When searching for a target map during map update, attempt to
update field representations in-place to the more general
representation, where possible.
Bug: chromium:1143772
Change-Id: I6a43c94910a1d2d8f8b0ad89048f94b51461f76c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2507715
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70887}
This allows GC to go slightly over the max heap limit in order to give
NearHeapLimitCallback a chance to run and increase the limit.
Based on the suggestion by Kenton Varda.
Change-Id: I9c084b5a4c8fb7b9ce331b565958391c1be56add
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2505724
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70884}
Fix super calls so that arguments are evaluated before the
super constructor is checked to be in fact a constructor.
A new bytecode is introduced to split the IsConstructor check
out from the current GetSuperConstructor bytecode.
Bug: v8:10111
Change-Id: I3af99e32a34d99493806bb01b547d6f671cdc9de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2493077
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70881}
This CL changes the "small" versions of ordered hash tables, like
SmallOrderedNameDictionary and the corresponding handlers, like
OrderedNameDictionaryHandler, to use InternalIndex rather than int
as the type used for indices.
This is part of an effort to make the interfaces of the
ordered and unordered name dictionaries more similar.
Bug: v8:7569
Change-Id: I3b6fe79dfd3c6743f58a04cfe82798fe2ef09e19
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2505720
Commit-Queue: Frank Emrich <emrich@google.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70876}
For-in now collect feedback as well, the test passes.
Tbr: neis@chromium.org
Bug: v8:8888
Change-Id: I4e2ae41b60aa43132a24f001dc4de460a270a1a8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2505766
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70874}
This changes the ordered hash data structures in ordered-hash-table.h to
use InternalIndex as the type used for indices, rather than int.
This makes the interface more similar to the (unordered) hash tables in
dictionary.h and hash-table.h
Bug: v8:7569
Change-Id: I2389b0c7d103eb7c33c5ed620b16eb198109b54c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2503949
Commit-Queue: Frank Emrich <emrich@google.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70873}
Inside of LoopPeeler::PeelInnerLoopsOfTree we call the typer, which
inspects heap objects, so we need to unpark the local heap.
Reverted in https://chromium-review.googlesource.com/c/v8/v8/+/2502333
Original change's description:
> [compiler] Replace Symbol with direct reads
>
> Bug: v8:7790
> Change-Id: I49120a6349777fd992a97d697940e79b2e71dbd1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2400988
> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#69812}
Bug: v8:7790, chromium:1137594
Change-Id: I8539175002e19b04b84009eb6b2cc5ced4ee53c9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2502339
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70872}
The speedup in https://crrev.com/c/2504853 left out checking the array
lengths, this adds that check.
Bug: v8:7783
Change-Id: I8de01fa2dff3e051246ee3a268cdce2128ad16ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2505252
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70869}
This is a reland of e68285e21d
Failing wasm tests seemed to recover on their own.
Original change's description:
> cppgc-js: heap snapshot: Add logic for querying detachedness
>
> Adds infrastructure to allow embedders specifying a detachedness state
> that is queried when encountering an object with a TraceReference that
> has a non-zero wrapper class id set.
>
> Change-Id: Ie7f2f253544ee25a25565eb08d82e9df5f0a74d2
> Bug: chromium:1056170
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2502345
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70841}
Bug: chromium:1056170
Change-Id: I293a9d38f841b4d0faa4af7408bb57544f11d566
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2505713
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70867}
This reverts commit 1eecdf3450.
Reason for revert: unacceptable binary size increase (+65.5 KiB)
We’ll reland once we implement a more efficient way to store the
sequences.
Original change's description:
> Update RegExp sequence property support
>
> This patch aligns --harmony-regexp-sequence with the latest version of
> the corresponding TC39 and Unicode proposals.
>
> The list of supported properties has been changed:
>
> - https://github.com/tc39/proposal-regexp-unicode-sequence-properties#proposed-solution
> - https://unicode.org/reports/tr18/#Full_Properties
>
> Furthermore, the Unicode data now uses Unicode v13.0.0 instead of v12.0.0.
>
> Bug: v8:7467
> Change-Id: I1ac386d87af68d68e84e919cb5ffc1313443844a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2497163
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Mathias Bynens <mathias@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70752}
TBR=yangguo@chromium.org,jgruber@chromium.org,mathias@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:7467
Change-Id: I6721f4862827dc686d96d79498a1e8fdae4481d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2505758
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70866}
Test was skipped because the generated test contains multi-byte opcode,
and wasn't correct. Fix up the test with the correct encoding. The
fuzzer now generates multi-byte opcodes correctly, and so shouldn't be
an issue.
Bug: v8:10486
Change-Id: I1f5ad7d456320a30da6c553f65fdca0fc86a291a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2505238
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70864}
PPC has a larger page size than other platforms, so increase the page
size in the test to account for this.
Change-Id: I392064e9ef3f87c5bddb7763b35661aee5b4669d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2502330
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Milad Fa <mfarazma@redhat.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70857}
This is a reland of 44f46defcf with a
fix for failures with --turbonci_as_mid_tier
Original change's description:
> [turboprop] Pass required parameters as value inputs to TierUpCheck node
>
> TierUpCheck node tail calls interpreter entry trampoline when additional
> processing is needed for tiering up. Calling IET requires target,
> new_target, input count and context as parameters. Earlier these were
> created as parameter nodes in effect-control-linearizer. This causes
> problems with Turboprop since TurboProp doesn't use the second scheduler
> and cannot reschedule these nodes to the start block. We should instead
> create these parameter nodes in bytecode-graph-builder and pass them
> as value inputs to TierUpCheck node.
