- 17 Jun, 2019 1 commit
-
-
Igor Sheludko authored
Bug: v8:9353 Change-Id: Ie090f8f89eb4372845fe2c9d6aa74154c36f2d53 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1662291 Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#62221}
-
- 11 Jun, 2019 1 commit
-
-
Igor Sheludko authored
Tbr: ulan@chromium.org Bug: v8:9353 Change-Id: I99533e21fd186f6d0191f4f500d1a3055a0f92c1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1648260 Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#62082}
-
- 29 May, 2019 1 commit
-
-
Z Duong Nguyen-Huu authored
Bug: chromium:966460 Change-Id: I418eab656510fe3f799f552e75be10140d25bcab Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1625864Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> Cr-Commit-Position: refs/heads/master@{#61922}
-
- 28 May, 2019 1 commit
-
-
Benedikt Meurer authored
This removes a special case from JSObject::WriteToField() where we didn't store anything in case of initializing a double field with the uninitialized sentinel. Instead we now store the hole NaN pattern there, as in other places. This makes it possible to do stricter checking in the TurboFan frontend when it comes to detecting bit patterns. Drive-by-fix: Refactor the related code in MigrateFastToFast() to make it easier to follow the control flow. Bug: v8:9299 Change-Id: Ic35d05c69fbbb136d422d29ce6abf2b09ebe22a6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631606Reviewed-by: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#61879}
-
- 27 May, 2019 3 commits
-
-
Benedikt Meurer authored
This is a reland of 4b86fea5 with copy&paste typo in CodeStubAssembler::AllocateByteArray() fixed (bug led to holes in new space, which was crashing reproducibly on the ia32 bot). Original change's description: > [typedarray] Move external/data pointer to JSTypedArray. > > As the next step in supporting huge typed arrays in V8, this moves the > external/data pointer from the FixedTypedArrayBase backing store to the > JSTypedArray instance itself, and replaces the special backing stores > with a plain ByteArray (removing all the code for the FixedTypedArrayBase > class hierarchy). By doing so, we can drastically simplify the system > around typed arrays. > > Note: Several places in the code base used to check the instance type > of the elements backing store of a JSTypedArray instead of checking the > elements kind on the JSTypedArray map directly. Those had to be fixed, > since the backing store is now always a ByteArray. > > Drive-by-fix: Move all the typed elements access related code into the > elements.cc file to properly encapsulate the accesses. > > Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow > Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183 > Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646 > Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535 > Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> > Reviewed-by: Peter Marshall <petermarshall@chromium.org> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > Reviewed-by: Simon Zünd <szuend@chromium.org> > Cr-Commit-Position: refs/heads/master@{#61855} Tbr: petermarshall@chromium.org Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183 Change-Id: I87fcdb28532c5f08cc227332a4d59546cb423810 Cq-Include-Trybots: luci.chromium.try:linux-rel, win7-rel Cq-Include-Trybots: luci.v8.try:v8_linux_shared_compile_rel Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631592Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#61864}
-
Clemens Hammacher authored
This reverts commit 4b86fea5. Reason for revert: Fails on linux shared: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20shared/31045 Original change's description: > [typedarray] Move external/data pointer to JSTypedArray. > > As the next step in supporting huge typed arrays in V8, this moves the > external/data pointer from the FixedTypedArrayBase backing store to the > JSTypedArray instance itself, and replaces the special backing stores > with a plain ByteArray (removing all the code for the FixedTypedArrayBase > class hierarchy). By doing so, we can drastically simplify the system > around typed arrays. > > Note: Several places in the code base used to check the instance type > of the elements backing store of a JSTypedArray instead of checking the > elements kind on the JSTypedArray map directly. Those had to be fixed, > since the backing store is now always a ByteArray. > > Drive-by-fix: Move all the typed elements access related code into the > elements.cc file to properly encapsulate