- 15 Dec, 2016 1 commit
-
-
mstarzinger authored
This fixes a corner case where the {FastCloneShallowArrayStub} was used for literals that are backed by a double backing store and would exceed limits for new-space allocations on 32-bit architectures. The stub in question does not support such literals, callers must use the runtime. Note that this fix is for Ignition as well as FullCodeGenerator. R=rmcilroy@chromium.org TEST=mjsunit/regress/regress-crbug-672792 BUG=chromium:672792 Review-Url: https://codereview.chromium.org/2570843002 Cr-Commit-Position: refs/heads/master@{#41713}
-
- 08 Dec, 2016 1 commit
-
-
bmeurer authored
First step towards making arguments and rest parameters optimizable by splitting the allocations for the actual object and the elements. The object allocations can already be escape analyzed this way, the elements would need special support in the deoptimizer and the escape analysis, but that can be done as a second separate step. R=jarin@chromium.org BUG=v8:5726 Review-Url: https://codereview.chromium.org/2557283002 Cr-Commit-Position: refs/heads/master@{#41573}
-
- 01 Dec, 2016 1 commit
-
-
mstarzinger authored
This ensure that all inline allocations generated by {JSCreateLowering} will fit into a regular heap page. Allocations targeting LO-space must be done via a slower runtime call. R=bmeurer@chromium.org BUG=chromium:669850 Review-Url: https://codereview.chromium.org/2533353003 Cr-Commit-Position: refs/heads/master@{#41412}
-
- 15 Nov, 2016 1 commit
-
-
cbruni authored
In case of an allocation failure in for-in over holey elements, use precise number of elements to allocate a smaller buffer for the collected indices. Drive-by-fix: make is_the_hole accept the isolate for faster checks. BUG=chromium:609761 Review-Url: https://codereview.chromium.org/2041963003 Cr-Commit-Position: refs/heads/master@{#41010}
-
- 14 Nov, 2016 1 commit
-
-
caitp authored
Adds a protector cell to prevent inlining (which will likely lead to deopt loops) when a JSArrayIterator's array transitions from a fast JSArray to a slow JSArray (such as, when the array is touched during iteration in a way which triggers a map transition). Also adds TODO comments relating to the spec update proposed by Dan at https://github.com/tc39/ecma262/pull/724 BUG=v8:5388 R=bmeurer@chromium.org, mstarzinger@chromium.org TBR=hpayer@chromium.org, ulan@chromium.org Review-Url: https://codereview.chromium.org/2484003002 Cr-Commit-Position: refs/heads/master@{#40970}
-
- 11 Nov, 2016 2 commits
-
-
bmeurer authored
This adds a new ExternalPointer type, which is an Internal type that is used for ExternalReferences and other pointer values, like the pointers into the asm.js heap. It also adds a PointerConstant operator, which we use to represents these raw constants (we can probably remove that particular operator again once WebAssembly ships with the validator). R=mvstanton@chromium.org BUG=v8:5267,v8:5270 Review-Url: https://codereview.chromium.org/2494753003 Cr-Commit-Position: refs/heads/master@{#40923}
-
bmeurer authored
The contract for TurboFan is that we use NumberConstants for any kind of number value until the representation selection picks concrete representations, i.e. Int32Constant or Float64Constant. We will soon be able to also guard this contract with DCHECKs. BUG=v8:5267 R=yangguo@chromium.org Review-Url: https://codereview.chromium.org/2499573002 Cr-Commit-Position: refs/heads/master@{#40908}
-
- 17 Oct, 2016 1 commit
-
-
bmeurer authored
Currently JSCreateLowering drops the type information for object literals, when inlining the JSCreateLiteralArray/Object nodes, which means we will not eliminate a couple of checks after the lowering. R=jarin@chromium.org Review-Url: https://codereview.chromium.org/2423913002 Cr-Commit-Position: refs/heads/master@{#40344}
-
- 10 Oct, 2016 1 commit
