Currently it falls back to runtime for externalized strings.
Bug: v8:7700
Change-Id: I9bc09969915e437af5fcf563ba74a6edd9280779
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3956975
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83745}
TypeGuard nodes interpret their inputs to be of a given type, which
might not be reflected in the graph and hence may lead to a type
conflict being reported by the Simplified Lowering Verifier. This
CL adds an additional SLVerifierHint node to preserve this type
information for the verification step.
Bug: v8:12619, chromium:1370398
Change-Id: I5e4117d6b3ada053249bc000ba98d04021395ce1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3948704
Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83739}
The implementation of bytecode flushing assumes that there is a single
owning SharedFunctionInfo for each bytecode. However, sometimes there
can be two, because a couple of code paths copy content from one
SharedFunctionInfo to another (BackgroundCompileTask::FinalizeFunction
and BackgroundMergeTask::CompleteMergeInForeground). Usually this works
out okay in practice, because we only copy content from a
SharedFunctionInfo when we're about to abandon all references to it.
However, we shouldn't rely on this lucky timing, especially considering
a possible future where conservative stack scanning could retain the
copied-from SharedFunctionInfo for an arbitrarily long time due to
spurious stack references. This change updates the bytecode flushing
implementation to correctly handle the case of two SharedFunctionInfos
that point to the same BytecodeArray.
I don't know if this fixes the linked bug, but so far it's the only
semi-plausible explanation I've found.
Bug: chromium:1359773
Change-Id: Iaa2c6e4953afcb46df2ac4b17828271151d85e59
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3916272
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83728}
If Liftoff is disabled, inlining could try to inline an invalid function
body. Thus run validation explicitly if the function was not validated
before.
R=jkummerow@chromium.org
Bug: chromium:1374535, v8:13371
Change-Id: If9ce17bb90259e265dc94dbb2f9e4fb97c338f14
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3956977
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83727}
The new ref.cast (opcode 0xfb41) takes any reference and
expects a Heaptype immediate. the HeapType can be a
concrete or an abstract type.
Differently to the old ref.cast instruction, it traps on
null. A variant which doesn't trap on null (ref.cast null)
will be added in a future CL.
Bug: v8:7748
Change-Id: Id5764a7553a57c5cb838682c9ec331d15d7d25c0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3948663
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83724}
Serialize tiering information in the profile (which functions were
executed, which functions were tiered up). Use this information during
compilation (only synchronous compilation supported so far) to
immediately compile or tier up those functions.
R=jkummerow@chromium.org
Bug: v8:13209
Change-Id: I13d859ae57f60dbdb0dad3f1daf7aa0b920526d3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898997
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83720}
This is a reland of commit e3096c31d6.
The one additional use of FLAG_turboshaft is also rewritten now.
Original change's description:
> [flags] Remove FLAG_* aliases
>
> This removes the deprecated FLAG_* aliases, and switches remaining uses
> to the new v8_flags syntax.
>
> R=jkummerow@chromium.org
>
> Bug: v8:12887
> Change-Id: Icde494a3819a9b1386c91e44f5d72a55666d9eae
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3952350
> Reviewed-by: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83686}
Bug: v8:12887
Change-Id: I978df89f51e11c9a101ff3c1e385b1eced697a74
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3953292
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83717}
This CL fixes the ScopeInfo::Equals DCHECK when we update "unchanged"
functions. We don't need to make sure the outer scope info matches
exactly. LiveEdit already makes sure that outer scope infos don't
change in a way that would be bad for "unchanged" functions. It's
fine if they only change subtly by e.g. moving a outer context variable from `let` to `const`.
Note that we don't touch existing closures on the heap, those
will still reference the old scope info.
R=jarin@chromium.org
Bug: chromium:1363561
Change-Id: I5117d345d1f70e08ea436ed89f2c6deaff3f0538
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3953496
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83713}
This CL aligns minor sweeping with full sweeping such that no
sweeping happens in the atomic pause. If concurrent sweeping is
disabled, sweeping will be either on allocation or when we start
the next GC.
This CL doesn't yet enable concurrent sweeping for MinorMC.
Regressions on benchmarks with MinorMC enabled are expected.
Bug: v8:12612
Change-Id: I6df808b94783559122ee78306af932809860703d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3934769
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83712}
This is a reland of commit 3b883e787d
Fixed a test case that was merged in the meantime still using the old
kExprRefAsData which is now called kExprRefAsStruct.
Original change's description:
> Reland "[wasm-gc] Ref types: Convert dataref to structref"
>
> This is a reland of commit 20327d1599
>
> Changed in reland:
> - Added new flag wasm-gc-structref-as-dataref which defaults to true
> and preserves the existing behavior.
> - Passing --no-wasm-gc-structref-as-dataref enables the new behavior.
> - The flag affects static subtyping information between structref and
> arrays and the corresponding cast, test and br_on instructions.
> - Even with the old behavior the name still changed to "structref".
>
> Original change's description:
> > [wasm-gc] Ref types: Convert dataref to structref
> >
> > This change changes the type hierarchy in a non-backwards compatible
> > way: dataref is replaced with structref meaning that arrayref is
> > no longer a subtype of it.
> >
> > Bug: v8:7748
> > Change-Id: I965267d9ed11ea7c7d7df133cc39ee63e6b5abc3
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3929041
> > Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> > Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#83515}
>
> Bug: v8:7748
> Change-Id: I2d8dd49dbc56246c087ac93452a87f860ead2195
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3945109
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83697}
Bug: v8:7748
Change-Id: I54f7b141ffc5b7597420fa0c838412be825a260b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3952936
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83706}
This reverts commit 3b883e787d.
Reason for revert: gc-optimizations test is broken due to in-flight collision with another CL: https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket/8800403395649311857/+/u/Check/gc-optimizations
Original change's description:
> Reland "[wasm-gc] Ref types: Convert dataref to structref"
>
> This is a reland of commit 20327d1599
>
> Changed in reland:
> - Added new flag wasm-gc-structref-as-dataref which defaults to true
> and preserves the existing behavior.
> - Passing --no-wasm-gc-structref-as-dataref enables the new behavior.