the accesses. > > Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow > Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183 > Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646 > Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535 > Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> > Reviewed-by: Peter Marshall <petermarshall@chromium.org> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > Reviewed-by: Simon Zünd <szuend@chromium.org> > Cr-Commit-Position: refs/heads/master@{#61855} TBR=ulan@chromium.org,yangguo@chromium.org,titzer@chromium.org,sigurds@chromium.org,petermarshall@chromium.org,bmeurer@chromium.org,szuend@chromium.org Change-Id: I0bc1f935de6063acf75a0f4bb8c0ba67428603fd No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183 Cq-Include-Trybots: luci.chromium.try:linux-rel, win7-rel Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631427Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#61856}
-
Benedikt Meurer authored
As the next step in supporting huge typed arrays in V8, this moves the external/data pointer from the FixedTypedArrayBase backing store to the JSTypedArray instance itself, and replaces the special backing stores with a plain ByteArray (removing all the code for the FixedTypedArrayBase class hierarchy). By doing so, we can drastically simplify the system around typed arrays. Note: Several places in the code base used to check the instance type of the elements backing store of a JSTypedArray instead of checking the elements kind on the JSTypedArray map directly. Those had to be fixed, since the backing store is now always a ByteArray. Drive-by-fix: Move all the typed elements access related code into the elements.cc file to properly encapsulate the accesses. Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183 Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646 Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Simon Zünd <szuend@chromium.org> Cr-Commit-Position: refs/heads/master@{#61855}
-
- 23 May, 2019 3 commits
-
-
Benedikt Meurer authored
There's a `Map::IsDictionaryMap()` method in addition to the `Map::is_dictionary_map()`, which apparently do very different things: The former checks whether the instance type of the Map is in a certain range (FIRST_DICTIONARY_TYPE to LAST_DICTIONARY_TYPE), while the latter checks the `is_dictionary_map` bit (which means that the backing store for the properties of a JSObject is in slow mode). To make matters worse there's also `CodeStubAssembler::IsDictionaryMap()`, which does the bit check similar to `Map::is_dictionary_map()`. And to make matters even worse the FIRST_DICTIONARY_TYPE to LAST_DICTIONARY_TYPE range also contains instance types for classes that aren't subclass of `Dictionary` (despite a comment stating the opposite). So in conclusion it's best to remove the confusing `Map::IsDictionaryMap()` method, which is anyways wrong, and just test explicitly for `NameDictionary`, `NumberDictionary` or `GlobalDictionary` in the appropriate places. Bug: v8:9183 Change-Id: If35f73261e3cc96938ebf499bf32be3ec725288b Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627330 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#61770}
-
Yang Guo authored
TBR=bmeurer@chromium.org,leszeks@chromium.org Bug: v8:9247 Change-Id: I8d14d0192ea8c705f8274e8e61a162531826edb6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1624220Reviewed-by: Yang Guo <yangguo@chromium.org> Reviewed-by: Hannes Payer <hpayer@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#61769}
-
Clemens Hammacher authored
This CL was generated by an automatic clang AST rewriter using this matcher expression: callExpr( callee( cxxMethodDecl( hasName("operator->"), ofClass(isSameOrDerivedFrom("v8::internal::Object")) ) ), argumentCountIs(1) ) The "->" at the expression location was then rewritten to ".". R=jkummerow@chromium.org TBR=mstarzinger@chromium.org,verwaest@chromium.org,yangguo@chromium.org Bug: v8:9183, v8:3770 No-Try: true No-Tree-Checks: true Change-Id: I0a7ecabdeafe51d0cf427f5280af0c7cab96869e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1624209Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Yang Guo <yangguo@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#61764}
-
- 21 May, 2019 2 commits
-
-
Toon Verwaest authored
Change-Id: Ifd8734aa682e238de54284c74209d236c7ac824f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1622110Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#61699}
-
Sigurd Schneider authored
