- 21 Jun, 2017 2 commits
-
-
Ross McIlroy authored
Adds typed lowering of JSStringConcat to ConsString allocation if the following conditions hold: - All concatinations will result in a ConsString of >= ConString::kMinLength - No concatinations will result in a empty string in the RHS unless there is a sequential string in the LHS. This also means JSStringConcat needs an eager checkpoint since it can deopt if throwing a RangeError when the string length protector is valid. BUG=v8:6243 Change-Id: I01ca79f884df467c10f2c032c72d51b5199c1a3c Reviewed-on: https://chromium-review.googlesource.com/526636 Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#46093}
-
bmeurer authored
Add a new JSConstructWithArrayLike operator that is backed by the ConstructWithArrayLike builtin (similar to what was done before for the JSCallWithArrayLike operator), and use that operator to optimize Reflect.construct inlining in TurboFan. This is handled uniformly with JSConstructWithSpread in the JSCallReducer. Also add missing test coverage for Reflect.construct in optimized code, especially for some interesting corner cases. R=petermarshall@chromium.org BUG=v8:4587,v8:5269 Review-Url: https://codereview.chromium.org/2949813002 Cr-Commit-Position: refs/heads/master@{#46087}
-
- 20 Jun, 2017 1 commit
-
-
bmeurer authored
Add a new JSCallWithArrayLike operator that is backed by the CallWithArrayLike builtin, and use that operator for both Function.prototype.apply and Reflect.apply inlining. Also unify the handling of JSCallWithArrayLike and JSCallWithSpread in the JSCallReducer to reduce the copy&paste overhead. Drive-by-fix: Add a lot of test coverage for Reflect.apply and Function.prototype.apply in optimized code, especially for some corner cases, which was missing so far. BUG=v8:4587,v8:5269 R=petermarshall@chromium.org Review-Url: https://codereview.chromium.org/2950773002 Cr-Commit-Position: refs/heads/master@{#46041}
-
- 13 Jun, 2017 1 commit
-
-
bmeurer authored
Port the baseline implementation of Object.prototype.isPrototypeOf to the CodeStubAssembler, sharing the existing prototype chain lookup logic with the instanceof / OrdinaryHasInstance implementation. Based on that, do the same in TurboFan, introducing a new JSHasInPrototypeChain operator, which encapsulates the central prototype chain walk logic. This speeds up Object.prototype.isPrototypeOf by more than a factor of four, so that the code A.prototype.isPrototypeOf(a) is now performance-wise on par with a instanceof A for the case where A is a regular constructor function and a is an instance of A. Since instanceof does more than just the fundamental prototype chain lookup, it was discovered in Node core that O.p.isPrototypeOf would be a more appropriate alternative for certain sanity checks, since it's less vulnerable to monkey-patching. In addition, the Object builtin would also avoid the performance-cliff associated with instanceof (due to the Symbol.hasInstance hook), as for example hit by https://github.com/nodejs/node/pull/13403#issuecomment-305915874. The main blocker was the missing performance of isPrototypeOf, since it was still a JS builtin backed by a runtime call. This CL also adds more test coverage for the Object.prototype.isPrototypeOf builtin, especially when called from optimized code. CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_chromium_rel_ng BUG=v8:5269,v8:5989,v8:6483 R=jgruber@chromium.org Review-Url: https://codereview.chromium.org/2934893002 Cr-Commit-Position: refs/heads/master@{#45925}
-
- 07 Jun, 2017 1 commit
-
-
Ross McIlroy authored
Adds support for lowering of ToPrimitiveToString and StringConcat bytecodes to the corresponding builtins. As part of this, moves the interpreter implementation of these operations into the appropriate builtin generators and add builtin support for them. Also adds TailCallRuntimeN operator to code-assembler which enables tail calling a runtime function when the arguments have already been pushed onto the stack. BUG=v8:6243 Change-Id: Id5c851bc42e4ff490d9a23a8990ae331c7eac73e Reviewed-on: https://chromium-review.googlesource.com/515362 Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#45756}
-
- 18 May, 2017 1 commit
-
-
bmeurer authored
