1. 24 May, 2019 1 commit
  2. 14 May, 2019 1 commit
  3. 06 May, 2019 1 commit
  4. 29 Apr, 2019 1 commit
    • Benedikt Meurer's avatar
      [runtime] Optimize general object spread. · 4995c85f
      Benedikt Meurer authored
      This adds a new %_CopyDataProperties intrinsic, that reuses most of the
      existing machinery that we already have in place for Object.assign() and
      computed property names in object literals. This speeds up the general
      case for object spread (where the spread is not the first item in an
      object literal) and brings it on par with Object.assign() at least - in
      most cases it's significantly faster than Object.assign().
      
      In the test case [1] referenced from the bug, the performance goes from
      
        objectSpreadLast: 3624 ms.
        objectAssignLast: 1938 ms.
      
      to
      
        objectSpreadLast: 646 ms.
        objectAssignLast: 1944 ms.
      
      which corresponds to a **5-6x performance boost**, making object spread
      faster than Object.assign() in general.
      
      Drive-by-fix: This refactors the Object.assign() fast-path in a way that
      it can be reused appropriately for object spread, and adds another new
      builtin SetDataProperties, which does the core of the Object.assign()
      work. We can teach TurboFan to inline Object.assign() based on the new
      SetDataProperties builtin at some later point to further optimize
      Object.assign().
      
      [1]: https://gist.github.com/bmeurer/0dae4a6b0e23f43d5a22d7c91476b6c0
      
      Bug: v8:9167
      Change-Id: I57bea7a8781c4a1e8ff3d394873c3cd4c5d73834
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587376Reviewed-by: 's avatarSathya Gunasekaran <gsathya@chromium.org>
      Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
      Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#61100}
      4995c85f
  5. 24 Apr, 2019 1 commit
    • Jakob Gruber's avatar
      [coverage] Reduce IncBlockCounter overhead · ae6a47ba
      Jakob Gruber authored
      When collecting JS block coverage, we track block execution counts on
      so-called CoverageInfo objects. Generated bytecode and native code
      contains inlined snippets of code to increment the appropriate
      counters.
      
      These used to be implemented as calls to the IncBlockCounter runtime
      function. Each call incurred the entire CEntry overhead.
      
      This CL reduces that overhead by moving logic over into a new
      IncBlockCounter TFS builtin. The builtin is called directly from
      bytecode, and lowered to the same builtin call for optimized code.
      
      Drive-by: Tweak CoverageInfo layout to generate faster code.
      
      Tbr: jarin@chromium.org
      Bug: v8:9149, v8:6000
      Change-Id: I2d7cb0db649edf7c56b5ef5a4683d27b1c34605c
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1571420Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
      Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
      Reviewed-by: 's avatarPeter Marshall <petermarshall@chromium.org>
      Commit-Queue: Jakob Gruber <jgruber@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#60981}
      ae6a47ba
  6. 11 Oct, 2018 1 commit
    • Benedikt Meurer's avatar
      [async] Introduce dedicated JSAsyncFunctionObject. · a63987a4
      Benedikt Meurer authored
      This JSAsyncFunctionObject represents the implicit generator object
      inside of async functions, and also holds the outer promise for the
      async functions. This in turn allows us to get rid of the .promise
      in the Parser / BytecodeGenerator completely, and will make it
      possible to build zero-cost async stack traces independent of the
      concrete synchronous part of the stack frame (which currently breaks
      in Node.js).
      
      In the bytecode all the async function operations now take this new
      JSAsyncFunctionObject instead of passing both the .generator_object
      and the .promise, which further simplifies and shrinks the bytecode.
      It also reduces the size of async function frames, potentially making
      the suspend/resume cheaper.
      
      This also changes `await` to use intrinsics instead of calling to
      special JSFunctions on the native context, and thus reduces the size of
      the native contexts.
      
      Drive-by-fix: Introduce a dedicated JSCreateAsyncFunctionObject operator
      to TurboFan.
      