>
> Bug: v8:9684
> Change-Id: Icfe5a33b4e628d5a3ba9a3121b2b0746be6aed5c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2498695
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Commit-Queue: Mythri Alle <mythria@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70790}
Bug: v8:9684
Change-Id: Ic1a7d39aab0a599d0dd421f237e7bc640fcd6eb1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2504258
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70856}
This CL splits the class definitions per .tq file, to realize the
following relationship:
A class defined in src/objects/foo.tq has a C++ definition in
src/objects/foo.h. Torque then generates:
- torque-generated/src/objects/foo-tq.inc
An include file (no proper header) to be included in src/objects/foo.h
containing the Torque-generated C++ class definition.
- torque-generated/src/objects/foo-tq-inl.inc
An include file (no proper header) to be included in
src/objects/foo-inl.h containing inline function definitions.
- torque-generated/src/objects/foo-tq.cc
A source file including src/objects/foo-inl.h that contains non-inline
function definitions.
Advantages of this approach:
- Avoid big monolithic headers and preserve the work that went into
splitting objects.h
- Moving a definition to Torque keeps everything in the same place
from a C++ viewpoint, including a fully Torque-generated C++ class
definition.
- The Torque-generated include files do not need to be independent
headers, necessary includes or forward declarations can just be added
to the headers that include them.
Drive-by changes:
A bunch of definitions and files had to be moved or created to realize
a consistent 1:1 relationship between .tq files and C++ headers.
Bug: v8:7793
TBR: hpayer@chromium.org
Change-Id: I239a89a16d0bc856a8669d7c92aeafe24a7c7663
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2470571
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#70853}
This simplifies the logic since we can guarantee to have a
Handle<String>. The removed constructor was only used in tests.
Change-Id: I13519e474fe92892e9e8a39802d84cfab2c5b5ed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2505711
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70849}
Disable the BackgroundCompileTask and CompilerDispatcher unittests when
--finalize-streaming-on-background is enabled. The inner function API to
concurrent compilation doesn't yet support off-thread finalization, so
these tests break under that configuration.
Bug: chromium:1011762
Change-Id: If8d8d8e814161668e12f309e8d69ef8e8a29ab4a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2502329
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70846}
This reverts commit e68285e21d.
Reason for revert: ASAN test failing:
https://ci.chromium.org/p/v8/builders/ci/V8%20Mac64%20ASAN/29838?
Original change's description:
> cppgc-js: heap snapshot: Add logic for querying detachedness
>
> Adds infrastructure to allow embedders specifying a detachedness state
> that is queried when encountering an object with a TraceReference that
> has a non-zero wrapper class id set.
>
> Change-Id: Ie7f2f253544ee25a25565eb08d82e9df5f0a74d2
> Bug: chromium:1056170
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2502345
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70841}
TBR=ulan@chromium.org,mlippautz@chromium.org,omerkatz@chromium.org
Change-Id: Ic13337b9c5b336a81efa5f2672f5a501084b5326
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:1056170
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2505613
Reviewed-by: Francis McCabe <fgm@chromium.org>
Commit-Queue: Francis McCabe <fgm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70843}
https://github.com/tc39/proposal-dynamic-code-brand-checks
An experimental implementation of the TC39 "Dynamic Code Brand Checks". This
implementation sticks an API-only symbol on each "code kind" object, which
is more flexible, but costs memory for each instance.
Bug: chromium:1096017
Change-Id: Idfeca035c61204ca0cea8ec735fdfa40a49d85e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2339618
Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70842}
Adds infrastructure to allow embedders specifying a detachedness state
that is queried when encountering an object with a TraceReference that
has a non-zero wrapper class id set.
Change-Id: Ie7f2f253544ee25a25565eb08d82e9df5f0a74d2
Bug: chromium:1056170
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2502345
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70841}
The flag has been enabled by default for two version now, so it is time
to remove it.
R=binji@chromium.org
Bug: v8:9921
Change-Id: I833e04a3f9d238e7bcf27e93148c9492776af3c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2402034
Reviewed-by: Ben Smith <binji@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70838}
This is a reland of d7ece57e20 with
a fix to failures on NumFuzz.
Original change's description:
> [turboprop] Add a slot for optimization marker in feedback vector
>
> Optimization marker and the optimized code used to share the same slot
> in the feedback vector as they were mutually exclusive. With turboprop
> we would want to mark the function for tier up to Turbofan while holding
> the optimized code for Turboprop. So this cl uses the existing padding
> field to hold the optimization marker instead.
>
> As a driveby, removes unused JSFunction::ClearOptimizedCodeSlot function
> and fixes a minor bug in Runtime_GetOptimizationStatus.
>
> Bug: v8:9684
> Change-Id: I18c551a69648a0837d16c5453d023c0b295b1521
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2467836
> Commit-Queue: Mythri Alle <mythria@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70789}
Bug: v8:9684
Change-Id: Ie6aa3c061a852bb047b5921e4e747d43505568e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2502871
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70834}
The value of a node was accessed without prior HasValue check. With
WebAssembly this node is not guaranteed to be a value.
R=mslekova@chromium.org
Change-Id: I62170183f3940a04b0550dfbb78cb49d2f5d7f72
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2504250
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70833}
We made array-concat run faster in https://crrev.com/c/2504853.
Bug: v8:7783
Change-Id: Iabefb58f92e24ffa4e0589a7c8b9e2b3e12c6e47
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2504859
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70831}
The immediate might not be 2 bytes from start of instruction, because
the opcode is leb encoded.
Bug: chromium:1143053
Change-Id: I3c514e771419470ce34e02d4faa24e9e59676aa6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2504852
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70828}
Currently MockPlatformForUnmapper has shorter lifetime than the isolate that
uses it. This leads to use-after-free races in concurrent tasks that fetch
the mock platform just before it is freed.
This CL ensures that MockPlatformForUnmapper is valid throughout the whole
lifetime of the isolate
Change-Id: I94a658bf7eb70d924a19522dab09744f21782972
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2502809
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70826}
This test creates an array that is 500000 elements long. Calling
assertEquals on this with another array is really slow, especially on
simulator runs. Most of this array is empty, only the first few elements
and last few elements contain meaningful items, so we check those
specific indices.
