Docs: https://docs.google.com/document/d/13n1qaB6A-gvgWc9NDhWm-UPuOqow_Y0DNgCeTbtIotI
Modify that C++ backend so that it can emit either runtime C++ or
postmortem debugging code. When in postmortem debugging mode, the
overall code structure would look similar with some difference:
1. Instead of passing an Isolate* everywhere, we pass a MemoryAccessor.
2. Instead of runtime class names like String, we use uintptr_t.
3. When loading data from objects, instead of TaggedField<T>::load or
Object::ReadField (which read from the current process), we use the
MemoryAccessor and read data from the debuggee process.
4. Return values should be wrapped in the Value struct.
Implement the debug accessors for complex length expressions and add a
test for such a class (SmallOrderedHashSet).
Change-Id: I34107c92b31ed4e07bb628ae58c84487e41ba648
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2477921
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#72148}
This will allow us to optimize the protector cell checks in the fast path
from checking against the function object in every context to just
doing a range check against the instance type.
This patch adds new instance types for constructor functions that
require such protector cell checks.
Bug: v8:11256
Change-Id: Iea722f9c6326dfa470149dd02e689a23942097f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2595442
Reviewed-by: Mythri Alle <mythria@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72146}
This reverts commit 4d5b878b61.
Reason for revert: Suspected to cause a failure on ChromeOS, which is blocking the roll - https://chromium-review.googlesource.com/c/chromium/src/+/2636263
Original change's description:
> [super] Store home object in Context instead of JSFunction
>
> This saves memory (the home object doesn't need to be stored for each
> method, but only once per class) and hopefully makes the home object
> a constant in the optimized code.
>
> Detailed documentation of the changes:
> https://docs.google.com/document/d/1ZVXcoQdf9IdMsnRI9iyUjyq9NDoEyx9nA3XqMgwflMs/edit?usp=sharing
>
> Bug: v8:9237
> Change-Id: Ia0925bdc8bfe54cbefcba6d10f64746d63a530c7
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2563275
> Commit-Queue: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#72137}
TBR=marja@chromium.org,leszeks@chromium.org
Change-Id: Idc5a8240cef4da8893ccc608ee4ae0d7206a1ba8
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9237
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2637215
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72142}
Adds a v8-gn.h file containing defines that are used in the
externally-visible headers files like v8.h. This must be included by
include/v8config.h which includes it if the GN flag
v8_generate_external_defines_header is on. (Currently off by default).
To enable the v8config.h file to be included without the other v8
headers (as required by cppgc), this moves it into its own header set
which sets up the include path correctly.
Also updates some headers to ensure v8config.h is included before using
externally-visible defines.
Bug: v8:11292
Change-Id: I5be634f4adfbef144bf684071461d64f1cb30899
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2608212
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72140}
Removes:
- v8_disable_arguments_adaptor GN flag
- ArgumentsAdaptorTrampoline
- ArgumentsAdaptorFrame class
Change-Id: I382ebe6c25c3c172bee5df3e86e762fca10fa392
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2622911
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72133}
This reverts commit b3d09001eb.
Reason for revert: https://chromium-review.googlesource.com/c/v8/v8/+/2565511 has to be reverted, and this was a follow-up to that
Original change's description:
> [objects] Remove uncached internal external string type
>
> We shouldn't be creating those anymore since they are not thread-safe.
>
> Bug: v8:7790
> Change-Id: I4546d995fa32eb076c8dfe9d95301fad719c9e07
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2615347
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#72006}
TBR=rmcilroy@chromium.org,leszeks@chromium.org,solanes@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:7790
Change-Id: I4eb1a6b8446fa602eeb5bf29fbf1fe57182cdbf3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2627605
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72122}
Make sure gcmole detects issues in DisallowGarbageCollection scopes.
DisallowGarbageCollection is widely used in the codebase to document
code that doesn't allocate. However, this has the rather unexpected
side-effect that gcmole is not run when such a scope is active.
This CL changes the default behavior of gcmole to run even with
DisallowGarbageCollection scopes present. This will give us the best
results of both worlds, dynamic checks by the fuzzer, and static
analysis by gcmole.
To allow crazy local raw pointer operations there is a new
DisableGCMole scope that explicitly disables gcmole.
Change-Id: I0a78fb3b4ceaad35be9bcf7293d917a41f90c91f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2615419
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72039}
For simplicity this CL includes a first crude conversion of
tickprocessor.mjs. Later CLs will introduce more ES6 syntax and clean
up more code.
Bug: v8:10667
Change-Id: Ief2ca623f5562114fb976a95d156e2ab3f961114
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2611252
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72013}
We shouldn't be creating those anymore since they are not thread-safe.
Bug: v8:7790
Change-Id: I4546d995fa32eb076c8dfe9d95301fad719c9e07
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2615347
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72006}
Change the background of source position markers based on the events
they link to.
Bug: v8:10644
Change-Id: I108d9f5670acdaf5835905c2b44648c0eaf6dbd0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2604708
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71970}
The IC object's interface is changing all the time and this code is
just bitrotting. Rather than trying to keep this updated all the time,
let's just use Object.values to print all the key value pairs in the
ic object.
This looks slightly worse than the previous text format but it has the
critical advantage of being broken less often.
Change-Id: Ia3580d1ba82a981d8442682f66d6002436e70f42
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2615418
Auto-Submit: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71969}
Previously we had introduced a special `v8::internal::WasmValue` type
which we used to expose Wasm values to the Scope view in Chromium
DevTools. The problem however is that these values cannot be exposed to
JavaScript (and in particular not to Debug Evaluate), which means that
particularly for v128 and i64 we have inconsistent representations
across the various parts of DevTools.
This change removes the `wasm` type from the RemoteObject and all the
adjacent logic, and paves the way for a uniform representation of Wasm
values throughout DevTools. For i64 we will simply use BigInt
consistently everywhere, and for i32, f32 and f64 we'll just use Number.
For externref we will represent the values as-is directly. For v128
values we currently use a Uint8Array, but will introduce a dedicated
WasmSimd128 class in a follow-up CL.
Bug: chromium:1071432
Fixed: chromium:1159402
Change-Id: I0671e5736c9c27d7ca376e23ed74f16d36e03c80
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2614428
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71962}
Prepare the system analyzer to be able to select events related to
a single code log entry.
- Rename source-panel to script-script panel
- Update main index.css to support selects in the panel selection
header
Bug: v8:10644
Change-Id: Ie8dd1839294687cb9e25995bcb7ef246a7d7f48d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2604707
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71948}
Design doc:
https://docs.google.com/document/d/1xkXj94iExFgLWc_OszTNyNGi523ARaKMWPZTeomhI4U
A lot has changed since the last patchset! I recommend revisiting this
design doc and reading the parts in green. I explain the roadmap for
what changes to expect from ETW instrumentation as well as the
instrumentation of this particular CL.
I'll do my best to answer any further questions anyone has about my
particular instrumentation or ETW in general :)
---
This is the first of a series of changelists to round out ETW
instrumentation for V8.
This changelist represents the most minimal change needed to instrument
ETW in V8. In particular, it:
- defines and registers the ETW provider,
- interacts minimally with the rest of V8, by hooking into the
existing TracingController::AddTraceEvent function,
- is designed with a platform-agnostic layer, so that event tracers
for other platforms can be instrumented in the future.
Some notes on instrumentation (aka I copied stuff from the design doc):
We make heavy use of the TraceLogging API to log events. It differs from
previous methods of emitting ETW events in that it doesn't
require the overhead of a separate manifest file to keep track of
metadata; rather, events using this API are self-descriptive.
Here are the five major steps to instrument the TraceLogging API:
- Forward declare the provider (from provider-win.h)
- Define the provider in a .cc file (from provider-win.cc)
- Register the provider (called from v8.cc).
- Write events (called from libplatform/tracing-controller.cc)
- Unregister the provider (called from v8.cc)
At the base, we have an abstract provider class that encapsulates the
functionality of an event provider. These are things like registering
and unregistering the provider, and the actual event-logging.
The provider class is split into provider-win and provider-mac
(currently not instantiated) classes, with OS-dependent implementations
of the above functions.
In particular, the TraceLogging API is used only in provider-win. It is
here that we forward declare and define the provider, as well as write
ETW events.
Finally, there is a v8-provider class that serves as a top-level API and
is exposed to the rest of V8. It acts as a wrapper for the
platform-specific providers.
The .wprp file is needed so that Windows Performance Recorder knows how
to capture our events.
Some considerations:
- Is TracingController::AddTraceEvent the best place from which to
write my events?
- Is src/libplatform/tracing the best place to put my instrumentation?
- Right now, I fail the preupload because of this, which tells me my
files are probably not in the best location:
You added one or more #includes that violate checkdeps rules.
src\init\v8.cc Illegal include: "src/libplatform/tracing/v8-provider.h"
Because of "-src/libplatform" from src's include_rules.
Change-Id: Id53e4a034c9e526524a17000da0a647a95d93edf
Bug: v8:11043
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2233407
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Sara Tang <sartang@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#71918}
The negative implication from --single-threaded to --liftoff was
introduced because with --single-threaded, no tier-up to TurboFan is
possible, and TurboFan provides faster code and smaller code.
This CL removes this implication. The reason is that this implication
does not only define the default compiler for --single-threaded to be
TurboFan, but also completely disables the option to use Liftoff
instead. By removing the implication, an embedder who uses
--single-threaded can decide by themselves if they want to use Liftoff
by setting --liftoff, or if they don't want to use Liftoff by setting
--no-liftoff.
R=clemensb@chromium.org
Bug: v8:11279
Change-Id: Ie6e64a42823b87484135364ecb4589cfd188db5e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2599548
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71917}
- Fix landing page
- Introduce and use SelectRelatedEvent for centralising the logic of
finding and showing related LogEntries. It also clears the selection
of all list panels if there are no related entries.
- Add "select related" button to the script-panel to show events only
from the currently selected script
- Add selection type tabs for the map-panel
- Fix transition colors for map-transitions view
- Introduce separate map-transition view for the currently selected Map
Bug: v8:10644
Change-Id: I4199a8332bab2518d98078712ed5ce9a8f1dc19e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2599555
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71849}
This allows the JSFunctionOrBoundFunction instance type range to no
longer be stuck at the last of the JSObject instance type range. This
will be useful in the future where we extend the function instance
types and include them in fast protector cell checks.
Bug: v8:11256
Change-Id: I955991576b3cca76b10f76c87748016fe527e3d0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2595275
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71826}
Concurrent inlining is enabled for TurboProp compiles, but we don't
enable the --concurrent-inlining flag so don't also set the implied
turbo_direct_heap_access flag. This CL fixes this.
BUG=v8:9684
Change-Id: I298febdf7c466385047f420d4c33ca0162778210
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2593344
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71804}
Previously, we were looking up the prototype of the receiver and
checking that against %TypedArrayPrototype% before invalidating the
protector cell.
This is incorrect as it's possible to patch the prototype and then
change the constructor property, bypassing this check.
This CL adds a new instance type to prototype of all TypedArray
constructors and checks the receiver against this instance type.
TBR: tebbi@chromium.org
Bug: v8:11274, v8:11256
Change-Id: I2ff6280e4cf820b06c5593fe4addd36f7ac656c4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2594776
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71799}
In the future, these instance types will be used for fast range checks
rather than the current slow individual map checks.
Bug: v8:11256
Change-Id: I4ad7d5259fbd46c3272a80996a5ac45a400d1f5e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2590040
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71791}
Associate DeoptLogEntry with both the function's source position and
the deopt location's source position.
Also fixes the list-panel click handler to support all clickable entry
types.
Bug: v8:10644, v8:10754
Change-Id: If10272a926d5dad10b29322e237610900715b9dd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2584955
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71732}
This commit updates the gen-postmortem-metadata.py script to
incorporate changes in V8 8.5. This removes the need to float a
patch to the script in Node.js.
Change-Id: I6532495bee906f51eb2b773ec38ff0a6e404dafe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2582705
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/master@{#71699}
This commit updates the gen-postmortem-metadata.py script to
incorporate changes in V8 8.4. This removes the need to float a
patch to the script in Node.js.
Change-Id: I69da40e792f22748b0eee2952b9009b2f03d13f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2565275
Reviewed-by: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/master@{#71646}
This CL extends profview to
1. Show Turboprop ticks in a different color in timeline panel
2. In summary panel, show Turboprop optimizations and TurboFan
optimizations as two different entries
3. Fix deopts in summary panel after the rename to deopts
4. Also show information about bailouts (happen only with Turboprop)
Bug: v8:9684
Change-Id: I028b12a55741c789ecc1d212d1517a57496379dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2573477
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71638}
Improve the performance of gcmole by
* Precompiling the regexes in GCSuspectsCollector.Resolve
* Merging those regexes into a single regex, using '|'
* Changing multiprocess clang plugin invocation to threaded (running
the plugin releases the GIL so this can efficiently thread). This
uses a simple worker pool with a single work queue.
* Change clang plugin invocation loop to yield after each invocation.
This pipelines the dump-callees plugin and GCSuspectsCollector
Parse/Resolve, so that the parse can happen while waiting for other
callee dumps to finish.
Change-Id: Ib9fca70dbcfd2f9d1aebc8bd11aa1d1f7d34e24a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2562242
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Liviu Rau <liviurau@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71617}
Also construct the `JSMap`s used to store these names lazily and
only on-demand, and construct them directly instead of first doing
a `std::vector<Handle<String>>` and using that to construct the
`JSMap`. The latter resulted in a gigantic root set of 150k+ handles,
which wasn't well received by the GC.
Bug: chromium:1154154
Fixed: chromium:1154564
Also-By: bmeurer@chromium.org
Change-Id: I92e8931f15eda133e2a62b5cc53fbe1f2dafcead
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2568275
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Philip Pfaffe <pfaffe@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71589}
This is a reland of 4ad08c82f7
The reland organizes the different error types in separate functions
for separate call stacks. Error simulation is also guarded by
a minimum file size to prevent Clusterfuzz from getting stuck with
its bad-build check.
Original change's description:
> Enable simulating errors to test fuzzer reliability
>
> This adds a d8 flag --simulate-errors, which on shutdown will cause
> certain errors. This enables testing the reliability of sanitizers.
>
> This will cause a fatal error, a dcheck (if available) or a
> violation that can be detected with one of the following sanitizers:
> ASAN, UBSAN, MSAN, CFI.
>
> The same flag used in differential fuzzing will cause an error
> subsumed with the error state "fake_difference".
>
> Bug: chromium:1152412
> Change-Id: I4b36c6fe716797004d634263617d22ca67b05600
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2554999
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#71430}
Bug: chromium:1152412
Change-Id: I604258b4c1ebd215c26b1de6b2822663f857bf64
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2565125
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71538}
The wasm fuzzer corpus is pretty outdated. The script that was used to
generate it did not work any more.
This CL updates the script, and runs it. This generates a fuzzer corpus
of 42011 wasm modules, compared to 15290 before. The new modules will
contain new features like SIMD and multi-value, which will be
interesting fuzzer inputs.
R=ahaas@chromium.org
Change-Id: Ic3df26930cb8c1c6e8d521597ceb06cc338c02ed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2565512
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71537}
When one comparison run crashes, we cap the outputs to compare to the
shorter one. If one of those, however, contains ignored lines, the
comparison gets skewed.
This makes the main source of ignored lines more robust (the line
printed for unknown flags), by not printing it in the first place in
the context of differential fuzzing.
Bug: chromium:1153871
Change-Id: If2e534959779be14a686be5e43630cbf66e215a0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2567692
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71522}
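The skew described in the message above, shown as an added example that is not V8's own fuzzing harness code. The ignore rule, the two sample runs and the function names are constructed for illustration; the CL's actual fix is to stop printing the unknown-flag line, whereas this example only illustrates why a line that is dropped after capping breaks the alignment of the two outputs, and shows one generic ordering (filter first, then cap) that does not.

```cpp
// Added example, not V8 code: how an ignored line skews a differential
// comparison when the two outputs are capped to the shorter one first.
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

using Lines = std::vector<std::string>;

// Constructed ignore rule standing in for a real suppression list:
// a warning about an unknown flag is not a meaningful difference.
bool IsIgnored(const std::string& line) {
  return line.rfind("Warning: unknown flag", 0) == 0;
}

Lines DropIgnored(const Lines& in) {
  Lines out;
  for (const auto& line : in) {
    if (!IsIgnored(line)) out.push_back(line);
  }
  return out;
}

// Models the behaviour when one run crashed part-way: only compare as
// many lines as the shorter output has.
void CapToShorter(Lines& a, Lines& b) {
  const size_t n = std::min(a.size(), b.size());
  a.resize(n);
  b.resize(n);
}

// Skewed order: cap first, then drop ignored lines. The ignored line in
// run A consumed one of the capped slots, so A loses a real line and the
// two outputs no longer line up, producing a bogus difference.
bool SkewedCompare(Lines a, Lines b) {
  CapToShorter(a, b);
  return DropIgnored(a) == DropIgnored(b);
}

// Robust order: drop ignored lines before capping, so both outputs are
// capped over real content only.
bool RobustCompare(Lines a, Lines b) {
  a = DropIgnored(a);
  b = DropIgnored(b);
  CapToShorter(a, b);
  return a == b;
}

// Constructed sample: run A printed an unknown-flag warning first and ran
// to completion; run B crashed after two lines of real output.
Lines SampleRunA() { return {"Warning: unknown flag --foo", "1", "2", "3"}; }
Lines SampleRunB() { return {"1", "2"}; }

int main() {
  std::cout << "skewed compare reports equal: "
            << SkewedCompare(SampleRunA(), SampleRunB()) << "\n"   // 0
            << "robust compare reports equal: "
            << RobustCompare(SampleRunA(), SampleRunB()) << "\n";  // 1
  return 0;
}
```

The two runs produce identical real output up to the crash, so the only correct verdict is "no difference"; the skewed ordering reports a difference anyway, which is exactly the kind of false positive that wastes triage time in a differential fuzzer.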
ScopeInfo objects generally start with three fields: flags, parameter
count, and local variable count. But a single read-only ScopeInfo
instance has none of those fields. This is the empty ScopeInfo, which is
used for contexts that don't correspond to any scope (the native context
and contexts for builtin functions). Since there is only ever a single
instance of the empty ScopeInfo, the memory savings of omitting these
fields is trivial, and we can simplify logic somewhat by including them.
Rather than checking for length to be zero, this change introduces a new
flag indicating that a ScopeInfo instance is the empty one.
On its own, this change doesn't provide a whole lot of value. However,
it sets us up for two further improvements, which are consistent with
the goals outlined in [1]:
1. We should fully describe ScopeInfo fields in Torque. Getting rid of
the requirement to check for emptiness would substantially simplify the
indexed field expressions.
2. ScopeInfo shouldn't inherit from FixedArray, and shouldn't begin with
a `length` field when the length can be computed from the other fields.
This would save a small amount of heap memory and avoid any possibility
of a mismatch between the two ways of computing the length.
[1] https://docs.google.com/document/d/1tiGK7_lubxPHnInI2vscUwMHfadn8gIEa1apmI8HxR4/edit#heading=h.n63k76b3zfwa
Bug: v8:8952
Change-Id: I018127698a5d91fb2a91684bc3aec2e27ee27c41
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2561598
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#71500}
- Timeline.selection is now a Timeline as well
- Allow removing the current timeline-track selection by double-clicking
outside the selection
- Update the timeline-track stats based on the current selection
- Simplify DOM element creation methods
- Add separate SelectionHandler class for timeline-track
Bug: v8:10644
Change-Id: I4f15d6ab4f5ec6b7330e22769472ca3074b00edd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2565130
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71497}
- Fix transition view selection and opening of subtrees
- Fix transition colors by storing an index on the uniqueType map
in the timeline
- Do not reset the current list in the transition view when
clicking on a map
- Support changing source positions in the source panel
- Highlight the current source position with a pulsing marker
- Fix kColors usage in timeline-track
Bug: v8:10644
Change-Id: I5130f18d9076cb37f9c3c8d585c9e47038ca411b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2562386
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71477}
This reverts commit 4ad08c82f7.
Reason for revert: Need to retry with bugs in separate stack
frames.
Original change's description:
> Enable simulating errors to test fuzzer reliability
>
> This adds a d8 flag --simulate-errors, which on shutdown will cause
> certain errors. This enables testing the reliability of sanitizers.
>
> This will cause a fatal error, a dcheck (if available) or a
> violation that can be detected with one of the following sanitizers:
> ASAN, UBSAN, MSAN, CFI.
>
> The same flag used in differential fuzzing will cause an error
> subsumed with the error state "fake_difference".
>
> Bug: chromium:1152412
> Change-Id: I4b36c6fe716797004d634263617d22ca67b05600
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2554999
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#71430}
TBR=machenbach@chromium.org,clemensb@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: chromium:1152412
Change-Id: If20cdef372b0e7e92e7080687f446539a587a815
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2565120
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71475}
The error simulation works and crashes during the smoke test are
detected. But now this masks real crashes (https://crbug.com/1153200),
therefore this change subsumes smoke-test crashes with
--simulate-errors under a separate crash state.
Now Clusterfuzz will detect the case "unexpected crash" as fixed, but
create a new bug for "simulated crash". Which we will keep open
forever.
No-Try: true
Bug: chromium:1152412
Change-Id: I511af167d33430d9b89692151cb8abaf3a90c715
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2563270
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71452}
- Add ToolTip helper that tracks scrolling target elements
- Auto hide if the target scrolls out of view
- ToolTip position depends on target position
- Add basic tooltips for maps in the transition view, entries in
timeline tracks and the source panel
Drive-by-fix:
- Move events.mjs to view/ folder
- Add basic toString methods on various log entries
- Add requestAnimationFrame update support for V8CustomElement
Bug: v8:10644
Change-Id: I1059733cd094a986b715547b3d5747eefbc54bc5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2551103
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71434}
This passes the --simulate-errors flag for differential fuzzing with
a probability of 0.01%.
No-Try: true
Bug: chromium:1152412
Change-Id: I3146c0ea5706be8b5ec13ee8740e1d185e008075
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2562248
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71432}
This adds a d8 flag --simulate-errors, which on shutdown will cause
certain errors. This enables testing the reliability of sanitizers.
This will cause a fatal error, a dcheck (if available) or a
violation that can be detected with one of the following sanitizers:
ASAN, UBSAN, MSAN, CFI.
The same flag used in differential fuzzing will cause an error
subsumed with the error state "fake_difference".
Bug: chromium:1152412
Change-Id: I4b36c6fe716797004d634263617d22ca67b05600
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2554999
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71430}
Scopes in V8 are used to guarantee one or more properties during their
lifetimes. If a scope is not named, e.g. MyClassScope(args) instead of
MyClassScope scope(args), it will get created and automatically destroyed
and therefore be useless as a scope. This CL would produce a
compile warning when that happens to ward off this developer error.
Follow-up to ccrev.com/2552415 in which it was introduced and
implemented for Guard classes.
Change-Id: Ifa0fb89cc3d9bdcdee0fd8150a2618af5ef45cbf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2555001
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71425}
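The developer error described in the message above, shown as an added example that is not V8 code. The DisallowScope class, its depth counter and the two helper functions are constructed for illustration; they stand in for any RAII scope whose guarantee only holds while the object is alive.

```cpp
// Added example, not V8 code: an unnamed RAII scope object is a temporary
// and is destroyed at the end of its full-expression, so it guards nothing.
#include <iostream>

namespace {
// Constructed stand-in for the state a real scope would protect.
int g_disallow_depth = 0;
}  // namespace

// Hypothetical scope class modelled on RAII scopes such as
// DisallowGarbageCollection: the property holds while an instance lives.
class DisallowScope {
 public:
  explicit DisallowScope(const char* /*reason*/) { ++g_disallow_depth; }
  ~DisallowScope() { --g_disallow_depth; }
  DisallowScope(const DisallowScope&) = delete;
  DisallowScope& operator=(const DisallowScope&) = delete;
};

bool ScopeActive() { return g_disallow_depth > 0; }

// The bug: DisallowScope("...") without a name creates a temporary that is
// destroyed before the next statement runs, so the body is unguarded.
bool UnnamedScopeGuardsBody() {
  DisallowScope("unnamed");
  return ScopeActive();  // false: the temporary is already gone
}

// The intended use: a named object lives until the end of the block.
bool NamedScopeGuardsBody() {
  DisallowScope scope("named");
  return ScopeActive();  // true: `scope` is still alive here
}

int main() {
  std::cout << "unnamed scope active in body: " << UnnamedScopeGuardsBody()
            << "\n"  // 0
            << "named scope active in body:   " << NamedScopeGuardsBody()
            << "\n";  // 1
  return 0;
}
```

Both functions compile without complaint, which is why a diagnostic is worth having: the unnamed form silently gives up the guarantee (no GC disallowed, no lock held, no assertion scope in force). In C++20, marking the constructor `[[nodiscard]]` is one portable way to make the compiler warn on the unnamed form; the CL uses V8's own mechanism for the same purpose.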
With concurrent inlining, the inlining phase happens on the background
thread and the data needed for the inlining phase is serialized on
the main thread. The serialization phase tries to gather data about
functions called which is sometimes more expensive than the inlining phase
itself. So it's better not to use concurrent inlining for TurboFan
compilations when tiering up from Turboprop to TurboFan. Turboprop
compilations don't inline and hence it is OK to continue using
concurrent inlining for Turboprop compilations.
Bug: v8:9684
Change-Id: Ib529905213fa7f0df84ee52218adc27f7c219f60
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2557504
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71405}
Drive-by Torque changes:
- kSize can be non-aligned, use SizeFor() instead for map allocation.
- Factory functions use Torque-generated setters directly to work even
if they are shadowed.
- Allow class generation in the presence of custom weak fields, this
was supported already.
Bug: v8:7793
Change-Id: I7e2df45d550ff70973e5167459050fd84db03114
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2547285
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71371}
Don't pass the correctness-fuzzing suppressions to normal fuzzing as
they turn stack overflows and invalid string length checks into
crashes.
This first became a problem after the flag was passed in an mjsunit
test case.
No-Try: true
Bug: chromium:1151600,chromium:1151599
Change-Id: I5d29900a4b155762cae447fc102055eab1916309
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2551112
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71333}
Because of LocalHeap safepoints, our existing assert scopes don't
necessarily maintain the same guarantees as desired. In particular,
DisallowHeapAllocation no longer guarantees that objects don't move.
This patch transitions DisallowHeapAllocation to
DisallowGarbageCollection, to ensure that code using this scope is
also protected against safepoints.
Change-Id: I0411425884f6849982611205fb17bb072881c722
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2540547
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71319}
For people not too familiar with cloud storage, the direct URL makes it
easier to download the zip archive.
R=machenbach@chromium.org
Bug: chromium:1142437, v8:10891
Change-Id: I6b29ebaac37489a73c4f75473d07e04e7200f2c3
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2543395
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71276}
Some tests explicitly set the --always-opt flag, but they are not
ignored when the testrunner is invoked with variant="jitless" or
variant="nooptimization".
This CL implies --opt from --always-opt and excludes
--always-opt when the testrunner is invoked with jitless or
nooptimization variants.
Change-Id: I49ebc3907666c462aa09a294a39a504a0c90de96
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2544548
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71258}
This removes the dependency on Lua for running gcmole, and Python's
expressiveness lets us clean up the code a bit, including getting rid
of global variables, embedding the multiprocessing (removing the need
for a separate `parallel.py`), and using difflib for printing the test
expectation diff.
Bug: v8:11169, v8:8590, chromium:1097212
Change-Id: If0ab5ea6f764864855d73cd0ba63cb37c1823955
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2543927
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Liviu Rau <liviurau@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71253}
It took me a while to figure out how to set up everything to run the
fuzzer locally. These improved error messages would have helped to find
errors earlier.
R=machenbach@chromium.org
Bug: chromium:1142437
Change-Id: I414de0a8448cd81fdbf999cc7c3c8cf9394354f6
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2543397
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71239}
Add a "combination" assert scope class, which combines multiple existing
assert scopes. This will allow scopes with functional overlap, e.g.
DisallowGarbageCollection and DisallowHeapAllocation, to share an assert
type rather than requiring users to remember to set both. To
demonstrate this, this redefines DisallowGarbageCollection to a
combination of DisallowHeapAllocation and a new DisallowSafepoints, and
some of the DCHECKs checking both are simplified to only check one or
the other, as appropriate.
The combination classes become subclasses of the existing assert scopes,
so that they can be used in their place as e.g. a function parameter,
e.g. DisallowGarbageCollection can be passed to a function expecting
const DisallowHeapAllocation&.
As a drive-by, this also changes the per-thread assert scopes to use a
bitmask, rather than a bool array, to store their per-thread data. The
per-isolate scopes already used a bitmask, so this unifies the
behaviour between the two.
Change-Id: I209e0a56f45e124c0ccadbd9fb77f39e070612fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2534814
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71231}
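The three scope-related commits above (the compile warning for an unnamed scope, the move from DisallowHeapAllocation to DisallowGarbageCollection, and the combination scope backed by a per-thread bitmask) describe one mechanism from three sides. The following is an added C++ example that models that mechanism; it is not V8's assert-scope.h, and the AssertType values, the thread_local mask, the class and function names and the [[nodiscard]] spelling (V8 uses its own macro for this) are assumptions made for illustration.

```cpp
#include <cstdint>

// Illustrative assert types; V8's real enum is different. Two are enough
// to model DisallowHeapAllocation and DisallowSafepoints.
enum AssertType : unsigned { kHeapAllocation = 0, kSafepoints = 1, kAssertTypeCount = 2 };

constexpr uint32_t Bit(AssertType type) { return 1u << type; }

// Per-thread state as one bitmask: a set bit means the operation is allowed.
thread_local uint32_t g_allowed_mask = (1u << kAssertTypeCount) - 1;

// [[nodiscard]] on the class turns `DisallowHeapAllocation();` (an unnamed
// temporary, destroyed at the semicolon) into a compiler warning instead of
// a silent no-op.
template <AssertType kType, bool kAllow>
class [[nodiscard]] PerThreadAssertScope {
 public:
  PerThreadAssertScope() : old_mask_(g_allowed_mask) {
    if (kAllow) {
      g_allowed_mask |= Bit(kType);
    } else {
      g_allowed_mask &= ~Bit(kType);
    }
  }
  // Restoring the snapshot (not flipping the bit) makes nesting correct.
  ~PerThreadAssertScope() { g_allowed_mask = old_mask_; }
  PerThreadAssertScope(const PerThreadAssertScope&) = delete;
  PerThreadAssertScope& operator=(const PerThreadAssertScope&) = delete;

  static bool IsAllowed() { return (g_allowed_mask & Bit(kType)) != 0; }

 private:
  uint32_t old_mask_;
};

using DisallowHeapAllocation = PerThreadAssertScope<kHeapAllocation, false>;
using DisallowSafepoints = PerThreadAssertScope<kSafepoints, false>;

// A combination scope derives from each member scope, so a
// DisallowGarbageCollection binds to `const DisallowHeapAllocation&`.
template <typename... Scopes>
class [[nodiscard]] CombinationAssertScope : public Scopes... {
 public:
  // Allowed only if every member scope reports allowed.
  static bool IsAllowed() { return (Scopes::IsAllowed() && ...); }
};

using DisallowGarbageCollection =
    CombinationAssertScope<DisallowHeapAllocation, DisallowSafepoints>;

// A function that only cares about the weaker property.
void CheckNoHeapAllocation(const DisallowHeapAllocation&) {}

// Named scope: both bits are cleared for the scope's whole lifetime.
bool NamedScopeHolds() {
  DisallowGarbageCollection no_gc;
  CheckNoHeapAllocation(no_gc);  // accepted through the base-class type
  return !DisallowHeapAllocation::IsAllowed() && !DisallowSafepoints::IsAllowed() &&
         !DisallowGarbageCollection::IsAllowed();
}

// Nested scopes restore exactly the state they found, in reverse order.
bool NestingRestoresState() {
  bool inner_ok;
  {
    DisallowSafepoints no_safepoints;
    {
      DisallowGarbageCollection no_gc;
    }
    // Heap allocation is allowed again; safepoints are still disallowed.
    inner_ok = DisallowHeapAllocation::IsAllowed() && !DisallowSafepoints::IsAllowed();
  }
  return inner_ok && DisallowHeapAllocation::IsAllowed() && DisallowSafepoints::IsAllowed();
}

// The developer error the warning is for: the temporary dies at the ';',
// so nothing is protected on the next line. Compilers that honour
// [[nodiscard]] on class types warn on the first statement.
bool UnnamedScopeProtectsNothing() {
  DisallowHeapAllocation();
  return DisallowHeapAllocation::IsAllowed();  // true: the scope is already gone
}
```

Because the combination class is a subclass of each member, existing call sites that take a const DisallowHeapAllocation& keep compiling, and DCHECKs that used to test both scopes can test just the one property they need.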
It is becoming difficult to continue supporting the compiler dispatcher
and background compile task unittests alongside the off-thread
finalization work, so disable those tests when that flag is enabled.
Bug: chromium:1011762
Change-Id: Iba9aaa29b08723afb90edc127609fef1d63ceed5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2539908
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71211}
- Reuse DOM nodes if possible
- Delay slow DOM node removal to not block the UI
- Fix global time range syncing when adding timelines to the state
- Use a Proxy to cache CSS colors instead of querying CSS properties
on every access
- Set className on newly created DOM nodes instead of adding to the
classList
- Use bound functions for event handlers that are added multiple times
- Speed up Chunk.getBreackdown
- Use CSS gradient for timeline-track chunk backgrounds, which is an
order of magnitude faster than the serialised canvas approach
Bug: v8:10644
Change-Id: Ie2d6d5b404f18e920c10c0a6460669fd4d0b20e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2539947
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71207}
This resolves issues building gcmole under LLVM 8.0.0 with gcc 10 (see
https://bugs.gentoo.org/708730).
Change-Id: I932def25fb3cc841cf21414a513fbe2a2fa8a8dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2539946
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Tamer Tas <tmrts@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71204}
The new platform can be used in combination with --single-threaded.
It disables background threads and thus avoids waiting on mutexes
and condition variables completely, which is useful for V8 embedders
that fork the V8 process after initialization.
As a bonus the new platform allows us to test --single-threaded and
has already uncovered an existing bug in parallel pointer updating code.
Change-Id: I3446fa027d2a077641cdaac0cd08062a1acae176
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2416501
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71187}
Previously, we performed "is A subtype of B?" checks by walking
A's supertypes list and comparing every found type to B.
This CL stores not just A's immediate parent type on A, but its
entire list of supertypes, and uses that list plus compile-time
knowledge of B's distance to the root type in order to compare
only exactly one of A's supertypes to B.
Bug: v8:7748
Change-Id: I0011b72c4b54440b16494918f64d8fb119bef8b0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2527097
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71127}
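The subtype check described in the commit above, as an added C++ example that is not V8's wasm type code. The TypeTable class, its chain layout (root first, the type itself as the last entry, so chain length minus one is the depth) and the function names are assumptions; both the old walking check and the new single-comparison check are included so their results can be compared.

```cpp
#include <cstdint>
#include <vector>

// Hypothetical type table. Each type stores its whole supertype chain,
// root first, with itself as the last entry.
class TypeTable {
 public:
  static constexpr uint32_t kNoParent = UINT32_MAX;

  // Adds a type whose immediate parent is `parent` (kNoParent for a root)
  // and returns its index. The new type's chain is the parent's chain plus
  // itself, which is what makes the depth-indexed lookup below possible.
  uint32_t Add(uint32_t parent) {
    std::vector<uint32_t> chain;
    if (parent != kNoParent) chain = chains_[parent];
    uint32_t index = static_cast<uint32_t>(chains_.size());
    chain.push_back(index);
    chains_.push_back(chain);
    return index;
  }

  uint32_t Depth(uint32_t type) const {
    return static_cast<uint32_t>(chains_[type].size()) - 1;
  }

  // Old scheme: walk A's chain and compare every entry with B.
  bool IsSubtypeByWalking(uint32_t a, uint32_t b) const {
    for (uint32_t super : chains_[a]) {
      if (super == b) return true;
    }
    return false;
  }

  // New scheme: B's depth is known, so exactly one entry of A's chain can
  // be B; compare only that one. The bounds check matters, since A may be
  // shallower than B.
  bool IsSubtype(uint32_t a, uint32_t b) const {
    uint32_t depth_b = Depth(b);
    return depth_b < chains_[a].size() && chains_[a][depth_b] == b;
  }

 private:
  std::vector<std::vector<uint32_t>> chains_;
};

// Builds root -> mid -> leaf plus a sibling of mid (constructed data) and
// checks that both schemes agree on every pair.
bool DemoSubtyping() {
  TypeTable table;
  uint32_t root = table.Add(TypeTable::kNoParent);
  uint32_t mid = table.Add(root);
  uint32_t leaf = table.Add(mid);
  uint32_t sibling = table.Add(root);
  const uint32_t types[] = {root, mid, leaf, sibling};
  for (uint32_t a : types) {
    for (uint32_t b : types) {
      if (table.IsSubtype(a, b) != table.IsSubtypeByWalking(a, b)) return false;
    }
  }
  return table.IsSubtype(leaf, root) && table.IsSubtype(leaf, leaf) &&
         !table.IsSubtype(root, leaf) && !table.IsSubtype(leaf, sibling) &&
         table.Depth(leaf) == 2;
}
```

The trade is memory for time: every type carries its full chain instead of one parent pointer, and a subtype test becomes a bounds check plus one comparison regardless of hierarchy depth.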
On builds without pointer compression enabled, v8windbg currently fails
to display information about objects in the Locals pane. This is because
some important code to get a type name was hidden behind a
COMPRESS_POINTERS_BOOL check. The existing cctest
test-v8windbg/V8windbg is sufficient to catch this error, but apparently
nobody ever runs that test in the failing configuration (Windows,
symbol_level = 2, v8_enable_pointer_compression = false).
Change-Id: Ia4e2714b11e6854b3f4f6b72da4ae8c352e8cddc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2530413
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#71124}
This is mostly an auto-conversion done by several tools.
- use let / const
- use arrow functions
- use template strings
Some additional manual rewrites are required to modernize the
code further.
Change-Id: I63a7a43b05b14b33ad9941350d3d5f26aab10ba0
Bug: v8:10667
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2519564
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71080}
Instead of just warning, let's try to format the files as well
Bug: v8:10670
Change-Id: I0dfbdc0ed4a96af7f2a2a472f1d0d3d332d39c90
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2523193
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Auto-Submit: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71076}
This change plumbs import assertions from SourceTextModuleDescriptor's
ModuleRequestMap into SourceTextModuleInfo via a new ModuleRequest
type, where previously there had been only the specifier.
SourceTextModuleDescriptor::module_map now deduplicates module requests
using the specifier and the import assertions. Continuing to use the
specifier alone would cause a loss of information in the event that
a module imports from the same specifier multiple times using different
sets of assertions. Failing to deduplicate at all would result in
multiple requests for statements like `import {a,b,c} from "foo.js"`,
which would be a potential performance issue. See design doc at
https://docs.google.com/document/d/1yuXgNHSbTAPubT1Mg0JXp5uTrfirkvO1g5cHHCe-LmY
for more detail on this decision.
v8::internal::ModuleRequest holds the assertions as an array of the form
[key1, value1, position1, key2, value2, assertion2, ...]. However the
parser still needs to use a map, since duplicate assertion keys need to
be detected at parse time. A follow-up change will ensure that
assertions are sorted using a proper lexicographic sort.
Bug: v8:10958
Change-Id: Iff13fb9a37d58fc1622cd3cce78925ad2b7a14bb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2493060
Commit-Queue: Dan Clark <daniec@microsoft.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71066}
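The deduplication rule from the import assertions commit above (same specifier and same assertion set means one request; different assertion sets on the same specifier stay separate; a repeated assertion key is a parse-time error), as an added C++ example. It is not V8's SourceTextModuleDescriptor; the ModuleRequestMap class, its sorted-pair key, the byte-wise std::string ordering used for sorting and the sample import statements are assumptions constructed for illustration.

```cpp
#include <algorithm>
#include <map>
#include <string>
#include <tuple>
#include <utility>
#include <vector>

// One assertion is a key/value pair, e.g. {"type", "json"}.
using Assertions = std::vector<std::pair<std::string, std::string>>;

// Dedup key: the specifier plus the assertions, sorted by key so that
// source order within the assert clause does not matter.
struct ModuleRequestKey {
  std::string specifier;
  Assertions assertions;
  bool operator<(const ModuleRequestKey& other) const {
    return std::tie(specifier, assertions) <
           std::tie(other.specifier, other.assertions);
  }
};

class ModuleRequestMap {
 public:
  static constexpr int kDuplicateAssertionKey = -1;

  // Records one import statement. Returns the request's index, reusing an
  // existing index when specifier and assertions match, or
  // kDuplicateAssertionKey when the same key appears twice, which the
  // parser has to reject before any request is created.
  int AddRequest(const std::string& specifier, Assertions assertions) {
    std::sort(assertions.begin(), assertions.end());
    for (size_t i = 1; i < assertions.size(); ++i) {
      if (assertions[i - 1].first == assertions[i].first) {
        return kDuplicateAssertionKey;
      }
    }
    ModuleRequestKey key{specifier, std::move(assertions)};
    auto it = requests_.find(key);
    if (it != requests_.end()) return it->second;
    int index = static_cast<int>(requests_.size());
    requests_.emplace(std::move(key), index);
    return index;
  }

  size_t size() const { return requests_.size(); }

 private:
  std::map<ModuleRequestKey, int> requests_;
};

// Feeds the map constructed import statements and returns true when the
// dedup behaves as the commit describes.
bool DemoModuleRequests() {
  ModuleRequestMap map;
  // import {a} from "foo.js"; import {b} from "foo.js";
  int plain_a = map.AddRequest("foo.js", {});
  int plain_b = map.AddRequest("foo.js", {});
  // import x from "foo.js" assert {type: "json"}; (twice)
  int json = map.AddRequest("foo.js", {{"type", "json"}});
  int json_again = map.AddRequest("foo.js", {{"type", "json"}});
  // Same assertion set written in two orders.
  int two = map.AddRequest("bar.js", {{"type", "json"}, {"integrity", "sha384-abc"}});
  int two_reordered = map.AddRequest("bar.js", {{"integrity", "sha384-abc"}, {"type", "json"}});
  // Repeated key: rejected at parse time, no request created.
  int dup = map.AddRequest("baz.js", {{"type", "json"}, {"type", "css"}});
  return plain_a == plain_b && json != plain_a && json == json_again &&
         two == two_reordered && dup == ModuleRequestMap::kDuplicateAssertionKey &&
         map.size() == 3;
}
```

Keying on the specifier alone would have merged the plain and the type:"json" requests for "foo.js" into one and lost the assertions of one of them; keying on nothing would have produced two requests for the two plain imports.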