1. 11 Mar, 2019 1 commit
  2. 17 Sep, 2018 1 commit
  3. 15 Jun, 2018 1 commit
  4. 30 Apr, 2018 1 commit
    • Jaroslav Sevcik's avatar
      Replace array index masking with the poisoning approach. · f53dfd93
      Jaroslav Sevcik authored
      The idea is to mark all the branches and loads participating in array
      bounds checks, and let them contribute-to/use the poisoning register.
      In the code, the marks for array indexing operations now contain
      "Critical" in their name. By default (--untrusted-code-mitigations),
      we only instrument the "critical" operations with poisoning.
      
      With that in place, we also remove the array masking approach based
      on arithmetic.
      
      Since we do not propagate the poison through function calls,
      we introduce a node for poisoning an index that is passed through
      function call - the typical example is the bounds-checked index
      that is passed to the CharCodeAt builtin.
      
      Most of the code in this CL is threads through the three levels of
      protection (safe, critical, unsafe) for loads, branches and flags.
      
      Bug: chromium:798964
      
      Change-Id: Ief68e2329528277b3ba9156115b2a6dcc540d52b
      Reviewed-on: https://chromium-review.googlesource.com/995413
      Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
      Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#52883}
      f53dfd93
  5. 27 Feb, 2018 1 commit
  6. 02 Feb, 2018 1 commit
  7. 31 Jan, 2018 1 commit
  8. 23 Jan, 2018 1 commit
  9. 11 Dec, 2017 1 commit
  10. 16 Nov, 2017 1 commit
    • Tobias Tebbi's avatar
      Reland^6 "[turbofan] eagerly prune None types and deadness from the graph" · 19ac10e5
      Tobias Tebbi authored
      Reland of https://chromium-review.googlesource.com/c/v8/v8/+/727893
      The crashes should be fixed by https://chromium-review.googlesource.com/c/v8/v8/+/763531
      
      Original change's description:
      > Revert "Reland^5 "[turbofan] eagerly prune None types and deadness from the graph""
      > 
      > This reverts commit ac0661b3.
      > 
      > Reason for revert: Clusterfuzz unhappy: chromium:783019 chromium:783035
      > 
      > Original change's description:
      > > Reland^5 "[turbofan] eagerly prune None types and deadness from the graph"
      > >
      > > This gives up on earlier attempts to interpret DeadValue as a signal of
      > > unreachable code. This does not work because free-floating dead value
      > > nodes, and even pure branch nodes that use them, can get scheduled so
      > > early that they get reachable. Instead, we now eagerly remove branches
      > > that use DeadValue in DeadCodeElimination and replace DeadValue inputs
      > > to value phi nodes with dummy values.
      > >
      > > Reland of https://chromium-review.googlesource.com/715716
      > >
      > > Bug: chromium:741225 chromium:776256
      > > Change-Id: I251efd507c967d4a8882ad8fd2fd96c4185781fe
      > > Reviewed-on: https://chromium-review.googlesource.com/727893
      > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > > Cr-Commit-Position: refs/heads/master@{#49188}
      > 
      > TBR=jarin@chromium.org,tebbi@chromium.org
      > 
      > Bug: chromium:741225 chromium:776256 chromium:783019 chromium:783035
      > Change-Id: I6a8fa3a08ce2824a858ae01817688e63ed1f442e
      > Reviewed-on: https://chromium-review.googlesource.com/758770
      > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
      > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#49262}
      
      TBR=jarin@chromium.org,tebbi@chromium.org
      
      # Not skipping CQ checks because original CL landed > 1 day ago.
      
      Bug: chromium:741225 chromium:776256 chromium:783019 chromium:783035
      Change-Id: I6c02b4beb02997ec34015ed2f6791a93c70f5e36
      Reviewed-on: https://chromium-review.googlesource.com/772150
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Reviewed-by: 's avatarTobias Tebbi <tebbi@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#49429}
      19ac10e5
  11. 09 Nov, 2017 1 commit
    • Tobias Tebbi's avatar
      Revert "Reland^5 "[turbofan] eagerly prune None types and deadness from the graph"" · c899637d
      Tobias Tebbi authored
      This reverts commit ac0661b3.
      