> - The flag affects static subtyping information between structref and
> arrays and the corresponding cast, test and br_on instructions.
> - Even with the old behavior the name still changed to "structref".
>
> Bug: v8:7748
> Change-Id: I2d8dd49dbc56246c087ac93452a87f860ead2195
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3945109
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83697}
Bug: v8:7748
Change-Id: Icb273a6d433c47a372563d0daf68725c6c5b15e3
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3952514
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#83698}
This is a reland of commit 20327d1599
Changed in reland:
- Added new flag wasm-gc-structref-as-dataref which defaults to true
and preserves the existing behavior.
- Passing --no-wasm-gc-structref-as-dataref enables the new behavior.
- The flag affects static subtyping information between structref and
arrays and the corresponding cast, test and br_on instructions.
- Even with the old behavior the name still changed to "structref".
Original change's description:
> [wasm-gc] Ref types: Convert dataref to structref
>
> This change changes the type hierarchy in a non-backwards compatible
> way: dataref is replaced with structref meaning that arrayref is
> no longer a subtype of it.
>
> Bug: v8:7748
> Change-Id: I965267d9ed11ea7c7d7df133cc39ee63e6b5abc3
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3929041
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83515}
Bug: v8:7748
Change-Id: I2d8dd49dbc56246c087ac93452a87f860ead2195
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3945109
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83697}
A circular ownership of ref-counted resources caused the leak as the
wasm::StreamingDecoder stored a callback that contained the decoder in
its scope (needed for the URL).
Bug: chromium:1368609
Change-Id: Ib07b066c92f16b658daa1daf482f71c33a16e89a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3942066
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83695}
When we change input to an AssertNotNull node as part of an
optimization, the type of the new input might be incompatible with its
current type. Therefore we need to untype the node to not trigger an
error later.
Bug: v8:7748
Change-Id: Ica560bde908e01785cb5d1d50c20a8951bdaabd7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3948609
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83694}
Make several changes to template object caching:
* Key the cache on Script rather than SFI, so that entries stay alive
even if the SFI dies (e.g. because its parent is code flushed) but
can be resurrected (because other functions from the same script can
recreate it)
* With the above change, identify the required template object by
comparing both function literal id and feedback slot id.
* Change the cache from a linked list of CachedTemplateObjects into an
ArrayList pointing directly to the template object JSArrays.
* With CachedTemplateObjects being gone, store the function literal id
and slot id directly on the JSArray behind private symbols. Fast
path access to them in the case where the template object has the
expected map, and look them up in a slow path if the map changed
(e.g. because the template object was used as a prototype and
transitioned to a dictionary map).
Change-Id: Id715cb2fd38b9605b8e6ddf5e35336bb4f0300d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3900376
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83693}
This removes the deprecated FLAG_* aliases, and switches remaining uses
to the new v8_flags syntax.
R=jkummerow@chromium.org
Bug: v8:12887
Change-Id: Icde494a3819a9b1386c91e44f5d72a55666d9eae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3952350
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83686}
Our previous assumption that the receiver is immutable is incorrect in
constructors. Change the current logic (which never generates an
exception phi for receivers, but instead re-uses the parameter slot)
into forcing the receiver exception phi to be allocated (and spilled) in
the receiver parameter slot.
Bug: v8:7700
Change-Id: I1ba92b2e711dc0fcd7c818526b9c199cadcdd3bf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3948586
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83684}
When not in unicode sets mode, '[' within a class is an ordinary
character (not the beginning of a nested class).
While scanning for capture groups, the flag (/v) was not taken into
account.
Bug: chromium:1374232
Change-Id: I05b9758bedba25633129b12d4634510031d01544
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3952253
Auto-Submit: Patrick Thier <pthier@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83683}
In production we will only compile Wasm code with TurboFan after it has
already been executed via Liftoff. Hence we know that the code is valid,
and can skip validation. This will save some binary size, and (minimal)
run time.
Under exotic circumstances (no Liftoff, Liftoff bailed out, ...) we did
not run validation yet. In that case, run it explicitly.
Note that the {kNoValidation} mode still has the validation checks as
DCHECKs, so fuzzers can find bugs in the new logic.
R=jkummerow@chromium.org
Bug: v8:13361, v8:13371
Change-Id: I2d0896bee44a80a9d09d9c273ec5fdbe9ab8da62
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3941891
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83676}
In order to drop validation from TurboFan, we need to know which
functions have already been validated when starting TurboFan
compilation. Under normal circumstances, that would be all of them. In a
TurboFan-only configuration, or for new code where Liftoff bails out, we
could need to run validation before TurboFan compilation though.
R=jkummerow@chromium.org
Bug: v8:13361, v8:13371
Change-Id: Ia59bdb1c25e4fc4300ca3d8cfe3ac3caf4985fa1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3942090
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83674}
After an error is encounterd during RegExp parsing, indicate that there
is no more work to do.
Bug: chromium:1374042
Change-Id: Ib547a06de855028e862933897930d8ba78f8f320
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3950294
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Patrick Thier <pthier@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83673}
After the let instruction was removed again, the number and types of
locals stays constant throughout the decoding of a function. Hence store
it in a plain array instead of a ZoneVector. This makes the decoder
smaller and saves bounds checks for the "safe libc++".
R=thibaudm@chromium.org
Bug: chromium:1358853
Change-Id: Iad69aa0cfdc254710e1c2219cfb2c972241ef473
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3944929
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83671}
This CL implements the heavy lifting for re-using block lists:
- On local debug-evaluate, we check if the paused function already
has a block list. If not, we do a full re-parse, calculate the
block lists and stash them in the global map.
- On a context lookup, we do the lookup slightly differently. The
block lists now store "outer" locals, so we need to check the
block list before we advance to the next context, not before we
do the lookup in the current context.
The CL also duplicates the debugger test that checks most of these
shadowing edge cases. While we keep working on the new feature
we still want to check both configurations, but the feature is too
small to warrant a separate bot. Note that the file with the flag
enabled has one additional test case that fails with the old
implementation. Unfortunately it's non-trivial to fix in the old
implementation.
