The biggest chunk of this CL is related to the CodeBuilder now
returning a Code object instead of an InstructionStream. Most
codegen-related parts of the codebase had to be updated, including
compiler.cc, pipeline.cc, and many tests. The good news is,
we now have 400 fewer references to InstructionStream.
Smaller changes:
- Remove ToAbstractCode
- Remove dead code
- Update comments
- Update method and variable names
Bug: v8:13654
Change-Id: Ieb12bc698af576e07016e4c5c8c9d494e5addb0e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4174091
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85372}
This CL introduces an initial implementation of code flushing, which
can be triggered from JavaScript with an explicit runtime call. The
runtime call allows easier testing. So far all Liftoff code gets
deallocated at a code flushing event. Experiments will show if this is
a good strategy.
Bug: chromium:1407659
Change-Id: I2c19a25ab5da1cf3b6d027d14cc6e719f33e300b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4171627
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85365}
This completes the big Code/CodeDataContainer name shuffle.
Bug: v8:13654
Change-Id: If033e9153e751ab0d2a38572da2ce2f7029bc359
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4173569
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85354}
The runtime function took two parameters, the instance and the function
index. The function index, however, seems to be unnatural information,
as the function index is a value that only has meaning with the binary
format of a wasm module, and not for the embedder of a wasm module.
This CL changes the signature of the runtime function to a single
parameter, the wasm function that should be optimized.
R=manoskouk@chromium.org
Bug: v8:12926
Change-Id: I6802cb6c8ffc586f4997a4a069735785ce59583d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4171625
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85352}
Liftoff will only be called on valid functions, but does not validate
itself. So we should not set the function to "validated" after executing
Liftoff compilation. Instead, we can DCHECK that the function was
validated before.
This requires a few changes to tests and fuzzers to correctly set the
{function_was_validated} bit.
R=ahaas@chromium.org
Change-Id: I669fca77724189c83d78bdfda9f08df9f7fd63f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4168411
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85349}
Tests with shared memory are non-deterministic and shall not be
run with --predictable.
Bug: v8:13267, v8:13669
Change-Id: I65c9e1b273ff96ea73acd817a297c08f83ba615f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4174076
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85345}
.. as part of the big Code/CodeDataContainer name shuffle. In the
next step, CodeDataContainer will be renamed to Code.
Bug: v8:13654
Change-Id: Ia80ac984d46dd6c2a108098055a5cd60e22a837c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4171628
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85337}
Add a map check for the RHS of instanceof checks (i.e. the class) when
loading its hasInstance method. We were previously confirming the value
of the RHS, to make sure that it's a constant, but not considering the
case that the map of that class could change (e.g. because of a
prototype change or field definition).
Bug: v8:7700
Change-Id: Ia2923b99dd0524670bebcc57e4c0c209f8835d04
Fixed: chromium:1407959
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4173568
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85336}
The RegisterInput (NewTarget) was not correctly visited by the GC.
This:
- Creates a sentinel safepoint to indicate that the stack is not
fully created (we are in the stack guard call).
- Generalises RegisterInputs (we assumed only NewTarget before) and
save them in the graph.
- Pass the register input count via tagged_register_indexes in
this case.
Fixed: chromium:1407606
Bug: v8:7700
Change-Id: I8f599f8c1a992ee6fd886eec1e289454649dfec8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4171626
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85331}
.. now that it unconditionally refers to CodeDataContainer. All
previous references to 'CodeT' (the type and as part of names) are
now updated to 'CodeDataContainer', including 'codet', 'CODET', etc.
Bug: v8:13654
Change-Id: I7abbba040091eddf3ef09028a891aed460363929
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4165619
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85325}
In some cases, a declaration of a function may be covered by
variables with a same name and thus bound to one parameter. This
CL records variables which should not be bound to the parameter,
are skipped when inserting shadowing variable binding initilizers.
Bug: v8:13459
Change-Id: Id7d147392450b177d219bfd04245b47d9e58c20e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4130416
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85321}
After the latest fix (https://crrev.com/c/4118547), it could happen that
we stop execution even though the stored "max steps" counter did not
reach zero. This was previously not possible because we did always
subtract 1, and only terminated once we reached zero. Not we sometimes
subtract bigger numbers, and terminate if the counter is smaller than
the number we want to subtract.
This CL fixes this by first subtracting, and then checking if the
counter ran negative.
R=thibaudm@chromium.org
Bug: chromium:1405322
Change-Id: I19d7be263b000eb0a6319aaeb8838d11b8c5a3b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4165602
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85317}
With --shared-space we weren't marking the main isolate's entry in
the EPT for the WaiterQueueNode.
Bug: v8:13267, chromium:1406729
Change-Id: I833b0a9f93d6b129529dcda71084c3bff5417bad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4162927
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85309}
The tests deal with recording OLD_TO_SHARED slots during page promotion
(in MinorMC) on a client heap, and retaining the corresponding shared
objects.
These tests cover issues fixed by crrev.com/c/4152485 and
crrev.com/c/4094755 (in the reland, compared to the previously submitted
version).
Bug: v8:12612
Change-Id: I7ba399d56ad75646092e6955f347a210c3dcac6e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4156473
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85308}
The callback can be used to enable / disable Wasm GC from Chrome or
other users. For more simplicity and as many users of Wasm GC also use
stringrefs, enabling it via the callback will also stringrefs.
Bug: v8:7748
Change-Id: I474034eabe438f0ce9759c1d34dda12a99aa491e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4165090
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85306}
We previously did not check for stack overflow when recursively nesting
functions and class declarations, with no statements in between.
Fixed: chromium:1404863
Change-Id: I00ec90ed4ac48ae7996a2d54201732bcaebc9757
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4162925
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85289}
This is a reland of commit ec4f19d530
Original change's description:
> [turbofan] Properly perform range check for array access
>
> Turbofan optimized array access returned incorrect values in some cases
> when a negative index was provided. This CL fixes this by changing the
> way those bounds checks are performed in JSNativeContextSpecialization.
>
> Bug: chromium:1320641
> Change-Id: Id1f06680ccf7964994d179f7fb44199a0b1245b1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4147622
> Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#85207}
Bug: chromium:1320641, chromium:1382948
Change-Id: I45e38598b97e2e997fc75d272dba470669e835c8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4164680
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85286}
This is a reland of commit c74c9e63e1.
