While the affect values must be valid addresses & thus will not overflow
the IntPtr type, they need to be interpreted as unsigned in comparisons.
Bug: chromium:792549, v8:7123, v8:3590
Change-Id: I864b50c8dbdc297d70bf83c74a83cc466c5f3eb0
Reviewed-on: https://chromium-review.googlesource.com/814395
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49937}
The tests illustrate the use of v8::EmbedderHeapTracer.
Bug: v8:7176
Change-Id: Ic383c968691fddb0ec96d66cb33ee42b9c304a75
Reviewed-on: https://chromium-review.googlesource.com/811924
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49934}
When enabling any coverage mode (other than best-effort), we trigger
deoptimization of all functions on the heap.
Prior to the recent removal of the weak list of optimized functions [0],
we'd unlink optimized code from all relevant JSFunctions during the call
to DeoptimizeAll.
After the weak-list-removal, this was no longer the case, hence this [1]
change which attempts to reset the code object from the
SharedFunctionInfo for all found JSFunction objects.
But this can create a situation in which JSFunctions are set up
incorrectly s.t. they have unoptimized code but no feedback vector.
This CL fixes that by leaving JSFunction objects untouched and relying
on self-healing mechanisms (CompileLazyDeoptimizedCode) to fix up
JSFunction::code.
[0] https://crrev.com/f0acede9bb05155c25ee87e81b4b587e8a76f690
[1] https://crrev.com/c/647596/5/src/debug/debug-coverage.cc
Bug: chromium:786784, chromium:791940, v8:6637
Change-Id: I13191f4c8800a0d72894b959105189dc09ca693e
Reviewed-on: https://chromium-review.googlesource.com/813615
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49932}
This is a preparation for a larger CL that needs VectorSlotPair
throughtout the compilation chain (including deoptimizer.cc).
Bug: v8:7127
Change-Id: Ia746805ca3fa294eedba19d23656f858840cd501
Reviewed-on: https://chromium-review.googlesource.com/813934
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49928}
Introduce new flag for starting young generation collection early
based on the current new space size.
Bug: v8:6972
Change-Id: I73dd28b8ac7df873b5c3e6ca4b3e55bdec5295a1
Reviewed-on: https://chromium-review.googlesource.com/811304
Commit-Queue: Michał Majewski <majeski@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49927}
This is a reland of 8dd405e39a. The MSAN
failures were unrelated and should be fixed by 75c1c6c.
Original change's description:
> [heap] introduce SpaceWithLinearArea class
>
> NewSpace and OldSpace have linear allocation areas, but presently the
> implementation doesn't share any code and there are subtle differences.
> This CL introduces a superclass 'SpaceWithLinearArea' that will be used
> to refactor and share code.
>
> Change-Id: I741e6a6ebb9e75c111287214fd1f555fba62c452
> Reviewed-on: https://chromium-review.googlesource.com/809504
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
> Cr-Commit-Position: refs/heads/master@{#49890}
Change-Id: I275bdc881b1b81f3ae3c7d36e919981ac4331315
Reviewed-on: https://chromium-review.googlesource.com/812324
Reviewed-by: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49926}
Ensure that the type is always stored correctly.
R=titzer@chromium.org
Bug: v8:6600, chromium:791810
Change-Id: Id3a3c20b14f8730b9550c548dec49ac47121e691
Reviewed-on: https://chromium-review.googlesource.com/811188
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49924}
Observers may start incremental marking and thus black allocation. Since
the object was allocated before invocing the observer the invariant
might not hold anymore.
Bug: v8:7174
Change-Id: I74fe1816303bedb28b69ec5ac83fd19e588acace
Reviewed-on: https://chromium-review.googlesource.com/813714
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49923}
This saves ~80KB code size for each Deoptimizer.
Bug:
Change-Id: I9fc6744e6acebad1d6012017caf2b29832364530
Reviewed-on: https://chromium-review.googlesource.com/809820
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49919}
The previous code assumed that trap handling was a global concept, defined
by function trap_handler::UseTrapHandler(). This CL does the first step
in changing the decision to be specifiable at a module level.
