Starred by 42 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
HW: All
NextAction: ----
OS: All
Priority: 2
Type: FeatureRequest



Improve performance of array builtins

Project Member Reported by mstarzinger@chromium.org, Feb 17 2012

Issue description

Most array builtins that iterate over array elements need to call [[HasProperty]] before calling [[Get]] to correctly verify whether an element is actually present at the time of access. We could merge those two accesses into one. This was introduced in r10737. The following builtins are affected:

* Array.prototype.every
* Array.prototype.filter
* Array.prototype.forEach
* Array.prototype.map
* Array.prototype.reduce
* Array.prototype.reduceRight
* Array.prototype.some
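
The [[HasProperty]]-then-[[Get]] pair described above can be observed from script by wrapping an array in a Proxy. This is an added example, not V8 code and not part of the original report: `toLength`, `specForEach`, `traced`, `run` and the sample arrays are hypothetical names and constructed inputs. It shows the three cases where the presence check changes the result: a hole, an element found on the prototype chain, and an element the callback deletes before the loop reaches it.

```javascript
// Added illustration; not V8 source. All names below are hypothetical.

// ToLength, as applied to the "length" property by the array builtins.
function toLength(value) {
  const n = Math.trunc(Number(value));
  if (!(n > 0)) return 0; // NaN, negative values and 0 all map to 0
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// Spec-shaped loop: [[HasProperty]] followed by [[Get]] for every index.
function specForEach(O, callback, thisArg) {
  const len = toLength(O.length);
  for (let k = 0; k < len; k++) {
    if (k in O) {            // [[HasProperty]](k), walks the prototype chain
      const kValue = O[k];   // [[Get]](k)
      callback.call(thisArg, kValue, k, O);
    }
  }
}

// The engine's own builtin, called through the same interface.
const builtinForEach = (O, callback) => Array.prototype.forEach.call(O, callback);

// Wrap an object so every [[HasProperty]] and [[Get]] is recorded in `log`.
function traced(target, log) {
  return new Proxy(target, {
    has(t, key) {
      log.push(`has ${String(key)}`);
      return Reflect.has(t, key);
    },
    get(t, key, receiver) {
      log.push(`get ${String(key)}`);
      return Reflect.get(t, key, receiver);
    },
  });
}

// Run `loop` over a traced view of `target`. `onVisit`, if given, may mutate
// the underlying array while the iteration is still in progress.
function run(loop, target, onVisit) {
  const log = [];
  const visited = [];
  loop(traced(target, log), (value, k) => {
    visited.push([k, value]);
    if (onVisit) onVisit(target, k);
  });
  return { log, visited };
}

// Constructed input 1: index 1 is a hole, so [[Get]] must be skipped for it.
function holeyArray() {
  return [10, , 30];
}

// Constructed input 2: index 1 is a hole in the array itself, but the
// prototype chain supplies a value, so [[HasProperty]] succeeds.
function inheritedElementArray() {
  const arr = [10, , 30];
  const proto = Object.create(Array.prototype);
  proto[1] = 'from prototype';
  Object.setPrototypeOf(arr, proto);
  return arr;
}

// Constructed input 3: the callback deletes index 1 while visiting index 0,
// so the element is absent "at the time of access".
function deleteNextOnFirstVisit(target, k) {
  if (k === 0) delete target[1];
}

for (const [name, loop] of [['spec loop', specForEach], ['builtin', builtinForEach]]) {
  console.log(name, 'holey     ', run(loop, holeyArray()).log.join(', '));
  console.log(name, 'inherited ', run(loop, inheritedElementArray()).log.join(', '));
  console.log(name, 'deleted   ', run(loop, [1, 2, 3], deleteNextOnFirstVisit).log.join(', '));
}
```

A fast path that merges the two accesses into one has to produce the same visited list in all three cases, which is why it can only apply when the array is known to have no holes (or no elements on its prototype chain) and the callback has not changed that.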
 

Comment 1 by habl...@google.com, Apr 29 2015

Status: Assigned

Comment 2 by cub...@gmail.com, Jun 9 2015

What's the status on this issue?
Cc: adamk@chromium.org
Re #2: About half a year ago, Adam implemented one optimization[1] that replaced the somewhat expensive [[HasProperty]] with a less expensive version for "JSArrays with packed elements".

[1] https://chromium.googlesource.com/v8/v8/+/6230641b83870c8659019ed0c2d907a79fff0200
Labels: -Type-Bug Type-FeatureRequest
Blockedon: chromium:167529
Components: Runtime
Labels: Performance HW-All OS-All
Owner: danno@chromium.org

Comment 7 Deleted

Blockedon: 5985
Blocking: 6019
Project Member

Comment 11 by bugdroid1@chromium.org, Mar 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/7de21c4d3b68976558879f126d83e86dc44c4f65

commit 7de21c4d3b68976558879f126d83e86dc44c4f65
Author: danno <danno@chromium.org>
Date: Thu Mar 16 15:34:01 2017

[builtins] Separate Array.prototype.* CSA builtins into two parts

Previous to this CL, CSA-optimized Array builtins--like forEach, some, and
every--were written in a single, monolithic block of CSA code.

This CL teases the code for each of these builtins apart into two chunks, a main
body with optimizations for fast cases, and a "continuation" builtin that
performs a spec-compliant, but slower version of the main loop of the
builtin. The general idea is that when the "fast" main body builtin encounters
an unexpected condition that invalidates assumptions allowing fast-case code, it
tail calls to the slow, correct version of the loop that finishes the builtin
execution.

This separation currently doesn't really provide any specific advantage over the
combined version. However, it paves the way to TF-optimized inlined Array
builtins. Inlined Array builtins may trigger deopts during the execution of the
builtin's loop, and those deopts must continue execution from the point at which
they failed. With some massaging of the deoptimizer, it will be possible to make
those deopt points create an extra frame on the top of the stack which resumes
execution in the slow-loop builtin created in this CL.

BUG=v8:1956
LOG=N

Review-Url: https://codereview.chromium.org/2753793002
Cr-Commit-Position: refs/heads/master@{#43867}

[modify] https://crrev.com/7de21c4d3b68976558879f126d83e86dc44c4f65/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/7de21c4d3b68976558879f126d83e86dc44c4f65/src/builtins/builtins.h
[modify] https://crrev.com/7de21c4d3b68976558879f126d83e86dc44c4f65/src/code-factory.cc
[modify] https://crrev.com/7de21c4d3b68976558879f126d83e86dc44c4f65/src/code-factory.h
[modify] https://crrev.com/7de21c4d3b68976558879f126d83e86dc44c4f65/src/compiler/code-assembler.cc
[modify] https://crrev.com/7de21c4d3b68976558879f126d83e86dc44c4f65/src/interface-descriptors.h

Labels: Priority-2
Project Member

Comment 15 by bugdroid1@chromium.org, Apr 29 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/680356278ddc7577e3b967fcc92055522ce00856

commit 680356278ddc7577e3b967fcc92055522ce00856
Author: danno <danno@chromium.org>
Date: Sat Apr 29 07:36:10 2017

[turbofan] Avoid going through ArgumentsAdaptorTrampoline for select CSA/C++ builtins

This CL changes certain frequently-called Array builtins to use CodeStubArguments
rather than peek at the stack frames above array builtins to determine if options
arguments have been passed into them.

BUG=v8:1956
LOG=N

Review-Url: https://codereview.chromium.org/2829093004
Cr-Commit-Position: refs/heads/master@{#44994}

[modify] https://crrev.com/680356278ddc7577e3b967fcc92055522ce00856/src/bootstrapper.cc
[modify] https://crrev.com/680356278ddc7577e3b967fcc92055522ce00856/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/680356278ddc7577e3b967fcc92055522ce00856/src/builtins/builtins-definitions.h
[modify] https://crrev.com/680356278ddc7577e3b967fcc92055522ce00856/src/code-factory.cc
[modify] https://crrev.com/680356278ddc7577e3b967fcc92055522ce00856/src/code-factory.h
[modify] https://crrev.com/680356278ddc7577e3b967fcc92055522ce00856/src/code-stub-assembler.cc
[modify] https://crrev.com/680356278ddc7577e3b967fcc92055522ce00856/src/code-stub-assembler.h
[modify] https://crrev.com/680356278ddc7577e3b967fcc92055522ce00856/src/compiler/code-assembler.cc
[modify] https://crrev.com/680356278ddc7577e3b967fcc92055522ce00856/src/interface-descriptors.h
[add] https://crrev.com/680356278ddc7577e3b967fcc92055522ce00856/test/mjsunit/regress/regress-709782.js

Project Member

Comment 16 by bugdroid1@chromium.org, Apr 29 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5896d38cfb9e3ae6be86b8aa22df258c78a7c758

commit 5896d38cfb9e3ae6be86b8aa22df258c78a7c758
Author: danno <danno@chromium.org>
Date: Sat Apr 29 09:44:07 2017

Revert of [turbofan] Avoid going through ArgumentsAdaptorTrampoline for CSA/C++ builtins (patchset #8 id:140001 of https://codereview.chromium.org/2829093004/ )

Reason for revert:
Nosnap failure

Original issue's description:
> [turbofan] Avoid going through ArgumentsAdaptorTrampoline for select CSA/C++ builtins
>
> This CL changes certain frequently-called Array builtins to use CodeStubArguments
> rather than peek at the stack frames above array builtins to determine if options
> arguments have been passed into them.
>
> BUG=v8:1956
> LOG=N
>
> Review-Url: https://codereview.chromium.org/2829093004
> Cr-Commit-Position: refs/heads/master@{#44994}
> Committed: https://chromium.googlesource.com/v8/v8/+/680356278ddc7577e3b967fcc92055522ce00856

TBR=mvstanton@chromium.org,ishell@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:1956

Review-Url: https://codereview.chromium.org/2851703005
Cr-Commit-Position: refs/heads/master@{#44995}

[modify] https://crrev.com/5896d38cfb9e3ae6be86b8aa22df258c78a7c758/src/bootstrapper.cc
[modify] https://crrev.com/5896d38cfb9e3ae6be86b8aa22df258c78a7c758/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/5896d38cfb9e3ae6be86b8aa22df258c78a7c758/src/builtins/builtins-definitions.h
[modify] https://crrev.com/5896d38cfb9e3ae6be86b8aa22df258c78a7c758/src/code-factory.cc
[modify] https://crrev.com/5896d38cfb9e3ae6be86b8aa22df258c78a7c758/src/code-factory.h
[modify] https://crrev.com/5896d38cfb9e3ae6be86b8aa22df258c78a7c758/src/code-stub-assembler.cc
[modify] https://crrev.com/5896d38cfb9e3ae6be86b8aa22df258c78a7c758/src/code-stub-assembler.h
[modify] https://crrev.com/5896d38cfb9e3ae6be86b8aa22df258c78a7c758/src/compiler/code-assembler.cc
[modify] https://crrev.com/5896d38cfb9e3ae6be86b8aa22df258c78a7c758/src/interface-descriptors.h
[delete] https://crrev.com/680356278ddc7577e3b967fcc92055522ce00856/test/mjsunit/regress/regress-709782.js

Project Member

Comment 17 by bugdroid1@chromium.org, Apr 29 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/7ca381e84792b83581d0199dfae2888781785273

commit 7ca381e84792b83581d0199dfae2888781785273
Author: danno <danno@chromium.org>
Date: Sat Apr 29 10:53:38 2017

[turbofan] Reland: Avoid going through ArgumentsAdaptorTrampoline for select CSA array builtins

This CL changes certain frequently-called Array builtins to use CodeStubArguments
rather than peek at the stack frames above array builtins to determine if options
arguments have been passed into them.

Previous failure cannot be reproed with failing config. Flake?

BUG=v8:1956
LOG=N

Review-Url: https://codereview.chromium.org/2829093004
Cr-Commit-Position: refs/heads/master@{#44996}

[modify] https://crrev.com/7ca381e84792b83581d0199dfae2888781785273/src/bootstrapper.cc
[modify] https://crrev.com/7ca381e84792b83581d0199dfae2888781785273/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/7ca381e84792b83581d0199dfae2888781785273/src/builtins/builtins-definitions.h
[modify] https://crrev.com/7ca381e84792b83581d0199dfae2888781785273/src/code-factory.cc
[modify] https://crrev.com/7ca381e84792b83581d0199dfae2888781785273/src/code-factory.h
[modify] https://crrev.com/7ca381e84792b83581d0199dfae2888781785273/src/code-stub-assembler.cc
[modify] https://crrev.com/7ca381e84792b83581d0199dfae2888781785273/src/code-stub-assembler.h
[modify] https://crrev.com/7ca381e84792b83581d0199dfae2888781785273/src/compiler/code-assembler.cc
[modify] https://crrev.com/7ca381e84792b83581d0199dfae2888781785273/src/interface-descriptors.h
[add] https://crrev.com/7ca381e84792b83581d0199dfae2888781785273/test/mjsunit/regress/regress-709782.js

Project Member

Comment 18 by bugdroid1@chromium.org, Apr 29 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/6953bb4012bf3b3e9e56f1fb7ba89e0294d278c8

commit 6953bb4012bf3b3e9e56f1fb7ba89e0294d278c8
Author: danno <danno@chromium.org>
Date: Sat Apr 29 10:58:50 2017

Revert of [turbofan] Avoid going through ArgumentsAdaptorTrampoline for CSA/C++ builtins (patchset #8 id:140001 of https://codereview.chromium.org/2829093004/ )

Reason for revert:
Still fails. Likely has to do with gc heap size for allocation site tests, mitigation pending...

Original issue's description:
> [turbofan] Reland: Avoid going through ArgumentsAdaptorTrampoline for select CSA array builtins
>
> This CL changes certain frequently-called Array builtins to use CodeStubArguments
> rather than peek at the stack frames above array builtins to determine if options
> arguments have been passed into them.
>
> Previous failure cannot be reproed with failing config. Flake?
>
> BUG=v8:1956
> LOG=N
>
> Review-Url: https://codereview.chromium.org/2829093004
> Cr-Commit-Position: refs/heads/master@{#44996}
> Committed: https://chromium.googlesource.com/v8/v8/+/7ca381e84792b83581d0199dfae2888781785273

TBR=mvstanton@chromium.org,ishell@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:1956

Review-Url: https://codereview.chromium.org/2851063002
Cr-Commit-Position: refs/heads/master@{#44997}

[modify] https://crrev.com/6953bb4012bf3b3e9e56f1fb7ba89e0294d278c8/src/bootstrapper.cc
[modify] https://crrev.com/6953bb4012bf3b3e9e56f1fb7ba89e0294d278c8/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/6953bb4012bf3b3e9e56f1fb7ba89e0294d278c8/src/builtins/builtins-definitions.h
[modify] https://crrev.com/6953bb4012bf3b3e9e56f1fb7ba89e0294d278c8/src/code-factory.cc
[modify] https://crrev.com/6953bb4012bf3b3e9e56f1fb7ba89e0294d278c8/src/code-factory.h
[modify] https://crrev.com/6953bb4012bf3b3e9e56f1fb7ba89e0294d278c8/src/code-stub-assembler.cc
[modify] https://crrev.com/6953bb4012bf3b3e9e56f1fb7ba89e0294d278c8/src/code-stub-assembler.h
[modify] https://crrev.com/6953bb4012bf3b3e9e56f1fb7ba89e0294d278c8/src/compiler/code-assembler.cc
[modify] https://crrev.com/6953bb4012bf3b3e9e56f1fb7ba89e0294d278c8/src/interface-descriptors.h
[delete] https://crrev.com/7ca381e84792b83581d0199dfae2888781785273/test/mjsunit/regress/regress-709782.js

Project Member

Comment 19 by bugdroid1@chromium.org, Apr 29 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/455f9df04c138c88c52ede7d3f0e91ea087c4ee6

commit 455f9df04c138c88c52ede7d3f0e91ea087c4ee6
Author: danno <danno@chromium.org>
Date: Sat Apr 29 11:40:48 2017

[turbofan] Reland: Avoid going through ArgumentsAdaptorTrampoline for select CSA array builtins

This CL changes certain frequently-called Array builtins to use CodeStubArguments
rather than peek at the stack frames above array builtins to determine if options
arguments have been passed into them.

Previous failure likely due to unfortunate/unluckily timed GC that moved due to
changed timing/allocation from this CL. Test mitigation for allocation-site-info.js
included.

BUG=v8:1956
LOG=N

Review-Url: https://codereview.chromium.org/2829093004
Cr-Commit-Position: refs/heads/master@{#44998}

[modify] https://crrev.com/455f9df04c138c88c52ede7d3f0e91ea087c4ee6/src/bootstrapper.cc
[modify] https://crrev.com/455f9df04c138c88c52ede7d3f0e91ea087c4ee6/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/455f9df04c138c88c52ede7d3f0e91ea087c4ee6/src/builtins/builtins-definitions.h
[modify] https://crrev.com/455f9df04c138c88c52ede7d3f0e91ea087c4ee6/src/code-factory.cc
[modify] https://crrev.com/455f9df04c138c88c52ede7d3f0e91ea087c4ee6/src/code-factory.h
[modify] https://crrev.com/455f9df04c138c88c52ede7d3f0e91ea087c4ee6/src/code-stub-assembler.cc
[modify] https://crrev.com/455f9df04c138c88c52ede7d3f0e91ea087c4ee6/src/code-stub-assembler.h
[modify] https://crrev.com/455f9df04c138c88c52ede7d3f0e91ea087c4ee6/src/compiler/code-assembler.cc
[modify] https://crrev.com/455f9df04c138c88c52ede7d3f0e91ea087c4ee6/src/interface-descriptors.h
[modify] https://crrev.com/455f9df04c138c88c52ede7d3f0e91ea087c4ee6/test/mjsunit/allocation-site-info.js
[add] https://crrev.com/455f9df04c138c88c52ede7d3f0e91ea087c4ee6/test/mjsunit/regress/regress-709782.js

Project Member

Comment 20 by bugdroid1@chromium.org, May 2 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/2c995c8c50a39bb7177ce7e041f76ca97240ed98

commit 2c995c8c50a39bb7177ce7e041f76ca97240ed98
Author: danno <danno@chromium.org>
Date: Tue May 02 13:45:09 2017

[builtins] De-duplicate specification of array builtin parameter count

Previously, the parameter count for CSA-generated array builtins needed to be
specified both in the TFJ list of builtins as well as in the bootstrapper when
installing each builtin. This patch adds a utility function that returns the
arity of builtins, including CSA-generated array builtins, given the builtin's
name. This function is now used by the bootstrapper and thus removes the need
for the explicit duplication.

R=ishell@chromium.org
BUG=v8:1956
LOG=N

Review-Url: https://codereview.chromium.org/2852833002
Cr-Commit-Position: refs/heads/master@{#45033}

[modify] https://crrev.com/2c995c8c50a39bb7177ce7e041f76ca97240ed98/src/bootstrapper.cc
[modify] https://crrev.com/2c995c8c50a39bb7177ce7e041f76ca97240ed98/src/builtins/builtins.cc
[modify] https://crrev.com/2c995c8c50a39bb7177ce7e041f76ca97240ed98/src/builtins/builtins.h

Project Member

Comment 21 by bugdroid1@chromium.org, May 2 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/25b7e882f23fbf26d42fa755a90683030d29907f

commit 25b7e882f23fbf26d42fa755a90683030d29907f
Author: mathias <mathias@qiwi.be>
Date: Tue May 02 15:51:08 2017

[builtins] Fix typo in macro name

During code review, `CASE` was renamed to `TFJ_CASE`, but one occurrence still refers to the old name. This patch fixes that.

Ref. 2c995c8c50a39bb7177ce7e041f76ca97240ed98

R=danno@chromium.org
BUG=v8:1956
LOG=N

Review-Url: https://codereview.chromium.org/2854913002
Cr-Commit-Position: refs/heads/master@{#45040}

[modify] https://crrev.com/25b7e882f23fbf26d42fa755a90683030d29907f/src/builtins/builtins.cc

Project Member

Comment 22 by bugdroid1@chromium.org, Jun 9 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/2a20ded9a163b2486a363c95c47b695cb453f273

commit 2a20ded9a163b2486a363c95c47b695cb453f273
Author: bmeurer <bmeurer@chromium.org>
Date: Fri Jun 09 09:03:33 2017

[turbofan] JSCreateClosure doesn't have any JS observable side effects.

The JSCreateClosure operator was not marked as Eliminatable, esp. it
wasn't marked as NoWrite (read: no JavaScript observable side-effect),
which led to a weird performance cliff with the new Array builtin
inlining. For example

  a.forEach(c => c);

was not inlined, whereas

  const f = c => c;
  a.forEach(f);

was properly inlined, despite not causing any trouble for TurboFan in
general. The reason was that the JSCreateClosure for the arrow function
was marked as "can cause potential side effect", which it cannot. This
fixes the operator to be properly marked as Eliminatable, thus removing
this performance cliff.

BUG=v8:1956, v8:6475 
R=danno@chromium.org

Review-Url: https://codereview.chromium.org/2930933002
Cr-Commit-Position: refs/heads/master@{#45801}

[modify] https://crrev.com/2a20ded9a163b2486a363c95c47b695cb453f273/src/compiler/js-generic-lowering.cc
[modify] https://crrev.com/2a20ded9a163b2486a363c95c47b695cb453f273/src/compiler/js-operator.cc

Comment 23 by danno@chromium.org, Jun 22 2017

Inlining of Array.prototype.forEach in TF:

https://codereview.chromium.org/2803853005
Cc: mathias@chromium.org
Project Member

Comment 25 by bugdroid1@chromium.org, Jul 10 2017

Project Member

Comment 26 by bugdroid1@chromium.org, Jul 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/acca8e287dce39bda56f2b971d669438e562a967

commit acca8e287dce39bda56f2b971d669438e562a967
Author: Mike Stanton <mvstanton@chromium.org>
Date: Thu Jul 13 09:00:22 2017

[Turbofan] Inline Array.prototype.map

Bug: v8:1956
Change-Id: I41af0cf5eb2fbb9f1d9d4172f3f546bcc2a715dc
Reviewed-on: https://chromium-review.googlesource.com/548639
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Daniel Clifford <danno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46618}
[modify] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/src/builtins/builtins-definitions.h
[modify] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/src/builtins/builtins.cc
[modify] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/src/compiler/access-builder.cc
[modify] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/src/compiler/access-builder.h
[modify] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/src/compiler/effect-control-linearizer.cc
[modify] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/src/compiler/effect-control-linearizer.h
[modify] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/src/compiler/js-call-reducer.h
[modify] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/src/compiler/js-create-lowering.h
[modify] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/src/compiler/load-elimination.cc
[modify] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/src/compiler/load-elimination.h
[modify] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/src/compiler/opcodes.h
[modify] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/src/compiler/simplified-operator.cc
[modify] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/src/compiler/simplified-operator.h
[modify] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/src/compiler/typer.cc
[modify] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/src/compiler/verifier.cc
[add] https://crrev.com/acca8e287dce39bda56f2b971d669438e562a967/test/mjsunit/optimized-map.js

Project Member

Comment 27 by bugdroid1@chromium.org, Jul 19 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/6ab0241d70e4251606fd1ef884b95c11f769d752

commit 6ab0241d70e4251606fd1ef884b95c11f769d752
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Wed Jul 19 09:52:53 2017

[turbofan] Handle exceptional edges in ReduceArrayMap.

This adds handling for exceptional control projections when lowering
calls to {Array.prototype.map} in the call reducer.

R=mvstanton@chromium.org
TEST=mjsunit/optimized-map
BUG=v8:1956

Change-Id: If39ee836bbc3406a7fca4bad0d2c9321130cae2a
Reviewed-on: https://chromium-review.googlesource.com/575928
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46755}
[modify] https://crrev.com/6ab0241d70e4251606fd1ef884b95c11f769d752/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/6ab0241d70e4251606fd1ef884b95c11f769d752/test/mjsunit/optimized-map.js

Project Member

Comment 28 by bugdroid1@chromium.org, Jul 24 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/d07365f9de631c71175e59681b813636997dc35a

commit d07365f9de631c71175e59681b813636997dc35a
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Mon Jul 24 09:04:11 2017

[turbofan] Handle exceptional edges in ReduceArrayForEach.

This adds handling for exceptional control projections when lowering
calls to {Array.prototype.forEach} in the call reducer.

R=jarin@chromium.org
TEST=mjsunit/optimized-foreach
BUG=v8:1956

Change-Id: I282048b203814cbc1c90df983879578b210f92fb
Reviewed-on: https://chromium-review.googlesource.com/574542
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46834}
[modify] https://crrev.com/d07365f9de631c71175e59681b813636997dc35a/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/d07365f9de631c71175e59681b813636997dc35a/test/mjsunit/optimized-foreach.js

Project Member

Comment 29 by bugdroid1@chromium.org, Jul 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/3fba4b7089897ddd739274d095de4abdd7dde3bb

commit 3fba4b7089897ddd739274d095de4abdd7dde3bb
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Fri Jul 28 05:11:38 2017

[js-perf-test] Add microbenchmarks for Array.prototype.join/toString.

Bug: v8:1956
Change-Id: Ic4c67392af2337ac35f9473073dae01264c5ac00
Reviewed-on: https://chromium-review.googlesource.com/590428
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46957}
[add] https://crrev.com/3fba4b7089897ddd739274d095de4abdd7dde3bb/test/js-perf-test/Array/join.js
[modify] https://crrev.com/3fba4b7089897ddd739274d095de4abdd7dde3bb/test/js-perf-test/Array/run.js
[add] https://crrev.com/3fba4b7089897ddd739274d095de4abdd7dde3bb/test/js-perf-test/Array/to-string.js
[modify] https://crrev.com/3fba4b7089897ddd739274d095de4abdd7dde3bb/test/js-perf-test/JSTests.json

Change in flight for Array.prototype.filter, adding optimized support: https://chromium-review.googlesource.com/c/v8/v8/+/657021
Project Member

Comment 32 by bugdroid1@chromium.org, Sep 19 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/47b63806fcf544cacc779fc08694dacdd9886e26

commit 47b63806fcf544cacc779fc08694dacdd9886e26
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Tue Sep 19 14:33:39 2017

Revert "[Turbofan] Array.prototype.filter inlining."

This reverts commit 37aa13fe3b434f5fe778ab4bc69c56c6bd526383.

Reason for revert: Suspected to break 63.0.3219 Canary

Original change's description:
> [Turbofan] Array.prototype.filter inlining.
> 
> Support inlining of Array.prototype.filter in TurboFan.
> 
> Bug: v8:1956
> Change-Id: Iba4d683aaa86c6104e8a1cf4d0f549a0c516576a
> Reviewed-on: https://chromium-review.googlesource.com/657021
> Commit-Queue: Michael Stanton <mvstanton@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48040}

TBR=mvstanton@chromium.org,mstarzinger@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:1956
Change-Id: I125a8caf128890d788e040adfe2fc76bd8d1fbea
Reviewed-on: https://chromium-review.googlesource.com/672783
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48083}
[modify] https://crrev.com/47b63806fcf544cacc779fc08694dacdd9886e26/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/47b63806fcf544cacc779fc08694dacdd9886e26/src/builtins/builtins-definitions.h
[modify] https://crrev.com/47b63806fcf544cacc779fc08694dacdd9886e26/src/builtins/builtins.cc
[modify] https://crrev.com/47b63806fcf544cacc779fc08694dacdd9886e26/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/47b63806fcf544cacc779fc08694dacdd9886e26/src/compiler/js-call-reducer.h
[delete] https://crrev.com/77836fec59288a8c060d9357af4f5c83a807b077/test/mjsunit/optimized-filter.js
[modify] https://crrev.com/47b63806fcf544cacc779fc08694dacdd9886e26/test/mjsunit/regress/regress-crbug-747062.js

Project Member

Comment 33 by bugdroid1@chromium.org, Oct 9 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5bd74f312481e2d5a8a399ada75da84615b38770

commit 5bd74f312481e2d5a8a399ada75da84615b38770
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Mon Oct 09 18:09:23 2017

[turbofan] Don't leak "the hole" into the callback function.

The contract in TurboFan is that "the hole" is never passed to "user
JavaScript", which we unfortunately still don't check strictly. Now
the inlined code for Array#forEach properly checks for "the hole",
but the type of the element Node passed to the callback function
doesn't reflect that. So introduce a proper TypeGuard here to reflect
this check.

This will also improve code generation for iteration of HOLEY arrays
better and might improve performance a bit.

Bug: v8:1956
Change-Id: Ib6b3c444b16fcf44551bda1b39f976d66b9362ab
Reviewed-on: https://chromium-review.googlesource.com/705954
Reviewed-by: Daniel Clifford <danno@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48400}
[modify] https://crrev.com/5bd74f312481e2d5a8a399ada75da84615b38770/src/compiler/js-call-reducer.cc

Project Member

Comment 34 by bugdroid1@chromium.org, Oct 18 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9fd029ef25a0b4937d5298f4bdaecdb771842117

commit 9fd029ef25a0b4937d5298f4bdaecdb771842117
Author: Mike Stanton <mvstanton@chromium.org>
Date: Wed Oct 18 17:09:27 2017

[Turbofan] Array.prototype.filter inlining.

Support inlining of Array.prototype.filter in TurboFan.

(relanding with fix for chromium:766635, visible in the
 diff between patchsets 2 and 3)

Bug: v8:1956,chromium:766635
Change-Id: Ia50be6770602513e3d91d17e2b2ca9d3b0e8b42a
Reviewed-on: https://chromium-review.googlesource.com/721119
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48697}
[modify] https://crrev.com/9fd029ef25a0b4937d5298f4bdaecdb771842117/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/9fd029ef25a0b4937d5298f4bdaecdb771842117/src/builtins/builtins-definitions.h
[modify] https://crrev.com/9fd029ef25a0b4937d5298f4bdaecdb771842117/src/builtins/builtins.cc
[modify] https://crrev.com/9fd029ef25a0b4937d5298f4bdaecdb771842117/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/9fd029ef25a0b4937d5298f4bdaecdb771842117/src/compiler/js-call-reducer.h
[modify] https://crrev.com/9fd029ef25a0b4937d5298f4bdaecdb771842117/src/deoptimizer.cc
[add] https://crrev.com/9fd029ef25a0b4937d5298f4bdaecdb771842117/test/mjsunit/optimized-filter.js
[modify] https://crrev.com/9fd029ef25a0b4937d5298f4bdaecdb771842117/test/mjsunit/regress/regress-crbug-747062.js
[add] https://crrev.com/9fd029ef25a0b4937d5298f4bdaecdb771842117/test/mjsunit/regress/regress-crbug-766635.js

Comment 35 by danno@google.com, Oct 20 2017

Attaching test case used to test micro-benchmark slice performance.
test_slice.js
Project Member

Comment 36 by bugdroid1@chromium.org, Oct 20 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/d672142f3826cb79d2e4b61fdf60df58fa86f026

commit d672142f3826cb79d2e4b61fdf60df58fa86f026
Author: Mike Stanton <mvstanton@chromium.org>
Date: Fri Oct 20 13:00:28 2017

Array.prototype.filter builtin should respect initial ElementsKind

If the input array is a JSArray with fast elements, it makes sense
to create an output array of the same ElementsKind when possible.

Bug: v8:1956
Change-Id: Ie9c937cf1751ccbbbe7cc76f40e1e1a0328ed37c
Reviewed-on: https://chromium-review.googlesource.com/730748
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48789}
[modify] https://crrev.com/d672142f3826cb79d2e4b61fdf60df58fa86f026/src/builtins/builtins-array-gen.cc
[add] https://crrev.com/d672142f3826cb79d2e4b61fdf60df58fa86f026/test/mjsunit/filter-element-kinds.js

Project Member

Comment 37 by bugdroid1@chromium.org, Oct 23 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b3d849905e0be612b9c1e1a931e86de74bf1d8ec

commit b3d849905e0be612b9c1e1a931e86de74bf1d8ec
Author: Mike Stanton <mvstanton@chromium.org>
Date: Mon Oct 23 19:29:50 2017

[Turbofan] Reland Array.prototype.filter inlining.

Support inlining of Array.prototype.filter in TurboFan.

Bug: v8:1956
Change-Id: If50e230d14461063d378c0591dc27dea43371afa
Reviewed-on: https://chromium-review.googlesource.com/733089
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48846}
[modify] https://crrev.com/b3d849905e0be612b9c1e1a931e86de74bf1d8ec/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/b3d849905e0be612b9c1e1a931e86de74bf1d8ec/src/builtins/builtins-definitions.h
[modify] https://crrev.com/b3d849905e0be612b9c1e1a931e86de74bf1d8ec/src/builtins/builtins.cc
[modify] https://crrev.com/b3d849905e0be612b9c1e1a931e86de74bf1d8ec/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/b3d849905e0be612b9c1e1a931e86de74bf1d8ec/src/compiler/js-call-reducer.h
[modify] https://crrev.com/b3d849905e0be612b9c1e1a931e86de74bf1d8ec/src/deoptimizer.cc
[modify] https://crrev.com/b3d849905e0be612b9c1e1a931e86de74bf1d8ec/test/mjsunit/filter-element-kinds.js
[add] https://crrev.com/b3d849905e0be612b9c1e1a931e86de74bf1d8ec/test/mjsunit/optimized-filter.js
[modify] https://crrev.com/b3d849905e0be612b9c1e1a931e86de74bf1d8ec/test/mjsunit/regress/regress-crbug-747062.js
[add] https://crrev.com/b3d849905e0be612b9c1e1a931e86de74bf1d8ec/test/mjsunit/regress/regress-crbug-766635.js
[add] https://crrev.com/b3d849905e0be612b9c1e1a931e86de74bf1d8ec/test/mjsunit/regress/regress-crbug-776511.js

Project Member

Comment 38 by bugdroid1@chromium.org, Oct 24 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/6452b26a4bd746928937124d674e6dc3b9031396

commit 6452b26a4bd746928937124d674e6dc3b9031396
Author: Daniel Clifford <danno@chromium.org>
Date: Tue Oct 24 06:39:47 2017

Reimplement Array.prototype.slice in CSA and C++

Previously, V8's slice was implemented in a combination of C++ and a
JavaScript fallback. The disadvantage of this approach was that the
fast-path required a call through the CEntryStub, which introduced
considerable overhead for small arrays with fast elements kinds.

Now the implementation primarily uses the CSA to generate both the
full spec-compliant implementation as well as fast paths for argument
objects and arrays with fast elements kinds. The CSA implementation
uses a C++ implementation fallback in select situations where the
complexity of a CSA implementation would be too great and the
CEntryStub overhead is not decisive (e.g. slices of dictionary
elements arrays).

Performance results on semi-random arrays with small number of
elements (old vs. new):

smi copy: 48.7 ms vs. 12 ms
smi slice: 43.5 ms vs. 14.8 ms
object copy: 35.5 ms vs. 7.7 ms
object slice: 38.7 ms vs. 8.8 ms
dictionary slice: 2398.3 ms vs. 5.4 ms
fast sloppy arguments slice: 9.6 ms vs. 7.2 ms
slow sloppy arguments slice: 28.9 ms vs. 8.5 ms

As a bonus, the new implementation is fully spec-compliant and fixes
at least one existing bug.

The design document for Array.prototype builtin rework can be found
at https://goo.gl/wFHe2n

Bug: v8:1956,v8:6601,v8:6710,v8:6978
Change-Id: Ia0155bedcf39b4577605ff754f416c2af938efb7
Reviewed-on: https://chromium-review.googlesource.com/574710
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48853}
[modify] https://crrev.com/6452b26a4bd746928937124d674e6dc3b9031396/src/bootstrapper.cc
[modify] https://crrev.com/6452b26a4bd746928937124d674e6dc3b9031396/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/6452b26a4bd746928937124d674e6dc3b9031396/src/builtins/builtins-definitions.h
[modify] https://crrev.com/6452b26a4bd746928937124d674e6dc3b9031396/src/code-factory.cc
[modify] https://crrev.com/6452b26a4bd746928937124d674e6dc3b9031396/src/code-factory.h
[modify] https://crrev.com/6452b26a4bd746928937124d674e6dc3b9031396/src/code-stub-assembler.h
[modify] https://crrev.com/6452b26a4bd746928937124d674e6dc3b9031396/src/debug/debug-evaluate.cc
[modify] https://crrev.com/6452b26a4bd746928937124d674e6dc3b9031396/src/elements.cc
[modify] https://crrev.com/6452b26a4bd746928937124d674e6dc3b9031396/src/flag-definitions.h
[modify] https://crrev.com/6452b26a4bd746928937124d674e6dc3b9031396/src/runtime/runtime-array.cc
[modify] https://crrev.com/6452b26a4bd746928937124d674e6dc3b9031396/src/runtime/runtime.h
[modify] https://crrev.com/6452b26a4bd746928937124d674e6dc3b9031396/test/cctest/compiler/test-run-stubs.cc
[modify] https://crrev.com/6452b26a4bd746928937124d674e6dc3b9031396/test/mjsunit/mjsunit.status
[add] https://crrev.com/6452b26a4bd746928937124d674e6dc3b9031396/test/mjsunit/splice-proxy.js

Project Member

Comment 39 by bugdroid1@chromium.org, Nov 8 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/2b2dd99545748437f4ea5bd176ed1e22adb179ec

commit 2b2dd99545748437f4ea5bd176ed1e22adb179ec
Author: Mike Stanton <mvstanton@chromium.org>
Date: Wed Nov 08 09:19:23 2017

[TurboFan] Support Double arrays in Array.prototype.filter inlining.

Bug: v8:1956
Change-Id: I8e35ab6614dbf98facb6c9053fa5c50d4afeda42
Reviewed-on: https://chromium-review.googlesource.com/729019
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49211}
[modify] https://crrev.com/2b2dd99545748437f4ea5bd176ed1e22adb179ec/src/compiler/js-call-reducer.cc

Blockedon: 7165
Blockedon: chromium:791045
Project Member

Comment 42 by bugdroid1@chromium.org, Dec 5 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/99b5f699abda3e470e0d22a8d48f6bd4a9976895

commit 99b5f699abda3e470e0d22a8d48f6bd4a9976895
Author: peterwmwong <peter.wm.wong@gmail.com>
Date: Tue Dec 05 07:23:13 2017

[builtins] Port Array.p.{find,findIndex} to CSA

- Removes JS implementation and InnerArrayFind/InnerArrayFindIndex
- Adds TFJ, with TFS for slow continuation path

Some quick benchmarks show ~2x improvement for unoptimized code
and up to 16% improvement against optimized code (diminishes with
larger arrays as iterating dominates).

https://github.com/peterwmwong/v8-perf/blob/master/array-find-findIndex/README.md

Bug: chromium:791045, v8:1956, v8:5049, v8:7165
Change-Id: Ie16252ed495bbd91fe548b16d5ef6764de791a50
Reviewed-on: https://chromium-review.googlesource.com/804704
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49851}
[modify] https://crrev.com/99b5f699abda3e470e0d22a8d48f6bd4a9976895/src/bootstrapper.cc
[modify] https://crrev.com/99b5f699abda3e470e0d22a8d48f6bd4a9976895/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/99b5f699abda3e470e0d22a8d48f6bd4a9976895/src/builtins/builtins-definitions.h
[modify] https://crrev.com/99b5f699abda3e470e0d22a8d48f6bd4a9976895/src/debug/debug-evaluate.cc
[modify] https://crrev.com/99b5f699abda3e470e0d22a8d48f6bd4a9976895/src/js/array.js
[modify] https://crrev.com/99b5f699abda3e470e0d22a8d48f6bd4a9976895/test/mjsunit/array-iteration.js
[modify] https://crrev.com/99b5f699abda3e470e0d22a8d48f6bd4a9976895/test/mjsunit/es6/array-find.js
[modify] https://crrev.com/99b5f699abda3e470e0d22a8d48f6bd4a9976895/test/mjsunit/es6/array-findindex.js

Project Member

Comment 43 by bugdroid1@chromium.org, Dec 5 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e0e1a5e56456682fa73f136267f2ff873218ef46

commit e0e1a5e56456682fa73f136267f2ff873218ef46
Author: peterwmwong <peter.wm.wong@gmail.com>
Date: Tue Dec 05 13:43:51 2017

[js-perf-test] Add Array.p.find microbenchmarks

Bug: chromium:791045, v8:1956, v8:7165
Change-Id: I5c5cf74376f61f71591a8c67fbc9d1584a2b9128
Reviewed-on: https://chromium-review.googlesource.com/807748
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49864}
[add] https://crrev.com/e0e1a5e56456682fa73f136267f2ff873218ef46/test/js-perf-test/Array/find.js
[modify] https://crrev.com/e0e1a5e56456682fa73f136267f2ff873218ef46/test/js-perf-test/Array/run.js
[modify] https://crrev.com/e0e1a5e56456682fa73f136267f2ff873218ef46/test/js-perf-test/JSTests.json

Project Member

Comment 45 by bugdroid1@chromium.org, Dec 7 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/12afb22458663c64ef90179447b895fb00a59f92

commit 12afb22458663c64ef90179447b895fb00a59f92
Author: Sergiy Byelozyorov <sergiyb@chromium.org>
Date: Thu Dec 07 13:49:46 2017

[test] Add find-index.js to the list of resources for the test

R=jgruber@chromium.org

Bug: chromium:791045, v8:1956, v8:7165
Change-Id: I58ba09248824f0309a3d37afa3e59bdea7c5f1f1
Reviewed-on: https://chromium-review.googlesource.com/813914
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49933}
[modify] https://crrev.com/12afb22458663c64ef90179447b895fb00a59f92/test/js-perf-test/JSTests.json

Project Member

Comment 46 by bugdroid1@chromium.org, Dec 11 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a837ef8a9a43b9b2f05818e54c5cb929b4d20986

commit a837ef8a9a43b9b2f05818e54c5cb929b4d20986
Author: peterwmwong <peter.wm.wong@gmail.com>
Date: Mon Dec 11 11:16:09 2017

[turbofan] Array.prototype.find inlining.

Support inlining Array.prototype.find in Turbofan.
Quick benchmarks show >2x improvement for Smi and
Double packed arrays: https://github.com/peterwmwong/v8-perf/blob/master/array-find-tf/README.md

Bug: chromium:791045, v8:1956
Change-Id: I9a6882be9bc3e1e84df372a24bd0f85897cf92a0
Reviewed-on: https://chromium-review.googlesource.com/818193
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49987}
[modify] https://crrev.com/a837ef8a9a43b9b2f05818e54c5cb929b4d20986/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/a837ef8a9a43b9b2f05818e54c5cb929b4d20986/src/builtins/builtins-definitions.h
[modify] https://crrev.com/a837ef8a9a43b9b2f05818e54c5cb929b4d20986/src/builtins/builtins.cc
[modify] https://crrev.com/a837ef8a9a43b9b2f05818e54c5cb929b4d20986/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/a837ef8a9a43b9b2f05818e54c5cb929b4d20986/src/compiler/js-call-reducer.h
[add] https://crrev.com/a837ef8a9a43b9b2f05818e54c5cb929b4d20986/test/mjsunit/optimized-array-find.js

Project Member

Comment 47 by bugdroid1@chromium.org, Dec 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e2ce2e0aff862686379db8cf66eab45242d580d4

commit e2ce2e0aff862686379db8cf66eab45242d580d4
Author: peterwmwong <peter.wm.wong@gmail.com>
Date: Wed Dec 13 05:38:17 2017

[turbofan] Fix Array.p.find handling of holes in double elements

Bug: chromium:791045, v8:1956
Change-Id: I1400fc95b78e0f4771867d136377b14aed5bd4f4
Reviewed-on: https://chromium-review.googlesource.com/819510
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50061}
[modify] https://crrev.com/e2ce2e0aff862686379db8cf66eab45242d580d4/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/e2ce2e0aff862686379db8cf66eab45242d580d4/test/mjsunit/optimized-array-find.js

Project Member

Comment 48 by bugdroid1@chromium.org, Dec 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/0b9036dcc96f38635cd9bcad63682d8ee7b61f3d

commit 0b9036dcc96f38635cd9bcad63682d8ee7b61f3d
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Wed Dec 13 17:29:25 2017

[turbofan] Make Array#find use integers for the index.

The k value passed to NumberAdd was outside the integer range, which
meant it had to choose Double as the only valid representation. The
other array builtins pass the result of CheckBounds here to specifically
force the types into integer range, which allows the representation
selection to pick Word32 instead of Float64 representation.

Drive-by-fix: Pass kind to AccessBuilder::ForJSArrayLength() as well.

Bug: chromium:791045, v8:1956
Change-Id: I357e1ba0dc52be544e631e4d554ab772b9b4c9bb
Reviewed-on: https://chromium-review.googlesource.com/823968
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50084}
[modify] https://crrev.com/0b9036dcc96f38635cd9bcad63682d8ee7b61f3d/src/compiler/js-call-reducer.cc

Project Member

Comment 49 by bugdroid1@chromium.org, Dec 15 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/61e2f270d84f53a9a65bbf1de45f98e7a05c9d22

commit 61e2f270d84f53a9a65bbf1de45f98e7a05c9d22
Author: peterwmwong <peter.wm.wong@gmail.com>
Date: Fri Dec 15 16:32:26 2017

[turbofan] Array.prototype.findIndex inlining.

Support inlining Array.prototype.findIndex in Turbofan.
Depending on array size, quick benchmarks show a >2x
improvement: https://github.com/peterwmwong/v8-perf/blob/master/array-find-findIndex-tf/README.md

Bug: chromium:791045, v8:1956, v8:7165
Change-Id: I250554885f924c97b0072e09ee289713df5cbe63
Reviewed-on: https://chromium-review.googlesource.com/824382
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50133}
[modify] https://crrev.com/61e2f270d84f53a9a65bbf1de45f98e7a05c9d22/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/61e2f270d84f53a9a65bbf1de45f98e7a05c9d22/src/builtins/builtins-definitions.h
[modify] https://crrev.com/61e2f270d84f53a9a65bbf1de45f98e7a05c9d22/src/builtins/builtins.cc
[modify] https://crrev.com/61e2f270d84f53a9a65bbf1de45f98e7a05c9d22/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/61e2f270d84f53a9a65bbf1de45f98e7a05c9d22/src/compiler/js-call-reducer.h
[modify] https://crrev.com/61e2f270d84f53a9a65bbf1de45f98e7a05c9d22/test/mjsunit/optimized-array-find.js
[add] https://crrev.com/61e2f270d84f53a9a65bbf1de45f98e7a05c9d22/test/mjsunit/optimized-array-findindex.js

Comment 50 by danno@chromium.org, Dec 18 2017

Blockedon: 7221
Project Member

Comment 53 by bugdroid1@chromium.org, Dec 29 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/8c68b655ec01667cf9d03785a9f4790fc70d80a5

commit 8c68b655ec01667cf9d03785a9f4790fc70d80a5
Author: Mike Stanton <mvstanton@chromium.org>
Date: Fri Dec 29 10:50:36 2017

[Turbofan] Add holey support to Array.prototype.map & filter.

Bug: v8:1956
Change-Id: Iae150730eb230dd7c90c66941d4d6aa8f0f0a423
Reviewed-on: https://chromium-review.googlesource.com/845685
Reviewed-by: Daniel Clifford <danno@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50317}
[modify] https://crrev.com/8c68b655ec01667cf9d03785a9f4790fc70d80a5/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/8c68b655ec01667cf9d03785a9f4790fc70d80a5/test/mjsunit/optimized-filter.js
[modify] https://crrev.com/8c68b655ec01667cf9d03785a9f4790fc70d80a5/test/mjsunit/optimized-map.js

Project Member

Comment 56 by bugdroid1@chromium.org, Jan 4 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/506371974711446f34870b60b8368fd0093f8b9e

commit 506371974711446f34870b60b8368fd0093f8b9e
Author: Mike Stanton <mvstanton@chromium.org>
Date: Thu Jan 04 12:10:46 2018

[TurboFan] Handle double holey arrays in several array builtins.

Array.prototype.{forEach, filter, map, every} get this support
with the help of a new opcode NumberIsFloat64Hole.

Bug: v8:1956
Change-Id: Ic6a785590cec66bae4c1462c19d6843c0aa5473b
Reviewed-on: https://chromium-review.googlesource.com/847435
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Daniel Clifford <danno@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50358}
[modify] https://crrev.com/506371974711446f34870b60b8368fd0093f8b9e/src/compiler/effect-control-linearizer.cc
[modify] https://crrev.com/506371974711446f34870b60b8368fd0093f8b9e/src/compiler/effect-control-linearizer.h
[modify] https://crrev.com/506371974711446f34870b60b8368fd0093f8b9e/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/506371974711446f34870b60b8368fd0093f8b9e/src/compiler/opcodes.h
[modify] https://crrev.com/506371974711446f34870b60b8368fd0093f8b9e/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/506371974711446f34870b60b8368fd0093f8b9e/src/compiler/simplified-operator.cc
[modify] https://crrev.com/506371974711446f34870b60b8368fd0093f8b9e/src/compiler/simplified-operator.h
[modify] https://crrev.com/506371974711446f34870b60b8368fd0093f8b9e/src/compiler/typer.cc
[modify] https://crrev.com/506371974711446f34870b60b8368fd0093f8b9e/src/compiler/verifier.cc
[modify] https://crrev.com/506371974711446f34870b60b8368fd0093f8b9e/test/mjsunit/optimized-foreach.js
[modify] https://crrev.com/506371974711446f34870b60b8368fd0093f8b9e/test/mjsunit/optimized-map.js

Project Member

Comment 57 by bugdroid1@chromium.org, Jan 19 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/8f8b452fb8d4531faf1e08024c28a5439c9288c7

commit 8f8b452fb8d4531faf1e08024c28a5439c9288c7
Author: Mike Stanton <mvstanton@chromium.org>
Date: Fri Jan 19 11:37:55 2018

[TurboFan] Enable Array.prototype.some inlining

Along with double holey support.

Bug: v8:1956
Change-Id: Ic7fb233c57cbc3d43a5a6190f5d166686ae86df7
Reviewed-on: https://chromium-review.googlesource.com/874476
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50712}
[modify] https://crrev.com/8f8b452fb8d4531faf1e08024c28a5439c9288c7/src/compiler/js-call-reducer.cc

Blockedon: 7420
Project Member

Comment 59 by bugdroid1@chromium.org, Feb 9 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/630b2a5f19607d29421bb911ebb8cee7cd395dde

commit 630b2a5f19607d29421bb911ebb8cee7cd395dde
Author: Dan Elphick <delphick@chromium.org>
Date: Fri Feb 09 14:01:06 2018

[builtins] Implement Array.from in CodeStubAssembler

This removes the JavaScript version of Array.from in js/array.js and
adds a CodeStubAssembler version in src/builtins/builtins-array-gen.cc.

Also modify IteratorBuiltinsAssembler to allow querying the existence
of the iterator method without calling it so we can fall back to the
array-like behavior.

BUG=v8:1956

Change-Id: Ibfb3cef002d72d70bd30b4de676fd22becde006c
Reviewed-on: https://chromium-review.googlesource.com/887066
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51208}
[modify] https://crrev.com/630b2a5f19607d29421bb911ebb8cee7cd395dde/src/bootstrapper.cc
[modify] https://crrev.com/630b2a5f19607d29421bb911ebb8cee7cd395dde/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/630b2a5f19607d29421bb911ebb8cee7cd395dde/src/builtins/builtins-definitions.h
[modify] https://crrev.com/630b2a5f19607d29421bb911ebb8cee7cd395dde/src/builtins/builtins-iterator-gen.cc
[modify] https://crrev.com/630b2a5f19607d29421bb911ebb8cee7cd395dde/src/builtins/builtins-iterator-gen.h
[modify] https://crrev.com/630b2a5f19607d29421bb911ebb8cee7cd395dde/src/compiler/code-assembler.h
[modify] https://crrev.com/630b2a5f19607d29421bb911ebb8cee7cd395dde/src/js/array.js
[modify] https://crrev.com/630b2a5f19607d29421bb911ebb8cee7cd395dde/test/mjsunit/es6/array-from.js

Project Member

Comment 60 by bugdroid1@chromium.org, Aug 22

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/11261f42064a28db59034335ad192ce5cc22ed7e

commit 11261f42064a28db59034335ad192ce5cc22ed7e
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Wed Aug 22 19:23:31 2018

[turbofan] Support HOLEY_DOUBLE_ELEMENTS for Array#find() and findIndex().

This adds the missing support for HOLEY_DOUBLE_ELEMENTS to both
`Array#find()` and `Array#findIndex()`. The implementation just deopts
whenever it hits a double hole. In order to prevent deoptimization
loops we add feedback to the CheckFloat64Hole operator, which also
addresses the TODO in the `%ArrayIteratorPrototype%.next()` lowering.

This provides a speed-up of up to 8x in microbenchmarks when using
`Array#find()` or `Array#findIndex()` on HOLEY_DOUBLE_ELEMENTS arrays.

Bug: chromium:791045, v8:1956, v8:6587, v8:7165, v8:8015
Change-Id: I1be22d3fcba56c676a81dc31a9042f8123ef3a55
Reviewed-on: https://chromium-review.googlesource.com/1183906
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55321}
[modify] https://crrev.com/11261f42064a28db59034335ad192ce5cc22ed7e/src/compiler/effect-control-linearizer.cc
[modify] https://crrev.com/11261f42064a28db59034335ad192ce5cc22ed7e/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/11261f42064a28db59034335ad192ce5cc22ed7e/src/compiler/js-native-context-specialization.cc
[modify] https://crrev.com/11261f42064a28db59034335ad192ce5cc22ed7e/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/11261f42064a28db59034335ad192ce5cc22ed7e/src/compiler/simplified-operator.cc
[modify] https://crrev.com/11261f42064a28db59034335ad192ce5cc22ed7e/src/compiler/simplified-operator.h
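
The hole handling that the holey and double-holey commits above have to preserve can be checked from script. The following is an added example, not V8 project code or one of its tests: it compares the builtins with spec-style reference loops on packed and holey arrays, with and without an element installed on `Array.prototype`. All function names and sample arrays are hypothetical and constructed for the example.

```javascript
// Added example, not V8 project code. All names here are hypothetical.

// Reference loops written from the spec steps the issue describes:
// filter/map test [[HasProperty]] before [[Get]], so true holes are skipped.
function refFilter(arr, fn) {
  const out = [];
  for (let k = 0; k < arr.length; k++) {
    if (k in arr) {                 // [[HasProperty]], walks the prototype chain
      const v = arr[k];             // [[Get]]
      if (fn(v, k, arr)) out.push(v);
    }
  }
  return out;
}

function refMap(arr, fn) {
  const out = new Array(arr.length);
  for (let k = 0; k < arr.length; k++) {
    if (k in arr) out[k] = fn(arr[k], k, arr);
  }
  return out;
}

// find/findIndex have no [[HasProperty]] step: a hole is visited as undefined
// (or as whatever the prototype chain supplies at that index).
function refFindIndex(arr, fn) {
  for (let k = 0; k < arr.length; k++) {
    if (fn(arr[k], k, arr)) return k;
  }
  return -1;
}

function refFind(arr, fn) {
  const k = refFindIndex(arr, fn);
  return k === -1 ? undefined : arr[k];
}

// Compare two arrays including which indices are own properties (holes matter).
function sameOwn(a, b) {
  if (a.length !== b.length) return false;
  for (let k = 0; k < a.length; k++) {
    const ha = Object.prototype.hasOwnProperty.call(a, k);
    const hb = Object.prototype.hasOwnProperty.call(b, k);
    if (ha !== hb || (ha && !Object.is(a[k], b[k]))) return false;
  }
  return true;
}

// Constructed sample inputs, one per elements kind named in the commits.
const CASES = {
  packedSmi: () => [1, 2, 3, 4],
  holeySmi: () => [1, , 3, 4],
  packedDouble: () => [1.5, 2.5, 3.5],
  holeyDouble: () => [1.5, , 3.5, , 5.5],
  holeyObject: () => ['a', , 'c'],
};

// Runs every builtin `rounds` times per case so the engine has a chance to
// optimize the call sites (whether it does is up to the engine's heuristics).
// If protoIndex is given, Array.prototype[protoIndex] is set for the run, so
// a hole at that index must read through to the prototype.
function runChecks(rounds, protoIndex) {
  const mismatches = [];
  const keep = (v) => v !== 3.5;
  const bump = (v) => v + 1;
  const isUndef = (v) => v === undefined;
  if (protoIndex !== undefined) Array.prototype[protoIndex] = 9.5;
  try {
    for (const [name, make] of Object.entries(CASES)) {
      for (let i = 0; i < rounds; i++) {
        const arr = make();
        if (!sameOwn(arr.filter(keep), refFilter(arr, keep))) mismatches.push(`${name}: filter`);
        if (!sameOwn(arr.map(bump), refMap(arr, bump))) mismatches.push(`${name}: map`);
        if (arr.findIndex(isUndef) !== refFindIndex(arr, isUndef)) mismatches.push(`${name}: findIndex`);
        if (!Object.is(arr.find(isUndef), refFind(arr, isUndef))) mismatches.push(`${name}: find`);
      }
    }
  } finally {
    if (protoIndex !== undefined) delete Array.prototype[protoIndex];
  }
  return [...new Set(mismatches)];
}

console.log('no prototype element:', runChecks(2000));
console.log('Array.prototype[1] = 9.5:', runChecks(2000, 1));
```

An empty list from both runs means the builtins agreed with the reference loops on every case; any entry names the elements kind and builtin that diverged.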

Project Member

Comment 61 by bugdroid1@chromium.org, Sep 4

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/fd334b3216488011b368ec4652819e08c38d0d36

commit fd334b3216488011b368ec4652819e08c38d0d36
Author: Mike Stanton <mvstanton@chromium.org>
Date: Tue Sep 04 13:18:23 2018

[builtins] Enable Torque Array.prototype.splice

Before, splice was implemented with a C++ fast path and a
comprehensive JavaScript version.

This impl. is entirely in Torque with a fastpath for SMI,
DOUBLE and OBJECT arrays, and a comprehensive slow path.
The same level of "sparse" array support as given by the
array.js implementation is included.

This reland addresses several issues:

* Removed "sparse" array support from splice.
* Addressed ClusterFuzz issue 876443:
  The test and code that uses the fix is in this CL.
  The fix in isolation can be seen here:
  https://chromium-review.googlesource.com/c/v8/v8/+/1199403
* Removed dead code in elements.cc

BUG=chromium:876443, v8:8131, v8:1956, v8:7221

Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I2d4a66c24ba1edabeca34e27e6ff8ee6136ed5f1
Reviewed-on: https://chromium-review.googlesource.com/1201783
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55610}
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/BUILD.gn
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/src/bootstrapper.cc
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/src/builtins/array-reverse.tq
[add] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/src/builtins/array-splice.tq
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/src/builtins/array.tq
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/src/builtins/base.tq
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/src/builtins/builtins-array.cc
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/src/builtins/builtins-definitions.h
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/src/code-stub-assembler.cc
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/src/code-stub-assembler.h
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/src/contexts.h
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/src/elements.cc
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/src/elements.h
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/src/flag-definitions.h
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/src/js/array.js
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/src/runtime/runtime-array.cc
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/src/runtime/runtime.h
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/test/mjsunit/array-functions-prototype-misc.js
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/test/mjsunit/array-splice.js
[add] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/test/mjsunit/regress/regress-crbug-876443.js
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/test/mjsunit/regress/regress-splice-large-index.js
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/test/mozilla/mozilla.status
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/test/test262/test262.status
[modify] https://crrev.com/fd334b3216488011b368ec4652819e08c38d0d36/test/webkit/array-splice.js
