- 11 Sep, 2017 19 commits
-
-
Jakob Gruber authored
This is a reland of da6aab43 Original change's description: > [snapshot] Temporarily enable --lazy-deserialization > > Flip the flag for one day to determine impact and flush out bugs. > Please add crashes and regressions to https://crbug.com/v8/6796. > > Bug: v8:6624,v8:6796 > Change-Id: I8b0581c40d956e01f94e9098ff935fdd5af36156 > Reviewed-on: https://chromium-review.googlesource.com/651408 > Commit-Queue: Jakob Gruber <jgruber@chromium.org> > Reviewed-by: Yang Guo <yangguo@chromium.org> > Reviewed-by: Michael Hablich <hablich@chromium.org> > Cr-Commit-Position: refs/heads/master@{#47893} Bug: v8:6624, v8:6796 Change-Id: I7df43925ccb2e6c1d3455439690526b0e1a6a747 Reviewed-on: https://chromium-review.googlesource.com/660218Reviewed-by:
Michael Hablich <hablich@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#47952}
-
Mike Stanton authored
Since we don't have a full-codegen compiler anymore, we no longer generate Code::FUNCTION kind. Nice! Here is some cleanup. Bug: v8:6409 Change-Id: I05634e4ca85c4037b49a4346f4e8bae8042b8762 Reviewed-on: https://chromium-review.googlesource.com/657817 Commit-Queue: Michael Stanton <mvstanton@chromium.org> Reviewed-by:
Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#47951}
-
Andreas Haas authored
The wasm code for asm.js modules is generated by us and does not come from the user. Therefore we do not need to check in release builds that experimental opcodes are not used for asm.js, a DCHECK is sufficient. R=clemensh@chromium.org Change-Id: I0c7135bfb03eafd2a39e648d57eff8e3a4440c3f Reviewed-on: https://chromium-review.googlesource.com/659938Reviewed-by:
Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#47950}
-
Peter Marshall authored
We call this ~140 times from addReferences() and AddStubCache, which caused size to increase. Bug: Change-Id: Ib08d435abb82b3e07121adf023f96f6f0b33733e Reviewed-on: https://chromium-review.googlesource.com/660120Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#47949}
-
Toon Verwaest authored
Bug: v8:5269 Change-Id: Ie649a83435f74b6dd705991c264085f28b12736c Reviewed-on: https://chromium-review.googlesource.com/655438 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Reviewed-by:
Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#47948}
-
jgruber authored
This fixes two issues related to Code object allocation: Code objects need to be aligned to kCodeAlignment (= 32), and the instruction cache needs to be flushed after deserialization. Both bugs combined manifested as a crash at a basically arbitrary point in the code after the Runtime::kDeserializeLazy call: 0x286bc8dc: blx r12 // Call to Runtime::kDeserializeLazy, // generated through // GenerateTailCallToReturnedCode. 0x286bc8e0: mov r2, r0 // This seemingly innocent register move // crashes hard. Bug: v8:6624,v8:6796 Change-Id: I88c7eaf57ac851745fb7e800c92b0f5978b33466 Reviewed-on: https://chromium-review.googlesource.com/660119Reviewed-by:Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#47947}
-
Andreas Haas authored
The wasm valiation incorrectly allowed simd locals, even without the experimental flag turned on. This was not noted in the generated code because simd opcodes were forbidden, but the interpreter could not handle these locals. R=clemensh@chromium.org Bug: chromium:763697 Change-Id: I11d924ac21e50bce81d0504c2c7b252105a89f80 Reviewed-on: https://chromium-review.googlesource.com/660117 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by:
-
Michael Starzinger authored
R=clemensh@chromium.org Change-Id: If0554f01068fb76228e85cfe120630eda86de41d Reviewed-on: https://chromium-review.googlesource.com/659997Reviewed-by:
-
Clemens Hammacher authored
With jumbo builds, we get spurious errors if several .cc files define the same preprocessor macro without undefining it. This is also disallowed by the style guide. This patch adds a presubmit check to check that each #define is eventually followed by a corresponding #undef. Special care has to be taken for conditionally defined macros. Here, the logic to check that there are not multiple defines and that they are undefined in all cases is not perfect; it's optimistic in order to avoid false positives. R=mstarzinger@chromium.org, machenbach@chromium.org Bug: v8:6811 Change-Id: I55cde499399d97a5eb02fbc5ecfa34e6a8099d06 Reviewed-on: https://chromium-review.googlesource.com/657104 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by:
Michael Achenbach <machenbach@chromium.org> Reviewed-by:
-
Clemens Hammacher authored
Cleanup before enabling the presubmit check: https://chromium-review.googlesource.com/c/v8/v8/+/657104 Bug: v8:6811 R=ahaas@chromium.org CC=mstarzinger@chromium.org Change-Id: Ifbf9210464b46dfdb5e04fbedc41d30e11536f74 Reviewed-on: https://chromium-review.googlesource.com/657422Reviewed-by:
Andreas Haas <ahaas@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#47943}
-
Benedikt Meurer authored
The Typer put the wrong type on String#index and String#lastIndexOf builtins, with an off by one on the upper bound. Bug: chromium:762874 Change-Id: Ia4c29bc2e8e1c85b6a7ae0b99f8aaabf839a5932 Reviewed-on: https://chromium-review.googlesource.com/660000Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#47942}
-
Andreas Haas authored
In the test case the module contained a memory which got exported by the name 'main'. The fuzzer crashed when it tried to cast the memory to a function to execute it. This CL checks that 'main' is a function before doint the cast. R=clemensh@chromium.org Bug: chromium:763349 Change-Id: I9a21413c8038a7547f8b59057afea2870b15499a Reviewed-on: https://chromium-review.googlesource.com/659978Reviewed-by:
-
Benedikt Meurer authored
TurboFan wasn't able to inline calls to Array.prototype.push which didn't have exactly one parameter. This was a rather artifical limitation and was mostly due to the way the MaybeGrowFastElements operator was implemented (which was not ideal by itself). Refactoring this a bit, allows us to inline the operation in general, independent of the number of values to push. Array#push with multiple parameters is used quite a lot inside Ember (as discovered by Apple, i.e. https://bugs.webkit.org/show_bug.cgi?id=175823) and is also dominating the Six-Speed/SpreadLiterals/ES5 benchmark (see https://twitter.com/SpiderMonkeyJS/status/906528938452832257 from the SpiderMonkey folks). The micro-benchmark mentioned in the tracking bug (v8:6808) improves from arrayPush0: 2422 ms. arrayPush1: 2567 ms. arrayPush2: 4092 ms. arrayPush3: 4308 ms. to arrayPush0: 798 ms. arrayPush1: 2563 ms. arrayPush2: 2623 ms. arrayPush3: 2773 ms. with this change, effectively removing the odd 50-60% performance cliff that was associated with going from one parameter to two or more. Bug: v8:2229, v8:6808 Change-Id: Iffe4c1233903c04c3dc2062aad39d99769c8ab57 Reviewed-on: https://chromium-review.googlesource.com/657582Reviewed-by:
-
Ivica Bogosavljevic authored
Fix 408f252b Bug: Change-Id: Ibed235d76ceb9a6adc818a5e06b1ba28fe365cba Reviewed-on: https://chromium-review.googlesource.com/659619Reviewed-by:
-
Franziska Hinkelmann authored
If Coverage goes out of scope, ScriptData, FunctionData, or BlockData still rely on Coverage's coverage_. Make coverage_ a shared_ptr owned by all four classes. Bug: Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng Change-Id: Ifab5d05184cc5db0fd0a935254b967286295e63f Reviewed-on: https://chromium-review.googlesource.com/657381Reviewed-by:
-
Franziska Hinkelmann authored
Bug: v8:5933 Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng Change-Id: If7d69844a309285ff53edb38688c3c647217fea2 Reviewed-on: https://chromium-review.googlesource.com/657379Reviewed-by:
-
Benedikt Meurer authored