      Reason for revert: Clusterfuzz unhappy: chromium:783019 chromium:783035
      
      Original change's description:
      > Reland^5 "[turbofan] eagerly prune None types and deadness from the graph"
      >
      > This gives up on earlier attempts to interpret DeadValue as a signal of
      > unreachable code. This does not work because free-floating dead value
      > nodes, and even pure branch nodes that use them, can get scheduled so
      > early that they get reachable. Instead, we now eagerly remove branches
      > that use DeadValue in DeadCodeElimination and replace DeadValue inputs
      > to value phi nodes with dummy values.
      >
      > Reland of https://chromium-review.googlesource.com/715716
      >
      > Bug: chromium:741225 chromium:776256
      > Change-Id: I251efd507c967d4a8882ad8fd2fd96c4185781fe
      > Reviewed-on: https://chromium-review.googlesource.com/727893
      > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#49188}
      
      TBR=jarin@chromium.org,tebbi@chromium.org
      
      Bug: chromium:741225 chromium:776256 chromium:783019 chromium:783035
      Change-Id: I6a8fa3a08ce2824a858ae01817688e63ed1f442e
      Reviewed-on: https://chromium-review.googlesource.com/758770Reviewed-by: 's avatarTobias Tebbi <tebbi@chromium.org>
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#49262}
      c899637d
  12. 07 Nov, 2017 1 commit
  13. 19 Oct, 2017 1 commit
    • Tobias Tebbi's avatar
      Revert "Reland^4 "[turbofan] eagerly prune None types and deadness from the graph"" · 2bf01995
      Tobias Tebbi authored
      This revert is manual, but almost completely automatic. 
      It was just blocked by a single-line irrelevant refactoring change.
      This reverts commit 1cee0e01.
      
      Reason for revert: chromium:776256
      
      Original change's description:
      > Reland^4 "[turbofan] eagerly prune None types and deadness from the graph"
      >
      > This fixes https://bugs.chromium.org/p/chromium/issues/detail?id=773954.
      > The issue was that in the EffectControlLinearizer, the effect input of an
      > {Unreachable} node was not updated, leaving a {Checkpoint} behind.
      >
      > This is a reland of 4cf47645
      > Original change's description:
      > > Reland^3 "[turbofan] eagerly prune None types and deadness from the graph"
      > >
      > > This fixes the issues
      > > https://bugs.chromium.org/p/chromium/issues/detail?id=772873
      > > and https://bugs.chromium.org/p/chromium/issues/detail?id=772872.
      > >
      > > One problem was that mutating an effect node into Unreachable confused
      > > the LoadElimination sidetables, so I just always create a new node now.
      > >
      > > The other problem was that UpdateBlockControl() was executed after
      > > UpdateEffectPhi() in the lazy case. This reverted the update to the Merge input.
      > > So now I make sure that UpdateEffectPhi() is always executed last.
      > >
      > > This is a reland of 6ddb5e7d
      > > Original change's description:
      > > > Reland^2 "[turbofan] eagerly prune None types and deadness from the graph"
      > > >
      > > > Now, the EffectControlLinearizer connects all occurrences of Unreachable to the
      > > > graph end. This fixes issues with later phases running DeadCodeElimination and
      > > > introducing new DeadValue nodes when processing uses of Unreachable.
      > > >
      > > > This is a reland of 3c4bc27f
      > > > Original change's description:
      > > > > Reland "[turbofan] eagerly prune None types and deadness from the graph"
      > > > >
      > > > > This is a reland of e1cdda25
      > > > > Original change's description:
      > > > > > [turbofan] eagerly prune None types and deadness from the graph
      > > > > >
      > > > > > In addition to using the {Dead} node to prune dead control nodes and nodes that
      > > > > > depend on them, we introduce a {DeadValue} node representing an impossible value
      > > > > > that can occur at any position in the graph. The extended {DeadCodeElimination}
      > > > > > prunes {DeadValue} and its uses, inserting a crashing {Unreachable} node into
      > > > > > the effect chain when possible. The remaining uses of {DeadValue} are handled
      > > > > > in {EffectControlLinearizer}, where we always have access to the effect chain.
      > > > > > In addition to explicitly introduced {DeadValue} nodes, we consider any value use
      > > > > > of a node with type {None} as dead.
      > > > > >
      > > > > > Bug: chromium:741225
      > > > > > Change-Id: Icc4b636d1d018c452ba1a2fa7cd3e00e522f1655
      > > > > > Reviewed-on: https://chromium-review.googlesource.com/641250
      > > > > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > > > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > > > > > Cr-Commit-Position: refs/heads/master@{#48208}
      > > > >
      > > > > Bug: chromium:741225
      > > > > Change-Id: I21316913dae02864f7a6d7c9269405a79f054138
      > > > > Reviewed-on: https://chromium-review.googlesource.com/692034
      > > > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > > > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > > > Cr-Commit-Position: refs/heads/master@{#48232}
      > > >
      > > > Bug: chromium:741225
      > > > Change-Id: I5702ec34856c075717162153adc765774453c45f
      > > > Reviewed-on: https://chromium-review.googlesource.com/702264
      > > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > > Cr-Commit-Position: refs/heads/master@{#48366}
      > >
      > > Bug: chromium:741225
      > > Change-Id: I4054a694d2521c2e1f0c4a3ad0f3cf100b5c536f
      > > Reviewed-on: https://chromium-review.googlesource.com/709214
      > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > > Cr-Commit-Position: refs/heads/master@{#48469}
      >
      > Bug: chromium:741225
      > Change-Id: Id9d4f3a3ae36cb3e38f80edcdba88efa7922ca24
      > Reviewed-on: https://chromium-review.googlesource.com/715716
      > Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
      > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#48660}
      
