[compiler] Fix more concurrency issues exposed by tsan
- FLAG_turbo_inline_js_wasm_calls data race - Map::instance_descriptors non-atomic concurrent loads - Skip one more cctest incompatible with stress_concurrent_inlining Bug: v8:7790,v8:11648,v8:11651 Change-Id: Ie4833373a1da34497f4cfe129254071d8a5772dd Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2827891 Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#73970}
This commit is contained in:
parent
5ecb5bd978
commit
09e0ad9a74
@ -84,6 +84,7 @@ bool OptimizedCompilationInfo::FlagGetIsValid(Flag flag) const {
|
||||
|
||||
void OptimizedCompilationInfo::ConfigureFlags() {
|
||||
if (FLAG_untrusted_code_mitigations) set_untrusted_code_mitigations();
|
||||
if (FLAG_turbo_inline_js_wasm_calls) set_inline_js_wasm_calls();
|
||||
|
||||
switch (code_kind_) {
|
||||
case CodeKind::TURBOFAN:
|
||||
|
@ -71,7 +71,8 @@ class V8_EXPORT_PRIVATE OptimizedCompilationInfo final {
|
||||
V(TraceHeapBroker, trace_heap_broker, 17) \
|
||||
V(WasmRuntimeExceptionSupport, wasm_runtime_exception_support, 18) \
|
||||
V(ConcurrentInlining, concurrent_inlining, 19) \
|
||||
V(DiscardResultForTesting, discard_result_for_testing, 20)
|
||||
V(DiscardResultForTesting, discard_result_for_testing, 20) \
|
||||
V(InlineJSWasmCalls, inline_js_wasm_calls, 21)
|
||||
|
||||
enum Flag {
|
||||
#define DEF_ENUM(Camel, Lower, Bit) k##Camel = 1 << Bit,
|
||||
|
@ -427,8 +427,8 @@ PropertyAccessInfo AccessInfoFactory::ComputeDataFieldAccessInfo(
|
||||
Handle<Map> receiver_map, Handle<Map> map, MaybeHandle<JSObject> holder,
|
||||
InternalIndex descriptor, AccessMode access_mode) const {
|
||||
DCHECK(descriptor.is_found());
|
||||
Handle<DescriptorArray> descriptors(map->instance_descriptors(isolate()),
|
||||
isolate());
|
||||
Handle<DescriptorArray> descriptors = broker()->CanonicalPersistentHandle(
|
||||
map->instance_descriptors(kAcquireLoad));
|
||||
PropertyDetails const details = descriptors->GetDetails(descriptor);
|
||||
int index = descriptors->GetFieldIndex(descriptor);
|
||||
Representation details_representation = details.representation();
|
||||
|
@ -3442,8 +3442,8 @@ Reduction JSCallReducer::ReduceArraySome(Node* node,
|
||||
#if V8_ENABLE_WEBASSEMBLY
|
||||
|
||||
namespace {
|
||||
|
||||
bool CanInlineJSToWasmCall(const wasm::FunctionSig* wasm_signature) {
|
||||
DCHECK(FLAG_turbo_inline_js_wasm_calls);
|
||||
if (wasm_signature->return_count() > 1) {
|
||||
return false;
|
||||
}
|
||||
@ -3460,10 +3460,13 @@ bool CanInlineJSToWasmCall(const wasm::FunctionSig* wasm_signature) {
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
} // namespace
|
||||
|
||||
Reduction JSCallReducer::ReduceCallWasmFunction(
|
||||
Node* node, const SharedFunctionInfoRef& shared) {
|
||||
DCHECK(flags() & kInlineJSToWasmCalls);
|
||||
|
||||
JSCallNode n(node);
|
||||
const CallParameters& p = n.Parameters();
|
||||
|
||||
|
@ -2308,8 +2308,8 @@ void MapData::SerializeOwnDescriptor(JSHeapBroker* broker,
|
||||
// owner map if it is different than the current map. This is because
|
||||
// {instance_descriptors_} gets set on SerializeOwnDescriptor and otherwise
|
||||
// we risk the field owner having a null {instance_descriptors_}.
|
||||
Handle<DescriptorArray> descriptors(map->instance_descriptors(isolate),
|
||||
isolate);
|
||||
Handle<DescriptorArray> descriptors = broker->CanonicalPersistentHandle(
|
||||
map->instance_descriptors(kAcquireLoad));
|
||||
if (descriptors->GetDetails(descriptor_index).location() == kField) {
|
||||
Handle<Map> owner(map->FindFieldOwner(isolate, descriptor_index),
|
||||
isolate);
|
||||
|
@ -1385,7 +1385,7 @@ struct InliningPhase {
|
||||
if (data->info()->bailout_on_uninitialized()) {
|
||||
call_reducer_flags |= JSCallReducer::kBailoutOnUninitialized;
|
||||
}
|
||||
if (FLAG_turbo_inline_js_wasm_calls && data->info()->inlining()) {
|
||||
if (data->info()->inline_js_wasm_calls() && data->info()->inlining()) {
|
||||
call_reducer_flags |= JSCallReducer::kInlineJSToWasmCalls;
|
||||
}
|
||||
JSCallReducer call_reducer(&graph_reducer, data->jsgraph(), data->broker(),
|
||||
@ -2746,7 +2746,7 @@ bool PipelineImpl::OptimizeGraph(Linkage* linkage) {
|
||||
|
||||
#if V8_ENABLE_WEBASSEMBLY
|
||||
if (data->has_js_wasm_calls()) {
|
||||
DCHECK(FLAG_turbo_inline_js_wasm_calls);
|
||||
DCHECK(data->info()->inline_js_wasm_calls());
|
||||
Run<WasmInliningPhase>();
|
||||
RunPrintAndVerify(WasmInliningPhase::phase_name(), true);
|
||||
}
|
||||
|
@ -710,6 +710,7 @@
|
||||
# crbug.com/v8/11513: Flakily failing due to the additional compile task.
|
||||
'test-heap/EnsureAllocationSiteDependentCodesProcessed': [PASS, FAIL],
|
||||
'test-heap/LeakNativeContextViaMapProto': [PASS, FAIL],
|
||||
'test-heap/NewSpaceObjectsInOptimizedCode': [PASS, FAIL],
|
||||
'test-heap/ObjectsInEagerlyDeoptimizedCodeAreWeak': [PASS, FAIL],
|
||||
}], # variant == stress_concurrent_inlining
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user