This CL drastically improves performance for conditional breakpoints
as they use local debug-evaluate under the hood. The worst case
example (https://crbug.com/1072939#c15) improves from 6.5 seconds
to 100ms.
R=jarin@chromium.org
Bug: chromium:1363561
Change-Id: I85f3d908d246f0d2e31ed272f4db6a852b9dbc39
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3941584
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83665}
Output of type UnsignedBigInt64 can be out of the range of small
BigInts. This CL inserts necessary conversion and checks for it.
Bug: chromium:1371935, v8:9407
Change-Id: I2553679452caa63111b97c89d072dd5fcc98aa7c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3939668
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#83661}
Reset() calls from the destructor of an Oilpan object were not
supported. There was no check that would prohibit such a call though
which would yield in a memory corruption.
Going forward, we support bailing out on such Reset() calls in a
graceful way, i.e., such calls are nops and merely reset the pointer
to the global handle. A subsequent GC would clean up unused nodes.
Bug: chromium:1371512, v8:13372
Change-Id: Icc86b442183fc2ab9ecd83b9a675266719acdad4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3941890
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83656}
MinorMC cannot shrink the space while concurrent sweeping is active.
This results in races between sweeping empty pages concurrently and
releasing them on the main thread.
Without concurrent sweeping, MinorMC sweeps all empty pages, then
preallocates more pages if needed, then shrinks by releasing some of
those empty/new pages.
MinorMC can instead shrink during sweeping/evacuation in the atomic
pause, before concurrent sweeping is active.
This resolves the conflict between concurrent sweeping and shrinking and
generally reduces the amount of work the GC has to do (i.e. don't
sweep/preallocate pages that will then be released by shrinking).
Bug: v8:12612
Change-Id: If898e5111c65b0b11d6ee9ee5dcd45751024650b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3933056
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83638}
AsyncGeneratorYieldNoAwait is equivalent to AsyncGeneratorResolve with
the constant false passed as the last argument. Remove it in favor of
calling AsyncGeneratorResolve directly.
Bug: v8:13275
Change-Id: Ie6a47e1f152285bccdc00ec1b7140e82460caf31
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3947530
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83637}
This is a reland of commit ed8953b695
Changes since revert:
- Work around recorded slot bug for external strings.
Original change's description:
> [strings] Fix dictionary forwarded string hash lookup
>
> Strings forwarded to external resources have their real hashes stored in
> the forwarding table. Dictionary mode lookups currently do not correctly
> load the hash for these tables, causing misses for properties that are
> in fact in the object.
>
> Bug: v8:12007
> Change-Id: I60ca4c084db7ddf6d2b7f7be8f63519c9cf3bc73
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3935218
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Patrick Thier <pthier@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83577}
Bug: v8:12007
Change-Id: Ifef5f99a46c239b2113aefa4efcdda1df1b4b6a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3940294
Reviewed-by: Patrick Thier <pthier@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83635}
Wait for TF optimisation to be requested (or to have happened) before
cranking up TF OSR urgency; this prevents us from getting into a
situation where we repeatedly call Maglev code which then OSRs into
TurboFan lots of times before finally tiering up to TurboFan properly.
Since we are waiting for TF optimisation to be requested, we also need a
mechanism to allow TF optimisation to be requested even when Maglev code
has been requested hasn't yet run (for direct Baseline->Turbofan tierup,
since Maglev can't OSR). Do so by re-trying the optimisation check if it
spits out Maglev but Maglev is already requested.
As a drive-by, clean up some naming around OSR code.
Bug: v8:7700
Change-Id: I483a412dd92fe13ee21f8aa46d86572bcf3f8a61
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3942385
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83630}
This reverts commit 4804c4de31.
Reason for revert: GC stress failure:
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20-%20gc%20stress/1075/overview
Original change's description:
> [wasm] Allocate feedback vectors on demand
>
> We previously allocated feedback vectors when instantiating the module,
> or when lazily compiling a function. That's not sufficient when there
> are multiple instances of the same NativeModule, or when we eagerly
> tier-down all code for debugging. This patch changes the "get vector from
> instance" sequence at the beginning of every Liftoff function to "get
> or allocate vector"; factored into a builtin call to avoid generating
> more code for every function.
>
> Bug: v8:12852
> Change-Id: I12ab96dc9575f5dff089147af1bf9b280616892d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3939667
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83610}
Bug: v8:12852
Change-Id: I200118185f265da7dd0956bbd5a45a4d40e4bbc0
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3943126
Owners-Override: Shu-yu Guo <syg@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83617}
We previously allocated feedback vectors when instantiating the module,
or when lazily compiling a function. That's not sufficient when there
are multiple instances of the same NativeModule, or when we eagerly
tier-down all code for debugging. This patch changes the "get vector from
instance" sequence at the beginning of every Liftoff function to "get
or allocate vector"; factored into a builtin call to avoid generating
more code for every function.
Bug: v8:12852
Change-Id: I12ab96dc9575f5dff089147af1bf9b280616892d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3939667
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83610}
This CL implements support for clamping floating point to integer
values when [Clamp] annotation is passed to a fast API call argument.
It uses min(max(value, lower_bound), upper_bound) as specified by
https://webidl.spec.whatwg.org/#es-integer-types-abstract-ops, step 7.
Bug: chromium:1052746
Change-Id: Ie12c0d98076863ac00aead9319f5770d7028773d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3749205
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83605}
This CL introduces statement positions before the right-hand side of
comma expressions, in order to align the stepping behavior (and also
generally the breakpoint behavior) around semicolon (;) and comma (,)
separated expressions.
The motivation here is that left-hand sides of comma expressions are
evaluated purely for their side-effects and as such, they aren't
really any different from statements from a developers perspective.
And more importantly, minifiers (like UglifyJS, terser, or esbuild)
by default turn statement expression lists into comma-separated
expressions, thus implicitly changing the stepping behavior in ways
that are difficult to understand for developers.
Doc: http://go/chrome-devtools:comma-stepping-proposal
Demo: https://devtools-dbg-stories.netlify.app/crbug-1370200.html
Video: https://i.imgur.com/5WC03wF.gif
Fixed: chromium:1370200
Change-Id: I38f288d964bc992d1de0dce2ed2becd4220793df
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3934288
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83599}
The process of checking a function body for validity is called
"validation" in the spec, hence also use this term in the code instead
of "verification".
