1. 28 Jul, 2020 1 commit
  2. 22 Jan, 2020 1 commit
  3. 09 Jan, 2020 1 commit
  4. 20 Dec, 2019 1 commit
    • Tobias Tebbi's avatar
      Revert "Extend GetIterator bytecode to perform JSReceiver check on object[Symbol.iterator]()" · 4671cb56
      Tobias Tebbi authored
      This reverts commit 91e3243d.
      
      Reason for revert: This deopts to the wrong point.
      
      Original change's description:
      > Extend GetIterator bytecode to perform JSReceiver check on object[Symbol.iterator]()
      > 
      > Current GetIterator bytecode loads and calls @@iterator property on a
      > given object. This change extends the bytecode functionality to check
      > whether the value returned after calling @@iterator property is a valid
      > JSReceiver. The bytecode throws SymbolIteratorInvalid exception if the
      > returned value is not a valid JSReceiver. This change absorbs the
      > functionality of additional two bytecodes - JumpIfJSReceiver and
      > CallRuntime, that are part of the iterator protocol in the GetIterator
      > bytecode.
      > 
      > Bug: v8:9489
      > Change-Id: I9e84cfe85eeb9a1b8a97ca0595375ac26ba1bbfd
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1792905
      > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
      > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
      > Commit-Queue: Swapnil Gaikwad <swapnilgaikwad@google.com>
      > Cr-Commit-Position: refs/heads/master@{#63704}
      
      TBR=rmcilroy@chromium.org,leszeks@chromium.org,tebbi@chromium.org,swapnilgaikwad@google.com
      
      # Not skipping CQ checks because original CL landed > 1 day ago.
      
      Bug: v8:9489
      Change-Id: I9324b5b01ead29912ad793a1e7b4d009643d7901
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1960288Reviewed-by: 's avatarTobias Tebbi <tebbi@chromium.org>
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#65541}
      4671cb56
  5. 26 Nov, 2019 1 commit
  6. 17 Oct, 2019 1 commit
    • Toon Verwaest's avatar
      Reland^2 "[runtime] Move Context::native_context to the map" · 3cad6bf5
      Toon Verwaest authored
      This is a reland of c7c47c68.
      
      This makes TSAN happy in addition to:
      
      Previously I presumed that the context read from a frame in the profiler was
      a valid context. Turns out that on non-intel we're not guaranteed that the
      frame is properly set up. In the case we looked at, the profiler took a
      sample right before writing the frame marker indicating a builtin frame,
      causing the "context" pointer from that frame to be a bytecode array. Since
      we'll read random garbage on the stack as a possible context pointer, I made
      the code reading the native context from it a little more defensive.
      
      Bug: v8:9860
      Tbr: ulan@chromium.org, neis@chromium.org, ishell@chromium.org
      
      Original change's description:
      > [runtime] Move Context::native_context to the map
      >
      > Remove the native context slot from contexts by making context maps
      > native-context-specific. Now we require 2 loads to go from a context to the
      > native context, but we have 1 field fewer to store when creating contexts.
      >
      > Change-Id: I3c0d7c50c94060c4129db684f46a567de6f30e8d
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1859629
      > Commit-Queue: Toon Verwaest <verwaest@chromium.org>
      > Reviewed-by: Igor Sheludko <ishell@chromium.org>
      > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > Reviewed-by: Maya Lekova <mslekova@chromium.org>
      > Reviewed-by: Georg Neis <neis@chromium.org>
      > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#64296}
      
      Change-Id: I4d0ab4cbbb23a9ae616407f17ef8f35a0b68ddb4
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1864654
      Commit-Queue: Toon Verwaest <verwaest@chromium.org>
      Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
      Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
      Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
      Reviewed-by: 's avatarPeter Marshall <petermarshall@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#64360}
      3cad6bf5
  7. 16 Oct, 2019 2 commits
    • Sathya Gunasekaran's avatar
      Revert "Reland "[runtime] Move Context::native_context to the map"" · 38301e7b
      Sathya Gunasekaran authored
      This reverts commit c7c47c68.
      
