... in order to be able to use it in other constants definitions in the header.
Bug: v8:7570
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: Id5d6ae34ab401ecf063bf5897b87b6bb87c24960
Reviewed-on: https://chromium-review.googlesource.com/1032782
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53097}
Moves all Oddballs, empty_feedback_metadata, lots of symbols and
immortal heap numbers and several other empty collection objects.
RO_SPACE NEW_SPACE OLD_SPACE CODE_SPACE MAP_SPACE LO_SPACE
old 31800 0 241976 24032 176 0
new 35080 0 238680 24032 176 0
diff +3280 -3296
Reland of https://chromium-review.googlesource.com/c/v8/v8/+/1025996,
without the empty_property_dictionary which is not read-only.
Bug: v8:7464
Change-Id: I84840d86eb3e5906ddb8b4c4e9e70bfec0cf78bc
Reviewed-on: https://chromium-review.googlesource.com/1049611
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53096}
Re-enables and fixes msan test failures due to string padding being
cleared only selectively in tests. This change instead makes sure it
always happens in TestIsolate.
Bug: v8:7746
Change-Id: I259b43ad25cb7af18bf16d29effb15772c981a67
Reviewed-on: https://chromium-review.googlesource.com/1051647
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53095}
The 'generates' clause was missing (so I suppose it got mapped
to JSReceiver).
Change-Id: I146546921e552f17dbadf74082b31315bf868bf7
Reviewed-on: https://chromium-review.googlesource.com/1032434
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Daniel Clifford <danno@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53093}
After closing a handle scope, and when allocating a new segment in a
zone, treat that memory as uninitialized in MSan. This will hopefully
catch more errors than handle zapping, which needs to be enabled
explicitly.
R=ahaas@chromium.org
Bug: v8:7570
Change-Id: Ie3be07434bed878fb607a522787514421f397197
Reviewed-on: https://chromium-review.googlesource.com/1046657
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53089}
The comment in {CallRuntime} was misleading. The {rsi}/{esi} register
did not hold the instance, but the context instead. The generated code
was correct thought.
R=titzer@chromium.org
Change-Id: I18020a04ac75faedf7ad5e4b07cab27ae0aedae7
Reviewed-on: https://chromium-review.googlesource.com/1051232
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53088}
This is a reland of 40f1aaf330
Put back padding clearing into the SerializeObject method but only when
the String is not in RO_SPACE. For RO_SPACE strings, if required
iterate over the space before serialization clearing the strings.
Original change's description:
> [heap] Mark RO_SPACE as read-only after deserialization
>
> Adds MarkAsReadOnly and MarkAsReadWrite to ReadOnlySpace. The latter
> is only usable with ReadOnlySpace::WritableScope to avoid the space
> being left writable). MarkAsReadOnly updates the high water mark and
> makes several previously mutating methods into no-ops.
>
> Moves some writes to immutable objects out of the bootstrapper to
> setup-heap-internal so they don't write to a read-only page.
>
> Also avoid writing hashes to strings that already have the value set as
> that invariably means writing to the "0" and "1" constant strings in
> RO_SPACE.
>
> Before serialization, it makes RO_SPACE writable again so that any
> padding can be cleared before writing it.
>
> Bug: v8:7464
> Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
> Change-Id: I22edc20dba7dde8943991a8fcaf87244af4490a3
> Reviewed-on: https://chromium-review.googlesource.com/1014128
> Commit-Queue: Dan Elphick <delphick@chromium.org>
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#52943}
Bug: v8:7464
Change-Id: Ia8386c4ff5f5df3207f584caf7a9b1ff1e405f25
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/1042145
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53087}
This CL removes the JSGraph from WasmGraphBuilder and uses MachineGraph,
which is independent of the isolate, instead. In addition to using
the machine graph in the WasmGraphBuilder, this CL splits off a subclass
for compiling wrappers that does have a JSGraph and encapsulates it in
the .cc file. This makes the separation of WASM function graphs and WASM
wrapper graphs more explicit.