On a local run this test goes from ~250s (--jitless) or ~111s to <1s.
out/arm64.build/d8 --test test/mjsunit/mjsunit.js
test/mjsunit/array-concat.js --random-seed=1 --nohard-abort
--testing-d8-test-runner [--jitless]
(using --jitless makes the test even slower)
Bug: v8:7783
Change-Id: I660d3a9f1b3fe3afaa58fce28f493641059ba226
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2504853
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70825}
This CL extracts some functionality from inspector-test.cc to be reused
by the inspector fuzzer.
It also puts all functions in the v8::internal namespace, and adds
separate functions in v8::internal to be called by ::main such that
we have direct access to the full namespace there.
R=szuend@chromium.org
Bug: chromium:1142437
Change-Id: I671317822bdc1c721334469811893affcc460f8f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2501847
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70821}
This is a reland of df34fb9534
Original change's description:
> [wasm-simd] Add more test cases for load lane
>
> Test load lane using memarg offset immediate, and also test all
> supported alignments.
>
> Bug: v8:10975
> Change-Id: Iac7e9f7e335bd86528a8723b04df97a17d7a7f66
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2500928
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70816}
TBR=bbudge@chromium.org
Bug: v8:10975
Change-Id: I286776b351ecd3c78d56bec20c02a3ba283213df
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2504851
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70820}
This reverts commit df34fb9534.
Reason for revert: Broke msvc compile https://ci.chromium.org/p/v8/builders/ci/V8%20Win64%20-%20msvc/15566
Original change's description:
> [wasm-simd] Add more test cases for load lane
>
> Test load lane using memarg offset immediate, and also test all
> supported alignments.
>
> Bug: v8:10975
> Change-Id: Iac7e9f7e335bd86528a8723b04df97a17d7a7f66
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2500928
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70816}
TBR=bbudge@chromium.org,zhin@chromium.org
Change-Id: Ia80d167846dac99070e6e9d280dd4ea53455af30
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:10975
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2504850
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70817}
Test load lane using memarg offset immediate, and also test all
supported alignments.
Bug: v8:10975
Change-Id: Iac7e9f7e335bd86528a8723b04df97a17d7a7f66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2500928
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70816}
And remove all ifdefs guarding the tests.
Bug: v8:11038
Change-Id: I91487a4bd60b6f2e327d1c2348289e446d6e93d1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2501967
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70811}
This is a reland of dde9376860
Original change's description:
> Add int64_t min and max to value helpers for test
>
> And also fix up a truncate float to int test that was using
> int list as input instead of a float list.
>
> Change-Id: I544e38b2d212f8d11dfb5758db4fe6b283acae0d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2419654
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70774}
Change-Id: Id196ea40eaf616d784d644346b912f1561fd97a0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2500926
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70810}
- Created status enum with statuses kStarted, kAlreadyStarted and
kErrorTooManyProfilers, returning when StartProfiling is invoked
- Tests spin up one profiler, check kStarted returned; spin up
another with same name, check kAlreadyStarted returned; Spin up 99
more profilers (100 total), check each returning kStarted, and
one more, expecting 101st to return kErrorTooManyProfilers
R=acomminos@fb.com, petermarshall@chromium.org, ulan@chromium.org
Change-Id: I64e2e6396775f90f9f49f75331a075a47efa7fca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2486240
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70808}
Wrapper nodes are merged into their corresponding C++ object nodes
when the reference between C++ and JS object has a wrapper class id
set.
Instead of iterating all global handles and checking for those with
class ids, the new algorithm discovers them while iterating C++
objects.
Note: Additional wrapper nodes, e.g., those from isolated worlds in
Blink are not merged.
Bug: chromium:1056170
Change-Id: I6dff8992e41d7a1a2c3b99a115a53df6b6fbb64c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2499661
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70804}
This reverts commit d7ece57e20.
Reason for revert: failures on NumFuzz
https://ci.chromium.org/p/v8/builders/ci/V8%20NumFuzz%20-%20debug/11818?
Original change's description:
> [turboprop] Add a slot for optimization marker in feedback vector
>
> Optimization marker and the optimized code used to share the same slot
> in the feedback vector as they were mutually exclusive. With turboprop
> we would want to mark the function for tier up to Turbofan while holding
> the optimized code for Turboprop. So this cl uses the existing padding
> field to hold the optimization marker instead.
>
> As a driveby, removes unused JSFunction::ClearOptimizedCodeSlot function
> and fixes a minor bug in Runtime_GetOptimizationStatus.
>
> Bug: v8:9684
> Change-Id: I18c551a69648a0837d16c5453d023c0b295b1521
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2467836
> Commit-Queue: Mythri Alle <mythria@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70789}
TBR=rmcilroy@chromium.org,mythria@chromium.org,jgruber@chromium.org
Change-Id: Ia9894fef713a522b9c3d349bef4abcde3e1e1832
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9684
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2502870
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70803}
cppgc must support the same feature set as the existing unified heap
system, which requires support for wrapper-specific handling (drop on
Scavenge, merge in snapshot).
Replace JSMember by TracedReference to support IsRootForNonTracingGC()
optimizations out of the box. cppgc support for wrapper/wrappable
pairs will be added as followup.
Change-Id: I3c6eff2b8dce5b71b04b2bd75182eb8672079a64
Bug: chromium:1056170
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2498685
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70801}
This CL provides synchronized get/set to feedback vector slots.
The FeedbackNexus is set up to use order preserving reads when used
on the background thread, and a lock to ensure coherent read
of information for ICKinds with two slots. The main thread takes
the lock on sets.
This test provides patterns to be followed by concurrent TurboFan.
We don't yet access the FeedbackVector on the background thread.
This CL only makes it safe to do so. The next step will come when
the optimizing compiler begins to query the the vector from the
background thread. Currently, with --concurrent-inlining turned on
this is done in bytecode serialization on the main thread. Without
concurrent inlining, it's also done on the main thread, in both
cases using the FeedbackNexus.