      TBR=jarin@chromium.org,tebbi@chromium.org,bmeurer@chromium.org
      
      
      Bug: chromium:741225 chromium:776256
      Change-Id: Iaf2af3cb6dea5fdece43297cb9d987e7decc726d
      Reviewed-on: https://chromium-review.googlesource.com/727804
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Reviewed-by: 's avatarTobias Tebbi <tebbi@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#48749}
      2bf01995
  14. 18 Oct, 2017 1 commit
    • Tobias Tebbi's avatar
      Reland^4 "[turbofan] eagerly prune None types and deadness from the graph" · 1cee0e01
      Tobias Tebbi authored
      This fixes https://bugs.chromium.org/p/chromium/issues/detail?id=773954.
      The issue was that in the EffectControlLinearizer, the effect input of an
      {Unreachable} node was not updated, leaving a {Checkpoint} behind.
      
      This is a reland of 4cf47645
      Original change's description:
      > Reland^3 "[turbofan] eagerly prune None types and deadness from the graph"
      > 
      > This fixes the issues 
      > https://bugs.chromium.org/p/chromium/issues/detail?id=772873 
      > and https://bugs.chromium.org/p/chromium/issues/detail?id=772872.
      > 
      > One problem was that mutating an effect node into Unreachable confused 
      > the LoadElimination sidetables, so I just always create a new node now.
      > 
      > The other problem was that UpdateBlockControl() was executed after 
      > UpdateEffectPhi() in the lazy case. This reverted the update to the Merge input.
      > So now I make sure that UpdateEffectPhi() is always executed last.
      > 
      > This is a reland of 6ddb5e7d
      > Original change's description:
      > > Reland^2 "[turbofan] eagerly prune None types and deadness from the graph"
      > > 
      > > Now, the EffectControlLinearizer connects all occurrences of Unreachable to the 
      > > graph end. This fixes issues with later phases running DeadCodeElimination and
      > > introducing new DeadValue nodes when processing uses of Unreachable.
      > > 
      > > This is a reland of 3c4bc27f
      > > Original change's description:
      > > > Reland "[turbofan] eagerly prune None types and deadness from the graph"
      > > > 
      > > > This is a reland of e1cdda25
      > > > Original change's description:
      > > > > [turbofan] eagerly prune None types and deadness from the graph
      > > > > 
      > > > > In addition to using the {Dead} node to prune dead control nodes and nodes that 
      > > > > depend on them, we introduce a {DeadValue} node representing an impossible value 
      > > > > that can occur at any position in the graph. The extended {DeadCodeElimination}
      > > > > prunes {DeadValue} and its uses, inserting a crashing {Unreachable} node into
      > > > > the effect chain when possible. The remaining uses of {DeadValue} are handled
      > > > > in {EffectControlLinearizer}, where we always have access to the effect chain.
      > > > > In addition to explicitly introduced {DeadValue} nodes, we consider any value use
      > > > > of a node with type {None} as dead.
      > > > > 
      > > > > Bug: chromium:741225
      > > > > Change-Id: Icc4b636d1d018c452ba1a2fa7cd3e00e522f1655
      > > > > Reviewed-on: https://chromium-review.googlesource.com/641250
      > > > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > > > > Cr-Commit-Position: refs/heads/master@{#48208}
      > > > 
      > > > Bug: chromium:741225
      > > > Change-Id: I21316913dae02864f7a6d7c9269405a79f054138
      > > > Reviewed-on: https://chromium-review.googlesource.com/692034
      > > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > > Cr-Commit-Position: refs/heads/master@{#48232}
      > > 
      > > Bug: chromium:741225
      > > Change-Id: I5702ec34856c075717162153adc765774453c45f
      > > Reviewed-on: https://chromium-review.googlesource.com/702264
      > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > Cr-Commit-Position: refs/heads/master@{#48366}
      > 
      > Bug: chromium:741225
      > Change-Id: I4054a694d2521c2e1f0c4a3ad0f3cf100b5c536f
      > Reviewed-on: https://chromium-review.googlesource.com/709214
      > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#48469}
      
