This fix consists of 2 parts:
a) Fix async hooks:
- Allow initialising the promise hook properties
- Do not call async hooks if we're overflowing the stack
b) Avoid some more recursion when reporting the stack trace
Bug: chromium:1240723
Change-Id: Icedfc8b48655bacc3f79591944e3869b85f1c4de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103321
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76383}
HAS_PROGRESS_BAR is set after page initialization at which point all
flags are assumed to be immutable while a GC is running.
Separating out the progress bar from flags allows setting it lazily at
allocation time.
Bug: v8:11915
Change-Id: I48a877e0e80d583d7a0fadef2546fc70417806e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3085268
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76382}
The JSRegExp heap object should not be the source of truth for regexp
flags, which are also relevant in places that don't need or want to
care about the heap object layout (e.g.: the regexp parser).
Introduce RegExpFlags as a new source of truth, and base everything
else on these flags.
As a first change, remove the js-regexp.h dependency from the regexp
parser. Other files in src/regexp/ should be updated in follow-up
work.
Change-Id: Id9a6706c7f09e93f743b08b647b211d0cb0b9c76
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103306
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76379}
This reverts commit edcc8ff5b5.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Blink%20Linux%20Debug/10806/overview
A prefinalizer is creating a WeakMember from a raw pointer to a dead object for checking whether it is in a set.
Original change's description:
> cppgc: Enable checks for assignments in prefinalizers
>
> Bug: v8:11749
> Change-Id: Ic027f732030fb6a2befeffeca9db2eacfd0830a5
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3099953
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Omer Katz <omerkatz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76370}
Bug: v8:11749
Change-Id: I0c90f232df9ae363f05f8b9ba26c2a7eede8a269
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3106646
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#76377}
The NumFuzz fuzzers need to make use of this flag to ignore
Mjsunit exceptions and other exceptions. The flag ignores
the exit code 1.
R=clemensb@chromium.org
R=cbruni@chromium.org
Bug: v8:11826
Change-Id: Ic0878078edec7292e43cdb18dd6fb32f7bbad12c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103310
Commit-Queue: Almothana Athamneh <almuthanna@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76376}
S10 is a Callee save register and be used in scratch_list.
In cctest, could use scratch but not does't go through the JSEntry function that can save callee save reg. So cctest could be crashed due to using s10.
Bug: v8:12124
Change-Id: I62c3582ad490681d5efb24e8bfe0884006d42e66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103425
Reviewed-by: Ji Qiu <qiuji@iscas.ac.cn>
Commit-Queue: Ji Qiu <qiuji@iscas.ac.cn>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#76375}
liftoff-assembler-ia32.h can now use it. TurboFan ia32 doesn't use it
because it generates different instruction codes (movlps, movhps).
Bug: v8:11589
Change-Id: I07540814acff2d8ea48e06d1e00023d80b276a3d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3095009
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76373}
Move optimized implementation (accounts for AVX2) into
shared-macro-assembler, and use it everywhere.
Drive-by fix in liftoff-assembler-ia32.h to use Movss and Movsd
macro-assembler functions to that they emit AVX when supported.
Bug: v8:11589
Change-Id: Ibc4f2709d323d5b835bcac175a32b422d47d3355
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3095008
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76372}
This adds the option to list disallowed flags for differential
fuzzing directly in the harness. Flags that can crash in smoke
tests shoule be added there.
No-Try: true
Bug: chromium:1240812
Change-Id: I57c772bedeac0ca6ba023c6b4929515b4b0e6cca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103314
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76369}
This is probably a latent bug, but since we didn't have a test that used
'--gdbjit', our fuzzers weren't testing this code path.
Bug: chromium:1240714
Change-Id: I6225e17b60d3a7a73a9c5502fde315207b8e721a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3101265
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76368}
After building V8 using Clang (./out/x64.release/v8_build_config.json
says that "is_clang" is true), I could reproduce the referenced bug
report locally. Replacing the getMinutes() calls with getUTCMinutes()
calls fixed the test failure.