Types have been fixed to make MSVC happy.
Original change's description:
> [wasm][test] Remove useless macro
>
> Remove the BUILD macro, call a function with an initializer list
> instead. This makes the code slightly shorter, but most importantly it
> avoids an unnecessary macro, which improves maintainability and
> debuggability.
>
> R=jkummerow@chromium.org
>
> Bug: v8:13312
> Change-Id: I904ccf8e5b98c4d2f487c0cedc865db1386321c6
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4152482
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#85259}
Bug: v8:13312
Cq-Include-Trybots: luci.v8.try:v8_win64_msvc_rel
Change-Id: Ie3ca8dcd295ec22385b5d40262c2cb03bfcfeda4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4162932
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85278}
This reverts commit 77de44e1c4.
Reason for revert: Seems fuchsia doesn't like this improvement: https://ci.chromium.org/ui/p/chromium/builders/try/fuchsia-arm64-rel/68601/overview
Original change's description:
> [ptr-compr] Improve ptr compression/decompresion in C++
>
> Optimizations introduced in
> https://chromium-review.googlesource.com/c/v8/v8/+/1776079
> are currently defeated since Address is not a pointer type.
> Clang does not seem to carry over alignment information as range
> information when casting to ints.
>
> Using __builtin_assume we can restore the same effect. Additionally
> we can help the compiler remember that when compressing the removed
> bits are actually the cage base. This helps e.g. with
> `decompress(compress(..))`.
>
> See https://godbolt.org/z/5r68G5qa6 for details.
>
> Bug: v8:9353
> Change-Id: Ief016fce0788f2bef6b684a18b104ada6e6d3856
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4156060
> Commit-Queue: Olivier Flückiger <olivf@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#85246}
Bug: v8:9353
Change-Id: I1fd6f36667302490f12d19c1fc8f64ca181c006b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4162933
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#85266}
We have been manually disallowing subtypes of anyref, as well as null
types, at the JS boundary, although the infrastructure to handle them
was basically in place. This CL removes this restriction.
Drive-by: Handle null correctly for typed functions in {ToJS}.
Bug: v8:7748
Change-Id: I51df2159ff4e6eea5a1ba401fa87920db9c4f2aa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4154413
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85260}
Remove the BUILD macro, call a function with an initializer list
instead. This makes the code slightly shorter, but most importantly it
avoids an unnecessary macro, which improves maintainability and
debuggability.
R=jkummerow@chromium.org
Bug: v8:13312
Change-Id: I904ccf8e5b98c4d2f487c0cedc865db1386321c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4152482
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85259}
There is no reason to keep the CodeT dispatch (which switches
between `CodeT = CodeDataContainer` and `CodeT = Code`) around. Using
CodeDataContainer doesn't actually depend on anything from v8_enable_external_code_space, so let's use it unconditionally and
simplify our codebase.
In this first step, update the
`v8_enable_external_code_space = false` configuration to use
`CodeT = CodeDataContainer` as well and remove all support for
`CodeT = Code`.
Upcoming CLs will remove the CodeT alias type, and rename
the Code/CodeDataContainer pair to something more intuitive.
Bug: v8:13654
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_no_pointer_compression_dbg,v8_linux64_no_pointer_compression_rel,v8_linux64_arm64_no_pointer_compression_rel;luci.node-ci.try:node_ci_linux64_rel
Change-Id: I58e4d510924f685ef0f2403220a2c33651c3c864
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4138254
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85257}
We introduce high-level typed load elimination for wasm. It is based
on CSALoadElimination. It operates on wasm struct.set/get and
array.length operators (with array operations pending). Wasm types are
used to refine the may-alias analysis ran for stores.
Drive-by:
- Type more nodes in wasm-compiler and wasm-gc-operator-reducer.
- Remove an unsafe-cast test which now hits an Unreachable Turbofan
node.
Bug: v8:7748
Change-Id: I309e4af4d9f9c584e27ff79804a776666b5dc3c1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4146430
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85255}
This is a reland of commit 1e3dd39d09
and commit e5dbd05dcf
The fix is in https://chromium-review.googlesource.com/c/v8/v8/+/4094755/3..6
Original change's description:
> [heap] Iterate promoted pages during sweeping
>
> Promoted pages are iterated to record slots containing old to new and
> old to shared references. This takes a significant amount of time during
> the atomic pause.
> Instead we offload this task to the concurrent sweepers, record slots to
> a local cache, and merge it when finalizing sweeping.
>
> Array buffer sweeping depends on iteration of promoted pages, so it is
> frozen until iteration is done.
>
> See design doc at https://docs.google.com/document/d/1JzXZHguAnNAZUfS7kLeaPVXFfCYbf5bGCtyKgyiMDH4/edit?usp=sharing
>
> Bug: v8:12612
> Change-Id: Icdc79a7a70c53352e3a1b3961cfe369e8563b65b
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4062041
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Auto-Submit: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84706}
Bug: v8:12612
Change-Id: I67bbf4753e9fa8b9194367996797aa103e58c16f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4094755
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85250}
Turbofan uses the feedback vectors created by liftoff during
compilation. It is assumed that for any given function liftoff and
turbofan use same-sized feedback vectors.
Calls in unreachable code don't allocate entries in the feedback vector.
Therefore it is required that turbofan and liftoff have the same
understanding of which parts of the code are treated as unreachable.
This is achieved by moving the unreachable handling from liftoff
into the decoder that is also used for the turbofan compilation.
Bug: chromium:1403398
Change-Id: I113726c1a0d773ea9483c80d8e3c3084be423ca2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4152477
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85248}
Optimizations introduced in
https://chromium-review.googlesource.com/c/v8/v8/+/1776079
are currently defeated since Address is not a pointer type.
Clang does not seem to carry over alignment information as range
information when casting to ints.
Using __builtin_assume we can restore the same effect. Additionally
we can help the compiler remember that when compressing the removed
bits are actually the cage base. This helps e.g. with
`decompress(compress(..))`.
See https://godbolt.org/z/5r68G5qa6 for details.
Bug: v8:9353
Change-Id: Ief016fce0788f2bef6b684a18b104ada6e6d3856
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4156060
Commit-Queue: Olivier Flückiger <olivf@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85246}
Add an alternative to any_ic_changed_, where instead of a global flag
that is updated on ICs changed (which prevents small function
optimisation), the interrupt budget of the particular function whose IC
was updated is reset to a default value.