R=jkummerow@chromium.org
Bug: v8:13371
Change-Id: Icef65282f829f600975ae4b10eb0847ba75e7ae3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3941887
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83598}
The CL makes Oilpan use the same data-structure (two-layer bitmap) as V8
uses for the remembered set.
Bug: chromium:1029379
Change-Id: I1213d3ae06da5e85466430875378e3b8dfdee16e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3701592
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83594}
This reverts commit ed8953b695.
Reason for revert: test fails under GC stress:
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/44191/overview
Original change's description:
> [strings] Fix dictionary forwarded string hash lookup
>
> Strings forwarded to external resources have their real hashes stored in
> the forwarding table. Dictionary mode lookups currently do not correctly
> load the hash for these tables, causing misses for properties that are
> in fact in the object.
>
> Bug: v8:12007
> Change-Id: I60ca4c084db7ddf6d2b7f7be8f63519c9cf3bc73
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3935218
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Patrick Thier <pthier@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83577}
Bug: v8:12007
Change-Id: Idcfb670e05a5434165c714b7f1e7f5b1619d28c6
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3938917
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Adam Klein <adamk@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#83580}
If the largest freelist block was at the end of the page, it was not
accounted for sweep-on-allocation.
Change-Id: Ia7cfc9543c9c448b580444b1ce96eb37f7738ece
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3938228
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83579}
REPL mode always returns a promise since we basically turn the
evaluated script in an async function. More-over, we stash the result
as a property on a plain JS object. This prevents promise chains to
resolve too far if the result of the evaluation is a promise itself.
Long story short, we don't need to wrap REPL mode results in
`Promise.resolve`, but can add the then/catch handlers directly.
This fixes the DevTools console when working with broken promise
polyfills or broken thenables.
R=bmeurer@chromium.org
Fixed: chromium:1371072
Change-Id: I96aa8eaf5939fdf6231712b047b50fee734efc0b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3929037
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83578}
Strings forwarded to external resources have their real hashes stored in
the forwarding table. Dictionary mode lookups currently do not correctly
load the hash for these tables, causing misses for properties that are
in fact in the object.
Bug: v8:12007
Change-Id: I60ca4c084db7ddf6d2b7f7be8f63519c9cf3bc73
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3935218
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83577}
Stack slots are uncompressed, so we must always write the full
64-bit pointer.
Fixed: v8:13363
Change-Id: Iac5375388dd877dff2ddb3d6ef23ed56943da704
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3938230
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83574}
This CL revises the conservative stack scanning visitor, to use the
implementation of inner pointer resolution based on the marking bits.
Bug: v8:13257
Change-Id: I97203e1f571d89912f91b3513cff24521c1df662
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3934342
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83573}
This CL exposes BigInt binary operation builtins to the interpreter and fixes the return type of the external c calls to avoid unexpected behavior on Windows. The original return type was bool which would marshal to Windows BOOL (of the same size as int) causing the return value always being true if there is garbage in upper bits. Changing bool to int32 solves the problem.
Bug: v8:9407
Change-Id: Ib56f5b163deb77566ef79166860e1921ef0065c5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3932951
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#83572}
This CL implemented Int64MulWithOverflow on x64 and arm64
to support type feedback collection for BigInt64 multiplication.
Bug: v8:9407
Change-Id: I4a0354038e02d3304d17a115e4e144afd386b5d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3934824
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#83570}
Fix breakage from moving configs into a central place
(https://crrev.com/c/3911515).
Change-Id: Id68d5c104cffccb4793417eff3088d7748a179fc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3938068
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83569}
This CL fixes two bugs in the unit test for inner pointer resolution,
implemented using the marking bitmap. First, the tests would not compile
after crrev.com/c/3925548, which moved the marking state from the
collector to the heap. Second, some tests would fail in builds without
pointer compression, because the size of words in heap is different.
Bug: v8:13257
Change-Id: I8e6c9c70daa9ed9a8f0ebd5a06f7c017445400e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3937964
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83563}
The function-body-decoder-impl.h header is really heavy, and a comment
at its beginning says that it should only be included for new
implementations of WasmFullDecoder.
While there are other nice reasons to include it (e.g. for the Immediate
types), many includes were not needed.
This CL removes them, and adds other needed includes as needed instead.
R=jkummerow@chromium.org
Bug: v8:13312
Change-Id: I84efab0814fc1a38643960f49c7641c824b75f71
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3933055
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83561}
Input sizes are reduced from 64 to 60 to satisfy the requirement
of "small" without influencing the scores in some existing
benchmarks.
Bug: v8:9407
Change-Id: I51ca0b9a7a8c128c9fc863e4ff0587eeebdd7bac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3929031
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#83560}
- For suspending WebAssembly.Functions imported as table elements,
ensure that we compile the suspending variant of the wasm-to-js
wrapper
- Fix stub call mode for WasmSuspend builtin call
R=jkummerow@chromium.org
Bug: v8:12191
Change-Id: I8edd4e8a5c735909e5163e5a3700cd5567a6e27a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3937965
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83559}
This is needed to simplify concurrent sweeping for MinorMC.
Also: move evacuation verifiers to a separate file so that they can be
used from heap.cc as well.
Bug: v8:12612
Change-Id: I2a738a31e83a357f4fdded8a30ccb2ff6ba70553
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3932720
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83557}
The CL sligthly generalizes SlotSet by parameterizing it with slot size.
SlotSet is abstracted into BasicSlotSet, which is moved to heap::base::.
V8 GC related parts stay in slot-set.h
Bug: chromium:1029379
Change-Id: I093332b77682d2b31e61a91d4b0110fa95b5c908
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695595
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83553}
Implements the normative change
https://github.com/tc39/ecma262/pull/2819, which removes the await
inside async generator yield*. The delegating iterator result is already
awaited, and this effectively removes an extra tick and unwrapping.
The implementation of `yield` uses the existing AsyncGeneratorYield
builtin, which already performs an Await. It is renamed to
AsyncGeneratorYieldWithAwait.
