Commit Graph

29592 Commits

Author SHA1 Message Date
Leszek Swirski
0df9606dca [maglev] Add lazy deopts
Nodes can now hold a LazyDeoptSafepoint which stores the frame state in
case they trigger a lazy deopt. OpProperties have a new CanLazyDeopt
bit, and codegen emits a safepoint table entry + lazy deopt for all
nodes with this bit. Also, we now check the deoptimized code bit on
entry into the maglev compiled function.

An example use of these lazy deopts is added as a PropertyCell fast path
for LdaGlobal, which adds a code dependency on the property cell.

Bug: v8:7700
Change-Id: I663db38dfa7325d38fc6d5f079d263a958074e36
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3557251
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79688}
2022-03-31 11:48:40 +00:00
Jakob Gruber
d368dcf4ae Refactor OSROptimizedCodeCache
Tweak a few names, remove a few GetIsolate calls, other minor
usability refactors.

It may be worth taking a closer look at the impl in the future,
currently the design choices don't seem ideal (see the added TODO
on top of the class).

Bug: v8:12161
Change-Id: Ib34e372aa58a30c68c9c5cdd0d1da0ec3e86717c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3560447
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79687}
2022-03-31 10:11:00 +00:00
Jakob Gruber
dc9b48e406 Address comments from [osr] Basic support for concurrent OSR
- Unhandlify OSROptimizedCodeCache::GetOptimizedCode.
- Unstatic-fy FeedbackVector::SetOptimizedCode.
- Remove frame-walking logic during the OSR tierup decision.

Bug: v8:12161
Change-Id: I4fa8c972cb50d369b17898ba57e1909c86e933df
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3560478
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79686}
2022-03-31 10:01:50 +00:00
Jakob Gruber
3ce690eef2 [osr] Basic support for concurrent OSR
This CL adds basic support behind --concurrent-osr,
disabled by default.

When enabled:
1) the first OSR request starts a concurrent OSR compile job.
2) on completion, the code object is inserted into the OSR cache.
3) the next OSR request picks up the cached code (assuming the request
   came from the same JumpLoop bytecode).

We add a new osr optimization marker on the feedback vector to
track whether an OSR compile is currently in progress.

One fundamental issue remains: step 3) above is not guaranteed to
hit the same JumpLoop, and a mismatch means the OSR'd code cannot
be installed. This will be addressed in a followup by targeting
specific bytecode offsets for the install request.

This change is based on fanchen.kong@intel.com's earlier
change crrev.com/c/3369361, thank you!

Bug: v8:12161
Change-Id: Ib162906dd4b6ba056f62870aea2990f1369df235
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3548820
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79685}
2022-03-31 09:58:40 +00:00
Frank Tang
803d1d3961 [Temporal] Add Calendar.prototype.monthsInYear
Spec Text:
https://tc39.es/proposal-temporal/#sec-temporal.calendar.prototype.monthsinyear

Note- this is only the non-intl version. intl version in
https://tc39.es/proposal-temporal/#sup-temporal.calendar.prototype.monthsinyear
will be implemented in later cl.


Bug: v8:11544
Change-Id: Ibf7a9f1e64ce638f745df2649ee3a69dc9e08139
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3531559
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79682}
2022-03-31 00:18:23 +00:00
Frank Tang
eb9a19a0a1 [Temporal] Add Calendar.prototype.dayOfYear
Also add AO: ToISODayOfYear
Spec Text:
https://tc39.es/proposal-temporal/#sec-temporal.calendar.prototype.dayofyear
https://tc39.es/proposal-temporal/#sec-temporal-toisodayofyear

Note- this is only the non-intl version. intl version in
https://tc39.es/proposal-temporal/#sup-temporal.calendar.prototype.dayofyear
will be implemented in later cl.