Change-Id: I377e96fca2dff89a986b43f092ef7684d164cd9d Bug: v8:9264 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617679 Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#61695}
-
- 20 May, 2019 1 commit
-
-
Yang Guo authored
Code that is being moved primarily deal with layout of a JSObject, accessing properties and elements, and map transitions. NOTREECHECKS=true NOTRY=true Bug: v8:9247 Change-Id: Ibce5d5926ac4021c8d40c4dd109948775ce1da58 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1613994 Commit-Queue: Yang Guo <yangguo@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#61638}
-
- 15 May, 2019 2 commits
-
-
Toon Verwaest authored
Additionally pass WriteBarrierMode while building the object Change-Id: Ibc8ad592f822ee3b046406013cc36ae64f6b099b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1613251Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#61547}
-
Toon Verwaest authored
This avoids the need to throw range errors when we run out of stack, limiting us only by available memory. The main parser loop is implemented by two subloops. The first subloop finishes whenever it generates primitive values, empty arrays, or empty objects. If a non-empty object or array is started, the loop continues to parse its first member. The second subloop consumes produced values and either adds them to the parent array or object, or returns it. The second loop finishes whenever a next value needs to be produced. When the loop itself produces a finished array or object, the loop continues. Exceptions are handled by moving the cursor to end-of-input. Upon end-of-input, the first loop sets the continuation to "kFail". That causes the second loop to tear down continuation stack and related handle scopes, resulting in an empty handle. The CL additionally buffers all named properties and elements so we can immediately allocate a correctly shaped object. For object elements we'll take flat array or dictionary encoding depending on what is more efficient. This means that element handles are now allocated in their parent HandleScope, rather than having local handlescopes per-property (of big objects); which is why I've adjusted the handle-count test to not allocate as many properties. In the future it would be nice to not have to allocate (as many) handles since almost everything in the JSON graph will survive JSON parsing... Bug: chromium:710383 Change-Id: Ia3a7fd0ac260fb1c0e5f929276792b2f8e5fc0ca Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1609802Reviewed-by: Hannes Payer <hpayer@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#61533}
-
- 10 May, 2019 1 commit
-
-
Dan Elphick authored
This is a reland of f2e65226 Nothing has changed but https://chromium-review.googlesource.com/c/v8/v8/+/1585269 has been rolled back due to v8:9234. Original change's description: > Reland "[compiler] Don't collect source positions for the top frame" > > Fixed crashes by adding missing call to EnsureSourcePositionsAvailable, > which requires clearing and restoring the pending exception. > > > While most source positions were not collected even throwing exceptions, > > the top frame still was always collected as it was used to initialize > > the JSMessageObject. This skips even that frame, by storing the > > SharedFunctionInfo and bytecode offset in the JSMessageObject allowing > > it to lazily evaluate the actual source position. > > > > Also adds tests to test-api.cc that test each of the source position > > functions in isolation to ensure that they don't rely on previous > > invocations to call the source collection function. > > > > Since no source positions are now collected at the point when an > > exception is thrown, the mjsunit/stack-traces-overflow now passes again > > with the flag enabled. (cctest/test-cpu-profiler/Inlining2 is now the > > only failure). > > Bug: v8:8510 > Change-Id: Ifa5fe31d3db34a6c6d6a9cef3d646ad620dabd81 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1601270 > Commit-Queue: Dan Elphick <delphick@chromium.org> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> > Cr-Commit-Position: refs/heads/master@{#61372} TBR=ulan@chromium.org Bug: v8:8510 Change-Id: Iaa9e376f90d10c0f25d1bcc352808363e4ea8b4d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1605946Reviewed-by: Dan Elphick <delphick@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Commit-Queue: Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/master@{#61418}
-
- 09 May, 2019 2 commits
-
-
Maya Lekova authored