      Reason for revert: breaks TSAN
      https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20TSAN/28738
      
      Original change's description:
      > Reland "[runtime] Move Context::native_context to the map"
      > 
      > This is a reland of f05bae1e
      > 
      > Previously I presumed that the context read from a frame in the profiler was
      > a valid context. Turns out that on non-intel we're not guaranteed that the
      > frame is properly set up. In the case we looked at, the profiler took a
      > sample right before writing the frame marker indicating a builtin frame,
      > causing the "context" pointer from that frame to be a bytecode array. Since
      > we'll read random garbage on the stack as a possible context pointer, I made
      > the code reading the native context from it a little more defensive.
      > 
      > Bug: v8:9860
      > 
      > Original change's description:
      > > [runtime] Move Context::native_context to the map
      > >
      > > Remove the native context slot from contexts by making context maps
      > > native-context-specific. Now we require 2 loads to go from a context to the
      > > native context, but we have 1 field fewer to store when creating contexts.
      > >
      > > Change-Id: I3c0d7c50c94060c4129db684f46a567de6f30e8d
      > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1859629
      > > Commit-Queue: Toon Verwaest <verwaest@chromium.org>
      > > Reviewed-by: Igor Sheludko <ishell@chromium.org>
      > > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > > Reviewed-by: Maya Lekova <mslekova@chromium.org>
      > > Reviewed-by: Georg Neis <neis@chromium.org>
      > > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      > > Cr-Commit-Position: refs/heads/master@{#64296}
      > 
      > Change-Id: If9461e9b21d35a260d71c79d7f95e518cc429e09
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1864930
      > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > Reviewed-by: Igor Sheludko <ishell@chromium.org>
      > Reviewed-by: Georg Neis <neis@chromium.org>
      > Commit-Queue: Toon Verwaest <verwaest@chromium.org>
      > Auto-Submit: Toon Verwaest <verwaest@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#64314}
      
      TBR=ulan@chromium.org,neis@chromium.org,petermarshall@chromium.org,ishell@chromium.org,verwaest@chromium.org,mslekova@chromium.org,victorgomes@google.com
      
      Change-Id: I4f9edc62ea6f9f5857619ff0ad1a63cab4b33cc3
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: v8:9860
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1864937Reviewed-by: 's avatarSathya Gunasekaran  <gsathya@chromium.org>
      Commit-Queue: Sathya Gunasekaran  <gsathya@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#64316}
      38301e7b
    • Toon Verwaest's avatar
      Reland "[runtime] Move Context::native_context to the map" · c7c47c68
      Toon Verwaest authored
      This is a reland of f05bae1e
      
      Previously I presumed that the context read from a frame in the profiler was
      a valid context. Turns out that on non-intel we're not guaranteed that the
      frame is properly set up. In the case we looked at, the profiler took a
      sample right before writing the frame marker indicating a builtin frame,
      causing the "context" pointer from that frame to be a bytecode array. Since
      we'll read random garbage on the stack as a possible context pointer, I made
      the code reading the native context from it a little more defensive.
      
      Bug: v8:9860
      
      Original change's description:
      > [runtime] Move Context::native_context to the map
      >
      > Remove the native context slot from contexts by making context maps
      > native-context-specific. Now we require 2 loads to go from a context to the
      > native context, but we have 1 field fewer to store when creating contexts.
      >
      > Change-Id: I3c0d7c50c94060c4129db684f46a567de6f30e8d
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1859629
      > Commit-Queue: Toon Verwaest <verwaest@chromium.org>
      > Reviewed-by: Igor Sheludko <ishell@chromium.org>
      > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > Reviewed-by: Maya Lekova <mslekova@chromium.org>
      > Reviewed-by: Georg Neis <neis@chromium.org>
      > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#64296}
      
      Change-Id: If9461e9b21d35a260d71c79d7f95e518cc429e09
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1864930Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
      Reviewed-by: 's avatarPeter Marshall <petermarshall@chromium.org>
      Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
      Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
      Commit-Queue: Toon Verwaest <verwaest@chromium.org>
      Auto-Submit: Toon Verwaest <verwaest@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#64314}
      c7c47c68
  8. 15 Oct, 2019 2 commits
  9. 16 Sep, 2019 1 commit
    • Georg Neis's avatar
      [turbofan] Fix and simplify optimization of access on global proxy · 97c89ebb
      Georg Neis authored
      We used to have two special cases for named accesses on the global
      proxy, one based on seeing the global proxy constant in the graph and
      on based on seeing the global proxy map either in the feedback or in
      the graph. A change I made a while ago accidentally disabled the second
      one. This CL restores that.
      