Bug: v8:11544
Change-Id: I5e5f9ea93cc0577df8d9b228efe5c3a97d118b88
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3531566
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79681}
2022-03-30 22:16:50 +00:00
Adam Klein
ac4c2afc7f Skip mjsunit/shared-memory/shared-struct-atomics-workers under stress_snapshot
Bug: v8:12749
Change-Id: I33d0313625c38f9634ffba5ed358c1782811ddde
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3561184
Commit-Queue: Adam Klein <adamk@chromium.org>
Auto-Submit: Adam Klein <adamk@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#79680}
2022-03-30 17:35:20 +00:00
Marja Hölttä
185d6116ae [super IC] Fix API getter related bugs and re-enable super IC
Bug: chromium:1308360,chromium:1309467,v8:9237
Change-Id: I2923e3ee60b4b30c4e2b57b9c8569a030fc7bfbd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3550588
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79676}
2022-03-30 13:09:20 +00:00
Dominik Inführ
3eb8671edb [heap] Fix global safepoint when waiting in event loop
When starting a global safepoint, it could happen that one isolate is
waiting/blocking in the event loop, which prevents this isolate from
reaching a safepoint. As a consequence we therefore deadlock when
performing the safepoint. We can solve this by simply posting a task
for each isolate that when run performs a safepoint check.

This CL also renames IncludeMainThreadUnlessInitiator to
ShouldIncludeMainThread.

Bug: v8:11708, v8:12645
Change-Id: Ide956b3c39b350c2bb0279a7dd94ff79cb9d771b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3555771
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79675}
2022-03-30 12:59:31 +00:00
Jakob Gruber
57d985a584 Refactor OptimizationMarker and ConcurrencyMode enums
.. with readability and simplicity in mind.

- Rename OptimizationMarker to the (shorter) TieringState. 'Tiering'
  also matches 'TieringManager' terminology.
- Rename the values:
  kNone -> kNone
  kInOptimizationQueue -> kInProgress
  kCompileFoo_NotConcurrent -> kRequestFoo_Synchronous
  kCompileFoo_Concurrent -> kRequestFoo_Concurrent
- Likewise rename ConcurrencyMode::kNotConcurrent to kSynchronous.
- Add predicates to test enum values.
- Consistent lower case names for accessors on JSFunction and
  FeedbackVector.
- Instead of having to call HasOptimizationMarker() before using any
  other accessor, simply have optimization_marker() return kNone if
  no feedback vector exists.
- Drive-by: Enable the Unreachable() in MaybeOptimizeCode()
  unconditionally - this should never happen, there's no reason not
  to protect against this in release builds as well.

Bug: v8:12161
Change-Id: I67c03e2b7bd0a6b86d0c64f504ad8cb47e9e26ae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3555774
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79669}
2022-03-30 08:37:42 +00:00
jameslahm
55e526c4c2 [compiler] Optimize kWord64And x64 instruction selector
- For y = x & 0xFF, we could use movzxbq y, x.
- For y = x & 0xFFFF, we could use movzxwq y, x.
- For y = x & 0xFFFFFFFF, we could use movl y, x.
- For y = x & immediate and immediate fits into uint32,
we could use andl x, immediate.


Bug: v8:12337
Change-Id: I31f04fa9058c6acabb210f0fce61ac713ed1a382
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3518913
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79668}
2022-03-30 08:12:30 +00:00
Nico Hartmann
98db200c3d Revert "[wasm-gc] Implement isorecursive canonicalization"
This reverts commit e76ad5c6d9.

Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20-%20shared/19438/overview

Original change's description:
> [wasm-gc] Implement isorecursive canonicalization
>
> This implements isorecursive canonicalization for static types.
>
> Not implemented in this CL:
> - Runtime type canonicalization.
> - Cross-module signature canonicalization for purposes of call_indirect.
>
> Bug: v8:7748
> Change-Id: I6214f947444eea8d7b15a29b35c94c3d07ddb525
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3541925
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79665}

Bug: v8:7748
Change-Id: I9e26696a7113b1bacafa800c8d6ef24df38c41fd
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3557233
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79667}
2022-03-30 07:47:00 +00:00
Manos Koukoutos
e76ad5c6d9 [wasm-gc] Implement isorecursive canonicalization
This implements isorecursive canonicalization for static types.

Not implemented in this CL:
- Runtime type canonicalization.
- Cross-module signature canonicalization for purposes of call_indirect.