It's quite common today to use Function#apply together with typed arrays, for example to construct a String from character codes (or code points) within a Uint8Array or Uint16Array, i.e. String.fromCharCode.apply(undefined, uint8array) is seen quite often on the web. But there are other interesting cases like Math.max.apply(undefined, float64array) to compute the maximum value in a Float64Array, which is definitely not the fastest implementation, but quite convenient and readable. Unfortunately these cases hit the super-slow-path of the Function#apply machinery in V8 currently, because Function#apply doesn't have any fast-path for TypedArrays. This CL adds a proper fast-path to CreateListFromArrayLike to the ElementsAccessor, which can be used as long as the typed array that's passed wasn't neutered. With this fast-path in place, the performance on the micro-benchmark mentioned in the issue improves from stringFromCharCode: 6386 ms. stringFromCodePoint: 8752 ms. to stringFromCharCode: 1932 ms. stringFromCodePoint: 4262 ms. which corresponds to a 2.0x-3.3x improvement. Bug: v8:2435 Change-Id: I4d39666e53644b11d5856982b005928e26f296fe Reviewed-on: https://chromium-review.googlesource.com/657405Reviewed-by:
-
Jeremy Roman authored
It is legal to stringify other kinds of values, like strings and numbers. Since Local<Object> is convertible to Local<Value>, this is unlikely to break callers. Bug: v8:6810 Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng Change-Id: Ie8e97c86308d62cdf0a2a17490a6e20de58fc76e Reviewed-on: https://chromium-review.googlesource.com/657633Reviewed-by:
-
Jaroslav Sevcik authored
[turbofan] Reland^3 "Polymorphic inlining - try merge map check dispatch with function call dispatch." This reverts commit ae28e0cf. Bug: chromium:758096 Change-Id: I6541bd1ba46cd5dfb942ed3f3d382e047fb1f3e6 Reviewed-on: https://chromium-review.googlesource.com/657401Reviewed-by:
-
- 09 Sep, 2017 1 commit
-
-
Anisha Rohra authored
Port 9e995e12 Port 408f252b Up to now, each architecture defined all Register types as structs, with lots of redundancy. An often found comment noted that they cannot be classes due to initialization order problems. As these problems are gone with C++11 constexpr constants, I now tried making Registers classes again. All register types now inherit from RegisterBase, which provides a default set of methods and named constructors (like ::from_code, code(), bit(), is_valid(), ...). This design allows to guarantee an interesting property: Each register is either valid, or it's the no_reg register. There are no other invalid registers. This is guaranteed statically by the constexpr constructor, and dynamically by ::from_code. I decided to disallow the default constructor completely, so instead of "Register reg;" you now need "Register reg = no_reg;". This makes explicit how the Register is initialized. I did this change to the x64, ia32, arm, arm64, mips and mips64 ports. Overall, code got much more compact and more safe. In theory, it should also increase performance (since the is_valid() check is simpler), but this is probably not measurable. R=bjaideep@ca.ibm.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com BUG= LOG=N Change-Id: I2e87efc8790290c64fd6c0a2d093326710b30ed3 Reviewed-on: https://chromium-review.googlesource.com/658065Reviewed-by:
Jaideep Bajwa <bjaideep@ca.ibm.com> Commit-Queue: Jaideep Bajwa <bjaideep@ca.ibm.com> Cr-Commit-Position: refs/heads/master@{#47933}
-
- 08 Sep, 2017 20 commits
-
-
Sathya Gunasekaran authored
Bug: v8:5967 Change-Id: I10388495158fe72ff06cc0f9f9a7b9522705f6e6 Reviewed-on: https://chromium-review.googlesource.com/658301Reviewed-by:
Adam Klein <adamk@chromium.org> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#47932}
-
Alexander Timokhin authored
We should add this define to external_config because it is used in public include v8.h (e.g.: https://cs.chromium.org/chromium/src/v8/include/v8.h?l=272&rcl=5cd6565d5ad06a8cb5a1d9d502d15a54e4fa5bbe) Change-Id: Idf29830a43f348fbf658fada0036c65ab410b155 Reviewed-on: https://chromium-review.googlesource.com/657397Reviewed-by:
Sathya Gunasekaran <gsathya@chromium.org> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#47931}
-
Clemens Hammacher authored
Even though we were generating additional arguments with default value in the case that the caller was not providing enough, we then passed the original pointer, leading to potential out-of-bounds accesses. R=ahaas@chromium.org Bug: chromium:763294,chromium:763297 Change-Id: Id18622d0d40e0408e26a5fc6f97494b5f9e18d17 Reviewed-on: https://chromium-review.googlesource.com/657699Reviewed-by:
-
Ben Smith authored
