This aligns the breakpoint behavior of YieldExpression and
AwaitExpression with the behavior of AssignmentExpression
in V8. It basically boils down to not reporting expression
positions on SuspendGenerator bytecodes as breakable
locations.
In particular the initial implicit yield of any generator
function is no longer a breakable position. In light of
this changes we also refine https://crrev.com/c/2949099
to not be able to step to the initial implicit yield
either, which would otherwise be really odd.
Before: https://imgur.com/KYy9F1S.png
After: https://imgur.com/gCnWU8J.png
Doc: https://goo.gle/devtools-reliable-await-breakpoints
Bug: chromium:901814, chromium:1319019, chromium:1246869
Fixed: chromium:1319019, chromium:1357501
Change-Id: I0c5f83e279918eb392d8f77a8a04c4c0285f938e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3909688
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83392}
This is a reland of commit 80fb281561
This CL fixes the signedness of rematerialized Numbers from immediates, which was introduced by the original change. Besides, BigInt truncation to zero bits is lowered to Int64Constant instead of NumberConstant of zero, which will flow into the state values directly.
Original change's description:
> [turbofan] Rematerialize BigInt64 in deopt
>
> This CL introduces two MachineTypes - SignedBigInt64 and UnsignedBigInt64, which are represented as Word64 but will be rematerialized to BigInt in deoptimization. This will avoid unnecessary conversions for BigInt64s when they are passed to StateValues.
>
> Bug: v8:9407
> Change-Id: I65fdee3e028ed8f9920b1c20ff78993c7784de48
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858238
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Commit-Queue: Qifan Pan <panq@google.com>
> Cr-Commit-Position: refs/heads/main@{#83230}
Bug: v8:9407, chromium:1364319, chromium:1364400
Change-Id: I0b4e077b52f64af46018b6c045893bbd56153f32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899258
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83384}
V8-side implementation for trusted types fromLiteral.
Create a separate JSArray root map for template literal objects to
clearly identify untampered template literals belonging to a given
context.
Given that template literals are frozen arrays with a 'raw' property,
we don't expect additional polymorphism.
Drive-by-fix:
Avoid ValidateElements call in NewJSArrayWithElements.
Bug: chromium:1271149
Change-Id: I327b0fd99a2db3b57d35efa9293ddf2f14e555ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3572044
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83383}
We set the JSArray's length to the elements's length before,
which is wrong when the elements have the slack part. We could
serialize the correct length and only the actual elements excluding
the slack part for JSArray's elements. And we do the same thing
for the objects to avoid serializing unnecessary elements.
Bug: v8:13304
Change-Id: Ib68e06f409bfcab5c57fb5532e188aa0099d1140
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905061
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83380}
We don't remove the code just yet in case we need to re-enable the
feature. This could be in case we discover workflows not covered by
the "Scope View" and the scopes we report on "Debugger.paused".
R=kimanh@chromium.org
Bug: chromium:1365858
Change-Id: I636cc861af932156944a3f6e0a149cce0f939329
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905185
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83379}
This reverts commit 2a7f86edcb.
Reason for revert: Blocking the roll (https://ci.chromium.org/ui/p/chromium/builders/try/mac-rel/b8802346196479466065/test-results?q=ExactID%3Aninja%3A%2F%2Fgin%3Agin_unittests%2FGinShellTest.HelloWorld+VHash%3A46648b293475ce2a&clean=)
Original change's description:
> Reland "[v8] Use |AllocateAtLeast| for resizing v8 zones."
>
> This is a reland of commit 4444874cdf
> This fixes a failure on the UBSan bots caused by assuming |Realloc| is always in-place if the new size is <= the value of |malloc_usable_size|.
>
> Original change's description:
> > [v8] Use |AllocateAtLeast| for resizing v8 zones.
> >
> > This is part of an ongoing effort to reduce fragmentation in Chrome. Partition alloc shows v8 zones are a large user of memory in Renderer processes, and that there is fragmentation from these allocations. This CL will reduce this fragmentation by allowing v8 to use all allocated memory for its zones.
> >
> > Bug: v8:13193, chromium:1238858
> > Change-Id: Ibeac8bdba9d0e7ff66b14a3dde10e7c87d3cf953
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3889361
> > Reviewed-by: Adam Klein <adamk@chromium.org>
> > Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
> > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#83235}
>
> Bug: v8:13193, chromium:1238858
> Change-Id: I923bcbce8403dd7d84642340fd7202087b8a4440
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3910268
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83372}
Bug: v8:13193, chromium:1238858
Change-Id: I32f9c4701a29c0516e3f587f1c6028e4d4158466
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3909358
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83378}
Blink has shipped import assertions since M91, so it is safe enough to
go straight to shipping here.
Bug: v8:10958
Change-Id: I3256172473a1ae8ce74e7fa63b14137e24568360
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3911378
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83373}
This is a reland of commit 4444874cdf
This fixes a failure on the UBSan bots caused by assuming |Realloc| is always in-place if the new size is <= the value of |malloc_usable_size|.
Original change's description:
> [v8] Use |AllocateAtLeast| for resizing v8 zones.
>
> This is part of an ongoing effort to reduce fragmentation in Chrome. Partition alloc shows v8 zones are a large user of memory in Renderer processes, and that there is fragmentation from these allocations. This CL will reduce this fragmentation by allowing v8 to use all allocated memory for its zones.
>
> Bug: v8:13193, chromium:1238858
> Change-Id: Ibeac8bdba9d0e7ff66b14a3dde10e7c87d3cf953
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3889361
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83235}
Bug: v8:13193, chromium:1238858
Change-Id: I923bcbce8403dd7d84642340fd7202087b8a4440
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3910268
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83372}
This CL implements collection of garbage in the shared spaces in
the shared heap isolate. GC on such an isolate should now work
correctly without worker isolates. Support for worker isolates will
be implemented in a subsequent CL.
Bug: v8:13267
Change-Id: I30125ce3b791e2faa0504d065f23639d6106e6b6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904647
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83371}
- Use non-idle tasks to be able to process finalizers on time.
- Only process finalizers while concurrent marking is still running.
Bug: v8:13294
Change-Id: I1a2812c3fc350ea679c4c916c230cf736f2aa3ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904648
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83367}
There is no -0n, and we'd therefore never serialize such a BigInt.
But we can't trust serialized data to not have gotten corrupted
(or be fuzzer-generated), so guard against this case when
deserializing.
Fixed: chromium:1359937
Change-Id: If11d9a364480bae51911cc4a0ce8a719853139fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904414
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83362}
This test breaks when interrupts occur with unfortunate timing. Maglev
increases flakiness of this test since finished Maglev compiles all
raise a new interrupt (and interrupts abort-and-retry regexp
execution).
Disable concurrent recompilation for this test, and drive-by fix the
--trace-regexp-tier-up flag.
Bug: v8:7700
Change-Id: I170c911fe2308b0b5ad9941e695f11f8925455f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904604
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83359}
Correct the test expect result as the spec specifies the accumulator is 2*SEW
bits. Fix the simulator implementation as well.
R=qiuji@iscas.ac.cn
Change-Id: Ia5d11b3214cf32635c3767df75992b2a50ee6980
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878452
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#83354}
Correct the arguments for std::fma() to double as the instruction expects
both addend and destination are 2*SEW bits wide. Addressed corresponding
implementation in the simulator as well.
