This is a reland of 1dd7f3a953
Original change's description:
> [heap] Add concurrent marking write barrier
>
> A LocalHeap creates and owns an instance of MarkingBarrier. A pointer to
> the marking barrier is set to a thread_local variable for a quick access.
>
> WriteBarrier::MarkingSlow fetches the thread_local variable and invokes
> the write barrier if it is set. Otherwise, it invokes the main thread
> heap()->marking_barrier().
>
> Each marking barrier has its own local marking worklist that is
> published during scavenge (for updating pointers) and at finalization
> of incremental marking.
>
> Typed-slot recording does not work yet because it is not thread-safe.
> It will be fixed in a subsequent CL.
>
> Bug: v8:10315
> Change-Id: I221a906436cd91e7405a253ce0eb06cf68046f2c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2354809
> Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#69448}
Bug: v8:10315
Change-Id: I155bb0aadd53a5333672fb085b33d8da86f3f336
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2364509
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69517}
the V8 branch cut
TBR=hablich@chromium.org
Change-Id: Iddc7173833f266fe43f0d5e2e618eeeb534d6f21
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2366783
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69516}
Some tests are failing now and have been marked as failing to
investigate them.
R=jkummerow@chromium.org
Change-Id: I1242ccf3bdc8f4d2ff55bc016c43fa51c556376e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2366696
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69513}
Skip code spaces that do not have a far jump table in GetRuntimeStubId.
R=clemensb@chromium.org
Bug: chromium:1116141
Change-Id: Id0fcec691a2729f67750d2da15eea9f521075743
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2366763
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69512}
ppc and s390 do not currently support this feature.
Change-Id: I5ea840e20f9aa77d63d19652bd826c812caae0b4
Bug: v8:10201
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2366762
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69511}
Ensure that events are triggered when a module is decoded, compiled,
instantiated and tiered-up.
R=clemensb@chromium.org
Bug: chromium:1092417
Change-Id: I9dc87957fc03023c5ab1c4f49e865957c8324e1a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2351676
Commit-Queue: Emanuel Ziegler <ecmziegler@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69508}
This CL adds a bytes based deadline to draining of worklist.
The time based deadline is also kept because:
1) Unified heap can't transition to bytes-based deadlines yet.
2) Unified heap with concurrent marking needs to flush v8 references
which don't count as marked_bytes and can cause very long incremental
pauses.
Bug: chromium:1056170
Change-Id: I5ab57754e7ff0b5821f3acb76e1e6f59fc9d68b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2299374
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69506}
Port 929dd3748e
Original Commit Message:
When CFI is enabled this adds a check against this list whenever a new
return address must be set in a deoptimized frame, as a mitigation for
ROP attacks.
The list is known at linking time so that its content and the pointer
to it can be stored in a read-only memory section.
The check is performed in the signing function, which is no longer
generic, as well as when setting the current pc of the frame.
Since the pc is now only signed when setting the caller's pc, there
is no need for ReplaceContext anymore.
R=salome.thirot@arm.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: I5005096811c289707e2d080477c60ae2ed4bf38b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2365372
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#69502}
To properly test tier-up in the V8 test suite, change the test variant
previously called --turbo-nci-as-highest-tier to
--turbo-nci-as-midtier. As a midtier (between ignition and turbofan),
all major parts of the NCI pipeline (codegen, caching inside the same
native context, tier-up) are exercised by test suite.
Bug: v8:8888
Change-Id: Ic8ee2f3e3d72768c3869f5e0b25800dd0a5f25b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2361462
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69501}
On x64, trap handlers are enabled as part of the default configuration.
However, each embedder has to enable trap handlers explicitly, and in
the wasm fuzzers, trap handlers were not enabled. This CL enables trap
handlers now in all wasm fuzzers.
Drive-by change: enable all staged wasm features in the wasm-async
fuzzer.
R=clemensb@chromium.org
Change-Id: Ib7c2addb092551b5554a2b74830e5b67db077909
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362957
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69500}
Heap::UnregisterStrongRoots needs to iterate the list of all strong
roots to delete the given slot. This CL changes
Heap::RegisterStrongRoots to return the pointer to the linked list node.
Heap::UnregisterStrongRoots gets the node as argument and can directly
delete it in constant time.