      Bug: chromium:741225
      Change-Id: Id9d4f3a3ae36cb3e38f80edcdba88efa7922ca24
      Reviewed-on: https://chromium-review.googlesource.com/715716Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#48660}
      1cee0e01
  15. 12 Oct, 2017 1 commit
    • Benedikt Meurer's avatar
      Revert "Reland^3 "[turbofan] eagerly prune None types and deadness from the graph"" · e29fd74c
      Benedikt Meurer authored
      This reverts commit 4cf47645.
      
      Reason for revert: Broken effect chains detected by Clusterfuzz. Playing it safe for the 63 branch.
      
      Original change's description:
      > Reland^3 "[turbofan] eagerly prune None types and deadness from the graph"
      > 
      > This fixes the issues 
      > https://bugs.chromium.org/p/chromium/issues/detail?id=772873 
      > and https://bugs.chromium.org/p/chromium/issues/detail?id=772872.
      > 
      > One problem was that mutating an effect node into Unreachable confused 
      > the LoadElimination sidetables, so I just always create a new node now.
      > 
      > The other problem was that UpdateBlockControl() was executed after 
      > UpdateEffectPhi() in the lazy case. This reverted the update to the Merge input.
      > So now I make sure that UpdateEffectPhi() is always executed last.
      > 
      > This is a reland of 6ddb5e7d
      > Original change's description:
      > > Reland^2 "[turbofan] eagerly prune None types and deadness from the graph"
      > > 
      > > Now, the EffectControlLinearizer connects all occurrences of Unreachable to the 
      > > graph end. This fixes issues with later phases running DeadCodeElimination and
      > > introducing new DeadValue nodes when processing uses of Unreachable.
      > > 
      > > This is a reland of 3c4bc27f
      > > Original change's description:
      > > > Reland "[turbofan] eagerly prune None types and deadness from the graph"
      > > > 
      > > > This is a reland of e1cdda25
      > > > Original change's description:
      > > > > [turbofan] eagerly prune None types and deadness from the graph
      > > > > 
      > > > > In addition to using the {Dead} node to prune dead control nodes and nodes that 
      > > > > depend on them, we introduce a {DeadValue} node representing an impossible value 
      > > > > that can occur at any position in the graph. The extended {DeadCodeElimination}
      > > > > prunes {DeadValue} and its uses, inserting a crashing {Unreachable} node into
      > > > > the effect chain when possible. The remaining uses of {DeadValue} are handled
      > > > > in {EffectControlLinearizer}, where we always have access to the effect chain.
      > > > > In addition to explicitly introduced {DeadValue} nodes, we consider any value use
      > > > > of a node with type {None} as dead.
      > > > > 
      > > > > Bug: chromium:741225
      > > > > Change-Id: Icc4b636d1d018c452ba1a2fa7cd3e00e522f1655
      > > > > Reviewed-on: https://chromium-review.googlesource.com/641250
      > > > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > > > > Cr-Commit-Position: refs/heads/master@{#48208}
      > > > 
      > > > Bug: chromium:741225
      > > > Change-Id: I21316913dae02864f7a6d7c9269405a79f054138
      > > > Reviewed-on: https://chromium-review.googlesource.com/692034
      > > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > > Cr-Commit-Position: refs/heads/master@{#48232}
      > > 
      > > Bug: chromium:741225
      > > Change-Id: I5702ec34856c075717162153adc765774453c45f
      > > Reviewed-on: https://chromium-review.googlesource.com/702264
      > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > Cr-Commit-Position: refs/heads/master@{#48366}
      > 
      > Bug: chromium:741225
      > Change-Id: I4054a694d2521c2e1f0c4a3ad0f3cf100b5c536f
      > Reviewed-on: https://chromium-review.googlesource.com/709214
      > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#48469}
      
      TBR=jarin@chromium.org,tebbi@chromium.org
      
      Change-Id: Icf6a6af4feaafd4bde28cb7b996735ff91bb3810
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: chromium:741225
      Reviewed-on: https://chromium-review.googlesource.com/715096Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#48482}
      e29fd74c
  16. 11 Oct, 2017 1 commit
    • Tobias Tebbi's avatar
      Reland^3 "[turbofan] eagerly prune None types and deadness from the graph" · 4cf47645
      Tobias Tebbi authored
      This fixes the issues 
      https://bugs.chromium.org/p/chromium/issues/detail?id=772873 
      and https://bugs.chromium.org/p/chromium/issues/detail?id=772872.
      
