Skip to content

V
V8
Switch branch/tag
  1. 12 Jul, 2019 1 commit
  3. 08 Jul, 2019 1 commit
  5. 05 Jul, 2019 1 commit
  7. 04 Jul, 2019 2 commits
  9. 27 Jun, 2019 1 commit
  11. 26 Jun, 2019 1 commit
  13. 24 Jun, 2019 1 commit
    • Mathias Bynens's avatar
      [objects] Rename JSValue to JSPrimitiveWrapper · e428dfd7
      Mathias Bynens authored 
      We currently use the class name “JSValue” for JSObjects that wrap
primitive values. This name is a common source of confusion. This patch
switches to a name that’s more clear.

In addition to manual tweaks, the patch applies the following mechanical
global replacements:

before                          | after
--------------------------------|--------------------------------------
if_valueisnotvalue              | if_valueisnotwrapper
if_valueisvalue                 | if_valueiswrapper
js_value                        | js_primitive_wrapper
JS_VALUE_TYPE                   | JS_PRIMITIVE_WRAPPER_TYPE
JSPrimitiveWrapperType          | JSPrimitiveWrapper type
jsvalue                         | js_primitive_wrapper
JSValue                         | JSPrimitiveWrapper
_GENERATED_JSVALUE_FIELDS       | _GENERATED_JSPRIMITIVE_WRAPPER_FIELDS

Change-Id: I9d9edea784eab6067b013e1f781e4db2070f807c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1672942Reviewed-by: 's avatarTamer Tas <tmrts@chromium.org>
Reviewed-by: 's avatarMichael Stanton <mvstanton@chromium.org>
Reviewed-by: 's avatarJakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62337}
      e428dfd7
  15. 21 Jun, 2019 1 commit
    • Stephen Kyle's avatar
      [ptr-compr][ic] Compress references in StubCache · a1ba0a85
      Stephen Kyle authored 
      The stub cache doubles in size when switching to 64-bit. The references
stored in it are not currently compressed even with ptr-compr enabled.

This patch compresses those references so the table is the same size on
32- and 64-bit architectures, which is beneficial on benchmarks which
utilise the stub cache heavily.

Reducing the stub cache size has lead to an improvement of 0.7% in
runs/minute being observed on Speedometer on a Pixel device, and 0.4% on
a Pixel3 device.

Also add constructors to [Strong]TaggedValue to support compression.

Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Change-Id: I3b643d674356deaa129588189df7adfc91d15db4
Bug: v8:7703
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1635694
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
Reviewed-by: 's avatarSantiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62308}
      a1ba0a85
  17. 19 Jun, 2019 1 commit
  19. 18 Jun, 2019 1 commit
  21. 14 Jun, 2019 1 commit
  23. 13 Jun, 2019 4 commits
  25. 12 Jun, 2019 4 commits
    • Benedikt Meurer's avatar
      [es9] Fix object cloning wrt. MutableHeapNumbers. · 80f7c4a8
      Benedikt Meurer authored 
      Previously the object cloning fast-path had a single loop which would
initialize the object _and_ at the same time clone MutableHeapNumbers.
But since that can trigger GCs, the heap verifier was a bit sad to see
double fields holding undefined values. This was flushed out by the CL
https://chromium-review.googlesource.com/1655291, which changed the GC
timing slightly and thus made the test crash in the verifier.

So instead of the one loop, we now have a second loop that takes care
of cloning any MutableHeapNumbers. This has the advantage that the first
loop can always run without write barriers.

Bug: chromium:964748, chromium:973045, v8:7611, v8:9114, v8:9183, v8:9343
Change-Id: I724a1c1e534243ce9ecde95bf0c07ca26363b515
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655307
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62114}
      80f7c4a8
    • Leszek Swirski's avatar
      Revert "[ic] Fix typo in Runtime_CloneObjectIC_Miss." · 510f4f2c
      Leszek Swirski authored 
      This reverts commit 823795fc.

