Inlineability can change when a function gets its deoptimization
disabled. We can bail out if we notice that (but keep in mind that it
can still happen later).
Bug: chromium:1250244, v8:7790
Change-Id: Ib088396f41eceeaae7ccdfce287cd11c5bee738a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3164980
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76896}

vrgather requires that the destination vector register group not overlap with the source vector
register groups; otherwise an illegal instruction exception is raised.
Change-Id: I6d23ea80edc4a80be961531ded855ff372ca0da0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3161777
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: Ji Qiu <qiuji@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#76895}

Previously the internal `[[ArrayBufferData]]` property for `ArrayBuffer`
objects reported by the inspector (and used by the DevTools front-end to
identify `ArrayBuffer`s and `WebAssembly.Memory`s using the same backing
store) simply contained a hex string representation of the backing store
pointer. However that unnecessarily leaks internal addresses and more
importantly is not deterministic, which complicates tests (just blew up
on layout tests).
This CL introduces an automatically incremented `BackingStore::id()`,
which is used instead now and is deterministic.
Bug: chromium:1199701, chromium:1163802, chromium:1249961
Change-Id: I8ee47009cd825cfdbe00230f617c87c90508ab2a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162144
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76893}

The default value for table entries in WebAssembly tables is null when
the table gets allocated from WebAssembly, but when the table gets
allocated from JavaScript, the default value is undefined when the
table type is externref. With this CL V8 handles the JavaScript case
in a spec-compliant way.
R=manoskouk@chromium.org
Bug: v8:12227
Change-Id: Ic8a1361629d8e5dfb59e2ee22a5e0ae0f6de936d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162045
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76892}

Rolling v8/build: 590c648..48f708c
Rolling v8/buildtools/third_party/libc++abi/trunk: a5b6419..c883cb1
Rolling v8/buildtools/third_party/libunwind/trunk: 44ea7ab..a7e4ce0
Rolling v8/third_party/aemu-linux-x64: FqiWusPGPs0zkuCyCSj2axBNOhCaD117fjIbnnj6h8kC..4_W8oYEfH2jwjpXXJX32HUtITINfNQfevdEMi6HVUm8C
Rolling v8/third_party/depot_tools: 5307522..9cba73f
Rolling v8/tools/clang: 83b09bd..c8d8b3e
TBR=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com
Change-Id: I22da2220afa663166c361d04b9301c6940f97a91
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3167810
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#76890}

Optimize i64x2mul when AVX is supported to elide some moves.
Bug: v8:11589
Change-Id: Ide0bba502a35cbb632e3fc311c9697c5f54f9d82
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3163280
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76889}

Refactor TryCopyAndConvertArrayToCppBuffer to avoid using a CTypeInfo*
pointer as a template argument. Instead, use a uint32-encoded value
sufficient to reconstruct the CTypeInfo.
Bug: v8:11739
Change-Id: I74052e59b3fa5ebed00cdb938504ba1947d959d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3138832
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76887}

Behind the --wasm-inlining flag, we introduce speculative direct calls
as an alternative to invoking functions through references.
In pseudocode, call_ref(func_ref, args...) reduces to
  if (func_ref == function_reference_at(expected_index)) {
    call_direct(expected_index, args...)
  } else call_ref(func_ref, args...)
The introduced direct call can later get inlined in WasmInliningPhase.
Currently, we always speculate that the reference is the function at
index 0. Proper heuristics, based on liftoff runtime feedback, will come
later.
Bug: v8:12166, v8:7748
Change-Id: Icd1319d3091b436e71906717fd8a2662bfbb8481
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162602
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76884}

JavascriptBuiltinContinuationFrame and BuiltinFrame didn't correctly
handle the receiver when it was included in the argument count.
Bug: v8:11112, chromium:1249941
Change-Id: I4d79bd152ea7e992fa3b87a4de2a509b79fcb37c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3165058
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76881}

Change-Id: I5f3c83287fec334a56643f87d12a8dc1a7e47d72
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3109667
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76879}

Checks if the machine is running on a native BE and if so
tries to do the load/store ops using the new vector instructions
from z15.
If the target machine is older than a z15, the memory offset is larger
than 12 bits, or we are running in the simulator, then we fall back
to the scalar method of loading/storing from memory.
Change-Id: Iec41ad21e7f292cf5b9c4707b4951a561f3dcda4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162247
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#76878}

... as it has nothing to do with bootstrapping.
Change-Id: I364469b023b3f0811a674ea39aefd46313dd10fc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3164536
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76877}

... by adding atomic (relaxed) accessors for a map's
constructor_or_backpointer field, and using them in the two functions.
Bug: chromium:1250216, v8:7790
Change-Id: I3416799cca73792ff5f8963685274ad9afdc6229
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162129
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76876}

