Commit Graph

72256 Commits

Author SHA1 Message Date
Junliang Yan
103f9d532a ppc/s390: enable liftoff tests
Change-Id: I452cc4b2a25ce2d00825bf8eea7ac4073310583b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3260149
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/main@{#77764}
2021-11-08 15:01:34 +00:00
Thibaud Michaud
0443eb2ef0 [wasm] Introduce stack-switching frame type
And make the GC visit spilled references in the frame.

R=ahaas@chromium.org
CC=fgm@chromium.org

Bug: v8:12191
Change-Id: Ida430f12a6de7658972e7890542fb02f7f7ddbb1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3226784
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77763}
2021-11-08 14:29:44 +00:00
Igor Sheludko
13bcdc5b38 [ext-code-space] Avoid Code <-> CodeT conversions in runtime, pt.1
This CL
* adds forwarding accessors to CodeDataContainer for certain widely
  used Code object's fields and predicates,
* adds JSFunction::set_code() overloads accepting CodeT values,
* migrates SharedFunctionInfo getters to CodeT,
* migrates InterpreterData::interpreter_trampoline to CodeT.

Drive-by-fix: replace #if V8_EXTERNAL_CODE_SPACE with #ifdef to be
consistent.

Bug: v8:11880
Change-Id: I1e114076a0568068038ca6f70a86431a3a9cfb9f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3262716
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77762}
2021-11-08 14:08:24 +00:00
Manos Koukoutos
e8fe219a41 [wasm][liftoff] Fix storing of tagged pointer in tracing
Change-Id: Ibc3b7d73ce92f3d0f848e94b1266c99a78279392
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3259661
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77761}
2021-11-08 13:59:24 +00:00
Igor Sheludko
9f64eb09e5 [ext-code-space] Avoid Code <-> CodeT conversions in builtins, pt.3
Bug: v8:11880
Change-Id: I53166b226c29a9244b047431e0830de109975306
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3262128
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77760}
2021-11-08 12:09:44 +00:00
Jakob Gruber
3a46c81c26 [flags] Add a sanity check for unchanged jitless flags
V8 flags in general should not change in a process after the
first Isolate has been initialized. --jitless and related flags
are especially sensitive to this, so we introduce a dedicated check
just for them.

Bug: chromium:1262676, v8:9019, v8:12366
Change-Id: I239726889d236a3785c1fdc076fa21d1b8983c92
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3260508
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77759}
2021-11-08 11:44:45 +00:00
Igor Sheludko
e6da2eeb72 [ext-code-space] Fix verification of code object slots
... which could contain a smi value during CodeDataContainer setup.

Bug: v8:11880
Change-Id: Ibc67818411e9b824843bc5a20d249335c88d5f57
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3264291
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77758}
2021-11-08 11:04:43 +00:00
Maya Lekova
32af9c0477 [fastcall] Fix null deref in concurrent access to the simulator
This CL fixes a null dereference when an attempt is made to access
the current arm64 simulator from a background thread.

Bug: chromium:1267491
Change-Id: I9232fe134fccbff162eb5076aff20884872e4cc7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3264219
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77757}
2021-11-08 10:54:33 +00:00
Jakob Gruber
c9d23462a5 [regexp] Fix yet another invalid use related to range arrays
`Equals` did not properly account for arrays with odd lengths.

Bug: v8:11069
Change-Id: I3264ebef248adcecd59b902bf1521cfddbd5a69d
Fixed: chromium:1267674
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3264218
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77756}
2021-11-08 09:51:53 +00:00
Jakob Gruber
3a858a91fa [base] Extend SmallVector for use with Zone storage
This CL adds an Allocator to SmallVector to control how dynamic
storage is managed. The default value uses the plain old C++
std::allocator<T>, i.e. acts like malloc/free.

For use with zone memory, one can pass a ZoneAllocator as follows:

  // Allocates in zone memory.
  base::SmallVector<int, kInitialSize, ZoneAllocator<int>>
    xs(ZoneAllocator<int>(zone));

Note: this is a follow-up to crrev.com/c/3240823.

Drive-by: hide the internal `reset` function. It doesn't free the
dynamic backing store; that's a surprise and should not be exposed to
external use.

Change-Id: I1f92f184924541e2269493fb52c30f2fdec032be
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3257711
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77755}
2021-11-08 07:52:46 +00:00
Manos Koukoutos
5bf06b536d [wasm] Remove IndirectFunctionTableEntry
Since the indirect function table at index 0 in an instance is now
represented like the other tables, the IndirectFunctionTableEntry
abstraction is no longer useful. We replace it with direct access to the
tables and a simpler abstraction {FunctionTargetAndRef}.