R=qiuji@iscas.ac.cn
Change-Id: Ib3963a61c00ee9dc73af019574a1665de406cc32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878448
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#83353}
1. Correct the return type of RoundTowardsZero to fix issue with
double value > 2^64
2. In TemporalDurationToString:
a. Use std::fmod instead of % to get the remainder
b. Use extra xx_add variables to hold additional value which may
overflow the double during computation.
c. Use BigInt for days if the value is too large for double
to ensure the precision.
3. Add tests with Number.MAX_SAFE_INTEGER
and Number.MAX_VALUE in values for Duration toJSON in mjsunit
Bug: v8:11544
Change-Id: Icac4f669ed1c591e947b51c82dd48bdef7a6db6e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3900813
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83344}
This change allows to put Wasm structs / arrays into prototype
chains. While this isn't particularly useful (as any access lookup
on the wasm object will throw a TypeError), there isn't any reason
not to allow it.
Bug: v8:7748
Change-Id: I81cf709d2e8403b545bbba9ad9c538c1e9748c74
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3901979
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83329}
If a shift right is performed with a negative value <= -32,
it may not be reduced to a 32 bit shift.
The reduction optimization was introduced by commit
2298b35f7c.
Fixed: v8:13290
Change-Id: Ifb16ed85560ab54d211ebb407690abe2c156e3a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905143
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83324}
Array.prototype.group and Array.prototype.groupToMap have an optional
thisArg, which is currently not passed.
Bug: v8:13301, v8:12499
Change-Id: Ib927638401d39ed0cbcc0595ab41fde328ef43cc
Fixed: v8:13301
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905934
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83323}
This CL adds a test that checks the block list for outer functions is
also correctly calculated when pausing in inner functions.
R=kimanh@chromium.org
Bug: chromium:1363561
Change-Id: I2d7c1671475759b977e4e41c7e09856b3b2e7daf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904308
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83319}
We currently use 1 test case per file for tests that check that
debug-evaluate correctly blocks the lookup of stack-allocated
variables.
This CL adapts a similar approach to `debug-scopes.js`, making it
easier to add new test cases in the future.
R=kimanh@chromium.org
Bug: chromium:1363561
Change-Id: I8ff8cfe7d59f0b9808dc02c5579e058f490553eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904544
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83315}
Allow non-registered symbols as keys in weakmap and weakset.
Allow non-registered symbols as target and unregisterToken in
WeakRef and FinalizationRegistry.
Bug: v8:12947
Change-Id: Ieb63bda66e3cc378879ac651e23300b71caed627
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865056
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83313}
The hoursInDay could be fractional number on the date of changng
daylight saving time for time zone in half hours or some historical time
zone.
Ex: Australia/Lord_Howe on Sunday, April 3, 2022, 2:00:00 am clocks were
turned backward 0:30 hours to Sunday, April 3, 2022, 1:30:00 am local
standard time instead. so that day will have 24.5 hours.
On Sunday, October 2, 2022, 2:00:00 am clocks are turned forward 0:30
hours to Sunday, October 2, 2022, 2:30:00 am local daylight time
instead. So the hoursInDay for that day is only 23.5 hours.
Historically, Singapore from 1933 to 1941 moved clocks forward 20 minutes for daylight savings, resulting the day in 24.33333 and
23.66667 hours.
Test covered in https://github.com/tc39/test262/blob/main/test/staging/Temporal/ZonedDateTime/old/dst-properties.js
Change the return type from MaybeHandle<Smi> to MaybeHandle<Object> so
we can return non integer value. Also change the method of division by
first convert the value to second in BigInt, then divid 3600 (number of
seconds in a hour) in double.
Bug: v8:11544
Change-Id: Ia69d2606cd832e51f415a00440fb9cbc236883e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3901619
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83311}
Refactor the interface between intl and Temporal and pass
the nanosecond in BigInt to intl. Approximate the nanoseconds
to the correct close by millisecond depending on the usage
before calling ICU API and convert the result millisecond into
BigInt in nanosecond before return from intl.
Remove Maybe for function always complete.
Bug: v8:11544
Change-Id: Icc471b80312c513c9415b690804aa624df4a387d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3897165
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83310}
Test was using concurrent sweeper which could lead to the concurrent
sweeper holding onto memory until the allocation succeeded in rare
cases.
Bug: v8:13308
Change-Id: I0f9f93cc503cdc17d6962b3c31bc4ea698b4cb42
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905183
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83309}
Make sure both the fast and slow version return the same value in case
of wrong follow-bit values in the input.
Bug: chromium:1359230, chromium:1360735
Change-Id: Ic65f81109e5bbc288fa41a5540ec7e6cece10ffc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890998
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83307}
... which will contain all compression scheme related functions.
This will allow introducing custom compression schemes for certain
cases and use the compression scheme class as a template argument for
TaggedField or OffHeapCompressedObjectSlot implementations.
Bug: v8:7703, v8:11880
Change-Id: Ic78d36b7021110d6a4797a3150547a224d942b32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899262
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83302}
ArrayBuffers of length 0 may not have a BackingStore, so guard for that
case in ArrayBuffer.prototype.transfer.
Bug: v8:11111, chromium:1364738
Change-Id: I058d00f0f60183f9137c60682ad93973c7a6dcbb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3902517
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83301}
This change tests all JavaScript language constructs and builtins in
combination with the unwrapped Wasm objects.
For JavaScript, excluding some basic introspection (e.g.
`Object.isExtensible`) WebAssembly GC objects are treated opaque.
They can be passed around freely but don't allow any access to
properties, elements etc.
This behavior is currently exposed only if the `wasm-gc-js-interop`
flag is set.
Bug: v8:7748
Change-Id: If0dc368f99d4097e3eaf53edde4e244e3081e334
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879616
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83299}
Lazy deopts are always after calls, so force them to spill their inputs.
This would normally be the case anyway, except for deferred calls, which
don't tell the register allocator to spill like normal calls do.
This makes lazy deopt regalloc always spill its inputs and use their
spill slot, but unlike calls, this doesn't additionally clear the
register, so subsequent nodes can continue using the register cached
value without having to reload it.
As drive-bys, fix the Throw* opcodes to have the Throw property, and use
detail::DeepForEachInput in a couple of extra locations (including for
lazy deopts).
Bug: v8:7700
Change-Id: I89b04f17ca781d4f69ff0ed07566fa583aa677e6
Fixed: chromium:1364074
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899009
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83293}
1) Inlining functions that contain stringref operations require builtin
calls to be marked as kNoThrow appropriately (or have exception
handling support in the graph).
2) Some overly-large inputs for string creation hit DCHECKs before
getting to the places where they would have thrown an orderly
exception.
3) We still had a known issue that some exceptions thrown by JS-focused
code were erroneously catchable by Wasm.
4) When string.concat attempted to create a too-long string, it ran into
a DCHECK because we didn't clear the "thread in wasm" flag.
5) The builtin call for string.concat was erroneously marked as
kEliminatable, which could cause the trap get eliminated.
Bug: v8:12868
Change-Id: Iad3ada0e2465bfd8f3d00bb064c32049d6b19d87
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3902522
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andy Wingo <wingo@igalia.com>
Reviewed-by: Andy Wingo <wingo@igalia.com>
Cr-Commit-Position: refs/heads/main@{#83292}
Let jump threading phase be able to handle the jump with gap moves instructions.