Bug: v8:7790
Change-Id: I49d8b8031190f91a0da1c24f375b6b6d8a9fe038
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2276210
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70797}
The number of available double registers depends on supported CPU
features on arm. Any code that applies to all double regs must be
extra-careful to correctly handle either 16 or 32 registers.
This was not the case for deopt entries, which were recently moved
from a runtime-generated code stub to a mksnapshot-time-generated
builtin.
This CL fixes the issue by inspecting the runtime value of cpu
features and acting on it.
Bug: v8:8661,chromium:1142158
Change-Id: I6f4d2e6ee6a80217b9110194b8e1edbe8670d8d0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2498686
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70796}
We kept the CodeMap filled with entries between profiles, even in
kLazyLogging mode which will re-fill the CodeMap when profiling starts
again. See the bug for more details.
This fix manually clears the CodeMap after the last profile is deleted.
We already call DisableLogging() when the last profile is stopped. At
this point we still need the CodeMap alive because the profile object
we expose via the API is backed by the CodeEntry objects in the CodeMap.
Once the last profile is deleted though, we can empty the CodeMap.
There is still another bug, which is that we never delete CodeEntry
objects for deleted code, as there are no CodeDeleteEvents from the GC.
We will work on that separately, but this fix should stop those leaks
accumulating between profiles as we wipe the CodeMap entirely between
profiles (at least for kLazyLogging mode). kEagerLogging mode still has
this problem and will only be fixed by introducing CodeDelete events or
similar.
Bug: v8:11051
Change-Id: Iab9570747d17c657e6e318d434f935af8047d05f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2491033
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70792}
Optimization marker and the optimized code used to share the same slot
in the feedback vector as they were mutually exclusive. With turboprop
we would want to mark the function for tier up to Turbofan while holding
the optimized code for Turboprop. So this cl uses the existing padding
field to hold the optimization marker instead.
As a driveby, removes unused JSFunction::ClearOptimizedCodeSlot function
and fixes a minor bug in Runtime_GetOptimizationStatus.
Bug: v8:9684
Change-Id: I18c551a69648a0837d16c5453d023c0b295b1521
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2467836
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70789}
This CL makes the metadata offsets stored in Code headers
relative to the start of the metadata section (instead of to
the start of the instructions section).
In a follow-up, metadata for embedded builtins will be moved
from the .text section (with r-x or --x permissions) to the
.rodata section (with r-- permissions).
Drive-by: Simplify invariants around section alignment. A
new invariant is that the end of the instruction section is
aligned to Code::kMetadataAlignment.
Drive-by: Ensure trampoline Code objects contain no metadata
(metadata offsets all refer to the off-heap metadata section).
Tbr: dinfuehr@chromium.org
Bug: v8:11036
Change-Id: Idd0980913bbde9d3d1946b558e3ca58ec6356fcc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2491036
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70788}
The crash scenario is as follows:
1) Add a getter for 'then' to the Object prototype that is
considered side-effecting.
2) Evaluate a simple string using 'REPL' mode with side-effect checks
enabled.
Note: REPL mode is not strictly necessary, but it causes a 'then'
lookup as the evaluation result is not a promise.
3) Calling the 'then' getter causes a termination exception, due
to the side-effect check. JSPromise::Resolve then tries to
put the termination exception as the reject reason, which causes
a CHECK failure.
The solution is to check for termination in the "abrupt completion"
case when 'then' was retrieved.
Bug: chromium:1140845
Change-Id: I72b644cd49355cea40f599fcbe80264e99ed7bd6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2501283
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70785}
Implement these two instructions on arm.
Bug: v8:11038
Change-Id: I23d9c7291f60e29415cfbebced1bff323fd2465a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2485250
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70779}
This reverts commit dde9376860.
Reason for revert: ubsan failures https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20UBSan/13518
Original change's description:
> Add int64_t min and max to value helpers for test
>
> And also fix up a truncate float to int test that was using
> int list as input instead of a float list.
>
> Change-Id: I544e38b2d212f8d11dfb5758db4fe6b283acae0d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2419654
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70774}
TBR=clemensb@chromium.org,zhin@chromium.org
Change-Id: If0faa8be8c55715a529dfe777c0ad9819105fc5b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2500925
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70777}
The SpecialValue field used in the disassembler covers too wide a range,
this causes some duplication in the disassembler of instructions like
mov, since the SpecialValue includes a bit used for the immediate.
Attempt to refactor and follow the decoding guide given in the
architecture manual [0], F4.1 A32 instruction set encoding, with the
eventual goal for removing the duplicated instruction disassembly.
[0] ARM DDI 0487F.b ARMv8 A32 instruction set
Bug: v8:10933
Change-Id: Iddf4df317f9a5b29be2544ad2f9f93180e9bcdfc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2497395
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70775}
And also fix up a truncate float to int test that was using
int list as input instead of a float list.
Change-Id: I544e38b2d212f8d11dfb5758db4fe6b283acae0d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2419654
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70774}
This relands commit 61b56d1650
The fix is to capture variables used in the lambda.
Original change's description:
> [wasm-simd] Add more tests for v128 load zero
>
> Add tests for all valid alignments, and using memarg immediate offset
> instead of i32 index.
>
> Also randomize the memory to help catch cases where we are loading
more
> than we should, and accidentally get correct values with zero-ed
memory.
>
> Bug: v8:10713
> Change-Id: I443c2799ba0d539bf23c63760c08e18c4d36607f
> Reviewed-on:
https://chromium-review.googlesource.com/c/v8/v8/+/2487880
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70693}
Bug: v8:10713
Change-Id: Ib8fa58c6600d85a37fc0b6647ddbdb991f3b1c04
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2497382
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70769}
Make the array elements in msunit/regress/regress-542823 larger, so that
it takes fewer of them to force the joined string to go into large
object space. Also, set the array's size dynamically based on the
maximum non-large object size, rather than having a fixed magic "large
enough" size, and verify that the resulting joined string is indeed in
LO space.