Bug: v8:7748
Change-Id: I6214f947444eea8d7b15a29b35c94c3d07ddb525
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3541925
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79665}
2022-03-30 06:23:30 +00:00
Shu-yu Guo
21cfbf047e [rab/gsab] Support RAB/GSABs in context snapshot
Bug: v8:11111, v8:12731, v8:12742
Change-Id: I2679c0e64faca25a2c16e15fd3a5c727eb941c92
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3551894
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79662}
2022-03-29 22:37:49 +00:00
Adam Klein
7cc6e6a4e0 Skip failing mjsunit/regress/regress-crbug-1307310 in stress_snapshot
Bug: v8:12742
Change-Id: If96908f8585a5789c09d98bb8ca06f9a9fb6fc7e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3558310
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79659}
2022-03-29 17:21:30 +00:00
Toon Verwaest
ecc3c6367f [maglev] CompactInterpreterFrameState fixes
Bug: v8:7700
Change-Id: I1efa298a25bf15c104a57db3ec7cc4d7e36861eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3553102
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79655}
2022-03-29 13:59:48 +00:00
Leszek Swirski
0a110021d2 [deoptimizer] Remove non-fixed-size deopts
All architectures have kSupportsFixedDeoptExitSizes = true, so we can
remove kSupportsFixedDeoptExitSizes entirely and always have fixed-size
deopts.

Change-Id: Ib696f6d2431f60677cc7fa2193ee27b9b0f80bc8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3550268
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79654}
2022-03-29 12:54:58 +00:00
Leszek Swirski
4fd61de7c1 [maglev] Fix over application return stack cleanup
Under over-application (passing more arguments into a function than its
formal parameter count), we need to use the passed argc to clean up the
stack, rather than the formal parameter count. Fix Maglev's Return node
code to do the appropriate check and dynamic sized return.

Bug: v8:7700
Change-Id: I36037d29e14323b336974d4b75b75f5702ce8a28
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3555767
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79649}
2022-03-29 10:39:28 +00:00
jameslahm
9641ce6438 [compiler] Optimize String#includes
This CL adds the reduction for String#includes
and merges the reduction of String#indexOf and
String#includes in JSCallReducer.

This CL does two things:
- Add StringIndexOfIncludesVariant to distinguish
String#indexOf and String#includes.
- Add ReduceStringPrototypeIndexOfIncludes to reduce
for String#indexOf and String#includes.

Bug: v8:12732
Change-Id: Ied75485cf1511956e97ef986fc34a711aae3d1ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3552279
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79648}
2022-03-29 10:24:08 +00:00
Marja Hölttä
8c94b7ec7b [rab/gsab] Fix the rab gsab TA initial map
Bug: v8:11111,chromium:1307310
Change-Id: I41175d759e71d2016880eae1cd42e420ee9cc229
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540262
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79646}
2022-03-29 07:31:41 +00:00
Dominik Inführ
a847182056 [heap] Initialize pages with placement-new
Define ctors for BasicMemoryChunk, ReadOnlyPage, MemoryChunk, Page and
LargePage. We can use those with placement-new to initialize pages. We
now initialize chunks at once either for ReadOnlyPage, Page or
LargePage. Previously initialization happened in multiple locations
starting with BasicMemoryChunk::Initialize.

Adding ctors to these classes should improve debugging, since debug
info for classes without ctors was removed with the compiler flag
`-fuse-ctor-homing`.

Change-Id: Ib842bb9b1e93a6576cad8299b7c5dbfe299baa33
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545092
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79638}
2022-03-28 09:18:55 +00:00
jameslahm
bd7f4823c1 [error] Improve GetExport error message
According to https://tc39.es/ecma262/#sec-InnerModuleLinking
step 10 and https://tc39.es/ecma262/#sec-source-text-module-record-initialize-environment
step 8-25, variables must be declared in Link. And according
to https://tc39.es/ecma262/#sec-module-namespace-exotic-objects-get-p-receiver,
accessing the exported variable with the hole value should
throw uninitialized error.

