This CL allows aborting of compaction on a page based on an Address
instead of a HeapObject.
Bug: v8:12251
Change-Id: Ib928ace9aa24a0ff1ab5f44026d5b287f7cdcdb3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3199881
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77216}
This is needed in case of 'let', where OpcodeLength transitively calls
{read_value_type()}.
Bug: v8:9495
Change-Id: I8aebffabc7ba1c47418d363dc9257f132fac33df
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200074
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77215}
1. In ElementAccessFeedback::HasOnlyStringMaps - we can assume
the map is safe to read because it was read earlier from the
feedback vector and passed the gc predicate then.
2. In JSHeapBroker::GetPropertyAccessInfo - we can assume that the
feedback vector in a FeedbackSource is store-ordered/safe to read.
Bug: v8:7790, v8:12282
Change-Id: Ie09acdfaac3d5e767ffe74e4bad941d4eeb47f9a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200082
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77213}
This CL enables the virtual memory cage at compile time by default for
Chromium builds on x64 and arm64. However, the cage will only be used at
runtime if the correpsonding Chromium feature is enabled as well.
Bug: chromium:1218005
Change-Id: I5a452d299ac950f8ec0f741f6b9a153e57b2a666
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200081
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77212}
Trying to optimize in such case breaks down the optimization, as we
end up with potentially non-eliminatable nodes that depend on the dead
IfTrue/IfFalse node.
Drive-by: Clean up dead nodes with {Kill()}.
Bug: v8:11510, chromium:1255354
Change-Id: Ia89fe6c243974c3c2abac6ad80bd4677a935f637
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200073
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77211}
Since we are reading an Object field, it could be that the gc
predicate fails. Therefore, this CL changes to TryMakeRef, and
makes the return value of length_unsafe() optional.
Bug: v8:7790, v8:12282
Change-Id: I86a8bcc6649d5e8121e52f8947b8331fcf242887
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200078
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77209}
The checks for assignemnts to member during prefinalizers assumed the
slot has to live. It was assumed that if a slot is dead then we would
not be updating it.
Prefinalizers are allowed to touch dead objects and thus are techincally
allowed to write to dead slots. Such writes are usually redundant (the
object will be swept soon anyway) but are not always easy to get rid of.
Bug: chromium:1255152, v8:11749
Change-Id: I57e143abd53d434c3198616909c506eb70d8944b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3199800
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77208}
MapRef::GetConstructor and GetBackPointer are immutable after
initialization.
Bug: v8:7790, v8:12282
Change-Id: I1059aabdd85a08af5f6d570a2eee206bda4f7ac3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200076
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77206}
Since the WasmStackGuard build-in is not kNoThrow, it needs to be
inserted in the control chain between the IfFalse and Merge nodes of the
stack check.
Change-Id: I5ad1c4f01e079c0c9079ea129f8e3363ade80217
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3199798
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77205}
When scanning for capture groups, we have to consider the case that the
current state is inside a character class. In that case skip everything
until the end of the current character class. Otherwise we would wrongly
count open brackets inside the character class as start of a capture
group.
Bug: chromium:1254704
Change-Id: I91d2177c464f7e507413d96216fe570253f17676
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3199871
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77204}
There is a demand of access to %Array.prototype% in Blink in
order to implement Web IDL observable array type.
Bug: chromium:1201744
Change-Id: I31ca5cd746f3a2eab8bd291741408a1dea17c122
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3194025
Auto-Submit: Yuki Shiino <yukishiino@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77200}
This CL adds support for handling calls to C functions with arbitrary
signatures on native arm64. It introduces a new ExternalReference type
FAST_C_CALL.
The CL also splits the 10 bits used by kArchCallCFunction instruction to
store the total number of parameters into two 5-bit values, representing
the number of general purpose and floating point parameters.
Design doc:
https://docs.google.com/document/d/1ZxOF3GSyNmtU0C0YJvrsydPJj35W_tTJZymeXwfDxoI/edit
This CL is partially based on the previous attempt:
https://chromium-review.googlesource.com/c/v8/v8/+/2343072
Bug: chromium:1052746
Change-Id: Ib508626d57da26ec3c9186ee8fc46356e3c87f3a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3182232
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77198}
If processing the marking worklists found new ephemeron pairs, but
processing the existing ephemeron pairs didn't mark new objects, marking
would stop and the newly discovered ephemeron pairs would not be
processed. This can lead to a marked key with an unmarked value.
Bug: chromium:1252878
Change-Id: I0f158f6f64490f1f06961520b4ba57fa204bd867
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3199872
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77197}
This is mostly just whitespace tweaks, plus removing a redundant
public access specifier.
Bug: v8:7793
Change-Id: Ic8b3efe4f707108d29dc2dfd55c46d9a47c48058
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3199603
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#77195}
It's not always easy to spot what exact configuration of V8 is run
within embedders. With --print-flag-values we can easily compare
different configurations.
Drive-by-fix:
- Use new FlagValue and FlagName helpers for printing
- Remove unused FlagList::argv helper
Change-Id: Ic8a25479d7b1e72f714b22ae7d2e56e06e810556
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3197713
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77189}
When we generate identical signatures in the fuzzer,
we generate one function for each of the copies.
However, when these functions are added to WasmModulBuilder,
all will be assigned the same signature index.
Therefore, when ref.func tries to find a function corresponding
to a signature index, it will fail, despite a matching signature
existing in the module.
This CL fixes this issue by looking up functions by signature
over signature index.