Therefore trap_handler::UseTrapHandler() is replaced by
trap_handler::IsTrapHandlerEnabled(), and communicates if compilation
supports the use of trap handlers (but still allowing the use of
bounds checking on memory accesses).
It then refactors the classes ModuleEnv and WasmCompiledModule to have
a field "use_trap_handler" that specifies if traps should be used for
the memory accesses in the module being compiled.
Bug: v8:7143
Change-Id: I9844842d5721c86c2dd55e911b42bf8b9922cf63
Reviewed-on: https://chromium-review.googlesource.com/802322
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49915}
Performed manual testing as well by making 20 CPU profile recordings of
loading http://meduza.io page. Without the patch the page renderer memory size
grows beyond 300MB. With the patch it remains below 200MB.
BUG=v8:6623
Change-Id: Ifce541b84bb2aaaa5175520f8dd49dbc0cb5dd20
Reviewed-on: https://chromium-review.googlesource.com/798020
Commit-Queue: Alexei Filippov <alph@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49914}
It will help us to preserve some scripts for user.
R=alph@chromium.orgTBR=jgruber@chromium.org
Bug: chromium:655701
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I6d42434148c2d9eb41c3a2af906e8c14ccf8d9a9
Reviewed-on: https://chromium-review.googlesource.com/806741
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49913}
Exposing the existing Context::AllowCodeGenerationFromStrings(false) API
to the command line.
Bug: v8:7134
Change-Id: I062ccff0b03c5bcf6878c41c455c0ded37a1d743
Reviewed-on: https://chromium-review.googlesource.com/809631
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49911}
For instance, it now knows that Number(x) has type Number.
(In this particular case, we used to know that already due to
js-call-reduction of Number but that was recently disabled because
of BigInts.)
Bug: v8:6791
Change-Id: If5c57d46fc8448ca530a9ce7c9d14d63daa0f31c
Reviewed-on: https://chromium-review.googlesource.com/811264
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49909}
They will eventually be used instead of Tuple3/FixedArray by the IC system.
Bug: v8:5561, v8:7159
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I39faad1b2dc10ce7d42cb7477ea87b64d1e0b44c
Reviewed-on: https://chromium-review.googlesource.com/806178
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49908}
Observer that increases frequency of checking if we reached
marking limit. Works only with --stress-marking.
Bug: v8:6972
Change-Id: I13544fdd8bb33738d78adbac96feb70222b5b634
Reviewed-on: https://chromium-review.googlesource.com/802434
Commit-Queue: Michał Majewski <majeski@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49907}
Control Flow Integrity [1] indirect call checking is a compiler-
instrumentation that verifies that function pointers are only used to
call functions whose type signatures matches the type of the function
pointer. The once implementation casts function pointers to different
types--refactor it to pass around a std::function that calls the
provided function pointer with its original type instead.
[1] https://www.chromium.org/developers/testing/control-flow-integrity
Bug=chromium:776905,v8:7164
Change-Id: I26b63973fdcebbc11b1cd7b023a6a6d0724c360c
Reviewed-on: https://chromium-review.googlesource.com/806262
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49906}
This saves us 14.2kB binary size in libv8.so (in release mode), and
probably also improves performance a little bit.
R=titzer@chromium.org
Bug: v8:7109
Change-Id: I345a48369aaf054572a4fd4368bf5cd526ed146a
Reviewed-on: https://chromium-review.googlesource.com/797270
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49905}
The value is passed as int in most places anyway, so better also store
it as int, and make sure that it's in the range [0..kMaxInt].
Also, our style guide only allows {int} out of the standard integer types.
R=mstarzinger@chromium.org
Bug: v8:6600
Change-Id: Ia425a8a6f64c9e617de02bb1d4f07413e9da4fc6
Reviewed-on: https://chromium-review.googlesource.com/810645
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49904}
- When a global object changes, invalidate its validity cell.