The CL also introduces Heap::UpdateStrongRoots which can update a
node without locking the mutex.
Bug: v8:10315
Change-Id: I2c021517c010a659821f8c10de758bb49b28449f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2364511
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69499}
This CL adds a table to the right side of the each
timeline-tracks to display statistics about the log
events. Double clicking on an event type notifies other
panels about the selected log events with the selected type.
Bug: v8:10644
Change-Id: Iae523d46da4f0b6a007b02a2beac23d9c48aca02
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2353457
Commit-Queue: Zeynep Cankara <zcankara@google.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69498}
This is a reland of ad68de6f5b
Reason for reland: Reverted since another CL got reverted. This cleanup
is independent though and can be relanded.
Original changes description:
> [compiler] Remove unused holder parameter from IF_ACCESS_FROM_HEAP(_C)
>
> Bug: v8:7790
> Change-Id: I44849f45d1049b8a3c794dd0558b734c1e7061fd
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362919
> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#69482}
Bug: v8:7790
Change-Id: Ib650ef1701168be7a910ff51e30a90e239d5f5c8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2366774
Auto-Submit: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69496}
With concurrent allocation background threads invoke Log::IsEnabled()
as well. Fix data race here by making is_enabled_ atomic, such that
IsEnabled() remains cheap.
After locking the mutex in MessageBuilder, IsEnabled() needs to be
checked again in case an old value was read. Otherwise we might log
even though logging was already disabled on another thread.
The other direction where a log message isn't logged is deemed
acceptable.
Bug: v8:10315
Change-Id: I32c9dd2e9879fbdb4ca94e080a16ddd875de7c30
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362948
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69495}
Load extends always load 8 bytes, so the access size does not depend on
MachineType of the load. The MachineType is used for classifying the
lane shape of the 8-byte load.
Also add cctest to load splats and load extends to test OOB. (Note that
load splats access size depends on MachineType).
Add regression test from clusterfuzz, minimized by ahaas@. Remove the
`--no-wasm-trap-handler` flag since we have a no_wasm_traps variant that
should test this flag.
Bug: chromium:1116019
Change-Id: I27ba051d0536ca0f6fd75dd641ca9b78132dafed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2363291
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69489}
CanonicalHandleScope is now also used on background threads. Therefore
Heap::RegisterStrongRoots and Heap::UnregisterStrongRoots are not
exclusively used on the main thread anymore. Simply protect this list
with a mutex.
Bug: v8:10315, v8:10814
Change-Id: Id08269c9f7fecae8c570ab711c522d111b06b005
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2364503
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69488}
This reverts commit 7b9a0c20f3.
Reason for revert: Different tests start flaking, e.g. https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/29532
Original change's description:
> [compiler] Replace ScopeInfoData with direct reads
>
> As part of this, introduce a new ObjectData kind for objects that we
> want to read directly from the background thread rather than serialize.
> ScopeInfoRef is the first user of that.
>
> For details, see:
> https://docs.google.com/document/d/1U6x6Q2bpylfxS55nxSe17yyBW0bQG-ycoBhVA82VmS0/edit?usp=sharing
>
> Bug: v8:7790
> Change-Id: Ia3cda4f67d3922367afa4a5da2aeaae7160cf1f2
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2346405
> Auto-Submit: Georg Neis <neis@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#69473}
TBR=neis@chromium.org,solanes@chromium.org,nicohartmann@chromium.org
Change-Id: Ide5a4a583547b63cc9accfb93fcadb97b8100e8a
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7790
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2364504
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69487}
The number of constants stored in locals and the merge region can be
arbitrarily big, thus generating arbitrarily long code for a single
`br_if`. This happened in particular for unoptimized code.
This CL solves this by materializing all constants (in registers or on
the stack) before doing a conditional branch. This ensures that in a
series of `br_if`s, each constant is only spilled once instead of on
each single branch.
For the linked bug, this reduces the total generated code size by ~36%.
R=thibaudm@chromium.org
Bug: chromium:1117033
Change-Id: I84ea2ea9ba4d3de9b042ceb223af15c3d73dc5b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2364498
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69485}
This is part two of the implementation (part 1: heuristics in NCI code
to call the runtime profiler, part 2: heuristics in the runtime
profiler to mark the function for optimization, part 3: the final
part, recognizing and acting upon the marked function).