This should have a similar effect, allowing small functions to tier up
quickly but still only once they have been stable enough for some time,
but should prevent cross-contamination of different functions'
stabilities due to the global nature of the flag.
It does, however, require a back pointer from the feedback vector to its
parent feedback cell (which holds the interrupt budget).
Drive-by, use any_ic_changed_ for Maglev tierup, to match small
function behaviour.
Change-Id: I7109cf3aff536af7ab36d3564ec8005ee7aa44f6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4156472
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85240}
This mode was used for an experiment and isn't used anymore.
IsolateInBackgroundNotification() can be used to achieve the same
memory savings mode.
Bug: v8:13653
Change-Id: I4bc0b0bd7ceac43f22e16b234b9482af9fe03152
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4156054
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85239}
This CL fixes a bug where TurboFan was incorrectly compiling away the
shared value barrier for shared arrays.
TurboFan should not be compiling accesses to objects in the shared heap
until it natively has support for the shared value barrier, because it
is an invariant that shared objects do not point to non-shared objects.
Bug: chromium:1404052, v8:12547
Change-Id: I5bd44ce5c44ad81a97421598e6d5b24fb5e210cd
Fixed: chromium:1404052
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4136980
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85233}
This should save about 0.23% cycles on the JQuery Speedometer story.
Bug: chromium:1406296
Change-Id: Ib2b76325c6441eb5da8051c3701291abf347c56d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4152952
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85230}
If the register allocator assigns kJavaScriptCallArgCountRegister
to {object}, we were clobbering the object, before pushing it to
the stack.
Additionally, we use PushReverse instead of Push to indicate
that kDataViewPrototypeGetByteLength has a JS call convention
(arguments are reversed). This is a no-op for x64, but it guarantees
the correct order of the padding in arm64.
Fixed: chromium:1406456
Bug: v8:7700, v8:13645
Change-Id: Ia9126ff5315ab4ab08ae733f138a1e0cb2d021a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4156053
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85227}
Rmove the deprecated array.len 0xfb17 variant which takes a type
immediate.
This has been superseded by 0xfb19 which does not need the type.
Bug: v8:7748
Change-Id: I7d4620423c786462444512abe40ee006aab99cf2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110831
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85225}
After we received feedback about some legitmate use-cases of the
internal [[Scopes]] property, we decided to not go ahead with its
removal.
This CL removes the corresponding experimental flag.
R=kimanh@chromium.org
Bug: chromium:1365858
Change-Id: I6744889b4e2e960695838648e2f4902cbdb75890
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4154416
Auto-Submit: Simon Zünd <szuend@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Commit-Queue: Kim-Anh Tran <kimanh@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85214}
The feature shipped with M109 so we'll remove the flag with M111.
R=jarin@chromium.org
Bug: chromium:1363561
Change-Id: Ia9b276f6c56fb3f57c57f5da1abe02dda8dc36e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4154418
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85213}
Currently structref is interpreted as dataref by default for backwards
compatibility reasons.
This behavior is now being removed with this change.
Bug: v8:7748
Change-Id: I610fd04187b1bda53c83a82345eae09f23d99731
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4111171
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85211}
When disabled, Turbofan is fully excluded from the compilation result.
This is expected to reduce V8's contribution to chromium's binary size
by roughly 20%.
If Turbofan is disabled, Maglev and Webassembly must also be disabled
(since both depend on TF).
Note this new configuration (v8_enable_turbofan=false) is not yet
used anywhere - we'll probably enable it for lite_mode bots in an
upcoming CL for test coverage.
Changes in detail:
- Split out all src/compiler files from the main source sets. This
was mostly done already, here we only clean up the few files that
were left.
- Define a new main TF entry point in turbofan.h. `NewCompilationJob`
replaces `Pipeline::NewCompilationJob`.
- When TF is enabled, turbofan-enabled.cc implements the above.
- When disabled, turbofan-disabled stubs out the above with a runtime
FATAL message.
- The build process is modified s.t. mksnapshot always has TF
available since it's needed to generate builtins. When disabled,
TF is removed from other components, in particular it is no longer
included in v8_compiler and transitively in v8_base.
- When disabled, v8_for_testing no longer has v8_initializers
available. These were only needed for test-serialize.cc, which
is now excluded from this build mode.
- When disabled, remove all related cctest/ und unittest/ files from
the build.
Bug: v8:13629
Change-Id: I63ab7632f03d0ee4a787cfc01574b5fdb08fd80b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4128529
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85210}
The file `at.js` was missing in the resources list, and did therefore
not get uploaded to the perf bot. This caused an error on the perf bot.
R=machenbach@chromium.orgCC=dmercadier@chromium.org
Bug: v8:12926
Change-Id: I199591444da651854633a37e7164756981b9353f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4154414
Auto-Submit: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85208}
Turbofan optimized array access returned incorrect values in some cases
when a negative index was provided. This CL fixes this by changing the
way those bounds checks are performed in JSNativeContextSpecialization.
Bug: chromium:1320641
Change-Id: Id1f06680ccf7964994d179f7fb44199a0b1245b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4147622
Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85207}
This CL adds some tests for async generators to ensure that we
correctly report caught/uncaught exceptions.
Most of the cases were fixed by the for-of fix:
https://crrev.com/c/4146420
The remaining broken test cases contain a throw directly
after a `yield`. For each ".next" call we create a new promise
that we need to push on the promise stack before we actually
resume the generator.
R=bmeurer@chromium.org
Fixed: chromium:1270780
Change-Id: I8365d20490451be37cc6973d8d91aeffed7e3511
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4146421
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85196}
Currently the shared value barrier manually fast paths instance types
for objects that are always in the shared heap. This CL makes a common
superclass, AlwaysSharedSpaceJSObject, and uses that for the fast path.
Bug: chromium:1402920, v8:12547
Fixed: chromium:1402920
Change-Id: I84421802791a4dc72925341eeb0cfc5949b8938a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4134475
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85192}
This is a reland of commit ebd933037e
Original change's description:
> [flags,testrunner] Consider readonly flags for conflict detection
>
> Flag conflict detection 1) bails out on incompatible flag values (e.g.