This is a refactor-only change in preparation for the upcoming
builtins table split.
- Define fields through a macro list to avoid some manual boilerplate
code.
- Consistent names for builtin_entry_table_ and builtin_table_, and
update names of related methods as well.
- Add Builtins::ToInt to replace manual static_casts.
- Move around IsolateData methods s.t. they're in the same order as
the underlying fields.
Bug: v8:12203
Change-Id: I68cd036b8de1dd2708e2d4579d76bb3baaea5e1c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162128
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76874}

Reason for revert: There was an outdated wpt test in blink that
failed after this CL. I adjusted the test expectations in https://chromium-review.googlesource.com/c/chromium/src/+/3162980 so that I can land this CL.
Original change's description:
> Revert "[wasm][externref] Support default value for the table.set"
>
> This reverts commit 6b57898062.
>
> Reason for revert: Fails layout tests: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Blink%20Linux/13751/overview
>
> Original change's description:
> > [wasm][externref] Support default value for the table.set
> >
> > WebAssembly.Table.set allows a default value instead of the second
> > parameter, which was not supported by V8 so far.
> >
> > R=thibaudm@chromium.org
> >
> > Bug: v8:7581
> > Change-Id: I417790722b1cb4f854cd0056ecb8377c330c45fa
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3141574
> > Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
> > Commit-Queue: Andreas Haas <ahaas@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#76846}
>
> Bug: v8:7581
> Change-Id: I83d9be59c66ece3184b5708e5b8a3b401e4938ed
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3163257
> Auto-Submit: Clemens Backes <clemensb@chromium.org>
> Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
> Cr-Commit-Position: refs/heads/main@{#76852}
Bug: v8:7581
Change-Id: I248f836ba4de2a4e3f3d80c00e6f1ac0b46a38d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162608
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76873}

GetWriteBarrierType used to consider the slot so that a barrier is not
triggered for on-stack slots. For strongifying weak collections we want
the write barrier to trigger even if the backing store is only reachable
from stack.
Blink counterpart: crrev.com/c/3162170
Bug: chromium:1244057
Change-Id: I75b1ca62ad5de7bae3d2f4c1a9acce839f3ccdc1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162127
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76872}

Liftoff needs to be fully implemented for running this test.
Change-Id: Ia229d478fa22d4ce9a715d13b3d2b09a2634ad1c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3163016
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#76870}

This test was added in commit bc3b9332ac.
Bug: v8:7748
Change-Id: I8bada39c6fc9ed22f7a25786697aed880738bc9e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3163286
Auto-Submit: Liu yu <liuyu@loongson.cn>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76868}

Safepoints were used in Heap::AddAllocationObserversToAllSpaces and
Heap::RemoveAllocationObserversFromAllSpaces as a poor man's approach
to synchronization. This CL removes the safepoint and protects the
potential race on the free list with a mutex in
PagedSpace::DecreaseLimit.
The motivation for this CL is that SafepointScope might possibly park
the main thread in the future. However parking is only allowed if GCs
are also allowed. GCs are not allowed when running allocation observers,
so an allocation observer would not be able to add or remove additional
observers as is currently done in StressConcurrentAllocationObserver.
Also adding additional checks to the safepoint to ensure that we are
on the main thread.
Bug: v8:11708
Change-Id: I4e65a83ac4015d30b15d8c4eeaed4ea759b7c982
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3160523
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76867}

ClusterFuzz reported a non-reproducible issue here:
https://clusterfuzz.com/testcase-detail/4634185246244864
What happens here is that a LAB is replaced that is adjacent to a live
object that is concurrently being marked using the object start
bitmap.
Bug: chromium:1056170
Change-Id: Iebc0db6b85262f2f544a76bac9b3d1c662e41d6a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162603
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76865}

EphemeronHashTable does not trigger interrupts when accessed
(as opposed to calling the WeakMapGet builtin), so it avoids
the use-after-free problem when reading exception metadata
triggers session disconnect while holding a reference
to the session.
Bug: chromium:1241860
Change-Id: I29264b04b8daf682e7c33a97faedf50e323d57c4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3158326
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76864}