TSAN finds data races in generated JavaScript code that use access the SharedArrayBuffer backing store racily. These are races, but they are OK in the sense that the JavaScript memory model allows for the potential bad behavior they could introduce (e.g. potentially tearing reads). Relaxed atomics could be used here instead, but that could introduce performance regressions. This change adds TSAN annotations to the TypedArray reads/writes to prevent TSAN from warning about them. Bug: chromium:722871 Change-Id: I0776475f02a352b678ade7d32ed6bd4a6be98c36 Reviewed-on: https://chromium-review.googlesource.com/656509 Commit-Queue: Ben Smith <binji@chromium.org> Reviewed-by:
-
Benedikt Meurer authored
The previous %StringCharCodeAt runtime entry (and the inlined intrinsic) are obsolete and not used anymore (except in dedicated tests for this runtime function), so remove it. And rename the %StringCharCodeAtRT function, which is actually used to %StringCharCodeAt instead to have a consistent naming scheme for runtime fallbacks. Bug: v8:5049 Change-Id: I619429ef54f6efea61fc51ab9ed1d5cfe4417f99 Reviewed-on: https://chromium-review.googlesource.com/657719 Commit-Queue: Yang Guo <yangguo@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by:
-
Michael Starzinger authored
R=mvstanton@chromium.org BUG=v8:6409 Change-Id: I9252055a395287381d2646fedc59c8c376333694 Reviewed-on: https://chromium-review.googlesource.com/652469Reviewed-by:
Michael Stanton <mvstanton@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#47927}
-
Clemens Hammacher authored
This is a cleanup for a presubmit check that might get enabled soon: https://chromium-review.googlesource.com/c/v8/v8/+/657104 R=ahaas@chromium.org CC=mstarzinger@chromium.org Change-Id: Id431f2d4e8fcbb88a777b63e3fb136fa8ceac70a Reviewed-on: https://chromium-review.googlesource.com/657400 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by:
-
Camillo Bruni authored
Change-Id: I61d9e2555fa6063e6e047f7cadb9fbcf4cdba312 Reviewed-on: https://chromium-review.googlesource.com/654869 Commit-Queue: Camillo Bruni <cbruni@chromium.org> Reviewed-by:
Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#47925}
-
Marja Hölttä authored
This reverts commit de9269f3. Something's still wrong in the encoding handling (see bug). Bug: chromium:763106 Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng Change-Id: Icd19dd42b84b9d090e191375a2942b9941110bcf Reviewed-on: https://chromium-review.googlesource.com/657386 Commit-Queue: Marja Hölttä <marja@chromium.org> Reviewed-by:
Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#47924}
-
Anna Henningsen authored
This can be useful when there may be multiple callbacks attached by code that's not directly tied to a single isolate, e.g. working on a per-context basis. This also allows rephrasing the global non-isolate APIs in terms of this new API, rather than working around it inside `src/heap`. TBR=hpayer@chromium.org Bug: Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng Change-Id: I2e490ec40d1a34ea812f25f41ef9741d2116d965 Reviewed-on: https://chromium-review.googlesource.com/647548Reviewed-by:
-
Jaroslav Sevcik authored
The advantage of an explicit Abort that the interpreter and the compiler know that aborting cannot continue or throw or deopt. As a result we generate less code and we do not confuse the compiler if the environment is not set up for throwing (as in the generator dispatch that fails validation in crbug.com/762057). Bug: chromium:762057 Change-Id: I3e88f78be32f31ac49b1845595255f802c405ed7 Reviewed-on: https://chromium-review.googlesource.com/657025 Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by:
Leszek Swirski <leszeks@chromium.org> Reviewed-by:
Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#47922}
-
Michael Starzinger authored
R=clemensh@chromium.org Change-Id: I35a69e690a0647e1e6092bf881007198b252d3e8 Reviewed-on: https://chromium-review.googlesource.com/657577Reviewed-by:
-
Franziska Hinkelmann authored