The runtime profiler heuristics added here remain very similar to what
we have for ignition, except that we now inspect optimized frames with
NCI code, and that we (currently) do not OSR from NCI to TF.
Bug: v8:8888
Change-Id: Ie88b0a0dcee16334cea585c771a4b505035f2291
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2358748
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69484}
Drive-by: Remove a parameter that had to be SKIP_WRITE_BARRIER.
Bug: v8:9708, v8:6949
Change-Id: Ib5d0521f255a92749440a5001dab8b59eb078bf9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362950
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69481}
This CL adds a basic implementation of incremental marking for standalone GC.
Followup CLs include:
* Use bytes instead of time as deadline
* Port incremental marking schedule from blink
* Mark on allocation
* Guarantees for progres/termination for standalone GC
* etc...
Calling StartIncrementalGarbageCollection triggers StartMarking which
schedules incremental marking as non-nestable tasks.
For unified heap, marking will continue running until it runs out of
work but it won't finalize independently.
For standalone, when incremental runs out of work it will schedule a new
task in which it will finalize marking and trigger the rest of the GC.
Users of standalone can also force finalization before incremental
marking as finished using FinalizeIncrementalGarbageCollectionIfRunning.
Calling CollectGarbage would also finalize an on-going incremental GC
if one exists. Otherwise it will trigger an atomic GC.
See the following doc for explanation of the various methods:
https://docs.google.com/document/d/1ZhJY2fOoD8sH53ZxMh2927Zl8sXqA7azJgcQTWx-YKs/edit?usp=sharing
Bug: chromium:1056170
Change-Id: I75ead414eb9da9f8b7f71c4638b9830fce7708ca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2298009
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69480}
When CFI is enabled this adds a check against this list whenever a new
return address must be set in a deoptimized frame, as a mitigation for
ROP attacks.
The list is known at linking time so that its content and the pointer
to it can be stored in a read-only memory section.
The check is performed in the signing function, which is no longer
generic, as well as when setting the current pc of the frame.
Since the pc is now only signed when setting the caller's pc, there
is no need for ReplaceContext anymore.
Bug: v8:10026
Change-Id: I5e85a62b94722051716fdeba476db383c702a318
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2287490
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Rodolph Perfetta <rodolph.perfetta@arm.com>
Cr-Commit-Position: refs/heads/master@{#69478}
When running with --verify-heap, ObjectVerify() is invoked for every
live object anyway, so there is no need for individual FooVerify()
implementations to recursively request verification of their
sub-objects. If they do, (a) it is duplicated work of O(n²) complexity,
and (b) it can cause fuzzer-generated tests to crash because they run
out of stack space when they trigger heap verification with very little
stack space left.
Fixed: chromium:1106426
Change-Id: Ib9bd444806b148fffc23d635f931dfe73fe7e4ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2358746
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69477}
As part of this, introduce a new ObjectData kind for objects that we
want to read directly from the background thread rather than serialize.
ScopeInfoRef is the first user of that.
For details, see:
https://docs.google.com/document/d/1U6x6Q2bpylfxS55nxSe17yyBW0bQG-ycoBhVA82VmS0/edit?usp=sharing
Bug: v8:7790
Change-Id: Ia3cda4f67d3922367afa4a5da2aeaae7160cf1f2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2346405
Auto-Submit: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69473}
We can create a new macro to skip the xxxData classes and read directly
from the heap.
Bug: v8:7790
Change-Id: I8de9ba0aee78c74d4c3113eb6bc4870a314de552
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362687
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69471}
Add an event for recording metrics related to compiling Wasm modules.
This provides different events for both baseline compilation and
tier-up.
R=clemensb@chromium.org
Bug: chromium:1092417
Change-Id: Ib5ea7f5ba9e91e2c34473e666eea1c6dc6a97037
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2351674
Commit-Queue: Emanuel Ziegler <ecmziegler@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69470}
... to avoid the repeated pattern of calculating it.
Bug: v8:8888
Change-Id: I4af5264aae6cfb8b6232b5aaf9ceb2cb568c29d0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362692
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69469}
