Google Git
Sign in
chromium / v8 / v8 / bcdede0c53ab6c0cb6912111f599435cd8f6929f
commitbcdede0c53ab6c0cb6912111f599435cd8f6929f[log] [tgz]
authorBenedikt Meurer <bmeurer@chromium.org>Wed Sep 26 14:47:25 2018
committerCommit Bot <commit-bot@chromium.org>Sun Oct 07 12:00:01 2018
tree0619dc5d12152f840781d894bb1ec4c9c8da50fd
parent248fd5ffe045f583ee493634d64cf9b3b068c106 [diff]
[turbofan] Eliminate redundant Smi checks around array accesses.

As identified in the web-tooling-benchmark, there are specific code
patterns involving array indexed property accesses and subsequent
comparisons of those indices that lead to repeated Smi checks in the
optimized code, which in turn leads to high register pressure and
generally bad register allocation. An example of this pattern is
code like this:

```js
function f(a, n) {
  const i = a[n];
  if (n >= 1) return i;
}
```

The `a[n]` property access introduces a CheckBounds on `n`, which
later lowers to a `CheckedTaggedToInt32[dont-check-minus-zero]`,
however the `n >= 1` comparison has collected `SignedSmall` feedback
and so it introduces a `CheckedTaggedToTaggedSigned` operation. This
second Smi check is redundant and cannot easily be combined with the
earlier tagged->int32 conversion, since that also deals with heap
numbers and even truncates -0 to 0.

So we teach the RedundancyElimination to look at the inputs of these
speculative number comparisons and if there's a leading bounds check
on either of these inputs, we change the input to the result of the
bounds check. This avoids the redundant Smi checks later and generally
allows the SimplifiedLowering to do a significantly better job on the
number comparisons. We only do this in case of SignedSmall feedback
and only for inputs that are not already known to be in UnsignedSmall
range, to avoid doing too many (unnecessary) expensive lookups during
RedundancyElimination.

All of this is safe despite the fact that CheckBounds truncates -0
to 0, since the regular number comparisons in JavaScript identify
0 and -0 (unlike Object.is()). This also adds appropriate tests,
especially for the interesting cases where -0 is used only after
the code was optimized.

Bug: v8:6936, v8:7094
Change-Id: Ie37114fb6192e941ae1a4f0bfe00e9c0a8305c07
Reviewed-on: https://chromium-review.googlesource.com/c/1246181
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56428}
6 files changed
tree: 0619dc5d12152f840781d894bb1ec4c9c8da50fd
  1. benchmarks/
  2. build_overrides/
  3. custom_deps/
  4. docs/
  5. gni/
  6. include/
  7. infra/
  8. samples/
  9. src/
  10. test/
  11. testing/
  12. third_party/
  13. tools/
  14. .clang-format
  15. .clang-tidy
  16. .editorconfig
  17. .git-blame-ignore-revs
  18. .gitattributes
  19. .gitignore
  20. .gn
  21. .vpython
  22. .ycm_extra_conf.py
  23. AUTHORS
  24. BUILD.gn
  25. ChangeLog
  26. CODE_OF_CONDUCT.md
  27. codereview.settings
  28. DEPS
  29. LICENSE
  30. LICENSE.fdlibm
  31. LICENSE.strongtalk
  32. LICENSE.v8
  33. LICENSE.valgrind
  34. OWNERS
  35. PRESUBMIT.py
  36. README.md
  37. snapshot_toolchain.gni
  38. WATCHLISTS
README.md

V8 JavaScript Engine

V8 is Google's open source JavaScript engine.

V8 implements ECMAScript as specified in ECMA-262.

V8 is written in C++ and is used in Google Chrome, the open source browser from Google.

V8 can run standalone, or can be embedded into any C++ application.

V8 Project page: https://github.com/v8/v8/wiki

Getting the Code

Checkout depot tools, and run

    fetch v8

This will checkout V8 into the directory v8 and fetch all of its dependencies. To stay up to date, run

    git pull origin
    gclient sync

For fetching all branches, add the following into your remote configuration in .git/config:

    fetch = +refs/branch-heads/*:refs/remotes/branch-heads/*
    fetch = +refs/tags/*:refs/tags/*

Contributing

Please follow the instructions mentioned on the V8 wiki.