      One problem was that mutating an effect node into Unreachable confused 
      the LoadElimination sidetables, so I just always create a new node now.
      
      The other problem was that UpdateBlockControl() was executed after 
      UpdateEffectPhi() in the lazy case. This reverted the update to the Merge input.
      So now I make sure that UpdateEffectPhi() is always executed last.
      
      This is a reland of 6ddb5e7d
      Original change's description:
      > Reland^2 "[turbofan] eagerly prune None types and deadness from the graph"
      > 
      > Now, the EffectControlLinearizer connects all occurrences of Unreachable to the 
      > graph end. This fixes issues with later phases running DeadCodeElimination and
      > introducing new DeadValue nodes when processing uses of Unreachable.
      > 
      > This is a reland of 3c4bc27f
      > Original change's description:
      > > Reland "[turbofan] eagerly prune None types and deadness from the graph"
      > > 
      > > This is a reland of e1cdda25
      > > Original change's description:
      > > > [turbofan] eagerly prune None types and deadness from the graph
      > > > 
      > > > In addition to using the {Dead} node to prune dead control nodes and nodes that 
      > > > depend on them, we introduce a {DeadValue} node representing an impossible value 
      > > > that can occur at any position in the graph. The extended {DeadCodeElimination}
      > > > prunes {DeadValue} and its uses, inserting a crashing {Unreachable} node into
      > > > the effect chain when possible. The remaining uses of {DeadValue} are handled
      > > > in {EffectControlLinearizer}, where we always have access to the effect chain.
      > > > In addition to explicitly introduced {DeadValue} nodes, we consider any value use
      > > > of a node with type {None} as dead.
      > > > 
      > > > Bug: chromium:741225
      > > > Change-Id: Icc4b636d1d018c452ba1a2fa7cd3e00e522f1655
      > > > Reviewed-on: https://chromium-review.googlesource.com/641250
      > > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > > > Cr-Commit-Position: refs/heads/master@{#48208}
      > > 
      > > Bug: chromium:741225
      > > Change-Id: I21316913dae02864f7a6d7c9269405a79f054138
      > > Reviewed-on: https://chromium-review.googlesource.com/692034
      > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > Cr-Commit-Position: refs/heads/master@{#48232}
      > 
      > Bug: chromium:741225
      > Change-Id: I5702ec34856c075717162153adc765774453c45f
      > Reviewed-on: https://chromium-review.googlesource.com/702264
      > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#48366}
      
      Bug: chromium:741225
      Change-Id: I4054a694d2521c2e1f0c4a3ad0f3cf100b5c536f
      Reviewed-on: https://chromium-review.googlesource.com/709214
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#48469}
      4cf47645
  17. 09 Oct, 2017 2 commits
    • Tobias Tebbi's avatar
      Revert "Reland^2 "[turbofan] eagerly prune None types and deadness from the graph"" · 738e773b
      Tobias Tebbi authored
      This reverts commit 6ddb5e7d.
      
      Reason for revert: chromium:772873 chromium:772872
      
      Original change's description:
      > Reland^2 "[turbofan] eagerly prune None types and deadness from the graph"
      > 
      > Now, the EffectControlLinearizer connects all occurrences of Unreachable to the 
      > graph end. This fixes issues with later phases running DeadCodeElimination and
      > introducing new DeadValue nodes when processing uses of Unreachable.
      > 
      > This is a reland of 3c4bc27f
      > Original change's description:
      > > Reland "[turbofan] eagerly prune None types and deadness from the graph"
      > > 
      > > This is a reland of e1cdda25
      > > Original change's description:
      > > > [turbofan] eagerly prune None types and deadness from the graph
      > > > 
      > > > In addition to using the {Dead} node to prune dead control nodes and nodes that 
      > > > depend on them, we introduce a {DeadValue} node representing an impossible value 
      > > > that can occur at any position in the graph. The extended {DeadCodeElimination}
      > > > prunes {DeadValue} and its uses, inserting a crashing {Unreachable} node into
      > > > the effect chain when possible. The remaining uses of {DeadValue} are handled
      > > > in {EffectControlLinearizer}, where we always have access to the effect chain.
      > > > In addition to explicitly introduced {DeadValue} nodes, we consider any value use
      > > > of a node with type {None} as dead.
      > > > 
      > > > Bug: chromium:741225
      > > > Change-Id: Icc4b636d1d018c452ba1a2fa7cd3e00e522f1655
      > > > Reviewed-on: https://chromium-review.googlesource.com/641250
      > > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > > > Cr-Commit-Position: refs/heads/master@{#48208}
      > > 
      > > Bug: chromium:741225
      > > Change-Id: I21316913dae02864f7a6d7c9269405a79f054138
      > > Reviewed-on: https://chromium-review.googlesource.com/692034
      > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > Cr-Commit-Position: refs/heads/master@{#48232}
      > 
      > Bug: chromium:741225
      > Change-Id: I5702ec34856c075717162153adc765774453c45f
      > Reviewed-on: https://chromium-review.googlesource.com/702264
      > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#48366}
      