      Moreover, given how things are set up now (this might have been
      different before), the first optimization is subsumed by the second
      one, so this CL also removes the first one.
      
      Finally, this CL records an accumulator hint in the case of a load,
      which improves precision of the serializer for concurrent inlining.
      
      Tbr: tebbi@chromium.org
      Bug: v8:7790
      Change-Id: I255afc6c79e5c5c900b3ccfcd8459d836d21e42b
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1801954
      Commit-Queue: Georg Neis <neis@chromium.org>
      Reviewed-by: 's avatarMichael Stanton <mvstanton@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63806}
      97c89ebb
  10. 12 Sep, 2019 1 commit
  11. 30 Aug, 2019 1 commit
  12. 20 Aug, 2019 1 commit
  13. 19 Aug, 2019 3 commits
    • Georg Neis's avatar
      Reland "[turbofan] Various serializer/broker improvements" · 4b1af9fc
      Georg Neis authored
      This is a reland of 29585a06 after
      removing an incorrect DCHECK.
      
      Original change's description:
      > [turbofan] Various serializer/broker improvements
      >
      > They are all somewhat entangled, sorry for the big CL.
      >
      > - Brokerize remaining feedback vector slots.
      > - Introduce Hints::SingleConstant helper.
      > - Introduce SerializationPolicy enum.
      > - Eliminate use of nullptr for megamorphic load/store ic feedback.
      >   Instead use the corresponding ProcessedFeedback with an empty list
      >   of maps or the like. new class MegamorphicFeedback.
      > - Separate processing of feedback from serialization. This eliminates
      >   code duplication.
      > - Be very careful when clearing hints not to overwrite hints that are
      >   being processed.
      > - Move AccessInfos out of NamedAccessFeedback. Always store them in
      >   property_access_infos_ map on broker. (This was actually unused
      >   before, somewhat by mistake.)
      > - Support map inference in concurrent inlining. Rewrite
      >   ElementAccessFeedback such that we can refine it with the set of
      >   inferred maps.
      >
      > TBR: mvstanton@chromium.org
      > Change-Id: I05e9eb250bdffc6dff29db01742550a86a41cb31
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752853
      > Commit-Queue: Georg Neis <neis@chromium.org>
      > Reviewed-by: Georg Neis <neis@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#63232}
      
      TBR: mvstanton@chromium.org
      Bug: v8:7790
      Change-Id: Ia4acd31b339a941ee065e1ae4835bb7b85d5685e
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758319Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
      Commit-Queue: Georg Neis <neis@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63241}
      4b1af9fc
    • Maya Lekova's avatar
      Revert "[turbofan] Various serializer/broker improvements" · 0645b26a
      Maya Lekova authored
      This reverts commit 29585a06.
      
      Reason for revert: Breaks GC stress bots - 
      https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/24009
      https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/27281
      
      Original change's description:
      > [turbofan] Various serializer/broker improvements
      > 
      > They are all somewhat entangled, sorry for the big CL.
      > 
      > - Brokerize remaining feedback vector slots.
      > - Introduce Hints::SingleConstant helper.
      > - Introduce SerializationPolicy enum.
      > - Eliminate use of nullptr for megamorphic load/store ic feedback.
      >   Instead use the corresponding ProcessedFeedback with an empty list
      >   of maps or the like. new class MegamorphicFeedback.
      > - Separate processing of feedback from serialization. This eliminates
      >   code duplication.
      > - Be very careful when clearing hints not to overwrite hints that are
      >   being processed.
      > - Move AccessInfos out of NamedAccessFeedback. Always store them in
      >   property_access_infos_ map on broker. (This was actually unused
      >   before, somewhat by mistake.)
      > - Support map inference in concurrent inlining. Rewrite
      >   ElementAccessFeedback such that we can refine it with the set of
      >   inferred maps.
      > 
      > TBR: mvstanton@chromium.org
      > Change-Id: I05e9eb250bdffc6dff29db01742550a86a41cb31
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752853
      > Commit-Queue: Georg Neis <neis@chromium.org>
      > Reviewed-by: Georg Neis <neis@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#63232}
      