The implementation of `yield*` uses a new builtin named
AsyncGeneratorYieldNoAwait, which does not perform an Await.
Bug: v8:13275
Change-Id: I88569f1e982edfb6a193c2fa07544fc59732f380
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3919916
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83545}
This reverts commit 20327d1599.
Reason for revert: The code for structref/dataref is in use in
combination with array types, so the change breaks their use cases.
Reverting to restore the previous semantics of dataref.
Original change's description:
> [wasm-gc] Ref types: Convert dataref to structref
>
> This change changes the type hierarchy in a non-backwards compatible
> way: dataref is replaced with structref meaning that arrayref is
> no longer a subtype of it.
>
> Bug: v8:7748
> Change-Id: I965267d9ed11ea7c7d7df133cc39ee63e6b5abc3
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3929041
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83515}
Bug: v8:7748
Change-Id: I2a0bcafafe6f67df87aac86813f74573b708cce4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3936156
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#83544}
Detach the marking state from the collectors and move them to heap.
Also update users to access via heap and reduce dependencies on the
collectors.
This is a prerequisite for moving sweeper to the heap, which is needed
for concurrent sweeping in MinorMC.
Bug: v8:12612
Change-Id: Ia0bb2b7566b24eeb0d75c911edbfd626f07dad0f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3925548
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83542}
Currently, LiveEdit updates the source positions of unchanged SFIs
in-place (the SFI could have moved due to other functions changing).
This interfere with our plans to re-use ScopeInfo-based blocklists
for debug-evaluate. Entries in the global block list cache are keyed
by ScopeInfo's source position. Any closure that escaped a
debug-evaluate will point to the old ScopeInfo in its context chain
and the block lists should stay in-place in case the escaped closure
is called again.
Rather than updating ScopeInfos in-place, this CL updates the
ScopeInfo object wholesale for unchanged SFIs. This is safe todo
given that the old and new ScopeInfo are identical modulo source
positions.
Drive-by: Take the source position of the function token from the
`FunctionLiteral` rather than doing a more expensive position
translation.
Bug: chromium:1363561
Change-Id: I2b8476edd8d7dc4c618e53551aa5692a21d6fb32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3932724
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83536}
This CL fixes the remaining test failures when running test with the
--shared-heap flag locally:
* Remove uses of shared_isolate()
* Fix slot recording in Mark-Compact and Scavenger
* Fixes DCHECKs in tests that do not hold with --shared-heap
Bug: v8:13267
Change-Id: I6869ece70f1e6156d9bb1281e6cd876cf8d471eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3918377
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83530}
Shared heap requires write barriers to keep track of old to shared
references.
This CL also disables all shared-memory/* mjsunit tests for single
generation configurations. These tests generally should not work
since the single generation bot also disables write barriers.
This should resolve the remaining single generation failures.
Bug: v8:11708, v8:13322
Change-Id: Ie0b0cbbc782afb607c1d13ccb4edcb2672ebf51b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3934770
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83528}
Source map urls can be parsed from the magic comments. Expose them with
public apis on the UnboundModuleScript, similar to the UnboundScript.
Change-Id: Ia5dfdc8ff25f825c9fa7d241d0d79ba20028586b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3917379
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Chengzhong Wu (legendecas) <legendecas@gmail.com>
Cr-Commit-Position: refs/heads/main@{#83527}
The Symbols-as-WeakMap-keys proposal allows non-Symbol.for Symbol values
in weak collections, which means it can show in EntryPreviews.
Also apparently Symbols in regular Maps and Sets were also unsupported.
Bug: v8:13350, v8:12947
Change-Id: Ib10476fa2f3c7f59af67933f0bf61640be1bbd97
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3930037
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83518}
This change changes the type hierarchy in a non-backwards compatible
way: dataref is replaced with structref meaning that arrayref is
no longer a subtype of it.
Bug: v8:7748
Change-Id: I965267d9ed11ea7c7d7df133cc39ee63e6b5abc3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3929041
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83515}
Due to stack slot reuse, any of the moves that are part of the handler
trampoline may conflict and thus need parallel move resolution.
Materialisations (= calls to the NewHeapNumber builtin) add an addtl
complication since a) materialising moves can also be part of any
move conflict, b) the builtin call may clobber arbitrary registers,
and c) materialisation need a spot to store the NewHeapNumber result.
We resolve this by materialising into new temporary stack slots
before the main move sequence, and popping into the final target
locations after the main move sequence.
Bug: v8:7700
Change-Id: I1734faf189d02e38af07a817a9b647e2dce54f22
Fixed: chromium:1368046
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3921515
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83511}
This CL merely maintains concurrent marking in MinorMC in a stable
state, i.e. it builds and passes tests.
Bug: v8:13012
Change-Id: I866fdbdfcdcc9ae101b63323aa43ceeeab882b45
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3934271
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83510}
Provide dummies for performance methods that are irrelevant for
differential fuzzing.
Bug: chromium:1370405
Change-Id: I91dcadc446314dbfc97b09a95f054c867574e345
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3932722
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83509}
There are a few DCHECKs that weren't updated to allow for Symbols as
weak collection keys. This CL updates those DCHECKs and also does the
following refactors for clarity:
- Add Object::CanBeHeldWeakly
- Rename GotoIfCannotBeWeakKey -> GotoIfCannotBeHeldWeakly to align with
spec AO name
Bug: chromium:1370400, chromium:1370402, v8:12947
Change-Id: I380840c8377497feae97e3fca37555dae0dcc255
Fixed: chromium:1370400, chromium:1370402
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3928150
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83507}
This CL fixes a use-after-free bug where we try to access an
`InjectedScript` object after it died. This can happen when we
transition into JS and back and the context group dies in the mean
time (e.g. because of a navigation). Normally we check for this but
we missed a call to `Promise#then`.
The access that triggers the UaF is when we try to stash away the
protocol callback function after returning from `Promise#then`.
The callback function is responsible for sending the protocol
response back to DevTools containing the result of the evaluation.
There are two objects with different lifetimes involved:
- InjectedScript: Owns the `EvaluationCallback`. We keep a
a reference in case the context group dies. This allows us to
cancel any pending evaluate requests.