Record the first occurrence of the gap jump instruction and forward
the same gap jump instructions into the recorded one.
For example:
In this case, we merge the second instruction into the first one,
because those two gap jump instructions have the same gap moves.
-- Before jump threading phase:
B0:
1. gap(rdx=rbx)
ArchJmp imm:3
B1:
2. gap(rdx=rbx)
ArchJmp imm:3
-- After jump threading phase:
B0:
1. gap(rdx=rbx)
ArchJmp imm:3
B1:
2. ArchNop
This can eliminate redundant jump and move instructions.
Design doc: https://docs.google.com/document/d/1SpO7Kw4e6CnCesFT118MUnCufUHZDy3QaVSymcci5jE/edit?usp=sharing
Change-Id: Ie94c8f63e2f758824619f6ed9513cbdff00186c4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858528
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jialu Zhang <jialu.zhang@intel.com>
Cr-Commit-Position: refs/heads/main@{#83288}
We move js-to-wasm wrappers to a WeakFixedArray in the isolate,
indexed by their canonical type index. This ensures that they are
reused across instances, and get GC'd when no longer needed.
We also remove eager compilation of wrappers.
This CL fixes some issues that were caused by out-of-bounds accesses
to wrapper arrays attached to module objects.
Bug: chromium:1363859, chromium:1363895
Change-Id: Idec0925e775f51fdfa7cd380379b0d1798295a0c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893860
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83275}
The number of feedback vector slots is currently stored in the
{WasmFunction}, returned in the {WasmCompilationResult}, and implicitly
stored as the size of the {call_targets} vector in
{FunctionTypeFeedback}.
This CL uses the latter as the source of truth, encapsulated in a new
{NumFeedbackSlots} function. This can be updated when adding new kinds
of feedback that need additional slots.
For now, the implementation of {NumFeedbackSlots} requires taking a
mutex, which we can hopefully avoid when productionizing speculative
inlining. We also take the mutex on every Liftoff compilation, which
adds synchronization between concurrent compilation which we previously
tried very hard to avoid (because it introduced significant overhead for
eager compilation).
As a nice side-effect, this CL reduces the per-function overhead by 8
bytes, independent of enabled features.
R=jkummerow@chromium.org
Bug: v8:13209
Change-Id: I2fe5f7fe73154328032a3f0961e88d068c5d07ae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899299
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83253}
The cached template object weakmap shouldn't be updated when we update
an existing cached template object, because this update can truncate the
linked list of cached template objects.
Bug: v8:13190
Change-Id: Icea61fcbd5c05d4293a884d1872523ddcdfc3323
Fixed: chromium:1364429, chromium:1364471
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899256
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83248}
This is a reland of commit 0a1f0e335e
Changes since revert:
- Deferred label for loading from forwarding table.
- Check if hash is computed instead of checking if it is a forwarding index.
- Retreive hash from forwarding table only if hash is assumed to be computed.
Original change's description:
> [strings] Fix raw hash lookup for forwarded strings
>
> Raw hashes may need to be looked up via the forwarding table when
> internalized strings are forwarded to external resources. Notably, the
> megamorphic ICs were not correctly fetching the raw hash.
>
> Bug: v8:12007
> Change-Id: Ibbc75de57e707788f544fbd1a0f8f0041350e29d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3885379
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Patrick Thier <pthier@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83115}
Bug: v8:12007
Change-Id: Ia88ed51a49c62170bc960b8f69673bb1e59a6009
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3888057
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83246}
This reverts commit 80fb281561.
Reason for revert: https://bugs.chromium.org/p/chromium/issues/detail?id=1364400
Original change's description:
> [turbofan] Rematerialize BigInt64 in deopt
>
> This CL introduces two MachineTypes - SignedBigInt64 and UnsignedBigInt64, which are represented as Word64 but will be rematerialized to BigInt in deoptimization. This will avoid unnecessary conversions for BigInt64s when they are passed to StateValues.
>
> Bug: v8:9407
> Change-Id: I65fdee3e028ed8f9920b1c20ff78993c7784de48
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858238
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Commit-Queue: Qifan Pan <panq@google.com>
> Cr-Commit-Position: refs/heads/main@{#83230}
Bug: v8:9407
Change-Id: I77d278ce302621db03b787318641709780348cc8
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3901814
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#83245}
This reverts commit 4444874cdf.
Reason for revert: CHECK failure under UBSan
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20UBSan%20-%20builder/5103/overview
Original change's description:
> [v8] Use |AllocateAtLeast| for resizing v8 zones.
>
> This is part of an ongoing effort to reduce fragmentation in Chrome. Partition alloc shows v8 zones are a large user of memory in Renderer processes, and that there is fragmentation from these allocations. This CL will reduce this fragmentation by allowing v8 to use all allocated memory for its zones.
>
> Bug: v8:13193, chromium:1238858
> Change-Id: Ibeac8bdba9d0e7ff66b14a3dde10e7c87d3cf953
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3889361
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83235}
Bug: v8:13193, chromium:1238858
Change-Id: I03c8c1ad7bb1cd20770323bffe1c42a4be47c454
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3900814
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83237}
Need to reset tzi_xxx and calendar_xxx in parser state if the
post-condition of CalendarName and TimeZoneIdentifier is not met.
Bug: v8:11544
Change-Id: If2df6c8fc8cf2418ddd5443abab02066d423a0c3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893554
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83236}
This is part of an ongoing effort to reduce fragmentation in Chrome. Partition alloc shows v8 zones are a large user of memory in Renderer processes, and that there is fragmentation from these allocations. This CL will reduce this fragmentation by allowing v8 to use all allocated memory for its zones.
Bug: v8:13193, chromium:1238858
Change-Id: Ibeac8bdba9d0e7ff66b14a3dde10e7c87d3cf953
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3889361
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83235}
This CL introduces a new LookupIterator state WASM_OBJECT, and updates
all switches that need to handle it.
Bug: v8:7748
Change-Id: Ie3359aed2d37f5a6854e5577fa3799f0464391e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865559
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83234}
The split is rudimental and now is not needed at all:
- as part of the shared-cage effort we added HeapHandle pointer to the
BasePageHandle class (on the API side);
- for the value-full barrier we get HeapHandle from bitmasking the
value;
- for the value-less barrier we get it from the callback provided by the
caller.
The CL entirely removes the split and uses the single
BoundedPageAllocator. A minor note: the conservative stack scanning can
become sligthly more expensive.
Bug: chromium:1361582, chromium:1325007
Change-Id: I2a8aded3dd12037998f36341c68af8e23b0dcd88
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899320
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83232}
Since enabling the sandbox is now required for example for mkgrokdump,
add it to the default gn args. Also treat non-sandbox builds as
"non-shipping" in mkgrokdump.cc
Bug: v8:13281
Change-Id: I08042aa53057e25c556e166c059373e2fdb9d2c1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899317
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83231}
This CL introduces two MachineTypes - SignedBigInt64 and UnsignedBigInt64, which are represented as Word64 but will be rematerialized to BigInt in deoptimization. This will avoid unnecessary conversions for BigInt64s when they are passed to StateValues.