-
-
bmeurer authored
There were once plans to generate cross-context code with TurboFan, however that doesn't fit into the model anymore, and so all of this is essentially dead untested code (and thus most likely already broken in subtle ways). With this mode still in place it would also be a lot harder to make inlining based on SharedFunctionInfo work. BUG=v8:2206,v8:5499 R=jarin@chromium.org Review-Url: https://codereview.chromium.org/2406803002 Cr-Commit-Position: refs/heads/master@{#40109}
-
- 06 Oct, 2016 1 commit
-
-
mvstanton authored
With this CL, we devolve all Constants introduced as they are with an object handle into * Range - for integers * Nan * MinusZero * OtherNumberConstant - for doubles * HeapConstant We reduce the amount we have to inspect an object handle during optimization. Also, simplifications result. For example, you never have to check if a Range contains a HeapConstant. BUG= Review-Url: https://codereview.chromium.org/2381523002 Cr-Commit-Position: refs/heads/master@{#40041}
-
- 05 Oct, 2016 1 commit
-
-
bmeurer authored
If possible, take the constant map from the (known) native context for JSCreateIterResultObject, so that subsequent map checks can be eliminated in case of iterator inlining. R=jarin@chromium.org BUG=v8:3822 Review-Url: https://codereview.chromium.org/2394783002 Cr-Commit-Position: refs/heads/master@{#39974}
-
- 22 Sep, 2016 1 commit
-
-
mvstanton authored
BUG= Review-Url: https://codereview.chromium.org/2355253002 Cr-Commit-Position: refs/heads/master@{#39621}
-
- 06 Sep, 2016 1 commit
-
-
jochen authored
This will allow for chaining ScopeInfos together to form the same chains as contexts chains currently do. BUG=v8:5215 R=mstarzinger@chromium.org,marja@chromium.org,bmeurer@chromium.org,rmcilroy@chromium.org Review-Url: https://codereview.chromium.org/2314483002 Cr-Commit-Position: refs/heads/master@{#39192}
-
- 05 Sep, 2016 1 commit
-
-
jochen authored
Since the extension field is already used for the catch name, store a ContextExtension there instead. In the future, this will allow for chaining ScopeInfos together, so we no longer need a context chain for lazy parsing / compilation. BUG=v8:5215 R=bmeurer@chromium.org,neis@chromium.org,marja@chromium.org Review-Url: https://codereview.chromium.org/2302013002 Cr-Commit-Position: refs/heads/master@{#39164}
-
- 01 Sep, 2016 1 commit
-
-
bmeurer authored
We use a signaling NaN to represent the hole in FAST_HOLEY_DOUBLE_ELEMENTS backing stores, but on Intel processors, the C++ compiler may decide to (or be forced to due to calling conventions) use X87 registers for double values. However transfering to X87 registers automatically quietens the NaNs and there's no way to disable this. Therefore we should just always load the hole NaN from the canonical place identified by the address_of_hole_nan external reference instead, which might even be more efficient in some cases. R=jarin@chromium.org, jkummerow@chromium.org BUG=v8:5332 Review-Url: https://codereview.chromium.org/2303643002 Cr-Commit-Position: refs/heads/master@{#39062}
-
- 08 Aug, 2016 1 commit
-
-
bmeurer authored
This parameter was never used and doesn't seem like it would ever be useful, so it's gone now. R=epertoso@chromium.org Review-Url: https://codereview.chromium.org/2221043002 Cr-Commit-Position: refs/heads/master@{#38453}
-
- 03 Aug, 2016 1 commit
-
-
mstarzinger authored
This completely removes the ability from nodes to point directly to the frame state representing their eager bailout point. All nodes now either have zero or one frame state inputs. These frame states can by now be found via checkpoints in the graph. R=bmeurer@chromium.org BUG=v8:5021 Review-Url: https://codereview.chromium.org/2020323004 Cr-Commit-Position: refs/heads/master@{#38282}
-
- 11 Jul, 2016 1 commit
-
-
mstarzinger authored