- ProtocolPromiseHandler: Has a reference to `EvaluationCallback`.
The handler itself is managed by the V8 GC via `v8::External`
and a weak `v8::Global`.
When the `ProtocolPromiseHandler` wants use the callback to send
a response, it needs to take ownership first.
We could invert the ownership but it's preferable for evaluation
callbacks to die together with execution contexts and not when the
GC feels like it.
We fix the UaF by using an `InjectedSript::ContextScope` and reloading
the `InjectedScript` after we return from `Promise#then`. Then
we can take proper ownership of the callback and use it in case the
call failed.
R=jarin@chormium.org
Fixed: chromium:1366843
Change-Id: I3a68e8609a9681d7343c71f43cc6e67064f41530
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3925937
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83506}
When incremental marking has started and the scavenger is triggered,
young generation pages that end up in the "from" space may contain
unclean markbits. In this case, inner pointer resolution may return
base pointers to the start of objects that are not on the page anymore.
This is problematic if the page contents have been zapped. This CL fixes
this and improves the corresponding unit test.
Bug: v8:13257
Change-Id: I9f4a05270a66e15e86519a2d6574b4afe100a48d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3925935
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83496}
This will be used for lowering 64bit division by a constant.
Change-Id: I79153b81fe58757feeffb6c6c170f6f62fdd2a60
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872268
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83493}
... when iteration over fast array is aborted. This change affects
JSCollection constructors.
According to the iteration protocol the iterator must be properly
closed in case the element can't be added to the collection.
Bug: chromium:1357318
Change-Id: I30cff249449dbb5ac0f48111a681caedcf37e326
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3928743
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83486}
With BigInt64 feedback, SpeculativeBigIntAdd can be lowered to
CheckedBigInt64Add with type checks for input. Deopt is triggered if
the result overflows or the input is out of range.
A unit test is added to make sure there is no deopt loop.
Bug: v8:9407
Change-Id: I61a25737208c81a9619d959961fc5ab10e069546
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3921521
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83485}
Add simple implementations of performance.mark/performance.measure --
these aren't fully to spec, and in particular don't have the right base
class or prototype, but they're similar enough for simple use.
Additionally, log trace events for performance.measure, similar to
Chromium -- this allows us to annotate traces collected with d8's
--enable-tracing.
Change-Id: Ib4d7104ba94a261493c57334b2008956e4d89dd1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3918092
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83478}
The new ref.test (opcode 0xfb40) takes an any reference (vs. data on
the old instruction) and expects a HeapType immediate.
The HeapType can be a concrete or an abstract type.
Bug: v8:7748
Change-Id: Iaa2010af21d3fee76e27a5f4476ae00f5ca837a1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3913028
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83475}
assertThrows catches both early errors during parse time and exceptions
thrown during runtime.
To be able to test more specificially, add assertEarlyError to check for
syntax errors during parsing and assertThrowsAtRuntime to check that
code throws while executed.
Change-Id: I61ee78c4b2beec266dfbed3999cd4df1786d0c9a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3925198
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83472}
This reverts the following commits:
* [runtime] Clean up dead entries in the template cache"
8436c0059c.
* [runtime] Don't update template map for existing templates
e7b9604040.
* [runtime] Fix hash used in template cache
caa087bb18.
* [runtime] Hold cached template objects weakly
5d19e724d2.
* [runtime] Key template object cache on Script
f3a0e8bccf.
There are gerrit UI issues which appear to be template object caching
related.
For dashboard:
This reverts commit 8436c0059c.
This reverts commit e7b9604040.
This reverts commit caa087bb18.
This reverts commit 5d19e724d2.
This reverts commit f3a0e8bccf.
Bug: v8:13190
Bug: chromium:1366900
Change-Id: I9759771441a4dece2a5dbb47e462ce0c0c01b182
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3925696
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83471}
Following up on https://crrev.com/c/3916453, we also remove the
confusing breakable and steppable positions from spreads in array
literals. These positions provide no meaningful advdantage for
developers, but just makes it annoying to step through code that
contains spreads.
Drive-by: Add similar inspector tests to ensure that the positions in
the stack are correctly inferred when stopped in the Symbol.iterator or
the next methods.
Before: https://imgur.com/jVf2JeB.png
After: https://imgur.com/u8SfNhy.png
Fixed: chromium:1368971
Change-Id: Ibf791167936c1ed28ac3240acb7c0846b11ebecb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3925200
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83469}
Since JSPI doesn't work without type reflection, this ensures that
passing --experimental-wasm-stack-switching alone doesn't leave
developers (or users) in a broken state.
Bug: v8:12191
Change-Id: Idfabc39b7c9352dd20009924fda07504c4e5087b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3919913
Auto-Submit: Adam Klein <adamk@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83467}
This reverts commit 178148045f.
Reason for revert: regresses JetStream2 a lot.
Original change's description:
> [runtime] Invalidate XxxIteratorLookupChain protectors
>
> ... when "return" property is added to respective iterator or might be
> added somewhere up the prototype chain.
>
> According to the iterator protocol the "return" callback must be
> called when iteration is aborted in the middle.
>
> Bug: chromium:1357318
> Change-Id: I36d81b90cfd40e417136ab97ec53ad7054f4df77
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3916630
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83427}
Bug: chromium:1357318, chromium:1368400, v8:13335
Change-Id: I8b14a2c47819a89d9b2c869a7bcb52e2c2457427
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3925199
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83466}
... exception.
Array#join depends array_join_stack to avoid infinite loop
and ensures symmetric pushes/pops through catch blocks to
correctly maintain the elements in the join stack.
However, the stack does not pop the elements and leaves in
an invalid state when throwing the uncatchable termination
exception. And the invalid join stack state will affect
subsequent Array#join calls. Because all the terminate
exception will be handled by Isolate::UnwindAndFindHandler,
we could clear the array join stack when unwinding the terminate
exception.
Bug: v8:13259
Change-Id: I23823e823c5fe0b089528c5cf654864cea78ebeb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878451
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#83465}
... after gc.
This CL also adds a runtime test function GetWeakCollectionSize
to get the weak collection size.