Reason for revert: Breaks mjsunit/es9/regress/regress-904167 on bots (https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20debug/26342)

Original change's description:
> [ic] Fix typo in Runtime_CloneObjectIC_Miss.
> 
> https://chromium-review.googlesource.com/1649554 introduced a typo into
> Runtime_CloneObjectIC_Miss, where it wouldn't update the IC state UNLESS
> the source map is deprecated, which is the wrong way around of course.
> 
> Bug: chromium:973045, v8:7611, v8:9114, v8:9183, v8:9343
> Change-Id: I7d6e0709e66ce4aaaf4a628d64ab801b84c8993c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655291
> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62106}

TBR=bmeurer@chromium.org,verwaest@chromium.org

Change-Id: Ie651523c556b220e57ec5e11e37b0a67936bb291
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:973045, v8:7611, v8:9114, v8:9183, v8:9343
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655299Reviewed-by: 's avatarLeszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62110}
      510f4f2c
    • Benedikt Meurer's avatar
      [counters] Introduce proper bottleneck for FunctionCallback. · ea420655
      Benedikt Meurer authored 
      API calls made via the CallApiCallback builtin, which is used from the
ICs and optimized code, are currently misattributed to the wrong counter
InvokeFunctionCallback instead of FunctionCallback. In addition we don't
use the C trampoline when only runtime call stats are enabled, but the
Chrome DevTools profiler is not active, which means that these calls
will not be attrituted properly at all, and that had to be worked around
using all kinds of tricks (i.e. disabling fast-paths in ICs when RCS is
active and not inlining calls/property accesses into optimized code
depending on the state of RCS).

All of this was really brittle and only due to the fact that the central
builtin didn't properly check for RCS (in addition to checking for the
CDT profiler). With this fix it's now handled in a central place and
attributed to the correct category, so user code doesn't need to worry
about RCS anymore and can just call straight into the fast-path.

Drive-by-fix: Do the same for AccessorInfo getter calls, which share the
core hand-written native code with the API callback logic.

Bug: v8:9183
Change-Id: Id0cd99d3dd676635fe3272b67cd76a19a9a9cea4
Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1651470
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62109}
      ea420655
    • Benedikt Meurer's avatar
      [ic] Fix typo in Runtime_CloneObjectIC_Miss. · 823795fc
      Benedikt Meurer authored 
      https://chromium-review.googlesource.com/1649554 introduced a typo into
Runtime_CloneObjectIC_Miss, where it wouldn't update the IC state UNLESS
the source map is deprecated, which is the wrong way around of course.

Bug: chromium:973045, v8:7611, v8:9114, v8:9183, v8:9343
Change-Id: I7d6e0709e66ce4aaaf4a628d64ab801b84c8993c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655291
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62106}
      823795fc
  27. 11 Jun, 2019 3 commits
  29. 08 Jun, 2019 2 commits
    • Benedikt Meurer's avatar
      [cleanup] Remove obsolete comment. · 848379c3
      Benedikt Meurer authored 
      The introduction of the FeedbackVector solved the problem of
inconsistent feedback between ICs in unoptimized and optimized
code.

Bug: v8:2029, v8:9183
Tbr: jkummerow@chromium.org
Change-Id: Id61033c1661e5a2efb740988552de76f7f148d0d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1649566Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62065}
      848379c3
    • Benedikt Meurer's avatar
      [interpreter] Do ToObject implicitly as part of CloneObject. · 92c6af8a
      Benedikt Meurer authored 
      The CloneObject bytecode was only able to handle objects, null and
undefined, and explicit bytecode had to be generated to perform the
ToObject outside the bytecode (unlike the other IC bytecodes that
just perform the ToObject implicitly). That means the simplest possible
object cloning would also generate a sequence of 5 bytecodes (at least):

```
   Mov <register>, a0
   JumpIfNull @1
   JumpIfUndefined @1
   ToObject <register>
1: CloneObject <register>
```

That is quite wasteful and unnecessary, since the core logic in the
runtime already does the ToObject properly anyways. This change
refactors the CloneObjectIC slightly to behave more like the other ICs
and do the ToObject implicitly when necessary.