R=mstarzinger@chromium.orgCC=ahaas@chromium.org
BUG=v8:7721
Change-Id: I3c190baef2084919d22a9a89a8c9f11d2ddcf3d0
Reviewed-on: https://chromium-review.googlesource.com/1050266
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53086}
The handles created for each SharedFunctionInfo within
SourcePosition::InliningStack live for the life of the profile,
reaching 5MiB+ on an example server application for Node.
This HandleScope limits their lifetime locally, given that the handles
do not escape.
This saves ~10% of peak memory.
Bug: v8:7719
Change-Id: I97ce0fd3658be89fdd9cb9c1369ea5bfae0ce579
Reviewed-on: https://chromium-review.googlesource.com/1049647
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53085}
This makes sure that the {WasmModuleObject} has been allocated before
any debug events are fired. Since {WasmScript} objects reference the
module object, it needs to be allocated earlier by now.
R=ahaas@chromium.org
TEST=debugger/regress/regress-crbug-840288
BUG=chromium:840288
Change-Id: I02783ce126c463ac953eb2192acb65f3a5d420a1
Reviewed-on: https://chromium-review.googlesource.com/1050246
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53084}
This reverts commit e084eea628.
Reason for revert:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20UBSanVptr/builds/3163
Original change's description:
> Fix SourcePositionInfo for wasm
>
> In wasm we often don't have a SharedFunctionInfo associated with a
> compilation job, so we can't get a Script. Just print "unknown" in
> these cases (instead of crashing).
>
> R=titzer@chromium.org
> CC=herhut@chromium.org
>
> Bug: chromium:840757, v8:7738
> Change-Id: I850c6adfd9e07c9a0f6dd018f1a9314feb89d887
> Reviewed-on: https://chromium-review.googlesource.com/1049632
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#53080}
TBR=titzer@chromium.org,clemensh@chromium.org
Change-Id: Ib2020ea3f2b778df9fe50ccbe803938f2f4fd709
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:840757, v8:7738
Reviewed-on: https://chromium-review.googlesource.com/1051265
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53082}
Port d8131cd63a
Original Commit Message:
Stubs and builtins are very similar. The main differences are that
stubs can be parameterized and may be generated at runtime, whereas
builtins are generated at mksnapshot-time and shipped with the snapshot
(or embedded into the binary).
My main motivation for these conversions is that we can generate
faster calls and jumps to (embedded) builtins callees from (embedded)
builtin callers. Instead of going through the builtins constants table
indirection, we can simply do a pc-relative call/jump.
This also unlocks other refactorings, e.g. removal of
CallRuntimeDelayed.
R=jgruber@chromium.org, joransiu@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: I193e4275470d492912a7d0f8523c3b8c29f1b146
Reviewed-on: https://chromium-review.googlesource.com/1050732
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#53081}
In wasm we often don't have a SharedFunctionInfo associated with a
compilation job, so we can't get a Script. Just print "unknown" in
these cases (instead of crashing).
R=titzer@chromium.org
CC=herhut@chromium.org
Bug: chromium:840757, v8:7738
Change-Id: I850c6adfd9e07c9a0f6dd018f1a9314feb89d887
Reviewed-on: https://chromium-review.googlesource.com/1049632
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53080}
D8 enables the Wasm trap handler by default now, but we need to make sure the
older bounds check case still gets test coverage too, as bounds checks will
continue to be a supported configuration.
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I5b0bdded6929a9b3a8480e87d038398b8d2a0fd8
Reviewed-on: https://chromium-review.googlesource.com/1048835
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53078}
Removes lots of parameters that are never used (found using
-Wunused-parameter).
Also wires up the pretenure parameter for Factory::NewFrameArray so it's
actually used.
Change-Id: I486e22ac0683afb84bba6a286947674254f93832
Reviewed-on: https://chromium-review.googlesource.com/1041687
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53077}
Next SSCA mitigation: Mask the function index on indirect calls. This
avoids speculative jumps to arbitrary memory.
R=titzer@chromium.org
Bug: v8:6600, chromium:798964
Change-Id: Id4a54fbb42096655d48965b63202bb58f98dc9aa
Reviewed-on: https://chromium-review.googlesource.com/1049627
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53076}
If termination was requested on pause we should handle it properly as
soon as execution resumed.