> --jitless and --turbofan) and 2) handles such bailouts transparently in
> the test runner by marking affected tests as OUTCOMES_FAIL.
>
> This CL adds full support for readonly flags to this system, together
> with required additional annotations in variants.py.
>
> Drive-by: assert proper use of v8_enable_slow_dchecks, and add
> support when dcheck_always_on is set.
> Drive-by: introduce has_maglev build variable detection based on
> v8_enable_maglev and use that for .status file annotations.
> Drive-by: protect against unintended overwrites of build variables
> in statusfile.py.
>
> Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel
> Bug: v8:13629,v8:10577
> Change-Id: I04de399139a0490806df8bfee7e75e2ec767b4b5
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4135879
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Commit-Queue: Jakob Linke <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#85130}
Bug: v8:13629,v8:10577
Change-Id: I49ce322c3fda00a1e1e280d99d2d818772533927
Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4151087
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85172}
- For TypedArrays, we bail out trying to reduce the access.
- For DataView, we check dynamically the DataView object bitfield
and call a builtin on a slow path.
Drive by: fix presubmit lint to allow assertOptimized when
passing --maglev flag.
Bug: v8:7700, v8:13645
Change-Id: I3ce4773466f045ff10c86c41734e00fbb94eb331
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4146435
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85171}
Only byte displacement was handled for opcode F6F7,
this CL adds 32-bit displacement support.
Change-Id: I40b3140df582cd0dce008dbbb957e615751c2131
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4144627
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Jie Pan <jie.pan@intel.com>
Cr-Commit-Position: refs/heads/main@{#85166}
The bytecode generator currently uses the wrong catch prediction in
the desugaring for for-of loops. This leads to unexpected pauses in
DevTools when 'pause on uncaught exceptions' is enabled, e.g. for throwing generators.
Specifically the call to .next of the iterator is unconditionally
marked as 'uncaught' instead of using the surrounding catch
prediction. Similarly, in the desugared "finally" block we call
.return which can also throw.
Note that if both the loop body and the ".return" throws, the
exception from ".return" is caught and only the loop body exception
is re-thrown. We still pause on both throw sites since we can't
detect this case statically.
R=leszeks@chromium.org
Bug: chromium:1270780
Change-Id: I2e642ef3fbfcfc6ad19e92cf611188801ebf2450
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4146420
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85164}
Drive-by: fix wrong bound check for TypedArrays / DataView on arm64,
which sometimes resulted in unecessary deopts.
Bug: v8:7700, chromium:1405651
Change-Id: I9afb2008edb22c0cd63044a6700a9f276960c191
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4146437
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85157}
The caller was rewritten but the ignore scope was left behind.
Bug: v8:12819
Change-Id: I76c297f43587bb5bd74c62cf39e0e979271a3b7a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110939
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85146}
This CL handles 2 issues with disposing of external string resources in
the string forwarding table:
1) Resources of unmarked strings during GCs with stack are correctly
disposed (these were previously leaking).
2) Resources of unmarked strings during GCs without stack are disposed
at most once. Previously resources could be disposed multiple times if
the same resource had multiple entries in the string forwarding table.
Bug: v8:12957, chromium:1403564
Change-Id: I809ec1ada1ee813d7277e85ade9aa1e3e95a80f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4136725
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85144}
This CL introduces typed optimizations for Turboshaft, which replaces all operations that produce a constant output (and don't have side effects) by the corresponding constant.
In addition, a new pass for eliminating dead code is introduced that cannot only remove dead operations, but also rewrite branches that are not required into GotoOps.
Drive-by: Introduce -0 as a "special value" for Float32Type and Float64Type to fix a few issues where 0 and -0 have been treated as identical.
Bug: v8:12783
Change-Id: Ia1450ad7a9abb5d58c7d753596ed08a33a73184f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110993
Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85143}
EmbedderHeapTracer has been removed, making the separate main-thread
worklist obsolete.
Bug: v8:13207
Change-Id: I3f92457a73d6664b28646247548b78ade491be32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4136716
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85142}
This reverts commit ebd933037e.
Reason for revert: Breaks a test: https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket/8792462319927467985/+/u/OptimizeForSize/CreateIsolateFromReadOnlySnapshot
Original change's description:
> [flags,testrunner] Consider readonly flags for conflict detection
>
> Flag conflict detection 1) bails out on incompatible flag values (e.g.
> --jitless and --turbofan) and 2) handles such bailouts transparently in
> the test runner by marking affected tests as OUTCOMES_FAIL.
>
> This CL adds full support for readonly flags to this system, together
> with required additional annotations in variants.py.
>
> Drive-by: assert proper use of v8_enable_slow_dchecks, and add
> support when dcheck_always_on is set.
> Drive-by: introduce has_maglev build variable detection based on
> v8_enable_maglev and use that for .status file annotations.
> Drive-by: protect against unintended overwrites of build variables
> in statusfile.py.
>
> Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel
> Bug: v8:13629,v8:10577
> Change-Id: I04de399139a0490806df8bfee7e75e2ec767b4b5
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4135879
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Commit-Queue: Jakob Linke <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#85130}
Bug: v8:13629,v8:10577
Change-Id: I0cb072c6c9f05d92894cc0af83c4d1a28df100d5
Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4147098
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85133}
We change the breakpoint hint logic to check if the script has not
locally changed (with a hash of the source text between the requested
breakpoint location and the actual breakpoint location). If the
text did not change, we set the breakpoint at the same
location as before.
Bug: chromium:1404643
Change-Id: I6ceecf9924e699aaf37518680d1cb79d3eb00959
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4138260
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85131}
Flag conflict detection 1) bails out on incompatible flag values (e.g.
--jitless and --turbofan) and 2) handles such bailouts transparently in
the test runner by marking affected tests as OUTCOMES_FAIL.
This CL adds full support for readonly flags to this system, together
with required additional annotations in variants.py.
Drive-by: assert proper use of v8_enable_slow_dchecks, and add
support when dcheck_always_on is set.
Drive-by: introduce has_maglev build variable detection based on
v8_enable_maglev and use that for .status file annotations.
Drive-by: protect against unintended overwrites of build variables
in statusfile.py.
Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel
Bug: v8:13629,v8:10577
Change-Id: I04de399139a0490806df8bfee7e75e2ec767b4b5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4135879
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85130}
Loops can be unrolled only for innermost loops. But, the wasm graph
builder builds loop exits regardless of the condition. This CL detects
if the loop can be innermost using AnalyzeLoopAssignment, and do not
allocate unnecessary nodes if it can't be.
This reduces memory usage for the reported wasm binary from 1.3GB to
300MB.
Bug: v8:13543
Change-Id: I693800071f7eee4a9991e094830f23d27a96b13f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4134466
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Choongwoo Han <choongwoo.han@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#85122}
This CL is exactly the same as the original CL, without changes. The
issue was a missing Isolate::Scope, and it existed already before this
CL. I fixed the issue separately in https://crrev.com/c/4136720.
Original message:
Original change's description:
> [wasm][capi] Optimize all functions before serialization
>
> The existing implementation of `serialize` in the C-API is to produce
> a snapshot of the current state of the `NativeModule`. However, so
> far all users of `serialize` did not care about the runtime of
> `serialize`, but cared about `deserialize` starting up fast.
>
> With this CL all functions of a module get tiered up to TurboFan
> before serializing the module.
R=clemensb@chromium.org
Change-Id: Ib8ed33c63c137e167fb50ccf721184b2b16cf4d4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4131635
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85120}
We add a {canonical_type_index} field to tag objects and use it to
check for canonical subtyping between tags when needed.
Bug: v8:7748
Change-Id: I60723d8f72a9487af03f223c8f8a33ef8fa56461
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4135885
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85119}
After a call to {StreamingDecoder::NotifyCompilationEnded}, no method on
the {StreamingProcessor} should be called any more. We were still
calling the {OnAbort} method later.
To make the semantics a bit more clear, we rename
{NotifyCompilationEnded} to {NotifyCompilationDiscarded}.
We also remove the {stream_finished_} field and reset the processor
instead, which will result in a nullptr access if we try to illegally
call any further methods.
R=ahaas@chromium.org
Bug: chromium:1403531, chromium:1399790, chromium:1400066
Change-Id: I4caef3801dfe9d653125efbd7bc9b5d13ce30dc7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4132966
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85114}
V8FileLogger has a dynamic behaviour when listening to
code events, i.e., it can stop listening without removing
itself from the Logger, which invalidates the field
is_listening_to_code_events_. This field is only updated
when adding/removing an event listener.
This cache was recently introduced in a refactoring
https://crrev.com/c/3582125
Bug: chromium:1400809
Change-Id: If93c88a6a64f5bf2c10265ac1db455ea498733a0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4136726
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85113}
Runtime.executionContextCreated provides many details in
ExecutionContextDescription structure while
Runtime.executionContextDestroyed provides only executionContextId. This
information is insufficient for the clients that use uniqueContextId.
Bug: v8:12896
Change-Id: I31df0ed618dc1c8b55c7eba8f96eeaef2d4de6c8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657439
Commit-Queue: Simon Zünd <szuend@chromium.org>
Auto-Submit: Vladimir Nechaev <nechaev@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85110}
The debugger utilizes the source position while single stepping
("Step-in") through the source to go from statement to statement and
skipping some expressions along the way. The debugger remembers the
"statement position" of the last stepping action.
This works well in general but falls flat for loops that only have
a single statement in them. Every step lands on the same statement,
just one loop iteration later.
We detect this case by checking if we are in the same frame and have
the exact same bytecode offset as the last step action.
Note that this also fixes "frame restarting" should we have restarted
a function while paused at the beginning of that function.
R=jarin@chromium.org
Bug: chromium:1401674
Change-Id: Id0a5753ed7cc9f23f22d869368d88e1c4b48566d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4135881
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85107}
This CL fixes a bug where we wouldn't pause (or even crash) when trying
to interrupt an infinite loop.
When we pause via stack check (i.e. a scheduled break) we currently do
one additional step-in. We do so to enter functions properly in case
we are paused in the middle of setting up the stack frame.
Loops also do a stack check, to support pausing infinite loops. In
that case we can skip the additional step-in as we are already
in a valid pause position (as implemented by this CL).
This CL also removes two bogus DCHECKs. We assumed that
a scheduled break never happens after a step. This is wrong, e.g.
a user can click the pause button after stepping over a long running
function.
Note that we duplicate the various loop interruption cctests to
also interrupt the loops with the "scheduled" break reason. Without
the changes in debug.cc, those won't pass.
The CL https://crrev.com/c/4136058 adds a regression test on the
blink side.
R=jarin@chromium.org
Fixed: chromium:1401674
Change-Id: I42b44744b17d24351f01b83c0446908c24e6c5fd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4134246
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85106}
Delay the "max steps" check until the frame is fully set up. This means
that the work is already done at the point where we check the maximum
number of steps, but the additional work is limited by the maximum
number of locals and parameters.
R=thibaudm@chromium.org
Bug: chromium:1404619
Change-Id: I4919c837feea92af84f99182a571edf96e4728ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4135890
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85098}
The expected behavior of the optimized code is deoptimizing when using a BigInt
as an index and throwing an error (from CheckedTaggedToInt64).
The representation changer tries to insert conversions for this case where
- The output node is represented in Word64 (SignedBigInt64)
- The use info is CheckedSigned64AsWord64
The representation changer first rematerializes the output node to
TaggedPointer because the type check is not BigInt. Then it falls wrongly to
the branch where the output representation is TaggedPointer, the output type is
SignedBigInt64 in GetWord64RepresentationFor.
Bug: v8:9407, chromium:1403574, chromium:1404607
Change-Id: I9d7ef4c94c1dc0aa3b4f49871ec35ef0877efc24
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4135876
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#85094}
Increase length of strings in the test to ensure they are cachable
external strings even when the sandbox is disabled.
Change-Id: I1228e1abb1d88c0bb70edaeb718e1bf2f4cdd53d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4127228
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Patrick Thier <pthier@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85081}
With lazy compilation we disabled mprotect-based code protection. We
currently have no users and no test coverage of that flag. Hence remove
it from the code base.
R=ahaas@chromium.org
Bug: v8:13632
Change-Id: I1e39499dfbdb896287901b97c32f00366449c466
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4114296
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85080}
EmbedderStackStateScope is used to disable conservative stack scanning
for cppgc when the stack is known to not contain heap pointers. Also,
DisableConservativeStackScanningScopeForTesting is used to disable CSS
for the V8 heap in tests that assume a precise GC. Until now, these two
have used two different mechanisms for disabling CSS. This CL merges
the two mechanisms and implements the latter scope via the former.