Bug: v8:12729
Change-Id: I6fd2fcc580f7bafca986448b37adb8ba8f077929
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3552281
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79637}
2022-03-28 09:03:45 +00:00
Frank Tang
8b663818fc [Temporal] Add Temporal.Calendar.prototype.year
Spec Text:
https://tc39.es/proposal-temporal/#sec-temporal.calendar.prototype.year

Note- this is only the non-intl version. intl version in
https://tc39.es/proposal-temporal/#sup-temporal.calendar.prototype.year
will be implemented in later cl.

Bug: v8:11544
Change-Id: Ifadcdb4efe00a9954d5ac4c1154420c4903f28d5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3531553
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79635}
2022-03-26 23:18:06 +00:00
Frank Tang
cdafded496 [Temporal] Add Calendar.prototype.daysInYear
Spec Text:
https://tc39.es/proposal-temporal/#sec-temporal.calendar.prototype.daysinyear

Note- this is only the non-intl version. intl version in
https://tc39.es/proposal-temporal/#sup-temporal.calendar.prototype.daysinyear
will be implemented in later cl.

Bug: v8:11544
Change-Id: I627fcf82641659c4697395057ee664a37f237228
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3531557
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79634}
2022-03-26 22:16:54 +00:00
Frank Tang
c232d789c7 [Temporal] Add Duration.prototype.(abs|negated)
Also add AO: CreateNegatedTemporalDuration

Spec Text:
https://tc39.es/proposal-temporal/#sec-temporal.duration.prototype.abs
https://tc39.es/proposal-temporal/#sec-temporal.duration.prototype.negated
https://tc39.es/proposal-temporal/#sec-temporal-createnegatedtemporalduration

Bug: v8:11544
Change-Id: Ie522a7446f40c946c30f2e90c5f6c7fbc96c41eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3380101
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79633}
2022-03-26 22:15:14 +00:00
jameslahm
89ed081c17 [runtime] Add async-stack-trace support for Promise.allSettled
... with zero cost.

Bug: v8:9357
Change-Id: I66985c3fd3e7b4efa354eb564c641562cf55ab49
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3518909
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79632}
2022-03-26 12:04:24 +00:00
Tobias Tebbi
e71ce3093d Revert "[heap] Only start incremental marking when V8 is not in GC VM state."
This reverts commit f124b28d46.

Reason for revert: https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket/8818719400214419665/+/u/Check_-_stress_concurrent_allocation__flakes_/flush-baseline-code

Original change's description:
> [heap] Only start incremental marking when V8 is not in GC VM state.
>
> Bug: v8:12503
> Change-Id: Icda291d9770c46c7fee3c70dd4df97f320b1956a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3398113
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Hannes Payer <hpayer@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79623}

Bug: v8:12503
Change-Id: I067b308cfc4511d89144d2bb65a1dba24db62179
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3553104
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Owners-Override: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79629}
2022-03-25 16:07:53 +00:00
legendecas
0a0ad98a5a [ShadowRealm] WrappedFunction properties
Implement WrappedFunction properties name/length.

Bug: v8:11989
Change-Id: I050af5814537552ef6c2077802ffc726f2e08fa3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3507201
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Chengzhong Wu <legendecas@gmail.com>
Cr-Commit-Position: refs/heads/main@{#79628}
2022-03-25 16:00:33 +00:00
Hannes Payer
f124b28d46 [heap] Only start incremental marking when V8 is not in GC VM state.
Bug: v8:12503
Change-Id: Icda291d9770c46c7fee3c70dd4df97f320b1956a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3398113
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79623}
2022-03-25 11:53:23 +00:00
Marja Hölttä
c6b68cbfbd [super IC] Turn off super ICs
They make assumptions which don't hold for API handlers.

Bug: v8:9237,chromium:1308360
Change-Id: I9f122c4e75a24d83ef3653cbf7a223ed522e4d13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3548899
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79614}
2022-03-24 17:59:52 +00:00
Igor Sheludko
0981e91a4f [runtime] Fix handling of interceptors
Bug: chromium:1309225
Change-Id: Ifd62639a2aa18b633e7cf36632677ee16c977afd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3548458
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79613}
2022-03-24 17:50:12 +00:00
Shu-yu Guo
bcf43eb780 [string] Add additional ThinString test
Add a test for the case where SlicedStrings of ThinStrings are looked up
in the string table, testing the path that the original string's length
differs from the actual string's length.