R=yangguo@chromium.org
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ica50500094138097f115545db716264126fbe59e
Reviewed-on: https://chromium-review.googlesource.com/1049486
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53074}
Similar to msan.h, asan should get its own header file such that the
functionality can be reused.
R=ahaas@chromium.org
Bug: v8:7570
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: Ib81e4ff4b1d08158df7730c32345d4facf9453b0
Reviewed-on: https://chromium-review.googlesource.com/1046656
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53073}
In addition to a git grep I ran the
virtual/enable_wasm_streaming/http/tests/wasm_streaming/wasm_response_apis.html
layout test locally to confirm that the flag is not used in Chrome.
R=titzer@chromium.org
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I00d013b85b585d26e50aacaeb82fb0b1ce1ff56c
Reviewed-on: https://chromium-review.googlesource.com/1049965
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53072}
Currently, non-msan builds don't check the arguments for
MSAN_ALLOCATED_UNINITIALIZED_MEMORY and MSAN_MEMORY_IS_INITIALIZED
calls, so type errors will only be reported on the msan builder.
This CL adds static_asserts for non-msan builds.
Drive-by: Rename MEMORY_SANITIZER to V8_USE_MEMORY_SANITIZER and move
it to macros.h, where also other such macros (like
V8_USE_ADDRESS_SANITIZER) live.
R=ahaas@chromium.org
Bug: v8:7570
Change-Id: If6c3c6e0d1287b5f1e0c59828cd028d1beac933d
Reviewed-on: https://chromium-review.googlesource.com/1046655
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53071}
Fixes the MaybeObject->Object conversion in ObjectStats to allow Smis,
rather than just HeapObjects.
Change-Id: I845613c47bb6ca696d444a025100b471fb385980
Reviewed-on: https://chromium-review.googlesource.com/1049925
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53070}
When a custom workdir is used for the checkout, it differs from the workdir
for temporary state files. In this case, code ensuring the existing of the
parent dir wasn't executed.
NOTRY=true
Bug: v8:7735
Change-Id: Idc81b50bb8f880dea45fde08ba4d437c91e96a37
Reviewed-on: https://chromium-review.googlesource.com/1049552
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53068}
Loading the length from a PropertyArray is currently broken.
Bug: v8:7732
Change-Id: Ia05f314f2f4822a8821801889b7a58f75b3f198c
Reviewed-on: https://chromium-review.googlesource.com/1049610
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53067}
To stay compatible with JSC, Array.p.sort did a post-processing step
that shadowed elements from the prototype chain.
Some time ago, JSC changed and no longer exhibits this behavior. To
preserve comptibility and stay consistent with RemoveArrayHoles,
this CL removes this post-processing step altogether and adjusts
tests to expect the new behavior.
R=cbruni@chromium.org, jgruber@chromium.org
Bug: v8:7382
Change-Id: Iecedc37cea25001d3768b99a3a9de3a2db90ba82
Reviewed-on: https://chromium-review.googlesource.com/1047286
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53066}
Code comments help a lot to understand the generated code. Add a
comment before each instruction, and some special comments for longer
instructions.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: Ic18974e5cc89e23533e3abc54b0389723b77ff73
Reviewed-on: https://chromium-review.googlesource.com/1049626
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53064}
Embedded builtins have been regressing benchmarks incrementally as
more and more builtins were moved to the embedded blob. This has made
recognition and analysis of other possible performance issues more
difficult.
Let's disable embedded builtins until their performance is at an
acceptable level.
Bug: v8:6666
Change-Id: I21a1274f3d5a65063127b0a8604df6dd0d3c0c95
Reviewed-on: https://chromium-review.googlesource.com/1049550
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53062}
This CL re-implements CopyFromPrototype, that is used during sorting,
as a runtime function, in preparation to move Array.p.sort to CSA.
CopyFromPrototype is called for sparse non-arrays, where elements
might be available on the prototype chain. For compatibility with
JSC, we copy them to the object itself and sort only own properties.
