Skip to content

V
V8
Switch branch/tag
  1. 04 May, 2021 1 commit
  3. 03 May, 2021 3 commits
  5. 10 Jul, 2020 1 commit
  7. 29 Apr, 2020 1 commit
  9. 18 Mar, 2020 1 commit
  11. 12 Mar, 2020 1 commit
  13. 11 Mar, 2020 1 commit
  15. 05 Jul, 2019 1 commit
  17. 24 May, 2019 1 commit
  19. 23 May, 2019 3 commits
  21. 15 May, 2019 1 commit
  23. 18 Apr, 2019 1 commit
  25. 29 Mar, 2019 1 commit
  27. 19 Mar, 2019 1 commit
    • Benedikt Meurer's avatar
      [turbofan] Significantly improve ConsString creation performance. · d6a60a0e
      Benedikt Meurer authored 
      This change significantly improves the performance of string
concatenation in optimized code for the case where the resulting string
is represented as a ConsString. On the relevant test cases we go from

  serializeNaive: 10762 ms.
  serializeClever: 7813 ms.
  serializeConcat: 10271 ms.

to

  serializeNaive: 10278 ms.
  serializeClever: 5533 ms.
  serializeConcat: 10310 ms.

which represents a 30% improvement on the "clever" benchmark, which
tests specifically the ConsString creation performance.

This was accomplished via a couple of different steps, which are briefly
outlined here:

  1. The empty_string gets its own map, so that we can easily recognize
     and handle it appropriately in the TurboFan type system. This
     allows us to express (and assert) that the inputs to NewConsString
     are non-empty strings, making sure that TurboFan no longer creates
     "crippled ConsStrings" with empty left or right hand sides.
  2. Further split the existing String types in TurboFan to be able to
     distinguish between OneByte and TwoByte strings on the type system
     level. This allows us to avoid having to dynamically lookup the
     resulting ConsString map in case of ConsString creation (i.e. when
     we know that both input strings are OneByte strings or at least
     one of the input strings is TwoByte).
  3. We also introduced more finegrained feedback for the Add bytecode
     in the interpreter, having it collect feedback about ConsStrings,
     specifically ConsOneByteString and ConsTwoByteString. This feedback
     can be used by TurboFan to only inline the relevant code for what
     was seen so far. This allows us to remove the Octane/Splay specific
     magic in JSTypedLowering to detect ConsString creation, and instead
     purely rely on the feedback of what was seen so far (also making it
     possible to change the semantics of NewConsString to be a low-level
     operator, which is only introduced in SimplifiedLowering by looking
     at the input types of StringConcat).
  4. On top of the before mentioned type and interpreter changes we added
     new operators CheckNonEmptyString, CheckNonEmptyOneByteString, and
     CheckNonEmptyTwoByteString, which perform the appropriate (dynamic)
     checks.

There are several more improvements that are possible based on this, but
since the change was already quite big, we decided not to put everything
into the first change, but do some follow up tweaks to the type system,
and builtin optimizations later.

Tbr: mstarzinger@chromium.org
Bug: v8:8834, v8:8931, v8:8939, v8:8951
Change-Id: Ia24e17c6048bf2b04df966d3cd441f0edda05c93
Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Doc: https://bit.ly/fast-string-concatenation-in-javascript
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1499497
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: 's avatarYang Guo <yangguo@chromium.org>
Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Reviewed-by: 's avatarMythri Alle <mythria@chromium.org>
Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60318}
      d6a60a0e
  29. 11 Dec, 2018 1 commit
  31. 24 Oct, 2018 2 commits
    • Benedikt Meurer's avatar
      [turbofan] ReceiverOrNullOrUndefined feedback for JSEqual. · f19c4a59
      Benedikt Meurer authored 
      This changes the ReceiverOrOddball feedback on JSStrictEqual to
ReceiverOrNullOrUndefined feedback, which can also safely be
consumed by JSEqual (we cannot generally accept any oddball here
since booleans trigger implicit conversions, unfortunately).
Thus we replace the previously introduced CheckReceiverOrOddball
with CheckReceiverOrNullOrUndefined, and drop CheckOddball, since
we will no longer collect Oddball feedback separately.

TurboFan will then turn a JSEqual[ReceiverOrNullOrUndefined] into
a sequence like this:

```
left = CheckReceiverOrNullOrUndefined(left);
right = CheckReceiverOrNullOrUndefined(right);
result = if ObjectIsUndetectable(left) then
           ObjectIsUndetectable(right)
         else
           ReferenceEqual(left, right);
```

This significantly improves the peak performance of abstract equality
with Receiver, Null or Undefined inputs. On the test case outlined in
http://crbug.com/v8/8356 we go from

  naive: 2946 ms.
  tenary: 2134 ms.

to

  naive: 2230 ms.
  tenary: 2250 ms.

which corresponds to a 25% improvement on the abstract equality case.
For regular code this will probably yield more performance, since we
get rid of the JSEqual operator, which might have arbitrary side
effects and thus blocks all kinds of TurboFan optimizations. The
JSStrictEqual case is slightly slower now, since it has to rule out
booleans as well (even though that's not strictly necessary, but
consistency is key here).

This way developers can safely use `a == b` instead of doing a dance
like `a == null ? b == null : a === b` (which is what dart2js does
right now) when both `a` and `b` are known to be Receiver, Null or
Undefined. The abstract equality is not only faster to parse than
the tenary, but also generates a shorter bytecode sequence. In the
test case referenced in http://crbug.com/v8/8356 the bytecode for
`naive` is

```
StackCheck
Ldar a1
TestEqual a0, [0]
JumpIfFalse [5]
LdaSmi [1]
Return
LdaSmi [2]
Return
```

which is 14 bytes, whereas the `tenary` function generates

```
StackCheck
Ldar a0
TestUndetectable
JumpIfFalse [7]
Ldar a1
TestUndetectable
Jump [7]
Ldar a1
TestEqualStrict a0, [0]
JumpIfToBooleanFalse [5]
LdaSmi [1]
Return
LdaSmi [2]
Return
```

which is 24 bytes. So the `naive` version is 40% smaller and requires
fewer bytecode dispatches.

