This is a reland of commit 2b79eefed3
A DCHECK was using map[key] and inadvertently inserted into the map
that way.
Original change's description:
> Reland^2: [heap] Store size with invalidated object
>
> This is a reland of commit 23b2d571a7
>
> When updating pointers during a full GC, a page might not be swept
> already. In such cases there might be invalid objects and slots
> recorded in free memory. Updating tagged slots in free memory is fine
> even though not strictly necessary.
>
> However, the GC also needs to calculate the size of potentially dead
> invalid objects in order to be able to check whether a slot is within
> that object. But since that object is dead, its map might be dead as
> well which makes size calculation impossible on such objects. The CL
> changes this to cache the size of invalid objects. A follow-up CL will
> also check the marking bit of invalid objects.
>
> Reason for reverts:
>
> Revert #2: In-object slack tracking on JSObjects doesn't update the
> cached size of invalidated objects. The fix here was to stop
> invalidating recorded slots on JSObjects at all and avoid that problem
> completely (see https://crrev.com/c/3620274).
>
> Revert #1: Not all size changes go through NotifyObjectLayoutChange, so
> https://crrev.com/c/3607992 introduced NotifyObjectSizeChange as a
> bottleneck for object size changes/right-trimming. This method is
> now used to update the size of invalidated objects.
>
> Bug: v8:12578, chromium:1316289
> Change-Id: I0478d04601c0270ddb39419ca6cf98719951eb4d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3623542
> Reviewed-by: Jakob Linke <jgruber@chromium.org>
> Reviewed-by: Patrick Thier <pthier@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80344}
Bug: v8:12578, chromium:1316289
Change-Id: Ibcc04c209213c584860a7c473082526cb4e53c59
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3627635
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80542}
GCC complains about empty format strings, and also clang already
required special-handling for this case.
We could either drop it, since statically empty strings are not that
useful anyway, but for completeness I fix it via "if constexpr" instead.
R=tebbi@chromium.org
Bug: chromium:1323177
Change-Id: I4d59e1b361afd1edcd552e8a9ce395759646e67f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644433
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80540}
This CL adds to the existing experimental implementation of the
object start bitmap, that is evaluated as a mechanism for resolving
inner pointers (behind the flag v8_enable_conservative_stack_scanning).
It fixes method ObjectStartBitmap::FindBasePtr to ensure that the
correct base pointer is returned, even if the bitmap is not fully
populated (e.g., with object evacuation or inline object allocation).
This method now recalculates the part of the bitmap that is
required for returning the correct result, by iterating through
objects of the page. A special constructor has been introduced to the
PagedSpaceObjectIterator for this purpose.
It also moves the existing inline methods of ObjectStartBitmap to a
new -inl.h header file, to avoid circular dependencies.
Bug: v8:12851
Change-Id: Iabd0df020bee3bb63ef9d4888591b25d24d79dd9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3641179
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80538}
This is a reland of commit 8278cb5015
The reland adds the RestartFrameTrampoline to the list of
builtins that the deoptimizer is allowed to return from for
control flow integrity.
Original change's description:
> [inspector] Re-enable Debugger#restartFrame
>
> Doc: https://bit.ly/revive-restart-frame
>
> This CL "undeprecates" Debugger#restartFrame and adds a new optional
> "mode" parameter for back-wards compatibility. Moreover, the return
> values are all deprecated. They were never actually used in the
> DevTools frontend and the same information is available from the
> Debugger#paused event that fires once execution stops at the
> beginning of the restarted function.
>
> The CL also re-baselines all the restart-frame inspector tests that
> now run successfully.
>
> R=bmeurer@chromium.org, kimanh@chromium.org
>
> Bug: chromium:1303521
> Change-Id: I34bddeb1f2f4ff3dee58dd82e779c111495566f3
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3616505
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80491}
Bug: chromium:1303521
Change-Id: I13e2f8b5011795a38e541310622b8333a3d08049
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644624
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80534}
MSVC does not implicitly convert the std::array iterator to a char*,
hence explicitly use the {data()} accessor instead of {begin()}, which
is cleaner anyway.
R=mlippautz@chromium.org
Bug: chromium:1323177
Change-Id: I65c6836889eb57a18b655cb9e6c98008a8fbcaac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644794
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80533}
Read only a single byte of FLAG_trace_osr in assembly builtin code to
make asan happy in the simulator.