- The global object prototypes don't need to be gathered into an array in InitPrototypeChecks.
Bug: v8:7159
Change-Id: I3621c914d08b83e49e8a391800a92eb53ba19feb
Reviewed-on: https://chromium-review.googlesource.com/808588
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49901}
This reverts commit 0c2faa0633.
Reason for revert: seems to make win asan flaky:
https://build.chromium.org/p/client.v8/builders/V8%20Win32%20ASAN/builds/1094https://build.chromium.org/p/client.v8/builders/V8%20Win32%20ASAN/builds/1095
Original change's description:
> [D8] Clean up ArrayBuffer Allocators in shell.
>
> - Reworks the class hierarchy in d8.cc to conform to the allocator API.
> In particular, allocators should malloc/free or equivalent unless
> v8::ArrayBuffer::Allocator::Reserve is called.
> - Modifies ExternalizedContents to remember the allocation mode.
> - ArrayAllocatorBase now tracks its allocations to make sure it doesn't
> call Free on externalized array buffers it didn't allocate.
>
> Bug: chromium:756050
> Change-Id: Ic2d07d36358f1b4fa542bea27f93d1d51a1757e1
> Reviewed-on: https://chromium-review.googlesource.com/807355
> Commit-Queue: Bill Budge <bbudge@chromium.org>
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Eric Holk <eholk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49893}
TBR=bbudge@chromium.org,titzer@chromium.org,eholk@chromium.org
Change-Id: I0f3ecc10de843102e7681285f0300cf98704c92c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:756050
Reviewed-on: https://chromium-review.googlesource.com/810904
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49895}
When implementing Liftoff I realized that these are not tested at all
in our cctests.
R=ahaas@chromium.org
Bug: v8:6600
Change-Id: I9f4da9bb93580f556bc67ebe8b79427373e656ba
Reviewed-on: https://chromium-review.googlesource.com/808385
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49894}
- Reworks the class hierarchy in d8.cc to conform to the allocator API.
In particular, allocators should malloc/free or equivalent unless
v8::ArrayBuffer::Allocator::Reserve is called.
- Modifies ExternalizedContents to remember the allocation mode.
- ArrayAllocatorBase now tracks its allocations to make sure it doesn't
call Free on externalized array buffers it didn't allocate.
Bug: chromium:756050
Change-Id: Ic2d07d36358f1b4fa542bea27f93d1d51a1757e1
Reviewed-on: https://chromium-review.googlesource.com/807355
Commit-Queue: Bill Budge <bbudge@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49893}
This reverts commit 8dd405e39a.
Reason for revert: MSAN errors: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/18598
Original change's description:
> [heap] introduce SpaceWithLinearArea class
>
> NewSpace and OldSpace have linear allocation areas, but presently the
> implementation doesn't share any code and there are subtle differences.
> This CL introduces a superclass 'SpaceWithLinearArea' that will be used
> to refactor and share code.
>
> Change-Id: I741e6a6ebb9e75c111287214fd1f555fba62c452
> Reviewed-on: https://chromium-review.googlesource.com/809504
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
> Cr-Commit-Position: refs/heads/master@{#49890}
TBR=ulan@chromium.org,ofrobots@google.com
Change-Id: Ibd325c2965b7b8dea36b34a8c4a3ee06ea24e515
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/810664
Reviewed-by: Ali Ijaz Sheikh <ofrobots@google.com>
Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
Cr-Commit-Position: refs/heads/master@{#49892}
NewSpace and OldSpace have linear allocation areas, but presently the
implementation doesn't share any code and there are subtle differences.
This CL introduces a superclass 'SpaceWithLinearArea' that will be used
to refactor and share code.
Change-Id: I741e6a6ebb9e75c111287214fd1f555fba62c452
Reviewed-on: https://chromium-review.googlesource.com/809504
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
Cr-Commit-Position: refs/heads/master@{#49890}