Bug: chromium:1309767
Change-Id: I909c64397bf28ec33c3324d94882fbfe81ac4109
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3549837
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79610}
2022-03-24 16:46:12 +00:00
Nico Hartmann
fa374fc934 [turbofan] Fix a rare false positive in SLVerifier
Bug: chromium:1309769, v8:12619
Change-Id: I880c7326f2ec91f1aa985d6b7ed67f8f5afc074b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3548897
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79608}
2022-03-24 15:04:23 +00:00
Marja Hölttä
0129218b08 [rab/gsab] Disable a test in stress-snapshot mode
It's hitting unimplemented code paths.

Bug: v8:11111, v8:12731
Change-Id: Icbffced6cbe207426363daa5f3b9ff5677b58b6c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3548816
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79605}
2022-03-24 13:35:42 +00:00
Joyee Cheung
4ee68d81b9 [ic] fix handling of existing properties in Define{Keyed|Named}OwnIC
- When the property being defined with DefineKeyedOwnIC or
  DefineNamedOwnIC already exists, we should use the slow path to
  check if the operation is allowed in case the property is
  non-configurable or Object.preventExtensions() has been called on
  the property.
- Since KeyedStoreIC:Store() reuses StoreIC::Store() when the key is a
  name, we should use Runtime::DefineObjectOwnProperty() for
  DefineKeyedOwnIC too.
- When dealing with public fields, Runtime::DefineObjectOwnProperty()
  should use JSReceiver::CreateDataProperty() instead of
  Object::SetProperty() for the specified semantics. This patch also
  adds JSReceiver::AddPrivateField() for it and StoreIC::Store to
  define private fields without triggering traps or checking
  extensibility.
- To emit a more specific error message when redefining properties
  on non-extensible objects, Object::AddDataProperty() now also takes
  a EnforceDefineSemantics enum to distinguish between set and define.
- Drive-by: fix JSReceiver::CheckIfCanDefine() which should check for
  extensibility even if the configurability check passes.

Bug: chromium:1259950, v8:9888
Change-Id: Ib1bc851ffd4b9c3a0e98cac96dafe743c08ee37e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3517934
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#79603}
2022-03-24 12:36:42 +00:00
Thibaud Michaud
672bf4ee6a Reland "[wasm][liftoff] Spill regs for multi-value merges"
This is a reland of commit d9e1f2aee5

Change: disable regression test on non-SIMD hardware

Original change's description:
> [wasm][liftoff] Spill regs for multi-value merges
>
> If there is more than one value in the merge region, a stack-to-stack
> move can overwrite the source of a stack-to-register move. To avoid
> this, spill all registers.
>
> R=clemensb@chromium.org
>
> Bug: chromium:1299183
> Change-Id: I10495434d0a18c9072ee3882e00a687edd8c592a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3523044
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79584}

Bug: chromium:1299183
Change-Id: I6f2af786ab91194a93945f5030575d1b8abee7fd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3548716
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79601}
2022-03-24 12:15:43 +00:00
Benedikt Meurer
3eb6b7aca6 [debug] Hold on to promises weakly from the debugger's promise stack.
The debugger maintains a stack of promises used for catch prediction
with promise builtins and async functions. Previously this stack would
hold on to the individual promises strongly, and subtle bugs that lead
to not properly cleaning up the stack in some corner cases would often
lead to significant memory issues (e.g. leaking whole iframes).

This refactors the PromiseOnStack to be

  (a) on the V8 heap, rather than allocating C++ structs with global
      handles pointing to the promises, and
  (b) hold on to the promises only weakly.

While this will not guarantee proper promise stack management, it will
at least ensure that edge cases don't lead to catastrophic (debugger
only) leaks.

