed-on: https://chromium-review.googlesource.com/1118557 > Commit-Queue: Sigurd Schneider <sigurds@chromium.org> > Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> > Reviewed-by: Georg Neis <neis@chromium.org> > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> > Cr-Commit-Position: refs/heads/master@{#54454} TBR=jarin@chromium.org,neis@chromium.org,sigurds@chromium.org,bmeurer@chromium.org # Not skipping CQ checks because original CL landed > 1 day ago. Bug: v8:7904 Change-Id: Ie5fa6c1262b8acc33edb672a0124f4458fcded86 Reviewed-on: https://chromium-review.googlesource.com/1142777Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Cr-Commit-Position: refs/heads/master@{#54544}
-
- 16 Jul, 2018 1 commit
-
-
Sigurd Schneider authored
This CL adds inlining for the Number constructor if new.target is not present. The lowering is BigInt compatible, i.e. it converts BigInts to numbers. Bug: v8:7904 Change-Id: If03b9f872d82e50b6ded7709069181c33dc44e82 Reviewed-on: https://chromium-review.googlesource.com/1118557 Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#54454}
-
- 11 Jun, 2018 1 commit
-
-
Sigurd Schneider authored
This CL adds a TFS stub for RegExp#test and moves several checks to the JSCallReducer. In particular, the JSCallReducer checks that - property {exec} on the regexp is still the original exec - property {lastIndex} on the regexp is a non-negative smi The stub does not repeat these checks in release mode. This effectively means that if the regexp is known, we can perform these checks at compile time, and get away with a map dependency. Bug: v8:7779, v8:7200 Change-Id: I0c6d711d4f1d2f6f325a1c02855b0e1b62e014c8 Reviewed-on: https://chromium-review.googlesource.com/1074654 Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#53630}
-
- 26 Apr, 2018 1 commit
-
-
Sigurd Schneider authored
This CL also removes the JSBuiltinReducer, which is no longer needed. Bug: v8:7340, v8:7250 Change-Id: I28896f6ce0d352047ea1cb7ea6de490818840faf Reviewed-on: https://chromium-review.googlesource.com/1027853 Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#52799}
-
- 24 Apr, 2018 1 commit
-
-
Sigurd Schneider authored
This CL introduces a JSOperator for Array.isArray and moves the corresponding lowering to JSCallReducer and JSTypedLowering. Bug: v8:7340, v8:7250 Change-Id: Iaa7ced2ad34bec8cccc9da1041007261168cf4b3 Reviewed-on: https://chromium-review.googlesource.com/1025092 Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#52757}
-
- 19 Apr, 2018 1 commit
-
-
Sigurd Schneider authored
This also adds a javascript operator JSCreateObject and an associated TFS stub that handles Object.create in cases where only a prototype, but no additional properties are provided. Bug: v8:7250 Change-Id: Ib1fd529a10a553c3718222356319bd6ccffbdf30 Reviewed-on: https://chromium-review.googlesource.com/1013576 Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#52680}
-
- 18 Apr, 2018 1 commit
-
-
Sigurd Schneider authored
The framestate is necessary, because the PerformPromiseThen builtin calls into the runtime function PromiseRevokeReject, which ultimately calls back into the embedder. Node may execute JavaScript in the callback, and the missing framestate can then make our stack frame walker unhappy. Bug: v8:7659 Change-Id: I47391fd2b9b3c10ef26204a41e58f8082243c702 Reviewed-on: https://chromium-review.googlesource.com/1015361Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Cr-Commit-Position: refs/heads/master@{#52663}
-
- 15 Mar, 2018 1 commit
-
-
Benedikt Meurer authored
This introduces a new JSCreateTypedArray operator, backed by a dedicated CreateTypedArray builtin, and adds support to lowering new TypedArray calls to this operator. This way we avoid the overhead of going through the generic construct stub machinery for hot code. This not only recovers the performance regression on the typed array constructor benchmarks, but even improves slightly beyond what we had in 6.6. We might in the future try to fully inline the TypedArray constructor into optimized code for certain cases. Bug: chromium:820726, v8:7503, v8:7518 Change-Id: Ied465924d5695db576d533792f1db68456b9b5ea Reviewed-on: https://chromium-review.googlesource.com/959010 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#51973}