This extends pretenuring decisions based on allocation sites to heap numbers that are allocated as part of object literals. It ensures memory locality of a bigger enclosure of the deep copy of an object literal. R=bmeurer@chromium.org TEST=cctest/test-heap/OptimizedPretenuringMixedInObjectProperties Review-Url: https://codereview.chromium.org/2135933002 Cr-Commit-Position: refs/heads/master@{#37645}
-
- 06 Jul, 2016 2 commits
-
-
mvstanton authored
And in so doing, enable a handful of excluded tests. BUG= Review-Url: https://codereview.chromium.org/2127713003 Cr-Commit-Position: refs/heads/master@{#37559}
-
jarin authored
BUG=chromium:621147 Review-Url: https://codereview.chromium.org/2126623003 Cr-Commit-Position: refs/heads/master@{#37543}
-
- 20 Jun, 2016 1 commit
-
-
bmeurer authored
These are used to check for Smi or HeapObject, and we use them appropriately in JSNativeContextSpecialization, so we don't need to introduce dependencies on concrete control flow and/or concrete frame states. They will be optimized by a proper check elimination reducer, which will be added in a separate CL. R=jarin@chromium.org BUG=v8:4470 Review-Url: https://codereview.chromium.org/2082523002 Cr-Commit-Position: refs/heads/master@{#37096}
-
- 14 Jun, 2016 1 commit
-
-
cbruni authored
Reland of place all remaining Oddball checks with new function (patchset #1 id:1 of https://codereview.chromium.org/2060213002/ ) Reason for revert: Cannot reproduce gc-stress failures locally. Original issue's description: > Revert of Replace all remaining Oddball checks with new function (patchset #10 id:180001 of https://codereview.chromium.org/2043183003/ ) > > Reason for revert: > failing tests > > Original issue's description: > > Replace all remaining Oddball checks with new function > > > > This CL removes the IsUndefined() and Co. methods from Object and HeapObject. > > The new method all take the isolate as parameter. > > > > BUG= > > > > Committed: https://crrev.com/ccefb3ae5fe967288d568013fb04e8761eafebc5 > > Cr-Commit-Position: refs/heads/master@{#36921} > > TBR=mstarzinger@chromium.org,verwaest@chromium.org,yangguo@chromium.org,ahaas@chromium.org > # Skipping CQ checks because original CL landed less than 1 days ago. > NOPRESUBMIT=true > NOTREECHECKS=true > NOTRY=true > BUG= > > Committed: https://crrev.com/33b8bc24a12fb062100c0be84456faeb0b9fa5d1 > Cr-Commit-Position: refs/heads/master@{#36923} TBR=mstarzinger@chromium.org,verwaest@chromium.org,yangguo@chromium.org,ahaas@chromium.org BUG= Review-Url: https://codereview.chromium.org/2059173002 Cr-Commit-Position: refs/heads/master@{#36957}
-
- 13 Jun, 2016 3 commits
-
-
cbruni authored
Revert of Replace all remaining Oddball checks with new function (patchset #10 id:180001 of https://codereview.chromium.org/2043183003/ ) Reason for revert: failing tests Original issue's description: > Replace all remaining Oddball checks with new function > > This CL removes the IsUndefined() and Co. methods from Object and HeapObject. > The new method all take the isolate as parameter. > > BUG= > > Committed: https://crrev.com/ccefb3ae5fe967288d568013fb04e8761eafebc5 > Cr-Commit-Position: refs/heads/master@{#36921} TBR=mstarzinger@chromium.org,verwaest@chromium.org,yangguo@chromium.org,ahaas@chromium.org # Skipping CQ checks because original CL landed less than 1 days ago. NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true BUG= Review-Url: https://codereview.chromium.org/2060213002 Cr-Commit-Position: refs/heads/master@{#36923}
-
cbruni authored
This CL removes the IsUndefined() and Co. methods from Object and HeapObject. The new method all take the isolate as parameter. BUG= Review-Url: https://codereview.chromium.org/2043183003 Cr-Commit-Position: refs/heads/master@{#36921}
-
mstarzinger authored
