1. 27 Apr, 2020 1 commit
  2. 20 Apr, 2020 1 commit
    • Georg Neis's avatar
      [turbofan] Harden type-based elimination of MaybeGrowFastElements · c85aa830
      Georg Neis authored
      ... against potential typer bugs. Instead of simply eliminating the
      operation, insert an aborting bounds check instead.
      
      Also move this transformation out of SimplifiedLowering, which is
      already complex enough without doing these kinds of optimizations.
      Unfortunately this will result in some missed optimization opportunities
      because we may have more precise types during SimplifiedLowering. Let's
      see if this makes a visible performance difference.
      
      Change-Id: I9c16ad33104c29fdba39bf729d69ee03fc9797d6
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2129633
      Commit-Queue: Georg Neis <neis@chromium.org>
      Reviewed-by: 's avatarTobias Tebbi <tebbi@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67222}
      c85aa830
  3. 24 May, 2019 1 commit
  4. 02 Jan, 2019 1 commit
  5. 22 Nov, 2018 1 commit
    • Sigurd Schneider's avatar
      [turbofan] Make typed optimization more powerful · 9b0e4e13
      Sigurd Schneider authored
      This CL moves optimization capabilities from typed lowering to typed
      optimization. In particular, this allows retyping of Speculative to
      number optimizations depending on their input types. This can save type
      checks if we know that inputs are already in SafeIntegerRange and uses
      are truncating to 32bit integers.
      
      This change recovers the performance lost to 31bit Smis on
      Octane/crypto on x64:
      32bit nosmis           avg 30,984.84 stddev 180.52
      31bit smis (w/o patch) avg 29,438.52 stddev 120.30  -4.99%
      31bit smis             avg 31,274.52 stddev 176.26  +0.93%  +6.24%
      
      Change-Id: I86d6e37305262336f4f7bd46aac0d2cbca11e8c1
      Bug: v8:8344
      Reviewed-on: https://chromium-review.googlesource.com/c/1323729
      Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
      Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#57717}
      9b0e4e13
  6. 18 Oct, 2018 1 commit
  7. 15 Oct, 2018 1 commit
  8. 17 Sep, 2018 2 commits
  9. 07 Sep, 2018 1 commit
    • Benedikt Meurer's avatar
      [turbofan] Introduce a pure StringConcat operator. · e56b6d24
      Benedikt Meurer authored
      This replaces the previous CheckStringAdd operator which deopts in case
      the combined length overflows with a dedicated pure StringConcat operator.
      This operator is similar to NewConsString in that it takes the resulting
      length plus the two input strings. The operator relies on the length
      being checked explicitly by the surrounding code instead of baking the
      check into the operator itself. This way TurboFan can eliminate
      redundant/unnecessary StringConcat operations, since they are pure now.
      
      This also unifies the treatment of string addition in JSTypedLowering,
      and generalizes the StringLength constant-folding to apply to more cases
      not just the JSAdd cases inside JSTypedLowering.
      
      Bug: v8:7902, v8:8015
      Change-Id: I987ec39815a9464fd5fd9c4f7b26b709f94f2b3f
      Reviewed-on: https://chromium-review.googlesource.com/1213205Reviewed-by: 's avatarMaya Lekova <mslekova@chromium.org>
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#55725}
      e56b6d24
  10. 23 Jul, 2018 1 commit
  11. 09 Jul, 2018 1 commit
  12. 06 Jul, 2018 1 commit
  13. 07 Jun, 2018 1 commit
  14. 28 Apr, 2018 1 commit
  15. 23 Mar, 2018 1 commit
  16. 22 Mar, 2018 1 commit
  17. 16 Mar, 2018 1 commit
    • Benedikt Meurer's avatar
      [turbofan] Remove unsound SeqString types. · 36426ab7
      Benedikt Meurer authored
      A value of type OtherSeqString can change its type to OtherNonSeqString
      via inplace internalization (and redirection via a ThinString). This can
      lead to out of bounds memory accesses and generally correctness bugs, as
      seen with crbug.com/822284.
      
      This change might affect performance in some cases, and we'll need to
      evaluate whether it's worth spending cycles on adding another mechanism
      that leverages the sequential string information in a safe way on a case
      by case basis.
      
      Bug: chromium:822284
      Change-Id: I0de77ec089a774236555f38c365f7548f454edfe
      Reviewed-on: https://chromium-review.googlesource.com/966021Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#51975}
      36426ab7
  18. 13 Mar, 2018 1 commit
  19. 27 Oct, 2017 2 commits
    • Benedikt Meurer's avatar
      [turbofan] Introduce SameValue operator. · c78a98bb
      Benedikt Meurer authored
      We now represent the SameValue operation explicitly in TurboFan and the
      operation can thus participate in all kinds of optimizations. Especially
      we get rid of the JSCall node in the general case, which blocks several
      optimizations across the call. The general, baseline performance is now
      always on par with StrictEqual.
      