Bug: v8:9407
Change-Id: I65fdee3e028ed8f9920b1c20ff78993c7784de48
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858238
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#83230}
Inner pointer resolution, to be used in conservative stack scanning,
assumes that all pages registered with the memory allocator are
iterable. Until this CL, this was not the case for pages that were
owned by the young generation semispaces but were unused. Such pages
are either in the "from" semispace, or in the "to" semispace but have
not yet been used.
This CL ensures that all pages owned by the young generation are iterable. It also adds tests to verify that inner pointer resolution
works correctly for unused young pages and for pointers above the
page area.
Bug: v8:13257
Change-Id: Ieff7cc216853403e01f83220b96bf8ff4cdea596
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3885893
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83226}
This test observes GC behavior and needs the garbage collector to work
in a somewhat predictable way.
Bug: v8:13286
Change-Id: I24e6a4f33a644b5f1845cd34558da03fc196f7e5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898721
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83218}
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.
R=szuend@chromium.org
Bug: v8:12887
Change-Id: I8123d18ae852807557bf26b1308e0061dc1ac123
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898937
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83216}
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.
R=jgruber@chromium.org
Bug: v8:12887
Change-Id: I0454426c664e54e9b8c8b39f903eeca1a80d4bc2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898933
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83214}
The kContextRegister can alias allocated registers - when setting it,
take care not to unintentionally clobber.
Bug: v8:7700
Change-Id: I0635d334fb14fa15540582a4873d4186fffa2199
Fixed: chromium:1363450
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3897634
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83212}
Running the libfuzzer fuzzers locally (with an experimental flag turned
on) found crashes, but did not produce crash files because we were
generating a software interrupt ("trap") instead of properly aborting.
Disabling the "hard-abort" feature fixes that.
This will hopefully not flush out previously missed crashes. If so,
please do manually bisect across this CL, instead of assigning to me :)
Drive-by: Move more initialization logic from {InitializeFuzzerSupport}
to the {FuzzerSupport} constructor, where other similar work is
performed.
R=thibaudm@chromium.org, saelo@chromium.org
Bug: v8:13283
Change-Id: Id8d4e92f5ab6bb27676adeae6b3b1eb042b8ba3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892061
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Samuel Groß <saelo@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83208}
Temporaries and the allocated result register may alias, thus order is
important when setting the result value.
Fixed: TestUndetectable, LogicalNot, SetPendingMessage.
Drive-by: Pass Label::kNear in a few spots I passed by.
Bug: v8:7700
Change-Id: Ice3de1d1014ad05d8fa9fb18d967887386bfed0d
Fixed: chromium:1359723
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898530
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83207}
Correct the call the the one which take the UTC based time
instead of the one taking the local wall time.
Bug: v8:11544
Change-Id: Ib288617e8f98b21865c306ca36cd905a3e5315bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892639
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83205}
A couple of customers have asked about using devtools to get information
about temporary allocations, with the goal of reducing GC time and/or
peak memory usage. Currently, the sampling heap profiler reports only
objects which are still alive at the end of the profiling session. In
this change, I propose adding configuration options when starting the
sampling heap profiler so that it can optionally include information
about objects which were discarded by the GC before the end of the
profiling session. A user could run the sampling heap profiler in
several different modes depending on their goals:
1. To find memory leaks or determine which functions contribute most to
steady-state memory consumption, the current default mode is best.
2. To find functions which cause large temporary memory spikes or large
GC pauses, the user can request data about both live objects and
those collected by major GC.
3. To tune for minimal GC activity in latency-sensitive applications
like real-time audio processing, the user can request data about
every allocation, including objects collected by major or minor GC.
4. I'm not sure why anybody would want data about objects collected by
minor GC and not objects collected by major GC, but it's also a valid
flags combination.
Change-Id: If55d5965a1de04fed3ae640a02ca369723f64fdf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3868522
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#83202}
When regenerating v8heapconst.py, the v8 sandbox now has to be enabled
explicitly (using the v8_enabe_sandbox=true gn arg) as it is enabled by
default in Chromium builds, but not standalone v8 builds.
Bug: v8:13281
Change-Id: I1a0861b1d63f340465d7433e042b27eace706ca7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3895622
Commit-Queue: Adam Klein <adamk@chromium.org>
Auto-Submit: Samuel Groß <saelo@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83201}
Check whether the exception phi for the accumulator (i.e. the exception
message object) is dead, and don't assign rax to it if yes. Note that
maglev node liveness can differ from bytecode liveness, since the
bytecode accumulator could have been considered "live" just because of a
move to a (dead) register.
Bug: v8:7700
Change-Id: If1384284f6f55a565e2ae94e5e7a32455fdedb93
Fixed: chromium:1359382
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892353
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83197}
Use Script as the key for the template object cache, instead of the
SharedFunctionInfo. This is because SharedFunctionInfos can be garbage
collected and then later recompiled, which would mean that we break the
spec's expectation that the template object stays constant.
Now the association of cached template object with SharedFunctionInfo is
via the function_literal_id of the SharedFunctionInfo, stored on the
CachedTemplateObject. These are linearly searched, similar to the linear
search over slot ids.
Bug: v8:13190
Change-Id: I3f67811c16ea4cd39c99b2fa034aa7e1f03c171e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892787
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83195}
SimulateFullSpace starts with no LAB, iterates over pages and allocates
all free space on each page. After the first page, the LAB is empty but
is no longer null.
Bug: v8:12612
Change-Id: I2c00b9ba68fdd5f60eda086ea940cb6e211a986e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891294
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83186}
Before, import and export wrappers were cached based on their
signature. This change
- makes wrapper canonicalization consistent with that of types and
call_indirect signatures under --wasm-type-canonicalization,
- removes the last uses of signature maps, which will enable us to
remove them in a future CL.
Change-Id: I512bc234f0ae10e50bd94237e8e675ca47ed13c5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891250
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83183}
Ignition remembers the correct context to restore when entering an
exception handler by moving the context to an interpreter register
when entering a try block, and restoring it from there when unwinding
the frame and entering the catch block.
Maglev code has to do the same by taking the context from the
appropriate register for the handler's frame state.
Bug: v8:7700
Change-Id: I294fcccc845c660b2289b6d7b40f49f1aa46283d
Fixed: chromium:1359928
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892352
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83181}
Trap if the suspender argument provided to the JSPI import
wrapper is invalid.
For now, the suspender argument is expected to be the active
suspender. In the future, it will also be possible to suspend
to a parent of the current suspender. This will only be possible
once wasm-to-wasm suspending wrappers are supported, or if and
when JSPI suspenders become compatible with their core
stack-switching counterpart (e.g. Fibers in the fiber proposal).
R=jkummerow@chromium.org
Bug: v8:12191
Change-Id: I650454ed076bd251b0aa18656774d4c4b2d3bfdc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892697
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83173}
1. Return null if the transition is out of bound.
2. Remove incorrect MAYBE_RETURN which is handled by the IsNothing check.
Bug: v8:11544
Change-Id: Ia54f68831120bd2460cb813464168b1a2c92da3d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893595
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83171}
Instead of having e.g. `string.new_wtf8` that takes an immediate
specifying the particular UTF-8 flavor to parse, make one instruction
per flavor.
See https://github.com/WebAssembly/stringref/pull/46.
Bug: v8:12868
Change-Id: I2e9f2735c557b2352b6e75314037e473710d87a9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892695
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andy Wingo <wingo@igalia.com>
Cr-Commit-Position: refs/heads/main@{#83170}
This also allows allocation folding to be tested in cctests.