JavaScript is a dynamically typed language. But most code is written with fixed types in mind. When debugging JavaScript, it is helpful to know the types of variables and parameters at runtime. It is often hard to infer types for complex code. Type profiling provides this information at runtime. Node.js uses the inspector protocol. This CL allows Node.js users to access and analyse type profile for via Node modules or the in-procress api. Type Profile helps developers to analyze their code for correctness and performance. Design doc: https://docs.google.com/a/google.com/document/d/1O1uepXZXBI6IwiawTrYC3ohhiNgzkyTdjn3R8ysbYgk/edit?usp=sharing Add `takeTypeProfile` to the inspector protocol. It returns a list of TypeProfileForScripts, which in turn contains the type profile for each function. We can use TypeProfile data to annotate JavaScript code. Sample script with data from TypeProfile: function f(/*Object, number, undefined*/a, /*Array, number, null*/b, /*boolean, Object, symbol*/c) { return 'bye'; /*string*/}; f({}, [], true); f(3, 2.3, {a: 42}); f(undefined, null, Symbol('hello'));/*string*/ Bug: v8:5933 Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_chromium_rel_ng Change-Id: I626bfb886b752f90b9c86cc6953601558b18b60d Reviewed-on: https://chromium-review.googlesource.com/508588 Commit-Queue: Franziska Hinkelmann <franzih@chromium.org> Reviewed-by:
Pavel Feldman <pfeldman@chromium.org> Reviewed-by:
Aleksey Kozyatinskiy <kozyatinskiy@chromium.org> Reviewed-by:
Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#47920}
-
Michael Starzinger authored
R=clemensh@chromium.org Change-Id: I4e2108beee792e54d4ff54c36fd326a058272b73 Reviewed-on: https://chromium-review.googlesource.com/657179Reviewed-by:
-
Yuki Shiino authored
Map::kBitFieldOffset should be loaded as a byte data. This patch fixes the loading instruction of Map::kBitFieldOffset in lazy accessors. Bug: v8:6795, v8:6156 Change-Id: I8fbc88ed44fb43a24335fc81f75b7199ca80212c Reviewed-on: https://chromium-review.googlesource.com/656862 Commit-Queue: Yuki Shiino <yukishiino@chromium.org> Reviewed-by:
-
Michael Starzinger authored
This removes logic related to healing of the optimized code slot within the feedback vector from the {FastNewClosure} builtin. The underlying code will by now self-heal making it obsolete during closure creation. It will also simplify future inline allocation of closures. R=jarin@chromium.org BUG=v8:6563 Change-Id: If57fe00e3a98c2af423a833c98a465a669b8f3bc Reviewed-on: https://chromium-review.googlesource.com/649551Reviewed-by: -
Georg Neis authored
R=petermarshall@chromium.org Bug: Change-Id: I4c14032aa1bd4fad39cf3db36556d53a529a52b3 Reviewed-on: https://chromium-review.googlesource.com/654865Reviewed-by:
Peter Marshall <petermarshall@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#47916}
-
Daniel Bevenius authored
Bug: Change-Id: I236e6efe4142741ae8dc7e4ca4acdf8a65890c16 Reviewed-on: https://chromium-review.googlesource.com/647534Reviewed-by:
-
Michael Starzinger authored
This removes the ability to create a copy of a code-stub with a given replacement pattern applied. It is in preparation of having the ability to write-protect code objects. R=ishell@chromium.org BUG=v8:6409 Change-Id: Id7528b3bfc53ece73d8c58b0ac96c6e5702a9d45 Reviewed-on: https://chromium-review.googlesource.com/654605Reviewed-by:
Igor Sheludko <ishell@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#47914}
-
Benedikt Meurer authored
Add support to the JSCallReducer to recognize JSConstruct nodes where the target is the Object constructor, and reduce them to JSCreate nodes if either (a) no value is passed to the Object constructor, or (b) the target and new.target are definitely not identical, by checking whether both target and new.target are different HeapConstants (if they are not, then the JSCreateLowering will not be able to do a lot with the JSCreate anyways). This should cover the relevant cases for subclassing appropriately. It fixes the 3-4x slowdown on the micro-benchmark mentioned in the linked bug, baseNoExtends: 752 ms. baseExtendsObject: 752 ms. baseExtendsViaFactory: 751 ms. and thus removes the performance cliff. R=jarin@chromium.org Bug: v8:6801 Change-Id: Id265fd1399302a67b5790a6d0156679920c58bdd Reviewed-on: https://chromium-review.googlesource.com/657019Reviewed-by:
-