-
- 20 Feb, 2018 1 commit
-
-
Benedikt Meurer authored
This CL introduces new operators JSFulfillPromise and JSPromiseResolve, corresponding to the specification operations with the same name, and uses that to lower calls to Promise.resolve() builtin to JSPromiseResolve. We also optimize JSPromiseResolve and JSResolvePromise further based on information found about the value/resolution in the graph. This applies to both Promise.resolve() builtin calls and implicit resolve operations in async functions and async generators. On a very simple microbenchmark like console.time('resolve'); for (let i = 0; i < 1e8; ++i) Promise.resolve({i}); console.timeEnd('resolve'); this CL reduces the execution time from around 3049ms to around 947ms, which is a pretty significant 3x improvement. On the wikipedia benchmark we observe an improvement around 2% with this CL. Bug: v8:7253 Change-Id: Ic69086cdc1b724f35dbe83305795539c562ab817 Reviewed-on: https://chromium-review.googlesource.com/913488Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#51387}
-
- 13 Feb, 2018 1 commit
-
-
Benedikt Meurer authored
This introduces dedicated builtins - FulfillPromise, - RejectPromise, and - ResolvePromise, which perform the corresponding operations from the language specification, and removes the redundant entry points and the excessive inlining of these operations into other builtins. We also add the same logic on the C++ side, so that we don't need to go into JavaScript land when resolving/rejecting from the API. The C++ side has a complete implementation, including full support for the debugger and the current PromiseHook machinery. This is to avoid constantly crossing the boundary for those cases, and to also simplify the CSA side (and soon the TurboFan side), where we only do the fast-path and bail out to the runtime for the general handling. On top of this we introduce %_RejectPromise and %_ResolvePromise, which are entry points used by the bytecode and parser desugarings for async functions, and also used by the V8 Extras API. Thanks to this we can uniformly optimize these in TurboFan, where we have corresponding operators JSRejectPromise and JSResolvePromise, which currently just call into the builtins, but middle-term can be further optimized, i.e. to skip the "then" lookup for JSResolvePromise when we know something about the resolution. In TurboFan we can also already inline the default PromiseCapability [[Reject]] and [[Resolve]] functions, although this is not as effective as it can be right now, until we have inlining support for the Promise constructor (being worked on by petermarshall@ right now) and/or SFI based CALL_IC feedback. Overall this change is meant as a refactoring without significant performance impact anywhere; it seems to improve performance of simple async functions a bit, but otherwise is neutral. Bug: v8:7253 Change-Id: Id0b979f9b2843560e38cd8df4b02627dad4b6d8c Reviewed-on: https://chromium-review.googlesource.com/911632Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#51260}
-
- 29 Nov, 2017 1 commit
-
-
Georg Neis authored
Prior to this change, the exponentiation operator was rewritten by the parser to a call of the Math.pow builtin. However, Math.pow does not accept BigInt arguments, while the exponentiation operator must accept them. This CL - removes the parser's special treatment of ** and **=, treating them like any other binary op instead. - adds a TFC builtin Exponentiate that does the right thing for all inputs. - adds interpreter bytecodes Exp and ExpSmi whose handlers call the Exponentiate builtin. For simplicity, they currently always collect kAny feedback. - adds a Turbofan operator JSExponentiate with a typed-lowering to the existing NumberPow and a generic-lowering to the Exponentiate builtin. There is currently no speculative lowering. Note that exponentiation for BigInts is actually not implemented yet, so we can't yet test it. Bug: v8:6791 Change-Id: Id90914c9c3fce310ce01e715c09eaa9f294f4f8a Reviewed-on: https://chromium-review.googlesource.com/785694Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Reviewed-by: Mythri Alle <mythria@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#49696}