This reduces the runtime of this test under slow_path and gc-stress from
minutes to seconds.
Bug: v8:11060
Change-Id: I51d960b6a3e052199f50c1a6ba6fbce1b6d1ae38
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2498689
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70762}
This is a reland of bcb0a7c5c5.
Data races detected by TSan are fixed by using (relaxed) atomic
updates.
Original change's description:
> [wasm] Disallow late enabling of trap handlers
>
> It's dangerous if trap handlers are enabled after we already used the
> information whether they are enabled or not.
> This CL checks for such misbehaviour by remembering whether
> {IsTrapHandlerEnabled} was already called, and disallowing
> {EnableTrapHandler} afterwards. Also, calling {EnableTrapHandler}
> multiple times is disallowed now.
>
> The trap handler tests are changed to only enable trap handlers once,
> and to do that before allocating wasm memory or generating code.
>
> R=ahaas@chromium.org
>
> Bug: v8:11017
> Change-Id: Ib2256bb8435efd914c12769cedd4a0051052aeef
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2494935
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70750}
Bug: v8:11017
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_isolates_rel_ng
Change-Id: I24299c433ffa3ce31e2aac12134dc03f30609da2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2498683
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70761}
For deserialized modules the compilation state was not set to
kFinishedTopTierCompilation and co. A consequence was that code that
required top tier compilation to be finished to block indefinitely.
With this CL the compilation state is initialized properly.
I tested this CL locally with the regression test mentioned in the bug
tracker issue. However, this regression test required to run this test
twice in separate processes. It would be possible to write a regression
test for this that runs on the bots, but I considered it not worth it.
R=clemensb@chromium.org
Bug: v8:11024
Change-Id: Ib4e75eae03fab13a3ff013118fc1f33a1278b33f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2494930
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70757}
msunit/regress/regress-542823 is intended to test large object
allocation in Array.prototype.join, but to do so it has a pretty
inefficient way of first building a large array.
Speed-up this test by using Array.prototype.fill, call .join directly,
and make the whole thing an IIFE to avoid global loads.
Bug: v8:11060
Change-Id: I5906bcb6c65b10ec830b026cf1f24acb6d5e1aaf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2498681
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70755}
The test creates an import error that references the current Script for
reporting the error location back to the embedder.
- This is not supported by the serializer
- We don't expect parse/import errors for serialization
Bug: v8:6513
Change-Id: Idf98e7ae189e8ffeaa478e5118a7b3f2d2c06047
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2497171
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70754}
Due to the previous change to that function, we can end up with
set (non-null) fields even when the overall serialized_ field is
unset. This can cause DCHECK failures (I don't think it's otherwise
observable).
Bug: chromium:1142240,v8:7790
Change-Id: I2711fae8a73438277caf7aa539f24d628b03153c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2497170
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70753}
This reverts commit bcb0a7c5c5.
Reason for revert: TSAN failure (https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20TSAN/33868)
Original change's description:
> [wasm] Disallow late enabling of trap handlers
>
> It's dangerous if trap handlers are enabled after we already used the
> information whether they are enabled or not.
> This CL checks for such misbehaviour by remembering whether
> {IsTrapHandlerEnabled} was already called, and disallowing
> {EnableTrapHandler} afterwards. Also, calling {EnableTrapHandler}
> multiple times is disallowed now.
>
> The trap handler tests are changed to only enable trap handlers once,
> and to do that before allocating wasm memory or generating code.
>
> R=ahaas@chromium.org
>
> Bug: v8:11017
> Change-Id: Ib2256bb8435efd914c12769cedd4a0051052aeef
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2494935
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70750}
TBR=ahaas@chromium.org,clemensb@chromium.org
Change-Id: I1d93dcb399e2a0b5b0543aa60d34087317c01cb3
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:11017
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2497176
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70751}
It's dangerous if trap handlers are enabled after we already used the
information whether they are enabled or not.
This CL checks for such misbehaviour by remembering whether
{IsTrapHandlerEnabled} was already called, and disallowing
{EnableTrapHandler} afterwards. Also, calling {EnableTrapHandler}
multiple times is disallowed now.
The trap handler tests are changed to only enable trap handlers once,
and to do that before allocating wasm memory or generating code.
R=ahaas@chromium.org
Bug: v8:11017
Change-Id: Ib2256bb8435efd914c12769cedd4a0051052aeef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2494935
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70750}
This is a reland of b66993bcfb
Nothing changed in the reland, the original CL was not the
culprit for win32 failures. They started earlier, at
https://ci.chromium.org/p/v8/builders/ci/V8%20Win32/29444
Original change's description:
> [code] Separate instruction and metadata areas
>
> In this CL, Code object layout changes s.t. the instruction
> area is distinct / non-overlapping from the metadata area.
>
> On-heap Code objects now have a variable-size `body` area,
> containing distinct-but-adjacent `instruction` and `metadata`
> areas.
>
> Off-heap code (= embedded builtins) currently have the same,
> but in the future the metadata area will move elsewhere and
> no longer be adjacent to instructions.
>
> To implement this, the main changes are:
>
> - The Code object header now contains instruction and metadata
> sizes, and no longer contains the safepoint table offset
> (it's implicitly the first table of the metadata section).
> - The embedded metadata table contains information about both
> instruction and metadata areas.
>
> I've also added assertions in spots that currently rely on a
> contiguous body area.
>
> Bug: v8:11036
> Change-Id: I940f0c70c07ad511dafd2d2c3e337de8c92cd4b9
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2491025
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70743}
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Tbr: leszeks@chromium.org, clemensb@chromium.org, dinfuehr@chromium.org
Bug: v8:11036
Change-Id: I238562d7e25cf28cc689856ee8b17f25627aaee7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2497162
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70747}
This reverts commit b66993bcfb.
Reason for revert: Broke v8 win32 https://ci.chromium.org/p/v8/builders/ci/V8%20Win32/29454?