This fixes FastNewStrictArgumentsStub and FastNewRestParameterStub to no longer assume that the strict arguments object being allocated will fit into new-space. The case where said object needs to move to large object space is now handled in the runtime. R=bmeurer@chromium.org TEST=mjsunit/regress/regress-crbug-614727 BUG=chromium:614727 Review-Url: https://codereview.chromium.org/2054853002 Cr-Commit-Position: refs/heads/master@{#36917}
-
- 27 May, 2016 1 commit
-
-
mvstanton authored
We get less "pollution" of type feedback if we have one vector per native context, rather than one for the whole system. This CL moves the vector appropriately. BUG= Review-Url: https://codereview.chromium.org/1906823002 Cr-Commit-Position: refs/heads/master@{#36539}
-
- 11 May, 2016 1 commit
-
-
bmeurer authored
Make JSCreateArguments eliminatable, and remove the need for frame states on JSCreateArguments nodes being lowered to (optimized) stub calls. Only the runtime fallback needs a frame state, because in that case we need to ask the deoptimizer for arguments to inlined functions. R=jarin@chromium.org Review-Url: https://codereview.chromium.org/1965013005 Cr-Commit-Position: refs/heads/master@{#36154}
-
- 10 May, 2016 1 commit
-
-
bmeurer authored
This adds a new pass MemoryOptimizer that walks over the effect chain from Start and lowers all Allocate, LoadField, StoreField, LoadElement, and StoreElement nodes, trying to fold allocations into allocation groups and eliminate write barriers on StoreField and StoreElement if possible (i.e. if the object belongs to the current allocation group and that group allocates in new space). R=hpayer@chromium.org, jarin@chromium.org BUG=v8:4931, chromium:580959 LOG=n Review-Url: https://codereview.chromium.org/1963583004 Cr-Commit-Position: refs/heads/master@{#36128}
-
- 03 May, 2016 1 commit
-
-
jkummerow authored
Omitting the initializer will give zero-initialization which is equivalent to kNoWriteBarrier. Review-Url: https://codereview.chromium.org/1942293002 Cr-Commit-Position: refs/heads/master@{#35989}
-
- 14 Apr, 2016 1 commit
-
-
mstarzinger authored
This changes closure creation to lower to inline allocations when possible instead of going through the FastNewClosureStub. It allows us to leverage all advantages of inline allocations on closures. Note that it is only safe to embed the raw entry point of the compile lazy stub into the code, because that stub is immortal and immovable. R=mvstanton@chromium.org Review URL: https://codereview.chromium.org/1573153002 Cr-Commit-Position: refs/heads/master@{#35499}
-
- 19 Feb, 2016 2 commits
-
-
bmeurer authored
No need to limit JSCreate inlining to JS_OBJECT_TYPE, since we can handle everything that the FastNewObjectStub can deal with. Also we don't need to restrict the number of inobject properties, as that is already taken care of by the runtime anyways (limited by the initial slack for the constructor). And last but not least, we can of course inline allocations for subclasses as long as the new.target is a JSFunction and it's initial map's constructor points back to the target (same condition as for the FastNewObjectStub fast case). R=jarin@chromium.org BUG=v8:4493 LOG=n Review URL: https://codereview.chromium.org/1711883003 Cr-Commit-Position: refs/heads/master@{#34138}
-
bmeurer authored
Move the already existing fast case for %NewObject into a dedicated FastNewObjectStub that we can utilize in places where we would otherwise fallback to %NewObject immediately, which is rather expensive. Also use FastNewObjectStub as the generic implementation of JSCreate, which should make constructor inlining based on SharedFunctionInfo (w/o specializing to a concrete closure) viable soon. R=jarin@chromium.org Review URL: https://codereview.chromium.org/1708313002 Cr-Commit-Position: refs/heads/master@{#34136}
-
- 15 Feb, 2016 4 commits
-
-
bmeurer authored