      TBR=jarin@chromium.org,tebbi@chromium.org
      
      Change-Id: Ib0f59b8463681abf6a9158112515aefae3c76b5f
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: chromium:741225
      Reviewed-on: https://chromium-review.googlesource.com/707275Reviewed-by: 's avatarTobias Tebbi <tebbi@chromium.org>
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#48407}
      738e773b
    • Tobias Tebbi's avatar
      Reland^2 "[turbofan] eagerly prune None types and deadness from the graph" · 6ddb5e7d
      Tobias Tebbi authored
      Now, the EffectControlLinearizer connects all occurrences of Unreachable to the 
      graph end. This fixes issues with later phases running DeadCodeElimination and
      introducing new DeadValue nodes when processing uses of Unreachable.
      
      This is a reland of 3c4bc27f
      Original change's description:
      > Reland "[turbofan] eagerly prune None types and deadness from the graph"
      > 
      > This is a reland of e1cdda25
      > Original change's description:
      > > [turbofan] eagerly prune None types and deadness from the graph
      > > 
      > > In addition to using the {Dead} node to prune dead control nodes and nodes that 
      > > depend on them, we introduce a {DeadValue} node representing an impossible value 
      > > that can occur at any position in the graph. The extended {DeadCodeElimination}
      > > prunes {DeadValue} and its uses, inserting a crashing {Unreachable} node into
      > > the effect chain when possible. The remaining uses of {DeadValue} are handled
      > > in {EffectControlLinearizer}, where we always have access to the effect chain.
      > > In addition to explicitly introduced {DeadValue} nodes, we consider any value use
      > > of a node with type {None} as dead.
      > > 
      > > Bug: chromium:741225
      > > Change-Id: Icc4b636d1d018c452ba1a2fa7cd3e00e522f1655
      > > Reviewed-on: https://chromium-review.googlesource.com/641250
      > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > > Cr-Commit-Position: refs/heads/master@{#48208}
      > 
      > Bug: chromium:741225
      > Change-Id: I21316913dae02864f7a6d7c9269405a79f054138
      > Reviewed-on: https://chromium-review.googlesource.com/692034
      > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#48232}
      
      Bug: chromium:741225
      Change-Id: I5702ec34856c075717162153adc765774453c45f
      Reviewed-on: https://chromium-review.googlesource.com/702264Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#48366}
      6ddb5e7d
  18. 30 Sep, 2017 1 commit
    • Tobias Tebbi's avatar
      Revert "Reland "[turbofan] eagerly prune None types and deadness from the graph"" · 4651f644
      Tobias Tebbi authored
      This reverts commit 3c4bc27f.
      
      Reason for revert: https://bugs.chromium.org/p/chromium/issues/detail?id=770257
      
      Original change's description:
      > Reland "[turbofan] eagerly prune None types and deadness from the graph"
      > 
      > This is a reland of e1cdda25
      > Original change's description:
      > > [turbofan] eagerly prune None types and deadness from the graph
      > > 
      > > In addition to using the {Dead} node to prune dead control nodes and nodes that 
      > > depend on them, we introduce a {DeadValue} node representing an impossible value 
      > > that can occur at any position in the graph. The extended {DeadCodeElimination}
      > > prunes {DeadValue} and its uses, inserting a crashing {Unreachable} node into
      > > the effect chain when possible. The remaining uses of {DeadValue} are handled
      > > in {EffectControlLinearizer}, where we always have access to the effect chain.
      > > In addition to explicitly introduced {DeadValue} nodes, we consider any value use
      > > of a node with type {None} as dead.
      > > 
      > > Bug: chromium:741225
      > > Change-Id: Icc4b636d1d018c452ba1a2fa7cd3e00e522f1655
      > > Reviewed-on: https://chromium-review.googlesource.com/641250
      > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > > Cr-Commit-Position: refs/heads/master@{#48208}
      > 
      > Bug: chromium:741225
      > Change-Id: I21316913dae02864f7a6d7c9269405a79f054138
      > Reviewed-on: https://chromium-review.googlesource.com/692034
      > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#48232}
      