We already had an optimization to turn Function.prototype.apply with arguments object, i.e. function foo() { return bar.apply(this, arguments); } into a special operator JSCallForwardVarargs, which avoids the allocation and deconstruction of the arguments object, but just passes along the incoming parameters. We can do the same for rest parameters and spread calls/constructs, i.e. class A extends B { constructor(...args) { super(...args); } } or function foo(...args) { return bar(1, 2, 3, ...args); } where we basically pass along the parameters (plus maybe additional statically known parameters). For this, we introduce a new JSConstructForwardVarargs operator and generalize the CallForwardVarargs builtins that are backing this. BUG=v8:6407,v8:6278,v8:6344 R=jarin@chromium.org Review-Url: https://codereview.chromium.org/2890023004 Cr-Commit-Position: refs/heads/master@{#45388}
-
- 08 May, 2017 1 commit
-
-
mvstanton authored
Intrinsic and generic lowering for generator object creation. In a follow-on, create lowering will be addressed. BUG=v8:6352 Review-Url: https://codereview.chromium.org/2862213002 Cr-Commit-Position: refs/heads/master@{#45171}
-
- 07 Mar, 2017 1 commit
-
-
Michael Starzinger authored
The parser already changes all negative equality comparison operations to their positive pendants in {ParserBase::ParseBinaryExpression}. No other source of the Token::NE exists in the system. We can remove all handling from the compiler and interpreter backends. R=bmeurer@chromium.org Change-Id: I58722c08dd8e498f20c65886fce86b8172737b10 Reviewed-on: https://chromium-review.googlesource.com/449716Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#43627}
-
- 03 Mar, 2017 1 commit
-
-
bmeurer authored
We don't need the JSStrictNotEqual operator in the compiler, because this is never generated by the BytecodeGraphBuilder, and the code in the AstGraphBuilder was dead code. Also remove the backing builtin StrictNotEqual. R=mstarzinger@chromium.org BUG=v8:5267 Review-Url: https://codereview.chromium.org/2727003006 Cr-Commit-Position: refs/heads/master@{#43594}
-
- 17 Feb, 2017 1 commit
-
-
Igor Sheludko authored
... which is used for initializing properties with non compile time values. Currently we use StoreOwnIC only for storing properties that already exist in the boilerplate therefore we can reuse StoreIC dispatcher. The proper StoreOwnIC dispatcher will be implemented in a separate CL. BUG=v8:5495, v8:4414 Change-Id: I9c33fdb8499ec5be2c7fce1ecb6ce7aa285e5844 Reviewed-on: https://chromium-review.googlesource.com/443588Reviewed-by:
Jakob Kummerow <jkummerow@chromium.org> Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Reviewed-by:
Ross McIlroy <rmcilroy@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#43285}
-
- 02 Feb, 2017 1 commit
-
-
mstarzinger authored
The operator in question does not call arbitrary JavaSciprt, nor throw, nor trigger a lazy deoptimization. Nodes hence do not need a frame-state representing the "after" state of the operation. R=bmeurer@chromium.org Review-Url: https://codereview.chromium.org/2672763002 Cr-Commit-Position: refs/heads/master@{#42891}
-
- 01 Feb, 2017 2 commits
-
-
petermarshall authored
Review-Url: https://codereview.chromium.org/2666783007 Cr-Commit-Position: refs/heads/master@{#42847}
-
petermarshall authored
Review-Url: https://codereview.chromium.org/2662263002 Cr-Commit-Position: refs/heads/master@{#42836}
-
- 27 Jan, 2017 1 commit
-
-
yangguo authored
Previously, when restarting a frame, we would rewrite all frames between the debugger activation and the frame to restart to squash them, and replace the return address with that of a builtin to leave that rewritten frame, and restart the function by calling it. We now simply remember the frame to drop to, and upon returning from the debugger, we check whether to drop the frame, load the new FP, and restart the function. R=jgruber@chromium.org, mstarzinger@chromium.org BUG=v8:5587 Review-Url: https://codereview.chromium.org/2636913002 Cr-Commit-Position: refs/heads/master@{#42725}
-
- 26 Jan, 2017 1 commit
-
-
bmeurer authored
We turn a JSCallFunction node for f.apply(receiver, arguments) into a JSCallForwardVarargs node, when the arguments refers to the arguments of the outermost optimized code object, i.e. not an inlined arguments, and the apply method refers to Function.prototype.apply, and there's no other user of arguments except in frame states. We also replace the arguments node in the graph with a marker for the Deoptimizer similar to Crankshaft to make sure we don't materialize unused arguments just for the sake of deoptimization. We plan to replace this with a saner EscapeAnalysis based solution soon. R=jarin@chromium.org BUG=v8:5267,v8:5726 Review-Url: https://codereview.chromium.org/2655233002 Cr-Commit-Position: refs/heads/master@{#42680}