Bug: v8:11510
Change-Id: Iab4a6ca7eda8eb1757dbd321cb3997e98e78267e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3247030
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77754}
2021-11-08 05:48:06 +00:00
Victor Gomes
04899013ba [bazel] Adds encoded-c-signature.{cc,h}
Introduced by:
https://chromium-review.googlesource.com/c/v8/v8/+/3060486

No-Try: true
Bug: chromium:1052746
Change-Id: I1dd0028fd05999ec7b4128bb9250f7fa663dfe41
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3264292
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77753}
2021-11-08 05:33:56 +00:00
Manos Koukoutos
03b803a848 [wasm] Unify indirect function table 0 representation
Design doc: https://bit.ly/3jEVgzz

We represent the indirect function table of a WasmInstanceObject at
index 0 like the rest of the tables, i.e., as the 0th element of the
instance's indirect_function_tables() field. For performance, we
maintain direct links from the instance to the contents of table 0
(indirect_function_table_{size, sig_ids, refs, targets} in
WasmInstanceObject).

Bug: v8:11510
Change-Id: Ice49fd855109051d304ef9033cac7a495b68ab8b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3246970
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77752}
2021-11-08 03:55:26 +00:00
Manos Koukoutos
02b73c9424 [wasm] Do not sandbox isolate root pointer
The isolate root pointer in a WasmApiFunctionRef cannot be sandboxed,
because we would need the isolate root in the first place to decode it.
Therefore we do not use Foreign as the parent class of
WasmApiFunctionRef.

Bug: v8:11510
Change-Id: Idcbe654274c543ee571a335cb8e212ca3492d973
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3262134
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77751}
2021-11-08 03:43:47 +00:00
Lu Yahan
77599ffe0a [riscv64] Add block before LoadAddress
Fix a node.js DCHECK failure.
issue: https://github.com/riscv-collab/v8/issues/514

Change-Id: I07f40e6aca05be3eb7304a43235185fd40ebc1f2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3260979
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#77750}
2021-11-08 02:47:56 +00:00
Michael Lippautz
057ffb820e heap: Emit write barrier when setting internal fields
Internal fields are used for implementing edges to C++ objects in
Oilpan. When setting the fields on a JS API object, we should also
emit a write barrier for this edge.

This mechanism replaces the explicit write barrier in V8's API which
is provided through `JSHeapConsistency::*`.

The internal barrier should also be slightly faster as it doesn't
require any API calls.

Bug: v8:12356
Change-Id: I639d18141acfb910d0ded8d987d8a0916e25431d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3257709
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77749}
2021-11-06 07:33:41 +00:00
Joyee Cheung
1ec4c33457 [class] add microbenchmarks for private methods
Bug: v8:10793
Change-Id: If9e4884ae1817121d9661eedc1e8806ab7f68214
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3256998
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77748}
2021-11-06 05:40:22 +00:00
v8-ci-autoroll-builder
34b09dbefe Update V8 DEPS.
Rolling v8/build: 9088cd6..f7f53e9

Rolling v8/buildtools/third_party/libunwind/trunk: 9901571..51ffc5e

Rolling v8/third_party/aemu-linux-x64: Ce6sqxwYi8DOFfwlCOP0MURltjjH-QIsgAsJ1p7--KIC..JOROMO2u_x7WbmPlWROhQxdCaIY-Q639bZpu8IWRc30C

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/429f4e0..e5067b0

Rolling v8/third_party/depot_tools: 1c179b5..6500963

Rolling v8/third_party/instrumented_libraries: 7dab69f..a736941

Rolling v8/tools/luci-go: git_revision:68355732afb00a422ae0c70eed95c6a45f9868b1..git_revision:d17c642c8c3c6d9e37bd9c25535c4c5b66b99781

Rolling v8/tools/luci-go: git_revision:68355732afb00a422ae0c70eed95c6a45f9868b1..qLMs01I9Ry2iQnzjXEE-TVzz-tLGynUTnCfDp0JgjnAC

Rolling v8/tools/luci-go: git_revision:68355732afb00a422ae0c70eed95c6a45f9868b1..git_revision:d17c642c8c3c6d9e37bd9c25535c4c5b66b99781