Bug: v8:11954, chromium:1254387
Change-Id: Iac8d5444d4914d993da63d0630ca4d95e671630c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3197711
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Maria Tîmbur <mtimbur@google.com>
Cr-Commit-Position: refs/heads/main@{#77187}
The logic to locate the correct function to set a breakpoint in based
on script position was treating SharedFunctionInfo::EndPosition() as
inclusive rather than exclusive. There are various assumptions all over
the Debugger that seem to demand this treatment for the toplevel script.
But it's definitely wrong for function literals.
Fixed: chromium:1253277
Change-Id: I3421703673f4d78aee28e923e03e2fca24bc06ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3197715
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Kim-Anh Tran <kimanh@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77186}
Smi constants in 32 bit machines are guaranteed to be 31 bits.
Bug: chromium:1254189
Change-Id: I4ea296a7212c5e6ea14119fbd71cfb5789762b55
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3195874
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77185}
This CL adds a getStorageIfAligned method to obtaining a typed pointer
to the underlying TypedArray data, if the pointer to it is properly
aligned.
Bug: chromium:1052746
Change-Id: Ie8cb3438135b0da060e2b42ec71bba0e72ae4f5e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3195875
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77184}
Previously we'd treat %_AsyncFunctionReject (and %AsyncFunctionReject)
as side-effect free (in async functions), but that's not correct, since
promise rejections have side-effects (at the very least triggering the
unhandled promise rejection machinery in the browser).
This required a minor refactoring as previously we'd classify functions
as side-effecting or not depending on whether they contain any calls to
side-effecting intrinsics, no matter whether this call is actually
executed or not. That would break REPL mode however if we'd generally
treat all async functions with %_AsyncFunctionReject intrinsic calls as
side-effecting, so instead of performing the intrinsic checks ahead of
time, we now perform the test at execution time.
Before: https://imgur.com/5BvJP9d.png
After: https://imgur.com/10FanNr.png
Fixed: chromium:1249275
Change-Id: Ib06f945ba21f1e06ee9b13a1363fad342464fd9a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3197712
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77183}
We implement two optimizations for trap conditionals for patterns that
come up in wasm-gc.
In case of a Merge followed by a trap, where the path conditions of all
branches of the Merge contain the trap condition, we lift the trap into
the branches of the Merge.
In case of a Branch whose IfTrue branch is followed by a TrapIf with the
same condition, we replace it with the trap followed by the IfFalse
branch. Symmetrically for IfFalse and TrapUnless.
Bug: v8:7748
Change-Id: I43040aebe60eab7b2230fc3130e3b8250e8b2f45
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3190109
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77181}
Port 3e3a027da1
Original Commit Message:
Irregexp reentrancy (crrev.com/c/3162604) introduced a bug for global
regexp execution in which each iteration would use a new stack region
(i.e. we forgot to pop the regexp stack pointer when starting a new
iteration).
This CL fixes that by popping the stack pointer on the loop backedge.
At a high level:
- Initialize the backtrack_stackpointer earlier and avoid clobbering
it by setup code.
- Pop it on the loop backedge.
- Slightly refactor Push/Pop operations to avoid unneeded memory
accesses.
R=jgruber@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N
Change-Id: Iafe6814d3695e83fced6a46209accf5e712d56f6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3198391
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#77180}
Currently, it is possible to declare macros, builtins, etc., without
specifying a return type, in which case the return type is treated as
void. This is confusing; the code is more clear if we require the return
type to be specified.
Aside from src/torque, this change is almost entirely just adding
`: void` until the compiler is happy. However, two intrinsics in
src/builtins/torque-internal.tq have been corrected to declare an
appropriate return type. Those two intrinsics were only used in code
generated within the compiler after the type-checking phase, so we never
noticed that their return types were declared incorrectly.
Bug: v8:7793
Change-Id: Ib7df88678c25393a9e3eba389a6a1c4d9233dcbb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3176502
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77178}
Loop exits are only used during loop unrolling and are then removed, as
they cannot be handled by later optimization stages. Since unrolling
comes before inlining in the compilation pipeline, we should not emit
loop exits in inlined functions.
Bug: v8:12166
Change-Id: I28b3ebaf67c9e15b127eeb1a63906c4ecfd77480
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3195871
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77175}
Minor MC does not support processing the specialized remembered set
for ephemeron tables.
Temporarily delegate to the regular write barrier for correctness
until the other barrier is supported.
Bug: v8:12262
Change-Id: Iad74b27f8738237dcc1e146b2df3aa6ed8c9a505
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3195895
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77170}
This is a reland of 9495817296
Original change's description:
> [torque] Get rid of @noVerifier annotation
>
> As one small step toward reducing annotations, I propose that all
> classes get generated verifiers unless they've opted out of C++ class
> generation via @doNotGenerateCppClass, and that generated verifiers
> always verify every Torque-defined field. If a generated verifier is
> incorrect, such as for JSFunction or DataHandler, we can just avoid
> calling it and hand-code the verification.
>
> Bug: v8:7793
> Change-Id: I7c0edb660574d0c688a59c7e90c41ee7ad464b42
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3171758
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Cr-Commit-Position: refs/heads/main@{#77145}
Bug: v8:7793
Change-Id: I3da34705bf9fc2b1886161f8f59c7275583f7fc4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3194812
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77168}
We currently could produce the error message 'not enough arguments on
the stack for block, expected 0 more'. This CL fixes this by printing
the available number of arguments and the needed number, and adds
DCHECKs to catch similar miscomputations in the future.
It also adds a new test that produced the broken error before, and
includes the expected failure message in a few more tests for
robustness.
R=manoskouk@chromium.org
Change-Id: Ia08863889ae36ae0a05d96d36e92295b7159a01e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3194264
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77167}