Bug: v8:13070
Change-Id: I7b6991461dd7ad4423539b33f59a05d6b247c3e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891257
Auto-Submit: Teo Dutu <teodutu@google.com>
Commit-Queue: Teo Dutu <teodutu@google.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83169}
GetIterator on object o consists of two steps:
1) iter = load o[#Symbol.Iterator]
2) call iter
For null / undefined step (1) throws an exception, meaning
step (2) is never reached. Up to this change, turbofan
deopts if for either of the two steps there isn't enough
feedback, meaning that we have a deopt loop for null and
undefined.
Change-Id: Ie0eaf8e231a149313e10af9e95fd80bc77dc0beb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890980
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83159}
FillCurrentPage assumed that everything after top is empty, which
doesn't work with MinorMC and sweeping. Revise FillCurrentPage based
SimulateFullSpace for MinorMC.
I similar implementation is provided both in unittests and cctest.
Migrating affected cctest to unittests is left a future work.
Bug: v8:12612
Change-Id: Ie29be2fc7aaee25e1fd5f66b1c0959c2a45f007f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3885888
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83158}
The normative change in
https://github.com/tc39/proposal-resizablearraybuffer/pull/93 changed
the behavior of TypedArray.prototype.subarray(begin, end) such that if
the receiver is a length-tracking TA and end is undefined, the result
TypedArray is also length-tracking.
This change reached consensus in the March 2022 TC39.
Bug: v8:11111
Change-Id: If1a84cc3134f3ce8046196d6cc36683b6996dec0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3888382
Commit-Queue: Marja Hölttä <marja@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83147}
This is a reland of commit 49c5967830
The non-deterministic snapshot issue has been fixed by using the correct
field size for CodeDataContainers in serializer.cc.
Original change's description:
> [sandbox] Fold V8_SANDBOXED_EXTERNAL_POINTERS into V8_ENABLE_SANDBOX
>
> Now that all external pointers have been sandboxed,
> V8_SANDBOXED_EXTERNAL_POINTERS is no longer needed. This change also
> shrinks external pointer slots to 32 bits when the sandbox is enabled.
>
> Bug: v8:10391
> Change-Id: Iccbef27ac107b988cb23fe9ef66da6fe0bae087a
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869269
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83083}
Bug: v8:10391
Change-Id: I29870404406902d99ba6016c570cc0c4d05c6c85
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3887899
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83130}
Make the flush-baseline-code tests use --no-maglev in addition to
--no-turbofan.
Bug: v8:7700
Change-Id: I12145735e7a88f156d30e15621a9fe12e18abecf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890990
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83127}
Not passing null object but passing undefined while calling
ToTemporalDate()
Bug: v8:11544
Change-Id: I9376c32f306b000980d37bf233ffef3e83baf706
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3885352
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83124}
Raw hashes may need to be looked up via the forwarding table when
internalized strings are forwarded to external resources. Notably, the
megamorphic ICs were not correctly fetching the raw hash.
Bug: v8:12007
Change-Id: Ibbc75de57e707788f544fbd1a0f8f0041350e29d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3885379
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83115}
Storing with E64 when SEW=32 has EMUL=2, which copies |n| 64 bit wide
data to the result double array already. Besides, accessing v1 when
EMUL=2 is reserved.
R=yahan@iscas.ac.cn
Change-Id: I0870d53c36b642529cab753409f52016d79219b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878442
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#83110}
32-bit values are held in a sign-extended format in 64-bit registers. Which
the vaule 0x856AF894 becomes 0xFFFFFFFF856AF894 and failed equality comparison
with lwu's result 0x00000000856AF894. XOR the result with 0xFFFFFFFF00000000
before comparison.
R=yahan@iscas.ac.cn
Change-Id: I4d225ff653070022023ac7f10257ad0c30c24e5b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3881601
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#83109}
This is a reland of commit a165e82ea7
The reason of revert is SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../src/objects/js-temporal-objects.cc:3837:22 which is the line
"nanoseconds_mv = std::round((seconds_mv - std::floor(seconds_mv)) * 1e9);"
where seconds_mv is a double and nanoseconds_mv is a int32_t
In this reland, we change the type of nanoseconds_mv to double to avoid the ubsan error.
Original change's description:
> [Temporal] Use double/int32_t instead of int64_t for duration parsing
>
> Use double and int32_t instead of int64_t in duration parsing result
> so we can parse very large duration fields as infinity and throw RangeError in later stages. The three fractional parts can hold up value from 0 to 999,999,999 so we use int32_t to hold it. Other part could be infinity so we use double to hold it. Also rearrange the order of the three int32_t in the struct ParsedISO8601Duration after all the double
>
> Bug: v8:11544
> Change-Id: I7e5b02f7c7bbb60997f1419f016aed61dd3e0d6c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3840761
> Reviewed-by: Shu-yu Guo <syg@chromium.org>
> Commit-Queue: Frank Tang <ftang@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82754}
Bug: v8:11544
Change-Id: If8b72cb4912d8b4fc4c286fc856ea59df5cf0bb7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858576
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83090}
When the sandbox is disabled, object layouts are now different as
ExternalPointerSlots are then 64-bit (raw pointers) instead of 32-bit
(ExternalPointerHandles).
Bug: v8:10391
Change-Id: Ia03d1ae9300fad96e40b77f0ed9544a1a118b74a
Cq-Include-Trybots: luci.v8.try.triggered:v8_linux64_no_sandbox_dbg_ng_triggered
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3884075
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Samuel Groß <saelo@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83089}
Now that all external pointers have been sandboxed,
V8_SANDBOXED_EXTERNAL_POINTERS is no longer needed. This change also
shrinks external pointer slots to 32 bits when the sandbox is enabled.
Bug: v8:10391
Change-Id: Iccbef27ac107b988cb23fe9ef66da6fe0bae087a
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869269
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83083}
Inlining of bar into foo required taking allocation in foo into account
as well (crrev.com/c/1021734), but this makes the test vulnerable to gc
timing changes since other allocations are also inlined into foo and may
die at arbitrary times (as observed when enabling MinorMC).
Fix by preventing inlining of bar into foo.
Bug: v8:12612
Change-Id: I2d8848d4002334d329c4b2cc8f18bff1296f5cc1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3882970
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83080}
Change the constructor and instance registers into a single
constructor_then_instance register, and add some register allocation
scopes to reduce temporary register use. This also allows us to change
FindNonDefaultConstructor to only need one output for both constructor
and instance.
Also make BuildCreateArrayLiteral a bit more friendly to the interpreter
register allocation.,
Bug: v8:13091
Change-Id: I0b6015b0bc6810bb4607157d715b7e536efb89f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876386
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83077}
Skip over DCHECK in fuzzing that is always checked later by getting the
value from a Maybe object.
Bug: chromium:1359230, chromium:1360735
Change-Id: I9512e27fdeb1d6919e24bd631ae2caece7aed466
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3874934
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83075}
This is a reland of commit 0a1a579ad2
The original CL has a bag in assigning no_reg to scoped Register variable.
To fix it Scoped guard was added for automated release of scoped registers.