Bug: chromium:898455, v8:8356
Change-Id: If3961b2518b4438700706b3bd6071d546305e233
Reviewed-on: https://chromium-review.googlesource.com/c/1297315Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56948}
      f19c4a59
    • Benedikt Meurer's avatar
      [turbofan] Collect and consume (ReceiverOr)Oddball feedback for StrictEqual. · 8f00d61d
      Benedikt Meurer authored 
      This CL introduces proper Oddball and ReceiverOrOddball states for the
CompareOperationFeedback, and updates the StrictEqual IC to collect this
feedback as well. Previously it would not collect Oddball feedback, not
even in the sense of NumberOrOddball, since that's not usable for the
SpeculativeNumberEqual.

The new feedback is handled via newly introduced CheckReceiverOrOddball
and CheckOddball operators in TurboFan, introduced by JSTypedLowering.
Just like with the Receiver feedback, it's enough to check one side and
do a ReferenceEqual afterwards, since strict equal can only yield true
if both sides refer to the same instance.

This improves the benchmark mentioned in http://crbug.com/v8/8356 from

  naive: 2950 ms.
  tenary: 2456 ms.

to around

  naive: 2996 ms.
  tenary: 2192 ms.

which corresponds to a roughly 10% improvement in the case for the
tenary pattern, which is currently used by dart2js. In real world
scenarios this will probably help even more, since TurboFan is able
to optimize across the strict equality, i.e. there's no longer a stub
call forcibly spilling all registers that are live across the call.

This new feedback will be used as a basis for the JSEqual support for
ReceiverOrOddball, which will allow dart2js switching to the shorter
a==b form, at the same peak performance.

Bug: v8:8356
Change-Id: Iafbf5d64fcc9312f9e575b54c32c631ce9b572b2
Reviewed-on: https://chromium-review.googlesource.com/c/1297309Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56925}
      8f00d61d
  33. 15 Oct, 2018 1 commit
  35. 18 Sep, 2018 1 commit
    • Georg Neis's avatar
      [turbofan] Get rid of HeapObjectType-related heap reads. · 253c2469
      Georg Neis authored 
      This removes the last unconditional read accesses to the heap, but
required a significant refactoring.

- Remove HeapObjectRef::type().
- Change HeapObjectData::Is* testers to look at the instance type
  in HeapObjectData::map().

- Remove ObjectRef::oddball_type()
- Add MapRef::oddball_type()
- Add MapRef::is_undetectable().
- Add MapRef::is_callable().

- Remove JSHeapBroker::HeapObjectTypeFromMap()
- Remove Type::For(JSHeapBroker*, Handle<Map>)
- Add BitsetType::Lub(MapRef).
- Add Type::For(MapRef).
- Add Type::For(HeapObjectType).

- Add HeapObjectRef::GetHeapObjectType(). THIS IS TEMPORARY.

As the last item suggests, I couldn't actually remove the
HeapObjectType class yet. See the explanation in the code.

Bug: v8:7790
Change-Id: I508e4bd5337277b0050f2204392fc36f41032fe9
Reviewed-on: https://chromium-review.googlesource.com/1228033Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Reviewed-by: 's avatarMaya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55994}
      253c2469
  37. 03 Sep, 2018 1 commit
    • Benedikt Meurer's avatar
      [turbofan] Improve typing of ToNumeric and ToNumber. · b8981122
      Benedikt Meurer authored 
      The previous typing rules for ToNumeric and ToNumber didn't match on the
NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric
nodes into ToNumber nodes, and generally lead to worse typings in the
graph, and thus worse code generation. This change improves the existing
typing rules and turns ToNumber into a chokepoint again.

Bug: chromium:879898, v8:8015
Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4
Reviewed-on: https://chromium-review.googlesource.com/1201522Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55595}
      b8981122
  39. 31 Aug, 2018 1 commit
  41. 23 Jul, 2018 1 commit
  43. 18 Jul, 2018 1 commit
  45. 17 Jul, 2018 1 commit
  47. 18 Jun, 2018 1 commit
  49. 14 Jun, 2018 1 commit
  51. 12 Jun, 2018 1 commit
  53. 07 Jun, 2018 2 commits
  55. 28 May, 2018 1 commit
  57. 25 May, 2018 1 commit
  59. 30 Apr, 2018 1 commit
  61. 28 Apr, 2018 1 commit
  63. 25 Apr, 2018 1 commit
  65. 19 Mar, 2018 1 commit
  67. 16 Mar, 2018 1 commit
    • Benedikt Meurer's avatar
      [turbofan] Remove unsound SeqString types. · 36426ab7
      Benedikt Meurer authored 
      A value of type OtherSeqString can change its type to OtherNonSeqString
via inplace internalization (and redirection via a ThinString). This can
lead to out of bounds memory accesses and generally correctness bugs, as
seen with crbug.com/822284.

This change might affect performance in some cases, and we'll need to
evaluate whether it's worth spending cycles on adding another mechanism
that leverages the sequential string information in a safe way on a case
by case basis.

Bug: chromium:822284
Change-Id: I0de77ec089a774236555f38c365f7548f454edfe
Reviewed-on: https://chromium-review.googlesource.com/966021Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51975}
      36426ab7