TBR=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: I4d277c7cb14ecc226a116d4013840c86f1dec456
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3264753
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#77747}
2021-11-06 03:48:51 +00:00
Yolanda Chen
0233cb6c82 [x64] Implement 256-bit assembly for vmovddup/vmovshdup
Bug: v8:12228
Change-Id: I49b2e1a1c837b96ea2e7cb58f42314109845b7fc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3263766
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Yolanda Chen <yolanda.chen@intel.com>
Cr-Commit-Position: refs/heads/main@{#77746}
2021-11-06 02:03:52 +00:00
Milad Fa
7b785f3389 PPC: Fix offset calculation to CallCFunction return
Currently we are calculating the offset manually. This method
uses code patching to re-emit the instruction with the correct offset
when the value is available.

Change-Id: Ie68580398df92ed2ab57c3972f408cfde8e60432
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3264746
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/main@{#77745}
2021-11-05 20:42:41 +00:00
Maya Lekova
b9ddcbc86f [fastcall] Enable float support on arm64 simulator
This CL adds support for handling calls to C functions with arbitrary
signatures on the arm64 simulator. It adds infrastructure for
encoding the signature data from CallDescriptor and FunctionInfo
classes into a compact representation, stored in the simulator and
called EncodedCSignature.

Design doc:
https://docs.google.com/document/d/1ZxOF3GSyNmtU0C0YJvrsydPJj35W_tTJZymeXwfDxoI/edit

This CL is a follow up on the native support added in
https://chromium-review.googlesource.com/c/v8/v8/+/3182232
and is partially based on the previous attempt:
https://chromium-review.googlesource.com/c/v8/v8/+/2343072

Bug: chromium:1052746
Change-Id: I0991b47bd644b2fc2244c5eb923b085261f04765
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3060486
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77744}
2021-11-05 19:28:59 +00:00
Michael Achenbach
c2b481934f Let infra owners own all dot files
This is to reduce eng-review bottleneck when new dot files are added
to the top-level directory.

No-Try: true
Bug: chromium:1266833
Change-Id: I62e1155e90f3f07bca15ca0b23d3308904ecaecb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3264284
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77743}
2021-11-05 18:57:18 +00:00
Nico Hartmann
c3cf26657e Add vpython3 to DEPS
Bug: chromium:1266833
Change-Id: I3ec80560881c596c41df389c754a5b01f911bb9a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3260516
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77742}
2021-11-05 18:08:29 +00:00
Marja Hölttä
ac0f447873 [web snapshots] Support concatenating snapshots
After the snapshot data ends, interpret the rest as normal JS code.

Bug: v8:11525
Change-Id: I8de4cf4027e582e6b8e330dda7708623373d2675
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3263896
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77741}
2021-11-05 17:57:12 +00:00
Thibaud Michaud
0e546f54e9 [wasm] Add Suspender.returnPromiseOnSuspend
R=ahaas@chromium.org
CC=fgm@chromium.org

Bug: v8:12191
Change-Id: I415c4488262a97cf04b71fd8e96071c7bff972cf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3231337
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77740}
2021-11-05 17:35:59 +00:00
Seth Brenith
6745405f40 [torque] Get rid of weak keyword
Torque allows a `weak` keyword on class field declarations. This keyword
is confusing, because it means two completely different things:

1. This field should be included in the weak fields section, meaning the
   field's offset should be in the range [kStartOfWeakFieldsOffset,
   kEndOfWeakFieldsOffset).
2. If a BodyDescriptor is generated for this class, then this field
   should be visited using *custom* weakness semantics
   (IterateCustomWeakPointers, not IterateMaybeObjectPointers).

I propose the following updated behavior, which I think is a bit more
reasonable:

1. To request that the generated BodyDescriptor use custom weakness
   semantics, use a new annotation @customWeakMarking.
2. The weak fields section includes all fields that can be a Weak<T>
   type, plus those annotated with @customWeakMarking.

These new rules require reordering fields in two classes which didn't
already have all of their strong fields adjacent.

Bug: v8:7793
Change-Id: Ic9d741986afa7fc1be3de044af5cae11a3c64d8c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3261968
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77739}
2021-11-05 17:11:40 +00:00
Camillo Bruni
d261a8943c [execution] Reset InvokeParams when calling scripts
We use the InvokeParams to pass host-defined options to Invoke.
The script should never access them directly and thus we should clear
out the argv and argc values.

