The information was previously kept heap-global but is really only
used by spaces when refilling their LABs.
Bug: v8:12615
Change-Id: Iee256d35ffa0112c93ec721bc3afdc2881c4743b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3465898
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79122}
These should not be allowed inside the sandbox as they could be
corrupted by an attacker, thus posing a security risk. Furthermore,
executable pages require MAP_JIT on macOS, which causes fork() to become
excessively slow, in turn causing tests to time out.
Due to this, the sandbox now requires the external code space.
In addition, this CL adds a max_page_permissions member to the
VirtualAddressSpace API to make it possible to verify the maximum
permissions of a subspace.
Bug: v8:10391
Change-Id: Ib9562ecff6f018696bfa25143113d8583d1ec6cd
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3460406
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79119}
Now that different tiers use dedicated interrupt_budgets (which
determine how often the runtime profiler (now tiering manager) is
called), I don't see a meaningful way to use results from this counter.
Bug: v8:7700
Change-Id: I2ec2242d3c7f6c2b9deab075a6f0500cc1350e96
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3467595
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79117}
TierUpCheck and UpdateInterruptBudget were only used by Turboprop
(likewise feedback_cell_node).
Bug: v8:12552
Change-Id: Ic73d44a5734e183bc1a2eda58cdf85163220e4d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3463954
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79116}
This predicate is just confusing - it's a renamed version of
HasBytecodeArray; but HasBytecodeArray also returns true if the SFI
has attached Sparkplug code - and is thus not interpreted.
Simply replace it by HasBytecodeArray.
Bug: v8:7700
Change-Id: Id4be2048a625142ade1096044133d9cd2896b51d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3461935
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79115}
Rolling v8/build: d5f9249..62a6377
Rolling v8/buildtools/third_party/libc++abi/trunk: 01efcb5..738dc10
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/7bede42..6fbe580
Rolling v8/third_party/depot_tools: 4e4a2b8..d6a3040
Rolling v8/third_party/zlib: 03f3212..9538f41
Rolling v8/tools/clang: ad74e59..62e2cd9
Rolling v8/tools/luci-go: git_revision:fbbb5b9748a05dd16fe621f7ea48a4ece1913874..git_revision:c4791d15e395b201e6a85336f7d8a21cce973dfa
R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com
Change-Id: I7ac51800087314d5c0bf5e6a186c63b059305f3f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3465720
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#79110}
Even though this is not a perfect protection, it will make it harder to
write to the wasm code space because it's not permanently RWX.
After optimizations (see https://crbug.com/v8/11974) the performance is
good enough that it's worth just enabling it.
R=ahaas@chromium.org
Bug: v8:11974
Change-Id: I82786e932387732863c3c5e3aa743f7836cc45e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3464035
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79109}
This was mostly unused. We should simply be able to use CodeKind plus
related predicates instead.
Replace FeedbackVector::optimization_tier with
maybe_has_optimized_code, which states whether the optimized code
cache is filled. The value is updated lazily and may lag behind the
actual code cache state. We only use this field for quick cache-empty?
checks from generated code.
Bug: v8:7700,v8:12552
Change-Id: Ibfc5c0128eac56167a68ecba5690eab2e9369640
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3460741
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79107}
Data segments were missing in the output of --wasm-fuzzer-gen-test.
R=manoskouk@chromium.org
Bug: v8:11863
Change-Id: I40e60ef8626125ca9df6bead688607215d9e5b58
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3461932
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79106}
Split small chunks of assembly instructions into separate functions.
This makes the code easier to follow and to maintain, especially for
register allocation.
Drive-by: simplify stack-switching test.
R=ahaas@chromium.org
Bug: v8:12191
Change-Id: Id7544a3b2d16085540d9f1863a0eabd1f72f22bb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3461929
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79105}
LocalAllocator was already renamed to EvacuationAllocator some time ago.
Rename files now as well.
Bug: v8:10315
Change-Id: I337f693998aaf5187a5ba05842cdb2474837b68d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3463719
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79104}
Both stability and performance look good on Linux and ChromeOS, which
are the only operating systems that currently support PKU.
Hence enable the feature by default before launching via finch.
R=ahaas@chromium.org
Bug: v8:11974, chromium:1204982
Change-Id: I2c1e7e7bb70ba73218d4db630219870b198ba6e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3461934
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79103}
Instead of using runtime lookups of various bytecode properties (like
whether they read/write the accumulator, what their operands do to
registers, etc), do a switch over the bytecode itself once and dispatch
to update methods that are templated on the bytecode and statically know
everything about it.
Change-Id: I0ae111af54277c26c7d0d67a404a2ef75f81fcf4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3455826
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79102}
.. to resolve the overloaded 'runtime' term and overall pick a more
meaningful name for this class. It's neither very related to runtime
(instead it's called periodically when the bytecode interrupt budget is
exhausted); nor is profiling its main purpose.
This class is responsible for controlling tiering decisions, hence the
new name 'TieringManager'.
Bug: v8:7700
Change-Id: Id6f1edf4ebe016d0d81903d0a13e0e1fe6e02142
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3463716
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79101}
Now that all known correctness issues with map space compaction are
fixed, add more test coverage by enabling it with --future.
Bug: v8:12578
Change-Id: I23d04a162f742480c4e83de1f3980509543e5a97
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3460409
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79100}
This CL replaces evacuation in MinorMC with always promoting pages.