      TBR=mvstanton@chromium.org,neis@chromium.org
      
      Change-Id: I88625d92fddf993db63661666c59af05a47b2b58
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758314Reviewed-by: 's avatarMaya Lekova <mslekova@chromium.org>
      Commit-Queue: Maya Lekova <mslekova@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63237}
      0645b26a
    • Georg Neis's avatar
      [turbofan] Various serializer/broker improvements · 29585a06
      Georg Neis authored
      They are all somewhat entangled, sorry for the big CL.
      
      - Brokerize remaining feedback vector slots.
      - Introduce Hints::SingleConstant helper.
      - Introduce SerializationPolicy enum.
      - Eliminate use of nullptr for megamorphic load/store ic feedback.
        Instead use the corresponding ProcessedFeedback with an empty list
        of maps or the like. new class MegamorphicFeedback.
      - Separate processing of feedback from serialization. This eliminates
        code duplication.
      - Be very careful when clearing hints not to overwrite hints that are
        being processed.
      - Move AccessInfos out of NamedAccessFeedback. Always store them in
        property_access_infos_ map on broker. (This was actually unused
        before, somewhat by mistake.)
      - Support map inference in concurrent inlining. Rewrite
        ElementAccessFeedback such that we can refine it with the set of
        inferred maps.
      
      TBR: mvstanton@chromium.org
      Change-Id: I05e9eb250bdffc6dff29db01742550a86a41cb31
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752853
      Commit-Queue: Georg Neis <neis@chromium.org>
      Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63232}
      29585a06
  14. 09 Aug, 2019 1 commit
  15. 01 Aug, 2019 1 commit
  16. 25 Jul, 2019 1 commit
  17. 05 Jul, 2019 1 commit
  18. 24 Jun, 2019 1 commit
  19. 21 Jun, 2019 1 commit
  20. 20 May, 2019 3 commits
  21. 16 May, 2019 1 commit
  22. 10 May, 2019 1 commit
  23. 12 Apr, 2019 1 commit
  24. 09 Apr, 2019 1 commit
  25. 29 Mar, 2019 1 commit
  26. 14 Mar, 2019 1 commit
    • Georg Neis's avatar
      [turbofan] Preprocess feedback for global accesses (partially) · 04bb707e
      Georg Neis authored
      Main changes:
      - Rename ProcessedFeedback to ElementAccessFeedback and introduce a base class
        with the old name ProcessedFeedback.
      - Introduce another kind of ProcessedFeedback, namely GlobalAccessFeedback for
        the LoadGlobal/StoreGlobal IC. It's either a PropertyCell or a script context
        slot.
      - Produce such processed feedback in the serializer, when visiting LdaGlobal and
        similar bytecodes.
      - Consume it, and disallow heap access, in JSNativeContextSpecialization's
        ReduceJSLoadGlobal and ReduceJSStoreGlobal (for --concurrent-inlining).
      
      Minor changes:
      - Introduce a FeedbackSource class (pair of FeedbackVector and FeedbackSlot)
        that is used as the key of the processed feedback hash table. We already have
        two similar classes, FeedbackNexus and VectorSlotPair, but both are unsuitable
        for technical reasons (e.g. FeedbackNexus construction accesses the heap).
        Eventually we should remove VectorSlotPair.
      - Processed feedback is now returned as a pointer, which is nullptr if the
        original feedback wasn't interesting (e.g. megamorphic).
      
      The title says "partially" because the CL doesn't yet take into account named
      accesses where the receiver happens to be the global proxy.
      