Bug: v8:7611, v8:9114, v8:9183, v8:9343
Change-Id: I11973e90bf875f154a5a7739287bee17041e4a7a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1649554Reviewed-by: 's avatarMythri Alle <mythria@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62064}
      92c6af8a
  31. 07 Jun, 2019 1 commit
  33. 03 Jun, 2019 1 commit
  35. 31 May, 2019 2 commits
    • Benedikt Meurer's avatar
      [feedback-vector] Don't go MEGAMORPHIC due to dying handlers. · 40c68926
      Benedikt Meurer authored 
      This fixes a problem where ICs for transitioning stores go MEGAMORPHIC
if the transition target map dies in between invocations of the IC,
which is totally possible, since we only hold on weakly to these
transition targets (both from the FeedbackVectors and also from the
TransitonArrays).

The root problem here was an inconsistency in how the maps and handlers
are being reported by the FeedbackVector. On the on hand side the method
FeedbackVector::ExtractMaps() will report all receiver maps that are
still present (i.e. which haven't died themselves), but then the other
method FeedbackVector::FindHandlers() will only report handlers that are
still alive (i.e. which in case of transition target maps being used as
handlers haven't died yet). If the length of these lists don't match the
IC chickens out and goes MEGAMORPHIC. But this is exactly the case with
the transitioning stores, where there's no handler anymore, i.e. as can
be seen in this simple example:

```
// Flags: --expose-gc
function C() { this.x = 1; }
new C();
new C();
gc();     // map with the `C.x` property dies
new C();  // now the STORE_IC in C goes MEGAMORPHIC
```

So the problem is that we have these two methods that don't agree with
each other. Now FeedbackVector::ExtractMaps() is also used by TurboFan
and it even reports receiver maps for PREMONOMORPHIC state, which is
different from the use case that the ICs need. So I replaced the
FeedbackVector::FindHandlers() with a completely new method
FeedbackVector::ExtractMapsAndHandlers(), which returns both the maps
and handlers, exactly as the ICs need it. And only returns pairs for
which both the receiver map and the handler are still alive.

This fixes the odd problem that sometimes STORE_ICs going MEGAMORPHIC
for no apparent reason. Due to the weakness of the transition target
maps, they can still die and cause deoptimizations, but at least
TurboFan will now be able to reoptimize again later with the new maps
and still generate proper code.

Bug: v8:9316
Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
Change-Id: I74c8b60f792f310dc813f997e69efe9ad434296a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1637878
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: 's avatarMichael Stanton <mvstanton@chromium.org>
Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61948}
      40c68926
    • Benedikt Meurer's avatar
      [map] Remove Map::has_hidden_prototype(). · 2f379994
      Benedikt Meurer authored 
      The `FunctionTemplate::SetHiddenPrototype()` API was removed in a
previous CL, after being deprecated since beginning of the year. This
removes all the logic behind it, leaving us with just the special case
of the JSGlobalProxy which has the JSGlobalObject as its hidden prototype.

This gives us back one bit in `Map::bit_field2` and removes quite a bit
of complexity from the code base (especially due to previous work from
verwaest@ in this area).

Bug: v8:9267
Change-Id: Id04b59686212fe35a63c9451aa3e045f0766b9cc
Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1619752
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
Reviewed-by: 's avatarYang Guo <yangguo@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61938}
      2f379994
  37. 28 May, 2019 1 commit
  39. 27 May, 2019 4 commits
    • Benedikt Meurer's avatar
      Reland "[typedarray] Move external/data pointer to JSTypedArray." · 70bd7cf0
      Benedikt Meurer authored 
      This is a reland of 4b86fea5 with
copy&paste typo in CodeStubAssembler::AllocateByteArray() fixed
(bug led to holes in new space, which was crashing reproducibly
on the ia32 bot).

Original change's description:
> [typedarray] Move external/data pointer to JSTypedArray.
>
> As the next step in supporting huge typed arrays in V8, this moves the
> external/data pointer from the FixedTypedArrayBase backing store to the
> JSTypedArray instance itself, and replaces the special backing stores
> with a plain ByteArray (removing all the code for the FixedTypedArrayBase
> class hierarchy). By doing so, we can drastically simplify the system
> around typed arrays.
>
> Note: Several places in the code base used to check the instance type
> of the elements backing store of a JSTypedArray instead of checking the
> elements kind on the JSTypedArray map directly. Those had to be fixed,
> since the backing store is now always a ByteArray.
>
> Drive-by-fix: Move all the typed elements access related code into the
> elements.cc file to properly encapsulate the accesses.
>
> Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
> Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
> Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646
> Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61855}