This is a reland of commit f51e0bb1db
reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/4111954
Bug: v8:13257
Change-Id: Ia124a4201686e0ea79f9cd07bc3888b9781cafa9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4128141
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85066}
This removes EmbedderHeapTracer from V8's API. Going forward
v8::TracedReference is only supported with using CppHeap (Oilpan).
Bug: v8:13207
Change-Id: I4e0efa94890ed147293b5df69fd7e0edad45abb5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4111546
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85061}
When internalizing external strings, a new internalized external string object is allocated if the string is not in-place internalizable. This newly allocated strings external resource is set to null (the actual resource will be transferred by MakeThin to ensure unique ownership of the resource).
We need to preserve the original string in the InternalizedStringKey for
the second lookup (inside the critical section), as we need to access
the external resource in case of hash collisions to check for equality.
Bug: chromium:1402187
Change-Id: I62b637859b06f05d1b34cb26495f08ec44d2f2db
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4128089
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85057}
This reverts commit 84e470845a.
Reason for revert: Breaks TSAN stress-incremental-marking: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20stress-incremental-marking/10433/overview
Original change's description:
> [wasm][capi] Optimize all functions before serialization
>
> The existing implementation of `serialize` in the C-API is to produce
> a snapshot of the current state of the `NativeModule`. However, so far
> all users of `serialize` did not care about the runtime of `serialize`,
> but cared about `deserialize` starting up fast.
>
> With this CL all functions of a module get tiered up to TurboFan before
> serializing the module.
>
> R=clemensb@chromium.org
>
> Change-Id: Icaef846e33509d90b38559c0b689f798d35a98db
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4129495
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#85052}
Change-Id: Ie0758b32ef3469fe75d3a45bc3e6950b3b192edb
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4131634
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85053}
The existing implementation of `serialize` in the C-API is to produce
a snapshot of the current state of the `NativeModule`. However, so far
all users of `serialize` did not care about the runtime of `serialize`,
but cared about `deserialize` starting up fast.
With this CL all functions of a module get tiered up to TurboFan before
serializing the module.
R=clemensb@chromium.org
Change-Id: Icaef846e33509d90b38559c0b689f798d35a98db
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4129495
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85052}
TurboAssembler::Switch considers its "condition" input is 64-bit.
However, Maglev's inner integers are rather Smis/32-bit integers.
Because we didn't not sign-extend the condition before calling
TurboAssembler::Switch, negative values were treated as positive
rather than negative.
Fixed: chromium:1403749
Bug: v8:7700
Change-Id: I78e934045330012186dc83dea0dc620ec977380a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4128080
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85049}
`CpuProfiler::StopProfiling()` return `nullptr` if no profiling is
active. Thus a `nullptr` check is needed before serializing the profile
returned by `CpuProfiler::StopProfiling()`.
R=clemensb@chromium.org
Bug: chromium:1394663
Change-Id: I364eeb1d9bd670de5179e242c4462f0fbfc9c607
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4126234
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85047}
.. which should result in 0 if x is non-negative, and -0.0 otherwise.
- Fix two invalid modulus-related folds.
- Handle aliased inputs in Int32ModulusWithOverflow.
- Drive-by: rename left/right to lhs/rhs to match the algorithm
description.
Note there is no deopt loop here since a result of -0.0 will update
feedback to kSignedSmallInputs.
Bug: v8:7700
Change-Id: I84fca0e43ded152d3520cbe73cc43299ff1c4230
Fixed: chromium:1403575
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4128081
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85039}
The Sub macro sometimes needs a scratch register when the 2nd operand
is too large to be encoded in the instruction. The prologue was
already reserving 2 scratch registers, which made Sub crash on a
DCHECK when trying to reserve one more scratch register.
Bug: v8:7700
Change-Id: I995689b8b16e3ef216641f0b6cadbf58f7f3740b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4128554
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85029}
Mark rhs as clobbered since we may negate it. Negate the lhs in rax.
Bug: v8:7700, chromium:1403470
Change-Id: I9a26de78fcd8d1db90c1d26617001c0c699c350e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110814
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85021}
As a drive-by this also fixes property load from smi. We still need to check that we actually have a smi...
Bug: v8:7700, chromium:1403280, chromium:1403323
Change-Id: I3c4f050b94550b8d7e4e65f733f9c1dad47941d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4120575
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85015}
Even if we have a constant load, if the map is not stable, we cannot
guarantee that the load is preserved across side-effecting calls.
Fixed: chromium:1403324
Bug: v8:7700
Change-Id: Ib900cf7574711115439e6521ed8cfaa866525e78
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4123532
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85014}
It's possible that various branches merged already with a value that's
in a liveness hole, but we only figure out later. If so, drop the merge
as well.
Bug: v8:7700, chromium:1403399
Change-Id: Ifd97e0c1959ffe51017e400fb028041047885a9c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4111932
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85013}
The issue causing this test to fail on the usban bot was fixed with
https://crrev.com/fcda478d890caea6bf04a50e6106682b64cf8d5a
Bug: v8:13611, v8:13612
Change-Id: I1d0a713160cdddf8623e767d43277a988509bce0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110955
Auto-Submit: Patrick Thier <pthier@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85007}
This CL plugs the hole in the outside<-ShadowRealm direction (i.e.
getting a reference to an object inside of the ShadowRealm from outside
the ShadowRealm).
This is a follow-on CL to
https://chromium-review.googlesource.com/c/v8/v8/+/4108810, which
plugged the getFunction hole in the ShadowRealm<-outside direction (i.e.
getting a reference to an object outside of the ShadowRealm from inside
the ShadowRealm).
Bug: v8:1198
Change-Id: Ic06533ba8b1cc6477ef9d55a23cb8b0b6584d4a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4115657
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85003}
With smi feedback, we use int32 operations for arithmetics.
When negating 0, we have to fallback to float as we can't represent -0
in int32. We can simply deopt in that case without causing a deopt loop, as a non-smi result will change the feedback to kSignedSmallInputs (from kSignedSmall).