Bug: chromium:1244145
Change-Id: I915186d624f92581af79ca62bcb1613bc4069640
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3263891
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77738}
2021-11-05 16:57:19 +00:00
Camillo Bruni
1fa34d14b8 Avoid using "<<<<" for better merge conflict grep support
Change-Id: Ie5d8ec9030df9f838522b4531205e71394a988da
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3263884
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Auto-Submit: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77737}
2021-11-05 16:28:59 +00:00
Igor Sheludko
0599776f95 [ext-code-space] Fix spill slot correctness check
The old check didn't expect to see an already evacuated object.

Bug: v8:11880
Change-Id: I5a105e3ae8c04df0061e96f0650c5bd3e66264de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3264286
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77736}
2021-11-05 16:19:09 +00:00
Camillo Bruni
ed0a859959 Reland "[runtime] Optimise paired instance type checks"
This is a reland of 92edf9a1da

Introduce map handle again to prevent corruption.

Drive-by-fix:
Make some PropertyDetails and Representation methods constexpr.

Original change's description:
> [runtime] Optimise paired instance type checks
>
> Clang doesn't optimise over handle derefs. Change the ValueSerializer
> and the JsonStringifier to use InstanceType directly for checks.
> This CL squeezes another 1.5% of JSON.stringify in local benchmarks.
>
> Drive-by-fix:
> - Avoid a few more derefs in the JsonStringifier
> - Make JsonStringifier::SerializeJSArray a bit more readable
>
> Change-Id: I37626a6d92a8d9275611a4e6d1d908f2e0c6d43b
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3247637
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#77697}

Change-Id: I8915a82aab6dd7966223a4d7a8dd1363258b7c81
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3260512
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77735}
2021-11-05 15:29:09 +00:00
Thibaud Michaud
cce7154d57 [wasm] Add WebAssembly.Suspender object
R=ahaas@chromium.org

Bug: v8:12191
Change-Id: I15a5507a7dd0f02a3bbe9d3ce200206adf4d4539
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3231075
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77734}
2021-11-05 14:42:23 +00:00
Camillo Bruni
f0e5e3b282 [api] Introduce new HostImportModuleDynamicallyCallback
The new callback no longer uses ScriptOrModule but rather gets the
host-defined options and the referrer name as separate arguments.

This brings us one step closer to deprecating ScriptOrModule and putting
the host-defined options in the script context.

- Add v8::Data::IsFixedArray and cast helpers
- Deprecate HostImportModuleDynamicallyWithImportAssertionsCallback soon
- Add Script::Run entry point that explicitly takes host-defined
  options (unused yet)

Bug: chromium:1244145
Change-Id: I08bc92cfb3b79d840e766fb71b8d91d301f4399c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3263893
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77733}
2021-11-05 14:35:43 +00:00
Victor Gomes
5bb577eaf3 [heap] Forces CodeSpaceMemoryModificationScope only in safepoints
CodeSpaceMemoryModificationScope should only be used by the main
thread and during a safepoint. This adds a check in
CodeSpaceMemoryModificationScope.

The reason for this is that CodeSpaceMemoryModificationScope is not
thread-safe. It assumes that no other thread is modifying code space
(either by setting memory permission or adding a new page).

This CL also replaces CodeSpaceMemoryModificationScope with
CodePageCollectionMemoryModificationScope in a few occurrences, where
the former is not needed. This should not hurt performance.

Bug: v8:12054
Change-Id: I2675e667782c6ad8410877a4e64374899066bcd1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3263890
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77732}
2021-11-05 14:34:41 +00:00
Nikolaos Papaspyrou
f31fb295e5 heap: Introduce v8:gc:cycle:young UMA events
Report young generation GC statistics to the Recorder API.
These will be used by Blink to populate UMA histograms.
Existing UMA reporting in V8 remains as is for now and will be removed
in a followup.

This CL goes together with:
https://chromium-review.googlesource.com/c/chromium/src/+/3247446

Change-Id: I1fed070d4a3996c4d0d8942b455d722afafcc4ab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3247635
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77731}
2021-11-05 13:31:22 +00:00
Manos Koukoutos
74d9a7642d [wasm][fuzzer] Complex init. expressions in JS testcase
We enable struct.new and array.init initializer expressions in the JS
testcase generated by --wasm-fuzzer-gen-test. We needed to make some
changes in the WasmInitExpr class, and to implement a new interface for
the WasmFullDecoder, which constructs a WasmInitExpr.
Changes:
- Make WasmInitExpr a ZoneObject. Use a pointer for its operands_ field.
  This is needed so WasmInitExpr is trivially copyable, and thus usable
  as a Value type in WasmFullDecoder.
- Implement a WasmFullDecoder interface in wasm-fuzzer-common that
  constructs a WasmInitExpr. Use it to decode initializers in the
  module generated by the fuzzer.
- Change AppendInitExpr to take a WasmInitExpr as argument.
- Fix an issue with printing of struct definitions.
- Change initializer expression used for structs to struct.new_with_rtt.
  This is consistent with the currently used structural types.