      TBR=jarin@chromium.org,tebbi@chromium.org
      
      Change-Id: Ied8da411a9c8cbe4ed2e1d3e98a76162c2834c97
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: chromium:741225 chromium:770257
      Reviewed-on: https://chromium-review.googlesource.com/693235Reviewed-by: 's avatarTobias Tebbi <tebbi@chromium.org>
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#48246}
      4651f644
  19. 29 Sep, 2017 1 commit
    • Tobias Tebbi's avatar
      Reland "[turbofan] eagerly prune None types and deadness from the graph" · 3c4bc27f
      Tobias Tebbi authored
      This is a reland of e1cdda25
      Original change's description:
      > [turbofan] eagerly prune None types and deadness from the graph
      > 
      > In addition to using the {Dead} node to prune dead control nodes and nodes that 
      > depend on them, we introduce a {DeadValue} node representing an impossible value 
      > that can occur at any position in the graph. The extended {DeadCodeElimination}
      > prunes {DeadValue} and its uses, inserting a crashing {Unreachable} node into
      > the effect chain when possible. The remaining uses of {DeadValue} are handled
      > in {EffectControlLinearizer}, where we always have access to the effect chain.
      > In addition to explicitly introduced {DeadValue} nodes, we consider any value use
      > of a node with type {None} as dead.
      > 
      > Bug: chromium:741225
      > Change-Id: Icc4b636d1d018c452ba1a2fa7cd3e00e522f1655
      > Reviewed-on: https://chromium-review.googlesource.com/641250
      > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#48208}
      
      Bug: chromium:741225
      Change-Id: I21316913dae02864f7a6d7c9269405a79f054138
      Reviewed-on: https://chromium-review.googlesource.com/692034Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#48232}
      3c4bc27f
  20. 28 Sep, 2017 2 commits
    • Clemens Hammacher's avatar
      Revert "[turbofan] eagerly prune None types and deadness from the graph" · 324e0a7a
      Clemens Hammacher authored
      This reverts commit e1cdda25.
      
      Reason for revert: Fails 'constructor-inlining' on GC-Stress bot: https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/15270
      
      Original change's description:
      > [turbofan] eagerly prune None types and deadness from the graph
      > 
      > In addition to using the {Dead} node to prune dead control nodes and nodes that 
      > depend on them, we introduce a {DeadValue} node representing an impossible value 
      > that can occur at any position in the graph. The extended {DeadCodeElimination}
      > prunes {DeadValue} and its uses, inserting a crashing {Unreachable} node into
      > the effect chain when possible. The remaining uses of {DeadValue} are handled
      > in {EffectControlLinearizer}, where we always have access to the effect chain.
      > In addition to explicitly introduced {DeadValue} nodes, we consider any value use
      > of a node with type {None} as dead.
      > 
      > Bug: chromium:741225
      > Change-Id: Icc4b636d1d018c452ba1a2fa7cd3e00e522f1655
      > Reviewed-on: https://chromium-review.googlesource.com/641250
      > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#48208}
      
      TBR=jarin@chromium.org,tebbi@chromium.org
      
      Change-Id: I9c175d47e2ee4b11a36ed90421202f2354610398
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: chromium:741225
      Reviewed-on: https://chromium-review.googlesource.com/690080Reviewed-by: 's avatarClemens Hammacher <clemensh@chromium.org>
      Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#48210}
      324e0a7a
    • Tobias Tebbi's avatar
      [turbofan] eagerly prune None types and deadness from the graph · e1cdda25
      Tobias Tebbi authored
      In addition to using the {Dead} node to prune dead control nodes and nodes that 
      depend on them, we introduce a {DeadValue} node representing an impossible value 
      that can occur at any position in the graph. The extended {DeadCodeElimination}
      prunes {DeadValue} and its uses, inserting a crashing {Unreachable} node into
      the effect chain when possible. The remaining uses of {DeadValue} are handled
      in {EffectControlLinearizer}, where we always have access to the effect chain.
      In addition to explicitly introduced {DeadValue} nodes, we consider any value use
      of a node with type {None} as dead.
      
