If the register allocator assigns kJavaScriptCallArgCountRegister
to {object}, we were clobbering the object, before pushing it to
the stack.
Additionally, we use PushReverse instead of Push to indicate
that kDataViewPrototypeGetByteLength has a JS call convention
(arguments are reversed). This is a no-op for x64, but it guarantees
the correct order of the padding in arm64.
Fixed: chromium:1406456
Bug: v8:7700, v8:13645
Change-Id: Ia9126ff5315ab4ab08ae733f138a1e0cb2d021a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4156053
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85227}
Rmove the deprecated array.len 0xfb17 variant which takes a type
immediate.
This has been superseded by 0xfb19 which does not need the type.
Bug: v8:7748
Change-Id: I7d4620423c786462444512abe40ee006aab99cf2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110831
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85225}
Code protection based on page permission flipping is inherently unsafe since it does not prevent concurrent modification of unprotected pages. It also comes with a significant performance cost. Going forward we will rely on per-thread page permission mechanisms (e.g. PKEYS) to protect code memory.
Change-Id: I28e15899cd6316fbe146f3725b9e0c81a668e1dd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4156051
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85224}
This removes the deprecated callref variant 0x17 which has been
superseded by 0x14.
Bug: v8:7748
Change-Id: I8e3704f5b302428eb175df2d59896a1b6c6a1323
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4118868
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85223}
This is a reland of commit 47405154da
Original change's description:
> Reland "[heap] Adjust pretenuring heuristic for MinorMC"
>
> This is a reland of commit a614ccb8f7
>
> This CL will cause a performance regression when running with MinorMC on
> the bots. However this regression is expected (due to delaying pretenuring
> decisions) and we anyway result from relanding crrev.com/c/4092734.
>
> Original change's description:
> > [heap] Adjust pretenuring heuristic for MinorMC
> >
> > MinorMC needed to process pretenuring feedback both after sweeping and
> > at the end of the atomic pause, despite having no new feedback at the
> > end of the atomic pause, because the heuristics didn't hold after
> > sweeping. This CL adjusts the heuristics for MinorMC so that processing
> > twice is no longer needed.
> >
> > Bug: v8:12612
> > Change-Id: I4d3ebaeaa6e7868bcdcae6fbdb3bcecb0ebcb8bf
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4085983
> > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> > Commit-Queue: Omer Katz <omerkatz@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#84730}
>
> Bug: v8:12612
> Change-Id: I3101f8c8b4c1d34ff95802fbc8c8d1fff81e8ddd
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4147607
> Commit-Queue: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#85161}
Bug: v8:12612
Change-Id: I9de00799fb79403289d6ec3d47f1696b0410cf28
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4155013
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85221}
The immediate value for a read-only root can be larger than 12-bit and
therefore can't be encoded directly on arm64. To avoid using an
additional scratch register, we can use the destination for the prepared
immediate operand.
Bug: v8:13466
Change-Id: I7904770c4a155a876793c029e3ad321825517a8e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4154420
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85215}
After we received feedback about some legitmate use-cases of the
internal [[Scopes]] property, we decided to not go ahead with its
removal.
This CL removes the corresponding experimental flag.
R=kimanh@chromium.org
Bug: chromium:1365858
Change-Id: I6744889b4e2e960695838648e2f4902cbdb75890
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4154416
Auto-Submit: Simon Zünd <szuend@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Commit-Queue: Kim-Anh Tran <kimanh@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85214}
The feature shipped with M109 so we'll remove the flag with M111.
R=jarin@chromium.org
Bug: chromium:1363561
Change-Id: Ia9b276f6c56fb3f57c57f5da1abe02dda8dc36e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4154418
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85213}
Currently structref is interpreted as dataref by default for backwards
compatibility reasons.
This behavior is now being removed with this change.
Bug: v8:7748
Change-Id: I610fd04187b1bda53c83a82345eae09f23d99731
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4111171
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85211}
When disabled, Turbofan is fully excluded from the compilation result.
This is expected to reduce V8's contribution to chromium's binary size
by roughly 20%.
If Turbofan is disabled, Maglev and Webassembly must also be disabled
(since both depend on TF).
Note this new configuration (v8_enable_turbofan=false) is not yet
used anywhere - we'll probably enable it for lite_mode bots in an
upcoming CL for test coverage.
