Skip to content

V
V8
Switch branch/tag
  1. 14 Aug, 2018 2 commits
    • Benedikt Meurer's avatar
      [turbofan] Further optimize DataView accesses. · 5fecd146
      Benedikt Meurer authored 
      This adds support for unaligned load/store access to the DataView
backing store and uses byteswap operations to fix up the endianess
when necessary. This changes the Word32ReverseBytes operator to be
a required operator and adds the missing support on the Intel and
ARM platforms (on 64-bit platforms the Word64ReverseBytes operator
is also mandatory now).

This further improves the performance on the dataviewperf.js test
mentioned in the tracking bug by up to 40%, and at the same time
reduces the code complexity in the EffectControlLinearizer.

Bug: chromium:225811
Change-Id: I7c1ec826faf46a144a5a9068f8f815a5fd040997
Reviewed-on: https://chromium-review.googlesource.com/1174252Reviewed-by: 's avatarSigurd Schneider <sigurds@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55111}
      5fecd146
    • Leszek Swirski's avatar
      Revert "[turbofan] Further optimize DataView accesses." · 6a62d88e
      Leszek Swirski authored 
      This reverts commit c46915b9.

Reason for revert: Disasm failures https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux%20-%20debug/21727 

Original change's description:
> [turbofan] Further optimize DataView accesses.
> 
> This adds support for unaligned load/store access to the DataView
> backing store and uses byteswap operations to fix up the endianess
> when necessary. This changes the Word32ReverseBytes operator to be
> a required operator and adds the missing support on the Intel and
> ARM platforms (on 64-bit platforms the Word64ReverseBytes operator
> is also mandatory now).
> 
> This further improves the performance on the dataviewperf.js test
> mentioned in the tracking bug by up to 40%, and at the same time
> reduces the code complexity in the EffectControlLinearizer.
> 
> Bug: chromium:225811
> Change-Id: I296170b828c2ccc1c317ed37840b564aa14cdec2
> Reviewed-on: https://chromium-review.googlesource.com/1172777
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#55099}

TBR=sigurds@chromium.org,bmeurer@chromium.org

Change-Id: If7a62e3a1a4ad26823fcbd2ab6eb4c053ad11c49
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:225811
Reviewed-on: https://chromium-review.googlesource.com/1174171Reviewed-by: 's avatarLeszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55107}
      6a62d88e
  3. 13 Aug, 2018 1 commit
    • Benedikt Meurer's avatar
      [turbofan] Further optimize DataView accesses. · c46915b9
      Benedikt Meurer authored 
      This adds support for unaligned load/store access to the DataView
backing store and uses byteswap operations to fix up the endianess
when necessary. This changes the Word32ReverseBytes operator to be
a required operator and adds the missing support on the Intel and
ARM platforms (on 64-bit platforms the Word64ReverseBytes operator
is also mandatory now).

This further improves the performance on the dataviewperf.js test
mentioned in the tracking bug by up to 40%, and at the same time
reduces the code complexity in the EffectControlLinearizer.

Bug: chromium:225811
Change-Id: I296170b828c2ccc1c317ed37840b564aa14cdec2
Reviewed-on: https://chromium-review.googlesource.com/1172777
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: 's avatarSigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55099}
      c46915b9
  5. 08 Aug, 2018 2 commits
  7. 27 Jul, 2018 1 commit
  9. 25 Jul, 2018 3 commits
  11. 19 Jul, 2018 1 commit
  13. 17 Jul, 2018 1 commit
    • Clemens Hammacher's avatar
      [turbofan] lea32 must create zero-extended value · b2b2583d
      Clemens Hammacher authored 
      The instruction selector currently sometimes emits a lea32 with an
offset of 0, which the code generator just ignores (emits no code at
all). This can result in the result of TruncateInt64ToInt32 to not be
zero extended.
This CL fixes that by disallowing lea32 instructions with 0 offset, and
fixing the instruction selector to generate a movl or just no code for
that case.

R=jarin@chromium.org

Bug: chromium:863810, v8:7947
Change-Id: I1b21fc5f0fda9ca3144917538c3d0bbf46601c33
Reviewed-on: https://chromium-review.googlesource.com/1137825Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54489}
      b2b2583d
  15. 10 Jul, 2018 1 commit
  17. 04 Jul, 2018 1 commit
  19. 02 Jul, 2018 1 commit
  21. 26 Jun, 2018 1 commit
    • Sigurd Schneider's avatar
      [turbofan] Support kRootRegisterBias on all platforms · ba39d635
      Sigurd Schneider authored 
      We had a kRootRegisterBias on x64 before. This CL ports the feature to
all other platforms as well. The root register bias is helpful to adjust
the value of the root register, which allows to better utilize signed
immediate offset constants in load instructions.

We currently use a separate add instruction to add kRootRegisterBias
in the code that initializes the root register. This could be improved
by adding a custom relocation mode ensuring that instead of the root
address, the root address plus the bias is inserted (and in this way
the add instruction can be omitted).

