1. 27 Nov, 2018 1 commit
  2. 08 Nov, 2018 1 commit
  3. 07 Nov, 2018 1 commit
    • [CloneObjectIC] clone MutableHeapNumbers instead of referencing them · bf84766a
      Caitlin Potter authored
      Adds a helper macro "CloneIfMutablePrimitive", which tests if the
      operand is a MutableHeapNumber, and if so, clones it, otherwise
      returning the original value.
      
      Also modifies the signature of "CopyPropertyArrayValues" to take a
      "DestroySource" enum, indicating whether or not the resulting object is
      supplanting the source object or not, and removes all default
      parameters from that macro (which were not used anyways).
      
      This corrects the issue reported in chromium:901301, where
      StaNamedOwnProperty was replacing the value of a MutableHeapNumber
      referenced by both the cloned object and the source object.
      
      BUG=chromium:901301, v8:7611
      R=cbruni@chromium.org, jkummerow@chromium.org
      
      Change-Id: I43df1ddc84dfa4840e680b6affeba452ce0b6629
      Reviewed-on: https://chromium-review.googlesource.com/c/1318096
      Commit-Queue: Caitlin Potter <caitp@igalia.com>
      Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
      Reviewed-by: Camillo Bruni <cbruni@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#57304}
  4. 11 Sep, 2018 1 commit
    • [CloneObjectIC] add CSA implementation of slow case · fbcf0221
      Caitlin Potter authored
      The CSA implementation is a separate handler so that TF has the
      opportunity to reduce to a direct call, skipping some of the dispatching
      in the CloneObjectIC stub.
      
      This patch moves the looping over a source object's keys and values into the
      base CodeStubAssembler, so that it can be shared between ObjectAssignFast
      and CloneObjectIC_Slow.
      
      During each step of the loop, storing is delegated to a new SetPropertyInLiteral
      helper in KeyedStoreGenericGenerator, which performs a store without consulting
      the prototype chain, and automatically reconfigures accessors into data
      properties regardless of their attributes.
      
      BUG=v8:8067, v8:7611
      R=ishell@chromium.org, jkummerow@chromium.org
      
      Change-Id: I06ae89f37e9b4265aab67389cf68a96529f90578
      Reviewed-on: https://chromium-review.googlesource.com/1182122
      Commit-Queue: Caitlin Potter <caitp@igalia.com>
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#55806}
  5. 04 Aug, 2018 1 commit
  6. 01 Aug, 2018 1 commit
  7. 31 Jul, 2018 2 commits
  8. 27 Jul, 2018 2 commits
  9. 25 Jul, 2018 1 commit
    • [runtime] fix ClusterFuzz regressions (and remaining nits) in CloneObject · d6efcbf0
      Caitlin Potter authored
      Includes fixes for several ClusterFuzz regressions:
      
      1) fix an invalid Handle-cast in ic.cc (chromium:866282)
      
      2) fix for improper accounting of used/unused inobject
      fields, found by clusterfuzz (chromium:866357).
      
      3) fix number of control outputs for the JSCloneObject
      operator to be used by IfSuccess and IfException nodes (chromium:866727).
      
      4) fix property constness in out-of-object properties of fast-cloned
      object to be compatible with DCHECKs in StoreIC (chromium:866861).
      
      Also includes the fixups missing from the initial commit, and
      regression tests
      
      BUG=v8:7611, chromium:866282, chromium:866357, chromium:866727, chromium:866861
      R=jkummerow@chromium.org, mvstanton@chromium.org
      TBR=rmcilroy@chromium.org
      
      Change-Id: I77220308482f16db2893c0dcebec36530d0f5540
      Reviewed-on: https://chromium-review.googlesource.com/1146297
      Commit-Queue: Caitlin Potter <caitp@igalia.com>
      Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
      Reviewed-by: Michael Stanton <mvstanton@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#54706}
  10. 20 Jul, 2018 1 commit
    • [runtime] use new CloneObject bytecode for some ObjectLiteralSpread cases · b6f7ea58
      Caitlin Potter authored
      As discussed in
      https://docs.google.com/document/d/1sBdGe8RHgeYP850cKSSgGABTyfMdvaEWLy-vertuTCo/edit?ts=5b3ba5cc#,
      
      this CL introduces a new bytecode (CloneObject), and a new IC type.
      
      In this prototype implementation, the type feedback looks like the
      following:
      
      Uninitialized case:
        { uninitialized_sentinel, uninitialized_sentinel }
      Monomorphic case:
        { weak 'source' map, strong 'result' map }
      Polymorphic case:
        { WeakFixedArray with { weak 'source' map, strong 'result' map }, cleared value }
      Megamorphic case:
        { megamorphic_sentinel, cleared_Value }
      
      In the fast case, Object cloning is done by allocating an object with
      the saved result map, and a shallow clone of the fast properties from
      the source object, as well as cloned fast elements from the source object.
      If at any point the fast case can't be taken, the IC transitions to the
      slow case and remains there.
      
      This prototype CL does not include any TurboFan optimization, and the
      CloneObject operation is merely reduced to a stub call.
      
      It may still be possible to get some further improvements by somehow
      incorporating compile-time boilerplate elements into the cloned object,
      or simplifying how the boilerplate elements are inserted into the
      object.
      
      In terms of performance, we improve the ObjectSpread score in JSTests/ObjectLiteralSpread/
      by about 8x, with substantial improvements over the Babel and ObjectAssign scores.
      
      R=gsathya@chromium.org, mvstanton@chromium.org, rmcilroy@chromium.org, neis@chromium.org, bmeurer@chromium.org
      BUG=v8:7611
      
      Change-Id: I79e1796eb77016fb4feba0e1d3bb9abb348c183e
      Reviewed-on: https://chromium-review.googlesource.com/1127472
      Commit-Queue: Caitlin Potter <caitp@igalia.com>
      Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
      Reviewed-by: Michael Stanton <mvstanton@chromium.org>
      Reviewed-by: Georg Neis <neis@chromium.org>
      Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#54595}
  11. 20 Feb, 2018 1 commit
  12. 28 Nov, 2017 1 commit
  13. 17 Nov, 2017 1 commit
  14. 25 Oct, 2017 1 commit