Bug: v8:11954
Change-Id: I65a87cc98701a54f32500be192b3b6eef2ff6c8c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3257712
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77730}
2021-11-05 12:17:48 +00:00
Maya Lekova
d65a8d6cf5 Revert "Add tests for serialization of v8::CFunction"
This reverts commit 5dd16ca0fb.

Reason for revert: MSAN complains about an uninitialized value, see https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/41150/overview

Original change's description:
> Add tests for serialization of v8::CFunction
>
> The tests are modeled after another patch that includes
> v8::CFunctions into Node.js's builtin snapshot.
>
> Refs: https://github.com/nodejs/node/pull/40649
> Change-Id: I5a91682f7944ef06a0d3caf7333b09f974bcd64b
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3251138
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Maya Lekova <mslekova@chromium.org>
> Commit-Queue: Joyee Cheung <joyee@igalia.com>
> Cr-Commit-Position: refs/heads/main@{#77726}

Change-Id: I9ea32a84783c3f555ee40daebf7b7f6c74f75062
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3263892
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Owners-Override: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#77729}
2021-11-05 11:59:09 +00:00
Leszek Swirski
b6264d6d33 [parser] Only post tasks when there is no error
We don't do scope analysis when there is a preparse error, so we don't
have a literal that is valid enough to create a SharedFunctionInfo.

Fixed: chromium:1267172
Change-Id: I18437889fb42593622410a44922bd9f0dc995992
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3263887
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77728}
2021-11-05 11:06:18 +00:00
Michael Lippautz
a5700ffd5d api: Advance deprecations for write barriers
Bug: v8:12165
Change-Id: I47b92d71ef76e71b6bfbcc883e70f5b31bceedcb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3263889
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77727}
2021-11-05 10:58:28 +00:00
Joyee Cheung
5dd16ca0fb Add tests for serialization of v8::CFunction
The tests are modeled after another patch that includes
v8::CFunctions into Node.js's builtin snapshot.

Refs: https://github.com/nodejs/node/pull/40649
Change-Id: I5a91682f7944ef06a0d3caf7333b09f974bcd64b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3251138
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#77726}
2021-11-05 10:37:33 +00:00
Camillo Bruni
1b4d3b6393 [test] Remove unused --harmony-dynamic-import flag
Change-Id: I5dbfe8c1e2f8474d4693dc9e9ddd57639c37c6ab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3263885
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77725}
2021-11-05 10:30:58 +00:00
Victor Gomes
8389acd792 [cleanup] Consistently name flag disabled_optimization_reason
Change-Id: I1d343244f9b4674b830c13a879d90397de4a784a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3263886
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77724}
2021-11-05 10:28:26 +00:00
Leszek Swirski
3bec8e23cb [compiler-dispatcher] Focus API around SFIs, not literals
Remove FunctionLiterals and ParseInfo from the LazyCompileDispatcher
API, passing instead the SharedFunctionInfo, a character stream, and
optionally some preparse data.

In the future, this should allow us to pass arbitrary uncompiled
SharedFunctionInfos into the LazyCompileDispatcher.

Change-Id: Iff90408f3b259c7f5df0e74687d052e75959fa48
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3262131
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77723}
2021-11-05 10:10:11 +00:00
Jakob Gruber
f67dd50a16 [regexp] Update capture name parsing for recent spec changes
Capture group names were extended in

https://github.com/tc39/ecma262/pull/1869/files
https://github.com/tc39/ecma262/pull/1932/files

RegExpIdentifierName now explicitly enables unicode (+U) for
unicode escape sequences; likewise, surrogate pairs are now allowed
unconditionally.

The implementation simply switches on unicode temporarily while
parsing a capture group name.

Good news everyone, /(?<𝒜>.)/ is now a legal pattern.