Original change's description:
> Port JS-Wasm Promise Integration for arm64
>
>
> Port Generic JS-Wasm Wrapper for arm64
>
> Change-Id: I256e6511d47af9ab04c577beb6b829dfee34a6ed
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3841074
> Commit-Queue: Ilya Rezvov <irezvov@chromium.org>
> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83038}
Change-Id: I7b8b355f5689e51529223f1156e74e980c3b50ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879492
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Ilya Rezvov <irezvov@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83068}
Add the missing KB multiplier. Also add a flag to set the fixed stack
size.
R=clemensb@chromium.org
Bug: v8:12191
Change-Id: I9782192d2eef1986286f726a05444a4bec49fc66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3875902
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83065}
ShouldFinalize should only be called if major incremental marking is
active, and can crash if minor incremental marking is active, if
MajorMC's local_marking_worklists_ was reset.
The only caller is IsMarkingComplete. This CL changes the IsMarking
check to IsMajorMarking to solve this issue, and renames
IsMarkingComplete to IsMajorMarkingComplete.
Bug: v8:13012
Change-Id: Iba6bd5b7977ec8566c3ab0f047646d8cafd45038
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879485
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83064}
Fix broken DCHECK:
When using MinorMC, new space is a paged space and only uses the
TO_PAGE page flag. New large object space however still uses both
TO_PAGE and FROM_PAGE page flags. With MinorMC it still possible
to find reference to FROM_PAGEs, but those pages have to be large
pages.
Fix broken test:
MinorMC may only free empty pages when shrinking. Therefore, shrink
may actually not change the space capacity at all (e.g. when all
pages have live objects on them). More specifically, the capacity is
not guaranteed to be half the previous capacity.
Bug: v8:12612
Change-Id: Ib0edcafd758828f821f82bc8c796c205f162809c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879493
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83061}
assertEquals() compares objects by comparing each property for both
objects. This was done by using Object.keys() which however only returns
enumerable properties.
With this change also non-enumerable properties are compared.
Still, the comparison doesn't require the properties to be equal.
So, if one property is marked enumerable in one object but not the
other, the objects would still be considered equal.
This could be adapted in a follow-up CL if desired.
The prototype is still ignored for the comparison.
Change-Id: I1bb9df055bfb764ac1c02d971ac6f4a50f4a98e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876384
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83058}
This is a reland of commit 24e60017d4
The reland changes %ClearFunctionFeedback to clear *all* feedback
slot kinds including binary/compare/for-in slots. In the tests we
thus no longer have to resort to tricks to restore the function to
it's initial state, instead simply call %ClearFunctionFeedback.
Original change's description:
> [maglev] Deopt on overflow in >>>
>
> Re-enable the int32 fast path for ShiftRightLogical, but account for
> Maglev's missing signed/unsigned representation tracking by a)
> removing rhs==0 as the identity value (a shift by 0 is still a
> signed-unsigned conversion) and b) deoptimizing if the result cannot
> be converted to a non-negative smi.
>
> Note this is not a deopt loop, since a non-smi result will change the
> feedback to kSignedSmallInputs (from kSignedSmall).
>
> To fix this properly, we should track signed/unsigned representations
> and convert the result to a heap number if it doesn't fit within smi
> range.
>
> Bug: v8:7700
> Change-Id: Ifd538d227a6f1290eb7f008d9bfad586ff91ea0f
> Fixed: v8:13251
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876366
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Jakob Linke <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83025}
Bug: v8:7700
Change-Id: I2f607a0fb863b80e8589c9c1e86ee31fbac48c25
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879491
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83057}
This CL fixes redesigns the current API, which does not correctly
manage lifetimes of the shared object conveyors.
See design doc at
https://docs.google.com/document/d/1TV6agY9dafVJFvdPrUAGbEvos8wL2WDnsmf84n3OJVU/edit?usp=sharing
This CL also removes the incorrect behavior of serializing all shared
strings by sharing instead of copying. Shared strings may be sent to
another process, which should still work.
Bug: v8:12547
Change-Id: I7413abd2d871fd3d52c9b433445cfa1d03e4a732
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3868713
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83044}
- Remove the {ValueRepr} parameter from Wasm table and global object
internals. It is now the responsibility of the user to transform
to/from a JS object. This removes duplicate work in some cases (type
checking in the caller, transforming in the callee).
- For the reverse direction in the JS API, introduce
{WasmObjectToJSReturnValue}.
Bug: v8:7748
Change-Id: Ie7625cc0f08d38fe74dbe57e69004de2d93b8a11
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876184
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83031}
This reverts commit 24e60017d4.
Reason for revert: Change breaks maglev GC stress tests.
Original change's description:
> [maglev] Deopt on overflow in >>>
>
> Re-enable the int32 fast path for ShiftRightLogical, but account for
> Maglev's missing signed/unsigned representation tracking by a)
> removing rhs==0 as the identity value (a shift by 0 is still a
> signed-unsigned conversion) and b) deoptimizing if the result cannot
> be converted to a non-negative smi.
>
> Note this is not a deopt loop, since a non-smi result will change the
> feedback to kSignedSmallInputs (from kSignedSmall).
>
> To fix this properly, we should track signed/unsigned representations
> and convert the result to a heap number if it doesn't fit within smi
> range.
>
> Bug: v8:7700
> Change-Id: Ifd538d227a6f1290eb7f008d9bfad586ff91ea0f
> Fixed: v8:13251
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876366
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Jakob Linke <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83025}
Bug: v8:7700
Change-Id: Ibd4c29cc57b999e1cfcd040cee3228ea27a74029
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876374
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83029}
Re-enable the int32 fast path for ShiftRightLogical, but account for
Maglev's missing signed/unsigned representation tracking by a)
removing rhs==0 as the identity value (a shift by 0 is still a
signed-unsigned conversion) and b) deoptimizing if the result cannot
be converted to a non-negative smi.
Note this is not a deopt loop, since a non-smi result will change the
feedback to kSignedSmallInputs (from kSignedSmall).
To fix this properly, we should track signed/unsigned representations
and convert the result to a heap number if it doesn't fit within smi
range.
Bug: v8:7700
Change-Id: Ifd538d227a6f1290eb7f008d9bfad586ff91ea0f
Fixed: v8:13251
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876366
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83025}
Re-implement the --log-function-events functionality after
refactoring the tiering state bits on the FeedbackVector.
The new version also tries to log first-execution of non-interpreter
code and will handle OSR events.
Not-yet supported:
- First-execution logging when OSR-ing in Sparkplug or Maglev
Bug: v8:13146
Change-Id: I2059c6d8105091f20586eaf157ef19d5e65295aa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3832375
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83019}
This is a reland of commit d00c040547
Changes since revert: Use AsAtomicTagged instead of
base::AsAtomicPointer to store a hash value in the forwarding table.
Original change's description:
> [strings] Support shared external strings>
>
> With this CL shared strings can be externalized and external strings can
> be shared.
> The StringForwardingTable is used to delay the real transition to the
> next full GC. On the API side strings marked for externalization will
> look like externalized strings.
>
> Bug: v8:12957
> Change-Id: I53b6509129bc5679c06bdf99421bdb41ea5d9082
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849643
> Reviewed-by: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Patrick Thier <pthier@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82966}
Bug: v8:12957
Change-Id: I17715e927e4339240a6aa12a3c4a3c2ea50eb567
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871211
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83018}
This test somehow ended up inside an assertThrows arrow function, after
the expression that was supposed to throw -- so it never got executed
(and the expectation was slightly off.) This moves the test outside the
arrow function so it gets executed, and fixes the expectation.