      Once the StrictEqual operator is also a simplified operator, we should
      start unifying the type based optimizations in SimplifiedLowering.
      
      In the micro-benchmark we go from
      
        testStrictEqual: 1422 ms.
        testObjectIs: 1520 ms.
        testManualSameValue: 1759 ms.
      
      to
      
        testStrictEqual: 1426 ms.
        testObjectIs: 1357 ms.
        testManualSameValue: 1766 ms.
      
      which gives the expected result.
      
      Bug: v8:7007
      Change-Id: I0de3ff6ff6209ab4c3edb69de6a16e387295a9c8
      Reviewed-on: https://chromium-review.googlesource.com/741228Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#48994}
      c78a98bb
    • Jaroslav Sevcik's avatar
      [turbofan] Make ConvertReceiver a simplified operator. · 70b1f15e
      Jaroslav Sevcik authored
      This enables proper wiring into ithe control flow chain.
      
      Bug: v8:7002,chromium:777574
      Change-Id: Idba59944ff6ab3c10c204bb74ace61d812e6297c
      Reviewed-on: https://chromium-review.googlesource.com/738183Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
      Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#48990}
      70b1f15e
  20. 20 Oct, 2017 1 commit
    • Benedikt Meurer's avatar
      [ic] Ensure that we make progress on KeyedLoadIC polymorphic name. · d5c19aa9
      Benedikt Meurer authored
      In the special case of KeyedLoadIC, where the key that is passed in is a
      Name that is always the same we only checked for identity in both the
      stub and the TurboFan case, which works fine for symbols and internalized
      strings, but doesn't really work with non-internalized strings, where
      the identity check will fail, the runtime will internalize the string,
      and the IC will then see the original internalized string again and not
      progress in the feedback lattice. This leads to tricky deoptimization
      loops in TurboFan and constantly missing ICs.
      
      This adds fixes the stub to always try to internalize strings first
      when the identity check fails and then doing the check again. If the
      name is not found in the string table we miss, since in that case the
      string cannot match the previously recorded feedback name (which is
      always a unique name).
      
      In TurboFan we represent this checks with new CheckEqualsSymbol and
      CheckEqualsInternalizedString operators, which validate the previously
      recorded feedback, and the CheckEqualsInternalizedString operator does
      the attempt to internalize the input.
      
      Bug: v8:6936, v8:6948, v8:6969
      Change-Id: I3f3b4a587c67f00f7c4b60d239eb98a9626fe04a
      Reviewed-on: https://chromium-review.googlesource.com/730224Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
      Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#48784}
      d5c19aa9
  21. 19 Oct, 2017 1 commit
    • Mike Stanton's avatar
      [Turbofan] Model JSToBoolean as a simplified operator · 78fc6668
      Mike Stanton authored
      Because the toboolean operator may lower to a builtin call (which is
      effectful in turbofan parlance after effect control linearization),
      it really should be encoded as a simplified operator, which can
      be optimized with respect for the effect chain in linearization.
      
      No new functionality here, rather a furniture rearrangement in
      the TurboFan node structure.
      
      Bug: v8:6929
      Change-Id: I371fd22941397d5c28d13bded2738161d8da8275
      Reviewed-on: https://chromium-review.googlesource.com/725721Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Commit-Queue: Michael Stanton <mvstanton@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#48727}
      78fc6668
  22. 16 Oct, 2017 1 commit
    • Mike Stanton's avatar
      [TurboFan] Model TypeOf as a simplified operator · 9b2a8c22
      Mike Stanton authored
      Because the typeof operator may lower to a builtin call (which is
      effectful in turbofan parlance after effect control linearization),
      it really should be encoded as a simplified operator, which can
      be optimized with respect for the effect chain in linearization.
      
      No new functionality here, rather a furniture rearrangement in
      the TurboFan node structure.
      
      BUG=v8:6929
      
      Change-Id: I38593e10956ebd57cecdd606c35f3f73efb1327e
      Reviewed-on: https://chromium-review.googlesource.com/718745Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Commit-Queue: Michael Stanton <mvstanton@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#48613}
      9b2a8c22
  23. 10 Aug, 2017 1 commit
  24. 19 Jul, 2017 1 commit
  25. 11 Jul, 2017 1 commit
    • Alexandre Talon's avatar
      [Turbofan] Enable reducers to report their name to make reducer tracing clearer · 7a75da34
      Alexandre Talon authored
      Each reducer now has a virtual reducer_name function, returning its name
      (the name of the class containing this reducer). This gets displayed when
      using the --trace_turbo_reduction flag. Also when using this flags more
      messages are displayed.
      
      Actually when a node is replaced in-place (which is called an update
      of the node), other reducers can still update it right after the
      in-place replacement. When a node is really replaced (not in-place),
      then we stop trying to apply reducers to it before we propagate the
      reduction through the relevant nodes.
      