Original change's description:
> [code] Separate instruction and metadata areas
>
> In this CL, Code object layout changes s.t. the instruction
> area is distinct / non-overlapping from the metadata area.
>
> On-heap Code objects now have a variable-size `body` area,
> containing distinct-but-adjacent `instruction` and `metadata`
> areas.
>
> Off-heap code (= embedded builtins) currently have the same,
> but in the future the metadata area will move elsewhere and
> no longer be adjacent to instructions.
>
> To implement this, the main changes are:
>
> - The Code object header now contains instruction and metadata
> sizes, and no longer contains the safepoint table offset
> (it's implicitly the first table of the metadata section).
> - The embedded metadata table contains information about both
> instruction and metadata areas.
>
> I've also added assertions in spots that currently rely on a
> contiguous body area.
>
> Bug: v8:11036
> Change-Id: I940f0c70c07ad511dafd2d2c3e337de8c92cd4b9
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2491025
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70743}
TBR=jgruber@chromium.org,leszeks@chromium.org,clemensb@chromium.org,dinfuehr@chromium.org
Change-Id: Ia52ac609a47b8a2038a2511f0af8526ebdfe4719
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:11036
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2497381
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70744}
In this CL, Code object layout changes s.t. the instruction
area is distinct / non-overlapping from the metadata area.
On-heap Code objects now have a variable-size `body` area,
containing distinct-but-adjacent `instruction` and `metadata`
areas.
Off-heap code (= embedded builtins) currently have the same,
but in the future the metadata area will move elsewhere and
no longer be adjacent to instructions.
To implement this, the main changes are:
- The Code object header now contains instruction and metadata
sizes, and no longer contains the safepoint table offset
(it's implicitly the first table of the metadata section).
- The embedded metadata table contains information about both
instruction and metadata areas.
I've also added assertions in spots that currently rely on a
contiguous body area.
Bug: v8:11036
Change-Id: I940f0c70c07ad511dafd2d2c3e337de8c92cd4b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2491025
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70743}
This is a reland of eb6b4ce1d8
Skip test that serializes Error which references a Script. All errors
created by ThrowAt store the current Script under the
error_script_symbol.
Original change's description:
> [runtime] Use Isolate::ThrowAt with MessageLocation
>
> Fix various missing source positions when reporting parse and compile
> errors. Namely this fixes missing source positions when having invalid
> module imports.
>
> - Use Isolate::ThrowAt with valid MessageLocation objects
> - Change public Isolate::Throw to no longer accept MessageLocation to
> avoid misues
> - Introduce private Isolate::ThrowInternal that accepts MessageLocation
>
> Bug: v8:6513
> Change-Id: I3ee633c9fff8c9d361bddb37f56e28a50c280ec1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2467839
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70623}
Bug: v8:6513
Change-Id: Icba74f74178e28fbda0fd0c237eeb7bacbc33570
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2487123
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70741}
The dynamic map check builtin loads the feedback vector from the
function's frame, therefore it doesn't work if we inline the
function. We don't do inlining on TurboProp so this is fine, but
it was possible to enable dynamic map checks on TurboFan which does.
This change prevents that, and also makes the dynamic map checks flag
specific to TurboProp and no longer an implication, which also allos
it to be switched on the command line independenly of --turboprop.
BUG=chromium:1141502,v8:9684
Change-Id: I365de461a6373335a45a7a154af7d4cf1c13dc2c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2494928
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70737}
This is a reland of 90ea9b35cb
Original change's description:
> cppgc: Port backing store compaction.
>
> This CL ports the existing backing store compaction algorithm from
> blink. It does not attempt to improve on the existing algorithm.
>
> Currently only unified heap uses the compaction implementation. It is
> never triggered through standalone GCs.
>
> The compaction implementation resides within an internal "subtle" namespace.
>
> Bug: v8:10990
> Change-Id: I4aa781db1b711e7aafc34234c4fb142de84394d7
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2485228
> Commit-Queue: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Anton Bikineev <bikineev@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70714}
Bug: v8:10990
Change-Id: I527c2042a26648d058bfe4d355527cce9a3eeadc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2492331
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70736}
If trap handlers are disabled, we don't need guard regions around wasm
memories. Hence use the dynamic {trap_handler::IsTrapHandlerEnabled()}
check, instead of always reserving guard regions on all 64-bit
platforms.
This will allow to reserve pretty much arbitrarily many wasm memories if
trap handlers are disabled.
Two tests are added to test the number of memories that can be
allocated: With trap handlers, at least 50 memories should always be
possible. Without trap handlers, 10000 small memories should not be a
problem (each one is taking 64kB, so it's 640MB overall).
Drive-by: Improve tracing.
R=ahaas@chromium.org
Bug: v8:11017
Change-Id: Ic4c620f63dfbef571e64df0b3372b83a1db566ab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2491034
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70732}
The TryMigrateInstance should be passed the instance object to migrate,
not the map of the object. Also make the runtime function explicitly
check for JSObjects.
BUG=v8:9684
Change-Id: I03605d9f3103b618243c12ad0b63035484ef4134
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2487270
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70731}
CppHeap is currently set up to always finalize with no stack.
Finalizing with actual current stack state breaks our unified heap
unittests. This is fixed by having test specify which stack state
to pass CppHeap.
Bug: chromium:1056170
Change-Id: I1a6c3870abbdf56917c20c6a75580b6c516d828c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2494924
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70729}
The test was not flaky. Instead it seems compiiler optimizations discarded
of the test-allocated object such that stack scanning could no longer find it.
Bug: v8:11052
Change-Id: Ie8018ccecb03b22e6c4f2dada3e6663b04c551fd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2493160
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70722}
The register that holds the {new_value} for the AtomicCompareExchange8U
has to be a byte register on ia32. There was code to guarantee that, but
after that code there was code that frees the {eax} register, and that
code moved the {new_value} to a different register again. With this CL
we first free {eax}, and then find a byte register for the {new_value}.
