This is a reland of commit 0a1a579ad2
The original CL has a bag in assigning no_reg to scoped Register variable.
To fix it Scoped guard was added for automated release of scoped registers.
Original change's description:
> Port JS-Wasm Promise Integration for arm64
>
>
> Port Generic JS-Wasm Wrapper for arm64
>
> Change-Id: I256e6511d47af9ab04c577beb6b829dfee34a6ed
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3841074
> Commit-Queue: Ilya Rezvov <irezvov@chromium.org>
> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83038}
Change-Id: I7b8b355f5689e51529223f1156e74e980c3b50ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879492
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Ilya Rezvov <irezvov@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83068}
Add the missing KB multiplier. Also add a flag to set the fixed stack
size.
R=clemensb@chromium.org
Bug: v8:12191
Change-Id: I9782192d2eef1986286f726a05444a4bec49fc66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3875902
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83065}
ShouldFinalize should only be called if major incremental marking is
active, and can crash if minor incremental marking is active, if
MajorMC's local_marking_worklists_ was reset.
The only caller is IsMarkingComplete. This CL changes the IsMarking
check to IsMajorMarking to solve this issue, and renames
IsMarkingComplete to IsMajorMarkingComplete.
Bug: v8:13012
Change-Id: Iba6bd5b7977ec8566c3ab0f047646d8cafd45038
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879485
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83064}
BytecodeArray::Disassemble fails a SLOW_DCHECK when invoking from
a background thread, due to the little hack to recover the handle
inside the function.
This CL changes the method to static with a handle as input.
The old method calls the static one, since it is allowed to be
called by the main thread.
Change-Id: I3546f0d2b160d15386da0980efc539693672c230
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879498
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83063}
Fix broken DCHECK:
When using MinorMC, new space is a paged space and only uses the
TO_PAGE page flag. New large object space however still uses both
TO_PAGE and FROM_PAGE page flags. With MinorMC it still possible
to find reference to FROM_PAGEs, but those pages have to be large
pages.
Fix broken test:
MinorMC may only free empty pages when shrinking. Therefore, shrink
may actually not change the space capacity at all (e.g. when all
pages have live objects on them). More specifically, the capacity is
not guaranteed to be half the previous capacity.
Bug: v8:12612
Change-Id: Ib0edcafd758828f821f82bc8c796c205f162809c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879493
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83061}
On allocation failure in new space we used to do at most 2 GCs before
calling the near heap limits callback. The 2 GCs would empty new space,
thus insuring that the current allocation can succeed.
With MinorMC the 2nd GC has no effect and we should do a full GC instead
to empty new space.
Bug: v8:12612
Change-Id: I4f767136283b5d26fee4f4a3998359b3c1e2108b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879495
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83060}
For accessors, instead of storing the descriptor index + holder in the
LoadHandler, store the getter directly (avoiding the
map->descriptor->pair->getter hops). For the non-prototype case, where
there's no LoadHandler, store the AccessorPair directly as a weak
handler instead of the Smi handler. We can't store the getter here
directly, because it could be in new space, and then we can't use it in
the stub cache.
Required some rejiggling of ic.cc method signatures, to allow
ComputeHandler to return a weak ref.
Change-Id: I22c0e64bec9880a3ba23c2d1eeb3a1c23179ca4b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865557
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83059}
assertEquals() compares objects by comparing each property for both
objects. This was done by using Object.keys() which however only returns
enumerable properties.
With this change also non-enumerable properties are compared.
Still, the comparison doesn't require the properties to be equal.
So, if one property is marked enumerable in one object but not the
other, the objects would still be considered equal.
This could be adapted in a follow-up CL if desired.
The prototype is still ignored for the comparison.
Change-Id: I1bb9df055bfb764ac1c02d971ac6f4a50f4a98e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876384
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83058}
This is a reland of commit 24e60017d4
The reland changes %ClearFunctionFeedback to clear *all* feedback
slot kinds including binary/compare/for-in slots. In the tests we
thus no longer have to resort to tricks to restore the function to
it's initial state, instead simply call %ClearFunctionFeedback.
Original change's description:
> [maglev] Deopt on overflow in >>>
>
> Re-enable the int32 fast path for ShiftRightLogical, but account for
> Maglev's missing signed/unsigned representation tracking by a)
> removing rhs==0 as the identity value (a shift by 0 is still a
> signed-unsigned conversion) and b) deoptimizing if the result cannot
> be converted to a non-negative smi.