Bug: v8:6666
Change-Id: I55cf02ab85d11e3c6d0d83a8f7905dbf924890f1
Reviewed-on: https://chromium-review.googlesource.com/1113539
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54023}
      ba39d635
  23. 19 Jun, 2018 1 commit
  25. 15 Jun, 2018 1 commit
  27. 14 Jun, 2018 2 commits
    • jgruber's avatar
      Fix stack check pattern matching for CSA code · 9ff644ae
      jgruber authored 
      The stack check instruction sequence is pattern-matched in
instruction-selector-{ia32,x64}.cc and replaced with its own specialized
opcode, for which we later generate an efficient stack check in a single
instruction.

But this pattern matching has never worked for CSA-generated code. The
matcher expected LoadStackPointer in the right operand and the external
reference load in the left operand. CSA generated exactly vice-versa.

This CL does a few things; it
1. reverts the recent change to load the
limit from smi roots:

Revert "[csa] Load the stack limit from smi roots"
This reverts commit 507c29c9.

2. tweaks the CSA instruction sequence to output what the matcher
expects.
3. refactors stack check matching into a new StackCheckMatcher class.
4. typifies CSA::PerformStackCheck as a drive-by.

Bug: v8:6666,v8:7844
Change-Id: I9bb879ac10bfe7187750c5f9e7834dc4accf28b5
Reviewed-on: https://chromium-review.googlesource.com/1099068Reviewed-by: 's avatarLeszek Swirski <leszeks@chromium.org>
Reviewed-by: 's avatarSigurd Schneider <sigurds@chromium.org>
Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53737}
      9ff644ae
    • Michael Starzinger's avatar
      [wasm] Allow calling runtime stubs with stub linkage. · 87fe4013
      Michael Starzinger authored 
      This allows WebAssembly runtime stubs implemented as {WasmCode} to be
called with regular stub linkage. So far we have only been able to call
such stubs with WebAssembly linkage.

Also switch two more on-heap builtins over to WebAssembly runtime stubs.

R=clemensh@chromium.org
BUG=v8:7424

Change-Id: Ifa553b5908ee27a1be780c325a114449d7fe7001
Reviewed-on: https://chromium-review.googlesource.com/1100882Reviewed-by: 's avatarClemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53734}
      87fe4013
  29. 13 Jun, 2018 1 commit
  31. 08 Jun, 2018 1 commit
  33. 07 Jun, 2018 1 commit
  35. 06 Jun, 2018 2 commits
  37. 05 Jun, 2018 1 commit
  39. 04 Jun, 2018 1 commit
    • Michael Starzinger's avatar
      [wasm] Make stack check independent of the Isolate. · c96ac82c
      Michael Starzinger authored 
      This makes stack checks in WasmCode independent of the underlying
Isolate by loading the limit address from the WasmInstanceObject instead
of embedding it into the instruction stream. It hence removes the last
use of the Isolate field from WasmGraphBuilder.

Additionally this introduces the notion of a "runtime stub" which
represents stub code global to the NativeModule that can be directly
called from each WasmCode in the same module. These stubs can act as
trampolines via which Isolate-independent WasmCode can enter other V8
builtins or runtime functions that remain Isolate-dependent. They will
eventually replace the current "trampoline" in a NativeModule.

R=titzer@chromium.org
BUG=v8:7424

Change-Id: Ie1f5582ee656b1ab7716ea06316d6e21a0268e74
Reviewed-on: https://chromium-review.googlesource.com/1078732
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: 's avatarClemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53487}
      c96ac82c
  41. 28 May, 2018 1 commit
  43. 25 May, 2018 1 commit
    • jgruber's avatar
      [builtins,x64] pc-relative builtin-to-builtin calls · e5630ea9
      jgruber authored 
      This addresses one of the major remaining slowdowns with embedded
builtins on x64.

When generating code for a call to a builtin callee from a builtin
caller, we'd look up the Code target object from the builtins constant
list, calculate the location of the first instruction, and jump to it.
Note that for embedded builtin callees, the Code object is itself only
a trampoline to the off-heap code and thus an additional indirection.
An example of the call sequence in pseudo-asm:

// Load from the constants list.
mov reg, [kRootPointer, kBuiltinsConstantListOffset]
mov reg, [reg, offset_of_the_code_constant]
// Calculate first instruction and call it.
add reg, Code::kHeaderOffset
call reg
// The trampoline forwards to the off-heap area.
mov kOffHeapTrampolineRegister, <off-heap instruction_start>
jmp kOffHeapTrampolineRegister

This CL changes calls to embedded builtin targets to use pc-relative
addressing. This reduces the above instruction sequence to:

call <pc-relative offset to target instruction_start>

Embedded-to-embedded calls jump directly to the embedded instruction
stream, bypassing the trampoline. Heap-to-embedded calls (and all
calls to heap-builtins) use pc-relative addressing targeting the
on-heap Code object.