      Bug: v8:7253, v8:7522
      Change-Id: I2305302285156aa1f71328ecac70377abdd92c80
      Ref: nodejs/node#11865
      Design-Document: http://bit.ly/v8-zero-cost-async-stack-traces
      Reviewed-on: https://chromium-review.googlesource.com/c/1273049
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarSathya Gunasekaran <gsathya@chromium.org>
      Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Reviewed-by: 's avatarMaya Lekova <mslekova@chromium.org>
      Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#56554}
      a63987a4
  7. 10 Oct, 2018 1 commit
    • Benedikt Meurer's avatar
      [async] Improve async function handling. · 0038e5f0
      Benedikt Meurer authored
      This change introduces new intrinsics used to desugar async functions
      in the Parser and the BytecodeGenerator, namely we introduce a new
      %_AsyncFunctionEnter intrinsic that constructs the generator object
      for the async function (and in the future will also create the outer
      promise for the async function). This generator object is internal
      and never escapes to user code, plus since async functions don't have
      a "prototype" property, we can just a single map here instead of tracking
      the prototype/initial_map on every async function. This saves one word
      per async function plus one initial_map per async function that was
      invoked at least once.
      
      We also introduce two new intrinsics %_AsyncFunctionReject, which
      rejects the outer promise with the caught exception, and another
      %_AsyncFunctionResolve, which resolves the outer promise with the
      right hand side of the `return` statement. These functions also perform
      the DevTools part of the job (aka popping from the promise stack and
      sending the debug event). This allows us to get rid of the implicit
      try-finally from async functions completely; because the finally
      block only called to the %AsyncFunctionPromiseRelease builtin, which
      was used to inform DevTools.
      
      In essence we now turn an async function like
      
      ```js
      async function f(x) { return await bar(x); }
      ```
      
      into something like this (in Parser and BytecodeGenerator respectively):
      
      ```
      function f(x) {
        .generator_object = %_AsyncFunctionEnter(.closure, this);
        .promise = %AsyncFunctionCreatePromise();
        try {
          .tmp = await bar(x);
          return %_AsyncFunctionResolve(.promise, .tmp);
        } catch (e) {
          return %_AsyncFunctionReject(.promise, e);
        }
      }
      ```
      
      Overall the bytecode for async functions gets significantly shorter
      already (and will get even shorter once we put the outer promise into
      the async function generator object). For example the bytecode for a
      simple async function
      
      ```js
      async function f(x) { return await x; }
      ```
      
      goes from 175 bytes to 110 bytes (a ~38% reduction in size), which
      is in particular due to the simplification around the try-finally
      removal.
      
      Overall this seems to improve the doxbee-async-es2017-native test by
      around 2-3%. On the test case mentioned in v8:8276 we go from
      1124ms to 441ms, which corresponds to a 60% reduction in total
      execution time!
      
      Tbr: marja@chromium.org
      Bug: v8:7253, v8:7522, v8:8276
      Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;luci.chromium.try:linux_chromium_rel_ng;master.tryserver.blink:linux_trusty_blink_rel
      Change-Id: Id29dc92de7490b387ff697860c900cee44c9a7a4
      Reviewed-on: https://chromium-review.googlesource.com/c/1269041
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarSathya Gunasekaran <gsathya@chromium.org>
      Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
      Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Reviewed-by: 's avatarMaya Lekova <mslekova@chromium.org>
      Reviewed-by: 's avatarYang Guo <yangguo@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#56502}
      0038e5f0
  8. 21 Sep, 2018 1 commit
  9. 20 Sep, 2018 1 commit
    • Benedikt Meurer's avatar
      [cleanup] Remove a lot of dead intrinsics/runtime functions. · 44c24bf8
      Benedikt Meurer authored
      The following runtime functions (and their intrinsic counter parts) are
      completely unused/obsolete by now
      
        - %ToInteger
        - %GeneratorGetInputOrDebugPos
      
      and in addition the intrinsics for %_ToNumber and %_IsJSProxy are also
      dead (according to code coverage and manual verification), so drop them
      as well (their runtime function counterparts are still somewhat used).
      
      Bug: v8:8015
      Change-Id: I60d53762dd9717fb43de38cb490b46676c467212
      Reviewed-on: https://chromium-review.googlesource.com/1235923Reviewed-by: 's avatarYang Guo <yangguo@chromium.org>
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#56076}
      44c24bf8
  10. 17 Sep, 2018 1 commit
  11. 21 Aug, 2018 1 commit
  12. 14 May, 2018 1 commit
  13. 20 Feb, 2018 1 commit
    • Benedikt Meurer's avatar
      [async-await] Turn await closures into intrinsics. · d97bb317
      Benedikt Meurer authored
      There's no need to have the AsyncFunctionAwait/AsyncGeneratorAwait
      operations as separate closures that are called via JavaScript calling
      convention, but instead we can just have them as intrinsics (with the
      goal to eventually turn them into IC stubs).
      