Bug: v8:7382
Change-Id: I4f5c14995cf9769c4f9f1d62b3a5bfde6d386556
Reviewed-on: https://chromium-review.googlesource.com/1044205
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53061}
This CL implements the functionality of SafeRemoveArrayHoles (JS),
which is used as a pre-processing step for sorting, in a runtime
function.
SafeRemoveArrayHoles is a generic fallback, when an existing runtime
function fails to remove holes/move undefineds to the end of an array.
This CL extends the existing runtime function to also support JSProxy
objects, and objects where indices have accessors.
R=cbruni@chromium.org, jgruber@chromium.org
Bug: v8:7382
Change-Id: I4881539cf2171caba08ff6e3e50320291f49839c
Reviewed-on: https://chromium-review.googlesource.com/1041950
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53060}
On system which required a contiguous code range, we currently limit
the committed wasm code space to the heap code space. Since
https://crrev.com/c/1044195, this was only 128MB, making bigger
benchmarks fail.
There is no need to link the two limits, thus just remove that logic.
R=titzer@chromium.org
Change-Id: Id61f5dd28c96c3d2b7fcd730751285c6fc144bc5
Reviewed-on: https://chromium-review.googlesource.com/1049648
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53059}
This shares JS-to-Wasm wrapper code across instances belonging to the
same module object. We no longer need to copy the wrappers since they
are by now independent of the concrete instance.
R=titzer@chromium.org
BUG=v8:7424
Change-Id: I54188eae6378e53cc274cd19f8e652ffdba72ee5
Reviewed-on: https://chromium-review.googlesource.com/1049607
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53058}
This changes JS-to-Wasm wrappers to no longer embed a WeakCell with the
associated instance into the code, but load the instance object from the
passed {WasmExportedFunction} object instead.
R=titzer@chromium.org
BUG=v8:7424
Change-Id: I5403f882912eb23e760fabe70207440648754a69
Reviewed-on: https://chromium-review.googlesource.com/1028053
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53057}
at register is used a lot in macro-assembler-mips[64].cc and
we should not use it as temporary register in other parts of code
Change-Id: I7ef038cdf4f8c57aa76823e7ee0ffb40b62731cd
Reviewed-on: https://chromium-review.googlesource.com/1027816
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Reviewed-by: Sreten Kovacevic <sreten.kovacevic@mips.com>
Cr-Commit-Position: refs/heads/master@{#53055}
- Make FeedbackVector backing store a WeakFixedArray.
- "feedback" is always strong but "extra" might be weak.
- Whenever the handler stored in FeedbackVector is a WeakCell to a transition
Map, replace it with an in-place weak reference.
For a more detailed description of the changes, see the design doc
https://docs.google.com/document/d/1P8cIme2wKszdYt64ObAiuh6pXgLnrrn80Hpl1ejJbOU/edit#heading=h.ijx1oculrikp
BUG=v8:7308
Change-Id: I72c5cf6597ef24d4c22a1fe8e25b67ca196d4ec8
Reviewed-on: https://chromium-review.googlesource.com/1027855
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53051}
This CL introduces type narrowing and constant folding reducers
to constant fold code that comes out of inlined destructuring
of arrays. In particular, array iterator introduces code that
contains a phi of a temporary array that blocks escape analysis.
The phi comes from conditional that can be evaluated statically
(i.e., constant folded), so with better constant folding we
allow escape analysis to get rid of the temporary array.
On a quick micro-benchmark below, we see more than 6x improvement.
This is close to the hand-optimized version - if we replace
body of f with 'return b + a', we get 220ms (versus 218ms with
destructuring).
function f(a, b) {
[b, a] = [a, b];
return a + b;
}
function sum(count) {
let s = 0;
for (let i = 0; i < count; i++) {
s += f(1, 2);
}
return s;
}
// Warm up
sum(1e5); sum(1e5);
console.time("destructure array");
sum(1e8);
console.timeEnd("destructure array");
console.timeEnd: destructure array, 213.526000
console.timeEnd: destructure array, 1503.537000
Bug: v8:7728
Change-Id: Ib7aec1d5897989e6adb1af1eddd516d8b3866db5
Reviewed-on: https://chromium-review.googlesource.com/1047672
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53048}