This reverts commit f2e65226. Reason for revert: Speculative revert, seems to break GC stress bot and block LKGR - https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/25701 Original change's description: > Reland "[compiler] Don't collect source positions for the top frame" > > Fixed crashes by adding missing call to EnsureSourcePositionsAvailable, > which requires clearing and restoring the pending exception. > > > While most source positions were not collected even throwing exceptions, > > the top frame still was always collected as it was used to initialize > > the JSMessageObject. This skips even that frame, by storing the > > SharedFunctionInfo and bytecode offset in the JSMessageObject allowing > > it to lazily evaluate the actual source position. > > > > Also adds tests to test-api.cc that test each of the source position > > functions in isolation to ensure that they don't rely on previous > > invocations to call the source collection function. > > > > Since no source positions are now collected at the point when an > > exception is thrown, the mjsunit/stack-traces-overflow now passes again > > with the flag enabled. (cctest/test-cpu-profiler/Inlining2 is now the > > only failure). > > Bug: v8:8510 > Change-Id: Ifa5fe31d3db34a6c6d6a9cef3d646ad620dabd81 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1601270 > Commit-Queue: Dan Elphick <delphick@chromium.org> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> > Cr-Commit-Position: refs/heads/master@{#61372} TBR=ulan@chromium.org,rmcilroy@chromium.org,delphick@chromium.org Change-Id: Ie590df6c308b38836afc5d417d03d2a63260bcb2 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:8510 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1602692Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Maya Lekova <mslekova@chromium.org> Cr-Commit-Position: refs/heads/master@{#61381}
-
Dan Elphick authored
Fixed crashes by adding missing call to EnsureSourcePositionsAvailable, which requires clearing and restoring the pending exception. > While most source positions were not collected even throwing exceptions, > the top frame still was always collected as it was used to initialize > the JSMessageObject. This skips even that frame, by storing the > SharedFunctionInfo and bytecode offset in the JSMessageObject allowing > it to lazily evaluate the actual source position. > > Also adds tests to test-api.cc that test each of the source position > functions in isolation to ensure that they don't rely on previous > invocations to call the source collection function. > > Since no source positions are now collected at the point when an > exception is thrown, the mjsunit/stack-traces-overflow now passes again > with the flag enabled. (cctest/test-cpu-profiler/Inlining2 is now the > only failure). Bug: v8:8510 Change-Id: Ifa5fe31d3db34a6c6d6a9cef3d646ad620dabd81 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1601270 Commit-Queue: Dan Elphick <delphick@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#61372}
-
- 08 May, 2019 1 commit
-
-
Mythri A authored
Bug: v8:8394, v8:8395 Change-Id: I1cbb87b67bef4d469abde99070b7870e2b8d0c90 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1601149 Commit-Queue: Mythri Alle <mythria@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#61340}
-
- 07 May, 2019 3 commits
-
-
Z Duong Nguyen-Huu authored
This is the follow-up for frozen, sealed packed elements kind. Design docs: bit.ly/fast-frozen-sealed-elements-in-v8 This change is only support the transition from holey elements to holey sealed elements (via object.seal) or to holey frozen elements (via object.freeze). Added tests for non-extensible, sealed, frozen holey elements in https://chromium-review.googlesource.com/c/v8/v8/+/1574503 and https://chromium-review.googlesource.com/c/v8/v8/+/1582481 Bug: v8:6831 Change-Id: Ia4373648f79f2ebebb390982a503145844a0c123 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1574777 Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#61307}
-
Dan Elphick authored