R=clemensb@chromium.org
Bug: chromium:1140549
Change-Id: I1679f3f9ab26c5416ea251c7925366ff43336d85
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2491031
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70721}
This reverts commit 90ea9b35cb.
Reason for revert: https://ci.chromium.org/p/v8/builders/ci/V8%20Mac64%20-%20debug/31274?
Original change's description:
> cppgc: Port backing store compaction.
>
> This CL ports the existing backing store compaction algorithm from
> blink. It does not attempt to improve on the existing algorithm.
>
> Currently only unified heap uses the compaction implementation. It is
> never triggered through standalone GCs.
>
> The compaction implementation resides within an internal "subtle" namespace.
>
> Bug: v8:10990
> Change-Id: I4aa781db1b711e7aafc34234c4fb142de84394d7
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2485228
> Commit-Queue: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Anton Bikineev <bikineev@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70714}
TBR=mlippautz@chromium.org,bikineev@chromium.org,omerkatz@chromium.org
Change-Id: Iadae1ee0c6c0400f0e1a0a3805be5316a1d4b979
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:10990
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2492330
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70716}
The test WeakContainerTest.ConservativeGCTracesWeakContainer failed on
one of the bots:
https://ci.chromium.org/p/v8/builders/ci/V8%20Mac64%20ASAN/29755?
This seems like flakiness related to stack scanning.
Bug: v8:11052
Change-Id: Ia60d64e63a071335c4c3f648a4ba0c1823841617
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2492324
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70715}
This CL ports the existing backing store compaction algorithm from
blink. It does not attempt to improve on the existing algorithm.
Currently only unified heap uses the compaction implementation. It is
never triggered through standalone GCs.
The compaction implementation resides within an internal "subtle" namespace.
Bug: v8:10990
Change-Id: I4aa781db1b711e7aafc34234c4fb142de84394d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2485228
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70714}
This CL adds TraceWeakContainer and VisitWeakContainer to the Visitor
api. It also introduces the weak_container_worklist_ used to force
re-tracing of weak containers that are reachable from stack.
Bug: chromium:1056170
Change-Id: I4ba75bd64939b8df9ece7422828a5ac647b03fd1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2491022
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70708}
Refactor the {options} output parameter of the fast callback to a
reference, since it can never be nullptr for functions created with
MakeWithFallbackSupport. This allows embedders to spare the nullptr
check.
Bug: chromium:1052746
Change-Id: I3e22f07af4740ebe8522691da51b6addbc980f24
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2491026
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70706}
Since JS arguments are always reversed now (https://crrev.com/c/2466116), the logic for skipping the arguments adapter is dead.
It has been subsumed by the complete removal of the adaptor frame (https://crrev.com/c/2440098).
Doc: bit.ly/v8-faster-calls-with-arguments-mismatch
Change-Id: Ia02e0807b7d23a9de371650fa6357113e409d338
Bug: v8:10201
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2489684
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70704}
No major functional changes in this CL, mostly it moves code around
to make follow-up CLs less messy.
- Document Code layout.
- New concepts: 'body' and 'metadata' areas of Code objects. The
metadata area contains metadata tables, the body area includes
both instructions and metadata (this is currently the 'instructions'
area). Add accessors for these new areas.
- An interesting detail: embedded builtins will have non-adjacent
instruction and metadata areas, thus a concept of 'body' doesn't
make sense there.
- Also add raw_instruction_X_future accessors; these are used where
we are actually interested in the instructions range, not the entire
body. In a follow-up, current raw_instruction_X accessors will be
replaced by raw_body_X, and raw_instruction_X_future by
raw_instruction_X.
Bug: v8:11036
Change-Id: I1d85146b652e0c097c3602d4db1862d5d3898a7e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2491023
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70701}
Originally, the Torque-generated verifier for a field with type
Undefined|Zero|NonNullForeign would check `f.IsUndefined() || f.IsZero()
|| f.IsNonNullForeign()`. At some point, we changed Torque so that it
now generates the much weaker `f.IsOddball() || f.IsSmi() ||
f.IsForeign()`. This change returns the verifiers to their initial
precision. Mostly we can use the names of abstract types to build up the
correct type check expression, but a few abstract types like
PodArrayOfWasmValueType have no way that we can tell them apart from
their parent type at runtime. It would be confusing to have a function
Object::IsPodArrayOfWasmValueType which actually just checks whether the
object is a ByteArray, so this change introduces a new annotation which
allows abstract type declarations to state that they should use their
parent type during verification.
This change also adds new test cases to help avoid future regressions of
this logic.
Bug: v8:7793
Change-Id: Ie5046d742fd45e0e0f6c2ba387d909e9f2ac6df1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2469960
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#70698}
This reverts commit 61b56d1650.
Reason for revert: Breaks tests on MSVC bot:
https://ci.chromium.org/p/v8/builders/ci/V8%20Win64%20-%20msvc/15485
Original change's description:
> [wasm-simd] Add more tests for v128 load zero
>
> Add tests for all valid alignments, and using memarg immediate offset
> instead of i32 index.
>
> Also randomize the memory to help catch cases where we are loading more
> than we should, and accidentally get correct values with zero-ed memory.
>
> Bug: v8:10713
> Change-Id: I443c2799ba0d539bf23c63760c08e18c4d36607f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2487880
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70693}
TBR=bbudge@chromium.org,zhin@chromium.org
Change-Id: I9391c5e948c528f00dc966bbf33f709da30d1b17
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:10713
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2490479
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70694}
Add tests for all valid alignments, and using memarg immediate offset
instead of i32 index.
Also randomize the memory to help catch cases where we are loading more
than we should, and accidentally get correct values with zero-ed memory.
Bug: v8:10713
Change-Id: I443c2799ba0d539bf23c63760c08e18c4d36607f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2487880
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70693}
Implements https://github.com/tc39/ecma262/pull/2154, which allows
module export names to be string literals.