Other relevant platforms (arm,arm64,mips,mips64) do not use pc-relative
calls. For these, we'll need a different solution, e.g. a table of
embedded builtin addresses reachable from the root pointer, similar to
the external reference table.

Bug: v8:6666
Change-Id: Ic0317d454e2da37d74eaecebcdfcbc0d5f5041ad
Reviewed-on: https://chromium-review.googlesource.com/1068732
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53349}
      e5630ea9
  45. 16 May, 2018 1 commit
  47. 15 May, 2018 1 commit
  49. 14 May, 2018 2 commits
    • Andreas Haas's avatar
      [turbofan] Binop Instructions can have up to 5 input operands · 1b11d98f
      Andreas Haas authored 
      The clusterfuzz issue crashes because VisitBinops expected only but 4
input operands but in the generated graph 5 input operands get created
The issue is fixed by increasing the size of the input operand buffer.

R=jarin@chromium.org

Bug: chromium:842501
Change-Id: I4bbb09a968e165e6f5a0a02d06eee97333f7aa38
Reviewed-on: https://chromium-review.googlesource.com/1056989Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53147}
      1b11d98f
    • Benedikt Meurer's avatar
      Revert "[turbofan][x64] Reduce compare-zero followed by flags-setting binop" · b2dc9468
      Benedikt Meurer authored 
      This reverts commit 42334363.

Reason for revert: Seems to lead to floating point exceptions, i.e. with this code:

```js
__v_0 = 'x'.repeat();
var __f_1 = (function __f_0() {
  "use asm";
  function __f_1(__v_5, __v_0) {
    __v_5 = __v_5 | 0;
    __v_0 = __v_0 | 0;
    return ((__v_5 >>> 4) % (__v_0 >>> 1073741824)) | -1073741825;
  }
  return { __f_1: __f_1 };
})().__f_1;
  for (var __v_5 = 0; __v_5 < 4294967296; __v_5 += 3999773) {__v_5 % __v_0 | 0, __f_1();
  }
```

Running with UBSan via `d8-ubsan-vptr-linux-release-v8-component-53134/d8 --random-seed=54105979 --disable-in-process-stack-traces --stress-marking=100 fuzz-02382.js`

Original change's description:
> [turbofan][x64] Reduce compare-zero followed by flags-setting binop
> 
> On IA architecture, arithmetic and shifting operations set the flags
> according to the computation result.
> 
>     subl rsi,0x1
>     REX.W movq rbx,[rbx+0x17]
>     cmpl rsi, 0                       <-- TO BE REDUCED
>     jnz 0x3f54d2dcef0
> ==>
>     REX.W movq rbx,[rbx+0x17]
>     subl rsi,0x1
>     jnz 0x3f54d2dcef0
> &
>     orl rdx,rbx
>     cmpl rdx,0x0                      <-- TO BE REDUCED
>     jnz 0x3f54d22b0f5
> ==>
>     orl rdx,rbx
>     jnz 0x3f54d22b0f5
> 
> Change-Id: If69c023712212ad7b9fa8b29f4b98274f7885e35
> Reviewed-on: https://chromium-review.googlesource.com/1051445
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Commit-Queue: Kanghua Yu <kanghua.yu@intel.com>
> Cr-Commit-Position: refs/heads/master@{#53118}

TBR=bmeurer@chromium.org,kanghua.yu@intel.com

# Not skipping CQ checks because original CL landed > 1 day ago.

Change-Id: I8a177b9268a2fefcd6877d8f33134e7e0c980926
Reviewed-on: https://chromium-review.googlesource.com/1057067Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53137}
      b2dc9468
  51. 11 May, 2018 1 commit
  53. 09 May, 2018 1 commit
  55. 07 May, 2018 1 commit
  57. 02 May, 2018 2 commits
  59. 30 Apr, 2018 1 commit
    • Jaroslav Sevcik's avatar
      Replace array index masking with the poisoning approach. · f53dfd93
      Jaroslav Sevcik authored 
      The idea is to mark all the branches and loads participating in array
bounds checks, and let them contribute-to/use the poisoning register.
In the code, the marks for array indexing operations now contain
"Critical" in their name. By default (--untrusted-code-mitigations),
we only instrument the "critical" operations with poisoning.

With that in place, we also remove the array masking approach based
on arithmetic.

Since we do not propagate the poison through function calls,
we introduce a node for poisoning an index that is passed through
function call - the typical example is the bounds-checked index
that is passed to the CharCodeAt builtin.

Most of the code in this CL is threads through the three levels of
protection (safe, critical, unsafe) for loads, branches and flags.

Bug: chromium:798964

Change-Id: Ief68e2329528277b3ba9156115b2a6dcc540d52b
Reviewed-on: https://chromium-review.googlesource.com/995413
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52883}
      f53dfd93
  61. 26 Apr, 2018 2 commits