This reverts commit 758700a7. Reason for revert: Broken Original change's description: > [compiler] Don't collect source positions for the top frame > > While most source positions were not collected even throwing exceptions, > the top frame still was always collected as it was used to initialize > the JSMessageObject. This skips even that frame, by storing the > SharedFunctionInfo and bytecode offset in the JSMessageObject allowing > it to lazily evaluate the actual source position. > > Also adds tests to test-api.cc that test each of the source position > functions in isolation to ensure that they don't rely on previous > invocations to call the source collection function. > > Since no source positions are now collected at the point when an > exception is thrown, the mjsunit/stack-traces-overflow now passes again > with the flag enabled. (cctest/test-cpu-profiler/Inlining2 is now the > only failure). > > Bug: v8:8510 > Change-Id: Ic5382bdbab65cd8838f0c84b544fabb1a9109d13 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587385 > Commit-Queue: Dan Elphick <delphick@chromium.org> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> > Cr-Commit-Position: refs/heads/master@{#61271} TBR=ulan@chromium.org,rmcilroy@chromium.org,delphick@chromium.org Change-Id: I3ee0b5db5f8a1b3255f68070dc10d27d0e013048 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:8510 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1598758Reviewed-by: Dan Elphick <delphick@chromium.org> Commit-Queue: Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/master@{#61273}
-
Dan Elphick authored
While most source positions were not collected even throwing exceptions, the top frame still was always collected as it was used to initialize the JSMessageObject. This skips even that frame, by storing the SharedFunctionInfo and bytecode offset in the JSMessageObject allowing it to lazily evaluate the actual source position. Also adds tests to test-api.cc that test each of the source position functions in isolation to ensure that they don't rely on previous invocations to call the source collection function. Since no source positions are now collected at the point when an exception is thrown, the mjsunit/stack-traces-overflow now passes again with the flag enabled. (cctest/test-cpu-profiler/Inlining2 is now the only failure). Bug: v8:8510 Change-Id: Ic5382bdbab65cd8838f0c84b544fabb1a9109d13 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587385 Commit-Queue: Dan Elphick <delphick@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#61271}
-
- 16 Apr, 2019 1 commit
-
-
Z Duong Nguyen-Huu authored
Just update merge conflict. The reverted CL is https://chromium-review.googlesource.com/c/v8/v8/+/1565470. Treat packed sealed, frozen element as packed element. Also rename to IsPackedFrozenOrSealedElementsKind. Bug: chromium:951988 Change-Id: I4e7cc0a0d43e1e1c109fa08231dd5396901f9614 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566235 Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#60881}
-
- 12 Apr, 2019 2 commits
-
-
Sathya Gunasekaran authored
This reverts commit 68ba8574. Reason for revert: breaks windows builds https://ci.chromium.org/p/v8/builders/ci/V8%20Win32%20-%20builder/27839 Original change's description: > Fix array.concat with double for sealed, frozen object > > Treat packed sealed, frozen element as packed element. > Also rename to IsPackedFrozenOrSealedElementsKind. > > Bug: chromium:951988 > Change-Id: Ia636f0a14a229e4c44772627728927db1b877f27 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565470 > Reviewed-by: Toon Verwaest <verwaest@chromium.org> > Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> > Cr-Commit-Position: refs/heads/master@{#60831} TBR=jarin@chromium.org,ishell@chromium.org,verwaest@chromium.org,duongn@microsoft.com Change-Id: I84caf106dbdd2209aef0a994173e1c3982e9f7b1 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: chromium:951988 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565542Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#60832}
-
Z Duong Nguyen-Huu authored
Treat packed sealed, frozen element as packed element. Also rename to IsPackedFrozenOrSealedElementsKind. Bug: chromium:951988 Change-Id: Ia636f0a14a229e4c44772627728927db1b877f27 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565470Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> Cr-Commit-Position: refs/heads/master@{#60831}
-
- 11 Apr, 2019 1 commit
-
-
Toon Verwaest authored
Previously we'd need to eagerly compile upon access to function.length for a lazy function. The preparser already computes function.length, however, so we can store that information in the already available preparse data. Change-Id: I19007c9db5839e8038291fb4433866303935f089 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564190 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#60767}
-
- 09 Apr, 2019 1 commit
-
-
Z Duong Nguyen-Huu authored