Changes in detail:
- Split out all src/compiler files from the main source sets. This
was mostly done already, here we only clean up the few files that
were left.
- Define a new main TF entry point in turbofan.h. `NewCompilationJob`
replaces `Pipeline::NewCompilationJob`.
- When TF is enabled, turbofan-enabled.cc implements the above.
- When disabled, turbofan-disabled stubs out the above with a runtime
FATAL message.
- The build process is modified s.t. mksnapshot always has TF
available since it's needed to generate builtins. When disabled,
TF is removed from other components, in particular it is no longer
included in v8_compiler and transitively in v8_base.
- When disabled, v8_for_testing no longer has v8_initializers
available. These were only needed for test-serialize.cc, which
is now excluded from this build mode.
- When disabled, remove all related cctest/ und unittest/ files from
the build.
Bug: v8:13629
Change-Id: I63ab7632f03d0ee4a787cfc01574b5fdb08fd80b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4128529
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85210}
The file `at.js` was missing in the resources list, and did therefore
not get uploaded to the perf bot. This caused an error on the perf bot.
R=machenbach@chromium.orgCC=dmercadier@chromium.org
Bug: v8:12926
Change-Id: I199591444da651854633a37e7164756981b9353f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4154414
Auto-Submit: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85208}
Turbofan optimized array access returned incorrect values in some cases
when a negative index was provided. This CL fixes this by changing the
way those bounds checks are performed in JSNativeContextSpecialization.
Bug: chromium:1320641
Change-Id: Id1f06680ccf7964994d179f7fb44199a0b1245b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4147622
Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85207}
Phis should be typed correctly in the wasm typer even if the branch of
the first phi input is unreachable.
Bug: v8:7748
Change-Id: I9276127c0f92f9b74f61dd19502790c779ae3393
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4151198
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85204}
This reverts commit 47405154da.
Reason for revert: Speculative revert for roll failures: (https://ci.chromium.org/ui/p/chromium/builders/try/linux_chromium_tsan_rel_ng/1395090/overview and others)
Original change's description:
> Reland "[heap] Adjust pretenuring heuristic for MinorMC"
>
> This is a reland of commit a614ccb8f7
>
> This CL will cause a performance regression when running with MinorMC on
> the bots. However this regression is expected (due to delaying pretenuring
> decisions) and we anyway result from relanding crrev.com/c/4092734.
>
> Original change's description:
> > [heap] Adjust pretenuring heuristic for MinorMC
> >
> > MinorMC needed to process pretenuring feedback both after sweeping and
> > at the end of the atomic pause, despite having no new feedback at the
> > end of the atomic pause, because the heuristics didn't hold after
> > sweeping. This CL adjusts the heuristics for MinorMC so that processing
> > twice is no longer needed.
> >
> > Bug: v8:12612
> > Change-Id: I4d3ebaeaa6e7868bcdcae6fbdb3bcecb0ebcb8bf
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4085983
> > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> > Commit-Queue: Omer Katz <omerkatz@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#84730}
>
> Bug: v8:12612
> Change-Id: I3101f8c8b4c1d34ff95802fbc8c8d1fff81e8ddd
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4147607
> Commit-Queue: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#85161}
Bug: v8:12612
Change-Id: Ib3efee6a75f4267dcdee74cac97d2ee785f35361
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4151748
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85203}
Create names for each static root. This is useful for debugging. It
might also be useful to track changing names and ensure static-roots.h
agrees with the actual name of the static root.
Bug: v8:13466
Change-Id: I32e2b370d99aabe42c87e2a3db7a8e5ebaae3e04
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4151189
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Olivier Flückiger <olivf@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85201}
Functions validated during streaming compilation (via
{ValidateSingleFunction}) should get marked as validated, to avoid
unnecessary re-validation before compiling them.
R=ahaas@chromium.org
Change-Id: If0285e41774158c018adfc1041c27bd9302fbb86
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4152483
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85197}
This CL adds some tests for async generators to ensure that we
correctly report caught/uncaught exceptions.
Most of the cases were fixed by the for-of fix:
https://crrev.com/c/4146420
The remaining broken test cases contain a throw directly
after a `yield`. For each ".next" call we create a new promise
that we need to push on the promise stack before we actually
resume the generator.