Semantics highlights:
- It is a SyntaxError for string literal export names to have unpaired
UTF16 surrogates.
- It is a SyntaxError for string literal export names to be used as
the local name without being followed by a 'from' clause. For example,
`export { "foo" }` and `export { "foo" as "bar" }` are errors, but
`export { "foo" } from "./module.js"` is allowed.
The remaining failing test262 test is wrong:
https://github.com/tc39/test262/issues/2866
Bug: v8:10964
Change-Id: Ib3e06e1ee6b3f1b60ed7f24e21902e17ddfc0351
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2482335
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70692}
Liftoff can currently run out of registers when compiling an atomic
compare-exchange instruction. In order to see this crash, the following
conditions must be met:
- The offset in the instruction doesn't fit in a 12-bit immediate
- Either FLAG_untrusted_code_mitigations is false, or trap handlers are
enabled, so that AddMemoryMasking decides to do nothing
The fix proposed in this CL is just to defer allocation of a temporary
register until after CalculateActualAddress has finished, because it
might have also needed a temporary register.
Change-Id: I28225614dcdbe2bcc9e52208f1e806baac89c5f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2488840
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70687}
This trap now used for all runtime type errors thrown when interfacing
with JS. Its name and message have been changed to reflect this.
Additional change: Remove the trap from the list of traps used
exclusively for RuntimeError (as opposed to TypeError) in
wasm-module-builder.js.
Change-Id: I517766837a60d94b562d4c0de922d52db786b635
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2488688
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70682}
Follow the marker pattern where actual logic is moved into a dedicated
state class and the visitors merely forward to that class.
Change-Id: Id3c6b7414343da82759bdba3dbb8286adee44cf4
Bug: chromium:1056170
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2480502
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70680}
Bug: chromium:1139782,v8:10765
Change-Id: I417cd037b2587599b925cce08d8652b2df1985ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2488687
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Martin Bidlingmaier <mbid@google.com>
Cr-Commit-Position: refs/heads/master@{#70679}
This is a reland of fbfa9bf4ec
The arm64 was missing proper codegen for CFI, thus sizes were off.
Original change's description:
> Reland "[deoptimizer] Change deopt entries into builtins"
>
> This is a reland of 7f58ced72e
>
> It fixes the different exit size emitted on x64/Atom CPUs due to
> performance tuning in TurboAssembler::Call. Additionally, add
> cctests to verify the fixed size exits.
>
> Original change's description:
> > [deoptimizer] Change deopt entries into builtins
> >
> > While the overall goal of this commit is to change deoptimization
> > entries into builtins, there are multiple related things happening:
> >
> > - Deoptimization entries, formerly stubs (i.e. Code objects generated
> > at runtime, guaranteed to be immovable), have been converted into
> > builtins. The major restriction is that we now need to preserve the
> > kRootRegister, which was formerly used on most architectures to pass
> > the deoptimization id. The solution differs based on platform.
> > - Renamed DEOPT_ENTRIES_OR_FOR_TESTING code kind to FOR_TESTING.
> > - Removed heap/ support for immovable Code generation.
> > - Removed the DeserializerData class (no longer needed).
> > - arm64: to preserve 4-byte deopt exits, introduced a new optimization
> > in which the final jump to the deoptimization entry is generated
> > once per Code object, and deopt exits can continue to emit a
> > near-call.
> > - arm,ia32,x64: change to fixed-size deopt exits. This reduces exit
> > sizes by 4/8, 5, and 5 bytes, respectively.
> >
> > On arm the deopt exit size is reduced from 12 (or 16) bytes to 8 bytes
> > by using the same strategy as on arm64 (recalc deopt id from return
> > address). Before:
> >
> > e300a002 movw r10, <id>
> > e59fc024 ldr ip, [pc, <entry offset>]
> > e12fff3c blx ip
> >
> > After:
> >
> > e59acb35 ldr ip, [r10, <entry offset>]
> > e12fff3c blx ip
> >
> > On arm64 the deopt exit size remains 4 bytes (or 8 bytes in same cases
> > with CFI). Additionally, up to 4 builtin jumps are emitted per Code
> > object (max 32 bytes added overhead per Code object). Before:
> >
> > 9401cdae bl <entry offset>
> >
> > After:
> >
> > # eager deoptimization entry jump.
> > f95b1f50 ldr x16, [x26, <eager entry offset>]
> > d61f0200 br x16
> > # lazy deoptimization entry jump.
> > f95b2b50 ldr x16, [x26, <lazy entry offset>]
> > d61f0200 br x16
> > # the deopt exit.
> > 97fffffc bl <eager deoptimization entry jump offset>
> >
> > On ia32 the deopt exit size is reduced from 10 to 5 bytes. Before:
> >
> > bb00000000 mov ebx,<id>
> > e825f5372b call <entry>
> >
> > After:
> >
> > e8ea2256ba call <entry>
> >
> > On x64 the deopt exit size is reduced from 12 to 7 bytes. Before:
> >
> > 49c7c511000000 REX.W movq r13,<id>
> > e8ea2f0700 call <entry>
> >
> > After:
> >
> > 41ff9560360000 call [r13+<entry offset>]
> >
> > Bug: v8:8661,v8:8768
> > Change-Id: I13e30aedc360474dc818fecc528ce87c3bfeed42
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2465834
> > Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#70597}
>
> Tbr: ulan@chromium.org, tebbi@chromium.org, rmcilroy@chromium.org
> Bug: v8:8661,v8:8768,chromium:1140165
> Change-Id: Ibcd5c39c58a70bf2b2ac221aa375fc68d495e144
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2485506
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70655}
Tbr: ulan@chromium.org, tebbi@chromium.org, rmcilroy@chromium.org
Bug: v8:8661
Bug: v8:8768
Bug: chromium:1140165
Change-Id: I471cc94fc085e527dc9bfb5a84b96bd907c2333f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2488682
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70672}