Bug: v8:12947
Change-Id: I4aff39165a54b63b3d690bfea71c2a439da01d00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905071
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#83464}
This CL moves the code for requesting a GC from a non-main thread from
LocalHeap to Heap into CollectGarbageBackground().
The CL then makes use of this method in CollectGarbageShared() to
request a GC with --shared-space.
Bug: v8:13267
Change-Id: I2946cf5068ef8eb9eb99f9d396ac466d68abc7ec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3916634
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83456}
This change removes the confusing statement positions that were
previously emitted for every binding identifier within both array
and object destructurings. These statement positions were reported as
breakable positions to the debugger front-end, and during stepping, the
debugger would also stop on them. This is confusing and very different
from how other expressions work (we don't emit statement positions
within expressions normally).
Instead we emit expression positions for the binding identifiers, which
are used to construct the source positions for stack traces. As a drive
by we also add the missing position (and test cases) for sub-patterns.
In particular this aligns the stepping and breakpoint behavior around
destructuring expressions with that of Firefox DevTools.
We also remove the original test cases, introduced with
https://codereview.chromium.org/1542813003 and
https://codereview.chromium.org/1533313002, which were written as
debugger tests, with new inspector tests that also ensure that the
call positions are correct.
Fixed: chromium:1368444
Bug: v8:811
Doc: http://go/chrome-devtools:destructuring-breakpoints-design
Change-Id: I4d53ad059b5eede73abd01d9bc9fdf8263c55c9d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3916453
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Kim-Anh Tran <kimanh@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83455}
Also drive-by adds a test for toSpliced on an empty array.
Bug: chromium:1367651, v8:12764
Change-Id: I59ff19ef73dd6c5ea972dc6f39f1968858099ef8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3919870
Commit-Queue: Adam Klein <adamk@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83441}
It is possible, though unlikely, that V8 will deserialize code cache
data, decide to merge that new data with an existing script from the
Isolate compilation cache, and subsequently do nothing in the background
portion of the merge (make no heap changes, and request no follow-up
changes on the main thread). In this case, the most optimal outcome is
to reuse the script from the Isolate compilation cache, not to use the
newly deserialized script.
CodeSerializer::FinishOffThreadDeserialize uses
BackgroundMergeTask::HasPendingForegroundWork to determine whether it
should complete the merge and use the Script from the compilation cache
or complete the deserialization and use the newly deserialized Script.
This change updates HasPendingForegroundWork so that it will return true
even if the merge was a no-op.
Bug: v8:12808
Change-Id: I08fcb814e797218e5be2b4ce4f45bd4e0637ec80
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3916270
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83439}
This CL decouples the Wasm GC JS interop from the experimental
string <-> array conversions as the interop is now enabled by
default, still there are some issues discovered with the
conversions.
The functions are fixed via https://chromium-review.googlesource.com/c/v8/v8/+/3916633.
Bug: chromium:1366881
Change-Id: I27730523a51d24a7ea18199e1668e8c76f0bcb4d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3916088
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83435}
ref.cast_nop is used for internal testing only.
0xfb48 will become ref.test null.
Bug: v8:7748
Change-Id: Iaee762dd97a993a361edddf656090210876178a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3913205
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83430}
... when "return" property is added to respective iterator or might be
added somewhere up the prototype chain.
According to the iterator protocol the "return" callback must be
called when iteration is aborted in the middle.
Bug: chromium:1357318
Change-Id: I36d81b90cfd40e417136ab97ec53ad7054f4df77
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3916630
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83427}
Collect feedback for BigInt64 in interpreter and change the runtime
for BigInt64 addition.
Bug: v8:9407
Change-Id: Ic69ba2c1f5ada998ac5ee3279e8296efe084d600
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3909809
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83419}
MSVC is confused by initializer list and default parameter, and reports
an ambiguous call.
test/cctest/test-assembler-arm64.cc(12208): error C2668: 'v8::internal::Clobber': ambiguous call to overloaded function
test-utils-arm64.h(251): note: could be 'void v8::internal::Clobber(v8::internal::MacroAssembler *,v8::internal::CPURegList)'
test-utils-arm64.h(241): note: or 'void v8::internal::Clobber(v8::internal::MacroAssembler *,v8::internal::RegList,const uint64_t)'
Solution is to construct with explicit type.
Bug: v8:13312
Change-Id: I66f5ba48bcdf6eb30035beaf7214a3d26fc9f18b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3913034
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83406}
Array#with and TypedArray#with adapt their arguments because they have a
fixed arity of 2. Builtins that adapt arguments shouldn't use
...arguments in Torque, which results in a "don't adapt" sentinel to be
generated, resulting in incorrect frame size computation.
Bug: v8:12764, chromium:1367133
Change-Id: I81c1ef2cdef25d049fa0b8effcb2a953c2a9846b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3915939
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83405}
clang/clang-cl compiled happily (probably included transitively this
header), but not MSVC.
Bug: v8:13312
Change-Id: I69b6c15f76d8ef13e4fac33f733717429ba96f71
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3913033
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83402}
This aligns the breakpoint behavior of YieldExpression and
AwaitExpression with the behavior of AssignmentExpression
in V8. It basically boils down to not reporting expression
positions on SuspendGenerator bytecodes as breakable
locations.
In particular the initial implicit yield of any generator
function is no longer a breakable position. In light of
this changes we also refine https://crrev.com/c/2949099
to not be able to step to the initial implicit yield
either, which would otherwise be really odd.
Before: https://imgur.com/KYy9F1S.png
After: https://imgur.com/gCnWU8J.png
Doc: https://goo.gle/devtools-reliable-await-breakpoints
Bug: chromium:901814, chromium:1319019, chromium:1246869
Fixed: chromium:1319019, chromium:1357501
Change-Id: I0c5f83e279918eb392d8f77a8a04c4c0285f938e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3909688
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83392}
This is a reland of commit 80fb281561
This CL fixes the signedness of rematerialized Numbers from immediates, which was introduced by the original change. Besides, BigInt truncation to zero bits is lowered to Int64Constant instead of NumberConstant of zero, which will flow into the state values directly.