Justification for changing the expectation: rab is [0, 1, 2, 3, ... 9],
and length_tracking_ta_with_offset2 has an offset of 2, so it is [2, 3,
...]. During the loop, after 2 iterations which have produced [2, 3], we
resize the buffer so the array has length 0. Therefore, the iteration
ends after producing [2, 3], not [3, 4].
Change-Id: Iec6024fb955102841b45f033de3fed80b7d2af34
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878244
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Auto-Submit: Philip Chimento <ptomato@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83009}
ValueDeserializer should be lenient and not assume correct usage when
deserializing shared objects. This CL makes ValueDeserializer throw if
a shared object conveyor id or shared object id are not found.
Bug: v8:12547, chromium:1359227
Change-Id: I429a37dfadd95e42edca5d4870eb5188cb013bc7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872549
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83004}
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.
R=ishell@chromium.org
Bug: v8:12887
Change-Id: I457fd781f13c37ffdaa19e29c8f998ee3eaa55a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3875085
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82996}
- i31s should not be packed in {WasmWrapperGraphBuilder::ToJS}.
- anyref should be able to hold any JS value (except null if non
nullable).
- Restructure TypeCheckJSObject.
Bug: v8:7748
Change-Id: I51ab6b84e89a70e565ce56de7a41f8693aa28e5b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871073
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82992}
This adds two flags to dump "type feedback" (call targets and
frequencies) to a local file, or load it from there. This is meant for
experimentation only.
Some implications are removed, as (speculative) inlining now does not
require Liftoff any more, but can also use information from PGO.
R=jkummerow@chromium.org
Bug: v8:13209
Change-Id: I2d34233ce4077db61f5c237b1941136ac61d3b73
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870470
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82979}
The test broke in
https://crrev.com/c/3865148
Bug: chromium:1352649
Change-Id: I9857fd359d73a4c1f7d202feba27a3dcf56e23c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872275
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82974}
The stack of an isolate's main thread is kept in the isolate's heap.
This CL sets the stack's start address when the isolate's heap is set
up; it can also be set explicitly from the embedder. The CL also fixes
threaded cctests, where an isolate is shared by many "main" threads.
Bug: v8:13257
Change-Id: Ie30bbbe4130882d94f23de946cbada748f32e22d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870923
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82973}
This reverts commit d00c040547.
Reason for revert: Failing CI tests on Mac arm64
Original change's description:
> [strings] Support shared external strings
>
> With this CL shared strings can be externalized and external strings can
> be shared.
> The StringForwardingTable is used to delay the real transition to the
> next full GC. On the API side strings marked for externalization will
> look like externalized strings.
>
> Bug: v8:12957
> Change-Id: I53b6509129bc5679c06bdf99421bdb41ea5d9082
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849643
> Reviewed-by: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Patrick Thier <pthier@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82966}
Bug: v8:12957
Change-Id: I13155fcc788d217db56cbfd1c9e4457a81a9dbd7
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870486
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82970}
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.
R=mlippautz@chromium.org
Bug: v8:12887
Change-Id: Id12f9d8270dd9fed651e1b3596c06e45aae9d6d1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3846151
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82969}
With this CL shared strings can be externalized and external strings can
be shared.
The StringForwardingTable is used to delay the real transition to the
next full GC. On the API side strings marked for externalization will
look like externalized strings.
Bug: v8:12957
Change-Id: I53b6509129bc5679c06bdf99421bdb41ea5d9082
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849643
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82966}
This CL adds PKU support for V8 heap, but we will not enable
PKU by default before adding bots that are able to test the
PKU machinery.
Bug: v8:13023
Change-Id: I0465604d56900536ad63311f119ea0324ebe4f2f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3793944
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Wenqin Yang <wenqin.yang@intel.com>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82965}
Inline DependOnStablePrototypeChain to iterate only those maps which
share a validity cell with the receiver map. This resolves an issue
where maps after the holder object violate the stability invariants, but
doesn't require looking up what the actual holder is.
Bug: v8:7700
Change-Id: Id06f0d13660f547e14dd25085799c0e6223c34b9
Fixed: chromium:1359215
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871298
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82964}
The intention is to be restrictive for now: modules should not
start to depend on this subtyping while the stringref type
hierarchy question is being settled (see
https://github.com/WebAssembly/stringref/issues/3 for details).
Bug: v8:12868
Change-Id: I0140e72f92550c88393dc84bb1fa3ce65840a048
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865019
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82937}
At the start of the graph builder, we add merge states to exception
handlers basic block with ExceptionPhis (normal phis with no input,
but with an interpreter register "owner").
Every Node that can throw, can also lazy deopt, so we use the
lazy deopt IFS to recover the exception phi values in a trampoline
before jumping to the exception catch block.
Bug: v8:7700
Change-Id: I62fe7f19ce5e89c3df645224ea62f9fc2798207c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865865
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82935}
This change adds support for defining globals whose value is imported
and not defined inline. This was already possible for importing globals
from other modules, now it is also supported for non-global values, e.g.
values created by a wasm function and exported to JS.
Bug: v8:7748
Change-Id: I4fe22a7ab33b431cb731458900c0f332dff8b8f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865554
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82934}
This CL refactors most of the cctests and unittests (22 out of 31) that
directly invoke heap GC, so that the corresponding internal heap methods
are called from a few specific places in boilerplate code. This will
facilitate impending changes to the interface of GC-related internal
heap methods.
Bug: v8:13257
Change-Id: Ia6773a7952501b0792b279b799171519620497d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869264
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82927}
Use the correct helper function to emit an immediate.
Fixed: chromium:1358909
Change-Id: I2f2ae7819f40009b3f9c22067cdf11885d3347ca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869265
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82924}
This CL removes the marking_worklists parameter from the
ConcurrentMarking constructor, and instead sets marking_worklists_
in ScheduleJob based on the new GarbageCollector parameter.
We will use the ConcurrentMarking class for both major and minor
marking later, and this CL does preparatory work for that by allowing
to change the mode of operation (minor/major) through ScheduleJob.
Bug: v8:13012
Change-Id: I44a35155cf19e1df139a6a4e5bc5cbedbc3e00aa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3850289
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82910}
This is a reland of commit aa541f1c9c
Original change's description:
> [turbofan][arm64] Emit Lsl for Int32MulWithOverflow when possible
>
> Int32MulWithOverflow on arm64 uses a cmp to set flags rather than
> the multiply instruction itself, thus we can use a left shift when
> the multiplication is by a power of two.
>
> This provides 0.15% for Speedometer2 on a Neoverse-N1 machine,
> with React being improved by 0.45%.
>
> Change-Id: Ic8db42ecc7cb14cf1ac7bbbeab0e9d8359104351
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829472
> Commit-Queue: George Wort <george.wort@arm.com>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82499}
Change-Id: Ib8f387bd41d283df551299f7ee98e72d39e2a3bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865484
Commit-Queue: George Wort <george.wort@arm.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82909}
Sufficiently full pages in new space are promoted as is to old space. If
a string is allocated on such a page, it won't be promoted to the shared
heap. The string can later be promoted by the next full GC, but then it
is promoted from old space, not new space, which was not supported.