Bug: chromium:1324042
Change-Id: I002cea0b4917af3780d6bdedfb0ec55008e146c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644793
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Auto-Submit: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80532}
This test tests the interpreted/baseline and optimized behaviour of cpu
profiler ticks. We should eventually support this for maglev too, but
for now just disable it.
Bug: v8:7700
Change-Id: Iba89ab2c718025ebf90c86a84ed937c2d1d0af7f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647363
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80531}
This is more consistent with similar features, for example
V8_ENABLE_WEBASSEMBLY or V8_ENABLE_MAGLEV.
Drive-by: remove V8_SANDBOX_IS_AVAILABLE as it's no longer needed.
Bug: v8:10391
Change-Id: I8658c5b0c331a4c73892737083b2c2f9b8f84056
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647355
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Samuel Groß <saelo@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80530}
This introduces a class which can be used for formatting dynamic values
into a constant-size, stack-allocated array. You get ostream-style code
but printf-style performance, and in particular no dynamic allocation.
This makes this class also suitable to be used in OOM or other fatal
situations where we cannot rely on dynamic memory allocation to still
work.
Using FormattedString will automatically compute the format string
depending on the types. It also computes the maximum size of the output.
Last but not least, it makes the code a lot more readable than
traditional printf style printing.
R=mlippautz@chromium.org
Bug: chromium:1323177
Change-Id: I47228b3603c694c1fa23516dd3f1c57e39c0ca35
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644622
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80529}
We initialize the JSObject in the payload of a ByteArray, so we know
that no slots were recorded there. This also means we don't need to
remove any recorded slots and thus invalidation isn't required.
With this change only strings use object slot invalidation on
String::MakeExternal.
Bug: v8:12578
Change-Id: I009635c2a61ae8ff2b9e2480cb7d374451a8cc7d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644614
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80528}
Explicitly initialize the loop merge's back-edge predecessor to a
specfic "uninitialized" value, distinct from nullptr (which marks dead
loops) and done in both debug and release modes.
Bug: v8:7700
Change-Id: I6a845cc4dbd7da75954f78607e69a5d4e2ec1ec7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3645114
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80525}
Now that we require C++17 support, we can just use the standard
static_assert without message, instead of our STATIC_ASSERT macro.
R=leszeks@chromium.org
Bug: v8:12425
Change-Id: I1d4e39c310b533bcd3a4af33d027827e6c083afe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647353
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80524}
JobDelegate::ShouldYield() should not be called anymore after it has
already returned true. This CL changes the deserialization of
WebAssembly to remember when ShouldYield() returned for the first time,
and does not call ShouldYield() afterwards anymore.
R=thibaudm@chromium.org
Bug: chromium:1277962
Change-Id: Ie84abf30b20d302a19f3192c3859796be1cccd97
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647361
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80522}
With this CL, the decompression simply becomes:
movsxd rax, edi
add rax, rax
and rax, qword ptr fs:[base@TPOFF]
Bug: chromium:1325007
Change-Id: I931e4e667a9b9697671bccf14575420f8cb705e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3629871
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80521}
Do the same trick as TurboFan, keeping the BytecodeArray alive by
holding it strongly in the deopt literals.
Bug: v8:7700
Change-Id: I8f8472674b08df3ca18aff58172e7ba83d09a620
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647358
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80519}
With caged heap enabled, we can halve Member<> by storing only the least
significant half. The base of the heap is stored in a thread local
variable. The feature has therefore an implication that only single heap
is allowed per thread.
The feature is gated by the new GN arg:
cppgc_enable_pointer_compression.
Bug: chromium:1325007
Change-Id: Ic7f1ecb7b9ded57caad63d95bbc8e8ad6ad65031
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2739979
Reviewed-by: Almothana Athamneh <almuthanna@chromium.org>
Commit-Queue: Almothana Athamneh <almuthanna@chromium.org>
Commit-Queue: Tamer Tas <tmrts@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Auto-Submit: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80518}
We temporarily enable the StringForwardingTable for all ThinString
transitions behind --future to get coverage and performance numbers from
future bots.
Bug: v8:12007
Change-Id: Ia59bd6c40df2fd413867f6fc2aa7f69d099b5377
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3637799
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80516}
Spec text:
https://tc39.es/proposal-temporal/#sec-temporal.calendar.prototype.erahttps://tc39.es/proposal-temporal/#sec-temporal.calendar.prototype.erayear
Notice this only implement the "iso8601" calendar and we will implement the
code for other calendar later by calling ICU with other Calendar methods.