Design docs: bit.ly/fast-frozen-sealed-elements-in-v8 This change is only support the transition from packed elements to packed sealed elements (via object.seal) or to packed frozen elements (via object.freeze). Added tests for non-extensible, sealed, frozen packed elements in https://chromium-review.googlesource.com/c/v8/v8/+/1474559 Added tests for non-extensible array in optimized code in https://chromium-review.googlesource.com/c/v8/v8/+/1531030 and https://chromium-review.googlesource.com/c/v8/v8/+/1544274 Using JSTests/ObjectFreeze micro-benchmarks for release build Before: TaggedTemplate-Numbers(Score): 0.967 TaggedTemplateLoose-Numbers(Score): 8.82 After: TaggedTemplate-Numbers(Score): 1.51 TaggedTemplateLoose-Numbers(Score): 8.89 Bug: v8:6831 Change-Id: Ib1089f1bc02eafb8d76ffe617f8fa3e406abd5a4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1474559Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> Cr-Commit-Position: refs/heads/master@{#60723}
-
- 01 Apr, 2019 2 commits
-
-
Mythri A authored
It is not safe to access flags from concurrent marking visitor. We access FLAG_flush_bytecode and FLAG_stress_flush_bytecode when visiting SharedFunctionInfo and JSFunction to decide if we need to collect bytecode. This cl adds a bytecode_flushing_mode which will be initialized when creating the visitor. This way we can avoid accessing flags. Bug: v8:9045 Change-Id: I84bf09ec2dd1543abad54bd87f8bf953830b89e7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1541108Reviewed-by: Hannes Payer <hpayer@chromium.org> Commit-Queue: Mythri Alle <mythria@chromium.org> Cr-Commit-Position: refs/heads/master@{#60553}
-
Georg Neis authored
... from Object to HeapObject, as they are never Smis. Change-Id: I4cbe12985091ed1b1e94dab2803a977ae3e25224 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1541104 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#60543}
-
- 25 Mar, 2019 2 commits
-
-
Mythri authored
Allocate feedback vectors lazily when the function's interrupt budget has reached a specified threshold. This cl introduces a new field in the ClosureFeedbackCellArray to track the interrupt budget for allocating feedback vectors. Using the interrupt budget on the bytecode array could cause problems when there are closures across native contexts and we may delay allocating feedback vectors in one of them causing unexpected performance cliffs. In the long term we may want to remove interrupt budget from bytecode array and use context specific budget for tiering up decisions as well. Bug: v8:8394 Change-Id: Ia8fbb71f5e8543a92f14c44aa762973da82d445c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1520719 Commit-Queue: Mythri Alle <mythria@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#60450}
-
Z Duong Nguyen-Huu authored
EmbedderDataArray, JSMessageObject, JSSet, JSMap, JSWeakSet, JSWeakMap Bug: v8:8952 Change-Id: I996d9e18006184b8ac7be7d362e8faf36e44aaef Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1534304Reviewed-by: Simon Zünd <szuend@chromium.org> Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> Cr-Commit-Position: refs/heads/master@{#60420}
-
- 12 Mar, 2019 1 commit
-
-
Mythri authored
We want to allocate feedback vectors lazily in lite mode. To do that, we should create closures with the correct feedback cell. This cl allocates feedback cell arrays to hold these feedback cells in lite mode. This cl also modifies the compile lazy to builtin to expect these arrays in the feedback cell. Drive-by fix: InterpreterEntryTrampoline no longer has argument count in a register. So updated comments and removed unnecessary push/pop of this register. Bug: v8:8394 Change-Id: I10d8ca67cebce61a284f0c80b200e1f0c24577a2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1511274Reviewed-by: Hannes Payer <hpayer@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Commit-Queue: Mythri Alle <mythria@chromium.org> Cr-Commit-Position: refs/heads/master@{#60189}
-
- 06 Mar, 2019 1 commit
-
-
Georg Neis authored
...mainly by giving a more precise type to global_proxy getters. Change-Id: If4aef6b25baa2c641a45b177c59690e3ebfc3985 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1505578 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#60072}
-
- 04 Mar, 2019 1 commit
-
-
Igor Sheludko authored
This CL also gives up trying to maintain double and system word fields at aligned addresses because currently it's not always maintained (v8:8875) and Torque object definitions do not support padding fields (v8:8863). Given that both platforms where pointer compression is going to be enabled (x64 and arm64) support loading of doubles and full words from 4-byte aligned addresses we are fine. Bug: v8:7703 Change-Id: I99fc6da5a0927f4db9b8fb24c7cc0bfc416523bc Reviewed-on: https://chromium-review.googlesource.com/c/1496974 Auto-Submit: Igor Sheludko <ishell@chromium.org> Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#60013}
