We used the same random seed for all test cases of a fuzz session
for transitioning from choosing the flags on the V8 side.
Since the grace period for stable bisection is over, we now use
the same random number generator throughout the fuzz session which
leads to a wider range of differently chosen flags.
TBR=tmrts@chromium.org
No-Try: true
Bug: chromium:813833
Change-Id: I07b9fe5de378c01344afd486bfd85fcbf0fcd8d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1906377
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64910}
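As an added illustration of the point above (not code from V8's numfuzz), the two strategies side by side: reseeding a fresh generator for every test case yields one and the same flag set for the whole session, while a generator shared across the session keeps advancing and so covers many more flag combinations. The flag list, the seed and the 50% pick probability are constructed for the demonstration.

```cpp
// Added example (not V8's numfuzz code): choosing fuzz flags per test case
// with (a) a fresh generator seeded identically for every case, as before,
// versus (b) one generator shared across the session, as this change does.
#include <cstddef>
#include <random>
#include <set>
#include <string>
#include <vector>

// Constructed sample of flags; the real fuzzer draws from its own list.
const std::vector<std::string> kFuzzFlags = {
    "--stress-compaction", "--random-gc-interval=1", "--stress-inline",
    "--turbo-inline-js-wasm-calls", "--jitless", "--no-lazy-feedback-allocation"};

// Picks a random subset of the flags using the given generator (assumed
// 50% pick probability per flag).
std::set<std::string> ChooseFlags(std::mt19937& rng) {
  std::bernoulli_distribution pick(0.5);
  std::set<std::string> chosen;
  for (const auto& flag : kFuzzFlags) {
    if (pick(rng)) chosen.insert(flag);
  }
  return chosen;
}

// (a) Reseed per test case: every case draws from an identical generator
// state, so the session only ever sees one flag set.
size_t DistinctSetsWithReseeding(unsigned seed, size_t num_cases) {
  std::set<std::set<std::string>> seen;
  for (size_t i = 0; i < num_cases; ++i) {
    std::mt19937 rng(seed);
    seen.insert(ChooseFlags(rng));
  }
  return seen.size();
}

// (b) One generator for the whole session: its state advances from case to
// case, so later cases get different flag combinations.
size_t DistinctSetsWithSharedRng(unsigned seed, size_t num_cases) {
  std::mt19937 rng(seed);
  std::set<std::set<std::string>> seen;
  for (size_t i = 0; i < num_cases; ++i) {
    seen.insert(ChooseFlags(rng));
  }
  return seen.size();
}
```

The trade-off the message alludes to remains: with a shared generator a single case is only reproducible by replaying the whole session from its seed, which is what bisection needed during the grace period.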
There are some cases where we can ignore some truncations or
change nodes for Smi Untagging, when we are using 31 bit smis
in 64 bit architectures.
Updated DecompressionOptimizer to match the new pattern.
Change-Id: I89d34407e6f780ec0399cd427cf9d3e24ee5669a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1889877
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64909}
Wasm code GC is on by default now.
R=machenbach@chromium.org
No-Try: true
Change-Id: Ib24e68f431876ecb91e7ae6ef6bc6cc08c2ea0c0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910942
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64908}
Merge duplicate LowerCheckedInt32ToTaggedSigned code.
Skip ChangeInt32ToInt64:
* In 32 bit archs, ChangeInt32ToInt64 is a no-op.
* In 64 bit archs with 31 bit smis and smi corrupting enabled,
ChangeInt32ToIntPtr can be skipped. This is because it would only
change the upper bits, and those upper bits are not significant
since we are smi-corrupting.
Change-Id: Ia217773fc7fccdd6227f66fbd600326ebbe9b86d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1893193
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64906}
This is a reland of ab1b511c16
The offending flags are removed.
Original change's description:
> [test] Add more flags to numfuzz flags fuzzer
>
> This adds a selection of flags to numfuzz that are already used
> for different testing variants or on clusterfuzz for
> correctness testing.
>
> No-Try: true
> Change-Id: I79745b281b001f57d2b24977f3a8e9ce3bbab2a4
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1906573
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#64884}
No-Try: true
Change-Id: Ie01f244147be0b0fda8cec83f48ac3f73c5a81ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910113
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64905}
This decomposes the crdtp library into multiple files.
Since it wasn't previously rolled
it's a bit more than just that.
Upstream review: https://chromium-review.googlesource.com/c/deps/inspector_protocol/+/1907115
New Revision: d020a9e614d4a5116a7c71f288c0340e282e1a6e
Change-Id: I5c588469654bec3e933804ac706fa967c6fe57bc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1907973
Auto-Submit: Johannes Henkel <johannes@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64902}
This patch excludes brand symbols from the result of
JSReceiver::GetPrivateEntries so that the brands do not show up
when the instances are inspected from the DevTools (e.g. via
`Runtime.getProperties()`).
To implement this, we use a bit in the Symbols to denote whether
it's a brand symbol. A brand symbol is also a private name
symbol so that we can just reuse the IC for accessing private
names and do not need to jump through extra ORs.
Design doc: https://docs.google.com/document/d/1N91LObhQexnB0eE7EvGe57HsvNMFX16CaWu-XCTnnmY/edit
Bug: v8:8671, v8:9839, v8:8330
Change-Id: I24346aeedce3602395289052d1e1350ae9390354
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1909757
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/master@{#64899}
... even with ptr-compr.
Although full uintptr-sized TypedArrays are not supported yet
we may already start using uint32-sized typed arrays as we no
longer rely on TypedArray length to be a Smi.
Bug: v8:4153
Change-Id: If179541ad4f02c4ec7de9d1f3836138fe526d8a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1905847
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64897}
Instead of changing all of TryToName to do the conversion to array
index, this patch narrows this fast path just to the element load IC
handler.
This patch also restores the HeapNumber conversion in TryToIntPtr and
in Turbofan inlining as per the original state of things.
Bug: v8:9449, chromium:1016738, chromium:1016709
Change-Id: Ibf3a2c38637fc36e0ee037dc740f273848d1e8a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1902386
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64896}
This reverts commit ab1b511c16.
Reason for revert: too many spurious errors
Original change's description:
> [test] Add more flags to numfuzz flags fuzzer
>
> This adds a selection of flags to numfuzz that are already used
> for different testing variants or on clusterfuzz for
> correctness testing.
>
> No-Try: true
> Change-Id: I79745b281b001f57d2b24977f3a8e9ce3bbab2a4
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1906573
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#64884}
TBR=machenbach@chromium.org,clemensb@chromium.org,almuthanna@google.com,liviurau@chromium.org
Change-Id: Iba9cfa8e6e8e2cb3b9fe0f803b07376ae55d783c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910112
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64895}
They were there to avoid a GCC bug. Now that we do not support GCC 4 any
more, we can remove this workaround.
R=ahaas@chromium.org
Bug: v8:9810
Change-Id: I9346671cc1c5f0c83b47d0cfbd313cd1eb2179a7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910104
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64893}
This creates a .tq file in src/objects for each src/objects/*.h file
with Torque-defined classes and moves the object definitions and
corresponding helpers/macros there.
In addition, we create files convert.tq and cast.tq in src/builtins
to move the casts and conversions to.
Since Torque-generated .cc files end up as .o files in the same
directory, there cannot be two .tq files of the same name. Thus it
was necessary to rename src/builtins/arguments.tq and
src/builtins/string.tq to not clash with the new files in src/objects.
This is a mechanical change that only moves code.
Design doc: http://doc/1fh4OUMjQMnQdJm3aiAPXQUNdgbQugkRGdJzDh8hmyzk
Bug: v8:9861 v8:9810 v8:7793
Change-Id: I9c54cb50f32b9ae0fb41752199515133eb59ea5c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910100
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64892}
There were a couple of low-hanging fruits in code-stub-assembler. Tried
to keep it short to avoid conflicts with other CLs.
Bug: v8:9810
Change-Id: If23e16019116c22ddd6282867d9dd0b2e65a23f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1906570
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64890}
Produces too many spurious errors with tests that normally get
skipped in jitless variant.
TBR=clemensb@chromium.org
No-Try: true
Change-Id: Iddf0e39e4c454a3b17568ba17a014e8d38922052
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910107
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64889}
The function-entry stack check should dominate all other
instructions in a function. Prior to this CL it was possible to create
paths not including a stack check due to SwitchOnGeneratorState: the
generator-creation branch had a stack check, while generator-resume
branches did not.
0 : af fb 00 01 SwitchOnGeneratorState r0, [0], [1] { 0: @22 }
4 : 27 fe fa Mov <closure>, r1
7 : 27 02 f9 Mov <this>, r2
10 : 64 0a fa 02 InvokeIntrinsic [_CreateJSGeneratorObject], r1-r2
14 : 26 fb Star r0
16 : a7 StackCheck
17 : b0 fb fb 01 00 SuspendGenerator r0, r0-r0, [0]
22 : b1 fb fb 01 ResumeGenerator r0, r0-r0
[... no stack check here ...]
This CL moves the stack check to the beginning of the bytecode array,
i.e. before SwitchOnGeneratorState.
Bug: chromium:1020031
Change-Id: I8ba8cba99611ddbe50c76023129d926cc84b1d5e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1903440
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64888}
When the serializer encounters a JSConstruct, it now serializes the
initial map of the new_target to enable further optimizations in
JSNativeContextSpecialization.
Add regression tests as well.
Bug: v8:7790
Change-Id: Ifab2b58c64a341744e833ed063e9695d74a5cdce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1900457
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64886}
Port 6e90f2f292
Original Commit Message:
Including but not limiting to removing:
* BitcastCompressedXXX
* CheckedCompressedXXX
* ChangeXXXToCompressedYYY
* ChangeCompressedXXX
As a note, ChangeTaggedToCompressed can't be removed just yet as it
is still in use.
R=solanes@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: I0974b300654f61d152ea65016a0e278ea4ba1b60
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1907440
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#64885}
This adds a selection of flags to numfuzz that are already used
for different testing variants or on clusterfuzz for
correctness testing.
No-Try: true
Change-Id: I79745b281b001f57d2b24977f3a8e9ce3bbab2a4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1906573
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64884}
Since smi-corrupting, TaggedSigned (aka known smis) only have the lower
bits used. This renders CompressedSigned useless.
Bug: v8:7703
Change-Id: Id59aaebc24d670ed32c483ceecf77fd194405ee4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1903445
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64883}
This reverts commit 5e97378f92.
Reason for revert: Caused multiple regressions.
Original change's description:
> [heap] Promote young objects by default in MC
>
> Start experiment to promote all young live objects during mark-compact.
>
> The last CL https://crrev.com/c/1879938 got reverted because of a flaky
> test, see v8:9192.
>
> Change-Id: I16897f45fffeafbb7e70c21899976a4c026e69ba
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1903432
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#64832}
TBR=ulan@chromium.org,dinfuehr@chromium.org
Bug: chromium:1023308, chromium:1022708
# Not skipping CQ checks because original CL landed > 1 day ago.
Change-Id: Ie551f0765fb54a36e52c20da8b026e2c0ebf0451
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1906385
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64882}
Including but not limiting to removing:
* BitcastCompressedXXX
* CheckedCompressedXXX
* ChangeXXXToCompressedYYY
* ChangeCompressedXXX
As a note, ChangeTaggedToCompressed can't be removed just yet as it
is still in use.
Bug: v8:7703
Change-Id: I98cf88a32adfa976d419e69702d1cac4d3e811a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1903435
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64880}
I changed the verification algorithm of switch nodes from a quadratic
algorithm to a linear one. On my machine this speeds up the test from
17 seconds to 2 seconds in the x64.optdebug build.
R=mslekova@chromium.org
Bug: v8:9810
Change-Id: I952d3fcc641b4e269b8ebac8f65fe545c6062587
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1905768
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64877}
Overview:
- Change basic type hierarchy to split Tagged into StrongTagged (= Object) and
WeakHeapObject. This enables emitting the right CSA types (Object, MaybeObject).
- The new Weak<T> type encodes a possibly cleared weak bit pattern that
points to type T if it's not cleared.
- Make TNode<Object> a subtype of TNode<MaybeObject> so that the generated code
compiles on the C++ side. Drive-by change: simplify a few CSA helpers by using
MaybeObject as a common supertype of MaybeObject and Object.
- Port CreateObjectWithoutProperties and LoadMapPrototypeInfo.
Bug: v8:7793
Change-Id: I895a6501ce3e287ea8cf4065aaff3a5535245ab4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1889870
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64876}
Also fixes its uses in interpreter-generator.cc and
accessor-assembler.cc.
Bug: v8:9810
Change-Id: Ie9817f3e53c54588a4ad28c2c98da1a48ac73681
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1906571
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64875}
This fixes MSVC Windows builds that were broken due to a missing deps
definition.
Bug: v8:9954
Change-Id: I19c5112226caadae6a0221acee7bcf19cf0abbc8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1906379
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64873}
Live sets represent sets of live virtual registers at block entry and
exit points. They are usually sparsely populated; for example, a sample
taken from Octane2 shows 80% of sampled live sets with a fill ratio of
10% or less.
Prior to this CL, live sets were implemented as a statically-sized bit
vector. This is fine for low-ish virtual register counts, but becomes
wasteful at higher numbers.
This CL attempts to address this issue through an adaptive
implementation. Small live sets remain bit vectors, while larger sets
switch to a PersistentMap-based implementation. PersistentMap has very
memory-efficient add/remove/copy operations.
Of course, with adaptive data structures we enter the territory of
parameter fiddling. In this case, two parameters are used:
kMaxSmallSetSize controls when to switch implementations, and
kMaxDeletionsBeforePrune controls when pruning (= managing the # of
deleted entries in the map) sets in.
On the (degenerate) test case from the linked bug, the register
allocation zone shrinks from 1008MB to 475MB. For more realistic cases
I expect savings on the order of 10s of KB.
Bug: v8:9574
Change-Id: Id903bbe23f030b418e8d887ef4839c8d65126c52
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1891693
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64872}
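Added example of the adaptive scheme the message describes (not V8's code): a live set of virtual-register ids that stays a fixed-size bit vector while small, switches to a map once kMaxSmallSetSize is exceeded, and in map mode records removals as tombstones that are pruned after kMaxDeletionsBeforePrune. The thresholds, the bit-vector capacity and the use of std::map in place of V8's PersistentMap are assumptions made for the demonstration.

```cpp
// Added example (not V8's register allocator): an adaptive live set with a
// small bit-vector representation and a large map representation.
#include <bitset>
#include <cstddef>
#include <iterator>
#include <map>

constexpr size_t kMaxSmallSetSize = 64;           // assumed switch threshold
constexpr size_t kMaxDeletionsBeforePrune = 8;    // assumed prune threshold
constexpr size_t kMaxVirtualRegisters = 1 << 16;  // assumed bit-vector capacity

class LiveSet {
 public:
  void Add(int vreg) {
    if (!large_) {
      bits_.set(vreg);
      if (bits_.count() > kMaxSmallSetSize) SwitchToLarge();
      return;
    }
    map_[vreg] = true;
  }
  void Remove(int vreg) {
    if (!large_) { bits_.reset(vreg); return; }
    auto it = map_.find(vreg);
    if (it == map_.end() || !it->second) return;
    it->second = false;  // tombstone rather than erase; cheap, but accumulates
    if (++deletions_ >= kMaxDeletionsBeforePrune) Prune();
  }
  bool Contains(int vreg) const {
    if (!large_) return bits_.test(vreg);
    auto it = map_.find(vreg);
    return it != map_.end() && it->second;
  }
  bool IsLarge() const { return large_; }
  // Number of map entries, live and tombstoned; shows the effect of pruning.
  size_t MapEntries() const { return map_.size(); }

 private:
  // Copy every set bit into the map, then drop the bit vector's contents.
  void SwitchToLarge() {
    for (size_t i = 0; i < bits_.size(); ++i) {
      if (bits_[i]) map_[static_cast<int>(i)] = true;
    }
    bits_.reset();
    large_ = true;
  }
  // Drop tombstoned entries so the map does not grow with deleted registers.
  void Prune() {
    for (auto it = map_.begin(); it != map_.end();) {
      it = it->second ? std::next(it) : map_.erase(it);
    }
    deletions_ = 0;
  }
  bool large_ = false;
  size_t deletions_ = 0;
  std::bitset<kMaxVirtualRegisters> bits_;
  std::map<int, bool> map_;
};
```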
port b6edadc https://crrev.com/c/1872930
Original Commit Message:
[wasm-simd] Implement f64x2 comparisons for arm
Change-Id: If0fab2307a7f6da75f27ecd90cef6e15945214dd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1903290
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Auto-Submit: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/master@{#64868}
Shrink RO_SPACE since it contains Immortal immovable objects and is
otherwise reporting a virtual size of 256KB when only half of that
will ever be used.
Bug: v8:9230, v8:7464
Change-Id: I68c17bb6c4ff12170774bad6a07dbb8b9d49cce1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1906207
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64865}
Using proper register (RIP) on this platform.
Change-Id: Iaa0a25e328bd82c152db0ef3632523fd7d621020
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1857221
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64863}
Exception variables can be Object (e.g. throw 4) so loosen the type from
HeapObject.
Bug: v8:9810
Change-Id: I14600978ed5159b2b661bd09e69ad6d6530553ed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1906566
Commit-Queue: Dan Elphick <delphick@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Auto-Submit: Dan Elphick <delphick@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64861}