This is a reland of 11045926ca.
The first version of this CL uncovered a TSAN failure when not disabling
RCS anymore. The problem was that a background thread was still updating
RCS counters, while the main thread already dumped those values during
tear down. This CL fixes this by dumping counters only after all
background threads are stopped.
Original change's description:
> [test] Avoid disabling of RCS during runtime
>
> Test was flaky since disabling of RCS at runtime is unsafe. Some code
> (e.g. TRACE_GC) is run only in case RCS is enabled and such code paths
> might also DCHECK that RCS is enabled.
> A background thread (sweeping in this case) could've already
> entered such a code path right before RCS is disabled. In this case the
> guard at the entry still saw that RCS is enabled but subsequent DCHECKs
> that ensure that RCS is enabled might fail.
>
> We could fix this by completing the sweeper tasks before disabling RCS
> but there might be other similar tasks which might be run at that point
> in the future (e.g. memory unmapper).
>
> Disabling the flag doesn't even seem to be needed for the initial
> regression test, so it seems simpler to just not disable RCS anymore.
>
> Bug: v8:12026
> Change-Id: I878f7dd9a7a4abb6a501f7a7651a1240ef2082a6
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162043
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76845}
Bug: v8:12026, v8:12234
Change-Id: I5cb577051d188d17b02ca7da79a3f1d9aa646cae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162050
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76859}

vpython's default verification does not yet include this platform,
so this allows us to ensure that v8 vpython specs stay mac-arm64
compatible.
Bug: chromium:1235841
Change-Id: I0cfe369f07a786a0606f7dac13b581820c060445
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3163003
Commit-Queue: Brian Ryner <bryner@google.com>
Auto-Submit: Brian Ryner <bryner@google.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76856}

Group all the SIMD (SSE/AVX) functions in macro-assembler-x64 together,
and move Ucomisd/Ucomiss to shared-macro-assembler.
Bug: v8:11589
Change-Id: Ia2246e816615aa8e143e94a1064838b2c314d8f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3160698
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76855}

These tests don't depend on initializing the VM (for Context) or even an
isolate, so we can remove the setup code and use UNINITIALIZED_TEST
(which will not even set up an isolate).
Bug: v8:12207
Change-Id: I4b509b95cc8272db22892c32b53464678403dc7d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3160748
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76854}

This reverts commit 6b57898062.
Reason for revert: Fails layout tests: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Blink%20Linux/13751/overview
Original change's description:
> [wasm][externref] Support default value for the table.set
>
> WebAssembly.Table.set allows a default value instead of the second
> parameter, which was not supported by V8 so far.
>
> R=thibaudm@chromium.org
>
> Bug: v8:7581
> Change-Id: I417790722b1cb4f854cd0056ecb8377c330c45fa
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3141574
> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76846}
Bug: v8:7581
Change-Id: I83d9be59c66ece3184b5708e5b8a3b401e4938ed
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3163257
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#76852}

This reverts commit 16df1dfa13.
Reason for revert: Multiple failures, e.g. https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux/43844/overview
Original change's description:
> [arm64][wasm-simd] Use Cm(0) for integer comparison with 0
>
> Use an immediate zero operand for integer comparison when possible. This
> gives ~1% runtime performance improvement in some benchmarks on Neoverse
> N1.
>
> Change-Id: I727a8104f8e6ca3d122d6b5b8b3d38d7bdd76c47
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3158327
> Reviewed-by: Zhi An Ng <zhin@chromium.org>
> Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
> Cr-Commit-Position: refs/heads/main@{#76847}
Tbr: zhin@chromium.org
Change-Id: I7039106d885c59aecad24dd8dda4d151b8e1f022
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162053
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76851}

Instead of trying to detect which sanitizer we run on, just allow the
output that any sanitizer would produce.
Note that the regular expression syntax is pretty limited, so we cannot
express this as a single regex.
This removes the single use of {V8_USE_UNDEFINED_BEHAVIOR_SANITIZER}
again, but for completeness I leave it in {macros.h} for now.
TBR=jkummerow@chromium.org
Bug: v8:12226
Cq-Include-Trybots: luci.v8.try:v8_linux64_msan_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_ubsan_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_cfi_rel_ng
Change-Id: I37a6d15ebb9fdafbdbee0158ba6c540582c31301
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162046
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76850}

This reverts commit 11045926ca.
Reason for revert: Uncovered TSAN failure
Original change's description:
> [test] Avoid disabling of RCS during runtime
>
> Test was flaky since disabling of RCS at runtime is unsafe. Some code
> (e.g. TRACE_GC) is run only in case RCS is enabled and such code paths
> might also DCHECK that RCS is enabled.
> A background thread (sweeping in this case) could've already
> entered such a code path right before RCS is disabled. In this case the
> guard at the entry still saw that RCS is enabled but subsequent DCHECKs
> that ensure that RCS is enabled might fail.
>
> We could fix this by completing the sweeper tasks before disabling RCS
> but there might be other similar tasks which might be run at that point
> in the future (e.g. memory unmapper).
>
> Disabling the flag doesn't even seem to be needed for the initial
> regression test, so it seems simpler to just not disable RCS anymore.
>
> Bug: v8:12026
> Change-Id: I878f7dd9a7a4abb6a501f7a7651a1240ef2082a6
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162043
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76845}
Bug: v8:12026
Change-Id: I154817fc5ddeab68c69c745d08f3d77c48896dc4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162049
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#76848}