Bug: chromium:1403102
Change-Id: Ic27c267349a1de6904639e91b1cade2c4f7d1fe2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4122829
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Auto-Submit: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84998}
This CL introduced four more operators in TurboFan: BigIntLessThan,
BigIntLessThanOrEqual, and the corresponding speculative operators so
that all the BigInt comparisons are supported.
This CL also implemented fast paths for small BigInt inputs.
Bug: v8:9407
Change-Id: Iaa2d4dbebf68656d775a7feb65b97fb5c598ec23
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4111951
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84995}
After https://crrev.com/c/3859787 those frames would be printed like
standard Wasm frames, but in the place of the WasmInstanceObject, they
have a WasmApiFunctionRef object instead.
So special-case the {WasmToJsFrame::instance()} to load the instance
properly. Also special-case the {position()} accessor for imported
functions.
R=victorgomes@chromium.org
Bug: chromium:1402270
Change-Id: I39805805a50e7a73d7d8075c63c46bdf5a373a33
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4116778
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84993}
It's failing regularly on the ubsan bot, closing the tree.
This CL also adds a 'variant == future' section in the mjsunit.status
file to enable easy disabling of maglev-specific failures.
No-Tree-Checks: true
Bug: v8:13612
Change-Id: I3c0f7725e1fb36577e97c662cd3830c64ba298e0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4120554
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84982}
This reverts commit 2a71e8637f.
Reason for revert: This probably blocked the V8 roll.
https://chromium-review.googlesource.com/c/chromium/src/+/4116621?tab=checks
Original change's description:
> Reland "[heap] Fix conservative stack scanning for client isolates"
>
> This is a reland of commit 36bac1bcae
>
> Original change's description:
> > [heap] Fix conservative stack scanning for client isolates
> >
> > With this CL, the context of stacks corresponding to all client isolates
> > are saved, so that conservative stack scanning can be used correctly
> > during a shared garbage collection. This happens:
> >
> > 1) in Heap::PerformSharedGarbageCollection, for the stacks of the shared
> > isolate and the initiator;
> > 2) when an isolate's main thread is waiting in a safepoint; and
> > 3) when an isolate's main thread is parked.
> >
> > Bug: v8:13257
> > Change-Id: I9ff060f2c0c1ec12977c70d67d65d9c543e2d165
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4027210
> > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> > Reviewed-by: Omer Katz <omerkatz@chromium.org>
> > Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
> > Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#84712}
>
> Bug: v8:13257
> Change-Id: I61df6eeca5a28e04eb3a858f7d601bc5f6312e49
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4092737
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84963}
Bug: v8:13257
Change-Id: I3a235f11e5fe55c476591a5274946aeb6cc9bf6e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4111178
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84973}
This reverts commit f51e0bb1db.
Reason for revert: Dependent on crrev.com/c/4092737 that is being reverted.
Original change's description:
> [heap] Merge mechanisms for disabling CSS
>
> EmbedderStackStateScope is used to disable conservative stack scanning
> for cppgc when the stack is known to not contain heap pointers. Also,
> DisableConservativeStackScanningScopeForTesting is used to disable CSS
> for the V8 heap in tests that assume a precise GC. Until now, these two
> have used two different mechanisms for disabling CSS. This CL merges
> the two mechanisms and implements the latter scope via the former.
>
> Bug: v8:13257
> Change-Id: Ieca082657854fe2eff9eb5d95a30d48bb8eab44f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4111954
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84964}
Bug: v8:13257
Change-Id: Id769af6215a2ed319ec96b354734a5362b2384cf
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4111179
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84972}
EmbedderStackStateScope is used to disable conservative stack scanning
for cppgc when the stack is known to not contain heap pointers. Also,
DisableConservativeStackScanningScopeForTesting is used to disable CSS
for the V8 heap in tests that assume a precise GC. Until now, these two
have used two different mechanisms for disabling CSS. This CL merges
the two mechanisms and implements the latter scope via the former.
Bug: v8:13257
Change-Id: Ieca082657854fe2eff9eb5d95a30d48bb8eab44f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4111954
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84964}
This is a reland of commit 36bac1bcae
Original change's description:
> [heap] Fix conservative stack scanning for client isolates
>
> With this CL, the context of stacks corresponding to all client isolates
> are saved, so that conservative stack scanning can be used correctly
> during a shared garbage collection. This happens:
>
> 1) in Heap::PerformSharedGarbageCollection, for the stacks of the shared
> isolate and the initiator;
> 2) when an isolate's main thread is waiting in a safepoint; and
> 3) when an isolate's main thread is parked.
>
> Bug: v8:13257
> Change-Id: I9ff060f2c0c1ec12977c70d67d65d9c543e2d165
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4027210
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84712}
Bug: v8:13257
Change-Id: I61df6eeca5a28e04eb3a858f7d601bc5f6312e49
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4092737
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84963}
The spec does not allow side effects on wrapping the exceptions
crossing the realm boundaries. We need to provide an easy way to inspect the exception-thrown cross-realms according to the last TC39 meeting
consensus.
Related spec change: https://github.com/tc39/proposal-shadowrealm/pull/382.
Bug: v8:11989
Change-Id: Ia78d94fd33cba689267aeacd028d662bd4a37fe9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3618759
Commit-Queue: Chengzhong Wu (legendecas) <legendecas@gmail.com>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84961}
With this change property accesses on WasmObject and WasmArray return
undefined instead of throwing.
Furthermore retrieving the prototype of a WasmObject/WasmArray returns
null.
Bug: v8:13523
Change-Id: I12e3b9fb6ac9a7305f001a3b3835854068c3064f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110995
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84957}
We add final types to wasm-gc.
- We introduce a `kWasmSubtypeFinalCode` as an alternative to
`kWasmSubtypeCode`.
- Behind a flag, we interpret types behind this code as final, as well
as types outside a subtype definition by default.
- For final types, type checks for call_indirect and ref.test etc. are
reduced to simple type identity checks.
Bug: v8:7748
Change-Id: Iabf147b2a15f43abc4c7d1c582f460dbdc645d66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096478
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84955}
Error mode: a TypedArray backed by RAB claims it's not backed by RAB.
Drive-by: disable resizability even harder when --harmony-rab-gsab is
not on.