Original change's description:
> [turbofan] Rematerialize BigInt64 in deopt
>
> This CL introduces two MachineTypes - SignedBigInt64 and UnsignedBigInt64, which are represented as Word64 but will be rematerialized to BigInt in deoptimization. This will avoid unnecessary conversions for BigInt64s when they are passed to StateValues.
>
> Bug: v8:9407
> Change-Id: I65fdee3e028ed8f9920b1c20ff78993c7784de48
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858238
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Commit-Queue: Qifan Pan <panq@google.com>
> Cr-Commit-Position: refs/heads/main@{#83230}
Bug: v8:9407, chromium:1364319, chromium:1364400
Change-Id: I0b4e077b52f64af46018b6c045893bbd56153f32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899258
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83384}
V8-side implementation for trusted types fromLiteral.
Create a separate JSArray root map for template literal objects to
clearly identify untampered template literals belonging to a given
context.
Given that template literals are frozen arrays with a 'raw' property,
we don't expect additional polymorphism.
Drive-by-fix:
Avoid ValidateElements call in NewJSArrayWithElements.
Bug: chromium:1271149
Change-Id: I327b0fd99a2db3b57d35efa9293ddf2f14e555ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3572044
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83383}
We set the JSArray's length to the elements's length before,
which is wrong when the elements have the slack part. We could
serialize the correct length and only the actual elements excluding
the slack part for JSArray's elements. And we do the same thing
for the objects to avoid serializing unnecessary elements.
Bug: v8:13304
Change-Id: Ib68e06f409bfcab5c57fb5532e188aa0099d1140
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905061
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83380}
We don't remove the code just yet in case we need to re-enable the
feature. This could be in case we discover workflows not covered by
the "Scope View" and the scopes we report on "Debugger.paused".
R=kimanh@chromium.org
Bug: chromium:1365858
Change-Id: I636cc861af932156944a3f6e0a149cce0f939329
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905185
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83379}
This reverts commit 2a7f86edcb.
Reason for revert: Blocking the roll (https://ci.chromium.org/ui/p/chromium/builders/try/mac-rel/b8802346196479466065/test-results?q=ExactID%3Aninja%3A%2F%2Fgin%3Agin_unittests%2FGinShellTest.HelloWorld+VHash%3A46648b293475ce2a&clean=)
Original change's description:
> Reland "[v8] Use |AllocateAtLeast| for resizing v8 zones."
>
> This is a reland of commit 4444874cdf
> This fixes a failure on the UBSan bots caused by assuming |Realloc| is always in-place if the new size is <= the value of |malloc_usable_size|.
>
> Original change's description:
> > [v8] Use |AllocateAtLeast| for resizing v8 zones.
> >
> > This is part of an ongoing effort to reduce fragmentation in Chrome. Partition alloc shows v8 zones are a large user of memory in Renderer processes, and that there is fragmentation from these allocations. This CL will reduce this fragmentation by allowing v8 to use all allocated memory for its zones.
> >
> > Bug: v8:13193, chromium:1238858
> > Change-Id: Ibeac8bdba9d0e7ff66b14a3dde10e7c87d3cf953
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3889361
> > Reviewed-by: Adam Klein <adamk@chromium.org>
> > Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
> > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#83235}
>
> Bug: v8:13193, chromium:1238858
> Change-Id: I923bcbce8403dd7d84642340fd7202087b8a4440
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3910268
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83372}
Bug: v8:13193, chromium:1238858
Change-Id: I32f9c4701a29c0516e3f587f1c6028e4d4158466
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3909358
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83378}
Blink has shipped import assertions since M91, so it is safe enough to
go straight to shipping here.
Bug: v8:10958
Change-Id: I3256172473a1ae8ce74e7fa63b14137e24568360
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3911378
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83373}
This is a reland of commit 4444874cdf
This fixes a failure on the UBSan bots caused by assuming |Realloc| is always in-place if the new size is <= the value of |malloc_usable_size|.
Original change's description:
> [v8] Use |AllocateAtLeast| for resizing v8 zones.
>
> This is part of an ongoing effort to reduce fragmentation in Chrome. Partition alloc shows v8 zones are a large user of memory in Renderer processes, and that there is fragmentation from these allocations. This CL will reduce this fragmentation by allowing v8 to use all allocated memory for its zones.
>
> Bug: v8:13193, chromium:1238858
> Change-Id: Ibeac8bdba9d0e7ff66b14a3dde10e7c87d3cf953
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3889361
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83235}
Bug: v8:13193, chromium:1238858
Change-Id: I923bcbce8403dd7d84642340fd7202087b8a4440
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3910268
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83372}
This CL implements collection of garbage in the shared spaces in
the shared heap isolate. GC on such an isolate should now work
correctly without worker isolates. Support for worker isolates will
be implemented in a subsequent CL.
Bug: v8:13267
Change-Id: I30125ce3b791e2faa0504d065f23639d6106e6b6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904647
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83371}
- Use non-idle tasks to be able to process finalizers on time.
- Only process finalizers while concurrent marking is still running.
Bug: v8:13294
Change-Id: I1a2812c3fc350ea679c4c916c230cf736f2aa3ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904648
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83367}
There is no -0n, and we'd therefore never serialize such a BigInt.
But we can't trust serialized data to not have gotten corrupted
(or be fuzzer-generated), so guard against this case when
deserializing.
Fixed: chromium:1359937
Change-Id: If11d9a364480bae51911cc4a0ce8a719853139fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904414
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83362}
This test breaks when interrupts occur with unfortunate timing. Maglev
increases flakiness of this test since finished Maglev compiles all
raise a new interrupt (and interrupts abort-and-retry regexp
execution).
Disable concurrent recompilation for this test, and drive-by fix the
--trace-regexp-tier-up flag.
Bug: v8:7700
Change-Id: I170c911fe2308b0b5ad9941e695f11f8925455f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904604
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83359}
Correct the test expect result as the spec specifies the accumulator is 2*SEW
bits. Fix the simulator implementation as well.
R=qiuji@iscas.ac.cn
Change-Id: Ia5d11b3214cf32635c3767df75992b2a50ee6980
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878452
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#83354}