Signed-off-by: Darshan Sen <raisinten@gmail.com>
Bug: v8:11200
Change-Id: Ia36be481f2c8728380d550ead856ef8e51b1069c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3093362
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76367}
.. instead of a FlatStringReader. This is in preparation for reusing
the regexp parser directly from the JS parser, which uses different
string types (AstRawString instead of heap Strings).
Drive-by: Hide parser internals in the .cc file.
Bug: v8:896
Change-Id: I06bd08f2ef5fd7a5e9812c123d88b89cacf5d864
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3101488
Commit-Queue: Patrick Thier <pthier@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76365}
The heap snapshot view in the dev tools reports a lot of incorrect
retaining paths involving weak references from FeedbackVectors. To fix,
when IndexedReferencesExtractor encounters a weak reference, it should
record a weak reference rather than a hidden reference. This way, the
forward reference is still visible when exploring in the summary view,
but weak references aren't reported as retainers.
Bug: v8:12112
Change-Id: Ib3bafc49482fb4f515877a90bae8707483d0a7a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3101266
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#76364}
This is an internal property that should not be used publicly.
The following methods are going to be deprecated:
- v8::TryCatch::JSStackComparableAddress
- v8::BackupIncumbentScope::JSStackComparableAddress
Change-Id: Iaecfdece4660eaf1aef88121ff0f0c501c0ced5b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097451
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76363}
We see too many regressions for now in M94 (~10% more misses in
some cases).
This CL reverts the logic to the state before landing
https://crrev.com/c/3069152 without having to revert the several
refactoring CLs that landed on top of it.
Bug: v8:10284, chromium:1238312, chromium:1237242
Change-Id: I57e66b9e0d58c36d2f1563b07720e3729c88ec94
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103006
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76362}
The heap sandbox will rely on the virtual memory cage to protect the
data pointers in ArrayBuffers, TypedArrays, and DataViews.
Bug: v8:10391
Change-Id: Ib0ee352e0eba07dea0fb9e0dc4957cb74d37ba3b
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3101489
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76361}
This introduces a new, optional `nonIndexedPropertiesOnly` flag to the
`Runtime.getProperties` inspector request, which tells the inspector to
only report properties whose name is not an (typed) array index. This is
to support retrieving all properties except for the indexed ones when
the DevTools front-end decides to use the array bucketing mechanism.
Previously the DevTools front-end had some quite complicated logic in
place to simulate this via injected JavaScript, but that logic didn't
pick up internal properties and was also interfering with the inherited
accessor mechanism. With this new flag, it's straight-forward to
implement the correct behavior in the DevTools front-end.
The corresponding devtools-frontend CL is https://crrev.com/c/3099011.
Before: https://imgur.com/hMX6vaV.png
After: https://imgur.com/MGgiuJQ.png
Bug: chromium:1199701
Change-Id: Iacbe9756ed8a2e6982efaebe1e7c606d37c05379
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3099686
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Philip Pfaffe <pfaffe@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76360}
In follow-up work, the parser will be refactored to take the input as
raw char arrays instead of a FlatStringReader s.t. it can be reused by
the V8 parser (which has AstRawStrings instead of Strings).
Bug: v8:896
Change-Id: I0e0bda4b34bc23b8bc427ddf3f9516081c42bb8a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3099947
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76359}
These tests test allocation failure and time out on MSAN.
TBR=adamk@chromium.org
Bug: v8:11852
Change-Id: Ie0b042ab6bc37028c41a4b12d4911aba7f9af375
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3101574
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76356}
Bug: v8:11852
Change-Id: I1d3c01b827e847bb7edcd2ebe7d3b340f7d53069
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097473
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76355}
We snapshot all the code first, then log it without holding the lock.
Change-Id: I8c18b2db56678a9320ea6b63cd06290453c0a66a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097472
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76354}
Change i16x8.splat to use Punpcklqdq instead of Pshufd as the final step
to move low 32 bits to all lanes.
Move this implementation to shared-macro-assembler and use it
everywhere.