R=bmeurer@chromium.org
Fixed: chromium:1270780
Change-Id: I8365d20490451be37cc6973d8d91aeffed7e3511
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4146421
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85196}
878ccb33bd converted the runtime code to avoid {Object::operator->}
but missed the conversion of 32-bit big endian targets. Fix this.
Change-Id: Idf3a08f03995136a7cabd5cc136412f25de2ea32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4124995
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85194}
Currently the shared value barrier manually fast paths instance types
for objects that are always in the shared heap. This CL makes a common
superclass, AlwaysSharedSpaceJSObject, and uses that for the fast path.
Bug: chromium:1402920, v8:12547
Fixed: chromium:1402920
Change-Id: I84421802791a4dc72925341eeb0cfc5949b8938a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4134475
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85192}
A MinorMC in a client isolate while incremental marking is active in the
main isolate may observe an object in the shared heap as residing on an
evacuation candidate. It would then treat it as OLD_TO_OLD rather than
OLD_TO_SHARED.
This logic is obsolete and no longer needed since MinorMC is not
interleaved with full GCs and only need to record OLD_TO_NEW and
OLD_TO_SHARED slots.
Fix by removing OLD_TO_OLD and OLD_TO_CODE recording.
Bug: chromium:1402660
Change-Id: I5482d3fe7d7a4eeb00be13445d66f178a3ffe2fb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4152485
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85191}
Drive-by fixes:
1. On x64, avoid reloading from memory a value already in a register.
2. On arm64, pop has the wrong order of the padding/value.
Bug: v8:7700
Change-Id: I3baedcc280f5c544cc9d44b37aaf80e4eb8bd636
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4152472
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85190}
Allow the user to specify the range of instructions
that are shown on the live ranges grid so as to
ease performance issues.
Bug: v8:7327
Change-Id: I431e4464155427f59adf3a2229806c6f11c471be
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110973
Commit-Queue: George Wort <george.wort@arm.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85186}
Most Wasm signatures still do not contain any tagged parameters. Thus
skip the second pass over the signature if we did not see any tagged
parameter before.
R=ahaas@chromium.org
Bug: v8:13565
Change-Id: Icf0df86bc96125b38adb65f074166b6b3c47b722
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4147615
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85184}
InstanceType is a 16bit word.
Bug: v8:7700
Change-Id: Id73d2bf42fd682d3fa5136e17a9f85e353edbe4d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4151199
Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85182}
We add simplified Turbofan operators for the following wasm-gc
operations: struct.get/set, array.get/set, array.length, and array
length initialization. We then lower them to object load/store
operators in WasmGCOperatorReducer.
Bug: v8:7748
Change-Id: I3b40df1419e5ad98562e6bec6c4a3d1a4de63c71
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4146428
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85181}
This is a reland of commit fe54336953
The reland fixes an arm64 compilation error.
Original change's description:
> [maglev] Force (U)Int32 values to always be zero extended
>
> Ensure that (U)Int32 values are always zero extended (in particular,
> after Float64 truncation and constant materialisation), and add debug
> code which asserts that (U)Int32 register inputs to nodes are zero
> extended at input read time.
>
> Bug: v8:7700
> Change-Id: Idbebabdd48bc7a6d2d73f1dfce7da629b5814ca5
> Fixed: chromium:1404066
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4147621
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Auto-Submit: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#85169}
Bug: v8:7700
Fixed: chromium:1404066
Change-Id: I4f61acfd3a1cdbc8c1976bb1731441cb1e8fe784
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4151569
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85180}
This is a reland of commit 3cc300558e
Original change's description:
> [maglev] Remove kScratchRegister in maglev-ir
>
> The use of kScratchRegister in arm64 code is unsafe. Since a scratch
> scope could re-use the same register. Ideally, we should remove it
> altogether, but we still currently require it for the ParallelMover.
>
> Bug: v8:7700
> Change-Id: I46c93874632a3d505ef71a7bf790c31fb5fd46d6
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4147617
> Commit-Queue: Victor Gomes <victorgomes@chromium.org>
> Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
> Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> Auto-Submit: Victor Gomes <victorgomes@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#85156}
Bug: v8:7700
Change-Id: I7de621b19da48c234ccb18ca702aa041673a1c2e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4151489
Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85178}