>
> Note this is not a deopt loop, since a non-smi result will change the
> feedback to kSignedSmallInputs (from kSignedSmall).
>
> To fix this properly, we should track signed/unsigned representations
> and convert the result to a heap number if it doesn't fit within smi
> range.
>
> Bug: v8:7700
> Change-Id: Ifd538d227a6f1290eb7f008d9bfad586ff91ea0f
> Fixed: v8:13251
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876366
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Jakob Linke <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83025}
Bug: v8:7700
Change-Id: I2f607a0fb863b80e8589c9c1e86ee31fbac48c25
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879491
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83057}
Attempting to set a FunctionTemplate without a code handler as an
accessor for a property will fail in the runtime, which expects to be
able to call the handler. Add an API check that guards against this.
Change-Id: I270f0ca3d20de507bc9bde2c4c8d23b2614313dd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879490
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83055}
The current abort will crash if the generator is created by the
interpreter and resumed by the maglevved code.
This current workaround is not ideal since it can introduce
a deopt-reopt loop.
Bug: v8:7700, v8:13109
Change-Id: I7db71a896711255d866ace98eddde85538aa2903
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879228
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83054}
At the moment the shared heap is internally implemented as its own
isolate - the shared isolate. This CL prepares to remove the shared
isolate and replace it with shared spaces in the main isolate.
This CL introduces the --shared-space flag to opt-in into this shared
heap-approach. Isolate::is_shared_space_isolate() and
Isolate::shared_space_isolate() are added as well to identify the
main isolate (or shared space isolate).
Bug: v8:13267
Change-Id: I1a79c839de3b3b9cc988401e2e6e70ce3b02fa22
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3874928
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83050}
.. to increase bus factor in EU time zones.
Change-Id: I7f1bca0fd765f8f1720ff5534823b4daaa290ea3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879488
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83049}
Set COMPACTION_WAS_ABORTED page flag also when aborting evacuation
due to OOM.
Bug: chromium:1359294, v8:12578
Change-Id: Ia9833dbf9213375698cb7b1595ade7df5e24189d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3877145
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83047}
This CL fixes redesigns the current API, which does not correctly
manage lifetimes of the shared object conveyors.
See design doc at
https://docs.google.com/document/d/1TV6agY9dafVJFvdPrUAGbEvos8wL2WDnsmf84n3OJVU/edit?usp=sharing
This CL also removes the incorrect behavior of serializing all shared
strings by sharing instead of copying. Shared strings may be sent to
another process, which should still work.
Bug: v8:12547
Change-Id: I7413abd2d871fd3d52c9b433445cfa1d03e4a732
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3868713
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83044}
Change-Id: I46763c17f7078a3a5730c5a160ec899663ed990b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879483
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83043}
The src/wasm/stacks.h file became progressively bigger, create a
cc file for it and move some function definitions there.
R=clemensb@chromium.org
Bug: v8:12191
Change-Id: I6880a4e11884856bd2f4d777cb745a3c06c71841
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3874936
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83039}
When stress testing compaction, also abort evacuation for 5% of the
pages somewhere in the middle of the page.
Bug: chromium:1359294, v8:12578
Change-Id: Ie2e9873660ea2c330f175607b443f536f5d3abd2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876369
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83036}
.. which sets the --interrupt-budget-for-maglev to a very low value
s.t. that tiering to Maglev happens very early. Note this affects
both normal tierup and OSR.
Also add flag handling to fuzzer.py, both as added globally with
probability 0.1, and added to InterruptBudgetFuzzer (which I also
updated with other tiering-related flags).
Bug: v8:7700
Change-Id: I844cf53a6a2da459565d0ad0ccae02b04853cd26
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878165
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83033}
- Remove the {ValueRepr} parameter from Wasm table and global object
internals. It is now the responsibility of the user to transform
to/from a JS object. This removes duplicate work in some cases (type
checking in the caller, transforming in the callee).
- For the reverse direction in the JS API, introduce
{WasmObjectToJSReturnValue}.
Bug: v8:7748
Change-Id: Ie7625cc0f08d38fe74dbe57e69004de2d93b8a11
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876184
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83031}
This reverts commit 703b0b31db.
Reason for revert: a simpler approach will be used instead.