Bug: v8:11589,v8:12090
Change-Id: I968b1dca5a262e4e67875caea18c5c09828cb33a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3092558
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76353}
The optimal implementation is in TurboFan x64 codegen, move it into
shared-macro-assembler, and have TurboFan ia32 and Liftoff use it. The
optimal implementation accounts for AVX2 support.
We add a couple of AVX2 instruction to ia32 in sse-instr.h, not all of
them are used, but follow-up patches will use them, so we add support
(including diassembly and test) in this change.
Drive-by clean up to test-disasm-x64.cc to merge 2 AVX2 test sections.
Bug: v8:11589
Change-Id: I1c8d7deb0f8bb70b29e7a680e5dbcfb09ca5505b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3092555
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76352}
The old implementation had an implicit assumption that
IsolateData::builtin_entry_table_offset is a uint12, i.e.
<4096. We're about to cross that threshold, so this patch
frees up a temp register to let the code generator handle
larger offsets.
Bug: v8:12110
Change-Id: I2c313918be4b1c4fdd2984259e5e8cc02bb24035
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097108
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76350}
ArrayBuffer backing stores will instead use the virtual memory cage and
be referenced through offsets rather than pointers when the sandbox is
enabled. This will be implemented in an independent CL.
Bug: v8:10391
Change-Id: Icc9781003e53c76dbbf4c84ee165151e4182da4b
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3086458
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76348}
The API doesn't forbid passing in a "no cache reason" even when there's
a cache.
Change-Id: I4392bd9707333e8bc39129de72de753d88265c5c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3099950
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76347}
{NativeModule::AddCode} is a central method that should usually be
called in batches, where the caller holds a {CodeSpaceWriteScope} for a
longer time (over several compilations).
This CL moves us closer to that by removing the scope from that central
method and instead putting it in callers where it becomes more visible.
There are already TODOs to introduce caching or batching to avoid some
switching, and one more TODO is added.
Drive-by: Remove an unneeded {CodeSpaceMemoryModificationScope}.
R=jkummerow@chromium.org
Bug: v8:11974
Change-Id: Ia13c601abc766e5fca6ca053bf1fc4d647b53ed0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3098186
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76344}
Don't create DataField and FastDataConstant access infos with a kNone
field representation. Instead return Invalid.
Bug: chromium:1239601
Change-Id: I4df7aa298974f9dcd650ead50aaa349c84feb487
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097463
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76343}
Changing the protections of a kNoAccess region to something different
can fail due to OOM. We should handle this properly.
Bug: chromium:1240062
Change-Id: I35e8837a57d66930390067eb0d1ab4bc76709948
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3099685
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76342}
Make off-thread deserialization play well with the Isolate compilation
cache, by moving the Finish call into GetSharedFunctionInfoForScript.
This means that
a) The isolate cache is checked before the Finish, allowing it to be
hit, and
b) Results of off-thread deserializations are written into the Isolate
cache.
Bug: chromium:1075999
Change-Id: I535935180bbe77f3e718253830e649bd62857634
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3094006
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76341}
This is a reland of 2261e05333
This patch can now be relanded as some space was made for more opcodes:
https://bugs.chromium.org/p/v8/issues/detail?id=12093
Original change's description:
> [arm64][wasm] Use NEON S/Usra for Wasm SIMD add(shr(x, imm), y)
>
> A single AArch64 SIMD signed/unsigned Shift Right and Accumulate can be
> used to implement Wasm SIMD add(shr(x, imm), y). This gives a 1-1.5%
> improvement on some compute intensive Wasm benchmarks on Neoverse-N1.
>
> Mla and Adalp optimisations were refactored to match the style of the
> added code.
>
> Change-Id: Id5959a31ca267e02b7d60e7ff6f942adb029b41e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3089157
> Reviewed-by: Zhi An Ng <zhin@chromium.org>
> Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
> Cr-Commit-Position: refs/heads/master@{#76280}
Change-Id: Idd166b7d3c960af33049bbce6e7276763c28f286
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097284
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76340}
The validation was too strong in the case where the incrementation
produces type None.
Bug: chromium:1236716
Change-Id: I948b370594fa7dad1ba6e5b951f473855bf1346b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097865
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76338}
