With shared space (instead of the shared isolate), the AccessorInfo
implementation of SharedArray's length property is no longer threadsafe.
Until AccessorInfos can be put into shared or RO space, go back to
storing the length field as a per-instance in-object field, which is
unfortunately a little wasteful.
Bug: v8:12547
Change-Id: I99c1cbf26047da48a4b4c11e14ab7def7d4e4f60
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4039309
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84408}
Clear OLD_TO_SHARED slots in free memory after shrinking large objects.
This CL now clears all slots outside of the object and not just from
the next OS page boundary.
Since we are already here also stop clearing OLD_TO_NEW and OLD_TO_OLD
since they should already be cleared at this stage of the GC. Add
DCHECKs that this always holds. We also don't need to iterate large
code objects since we do not shrink such pages anyway.
Bug: v8:13267, chromium:1385717
Change-Id: I75f6e56a7c13974ce669bbba29262e95eb94d287
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4037981
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84407}
So far we parallelized the {WebAssembly.validate} function. After recent
refactorings, we can use the same parallelized logic for validating (only
lazy or all) functions during compilation.
R=ahaas@chromium.org
Bug: v8:13447
Change-Id: I38d48e1e48d83c8e63657abb7077aa8318cf94f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4037269
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84405}
From the documentation: "Applications not manifested for Windows 8.1 or
Windows 10 return false, even if the current operating system version is
Windows 8.1 or Windows 10". As such, the sandbox initialization logic
may incorrectly conclude that it is running on an older version of
Windows and fall back to a partially-reserved sandbox.
The check for the version is not really necessary: afterwards, we check
if we can create virtual memory subspaces, which will only be possible
on Windows if VirtualAlloc2 is available. That API is only available
since Windows 10, making the explicit version check redundant.
Bug: chromium:1368009
Change-Id: Id877dcfd6e384c6af94b571f37e70a115ead8dde
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4042290
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84404}
This factors out a call graph from the suspects collector which in
a future CL can be serialized as a partial call graph and later
merged.
Bug: v8:12660
Change-Id: Ie6f682195a900ba0711b8f828c63bf41f142f2b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4035131
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84403}
Currently, if a script is compiled on the main thread or deserialized on
any thread, and a matching Script object is found in the Isolate
compilation cache, the new content is merged into the existing Script.
This CL implements the same merging for scripts which were compiled by a
background task. I expect speed changes to be minimal, because merging
is only needed in a small minority of compilations. When needed, it
usually takes about 10% as long as the deserialization of the script,
which in turn is faster than compilation from source text.
This CL also removes some code which I added in preparation for merging
on a background thread in this case. Upon further discussion, we've
determined that the extra round trip to a background thread when the
main thread is likely just waiting for completion would do more harm
than good, and performing the compilation cache lookup from the
background thread would be quite cumbersome.
Bug: v8:12808
Change-Id: Ia7a14a739779ab658b505572d19df4ec489a078e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4023904
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84402}
The validation paths during decoding and compilation should generate the
same error message. To achieve this, we move the {GetWasmErrorWithName}
function from the compiler to the decoder. As a drive-by, we replace the
{WasmFunction&} parameter by just an integer, because that is all we
need.
R=ahaas@chromium.org
Bug: v8:13447
Change-Id: I469dd871c7471c0f5af12c56e19b71be136557cd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4037268
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84399}
The gap resolver issue that this was blocked on is fixed now.
R=clemensb@chromium.org
Bug: chromium:1269989
Change-Id: I1aa4566190dd9705bf5688f5c551923f6273f93e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4042243
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84398}
This CL implements Torque builtins for BigInt left shift and right
shift and truncates shift operations when the shift amount is a
constant.
- Propagate truncation if we know the operation is a left shift.
- Lower the operation to a word64 right shift if the lhs is Signed- or
UnsignedBigInt64 and we know the op is a right shift.
A side effect of truncating left shift is it will not throw a
BigIntTooBig exception in optimized code.
Bug: v8:9407
Change-Id: Ibd42cf897ef8a35f6addd09674faf409654d6d7c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4028142
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84396}
Otherwise we may pass an out-of-bounds type to {IsSubtypeOf}.
Bug: v8:7748, chromium:1388938
Change-Id: Ifcbf31c68da40d7b7a365c9d756cd5fa81347291
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4040930
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84395}
Port 2f4397d652
Original Commit Message:
Tail calls generate parallel moves that don't preserve the stack
layout, which is not always correctly handled by the current
gap resolver algorithm. Introduce a more robust algorithm that
handles any parallel move.
Design doc:
https://docs.google.com/document/d/1WbX5B4ej9MzsJ28JS4J5cF2eiJhKyX39vAUB7GSA5YE/edit?usp=sharing
Also remove the move-splitting logic. The problem that it addresses
(swapping aliasing FP registers of different widths on arm) is already
handled by the new algorithm.
R=thibaudm@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N
Change-Id: I6122e9fa7543171eff91435de1804f3a788455f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4035332
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#84394}
This will allow us to reuse the function for validation only lazy
functions.
R=ahaas@chromium.org
Bug: v8:13447
Change-Id: I853ec0a39a4f383391bd7e3556c16e84d11df553
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4037642
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84393}
The interpreter does not implement WasmGC, hence always use Liftoff as
reference if WasmGC opcodes are enabled.
R=manoskouk@chromium.org
Bug: v8:13496, chromium:1387316
Change-Id: I29f496ebc1921c727c216dda763c1e9a63d6597b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4042288
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84392}
The test fails with multiple isolates because with the NativeModule
cache the second isolate can create an unexpected state for the first
isolate.
R=clemensb@chromium.org
Bug: v8:13503
Change-Id: Ic83d374c61703fdeb570b65b3c444ab0ae3cef8c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4040929
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84391}
When creating the generator object, Ignition includes the
header object size.
The uses of debug-pos-offset, such as isolate.cc:AppendAsyncFrame,
expect that.
Bug: v8:7700
Change-Id: Idbe31802ac3ad6cbac7c5f7f7bd731132c358b61
Fixed: chromium:1387883
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4042664
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84390}
This adds an implementation for the {kRef} case in
{MakeDefaultArguments}.
R=jkummerow@chromium.org
Bug: v8:13496, chromium:1391168
Change-Id: I4c0e85b46c50f766816f799e80cf1afbe6fa258a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4042663
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84386}
This is a reland of commit 00db0fff8c
Fix missing update_feedback_count setting, and add update feedback to
lazy deopt.
Original change's description:
> [maglev] Support call speculation disabling
>
> Add a FeedbackSource to DeoptInfo which allows the caller to specify
> that this deopt is part of call speculation, and that call speculation
> should be disabled for this call when the speculation fails. This is a
> mechanism to prevent deopt loops, also used by TurboFan.
>
> Bug: v8:7700
> Change-Id: I59b5db3956e074ec808b218c00ae85796455742e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030438
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Auto-Submit: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84332}
Bug: v8:7700
Change-Id: I3dee2108495776d37417982ad593f6daa460919e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4042661
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84385}
Move the {ValidateAllFunctions} method out of the
{ModuleDecoderTemplate} and provide it as a separate function. This will
allow us to reuse it for validation during compilation.
R=ahaas@chromium.org
Bug: v8:13447
Change-Id: Ie72b5e0a531eecc298e515646320ad83a3f6b9ae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4035979
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84384}
BranchElimination is currently broken in turboshaft, because when
duplicating a block that contains operations with multiple outputs
(OverflowCheckedBinop, Call, Change), if a Projection for this
Operation is in a later block, then the projection input won't be
alive, because we can't merge those operations with multiple outputs.
Fixing this will require re-thinking a bit how Call, CatchException
and CheckLazyDeopt work. For now, disabling BranchElimination is a
reasonable temporary solution.
Fixed: v8:13514, chromium:1391696, chromium:1386287
Change-Id: I71e8b6cc20701749e0c26638ac8c354393c8d426
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4042543
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84383}
1) Pass {WasmFeatures} by value, it's a single word.
2) Pass a {base::Vector} instead of {start} and {end} pair.
3) Remove a redundant constructor (just pass an empty wire bytes vector
instead).
R=thibaudm@chromium.org
Change-Id: I337c3c86960505ae23c88cb6adc5646a61111f76
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030434
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84382}
In a follow up we want to introduce a mode for just collecting or
processing. In the infrastructure however, we still call the wrapper
script with old arguments on release branches. This ensures that
we stay backwards compatible.
Bug: v8:12660
Change-Id: I08da713719d10cb58c2cd5ea7f711570bd57572c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4035976
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84380}
This ports:
https://crrev.com/c/4026927
This fixes the msan builders in CI.
Bug: chromium:1260217
Change-Id: Iabc978d65b534679be27054f005158c154c3de23
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4042241
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Alexander Schulze <alexschulze@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84377}
This reverts commit ef88cefa23.
Reason for revert: Fuchsia now supports changing permissions through
nested VMARs, so this call should now succeed.
Original change's description:
> Skip protecting data memory on fuchsia
>
> The {vmar.protect} API used for {SetPermissions} fails when called on
> data memory with error -10 (ZX_ERR_INVALID_ARGS).
> Skip fuchsia until we figure out the right API to use there.
>
> R=cbruni@chromium.org
>
> Bug: v8:13194
> Change-Id: I20754f7212a892b8440f29658bf3db40f7745fe9
> No-Try: true
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3833820
> Auto-Submit: Clemens Backes <clemensb@chromium.org>
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82494}
Bug: v8:13194
Change-Id: Ica7d94890eed111042d2edf10a2b0576c87744ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031194
Commit-Queue: Wez <wez@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84375}
Rolling v8/build: 4f35453..bd89361
Rolling v8/buildtools: c3244c4..09154d6
Rolling v8/buildtools/reclient: re_client_version:0.85.0.91db7be-gomaip..re_client_version:0.86.0.25feac0-gomaip
Rolling v8/buildtools/third_party/libc++/trunk: b343ccb..cd0a050
Rolling v8/buildtools/third_party/libunwind/trunk: 86213b7..5870472
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/dc9aaef..b898eb3
Rolling v8/third_party/depot_tools: 7aaca94..d06e475
Rolling v8/third_party/fuchsia-sdk/sdk: version:10.20221111.1.1..version:10.20221117.0.1
Rolling v8/third_party/instrumented_libraries: 7bb87a3..ecd3bd8
Rolling v8/third_party/zlib: 8bbd6c3..d866d41
Rolling v8/tools/clang: d3df9cc..ed5ed0e
Change-Id: I169e5ba775c5bcd84679e5c74b4583476ecfa964
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4039189
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#84373}
This adds a regression test for https://crrev.com/c/4025548.
Using {addBodyWithEnd(body)} makes the test a lot faster, and we just
skip it on known-to-be-slow variants.
In a default release build, the test takes ~0.3 seconds. In an x64 debug
build, it takes 17 seconds.
Bug: v8:13436
Change-Id: I63e2927774601b24d177b03cf075f9a8d287e934
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031206
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84371}
Port b57bb851e0
Original Commit Message:
If entered, the debugger hangs on readline in fuzz test cases, which
makes differential fuzzing test cases harder to handle and repro.
R=machenbach@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N
Change-Id: Ic0ebfe18ea7a50b6655087983ad02dbec60456fc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4037846
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Cr-Commit-Position: refs/heads/main@{#84369}
Top-level inline-asm has no knowledge of its current section and
continues under whatever section that was defined before it.
`src/heap/base/stack.h` in this case is defining some global
constant values and as a result the previous section in this case
is `.rodata`, hence we may be placing instructions in a (potentially
not properly aligned) read only data section (which happens to become executable).
This CL forces the assembler to place these in the .text section and
gives them a correct alignment.
Change-Id: Ie9288b6c024f6ff0f399620169e5f777986e96c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4035887
Reviewed-by: Nikolaos Papaspyrou <nikolaos@chromium.org>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#84367}
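The pitfall above, as an added example that is not V8's code: a global constant leaves the assembler in `.rodata`, so a following top-level asm block must select `.text` itself with `.pushsection`/`.popsection` and set its own alignment. The symbol `asm_add_one` and the constant `kMagic` are constructed for this example; the fallback C definition covers targets other than ELF x86-64/aarch64.

```c
#include <stdint.h>

/* Constructed: a global constant like the ones in stack.h. After emitting
 * it, the assembler's current section is .rodata, and a bare top-level
 * asm block would append its instructions right there. */
const uint64_t kMagic = 0x1234;

#if defined(__ELF__) && defined(__x86_64__)
__asm__(
    ".pushsection .text,\"ax\",@progbits\n"  /* explicitly enter code section */
    ".p2align 4\n"                           /* 16-byte code alignment */
    ".globl asm_add_one\n"
    ".type asm_add_one,@function\n"
    "asm_add_one:\n"
    "  leaq 1(%rdi), %rax\n"                 /* return x + 1 */
    "  ret\n"
    ".size asm_add_one, .-asm_add_one\n"
    ".popsection\n");                        /* restore the previous section */
#elif defined(__ELF__) && defined(__aarch64__)
__asm__(
    ".pushsection .text,\"ax\",%progbits\n"  /* explicitly enter code section */
    ".p2align 4\n"                           /* 16-byte code alignment */
    ".globl asm_add_one\n"
    ".type asm_add_one,%function\n"
    "asm_add_one:\n"
    "  add x0, x0, #1\n"                     /* return x + 1 */
    "  ret\n"
    ".size asm_add_one, .-asm_add_one\n"
    ".popsection\n");                        /* restore the previous section */
#else
/* Fallback for other targets so the example still builds. */
uint64_t asm_add_one(uint64_t x) { return x + 1; }
#endif

uint64_t asm_add_one(uint64_t x);

/* A function placed in a non-executable section would fault when called;
 * calling it successfully shows it ended up in executable code. */
uint64_t call_asm_add_one(uint64_t x) { return asm_add_one(x); }

/* .p2align 4 guarantees 16-byte alignment of the entry point on the asm
 * targets; on the fallback the check is vacuous. */
int asm_entry_is_16_byte_aligned(void) {
#if defined(__ELF__) && (defined(__x86_64__) || defined(__aarch64__))
  return ((uintptr_t)asm_add_one & 15u) == 0;
#else
  return 1;
#endif
}

int main(void) {
  return call_asm_add_one(41) == 42 && asm_entry_is_16_byte_aligned() ? 0 : 1;
}
```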
Tail calls generate parallel moves that don't preserve the stack
layout, which is not always correctly handled by the current
gap resolver algorithm. Introduce a more robust algorithm that
handles any parallel move.
Design doc:
https://docs.google.com/document/d/1WbX5B4ej9MzsJ28JS4J5cF2eiJhKyX39vAUB7GSA5YE/edit?usp=sharing
Also remove the move-splitting logic. The problem that it addresses
(swapping aliasing FP registers of different widths on arm) is already
handled by the new algorithm.
Bug: chromium:1269989
Change-Id: I575d5b56e0d949e3226388e06052292680b66044
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030580
Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84366}
The CL implements an old-V8-to-young-Oilpan remembered set together with
a generational barrier.
Bug: v8:13475
Change-Id: I5f09f7c6db397f2a49cb0c47fd758a1604af4e83
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030433
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84365}
The End block is not necessarily the last one in the RPO. Iterate
until the end but skip the end block.
Bug: chromium:1381131
Change-Id: I5e1cd19c1b3bea4cbe565319631a7686ed2352fc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4017313
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84364}
The sandbox-future configuration (used by these bots) is now equivalent
to the default configuration, so they are no longer needed.
Bug: v8:10391
Change-Id: I3c4995f68a270b9f94161bbb9b4f90fd5ccade93
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4034168
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84362}
This adds tests of the GCSuspectsCollector and its relevant usages
in GCMole. The relevant logic has now 100% code coverage, which
prepares refactoring of the code and serialization of only partially
collected suspect data in a future CL.
No-Try: true
Bug: v8:12660
Change-Id: I0b0cc6f8a5e65f14084e80cda50400232e0d2c45
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031052
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84361}
Now that the external pointer sandboxing rollout has completed, the
machinery to support unsandboxed external pointers is no longer needed.
Bug: v8:10391
Change-Id: I5cec4b9bfca41a7db670b93d984f3cfc5a2adbfa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4034166
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84360}