Turn the fast case of ArgumentsAccessStub into a new stub FastNewSloppyArgumentsStub, which is similar to the existing FastNewStrictArgumentsStub, although not polished yet, and the slow case always went to the runtime anyway, so we can just directly emit a runtime call there. R=mstarzinger@chromium.org Committed: https://crrev.com/55b0b4f6d572531eec00ab6ebd8f6feb7c584e04 Cr-Commit-Position: refs/heads/master@{#33973} Review URL: https://codereview.chromium.org/1695633003 Cr-Commit-Position: refs/heads/master@{#33986}
-
machenbach authored
Revert of [runtime] Turn ArgumentAccessStub into FastNewSloppyArgumentsStub. (patchset #2 id:20001 of https://codereview.chromium.org/1695633003/ ) Reason for revert: [Sheriff] Breaks ASAN with mipsel compile: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20ASAN%20mipsel%20-%20debug%20builder/builds/4558/ Original issue's description: > [runtime] Turn ArgumentAccessStub into FastNewSloppyArgumentsStub. > > Turn the fast case of ArgumentsAccessStub into a new stub > FastNewSloppyArgumentsStub, which is similar to the existing > FastNewStrictArgumentsStub, although not polished yet, and the slow > case always went to the runtime anyway, so we can just directly emit > a runtime call there. > > R=mstarzinger@chromium.org > > Committed: https://crrev.com/55b0b4f6d572531eec00ab6ebd8f6feb7c584e04 > Cr-Commit-Position: refs/heads/master@{#33973} TBR=mstarzinger@chromium.org,jarin@chromium.org,bmeurer@chromium.org # Skipping CQ checks because original CL landed less than 1 days ago. NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true Review URL: https://codereview.chromium.org/1701653002 Cr-Commit-Position: refs/heads/master@{#33976}
-
bmeurer authored
Turn the fast case of ArgumentsAccessStub into a new stub FastNewSloppyArgumentsStub, which is similar to the existing FastNewStrictArgumentsStub, although not polished yet, and the slow case always went to the runtime anyway, so we can just directly emit a runtime call there. R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/1695633003 Cr-Commit-Position: refs/heads/master@{#33973}
-
bmeurer authored
This adds initial support for inline allocation of object and array literals to the JSCreateLowering pass. It's basically identical to what Crankshaft does. This also unstages the TurboFan escape analysis, as the lowering seems to trigger a bunch of bugs in it; those bugs will be fixed separately, and we will re-enable escape analysis afterwards. R=jarin@chromium.org Review URL: https://codereview.chromium.org/1698783002 Cr-Commit-Position: refs/heads/master@{#33972}
-
- 12 Feb, 2016 1 commit
-
-
bmeurer authored
The FastNewStrictArgumentsStub is very similar to the recently added FastNewRestParameterStub, it's actually almost a copy of it, except that it doesn't have the fast case we have for the empty rest parameter. This patch improves strict arguments in TurboFan and fullcodegen by up to 10x compared to the previous version. Also introduce proper JSSloppyArgumentsObject and JSStrictArgumentsObject for the in-object properties instead of having them as constants in the Heap class. Drive-by-fix: Use this stub and the FastNewRestParameterStub in the interpreter to avoid the runtime call overhead for strict arguments and rest parameter creation. R=jarin@chromium.org TBR=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/1693513002 Cr-Commit-Position: refs/heads/master@{#33925}
-
- 08 Feb, 2016 1 commit
-
-
bmeurer authored
This moves the JSCreate related functionality from JSTypedLowering into a dedicated JSCreateLowering reducer. This is in preparation of landing the support for optimized literals in TurboFan, which would blow up JSTypedLowering quite seriously otherwise. R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/1678833002 Cr-Commit-Position: refs/heads/master@{#33813}
-