      Drive-by-fix: Tail call to the ResumeGenerator builtin when resuming
      an async function. The earlier restrictions no only apply with the new
      machinery.
      
      Bug: v8:7253
      Change-Id: I0c4d04dae15b4211158fc07151adafda69d4faec
      Reviewed-on: https://chromium-review.googlesource.com/924703Reviewed-by: 's avatarYang Guo <yangguo@chromium.org>
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#51382}
      d97bb317
  14. 15 Feb, 2018 1 commit
  15. 13 Feb, 2018 1 commit
    • Benedikt Meurer's avatar
      [builtins] Refactor the promise resolution and rejection logic. · c0412961
      Benedikt Meurer authored
      This introduces dedicated builtins
      
        - FulfillPromise,
        - RejectPromise, and
        - ResolvePromise,
      
      which perform the corresponding operations from the language
      specification, and removes the redundant entry points and the
      excessive inlining of these operations into other builtins. We
      also add the same logic on the C++ side, so that we don't need
      to go into JavaScript land when resolving/rejecting from the
      API.
      
      The C++ side has a complete implementation, including full support
      for the debugger and the current PromiseHook machinery. This is to
      avoid constantly crossing the boundary for those cases, and to also
      simplify the CSA side (and soon the TurboFan side), where we only
      do the fast-path and bail out to the runtime for the general handling.
      
      On top of this we introduce %_RejectPromise and %_ResolvePromise,
      which are entry points used by the bytecode and parser desugarings
      for async functions, and also used by the V8 Extras API. Thanks to
      this we can uniformly optimize these in TurboFan, where we have
      corresponding operators JSRejectPromise and JSResolvePromise, which
      currently just call into the builtins, but middle-term can be further
      optimized, i.e. to skip the "then" lookup for JSResolvePromise when
      we know something about the resolution.
      
      In TurboFan we can also already inline the default PromiseCapability
      [[Reject]] and [[Resolve]] functions, although this is not as effective
      as it can be right now, until we have inlining support for the Promise
      constructor (being worked on by petermarshall@ right now) and/or SFI
      based CALL_IC feedback.
      
      Overall this change is meant as a refactoring without significant
      performance impact anywhere; it seems to improve performance of
      simple async functions a bit, but otherwise is neutral.
      
      Bug: v8:7253
      Change-Id: Id0b979f9b2843560e38cd8df4b02627dad4b6d8c
      Reviewed-on: https://chromium-review.googlesource.com/911632Reviewed-by: 's avatarSathya Gunasekaran <gsathya@chromium.org>
      Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#51260}
      c0412961
  16. 24 Jan, 2018 1 commit
  17. 18 Oct, 2017 1 commit
  18. 15 Sep, 2017 1 commit
  19. 10 Aug, 2017 1 commit
  20. 08 Aug, 2017 1 commit
  21. 31 Jul, 2017 1 commit
  22. 25 Jul, 2017 1 commit
  23. 14 Jul, 2017 1 commit
    • Caitlin Potter's avatar
      [generators] remove SuspendFlags enum and related code · 53553f5d
      Caitlin Potter authored
      SuspendFlags was originally used by the suspend operation to determine
      which field to record the bytecode offset of a suspended generator, and
      the value the generator was resumed with. For async generators, await
      operations would use a separate field, in order to preserve the previous
      yield input value. This was important to ensure `function.sent`
      continued to function correctly.
      
      As function.sent is being retired, this allows the removal of support
      for that. Given that this was the only real need for SuspendFlags in the
      first place (with other uses tacked on as a hack), this involves several
      other changes as well:
      
      - Modification of MacroAssembler AssertGeneratorObject. No longer
        accepts a SuspendFlags parameter to determine which type of check to
        perform.
      - Removal of `flags` operand from SuspendGenerator bytecode, and the
        GeneratorStore js-operator.
      - Removal of `flags` parameter from ResumeGeneratorTrampoline builtins.
      - Removal of Runtime functions, interpreter intrinsics and
        AccessBuilders associated with the [[await_input_or_debug_pos]] field
        in JSAsyncGeneratorObject, as this field no longer exists.
      - Addition of a new `Yield` AST node (subclass of Suspend) in order to
        prevent the need for the other SuspendFlag values.
      