-
- 23 Jan, 2017 1 commit
-
-
petermarshall authored
Add the operator in preparation for actual perf work. The operator is replaced by the same runtime call as before, during lowering. BUG=v8:5511 Review-Url: https://codereview.chromium.org/2639233002 Cr-Commit-Position: refs/heads/master@{#42593}
-
- 19 Dec, 2016 1 commit
-
-
henrique.ferreiro authored
This is so that a NotSuperConstructor error is thrown before evaluating the arguments to the super constructor. Besides updating the runtime function, a new bytecode GetSuperConstructor is introduced. BUG=v8:5336 Review-Url: https://codereview.chromium.org/2504553003 Cr-Commit-Position: refs/heads/master@{#41788}
-
- 12 Dec, 2016 1 commit
-
-
petermarshall authored
Add the operator in preparation for actual perf work. The operator is replaced by the same runtime call as before, during lowering. The CallConstructWithSpreadParameters is a bit silly at the moment, but will hold more once we add feedback. BUG=v8:5659 Review-Url: https://codereview.chromium.org/2561103003 Cr-Commit-Position: refs/heads/master@{#41636}
-
- 18 Nov, 2016 2 commits
-
-
franzih authored
BUG=v8:5624 Review-Url: https://codereview.chromium.org/2518513002 Cr-Commit-Position: refs/heads/master@{#41119}
-
bmeurer authored
This is the TurboFan counterpart of http://crrev.com/2504263004, but it is a bit more involved, since in TurboFan we always inline the appropriate call to the @@hasInstance handler, and by that we can optimize a lot more patterns of instanceof than Crankshaft, and even yield fast instanceof for custom @@hasInstance handlers (which we can now properly inline as well). Also we now properly optimize Function.prototype[@@hasInstance], even if the right hand side of an instanceof doesn't have the Function.prototype as its direct prototype. For the baseline case, we still rely on the global protector cell, but we can address that in a follow-up as well, and make it more robust in general. TEST=mjsunit/compiler/instanceof BUG=v8:5640 R=yangguo@chromium.org Review-Url: https://codereview.chromium.org/2511223003 Cr-Commit-Position: refs/heads/master@{#41092}
-
- 03 Aug, 2016 2 commits
-
-
mstarzinger authored
This completely removes the ability from nodes to point directly to the frame state representing their eager bailout point. All nodes now either have zero or one frame state inputs. These frame states can by now be found via checkpoints in the graph. R=bmeurer@chromium.org BUG=v8:5021 Review-Url: https://codereview.chromium.org/2020323004 Cr-Commit-Position: refs/heads/master@{#38282}
-
mstarzinger authored
This removes the frame state input representing the before-state from nodes having any int32 bitwise operator. Lowering that inserts number conversions of the inputs has to be disabled when deoptimization is enabled, because the frame state layout is no longer known. R=epertoso@chromium.org BUG=v8:5021,v8:4746 Review-Url: https://codereview.chromium.org/2194383004 Cr-Commit-Position: refs/heads/master@{#38280}
-
- 01 Aug, 2016 1 commit
-
-
mstarzinger authored
This removes the frame state input representing the before-state from nodes having any shift operator. Any lowering that woult insert number conversions of the inputs has already been disabled when deoptimization is enabled, because the frame state layout is no longer known. R=epertoso@chromium.org BUG=v8:5021 Review-Url: https://codereview.chromium.org/2190743003 Cr-Commit-Position: refs/heads/master@{#38194}
-
- 11 Jul, 2016 1 commit
-
-
mstarzinger authored
This removes the frame state input representing the before-state from nodes having any comparison operator. Lowering that inserts number conversions of the inputs has to be disabled when deoptimization is enabled, because the frame state layout is no longer known. R=jarin@chromium.org BUG=v8:5021 Review-Url: https://codereview.chromium.org/2134173002 Cr-Commit-Position: refs/heads/master@{#37646}
-
- 08 Jul, 2016 1 commit
-
-
mstarzinger authored
This removes the frame state input representing the before-state from nodes having the {JSDivide} or the {JSModulus} operator. Lowering that inserts number conversions of the inputs has to be disabled when deoptimization is enabled, because the frame state layout is no longer known. R=jarin@chromium.org BUG=v8:5021 Review-Url: https://codereview.chromium.org/2121153003 Cr-Commit-Position: refs/heads/master@{#37608}
-
- 05 Jul, 2016 2 commits