      Bug: chromium:741225
      Change-Id: Icc4b636d1d018c452ba1a2fa7cd3e00e522f1655
      Reviewed-on: https://chromium-review.googlesource.com/641250
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#48208}
      e1cdda25
  21. 25 Sep, 2017 1 commit
  22. 12 Jul, 2017 1 commit
    • Mythri's avatar
      [TurboFan] In branch-elimination create ControlPathConditions only if needed · 2ea3b16c
      Mythri authored
      In branch elimination phase, control paths are updated when visiting
      the nodes. We first create a control path and then check if it is
      same as the exisiting one. If it is the same we discard the newly
      created one. Since these are created in the zone memory the memory
      will not be released till the entire pass is over. This cl changes
      it to first check if the control path has changed and create a new
      path only if it has changed.
      
      Bug: chromium:725664,v8:6150
      Change-Id: I67fbea13036f85999c7ed366c571f8dc1c17a023
      Reviewed-on: https://chromium-review.googlesource.com/563406Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
      Commit-Queue: Mythri Alle <mythria@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#46598}
      2ea3b16c
  23. 22 May, 2017 1 commit
  24. 04 Apr, 2017 1 commit
  25. 10 Feb, 2017 1 commit
  26. 10 Jan, 2017 1 commit
    • leszeks's avatar
      [turbofan] Allow indexed access to node inputs/input_edges · 6873f14b
      leszeks authored
      Node::InputCount() and ::InputAt() have to check for inline/out-of-line
      inputs every time they are called. The compiler doesn't seem to be very
      good at caching the result of this check, meaning that it (and all its
      jumps) would happen for every node access.
      
      Previously we would get around this sometimes, by using Node::inputs(),
      which returned a Node::Inputs iterable over node inputs. However,
      sometimes node access is more convenient using an index, or we also
      want to access the count. This patch adds an index accessor and 'count'
      method to Node::Inputs, and replaces several uses of InputCount and
      InputAt with this accessor.
      
      Review-Url: https://codereview.chromium.org/2617123002
      Cr-Commit-Position: refs/heads/master@{#42179}
      6873f14b
  27. 03 Jan, 2017 2 commits
  28. 18 Jul, 2016 1 commit
    • bmeurer's avatar
      [turbofan] Add support for eager/soft deoptimization reasons. · db635d5b
      bmeurer authored
      So far TurboFan wasn't adding the deoptimization reasons for eager/soft
      deoptimization exits that can be used by either the DevTools profiler or
      the --trace-deopt flag. This adds basic support for deopt reasons on
      Deoptimize, DeoptimizeIf and DeoptimizeUnless nodes and threads through
      the reasons to the code generation.
      
      Also moves the DeoptReason to it's own file (to resolve include cycles)
      and drops unused reasons.
      
      R=jarin@chromium.org
      
      Review-Url: https://codereview.chromium.org/2161543002
      Cr-Commit-Position: refs/heads/master@{#37823}
      db635d5b
  29. 11 Jul, 2016 1 commit
    • bmeurer's avatar
      [turbofan] Eliminate a few redundant bounds checks. · 4f976328
      bmeurer authored
      Usually loops run from 0 to some array length l, which means the
      induction variable i will probably have type Unsigned32, just like
      the length l. The CheckBounds operation lowers to an Uint32LessThan
      comparison, so if we also lower the user level i < l comparison to
      Uint32LessThan (whenever possible), we get some bounds check elimination
      for free (via value numbering plus branch condition elimination).
      
      This merges the branch condition elimination phase with the late
      optimization phase to make this magic happen.
      
      R=jarin@chromium.org
      BUG=v8:4930,v8:5141
      
      Review-Url: https://codereview.chromium.org/2135123002
      Cr-Commit-Position: refs/heads/master@{#37629}
      4f976328
  30. 24 May, 2016 1 commit
  31. 24 Feb, 2016 1 commit
  32. 17 Oct, 2015 1 commit
    • jarin's avatar
      [turbofan] Redundant branch elimination. · 106aecf2
      jarin authored
      Removes a branch that checks for a condition that has been checked on dominators of the branch.
      
      This introduces a new reducer that propagates the list of checked conditions (and their boolean values) through the control flow graph. If it encounters a branch checking a condition with a known value, the branch is eliminated.
      
      The analysis relies on loops being reducible: if a condition has been checked on all paths to loop entry, then it is checked in the loop (regardless what of the conditions checked inside the loop).
      
      The implementation is fairly naive and could be improved:
      
      - all the operation on the condition lists could be made allocation-free when revisited.
      
      - we could try to use a map structure rather than a linked list (to make
      lookups faster).
      
      - the merging of control flow could be changed to take into account
        conditions from non-dominating paths (as long as all paths check
        the condition).
      
      Review URL: https://codereview.chromium.org/1376293005
      
      Cr-Commit-Position: refs/heads/master@{#31347}
      106aecf2