This CL reduce the differences of testing result between ALWAYS and no_i18n
because the code in no_i18n will not call Calendar era or eraYear and therefore
passed the test even w/o this CL but the ALWAYS tests will cause Temporal
object to internal call era and eraYear and therefore fail if w/o this CL.
Bug: v8:11544
Change-Id: I921fbfbbd26473c238024161eb58b096c38b881b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3641938
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80513}
Doesn't do much at the moment beyond not being a baseline frame. Fixes a
DCHECK in tiering that checks the frame type, by removing the frame
lookup there (which wasn't necessary anymore).
Bug: v8:7700
Change-Id: Icecfe27771923d380a7d1dc1c29aa9c5c9dfbf0f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644618
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80512}
We use the invalidate_recorded_slots argument to signal to NotifyObjectLayoutChange whether a particular object layout change
could cause a tagged pointer to be replaced with an untagged value.
In such cases we need our snapshot protocol in order to allow marking
such objects concurrently.
The snapshot protocol consists of two main operations:
1) Tracing and marking the object black on the main thread before
performing the unsafe transition.
2) The concurrent marker needs to read such objects into a buffer
first and is only allowed to trace it when successfully marking
that object black.
However, in some cases we were still doing 1) on the main thread when
the concurrent marker didn't use 2) the snapshot buffer anymore. This
CL cleans up this behavior and ensures that 1) and 2) are always paired
together.
Bug: v8:12578
Change-Id: Id83b3de866a80efedf4a72e440cbc767fe3eaea6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644611
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80511}
The budget interrupt in maglev can clobber registers. We need to save
the caller-saved registers before making this call.
Additionally, move the interrupt call into deferred code, and only emit
the interrupt check + call for returns and backwards jumps (i.e. things
that reduce the budget).
Bug: v8:7700
Change-Id: I277e9fdf454ff0f22bf20e7cf9538e3020403c1a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644619
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80510}
CompilationSubCache has some complexity regarding generations of tables
which is only used by one subclass, CompilationCacheRegExp. This change
adjusts the class hierarchy so that classes only contain the necessary
member functions.
Bug: v8:12808
Change-Id: I4f4cf15bbf9b80c2de0c18aea82a0c238804759d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3629603
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#80506}
This CL adds two experimental JS builtins to convert between
i16 Wasm GC and JS strings. This is a non-standard experimental
feature only available with the flag --wasm-gc-js-interop.
WebAssembly.experimentalConvertArrayToString(array, start, count)
Convert the `count`-many WTF-16 code units starting at index `start`
into a JS string. Throws a TypeError if `array` is not an i16 array,
or if `start` and `count` are not numbers or not in range.
WebAssembly.experimentalConvertStringToArray(string, sampleArray)
Convert `string` to an i16 array. The `sampleArray` parameter needs
to be an arbitrary i16 array, which is only used to extract the rtt.
Throws a TypeError if `string` is not a string or `sampleArray` is not
an i16 array.
Change-Id: I7ac2f6bd89b8f638427f61da1bb01ccba90d735b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3642301
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80505}
This reverts commit 8278cb5015.
Reason for revert: breaking https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20arm64%20-%20sim%20-%20CFI/10778/overview
Original change's description:
> [inspector] Re-enable Debugger#restartFrame
>
> Doc: https://bit.ly/revive-restart-frame
>
> This CL "undeprecates" Debugger#restartFrame and adds a new optional
> "mode" parameter for back-wards compatibility. Moreover, the return
> values are all deprecated. They were never actually used in the
> DevTools frontend and the same information is available from the
> Debugger#paused event that fires once execution stops at the
> beginning of the restarted function.
>
> The CL also re-baselines all the restart-frame inspector tests that
> now run successfully.
>
> R=bmeurer@chromium.org, kimanh@chromium.org
>
> Bug: chromium:1303521
> Change-Id: I34bddeb1f2f4ff3dee58dd82e779c111495566f3
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3616505
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80491}
Bug: chromium:1303521
Change-Id: Ibc33328c31a4b6ea736d07ce5e5ee109039eec8b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3645767
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80495}
The IsValidSectionCode function shouldn't include internally-used
numeric identifiers of well-known optional sections.
Fixed: v8:12867
Change-Id: I9d894ee57157455e92a17ddcde94f32f05fb038d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644612
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80494}