-
-
mstarzinger authored
This removes the frame state input representing the before-state from nodes having the {JSAdd} or the {JSSubtract} operator. Lowering that inserts number conversions of the inputs has to be disabled when deoptimization is enabled, because the frame state layout is no longer known. R=jarin@chromium.org BUG=v8:5021 Review-Url: https://codereview.chromium.org/2125593002 Cr-Commit-Position: refs/heads/master@{#37522}
-
mstarzinger authored
This removes the frame state input representing the before-state from nodes having the {JSMultiply} operator. Lowering that inserts number conversions of the inputs has to be disabled when deoptimization is enabled, because the frame state layout is no longer known. R=jarin@chromium.org BUG=v8:5021 Review-Url: https://codereview.chromium.org/2111193002 Cr-Commit-Position: refs/heads/master@{#37517}
-
- 03 Jun, 2016 3 commits
-
-
mstarzinger authored
This implements propagation of frame states from checkpoints to all deoptimization points inserted by the EffectControlLinearizer. It also allows us to remove the eager frame state input from all the checked conversion operations. R=jarin@chromium.org BUG=v8:5021 Review-Url: https://codereview.chromium.org/2033143002 Cr-Commit-Position: refs/heads/master@{#36710}
-
mstarzinger authored
These speculative binary operators are simplified operators and should not need a frame state themselves. These eager bailout points can by now be found via checkpoints in the graph, whereas frame states attached to nodes directly should always represent lazy bailout points. R=jarin@chromium.org BUG=v8:5021 Review-Url: https://codereview.chromium.org/2037673002 Cr-Commit-Position: refs/heads/master@{#36705}
-
mstarzinger authored
This removes the frame state input representing the before-state from nodes performing property accesses. These frame states can by now be found via checkpoints in the graph. R=jarin@chromium.org BUG=v8:5021 Review-Url: https://codereview.chromium.org/2034673002 Cr-Commit-Position: refs/heads/master@{#36699}
-
- 02 Jun, 2016 3 commits
-
-
mstarzinger authored
This removes the frame state input representing the before-state from nodes having the {JSCallRuntime} operator. These frame states can by now be found via checkpoints in the graph. It also makes the predicate for runtime function ids (i.e. {Linkage::NeedsFrameStateInput}) binary. R=jarin@chromium.org BUG=v8:5021 Review-Url: https://codereview.chromium.org/2018353004 Cr-Commit-Position: refs/heads/master@{#36679}
-
jarin authored
This introduces optimized number operations based on type feedback. Summary of changes: 1. Typed lowering produces SpeculativeNumberAdd/Subtract for JSAdd/Subtract if there is suitable feedback. The speculative nodes are connected to both the effect chain and the control chain and they retain the eager frame state. 2. Simplified lowering now executes in three phases: a. Propagation phase computes truncations by traversing the graph from uses to definitions until checkpoint is reached. It also records type-check decisions for later typing phase, and computes representation. b. The typing phase computes more precise types base on the speculative types (and recomputes representation for affected nodes). c. The lowering phase performs lowering and inserts representation changes and/or checks. 3. Effect-control linearization lowers the checks to machine graphs. Notes: - SimplifiedLowering will be refactored to have handling of each operation one place and with clearer input/output protocol for each sub-phase. I would prefer to do this once we have more operations implemented, and the pattern is clearer. - The check operations (Checked<A>To<B>) should have some flags that would affect the kind of truncations that they can handle. E.g., if we know that a node produces a number, we can omit the oddball check in the CheckedTaggedToFloat64 lowering. - In future, we want the typer to reuse the logic from OperationTyper. BUG=v8:4583 LOG=n Review-Url: https://codereview.chromium.org/1921563002 Cr-Commit-Position: refs/heads/master@{#36674}
-
mstarzinger authored
This removes the frame state input representing the before-state from nodes having the {JSCallFunction} or {JSCallConstruct} operator. These frame states can by now be found via checkpoints in the graph. R=bmeurer@chromium.org BUG=v8:5021 Review-Url: https://codereview.chromium.org/2025573003 Cr-Commit-Position: refs/heads/master@{#36669}
-
- 01 Jun, 2016 1 commit
-
-