      Bug: v8:7790
      Change-Id: I4404d98636b91a8f2d5667115944bae4773a4770
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1518184
      Commit-Queue: Georg Neis <neis@chromium.org>
      Reviewed-by: 's avatarMaya Lekova <mslekova@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#60240}
      04bb707e
  27. 01 Mar, 2019 1 commit
    • Matt Gardner's avatar
      Reland "Optimize `in` operator" · 803ad324
      Matt Gardner authored
      The original was reverted for breaking webkit layout tests:
      https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8-Blink%20Linux%2064/30270
      
      It also caused the following clusterfuzz failures:
      
      chromium:935832
      This was a correctness bug due to not properly handling the case of arrays with prototypes other
      than Array.prototype. Accesses that were TheHole were not being handled property, both in bounds
      holes in holey arrays and out of bounds on either holey or packed arrays. Handling was incorrect
      both in access-assembler and in Turbofan.
      
      chromium:935932
      This bug was that there was no handling for Has checks on the global object. Turbofan was emitting
      code for a store (the 'else' condition on 'access_mode == AccessMode::kLoad'). It hit a DCHECK in
      debug builds but in release could show up in different places. This is the bug that caused the
      webkit layout test failure that led to the revert.
      
      Both bugs are fixed by in CL, and tests are added for those cases.
      
      Bug: v8:8733, chromium:935932, chromium:935832
      Change-Id: Iba0dfcfce6e15d2c0815a7670ece67bc13ba1925
      Reviewed-on: https://chromium-review.googlesource.com/c/1493132Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarSigurd Schneider <sigurds@chromium.org>
      Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
      Commit-Queue: Matt Gardner <magardn@microsoft.com>
      Cr-Commit-Position: refs/heads/master@{#59958}
      803ad324
  28. 26 Feb, 2019 2 commits
  29. 25 Feb, 2019 1 commit
  30. 19 Feb, 2019 1 commit
  31. 13 Feb, 2019 1 commit
  32. 12 Feb, 2019 1 commit
    • Georg Neis's avatar
      Reland^4 "[turbofan] Use feedback when reducing global loads/stores." · 96585c3a
      Georg Neis authored
      This is a reland of 8683116e without
      changes. The previous issues should be gone thanks to
      ba1d0f25.
      
      Original change's description:
      > Reland^3 "[turbofan] Use feedback when reducing global loads/stores."
      >
      > This is a reland of 2d2c1374 without
      > changes. Offending chromium tests have been modified.
      >
      > Original change's description:
      > > Reland^2 "[turbofan] Use feedback when reducing global loads/stores."
      > >
      > > This reverts commit ac85ab0a. A
      > > chromium test caused trouble and was taken care of in
      > > https://chromium-review.googlesource.com/c/1384064.
      > >
      > > Original change's description:
      > > > [turbofan] Use feedback when reducing global loads/stores.
      > > >
      > > > We already record the script context location or the property cell
      > > > as feedback of the global load/store IC, so Turbofan doesn't need
      > > > to do the lookups again.
      > >
      > > TBR=sigurds@chromium.org
      > >
      > > Change-Id: I58bcd9bceec2f9cf401f7b0fc4460a6da6cd0abc
      > > Reviewed-on: https://chromium-review.googlesource.com/c/1386404
      > > Commit-Queue: Georg Neis <neis@chromium.org>
      > > Reviewed-by: Georg Neis <neis@chromium.org>
      > > Cr-Commit-Position: refs/heads/master@{#58393}
      >
      > Change-Id: Ic6734201a6c45f2752488ab44b16859776802f51
      > Reviewed-on: https://chromium-review.googlesource.com/c/1408252
      > Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
      > Commit-Queue: Georg Neis <neis@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#58769}
      
      TBR=bmeurer@chromium.org
      
      Change-Id: I80890e2605711045ec6997843d031b61ea27d5e4
      Reviewed-on: https://chromium-review.googlesource.com/c/1463779
      Commit-Queue: Georg Neis <neis@chromium.org>
      Reviewed-by: 's avatarSigurd Schneider <sigurds@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#59518}
      96585c3a
  33. 11 Feb, 2019 1 commit