Bug: v8:11111, chromium:1402139
Change-Id: I937c69f6124419cc8d29da0195686bc3b9a5c281
Fixed: chromium:1402139
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110751
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84952}
- Converts tests in EmbedderTracingTest to UnifiedHeapTest
- Move EmbedderRootsHandler tests to their own file
- Adds support for CppHeap in ManualGCScope
- Drive-by fix typo
Reland: Fix issue with attaching a CppHeap while incremental marking
is already running.
This reverts commit d90a98edc1.
Change-Id: Ifafa9145df3103578c4c7f1b3b0336b4bd9f34dd
Bug: v8:13207
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110941
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84950}
ShadowRealms have a callable boundary: there cannot be any edges between
objects in the ShadowRealm and those from other realms. V8's
prepareCallStack API breaks this invariant via getFunction() and
getThis(). This CL makes those functions throw when called inside
ShadowRealms.
See also
https://docs.google.com/document/d/1aXEy4YCC9CduxLs7MGw-UOm0P4OuG7W-cScBnLG3ALI/edit?usp=sharing
Bug: v8:11989
Change-Id: I5a2b8fa735c0f10583c8cede4062645986b2d914
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4108810
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84944}
All IFS values of resumable loops are loop phis, so values from before
the loop can safely be dropped. In fact, if we don't drop them we might
not be able to restore them and crash in a safety check. Eagerly
dropping the values allows us to keep the safety check.
Bug: v8:7700
Change-Id: I99ef80e35db5aba965dc1c5c9d78f1d085e589fb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110940
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84943}
Usually sharable strings are automatically promoted to shared old space
and can be shared in-place.
There are currently two exceptions:
- When using a non-moving GC (e.g. minor MC)
- Strings in LO space
Account for these exceptions by copying strings to the respective shared
space when sharing them.
Bug: chromium:1400048
Change-Id: I20713b5f32f449c14febd848e289b5767530a257
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110752
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84942}
We use 0xffffffff as a sentinel for "no supertype". Therefore we
should reject it as we parse it. We implement this by rejecting
supertypes outside V8's type definition limit.
Bug: v8:7748
Change-Id: I7942d94073d8f7350528fb0e364e91f7359c8cec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110750
Auto-Submit: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84934}
Aligning struct fields to multiples of their own size can leave gaps
between them, e.g. when i8 and i32 fields alternate. This patch
introduces a simple optimization: it keeps track of the most recent
such gap, and attempts to use it for later fields that are small enough.
Bonus changes:
- Cap field alignment to 4 bytes (because we only have 4-byte object
alignment anyway).
- Don't re-compute field offsets when canonicalizing types. Instead,
re-use the original type's offsets.
Bug: v8:7748
Change-Id: Iabfc8e7cda94f16d196ed4429f3aa92d249b3b72
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4092494
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84933}
This (test-only) runtime function only supported unoptimized frames as
callers. Add support for Maglev frames as well by extracting the
relevant BytecodeArray and bytecode offset.
This reverts commit 955de73ee5.
Bug: chromium:1400549,v8:7700
Change-Id: I80f80f8736ff0400d6d47e355add2a07cdc4559e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4111851
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84931}
This is a reland of commit 5d95bd39ca
Original change's description:
> [maglev] Prevent lazy deopts during maglev's JumpLoop (=OSR)
>
> The problem was that synchronous Maglev OSR potentially caused
> code deoptimization during compilation dependency finalization; this
> led to a lazy deopt when returning from the call to
> Runtime_CompileOptimizedOSRFromMaglev. However, a lazy deopt is
> disallowed at this point, since a) Maglev doesn't support marking an opcode as both lazy- and eager deopt, and b) the JumpLoop opcode
> is already marked as eager deopt since that's how OSR is implemented
> under the hood. See also the comment in runtime-compiler.cc.
>
> We fix this by changing synchronous Maglev-to-Turbofan OSR
> behavior s.t. actual OSR compilation is triggered from Ignition
> (and not from Maglev). In other words, when synchronous OSR is
> requested:
>
> 1. trigger an eager deopt from Maglev to Ignition by returning a
> non-null code object from Runtime_CompileOptimizedOSRFromMaglev.
> 2. Ignition handles the pending OSR compile request (through
> osr_urgency).
>
> This CL also reverts previous partial fixes:
>
> This reverts commit 21969e8e24.
> This reverts commit 6bcbcfed5c.
>
> Bug: chromium:1394279,v8:13585,v8:7700
> Change-Id: I3d64aa39575ad806ba2623102092176ca160ef0b
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110740
> Commit-Queue: Jakob Linke <jgruber@chromium.org>
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84922}
Bug: chromium:1394279,v8:13585,v8:7700
Change-Id: Id9d1a1ab2dc36e481287a1a25863b45bf281920c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110746
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84928}
This reverts commit 5d95bd39ca.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20-%20gc%20stress/2101/overview
Original change's description:
> [maglev] Prevent lazy deopts during maglev's JumpLoop (=OSR)
>
> The problem was that synchronous Maglev OSR potentially caused
> code deoptimization during compilation dependency finalization; this
> led to a lazy deopt when returning from the call to
> Runtime_CompileOptimizedOSRFromMaglev. However, a lazy deopt is
> disallowed at this point, since a) Maglev doesn't support marking an opcode as both lazy- and eager deopt, and b) the JumpLoop opcode
> is already marked as eager deopt since that's how OSR is implemented
> under the hood. See also the comment in runtime-compiler.cc.
>
> We fix this by changing synchronous Maglev-to-Turbofan OSR
> behavior s.t. actual OSR compilation is triggered from Ignition
> (and not from Maglev). In other words, when synchronous OSR is
> requested:
>
> 1. trigger an eager deopt from Maglev to Ignition by returning a
> non-null code object from Runtime_CompileOptimizedOSRFromMaglev.
> 2. Ignition handles the pending OSR compile request (through
> osr_urgency).
>
> This CL also reverts previous partial fixes:
>
> This reverts commit 21969e8e24.
> This reverts commit 6bcbcfed5c.
>
> Bug: chromium:1394279,v8:13585,v8:7700
> Change-Id: I3d64aa39575ad806ba2623102092176ca160ef0b
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110740
> Commit-Queue: Jakob Linke <jgruber@chromium.org>
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84922}
Bug: chromium:1394279,v8:13585,v8:7700
Change-Id: Ib82d06ab8281f0e59a2af2b631bf93b25064df1f
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110745
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84925}