Tbr: petermarshall@chromium.org
Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
Change-Id: I87fcdb28532c5f08cc227332a4d59546cb423810
Cq-Include-Trybots: luci.chromium.try:linux-rel, win7-rel
Cq-Include-Trybots: luci.v8.try:v8_linux_shared_compile_rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631592Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61864}
      70bd7cf0
    • Clemens Hammacher's avatar
      Revert "[typedarray] Move external/data pointer to JSTypedArray." · e4db146a
      Clemens Hammacher authored 
      This reverts commit 4b86fea5.

Reason for revert: Fails on linux shared: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20shared/31045

Original change's description:
> [typedarray] Move external/data pointer to JSTypedArray.
> 
> As the next step in supporting huge typed arrays in V8, this moves the
> external/data pointer from the FixedTypedArrayBase backing store to the
> JSTypedArray instance itself, and replaces the special backing stores
> with a plain ByteArray (removing all the code for the FixedTypedArrayBase
> class hierarchy). By doing so, we can drastically simplify the system
> around typed arrays.
> 
> Note: Several places in the code base used to check the instance type
> of the elements backing store of a JSTypedArray instead of checking the
> elements kind on the JSTypedArray map directly. Those had to be fixed,
> since the backing store is now always a ByteArray.
> 
> Drive-by-fix: Move all the typed elements access related code into the
> elements.cc file to properly encapsulate the accesses.
> 
> Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
> Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
> Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646
> Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61855}

TBR=ulan@chromium.org,yangguo@chromium.org,titzer@chromium.org,sigurds@chromium.org,petermarshall@chromium.org,bmeurer@chromium.org,szuend@chromium.org

Change-Id: I0bc1f935de6063acf75a0f4bb8c0ba67428603fd
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
Cq-Include-Trybots: luci.chromium.try:linux-rel, win7-rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631427Reviewed-by: 's avatarClemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61856}
      e4db146a
    • Benedikt Meurer's avatar
      [typedarray] Move external/data pointer to JSTypedArray. · 4b86fea5
      Benedikt Meurer authored 
      As the next step in supporting huge typed arrays in V8, this moves the
external/data pointer from the FixedTypedArrayBase backing store to the
JSTypedArray instance itself, and replaces the special backing stores
with a plain ByteArray (removing all the code for the FixedTypedArrayBase
class hierarchy). By doing so, we can drastically simplify the system
around typed arrays.

Note: Several places in the code base used to check the instance type
of the elements backing store of a JSTypedArray instead of checking the
elements kind on the JSTypedArray map directly. Those had to be fixed,
since the backing store is now always a ByteArray.

Drive-by-fix: Move all the typed elements access related code into the
elements.cc file to properly encapsulate the accesses.

Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646
Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: 's avatarPeter Marshall <petermarshall@chromium.org>
Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
Reviewed-by: 's avatarSimon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61855}
      4b86fea5
    • Joyee Cheung's avatar
      Fix compilation of V8_TRACE_FEEDBACK_UPDATES V8_TRACE_IGNITION · 0ec82d51
      Joyee Cheung authored 
      The `->` operator should be changed to `.` after
https://chromium-review.googlesource.com/c/v8/v8/+/1624209

Change-Id: Ie16adaa17bfc7caaa589ed3881a8716e98ea36b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1628793Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/master@{#61848}
      0ec82d51
  41. 24 May, 2019 1 commit
  43. 23 May, 2019 4 commits
  45. 22 May, 2019 1 commit
    • Mythri A's avatar
      [ic] In KeyedStoreIC use the new receiver map instead of computing transitions · 6cb093cd
      Mythri A authored 
      KeyedStoreIC computes the expected transition to the map based on the
incoming receiver map, the index and the value that is being stored.
Since we already store the element into the object, the runtime would
have already computed these transitions and it is possible to use the
new map of the object instead of recomputing the map. Though we would
need additional checks to see the newly transitioned map is indeed
a more generic elements transition and not an unexpected transition.

Bug: v8:8394
Change-Id: If6819895e5d20dd76bb062c6064593bf3a920778
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1621937
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61743}
      6cb093cd