Original change's description:
> [ptr-compr-8gb] Align runtime allocations to 8 bytes
>
> In order to support a larger heap cage (8GB, 16GB), the cage offset
> will take up more than 32 bits. As a consequence, for 8GB cages, the
> least significant bit of the cage offset will overlap with the most
> significant bit of the tagged offset. To avoid this, allocations need
> to be aligned to 8 bytes to free up one bit from the offset.
> All changes are deactivated behind the build flag
> `v8_enable_pointer_compression_8gb`.
>
> Bug: v8:13070
> Change-Id: Ibb0bd0177f3e88dcd24fc0ee7526335df0faa987
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3791052
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Auto-Submit: Teo Dutu <teodutu@google.com>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82299}
Bug: v8:13070
Change-Id: I5cb60f8e4500c908bdef5d417393edbe89652c9c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3877146
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Teo Dutu <teodutu@google.com>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83030}
This reverts commit 24e60017d4.
Reason for revert: Change breaks maglev GC stress tests.
Original change's description:
> [maglev] Deopt on overflow in >>>
>
> Re-enable the int32 fast path for ShiftRightLogical, but account for
> Maglev's missing signed/unsigned representation tracking by a)
> removing rhs==0 as the identity value (a shift by 0 is still a
> signed-unsigned conversion) and b) deoptimizing if the result cannot
> be converted to a non-negative smi.
>
> Note this is not a deopt loop, since a non-smi result will change the
> feedback to kSignedSmallInputs (from kSignedSmall).
>
> To fix this properly, we should track signed/unsigned representations
> and convert the result to a heap number if it doesn't fit within smi
> range.
>
> Bug: v8:7700
> Change-Id: Ifd538d227a6f1290eb7f008d9bfad586ff91ea0f
> Fixed: v8:13251
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876366
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Jakob Linke <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83025}
Bug: v8:7700
Change-Id: Ibd4c29cc57b999e1cfcd040cee3228ea27a74029
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876374
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83029}
... which works for stale pointers. The default == operator contains
a DCHECK guarding against Code vs. non-Code object comparisons and
thus it can't be used for stale pointer.
Bug: chromium:1360793, v8:11880
Change-Id: Ic5faf9b05e1586a15388cc1cbf3e8dcddbea452f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879222
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83028}
Re-enable the int32 fast path for ShiftRightLogical, but account for
Maglev's missing signed/unsigned representation tracking by a)
removing rhs==0 as the identity value (a shift by 0 is still a
signed-unsigned conversion) and b) deoptimizing if the result cannot
be converted to a non-negative smi.
Note this is not a deopt loop, since a non-smi result will change the
feedback to kSignedSmallInputs (from kSignedSmall).
To fix this properly, we should track signed/unsigned representations
and convert the result to a heap number if it doesn't fit within smi
range.
Bug: v8:7700
Change-Id: Ifd538d227a6f1290eb7f008d9bfad586ff91ea0f
Fixed: v8:13251
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876366
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83025}
Abort evacuation for ~10% of evacuation candidates during stress
testing. This should make aborting of evacuation more frequently and
uncover bugs sooner.
Bug: chromium:1359294, v8:12578
Change-Id: I2fb2124b10456ea71da12df71ef92cf2c3d89c03
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878173
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83023}
The laneidx of LoadLaneParameters will be taken as char type when
PrintParameter. Fix operator<< to print laneidx with integer type.
Change-Id: Ibe9992326014d912f9aa09e785c8c3632ed02c06
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878768
Auto-Submit: Yolanda Chen <yolanda.chen@intel.com>
Commit-Queue: Yolanda Chen <yolanda.chen@intel.com>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83022}
We've previously used JSFunction::GetActiveTier, which looks at
JSFunction::code to determine the active tier. However, that may
diverge from the actually active tier (i.e. the calling frame type),
e.g. when Turbofan code is available but we haven't yet tiered up
because we're stuck in a longrunning loop.
With this CL, we determine the caller code_kind by splitting the
BytecodeBudgetInterrupt runtime function up into _Ignition,
_Sparkplug, and _Maglev variants s.t. the tier is passed implicitly
without extra overhead at runtime.
Bug: v8:7700
Change-Id: I46d19c4676e3debb6d608d9fbc53495feef5cadf
Fixed: chromium:1358577
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871196
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83020}