Bug: chromium:1292063
Change-Id: I9c293ca2032de3a59e1e9624f132d37187805567
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545176
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79594}
2022-03-24 08:16:32 +00:00
Clemens Backes
a18b1606d2 [wasm] Add validation of compilation hints
Before productionizing this, we probably want to just ignore the whole
section if it contains invalid data, but for now failing with a decode
error is more consistent with existing checks.

R=ecmziegler@chromium.org

Bug: v8:12537
Change-Id: I7fc5933573a4d6eddd039bf51361c5bee5c5170d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545177
Reviewed-by: Emanuel Ziegler <ecmziegler@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79593}
2022-03-24 07:12:53 +00:00
Tobias Tebbi
89c213bb0f Reland "cppgc: Add DCHECK that object start bitmap is safe to use"
This reverts commit ad09811a18.

Reason for revert: reverted by accident

Original change's description:
> Revert "cppgc: Add DCHECK that object start bitmap is safe to use"
>
> This reverts commit 9e1db51817.
>
> Reason for revert: https://chromium-review.googlesource.com/c/v8/v8/+/3535782 causes roll failures, this needs to be reverted too because it's based on it
>
> Original change's description:
> > cppgc: Add DCHECK that object start bitmap is safe to use
> >
> > During sweeeping/compaction the bitmap is being reconstructed and
> > should not be relied on for finding object start.
> > Add a DCHECK that the bitmap is fully populated.
> >
> > Bug: chromium:1307471
> > Change-Id: I4aa414722262bb6fb169123a49fce1510a60d3ef
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540680
> > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> > Commit-Queue: Omer Katz <omerkatz@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#79575}
>
> Bug: chromium:1307471
> Change-Id: I377b8737609fff33199776dce3d997f31074c59b
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545316
> Auto-Submit: Tobias Tebbi <tebbi@google.com>
> Owners-Override: Tobias Tebbi <tebbi@google.com>
> Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
> Cr-Commit-Position: refs/heads/main@{#79586}

Bug: chromium:1307471
Change-Id: I04357072c6974e045c1e2bdea93d4059a1e987b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545319
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Owners-Override: Tobias Tebbi <tebbi@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79592}
2022-03-23 22:58:42 +00:00
Tobias Tebbi
19633c4e2c Revert "cppgc: Add regression test and check for object start bitmap"
This reverts commit 164a040a2a.

Reason for revert: roll failure: https://ci.chromium.org/ui/p/chromium/builders/try/cast_shell_linux/1164753/overview

Original change's description:
> cppgc: Add regression test and check for object start bitmap
>
> Access to the object start bitmap is only safe during marking until
> sweeping is started as the concurrent sweeper may clear and rebuild
> the bitmap at any time during sweeping.
>
> Adds a DCHECK and an additional test for a previously broken
> pre-finalizer scenario.
>
> Bug: chromium:1307471
> Change-Id: If67ade43f7cdad6de4720c0efeac11bfe8c22b3c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3535782
> Reviewed-by: Nikolaos Papaspyrou <nikolaos@chromium.org>
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79550}

Bug: chromium:1307471
Change-Id: I181e63a34eae9369184fb86112bc64e53b8bfad5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545317
Owners-Override: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79590}
2022-03-23 21:07:16 +00:00
Michael Lippautz
f6386018d4 [api] Remove TracedGlobal<>
Remove deprecated TracedGlobal<>, greatly simplifying handling of
traced references in general.

Also saves a word per v8::TracedReference as there's no need to keep a
possible callback around.

Bug: v8:12603
Change-Id: Ice35d7906775b912d02e97a27a722b3e1cec28d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3532251
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79589}
2022-03-23 21:04:51 +00:00
Michael Lippautz
542a78458f MockTracingPlatform: Fix uaf with stack-scoped platform
This fixes a general race with stack-scoped `TestPlatform` which
may go out of scope while tasks on workers are still running.

Add a barrier for workers, implemented through tasks, to synchronize
destruction of `TestPlatform`.

While this fixes general races, such short-lived platforms still
break if tasks cache the global platform pointer.

Bug: v8:12635
Change-Id: Ifc6ecc29f0e2b7297ca52051eae9bd81013b60ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3536651
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79587}
2022-03-23 20:22:42 +00:00
Tobias Tebbi
ad09811a18 Revert "cppgc: Add DCHECK that object start bitmap is safe to use"
This reverts commit 9e1db51817.