-
- 25 Feb, 2019 1 commit
-
-
Z Duong Nguyen-Huu authored
Bug: v8:6831 Change-Id: I6e9f6fc718928f2f86d3b3c2dd144a6636b05790 Reviewed-on: https://chromium-review.googlesource.com/c/1481895 Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Simon Zünd <szuend@chromium.org> Cr-Commit-Position: refs/heads/master@{#59844}
-
- 15 Feb, 2019 1 commit
-
-
Jakob Kummerow authored
This takes heap-inl.h out of the "Giant Include Cluster". Naturally, that means adding a bunch of explicit includes in a bunch of places that relied on transitively including them before. As of this patch, no header file outside src/heap/ includes heap-inl.h. Bug: v8:8562,v8:8499 Change-Id: I65fa763f90e66afc30d105b9277792721f05a6d4 Reviewed-on: https://chromium-review.googlesource.com/c/1459659 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Cr-Commit-Position: refs/heads/master@{#59617}
-
- 13 Feb, 2019 2 commits
-
-
Toon Verwaest authored
We should just always get an Object in rather than both Object and Object* where the former is dealt with through operator->. Change-Id: I2d2542f37a357d4c410cc5f07c8e3563e66660b7 Reviewed-on: https://chromium-review.googlesource.com/c/1470104Reviewed-by: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#59553}
-
tzik authored
This updates the type of contexts to NativeContext instead of Context, namely on GetFunctionRealm(), GetCreationContext(), and JSGlobalObject::native_context. They should be semantically NativeContexts, but the return type hides the underlying NativeContext, and causes its user to cast the context to native. Change-Id: I2f234b0df8c2dcaeab25cb543e09d80d12ca7369 Reviewed-on: https://chromium-review.googlesource.com/c/1469541Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Taiju Tsuiki <tzik@chromium.org> Cr-Commit-Position: refs/heads/master@{#59543}
-
- 09 Feb, 2019 1 commit
-
-
Jakob Kummerow authored
HeapObject::SizeFromMap() was too large to get inlined anyway. HeapObject::IsFoo() predicates should be implemented in foo-inl.h, because that's what they depend on. This patch also fixes up includes: dropping unnecessary ones from object-inl.h, and adding them in other places that previously relied on getting them transitively. Bug: v8:8562 Change-Id: Id062bed67257d9dc1899f2d71f44cf69a1368c83 Reviewed-on: https://chromium-review.googlesource.com/c/1450778Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#59478}
-
- 04 Feb, 2019 1 commit
-
-
Takuto Ikuta authored
This is a reland of 83908b86 Fix: check V8_INTL_SUPPORT macro in js-objects.cc Original change's description: > Reland "Extract JSObject class from objects.cc" > > This is a reland of b8c821f4 > > Fix: include src/string-stream.h for compile failure > https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux%20-%20builder/39320 > > Original change's description: > > Extract JSObject class from objects.cc > > > > I extracted following class member functions to js-objects.cc > > * JSReceiver > > * JSObject > > * JSBoundFunction > > * JSFunction > > * JSGlobalObject > > * JSDate > > * JSMessageObject > > > > Declaration of all above class are in js-objects.h. > > > > I also moved AllocationSite::DigestTransitionFeedback used in JSObject::UpdateAllocationSite > > and ShouldConvertToSlowElements used in JSObject and JSArray > > > > This patch makes compile time of objects.cc from 17.6s to 14.1s on Z840 Linux. > > And js-objects.cc takes 8.69s for compile. > > > > Bug: v8:7629 > > Change-Id: I989f22363667445dd28d7f8c06c81ff79d6ed45f > > Reviewed-on: https://chromium-review.googlesource.com/c/1447916 > > Commit-Queue: Takuto Ikuta <tikuta@chromium.org> > > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> > > Reviewed-by: Marja Hölttä <marja@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#59288} > > Bug: v8:7629 > Bug: v8:8562 > Change-Id: Iac2227c5f0c5a4072d16814ecae481fb4720e4f5 > Reviewed-on: https://chromium-review.googlesource.com/c/1449951 > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> > Commit-Queue: Takuto Ikuta <tikuta@chromium.org> > Cr-Commit-Position: refs/heads/master@{#59318} Bug: v8:7629, v8:8562 Change-Id: If8870bd579d8597d08981a83492f60595e081a65 Reviewed-on: https://chromium-review.googlesource.com/c/1452097Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Takuto Ikuta <tikuta@chromium.org> Cr-Commit-Position: refs/heads/master@{#59329}
-