      BUG=v8:5855
      TBR=bmeurer@chromium.org
      
      Change-Id: Iff2881e4742497fe5b774915e988c3d9d8fbe487
      Reviewed-on: https://chromium-review.googlesource.com/570485
      Commit-Queue: Caitlin Potter <caitp@igalia.com>
      Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
      Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#46683}
      53553f5d
  24. 11 Jul, 2017 1 commit
    • Alexandre Talon's avatar
      [Turbofan] Enable reducers to report their name to make reducer tracing clearer · 7a75da34
      Alexandre Talon authored
      Each reducer now has a virtual reducer_name function, returning its name
      (the name of the class containing this reducer). This gets displayed when
      using the --trace_turbo_reduction flag. Also when using this flags more
      messages are displayed.
      
      Actually when a node is replaced in-place (which is called an update
      of the node), other reducers can still update it right after the
      in-place replacement. When a node is really replaced (not in-place),
      then we stop trying to apply reducers to it before we propagate the
      reduction through the relevant nodes.
      
      Before a message got printed only for the last reduction it went
      through. So in case a node was reduced in-place several times
      in a row, only the last update was printed, or none at all if after
      being reduced in-place it got reduced by being replaced by another
      node: only the non-in-place replacement was showed. 
      
      Now each time an in-place reduction is applied to a node, a message
      gets printed.
      
      Bug: 
      Change-Id: Id0f816fecd44c01d0253966c6decc4861be0c2fa
      Reviewed-on: https://chromium-review.googlesource.com/563365Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
      Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
      Commit-Queue: Alexandre Talon <alexandret@google.com>
      Cr-Commit-Position: refs/heads/master@{#46552}
      7a75da34
  25. 08 May, 2017 1 commit
  26. 26 Apr, 2017 1 commit
  27. 04 Apr, 2017 2 commits
  28. 29 Mar, 2017 1 commit
    • Caitlin Potter's avatar
      [async-iteration] implement AsyncGenerator · bf463c4d
      Caitlin Potter authored
      - Introduce new struct AsyncGeneratorRequest, which holds
        information pertinent to resuming execution of an
        AsyncGenerator, such as the Promise associated with the async
        generator request. It is intended to be used as a singly
        linked list, and holds a pointer to the next item in te queue.
      
      - Introduce JSAsyncGeneratorObject (subclass of
        JSGeneratorObject), which includes several new internal fields
        (`queue` which contains a singly linked list of
        AsyncGeneratorRequest objects, and `await_input` which
        contains the sent value from an Await expression (This is
        necessary to prevent function.sent (used by yield*) from
        having the sent value observably overwritten during
        execution).
      
      - Modify SuspendGenerator to accept a set of Flags, which
        indicate whether the suspend is for a Yield or Await, and
        whether it takes place on an async generator or ES6
        generator.
      
      - Introduce interpreter intrinsics and TF intrinsic lowering for
        accessing the await input of an async generator
      
      - Modify the JSGeneratorStore operator to understand whether or
        not it's suspending for a normal yield, or an AsyncGenerator
        Await. This ensures appropriate registers are stored.
      
      - Add versions of ResumeGeneratorTrampoline which store the
        input value in a different field depending on wether it's an
        AsyncGenerator Await resume, or an ordinary resume. Also modifies
        whether debug code will assert that the generator object is a
        JSGeneratorObject or a JSAsyncGeneratorObject depending on the
        resume type.
      