Pages in new space are promoted first within new space and then to old
space upon a second GC.
This implementation should not yet be used in production and is guarded
behind a runtime flag.
In case all pages in new space have at least one live object on them,
all pages will be promoted and new space will still be out of memory,
thus immediately triggering a second young gen GC that will promote all
objects to old space.
Further CLs will mitigate this issue.
Bug: v8:12612
Change-Id: I329ea01d6d15c0942db2eeeea87c5cefcac75502
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448385
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79099}
Originally, 'Promise.allSettled.call()' will throw
"Promise.all called on non-object". It should be
"Promise.allSettled called on non-object". Add test
for it.
Bug: v8:12122
Change-Id: I496a7c9d31baeb5b99012461387cfbccc4100d2b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3463063
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79096}
The hash of signatures currently has redundancy: We hash both the
parameter count and the return count, plus all contained values.
The total count of contained values is already implicitly captured by
{hash_combine}ing the individual values, thus it's enough to only
include one of parameter count and return count.
R=manoskouk@chromium.org
Bug: v8:12593
Change-Id: I6d3e8b15f4251964e3a74ae5411d06a7d41183a8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3460415
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79095}
.. in preparation for integrating addtl tiers into a single tiering
system.
1. Explicitly spell out whether the request is concurrent or not.
2. Explicitly request the target compiler.
Bug: v8:7700
Change-Id: I9d6e9f6a5d5f0f7218fe136ff50cea2ad7987f67
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3460739
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79092}
The module builder was outputting the address as an unsigned LEB value
instead of a signed value, leading to wrong results.
R=manoskouk@chromium.org
Bug: v8:11863
Change-Id: I547ca98defcae0ba15b4004a506b65387534b08a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3463715
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79090}
We must not use TransferColor on objects promoted into shared objects
when performing a scavenger during incremental marking.
Bug: v8:12628, v8:11708
Change-Id: I5833c0da8aa3dcd03287d3803a68189e85875bc1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3463714
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79089}
Originally, the accessors won't be copied into global object from
deserialized global. And the accessors in serialized global object
will be lost. Fix to copy accessors in deserialized global
into global object when recreating new global object using passed
global proxy template.
Tests credited to xiangyangemail@gmail.com
https://chromium-review.googlesource.com/c/v8/v8/+/3405405
Bug: v8:12564
Change-Id: Iefb3a6dbfa5445b227d87c26eb423cf1b924dbb4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3459937
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79087}
Adding ldflags for aix. This is a todo item noticed
Change-Id: I09dc86a3e956408edb1bfeba6b60bf67843caf4d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3439339
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79086}
Originally, 'Promise.allSettled.call()' will throw
"Promise.all called on non-object". It should be
"Promise.allSettled called on non-object".
Bug: v8:12122
Change-Id: Ib2c8eba32abec474feece3aaebf0e6c7d09c433a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3459923
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79085}
Since we do not yet have canonicalization for types, when emitting
ref.func in the fuzzer, it is not enough to pick a function whose
signature is equivalent with the requested type; we have to pick a
function that is declared exactly with the requested signature index.
Bug: chromium:1296936
Change-Id: Ie307a9a370bb9ba2c8c334ddf05268ed9c7077d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3460411
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79081}
With String contents being accessible off-main-thread or from multiple
main threads, add a SLOW_DCHECK that the hash of the string contents
inside a String::FlatContent doesn't change during its lifetime.
Bug: v8:12007
Change-Id: Iaf6bb785e44c97c13ac2fe9c5c20099bf1e0d2fd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3451355
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79080}
This struct is reused across various GC cycles. In the way that it's
used here, std::move does not clear the vector of events.
Change-Id: I21e3f74e3ce13fad063499bed19c287902cb90cf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3460408
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79078}
Various cleanups around young generation GCs.
These include:
(*) Replace minor_mark_compact_collector_ with a unique_ptr and merge
initialization with the mark_compact_collector_ and
scavenger_collector_.
(*) Rename IncrementalMarking::UpdateMarkingWorklistAfterScavenge to
IncrementalMarking::UpdateMarkingWorklistAfterYoungGenGC.
(*) Remove redundant MarkingTreatmentMode parameter from
MakeIterable.
Bug: v8:12612
Change-Id: Ifac7006d3425808a4b9e4c8e1af054a60c073180
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448380
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79077}
This CL simplifies the reporting of full GC cycles and the connection
between the GC of the managed C++ heap and the managed JavaScript heap.
It moves the call to GCTracer::RecordFullCycleToRecorder to be part of
GCTracer::StopCycle.
Bug: v8:12503
Bug: chromium:1154636
Change-Id: I332dbcd81d2e5bdda83f3353c6526fc18e23ebd5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3456563
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79075}
The generational barrier for source objects records the entire source
object to be processed later during remembered set visitation. It's
planned to be used for Blink backing stores when an inlined object (or a
range thereof) is added (HeapAllocator::NotifyNewObject(s)).
An alternative approach would be to eagerly process the inlined objects
using a custom callback. However, this requires changing Visitors to
bring slots into the context. This approach should better work for
scenarios where small ranges or single elements are added, to avoid
processing potentially large backing stores. The followup CL implements
this idea.
Bug: chromium:1029379
Change-Id: Iacb59e4b10a66354526ed293d7f43f14d8761a8f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3460402
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79073}