Bug: v8:12612
Change-Id: I6133e13bec9ba3110b2b9dbfb4dcef47bde25e90
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865162
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82906}
This is a reland of commit 3297ccca23
This is a straight-up reland of the original CL. The failing test
was flaky and removed with https://crrev.com/c/3868727. We replaced
the test with a proper DevTools e2e test: https://crrev.com/c/3867522
Original change's description:
> [debug] Immediately step-in for 'stack check triggered' debug breaks
>
> This CL changes debug breaks that are triggered via interrupts (i.e.
> via stack check). One client of this behavior is the `Debugger.pause`
> CDP method.
>
> The problem is that when we pause so early, the JSFunction didn't have
> time yet to create and push it's context. This requires special
> handling in the ScopeIterator and makes an upcoming change unnecessary
> complex.
>
> Another (minor) problem is that local debug-evaluate can't change
> context-allocated local variables (see changed regression bug). Since
> the context is not yet created and pushed, variables are written to
> the DebugEvaluateContext that goes away after the evaluation.
>
> The solution is to mirror what `BreakOnNextFunction` does. Instead
> of staying paused in the middle of the function entry, we trigger
> a "step in" and pause at the first valid breakable position instead.
> This ensures that the function context is already created and pushed.
>
> Note that we do this only in case for JSFunctions. In all other cases
> we keep the existing behavior and stay paused in the entry.
>
> R=jgruber@chromium.org
>
> Fixed: chromium:1246907
> Change-Id: I0cd8ae6e049a3b55bdd44858e769682a1ca47064
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3854501
> Reviewed-by: Jakob Linke <jgruber@chromium.org>
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82817}
Change-Id: I1938ccb5979fd80dff530b2ffe3f18714b7eff3f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3867727
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82901}
Some wasm simd unit tests are not guarded by V8_ENABLE_WEBASSEMBLY,
it will cause test failure on no-wasm build.
Change-Id: Ib08e133f979e492ca620191d799f641bdb0f60bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3866706
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jie Pan <jie.pan@intel.com>
Cr-Commit-Position: refs/heads/main@{#82887}
We've previously reset profiler ticks on ML finalization to avoid
unexpected early tierups to TF. This CL additionally avoid early TF
tierup through the `small function` reason by disabling small-function
optimization.
Bug: v8:7700
Change-Id: I57ba294af0d1d189f76c2cb1ffc31af0837b1e42
Fixed: v8:13242
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865550
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82886}
Changes:
- Limit how often a function can be inlined, mostly to constrain
recursive-function inlining.
- Move call count limiting earlier (to WasmInliner::ReduceCall), and
guard it behind the flags that are required to generate call counts.
Bug: v8:12166
Change-Id: Ie3c140daff110e08fe7103ee79393ea27ae49bb2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865918
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82880}
We fixed the test earlier but forgot to remove the SKIP.
Bug: v8:11544
Change-Id: I6594dc2ad07fe88fdc2ed9bfaa0f0715bc14930b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3867132
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82874}
Add test for ensuring that page promotion records old-to-shared slots
during a full GC.
Bug: v8:11708
Change-Id: Id2eb77a623c84586cad61d72bb80479ef69e3b29
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3866176
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82873}
If we see a default ctor, walk up the constructors until we find a non-
default one.
Default ctors can only be skipped if there are no class fields / private
brands.
This CL implements the Ignition parts; Sparkplug, Maglev and TF will
be implemented as follow ups. (This is fine, since this feature is
behind a flag.)
Bug: v8:13091
Change-Id: Ie8ca8aedb01bd4b13adf1063332a5cdf41ab358a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3804601
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82872}
This CL has two changes:
1. Remove ValueDeserializer::Delegate::SupportsSharedValues. Only
ValueSerializer::Delegate needs to report whether it supports
serializing shared values. The ValueDeserializer::Delegate should
DCHECK if it gets a shared object tag but it doesn't support it.
This better mirrors what happens with SharedArrayBuffer transfers
currently.
2. When attempting to serialize a shared object (shared struct, shared
array, Atomics.Mutex, or Atomics.Condition) when
!SupportsSharedValues(), throw instead of assert. This is for better
ergonomics.
Bug: v8:12547
Change-Id: I2bb66830393526578016813c4e3488859dd07073
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3866302
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82870}
Rename BytecodeOperandFlag to BytecodeOperandFlag8. The methods in
interpreter-assembler were missed in https://crrev.com/c/3857561.
Change-Id: I09383531e4d16e6e428a56feb76192156211dc81
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3867515
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82869}
In preparation for the new `v`-flag, extend RegExp flags from 1-byte to
2-byte.
Bug: v8:11935
Change-Id: I2dacb5e8dba889947054aa5c155708b8d315b898
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3857561
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82863}
Due to https://crbug.com/1195263, large typed arrays can have an
observable difference on the same architecture, depending on
optimization behavior.
For differential fuzzing comparisons, we previously used a proxy
for typed arrays that capped the maximum size only when comparing
different architectures - there an observable difference is WAI.
We move the capping code and make it arch-independent for now until
the bug above gets fixed, since it caused too many duplicates, which
degrade fuzzing performance.
Bug: chromium:1195263
Change-Id: Ic81c383e547413378cbe037de3c38eb900a9e5dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3866173
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82860}
.. since ticks collected in lower tiers use a different budget than
ticks collected in ML code. Keeping ticks from a lower tier would lead
to earlier-than-expected TF compilation requests.
Also, remove the runtime call between loops in osr-from-ml-to-tf.js
to not give TF too much time to tier up. It should no longer happen
now that ticks are cleared, but there's also no reason for the runtime
function to between the loops.
Bug: v8:7700
Fixed: v8:13242
Change-Id: I901c636079de05cb62d2aae1c92f0285a0f8c1ad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3867310
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82859}
This reverts commit 3297ccca23.
Reason for revert: V8 roll is failing https://luci-milo.appspot.com/ui/inv/build-8804330987023399745/test-results?q=DevToolsTest.TestPauseWhenScriptIsRunning
Original change's description:
> [debug] Immediately step-in for 'stack check triggered' debug breaks
>
> This CL changes debug breaks that are triggered via interrupts (i.e.
> via stack check). One client of this behavior is the `Debugger.pause`
> CDP method.
>
> The problem is that when we pause so early, the JSFunction didn't have
> time yet to create and push it's context. This requires special
> handling in the ScopeIterator and makes an upcoming change unnecessary
> complex.
>
> Another (minor) problem is that local debug-evaluate can't change
> context-allocated local variables (see changed regression bug). Since
> the context is not yet created and pushed, variables are written to
> the DebugEvaluateContext that goes away after the evaluation.
>
> The solution is to mirror what `BreakOnNextFunction` does. Instead
> of staying paused in the middle of the function entry, we trigger
> a "step in" and pause at the first valid breakable position instead.
> This ensures that the function context is already created and pushed.
>
> Note that we do this only in case for JSFunctions. In all other cases
> we keep the existing behavior and stay paused in the entry.
>
> R=jgruber@chromium.org
>
> Fixed: chromium:1246907
> Change-Id: I0cd8ae6e049a3b55bdd44858e769682a1ca47064
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3854501
> Reviewed-by: Jakob Linke <jgruber@chromium.org>
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82817}
Change-Id: I0c34b7b4a788572a73ca380b3d767223fb6e7ea1
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3867311
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82855}
