Commit Graph

67171 Commits

Author SHA1 Message Date
Michael Lippautz
fbcaf729f2 api, cppgc-js: Allow creating a v8::CppHeap in detached state
The detached CppHeap allows for allocation without invoking garbage
collections.  Allocated bytes are reported on the first allocation
after the CppHeap has been attached to an Isolate.

States:
- Detached: Allow only allocation;
- Attached: Unified heap GCs;
- Termination GC: Require detached state;

Destruction:
- Heap::TearDown: Detach if attached;
- ~CppHeap: Detach if attached;

Bug: chromium:1056170
Change-Id: I95ce029f36a7f10392257080b6e23e13cc0fc7b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2672940
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72579}
2021-02-09 09:57:52 +00:00
Ulan Degenbaev
4d07f3f23c Make Map::instance_type accessors atomic
This fixes a false positive TSAN report where an object transitions to
a new map in StoreIC. The scenario:
1) Object a transitions from map1 to a newly created map2 in runtime.
   The map is installed with a release-store.
2) Object b transitions from map1 to map2 in StoreIC in generated code
   that is not visible to TSAN.
3) Concurrent marker visits object b and loads its map with an acquire
   load.

Since TSAN does not see the store in step (2) it thinks that the map
loaded in (3) is freshly allocated and is not guarded by a release
store.

Bug: v8:11353
Change-Id: Ifcace9edff987761a4098d3fdfb98c6190f1ee1e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2682641
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72578}
2021-02-09 09:55:00 +00:00
Shu-yu Guo
5104cbd055 Roll Test262
b2e9dff28..fd27d1f5d

Bug: v8:7834
Change-Id: Ieb652612285d809a0a6dbfc610ff1ab36e79b763
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2681314
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72577}
2021-02-09 09:09:59 +00:00
Michael Achenbach
8b6fd1471b Revert "[regexp] Ship RegExp match indices"
This reverts commit 72464122bd.

Reason for revert:
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/32046

Original change's description:
> [regexp] Ship RegExp match indices
>
> I2S:
> https://groups.google.com/a/chromium.org/g/blink-dev/c/RR_dw_ZXtT0/m/xtgu5jjyAQAJ
>
> Bug: v8:9548
> Change-Id: I8ccf2f4c38f9b9204ae47162303f21d2d44498e8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2682508
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Auto-Submit: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#72571}

TBR=jgruber@chromium.org,syg@chromium.org

Change-Id: I1173389082928aa5c9895ca4fb360c7ab8ec073b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9548
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2681943
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72576}
2021-02-09 08:47:51 +00:00
Santiago Aboy Solanes
a64c27cbfc [cleanup] Typo fix on GetLoadFieldByIndex's comment
Bug: v8:11384
Change-Id: I00754c295cd7b0de11f7ae039b423abfb9db5716
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2682643
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72575}
2021-02-09 08:35:29 +00:00
Gus Caplan
8e5026b5a5 [fastcall] support more return types
This adds support for kBool, kInt32, and kUint32 types.

Bug: chromium:1052746
Change-Id: I54641eb036eea30113c44eab2c08626176ecc40a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2629463
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72574}
2021-02-09 08:30:40 +00:00
Michael Lippautz
8c99b253af cppgc: Avoid initializing cppgc platform through V8
Embedders may use cppgc (or v8::CppHeap) earlier than V8's Isolate and
platform are initialized. Require explicit initialization of cppgc to
avoid recurring init calls with potentially conflicting parameters.

Bug: chromium:1056170
Change-Id: I613452954b322c9a5bf074eefd25107b4579958c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2682648
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72573}
2021-02-09 08:26:11 +00:00
Jakob Gruber
da785659be [compiler] Don't serialize JSTypedArray fields
This CL removes serialization of JSTypedArray fields when direct heap
reads are enabled. Invariants we rely on:

- Of the underlying interesting fields,
  - base_pointer and external_pointer are set either during
    initialization, or in a one-time on-to-off-heap transition in
    GetBuffer.
  - length and buffer are immutable after initialization.
- is_on_heap and DataPtr derive from base_pointer and
  external_pointer s.t. is_on_heap == (base_pointer != 0) and
  DataPtr == external_pointer in the off-heap case.

In this CL we add one new invariant:

- For all base_pointer and external_pointer mutations after
  initialization, base_pointer is guaranteed to be release-stored
  after external_pointer has been written.

With these invariants, concurrent access to off-heap typed arrays is
trivial as long as is_on_heap (= base_pointer) is read before other
relevant fields.

Note that JSTypedArray remains a kSerializedHeapObject due to the
serialized superclass JSObject.

Drive-by: Remove unused Torque operators and empty TODOs.

Bug: v8:7790
Change-Id: I3c4327318f94e4e6083d4e87476069aad2649386
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_isolates_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2679689
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72572}
2021-02-09 07:44:09 +00:00
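Added example, not V8 code and not part of either commit: the two commits above (4d07f3f23c, making the map accessors atomic, and da785659be, the JSTypedArray invariants) rely on the same publication protocol, a release-store by the writer and an acquire-load by the reader, with the reader consulting the published field before any field it guards. The model below, with the hypothetical names TypedArrayModel, TransitionToOffHeap and DataPtr, reproduces the JSTypedArray case in standard C++ atomics: external_pointer is written first, base_pointer is release-stored afterwards, and a reader decides on is_on_heap (base_pointer) before touching external_pointer. The on-heap data pointer is simplified to base_pointer itself, which is not how real V8 computes it.

```cpp
#include <atomic>
#include <cstdint>
#include <thread>

// Hypothetical model of the JSTypedArray fields the commit names. Only what
// the ordering argument needs is kept; real V8 derives the on-heap data
// pointer differently.
struct TypedArrayModel {
  std::atomic<uintptr_t> base_pointer;  // non-zero <=> is_on_heap
  uintptr_t external_pointer;           // plain field, published via base_pointer

  // Initialization: an on-heap array whose payload lives at `storage`.
  explicit TypedArrayModel(uintptr_t storage)
      : base_pointer(storage), external_pointer(0) {}

  // Writer side of the one-time on-heap -> off-heap transition (GetBuffer in
  // the commit). Invariant: base_pointer is release-stored only AFTER
  // external_pointer has been written.
  void TransitionToOffHeap(uintptr_t off_heap_data) {
    external_pointer = off_heap_data;
    base_pointer.store(0, std::memory_order_release);
  }

  // Reader side (e.g. a background compiler thread). is_on_heap, i.e.
  // base_pointer, is acquire-loaded first; only when it reads 0 does the
  // reader touch external_pointer, which the release/acquire pair makes
  // visible. Map follows the same shape: install with a release-store, let
  // the concurrent marker load with an acquire-load.
  uintptr_t DataPtr() const {
    uintptr_t base = base_pointer.load(std::memory_order_acquire);
    if (base != 0) return base;  // on-heap (simplified)
    return external_pointer;     // off-heap: DataPtr == external_pointer
  }
  bool is_on_heap() const {
    return base_pointer.load(std::memory_order_acquire) != 0;
  }
};

// Sequential sanity check of both states.
bool SequentialTransitionIsConsistent() {
  TypedArrayModel ta(0x1000);
  if (!ta.is_on_heap() || ta.DataPtr() != 0x1000) return false;
  ta.TransitionToOffHeap(0x2000);
  return !ta.is_on_heap() && ta.DataPtr() == 0x2000;
}

// Concurrency check: a reader spins on DataPtr() while the writer performs
// the transition. Every observed value must be a legal state (never 0 and
// never a stale external_pointer once base_pointer is 0), and the sequence
// must not go backwards from off-heap to on-heap.
bool ConcurrentReadsSeeOnlyLegalStates(int rounds) {
  const uintptr_t kOnHeap = 0x1000, kOffHeap = 0x2000;
  for (int r = 0; r < rounds; ++r) {
    TypedArrayModel ta(kOnHeap);
    std::atomic<bool> stop{false};
    std::atomic<bool> violated{false};
    std::thread reader([&] {
      bool seen_off_heap = false;
      while (!stop.load(std::memory_order_relaxed)) {
        uintptr_t p = ta.DataPtr();
        if (p == kOffHeap) {
          seen_off_heap = true;
        } else if (p != kOnHeap || seen_off_heap) {
          violated.store(true, std::memory_order_relaxed);
        }
      }
    });
    ta.TransitionToOffHeap(kOffHeap);
    stop.store(true, std::memory_order_relaxed);
    reader.join();
    if (violated.load() || ta.DataPtr() != kOffHeap) return false;
  }
  return true;
}
```

Under TSAN this model is clean because both the release-store and the plain write it publishes are visible to the instrumentation; the false positive in 4d07f3f23c comes from a store performed by generated code that TSAN cannot see. Weakening the store in TransitionToOffHeap to memory_order_relaxed would let a reader on weakly ordered hardware observe base_pointer == 0 together with a stale external_pointer of 0, which is exactly the state the invariant forbids.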
Shu-yu Guo
72464122bd [regexp] Ship RegExp match indices
I2S:
https://groups.google.com/a/chromium.org/g/blink-dev/c/RR_dw_ZXtT0/m/xtgu5jjyAQAJ

Bug: v8:9548
Change-Id: I8ccf2f4c38f9b9204ae47162303f21d2d44498e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2682508
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72571}
2021-02-09 06:37:40 +00:00
Benedikt Meurer
f10edd0900 [inspector][wasm] Re-add WasmValue as JSObject subclass.
BREAKING CHANGE: The values of Wasm locals, stack, and globals are now
represented as objects instead of holding the (primitive) values
directly, and SIMD128 values are no longer represented as Uint8Arrays.
The DWARF extension has been prepared for this breaking change.

The new `WasmValue` comes with `type` and `value` properties that hold
its contents. The motivation here is that this is a more extensible
approach. In case of SIMD128, the `value` property holds the canonical
string representation, which has the additional advantage that these
values can be compared with `===` (and `==`).

This partially reverts https://crrev.com/c/2614428, the main difference
here being that WasmValue is now a proper JSObject that can be exposed
on the DebugEvaluate proxy API.

Screenshot: https://imgur.com/rcahNKM.png
Bug: chromium:1170282, chromium:1071432, chromium:1159402
Change-Id: Iea304e3680775123c41deb4c3d172ac949da1b98
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2643384
Reviewed-by: Philip Pfaffe <pfaffe@chromium.org>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72570}
2021-02-09 05:50:16 +00:00
v8-ci-autoroll-builder
3af1d7c3e9 Update V8 DEPS.
Rolling v8/build: a2a1340..6408b07

Rolling v8/third_party/aemu-linux-x64: wSpywIGELAWo-KIDF77NMsedbTxiUN7DZUJS-hXiT1UC..BJKsuvEy1d1R4k1qe_4WGn47cAA9BDUVDaMnfbyiH-cC

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/ab8a40f..e6e7c93

Rolling v8/third_party/depot_tools: ac34821..79f916a

Rolling v8/tools/clang: fae3adc..5798a76

TBR=machenbach@chromium.org,tmrts@chromium.org,v8-waterfall-sheriff@grotations.appspotmail.com

Change-Id: I79b3255135b8ac21ba92bbd4d0b92818045390e2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2683244
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#72569}
2021-02-09 03:55:04 +00:00
Michael Lippautz
2b2d50d981 heap: Drop null references
Those references would be passed over to Blink via buffer and dropped
after a virtual call.

Bug: chromium:1056170
Change-Id: Idd02acce7a2d5c927dd9dc2415fe507b00ff3e58
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2682646
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72568}
2021-02-08 22:26:48 +00:00
Ng Zhi An
3b6eb33543 [wasm-simd][arm] Implement double precision conversion
Prototype these 6 instructions on arm:

- f64x2.convert_low_i32x4_s
- f64x2.convert_low_i32x4_u
- i32x4.trunc_sat_f64x2_s_zero
- i32x4.trunc_sat_f64x2_u_zero
- f32x4.demote_f64x2_zero
- f64x2.promote_low_f32x4

For all these instructions we rely on having Q registers that map to S
registers, which means we can only use q0 to q7. We fix the src/dst
to q0 arbitrarily.

Bug: v8:11265
Change-Id: Ied95f2dde9859a60fc216ed67615f80e9d795bb7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2679842
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72567}
2021-02-08 21:53:08 +00:00
Zhi An Ng
a723767935 Revert "[wasm-simd][x64][liftoff] Implement i8x16.popcnt"
This reverts commit 00babf0718.

Reason for revert: Broke mac64 https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Mac64/38510/overview

Original change's description:
> [wasm-simd][x64][liftoff] Implement i8x16.popcnt
>
> Extract i8x16.popcnt implementation into a macro-assembler function, and
> reuse it in Liftoff.
>
> Bug: v8:11002
> Change-Id: I86b2f5322c799d44f584cac28c70e0e393bf114f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2676280
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#72565}

TBR=gdeepti@chromium.org,clemensb@chromium.org,zhin@chromium.org

Change-Id: I5795b71f65d59237db59907d40c34e4fa7779fe1
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:11002
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2682505
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72566}
2021-02-08 19:02:59 +00:00
Ng Zhi An
00babf0718 [wasm-simd][x64][liftoff] Implement i8x16.popcnt
Extract i8x16.popcnt implementation into a macro-assembler function, and
reuse it in Liftoff.

Bug: v8:11002
Change-Id: I86b2f5322c799d44f584cac28c70e0e393bf114f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2676280
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72565}
2021-02-08 18:12:27 +00:00
Junliang Yan
2071cfd7b7 s390x: refactor CountLeadingZeros
Change-Id: Ic973b6342a6b91fe9068ee1ffe4e83a138fb2fa4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2679269
Reviewed-by: Milad Fa <mfarazma@redhat.com>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/master@{#72564}
2021-02-08 16:44:27 +00:00
Santiago Aboy Solanes
c61832985a [compiler] Remove unused CompilationDependencies' methods
Change-Id: Icd1d9fa59fac714673a264839006e74fc4dfeac3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2676147
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72563}
2021-02-08 14:09:29 +00:00
Camillo Bruni
2dc8934d6c [tools] Improve callstats.html
CSV Support:
- Add import merged CSV from results.html
- Aggregate multiple runs and calculate stddev on them

Charts:
- Defer rendering charts for responsive UI
- Clean up chart rendering in general
- Sort charts based on raw chart data for speedups
- Show chart annotations
- Add chart total, displaying the total value for the currently
  selected categories
- Fix sorting by chart total
- Add average row for all charts

Change-Id: I1e542f319172ecf158dcb44f8da7ad6e81aafe41
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2675934
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72562}
2021-02-08 13:44:59 +00:00
Clemens Backes
c5b9cae05b [wasm][memory64] Update spec tests
Update the wasm spec tests to include the memory64 proposal. Some tests
are failing currently because of broken spec tests or missing v8
support. This will be addressed in follow-up CLs.

R=ahaas@chromium.org
CC=zhin@chromium.org

Bug: v8:11401
Change-Id: I1a8f75e70f9d0828ad32c960c113f5e4c0d1a44b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2679683
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72561}
2021-02-08 13:17:29 +00:00
Michael Lippautz
c7ff90d97d cppgc: Avoid dispatching write barrier during atomic pause
This change avoids dispatching a write barrier during the atomic pause.
The dispatch can generally be triggered through pre-finalizers.

In future, further checks may be added to avoid mis-use of
pre-finalizers.

Bug: chromium:1056170, chromium:1175560
Change-Id: I119e18372633b2375f60e17b4c881f68bb20bf66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2679685
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72560}
2021-02-08 12:56:09 +00:00
Jakob Kummerow
0c8b6e415c [mac][wasm] Work around MacOS 11.2 code page decommit failures
MacOS 11.2 refuses to set "no access" permissions on memory that
we previously used for JIT-compiled code. It is still unclear
whether this is WAI on the part of the kernel. In the meantime,
as a workaround, we use madvise(..., MADV_FREE_REUSABLE) instead
of mprotect(..., NONE) when discarding code pages. This is inspired
by what Chromium's gin platform does.

Fixed: v8:11389
Change-Id: I866586932573b4253002436ae5eee4e0411c45fc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2679688
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72559}
2021-02-08 12:25:29 +00:00
Clemens Backes
392a0251d4 [wasm][debug] Delta-encode the debug side table
For functions with a very large stack, the debug side table repeats a
lot of information: Most values will be spilled to the stack, still
every single entry in the debug side table repeats information about
them (type, stack offset). This leads to the size of the debug side
table being quadratic in the size of the function.

In the linked bug, the generation of the debug side table took ~400ms,
whereas Liftoff compilation alone just took 16ms.

This CL optimized the debug side table by delta-encoding the entries,
i.e. only storing stack slots that changed. This reduces the size of the
table significantly, at the cost of making lookup slower, since that now
has to search the table backwards for the last entry that had
information about a specific slot. For now, this seems like a good
compromise. If it turns out to be a problem, we could speed up the
lookup by either forcing a full dump of the stack state after N entries,
or by dynamically inserting new entries during lookup, whenever we find
that we had to search backwards more than N entries. That would speed up
subsequent lookups then.

On the reproducer in the linked bug, this change reduces the time to
generate the debug side table from ~400ms to ~120ms.
Before this CL, the debug side table has 13,314 entries with a total of
38,599,606 stack value entries. After this CL, it shrinks to 20,037
stack value entries in the 13,314 entries (average of ~1.5 instead of
~2,899).

R=thibaudm@chromium.org

Bug: chromium:1172299
Change-Id: Ie726bb82d4c6648cc9ebd130115ee7ab3d1d551b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2676636
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72558}
2021-02-08 10:56:59 +00:00
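Added example, not V8 code and not part of the commit above: a self-contained delta-encoded side table in the shape 392a0251d4 describes. Encode() records a slot only when it is new or its information changed relative to the previous entry, and Lookup() reconstructs the full stack state by scanning backwards to the most recent record for each slot, stopping as soon as every slot below the entry's height is resolved. All names (DeltaDebugSideTable, SlotInfo, RunSample) and the slot layout are hypothetical; the sample input is constructed to mimic a large spilled frame where each instruction touches only the top slot.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Per-slot information the table records: a stand-in for Liftoff's value
// kind plus spill offset (hypothetical layout).
struct SlotInfo {
  uint8_t kind;          // illustrative: 0 = i32, 1 = i64, 2 = f64
  int32_t stack_offset;  // spill slot offset from the frame pointer
  bool operator==(const SlotInfo& o) const {
    return kind == o.kind && stack_offset == o.stack_offset;
  }
};

// A fully materialized stack state at one code offset: what a naive table
// stores for every entry, which is where the quadratic size comes from.
struct FullEntry {
  uint32_t pc_offset;
  std::vector<SlotInfo> slots;  // index 0 = bottom of the value stack
};

// Delta entry: the new stack height plus only the slots that changed.
struct DeltaEntry {
  uint32_t pc_offset;
  uint32_t stack_height;
  std::vector<std::pair<uint32_t, SlotInfo>> changed;  // (slot index, info)
};

class DeltaDebugSideTable {
 public:
  // Entry i stores a slot iff it is new (index beyond the previous height)
  // or its info differs from the previous entry's state.
  static DeltaDebugSideTable Encode(const std::vector<FullEntry>& full) {
    DeltaDebugSideTable table;
    std::vector<SlotInfo> prev;
    for (const FullEntry& f : full) {
      DeltaEntry d{f.pc_offset, static_cast<uint32_t>(f.slots.size()), {}};
      for (uint32_t i = 0; i < f.slots.size(); ++i) {
        if (i >= prev.size() || !(prev[i] == f.slots[i])) {
          d.changed.emplace_back(i, f.slots[i]);
        }
      }
      table.entries_.push_back(std::move(d));
      prev = f.slots;
    }
    return table;
  }

  // Reconstruct the full state at `index` by scanning backwards until every
  // slot below this entry's height is resolved. A slot that was popped and
  // re-pushed in between was re-recorded at the re-push, so the most recent
  // record found going backwards is always the correct one.
  std::vector<SlotInfo> Lookup(size_t index) const {
    const uint32_t height = entries_[index].stack_height;
    std::vector<SlotInfo> result(height);
    std::vector<bool> resolved(height, false);
    uint32_t remaining = height;
    for (size_t j = index + 1; j-- > 0 && remaining > 0;) {
      for (const std::pair<uint32_t, SlotInfo>& c : entries_[j].changed) {
        if (c.first < height && !resolved[c.first]) {
          result[c.first] = c.second;
          resolved[c.first] = true;
          --remaining;
        }
      }
    }
    return result;
  }

  // Number of per-slot records stored: the quantity the commit reports
  // shrinking from 38,599,606 to 20,037 on its reproducer.
  size_t total_slot_records() const {
    size_t n = 0;
    for (const DeltaEntry& e : entries_) n += e.changed.size();
    return n;
  }

 private:
  std::vector<DeltaEntry> entries_;
};

struct EncodingStats { size_t delta_records; size_t naive_records; bool roundtrip_ok; };

// Constructed sample: push `depth` values, then `ops` instructions that each
// re-spill only the top slot, then one pop and re-push to exercise the
// "re-recorded at re-push" path. Compares delta size against the naive size
// and checks that every Lookup() round-trips to the original state.
EncodingStats RunSample(uint32_t depth, uint32_t ops) {
  std::vector<FullEntry> full;
  std::vector<SlotInfo> stack;
  uint32_t pc = 0;
  for (uint32_t i = 0; i < depth; ++i) {
    stack.push_back({static_cast<uint8_t>(i % 3), -8 * static_cast<int32_t>(i + 1)});
    full.push_back({pc++, stack});
  }
  for (uint32_t i = 0; i < ops; ++i) {
    stack.back().stack_offset -= 8;
    full.push_back({pc++, stack});
  }
  stack.pop_back();
  full.push_back({pc++, stack});
  stack.push_back({2, -4096});
  full.push_back({pc++, stack});

  DeltaDebugSideTable table = DeltaDebugSideTable::Encode(full);
  size_t naive = 0;
  bool ok = true;
  for (size_t i = 0; i < full.size(); ++i) {
    naive += full[i].slots.size();
    ok = ok && (table.Lookup(i) == full[i].slots);
  }
  return {table.total_slot_records(), naive, ok};
}
```

With depth 100 and 1000 ops the delta table holds 1,101 slot records against 105,249 for the naive table, at the cost of each Lookup() walking back through up to `depth` entries. The two mitigations the commit mentions for slow lookups, forcing a full dump every N entries or caching a reconstructed state back into the table during lookup, would both bound that backwards walk.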
Iain Ireland
f905e3f40b [regexp] Change rangeBoundaries to use uc32
Some of the DCHECK_LT assertions in GenerateBranches were generating
signed-vs-unsigned comparisons in SM. While I was looking at this code,
it seemed reasonable to just fix the whole thing to use uc32/uint32_t
where appropriate.

Bug: v8:11380
Change-Id: I7e27fb7e34ce962349d7204d6306217292746e33
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2666986
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72557}
2021-02-08 07:03:19 +00:00
v8-ci-autoroll-builder
13b7167dad Update V8 DEPS.
Rolling v8/third_party/aemu-linux-x64: UT48xoBffYP6u1cAu_aL71Lh18Z3xtRc7BJSyc_1csMC..wSpywIGELAWo-KIDF77NMsedbTxiUN7DZUJS-hXiT1UC

Rolling v8/third_party/icu: 70dd9a6..12825ed

TBR=machenbach@chromium.org,tmrts@chromium.org,v8-waterfall-sheriff@grotations.appspotmail.com

Change-Id: I94b61291f41c646cd414b550131a2ef326869350
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2681316
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#72556}
2021-02-07 04:06:46 +00:00
Manos Koukoutos
a6e01fb95b [turbofan] Refactor loop peeling/analysis infrastructure for unrolling
In preparation of loop unrolling, we move some loop analysis
infrastructure out of loop-peeling.{h, cc}, and implement some
additional required functionality.

Changes:
- Implement inner_loops() in loop-analysis.h. Change some parameters
  in other functions from Loop* to (const Loop*) to accommodate this
  change.
- Move Peeling class into loop-analysis, rename it to NodeCopier.
- Simplify NodeCopier::CopyNodes().
- Allow NodeCopier to produce multiple copies of the targeted Nodes.
- Introduce LoopFinder::HasMarkedExits(). Move the implementation of
  LoopPeeling::CanPeel() there. CanPeel() is now an alias for
  HasMarkedExits().

Bug: v8:11298
Change-Id: I245b2e937393e4a78ce4d355e1290aaf6e617114
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2672019
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72555}
2021-02-06 08:16:55 +00:00
v8-ci-autoroll-builder
4023383c04 Update V8 DEPS.
Rolling v8/build: ee7e404..a2a1340

Rolling v8/third_party/aemu-linux-x64: rNvRFA3R0THFzCnDKyJfVyqZysmcZ_To-ZfvXMhYKw8C..UT48xoBffYP6u1cAu_aL71Lh18Z3xtRc7BJSyc_1csMC

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/c8f9f36..ab8a40f

Rolling v8/third_party/depot_tools: e342fb1..ac34821

Rolling v8/tools/clang: f18ba70..fae3adc

TBR=machenbach@chromium.org,tmrts@chromium.org,v8-waterfall-sheriff@grotations.appspotmail.com

Change-Id: Iefb23fa4349bb8a4e4aaaa9f0335b4c2c7ff479d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2680328
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#72554}
2021-02-06 04:03:25 +00:00
Bill Budge
e5699fda34 [compiler][backend][ia32] Merge opcodes into a single IA32Push
- Reworks the code structure to break out 3 major cases:
  Immediate, MemoryOperand, and LocationOperand.
- InstructionSelector passes an additional immediate operand,
  the push size in bytes, so we can generate correct code
  for the Immediate case.

Bug: v8:9198

Change-Id: I86cd41826150aa84b158fdbb1d3e8f3e93755119
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2673273
Commit-Queue: Bill Budge <bbudge@chromium.org>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72553}
2021-02-05 23:05:04 +00:00
Clemens Backes
6b1c27fa80 [wasm] Remove Liftoff counters
Those counters were interesting during the development of Liftoff, but
they were never reported to UMA. Now that we have precise tracking of
the Liftoff bailout reason in UMA, those counters are redundant.

R=ahaas@chromium.org

Bug: v8:11387
Change-Id: I4595414a0e3ff8bf9c954baa2317aa39af65b372
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2678163
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72552}
2021-02-05 15:30:24 +00:00
Bill Budge
c394be4f7e [compiler][backend][x64] Fix gap checking for X64Push codegen
- Removes DCHECKs that will be incorrect when SIMD operands
  are intermixed.
- Reworks the code structure to break out 3 major cases:
  Immediate, MemoryOperand, and LocationOperand.

Bug: v8:9198

Change-Id: I1be426bc450dda0fd670a2483aae9afd2c96ce17
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2673271
Commit-Queue: Bill Budge <bbudge@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72551}
2021-02-05 15:23:44 +00:00
Michael Lippautz
65893d84e5 cppgc: Fix low-level write barriers
Some types of supported low-level write barriers only require passing
a slot, which may not even be part of a heap object but of the stack.

This complicates the situation, as even with caged heap, there's no
way to distinguish a stack and heap slot.

Solve this by passing an optional callback that can lazily be used to
get the heap. This can be used by the embedder to retrieve the heap
from e.g. TLS if needed. This aligns the barrier with Oilpan in
Blink.

Bug: chromium:1056170
Change-Id: I1e5d022ab17a2614a67b6ef39ed12691bcbd0ac6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2675924
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72550}
2021-02-05 15:22:04 +00:00
Santiago Aboy Solanes
f116eb1816 [compiler] Move GetStrongValue to DescriptorArrayRef
Also access the DescriptorArray through GetStrongValue concurrently if
the FLAG_turbo_direct_heap_access is on.

Bug: v8:7790
Change-Id: I7a36789b44e84988d498339312bf9fe92eab8e66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2653233
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72549}
2021-02-05 15:14:54 +00:00
Ulan Degenbaev
3265309ab8 [heap] Add GC epilogue callbacks in LocalHeap
A background thread can register a callback that is guaranteed to be
invoked after each GC in a safepoint before background threads resume.
This will allow the background compiler and parser to keep raw
pointers to frequently accessed objects and ensure that they are fixed
up after GC.

Note that the existing global GC epilogues are run after background
threads resume, so they are unsafe for background threads.

Change-Id: I1c782f912d63afc09c4982d393a6f3805a318962
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2675933
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72548}
2021-02-05 14:37:17 +00:00
Clemens Backes
679af80e75 [wasm][arm] Avoid duplicating parameter lists
Avoid duplicating the list of parameter registers to push in the
WasmCompileLazy builtin by reusing the existing arrays from
wasm-linkage.h.

Also verify the computed results against different constants.

R=zhin@chromium.org

Bug: v8:11377
Change-Id: I727d4dcd1f1a0d3ae0e1a6ec03f0fb40c08564ed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2668767
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72547}
2021-02-05 14:36:12 +00:00
Junliang Yan
2ba0b6138f s390x: [liftoff] implement MoveStackValue
Change-Id: I372d3ef6806b001e45b5522e5a91f20393bf75bc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2676627
Reviewed-by: Milad Fa <mfarazma@redhat.com>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/master@{#72546}
2021-02-05 14:02:42 +00:00
Benedikt Meurer
57062d6ccd [stack-traces] Speed up method name inference.
In JSStackFrame::GetMethodName() we try to infer a useful method name to
show for the closure to which the stack frame belongs. This is done by
first considering the function's name, and checking if the receiver has a
property with that name and if that property's value is the closure. In
case the function doesn't have a name or the property's value is not the
closure itself, we fall back to a reverse lookup of the closure within
the object (and its prototypes).

This CL speeds up this logic by attacking two problems:

1. The reverse lookup was performed by first using the KeyAccumulator to
   extract the names of all enumerable properties, and afterwards using
   the LookupIterator on each name, and testing the resulting property
   value against the closure. This is fairly slow and creates a lot of
   temporary objects and handles. We now look into the descriptor arrays
   or dictionary backing stores of the objects directly instead, which
   is easily 2-10x faster.
2. For the common case of `o.foo = function() { ... }` the parser already
   places an "inferred name" of `o.foo` onto the SharedFunctionInfo,
   which we can use as a hint to infer the name of the function instead
   of immediately falling back to the expensive reverse lookup.

This repairs the regression reported in http://crbug.com/1069425 and
recovers most of the slowdown reported in http://crbug.com/1077657
(there's still some overhead left from the async stack trace tracking).

Fixed: chromium:1069425
Bug: chromium:1077657
Change-Id: I88d23ccad123906df70c5217e815493106e03ccf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2676635
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72545}
2021-02-05 13:57:12 +00:00
Almothana Athamneh
ede00308f6 Added CI and CQ bots with v8_dict_property_const_tracking enabled
Bug: v8:11385
Change-Id: Idbfafa2db7dd5a091796e7982c4181486dcc60fc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2675928
Reviewed-by: Liviu Rau <liviurau@chromium.org>
Commit-Queue: Almothana Athamneh <almuthanna@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72544}
2021-02-05 13:28:38 +00:00
Georg Neis
701a409284 [compiler] Add owners of machine-operator.* and opcodes.*
Change-Id: I6df71e7bbbcd726816826693b43d4acf30af21d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2667186
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72543}
2021-02-05 11:53:40 +00:00
Georgia Kouveli
35b4f3a0e5 [arm64][cfi] Enable sim_abort_on_bad_auth by default.
This requires a small fix in {Push,Pop}CalleeSavedRegisters, where
the return address was signed/authenticated at the wrong point,
which meant the stack pointer used as modifier was different from
the one the StackFrameIterator expected.

Bug: v8:10026
Change-Id: Idebd2ee8f07312b5e99dd2ea5181fc7a7e4a87bc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2667861
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72542}
2021-02-05 10:23:40 +00:00
Paolo Severini
831fa62b97 [compiler] Re-reland "Faster JS-to-Wasm calls"
This is a reland of 6ada6a90ee

- Fixed a GC issue
  https://bugs.chromium.org/p/v8/issues/detail?id=11335:
  GC expected all arguments on the stack from code with
  CodeKind::TURBOFAN to be tagged objects. This is not the case now with
  inlined Wasm calls, and this information can be passed in
  SafepointEntry for each call site.

- Disabled JS-to-Wasm inlining for calls inside try/catch.

For more details, see updated doc:
https://docs.google.com/document/d/1mXxYnYN77tK-R1JOVo6tFG3jNpMzfueQN1Zp5h3r9aM/edit#

Bug: v8:11092


Original change's description:
> Reland "Faster JS-to-Wasm calls"
>
> This is a reland of 860fcb1bd2
>
> - Disabled the tests for this feature in V8-lite mode (the original
> change broke V8-lite tests).
> - Also modified test console-profile-wasm.js that was brittle with this
> change because it assumed that there was always a JS-to-Wasm wrapper
> but this is not the case when the TurboFan compilation completes before
> the Liftoff-compiled code starts to run.
>
> More changes in Patchset 8:
>
> - Moved inlining of the "JSToWasm Wrapper" away from simplified-lowering,
> into a new phase, wasm-inlining that reuses the JSInliner reducer.
> The doc
> https://docs.google.com/document/d/1mXxYnYN77tK-R1JOVo6tFG3jNpMzfueQN1Zp5h3r9aM/edit#
> describes the new logic.
>
> - Fixed a couple of small issues in wasm_compiler.cc to make sure that
> the graph "JSToWasm Wrapper" subgraph has a valid Control chain;
> this should solve the problem we had inlining the calls in functions
> that can throw exception.


Original change's description:
> Faster JS-to-Wasm calls
>
> This replaces https://chromium-review.googlesource.com/c/v8/v8/+/2376165/.
>
> Currently JS-to-Wasm calls go through a wrapper/trampoline, built on
> the basis of the signature of a Wasm function to call, and whose task
> is to:
> - set "thread_in_wasm_flag" to true
> - convert the arguments from tagged types into Wasm native types
> - calculate the address of the Wasm function to call and call it
> - convert back the result from Wasm native types into tagged types
> - reset "thread_in_wasm_flag" to false.
>
> This CL tries to improve the performance of JS-to-Wasm calls by
> inlining the code of the JS-to-Wasm wrappers in the call site.
>
> It introduces a new IR operand, JSWasmCall, which replaces JSCall for
> this kind of call. A 'JSWasmCall' node is associated with
> WasmCallParameters, which contain information about the signature of
> the Wasm function to call.
>
> WasmWrapperGraphBuilder::BuildJSToWasmWrapper is modified to avoid
> generating code to convert the types for the arguments
> of the Wasm function, when the conversion is not necessary.
> The actual inlining of the graph generated for this wrapper happens in
> the simplified-lowering phase.
>
> A new builtin, JSToWasmLazyDeoptContinuation, is introduced to manage
> lazy deoptimizations that can happen if the Wasm function callee calls
> back some JS code that invalidates the compiled JS caller function.
>

Bug: v8:11092
Cq-Include-Trybots: luci.v8.try:v8_linux_arm_lite_rel_ng
Change-Id: Ie052634598754feab4ff36d10fd04e008b5227a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2649777
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72541}
2021-02-05 09:41:30 +00:00
Manos Koukoutos
7c2b7cefee [map] Consistently use back_pointer over backpointer
The constructor_or_backpointer accessor of Map was not consistent with
the torque-defined field constructor_or_back_pointer_or_native_context,
leading to confusion. This CL brings them in sync, choosing the latter
spelling.

Change-Id: I3375c5f060bfd5e1e7cab195e3cca3d508c88154
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2674011
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72540}
2021-02-05 05:55:40 +00:00
v8-ci-autoroll-builder
e59f1ebe4d Update V8 DEPS.
Rolling v8/build: 10e5511..ee7e404

Rolling v8/third_party/aemu-linux-x64: daCtImfwROvNf-7jcpyqZ6KMCGlIQv9BROkyXnulGioC..rNvRFA3R0THFzCnDKyJfVyqZysmcZ_To-ZfvXMhYKw8C

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/5c5a297..c8f9f36

Rolling v8/third_party/depot_tools: 6dc9cc3..e342fb1

Rolling v8/tools/clang: 4ee065a..f18ba70

TBR=machenbach@chromium.org,tmrts@chromium.org,v8-waterfall-sheriff@grotations.appspotmail.com

Change-Id: I8195fa46a4f6f0acd52e3fa4d60cf084c6c82d07
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2677053
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#72539}
2021-02-05 04:05:20 +00:00
Junliang Yan
5fb6e80e02 s390x: fix shift operations
Change-Id: I8d331992330eeabc9aae564e4467c95764d605f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2676623
Reviewed-by: Milad Fa <mfarazma@redhat.com>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/master@{#72538}
2021-02-05 01:03:47 +00:00
Ng Zhi An
74362ae3e2 [wasm-simd][arm64] Prototype i32x4.widen_i8x16_{s,u}
This prototypes i32x4.widen_i8x16_s and i32x4.widen_i8x16_u for arm64.

Bug: v8:11297
Change-Id: Ib9be5086c8ea98340c9bb1980c319626d7072c1e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2664994
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72537}
2021-02-04 23:33:19 +00:00
Ng Zhi An
5ce3afe2d7 [wasm-simd][x64] Fix F64x2ConvertLowI32x4U isel and codegen
The previous instruction selection was too loose: it only required
registers for the inputs. The codegen also used Unpcklps(dst, mask), and
failed to use src at all. The test case was accidentally passing
because dst == src (xmm0) by chance.

We fix this bug by requiring that for AVX, any register is fine, but for
SSE, dst == src. Also redefine Unpcklps to check dst == src in
the no-AVX case.

Bug: v8:11265
Change-Id: I1988b2d2da8263512bf6e675e6297c50f55663f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2668918
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72536}
2021-02-04 23:10:17 +00:00
Ng Zhi An
fec9c5d655 [wasm-simd][ia32] Implement double precision conversions
Implement these 6 instructions:

- f64x2.convert_low_i32x4_s
- f64x2.convert_low_i32x4_u
- i32x4.trunc_sat_f64x2_s_zero
- i32x4.trunc_sat_f64x2_u_zero
- f32x4.demote_f64x2_zero
- f64x2.promote_low_f32x4

The code sequences are exactly the same as on x64.

Needed to add some more instructions, and we don't have macro lists for
these instructions yet, so individually define them for now. We can
factor them into lists in a future change.

Bug: v8:11265
Change-Id: I606e1226201e3c5ecdc7e3f611315437e917d77c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2668913
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72535}
2021-02-04 19:26:45 +00:00
Toon Verwaest
a8091a0554 [feedbackvector] Don't drop the interrupt budget when using a OneClosureCell
Change-Id: I783c41ca4192d686454728b7c8356935bc67cc98
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2675922
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72534}
2021-02-04 16:15:14 +00:00
Jakob Gruber
b62bbd1637 [deoptimizer] Add translation array compression behind a flag
TranslationArrays (TA) are large and rarely used, thus could benefit
from compression. This CL adds a --turbo-compress-translation-arrays
flag (off by default) to experiment with that.

Each optimized Code object has an associated translation array
(Code->DeoptimizationData->TranslationArray). These translation arrays
have roughly the same size as the Code object itself. They are
used only rarely: when deoptimizing, and when traversing the stack and
looking into optimized frames. Neither of these code paths is
especially performance critical. TAs contain only immutable, untagged
data. They are thus good candidates for compression.

The trade-off is between TA memory consumption and time spent
in decompression/compression. This CL keeps everything on the main
thread, but it would also be possible to move compression (the more
expensive operation by a factor of 5 to 10) to a worker thread.

Numbers from a local Octane2 run:

Sum of Code instructions sizes: 4.6MB
Sum of uncompressed TA sizes:   4.1MB
Sum of compressed TA sizes:     0.6MB

Compression times depend on the selected compression quality, but
roughly:

Compression:   50ms (40us avg per compilation)
Decompression:        7us avg per compilation

Drive-by: Translation arrays currently use run-length encoding;
I disabled this for when --turbo-compress-translation-arrays is
enabled (no need to compress twice).

Bug: v8:11354
Change-Id: I7828d7d91eb074816b383b02f883c5d7b7e318b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2652497
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72533}
2021-02-04 15:11:33 +00:00
Michael Achenbach
5e80ce590c [test] Prepare removing gpu defaults for tester bots
We want to remove the gpu:none default as we want to switch to
Mac Minis in the Mac pool that have gpus.

This starts a 3-way change:
1. This CL: Add the gpu dimension for Mac source side.
2. Remove setting it as default for Mac in infra.
3. Flip the value for gpu source side.

This requires merging to beta/stable.

No-Try: true
Bug: chromium:1174040
Change-Id: I81f2f5863593aa93fa668b4534d1116a11768f31
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2673402
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72532}
2021-02-04 14:58:23 +00:00
Thibaud Michaud
a12e9329fd [wasm][eh] Fix catch_all encoding
In the latest spec, catch_all is encoded as 0x05. This is the same
opcode as "else", but they do not conflict because "else" is not valid
in the context of a try block.

The 0x0a opcode now corresponds to the "unwind" instruction, which
currently has the same semantics as "catch_all".

R=clemensb@chromium.org

Bug: v8:11392
Change-Id: Ie9cd06c9a2001a02d8bea5be7a3c016e3a58ee3d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2674007
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72531}
2021-02-04 14:36:24 +00:00
Nico Hartmann
63f7d83d14 Atomic accessor for Isolate::code_coverage_mode
Change Isolate::code_coverage_mode to an atomic such that access from
the background thread is safe.

Bug: v8:11378
Change-Id: I26d6915b1662ba022ea6a173a87d184d3ac7cd3b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2666691
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72530}
2021-02-04 13:53:13 +00:00