      BUG=v8:5855
      R=bmeurer@chromium.org, rmcilroy@chromium.org, jgruber@chromium.org,
      littledan@chromium.org, neis@chromium.org
      TBR=marja@chromium.org
      
      Change-Id: I9d58df1d344465fc937fe7eed322424204497187
      Reviewed-on: https://chromium-review.googlesource.com/446961
      Commit-Queue: Caitlin Potter <caitp@igalia.com>
      Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
      Reviewed-by: 's avatarHannes Payer <hpayer@chromium.org>
      Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#44240}
      bf463c4d
  29. 12 Feb, 2017 2 commits
  30. 09 Feb, 2017 1 commit
  31. 20 Jan, 2017 1 commit
    • bmeurer's avatar
      [turbofan] Properly implement %_ClassOf intrinsic. · 3e407093
      bmeurer authored
      The %_ClassOf intrinsic roughly corresponds to the deprecated ES5
      [[Class]] internal property, and should not be used anymore ideally.
      However since we still have quite a couple of uses of this intrinsic
      in the self hosted JavaScript builtins, we would tank some builtins
      like Map, Set, WeakMap, WeakSet, etc. quite significantly unless we
      also support this intrinsic until the builtins are all migrated to
      C++/CSA builtins.
      
      R=yangguo@chromium.org
      BUG=v8:5267
      
      Review-Url: https://codereview.chromium.org/2647833004
      Cr-Commit-Position: refs/heads/master@{#42530}
      3e407093
  32. 19 Jan, 2017 1 commit
    • bmeurer's avatar
      [turbofan] Recognize a couple of collection.js intrinsics. · d389e49b
      bmeurer authored
      Right now running the Map and Set builtins with I+TF would tank
      seriously because these builtins are still built on top of a
      couple of classic intrinsics that TurboFan doesn't understand.
      Middle-term the idea is to replace the Map and Set builtins with
      a CodeStubAssembler based solution, but for that might not be
      ready in time, so adding support for a couple of the critical
      intrinsics to mitigate the tankage a bit, namely
      
       - %_JSCollectionGetTable,
       - %_TheHole, and
       - %_StringGetRawHashField.
      
      Together these double the score on most of the existing performance
      tests for collections.
      
      R=yangguo@chromium.org
      BUG=v8:5267
      
      Review-Url: https://codereview.chromium.org/2647733002
      Cr-Commit-Position: refs/heads/master@{#42521}
      d389e49b
  33. 17 Jan, 2017 1 commit
    • neis's avatar
      [generators] Always call function with closure context when resuming. · c5948b98
      neis authored
      The resume trampolin used to call the generator function with the context of the
      last suspension rather than the closure's context.  While that was fine for
      Ignition, Turbofan got utterly confused.  With this CL, the resume trampolin
      always passes in the closure's context (like in the very first call of the
      generator function).  The generator function itself then restores its previously
      current context by reading it from the generator object and doing a
      PushContext.
      
      BUG=chromium:681171
      
      Review-Url: https://codereview.chromium.org/2639533002
      Cr-Commit-Position: refs/heads/master@{#42407}
      c5948b98
  34. 22 Dec, 2016 1 commit
  35. 04 Dec, 2016 1 commit
  36. 25 Oct, 2016 1 commit
    • jgruber's avatar
      [regexp] Remove unused code · 77ddcfb3
      jgruber authored
      This CL removes code that is now unused since the port of regexp.js has been
      completed. Removed functions / classes are:
      
      * regexp.js (GetSubstitution moved to string.js)
      * RegExpConstructResult stub
      * RegExpFlags intrinsic
      * RegExpSource intrinsic
      * RegExpInitializeAndCompile runtime function
      
      BUG=v8:5339
      
      Review-Url: https://codereview.chromium.org/2448463002
      Cr-Commit-Position: refs/heads/master@{#40547}
      77ddcfb3
  37. 17 Oct, 2016 1 commit
  38. 25 Jul, 2016 1 commit
    • bmeurer's avatar
      [turbofan] Avoid introducing machine operators during typed lowering. · 5bed1516
      bmeurer authored
      Introducing machine operators early causes trouble for the typing,
      truncation analysis and representation selection, so we should rather
      stick to simplified operators instead. Now there's only the for-in case
      left, which is not clear how we can handle this in a better way.
      
      Drive-by-fix: Also don't introduce Int32Constant and Word32Shl in
      JSTypedLowering, but use NumberConstant and proper NumberShiftLeft
      operators instead.
      
      R=jarin@chromium.org
      BUG=chromium:630951
      
      Review-Url: https://codereview.chromium.org/2182453002
      Cr-Commit-Position: refs/heads/master@{#38008}
      5bed1516