Bug: v8:10384
Change-Id: Ida805998eb91ed717b2e05d81d52c1ed61104e3f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3233234
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77722}
2021-11-05 10:09:07 +00:00
Al Muthanna Athamina
37355e2dd1 [infra] Clean up MB config after main Linux builder split and refactoring
Bug: chromium:1136844
Change-Id: Ie282c94e18bce71e47f69d84c89640d459ea39a7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3260505
Commit-Queue: Almothana Athamneh <almuthanna@chromium.org>
Reviewed-by: Liviu Rau <liviurau@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77721}
2021-11-05 10:07:27 +00:00
Leszek Swirski
07f5e27216 [off-thread] Initialise placeholder SFI as full copy
Do a full copy of all fields when initialising and copying from the
placeholder SharedFunctionInfo that is used in off-thread function
compilation. This guarantees that all fields are correct both in the
on-thread and off-thread cases.

Change-Id: If1807c6f56fe38fea40ed39596f85634356e2623
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3260518
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77720}
2021-11-05 09:24:37 +00:00
Dominik Inführ
c599a99a3d [heap] Introduce GlobalSafepoint and GlobalSafepointScope
Move logic to perform a global safepoint into GlobalSafepointScope and
GlobalSafepoint, respectively, for easier reuse of this functionality in
the future.

Note that full functionality for a global safepoint will be provided
in a subsequent CL.

Bug: v8:11708
Change-Id: I80dd22c36ab01df573623aa36ead9cc373663b9b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3259531
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77719}
2021-11-05 07:46:26 +00:00
v8-ci-autoroll-builder
330d4fab8b Update google_benchmark
Rolling v8/third_party/google_benchmark/src: 8aae0a4..329fb06

Fix error with Fix Werror=old-style-cast  (#1272) (Bensuperpc)
https://chromium.googlesource.com/external/github.com/google/benchmark/+/329fb06

Fix error Wshorten-64-to-32 (#1273) (Bensuperpc)
https://chromium.googlesource.com/external/github.com/google/benchmark/+/8826ef7

TBR=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com,mlippautz@chromium.org

Change-Id: I02d2c02eba3ba63364060cc0809ee021fa4b804e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3262145
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#77718}
2021-11-05 05:30:28 +00:00
v8-ci-autoroll-builder
59e09eee7b Update V8 DEPS.
Rolling v8/build: 02bef0a..9088cd6

Rolling v8/third_party/aemu-linux-x64: hys6gk1KOHMz9nURGWen255HiLIaVd3e4eZfa-w6l7oC..Ce6sqxwYi8DOFfwlCOP0MURltjjH-QIsgAsJ1p7--KIC

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/b939095..429f4e0

Rolling v8/third_party/depot_tools: 8a0d05d..1c179b5

Rolling v8/third_party/instrumented_libraries: 3c149f5..7dab69f

Rolling v8/tools/clang: b2ffe54..af96b7b

TBR=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: Ie305f81bb17aabb539976e30057152e18e1df4c2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3262141
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#77717}
2021-11-05 03:52:47 +00:00
Camillo Bruni
e24bdb6efc Reland "[d8] Verify host-defined options"
This is a reland of 0446ab7ce1

Additional fix:
Manually set the host-defined options on deserialised scripts in d8.

Original change's description:
> [d8] Verify host-defined options
>
> d8 never checked what the actual value of the host-defined options are.
> We now properly verify that the host-defined options is a specific object
> so we don't end up accidentally ignoring a wrong options object.
>
> Drive-by-fix:
> - Convert %AbortJS argument to string
>
> Bug: chromium:1244145
> Change-Id: If0ed128d215682bcf066592418420548b06eb6a1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3259655
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Shu-yu Guo <syg@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#77699}

Bug: chromium:1244145
Change-Id: I8ddfdba27d84c36862323ab9e1aba14b2ff932a4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3259539
Auto-Submit: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77716}
2021-11-04 22:28:18 +00:00
Andreas Haas
272e5a8766 [wasm] Do not serialize modules that don't contain TurboFan code
The wasm serialization format only contains TurboFan code. All other
functions are only represented by placeholders. With this CL
serialization fails if the serialized module does not contain any
TurboFan functions and would therefore consist only of placeholders.

This is a defense in depth approach, because ideally serialization
only gets triggered when TurboFan code is available. However, in some
scenarios like debugging it can happen that modules without TurboFan
code get serialized.

Bug: v8:12281
Change-Id: Ib05430ff89eb2317da80fc0d086ce1d7ab0e919d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3212510
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77715}
2021-11-04 15:47:03 +00:00