-
- 28 Nov, 2017 1 commit
-
-
Georg Neis authored
... in the same style as the previous CLs for negation and bitwise-not. R=jarin@chromium.org Bug: v8:6791 Change-Id: I0aa96a72421e90c8c82a39dd4264fdcf00967504 Reviewed-on: https://chromium-review.googlesource.com/779141 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#49658}
-
- 23 Nov, 2017 1 commit
-
-
Toon Verwaest authored
Bug: Change-Id: I4577db5ae6b9623815969deb03b311bd3b550d75 Reviewed-on: https://chromium-review.googlesource.com/787310Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#49602}
-
- 21 Nov, 2017 3 commits
-
-
Georg Neis authored
This introduces a JSBitwiseNot operator and lowers it either to a speculative xor with -1 (when we have Number feedback) or to a stub call. The stub is also new. Bug: v8:6791 Change-Id: I362e52de8a741dc5db044c406543878e407eb2ed Reviewed-on: https://chromium-review.googlesource.com/778839 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#49539}
-
Georg Neis authored
This introduces a JSNegate operator and lowers it either to a speculative multiplication with -1 (when we have Number feedback) or to a stub call. The stub is also new. R=jarin@chromium.org Bug: v8:6791 Change-Id: I8e20333fe49cc6088d2d10777be982e42eed2412 Reviewed-on: https://chromium-review.googlesource.com/774718 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#49538}
-
Georg Neis authored
TBR: rmcilroy@chromium.org Bug: v8:6791 Change-Id: I4ac2bdce353d987a2fe45149d8556b6591569a01 Reviewed-on: https://chromium-review.googlesource.com/771191 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#49528}
-
- 01 Sep, 2017 1 commit
-
-
Benedikt Meurer authored
This CL adds support to optimize for..in in fast enum-cache mode to the same degree that it was optimized in Crankshaft, without adding the same deoptimization loop that Crankshaft had with missing enum cache indices. That means code like for (var k in o) { var v = o[k]; // ... } and code like for (var k in o) { if (Object.prototype.hasOwnProperty.call(o, k)) { var v = o[k]; // ... } } which follows the https://eslint.org/docs/rules/guard-for-in linter rule, can now utilize the enum cache indices if o has only fast properties on the receiver, which speeds up the access o[k] significantly and reduces the pollution of the global megamorphic stub cache. For example the micro-benchmark in the tracking bug v8:6702 now runs faster than ever before: forIn: 1516 ms. forInHasOwnProperty: 1674 ms. forInHasOwnPropertySafe: 1595 ms. forInSum: 2051 ms. forInSumSafe: 2215 ms. Compared to numbers from V8 5.8 which is the last version running with Crankshaft forIn: 1641 ms. forInHasOwnProperty: 1719 ms. forInHasOwnPropertySafe: 1802 ms. forInSum: 2226 ms. forInSumSafe: 2409 ms. and V8 6.0 which is the current stable version with TurboFan: forIn: 1713 ms. forInHasOwnProperty: 5417 ms. forInHasOwnPropertySafe: 5324 ms. forInSum: 7556 ms. forInSumSafe: 11067 ms. It also improves the throughput on the string-fasta benchmark by around 7-10%, and there seems to be a ~5% improvement on the Speedometer/React benchmark locally. For this to work, the ForInPrepare bytecode was split into ForInEnumerate and ForInPrepare, which is very similar to how it was handled in Fullcodegen initially. In TurboFan we introduce a new operator LoadFieldByIndex that does the dynamic property load. This also removes the CheckMapValue operator again in favor of just using LoadField, ReferenceEqual and CheckIf, which work automatically with the EscapeAnalysis and the BranchConditionElimination. Bug: v8:6702 Change-Id: I91235413eea478ba77ace7bd14bb2f62e155dd9a Reviewed-on: https://chromium-review.googlesource.com/645949 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#47768}