mstarzinger authored
This is a first step towards explicit checkpoints in the graph. For now we still use the explicit eager bailout points in the AstGraphBuilder that are marked by the FrameStateBeforeAndAfter helper. Eventually these will be implicitly emitted by expression visits having a side-effect. R=bmeurer@chromium.org BUG=v8:5021 Review-Url: https://codereview.chromium.org/2018403002 Cr-Commit-Position: refs/heads/master@{#36638}
-
- 01 Apr, 2016 1 commit
-
-
bmeurer authored
These operators will be easier to optimize, and we can remove some unnecessary clutter from the intrinsic lowering. Drive-by-cleanup: Some alpha sorting of the type conversion operator business. R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/1848243002 Cr-Commit-Position: refs/heads/master@{#35197}
-
- 11 Feb, 2016 1 commit
-
-
bmeurer authored
Add dedicated %LoadLookupSlot, %LoadLookupSlotInsideTypeof, %LoadLookupSlotForCall, %StoreLookupSlot_Sloppy and %StoreLookupSlot_Strict runtime entry points and use them appropriately in the various compilers. This way we can finally drop the machine operators from the JS graph level completely in TurboFan. Also drop the funky JSLoadDynamic operator from TurboFan, which was by now just a small wrapper around the runtime call to %LoadLookupSlot. R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/1683103002 Cr-Commit-Position: refs/heads/master@{#33880}
-
- 09 Dec, 2015 1 commit
-
-
bmeurer authored
Creating a with context cannot lazy/eager deoptimize, so we don't need to pass a frame state. R=jarin@chromium.org Review URL: https://codereview.chromium.org/1508373002 Cr-Commit-Position: refs/heads/master@{#32711}
-
- 25 Nov, 2015 3 commits
-
-
machenbach authored
Reland of [turbofan] Introduce proper JSCreateLiteralRegExp operator. (patchset #1 id:1 of https://codereview.chromium.org/1472423002/ ) Reason for revert: [Sheriff] Wrong revert. Original issue's description: > Revert of [turbofan] Introduce proper JSCreateLiteralRegExp operator. (patchset #2 id:20001 of https://codereview.chromium.org/1475973002/ ) > > Reason for revert: > Broke "V8 Linux64 GC Stress - custom snapshot". > > http://build.chromium.org/p/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/2824 > > Original issue's description: > > [turbofan] Introduce proper JSCreateLiteralRegExp operator. > > > > This adds a new JavaScript level operator for regexp literal creation, > > similar to what we already have for array and object literals. This > > once gets lowered to a call to the FastCloneRegExpStub always. > > > > R=mstarzinger@chromium.org > > > > Committed: https://crrev.com/8659c5d1d287177369ce179a8d0b910192d840d9 > > Cr-Commit-Position: refs/heads/master@{#32288} > > TBR=mstarzinger@chromium.org,bmeurer@chromium.org > NOPRESUBMIT=true > NOTREECHECKS=true > NOTRY=true > > Committed: https://crrev.com/168683d270d44f05f28acaf7d34c32d0250d2a4c > Cr-Commit-Position: refs/heads/master@{#32292} TBR=mstarzinger@chromium.org,bmeurer@chromium.org,ishell@chromium.org NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true Review URL: https://codereview.chromium.org/1478823002 Cr-Commit-Position: refs/heads/master@{#32293}
-
ishell authored
Revert of [turbofan] Introduce proper JSCreateLiteralRegExp operator. (patchset #2 id:20001 of https://codereview.chromium.org/1475973002/ ) Reason for revert: Broke "V8 Linux64 GC Stress - custom snapshot". http://build.chromium.org/p/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/2824 Original issue's description: > [turbofan] Introduce proper JSCreateLiteralRegExp operator. > > This adds a new JavaScript level operator for regexp literal creation, > similar to what we already have for array and object literals. This > once gets lowered to a call to the FastCloneRegExpStub always. > > R=mstarzinger@chromium.org > > Committed: https://crrev.com/8659c5d1d287177369ce179a8d0b910192d840d9 > Cr-Commit-Position: refs/heads/master@{#32288} TBR=mstarzinger@chromium.org,bmeurer@chromium.org NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true Review URL: https://codereview.chromium.org/1472423002 Cr-Commit-Position: refs/heads/master@{#32292}
-
bmeurer authored
This adds a new JavaScript level operator for regexp literal creation, similar to what we already have for array and object literals. This once gets lowered to a call to the FastCloneRegExpStub always. R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/1475973002 Cr-Commit-Position: refs/heads/master@{#32288}
-