      Before a message got printed only for the last reduction it went
      through. So in case a node was reduced in-place several times
      in a row, only the last update was printed, or none at all if after
      being reduced in-place it got reduced by being replaced by another
      node: only the non-in-place replacement was showed. 
      
      Now each time an in-place reduction is applied to a node, a message
      gets printed.
      
      Bug: 
      Change-Id: Id0f816fecd44c01d0253966c6decc4861be0c2fa
      Reviewed-on: https://chromium-review.googlesource.com/563365Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
      Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
      Commit-Queue: Alexandre Talon <alexandret@google.com>
      Cr-Commit-Position: refs/heads/master@{#46552}
      7a75da34
  26. 08 Jun, 2017 2 commits
  27. 06 Jun, 2017 1 commit
  28. 29 May, 2017 1 commit
  29. 12 Apr, 2017 1 commit
    • bmeurer's avatar
      [turbofan] Properly represent the float64 hole. · 8c0c5e81
      bmeurer authored
      The hole NaN should also have proper Type::Hole, and not silently hide
      in the Type::Number. This way we can remove all the special casing for
      the hole NaN, and we also finally get the CheckNumber right.
      
      This also allows us to remove some ducktape from the Deoptimizer, as for
      escape analyzed FixedDoubleArrays we always pass the hole value now to
      represent the actual holes.
      
      Also-By: jarin@chromium.org
      BUG=chromium:684208,chromium:709753,v8:5267
      R=jarin@chromium.org
      
      Review-Url: https://codereview.chromium.org/2814013003
      Cr-Commit-Position: refs/heads/master@{#44603}
      8c0c5e81
  30. 07 Apr, 2017 1 commit
    • bmeurer's avatar
      [turbofan] Introduce a SpeculativeToNumber operator. · e6ca0146
      bmeurer authored
      Add a dedicated operator for ToNumber(x) with feedback instead of
      translating to SpeculativeNumberMultiply(x,1), which allows us to
      treat the case where x is already a Number specially, ignoring the
      feedback on the operator. This recovers most of the regression in
      the crypto benchmark.
      
      BUG=chromium:709398,v8:6214,v8:5267
      R=jarin@chromium.org
      
      Review-Url: https://codereview.chromium.org/2802113003
      Cr-Commit-Position: refs/heads/master@{#44484}
      e6ca0146
  31. 30 Jan, 2017 1 commit
  32. 04 Jan, 2017 1 commit
    • bmeurer's avatar
      [turbofan] Recognize and optimize flooring integer division. · 2a60fd49
      bmeurer authored
      Recognize the special
      
        NumberFloor(NumberDivide(lhs, rhs))
      
      subgraph in TypedOptimization, where both lhs and rhs are in the
      Unsigned32 range, and the result is a PlainNumber, and replace the
      NumberFloor with a NumberToUint32 truncation.
      
      This could be done in a cleaner way if we have a dedicated type for all
      double values in the Unsigned32 range, but that would complicate the
      type system quite a bit.
      
      R=jarin@chromium.org
      BUG=v8:5267
      
      Review-Url: https://codereview.chromium.org/2614663002
      Cr-Commit-Position: refs/heads/master@{#42063}
      2a60fd49
  33. 09 Nov, 2016 1 commit
  34. 17 Oct, 2016 2 commits
  35. 29 Aug, 2016 1 commit
    • bmeurer's avatar
      [turbofan] Remove the unused asm.js types from TypeCache. · f5a37d13
      bmeurer authored
      For asm.js we now have a dedicated AsmTyper, that uses it's own type
      system (which is tailored towards asm.js), and so we don't need the
      special asm.js types anymore in the TypeCache. This also moves the
      TypeCache into the src/compiler directory, because it doesn't make
      sense to use outside anyways.
      
      TBR=ahaas@chromium.org
      R=jarin@chromium.org
      BUG=v8:5267
      
      Review-Url: https://codereview.chromium.org/2289573002
      Cr-Commit-Position: refs/heads/master@{#38964}
      f5a37d13
  36. 26 Aug, 2016 1 commit
    • bmeurer's avatar
      [turbofan] Separate typed optimizations from JSTypedLowering. · f154c75a
      bmeurer authored
      Introduce a new TypedOptimization reducer that contains the type
      based optimization reduction steps, which are not (directly)
      related to lowering JavaScript operators based on types (which is
      what JSTypedLowering is supposed to do).
      
      This also addresses a chicken-and-egg problem that we see in the
      Octane/Mandreel benchmark where type based constant folding isn't
      applied to the numeric comparison operators introduced by the
      JSTypedLowering itself, and thus gives up to 10% speedup for the
      benchmark.
      
      BUG=v8:5267
      
      Review-Url: https://codereview.chromium.org/2280673003
      Cr-Commit-Position: refs/heads/master@{#38928}
      f154c75a