-
- 19 Jul, 2017 1 commit
-
-
Ross McIlroy authored
There remained a few of regressions and we didn't see any significant improvement in the real world with this turned on. This CL reverts all the StringConcat bytecode work which landed. BUG=v8:6243 Change-Id: I832eb72e880ad41411dbec8fe29f71ef0f2025c8 Reviewed-on: https://chromium-review.googlesource.com/575130 Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#46769}
-
- 21 Jun, 2017 2 commits
-
-
Ross McIlroy authored
Adds typed lowering of JSStringConcat to ConsString allocation if the following conditions hold: - All concatinations will result in a ConsString of >= ConString::kMinLength - No concatinations will result in a empty string in the RHS unless there is a sequential string in the LHS. This also means JSStringConcat needs an eager checkpoint since it can deopt if throwing a RangeError when the string length protector is valid. BUG=v8:6243 Change-Id: I01ca79f884df467c10f2c032c72d51b5199c1a3c Reviewed-on: https://chromium-review.googlesource.com/526636 Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#46093}
-
bmeurer authored
Add a new JSConstructWithArrayLike operator that is backed by the ConstructWithArrayLike builtin (similar to what was done before for the JSCallWithArrayLike operator), and use that operator to optimize Reflect.construct inlining in TurboFan. This is handled uniformly with JSConstructWithSpread in the JSCallReducer. Also add missing test coverage for Reflect.construct in optimized code, especially for some interesting corner cases. R=petermarshall@chromium.org BUG=v8:4587,v8:5269 Review-Url: https://codereview.chromium.org/2949813002 Cr-Commit-Position: refs/heads/master@{#46087}
-
- 20 Jun, 2017 1 commit
-
-
bmeurer authored
Add a new JSCallWithArrayLike operator that is backed by the CallWithArrayLike builtin, and use that operator for both Function.prototype.apply and Reflect.apply inlining. Also unify the handling of JSCallWithArrayLike and JSCallWithSpread in the JSCallReducer to reduce the copy&paste overhead. Drive-by-fix: Add a lot of test coverage for Reflect.apply and Function.prototype.apply in optimized code, especially for some corner cases, which was missing so far. BUG=v8:4587,v8:5269 R=petermarshall@chromium.org Review-Url: https://codereview.chromium.org/2950773002 Cr-Commit-Position: refs/heads/master@{#46041}
-
- 13 Jun, 2017 1 commit
-
-
bmeurer authored
Port the baseline implementation of Object.prototype.isPrototypeOf to the CodeStubAssembler, sharing the existing prototype chain lookup logic with the instanceof / OrdinaryHasInstance implementation. Based on that, do the same in TurboFan, introducing a new JSHasInPrototypeChain operator, which encapsulates the central prototype chain walk logic. This speeds up Object.prototype.isPrototypeOf by more than a factor of four, so that the code A.prototype.isPrototypeOf(a) is now performance-wise on par with a instanceof A for the case where A is a regular constructor function and a is an instance of A. Since instanceof does more than just the fundamental prototype chain lookup, it was discovered in Node core that O.p.isPrototypeOf would be a more appropriate alternative for certain sanity checks, since it's less vulnerable to monkey-patching. In addition, the Object builtin would also avoid the performance-cliff associated with instanceof (due to the Symbol.hasInstance hook), as for example hit by https://github.com/nodejs/node/pull/13403#issuecomment-305915874. The main blocker was the missing performance of isPrototypeOf, since it was still a JS builtin backed by a runtime call. This CL also adds more test coverage for the Object.prototype.isPrototypeOf builtin, especially when called from optimized code. CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_chromium_rel_ng BUG=v8:5269,v8:5989,v8:6483 R=jgruber@chromium.org Review-Url: https://codereview.chromium.org/2934893002 Cr-Commit-Position: refs/heads/master@{#45925}
-