Reason for revert: https://chromium-review.googlesource.com/c/v8/v8/+/3535782 causes roll failures, this needs to be reverted too because it's based on it

Original change's description:
> cppgc: Add DCHECK that object start bitmap is safe to use
>
> During sweeeping/compaction the bitmap is being reconstructed and
> should not be relied on for finding object start.
> Add a DCHECK that the bitmap is fully populated.
>
> Bug: chromium:1307471
> Change-Id: I4aa414722262bb6fb169123a49fce1510a60d3ef
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540680
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Omer Katz <omerkatz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79575}

Bug: chromium:1307471
Change-Id: I377b8737609fff33199776dce3d997f31074c59b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545316
Auto-Submit: Tobias Tebbi <tebbi@google.com>
Owners-Override: Tobias Tebbi <tebbi@google.com>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#79586}
2022-03-23 20:05:12 +00:00
Shu-yu Guo
7566979213 Revert "[wasm][liftoff] Spill regs for multi-value merges"
This reverts commit d9e1f2aee5.

Reason for revert: Linux test failures: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux/45960/overview

Original change's description:
> [wasm][liftoff] Spill regs for multi-value merges
>
> If there is more than one value in the merge region, a stack-to-stack
> move can overwrite the source of a stack-to-register move. To avoid
> this, spill all registers.
>
> R=​clemensb@chromium.org
>
> Bug: chromium:1299183
> Change-Id: I10495434d0a18c9072ee3882e00a687edd8c592a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3523044
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79584}

Bug: chromium:1299183
Change-Id: I465129695cfc1c5678923f7eefe5b91e31383798
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3546745
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Owners-Override: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79585}
2022-03-23 19:35:32 +00:00
Thibaud Michaud
d9e1f2aee5 [wasm][liftoff] Spill regs for multi-value merges
If there is more than one value in the merge region, a stack-to-stack
move can overwrite the source of a stack-to-register move. To avoid
this, spill all registers.

R=clemensb@chromium.org

Bug: chromium:1299183
Change-Id: I10495434d0a18c9072ee3882e00a687edd8c592a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3523044
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79584}
2022-03-23 18:08:31 +00:00
Joyee Cheung
639c09a341 [class] fix read-only private references in logical assignments
Since assignments to read-only private references can be skipped due
to short-circuiting in logical assignments, we should not eagerly
emit the error of invalid writes, and should instead load the values
as usual, only emitting an error when the assignment happens,
which can be handled by BytecodeGenerator::BuildAssignment().

Bug: v8:12680, v8:8330, v8:10372
Change-Id: Ia5fea9090bc48b0af8a9c8d6f95174f7aa2d86f8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3509298
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#79583}
2022-03-23 16:16:32 +00:00
Marja Hölttä
b35964839c [rab/gsab] RAB/GSAB support for Object.DefinePropert(y|ies)
Bug: v8:11111,chromium:1306929
Change-Id: I26e4c5d7e87f75844e60952f30e8fe20189910c4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3535783
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79577}
2022-03-23 14:17:17 +00:00
Omer Katz
9e1db51817 cppgc: Add DCHECK that object start bitmap is safe to use
During sweeeping/compaction the bitmap is being reconstructed and
should not be relied on for finding object start.
Add a DCHECK that the bitmap is fully populated.

Bug: chromium:1307471
Change-Id: I4aa414722262bb6fb169123a49fce1510a60d3ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540680
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79575}
2022-03-23 13:39:32 +00:00
David Sanders
cabf441d12 Fix typos, intial* -> initial*
Change-Id: Ia5066069304ae2eee442cd3e224c0c0c0816fd75
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3543179
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79574}
2022-03-23 13:20:33 +00:00
Michael Lippautz
aca727f69f heap: Remove OneShotBarrier
The code is dead since migrating to jobs API.

Change-Id: Icdcc3523ffe5830ef5851cf4ea86e579841f543c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540103
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79573}
2022-03-23 13:02:21 +00:00