The fuzzer instantiates the module twice: Once for reference
interpretation / execution, and once for the actual execution of
Liftoff/TurboFan code.
For some reason, the two code paths for interpretation and Liftoff
reference execution used different patterns: Interpretation was using
the first instance, and then creating a second instance for actual
execution, whereas the Liftoff path used a second instance for the
reference execution and used the first one for the actual execution.
This CL refactors this to always create a "reference instance" first,
use that for either the interpreter or Liftoff, and then create a second
instance for the actual execution.
R=thibaudm@chromium.org
Bug: v8:12425
Change-Id: I19754264240d8570f00161abb7aecba1cc2b2ae0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3683323
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80900}

This is a partial reland of https://crrev.com/c/3597106 including fixes
from https://crrev.com/c/3654413
Before this change, a script cache key is the same format as an eval
cache key, which is a FixedArray containing:
- The SharedFunctionInfo of the containing function
- The source text
- The language mode in which the code was parsed
- The position in the source where eval was called
After this change, a script cache key is a WeakFixedArray containing:
- A weak pointer to the Script
- The hash value of the source text
This sets up for a subsequent change which can cause these keys to
outlive their corresponding values (top-level SharedFunctionInfos)
without leaking any memory beyond the key itself.
Bug: v8:12808
Change-Id: Ibdfe5d10eafe5b7392e554c500af47975baf45c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3668304
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#80899}

The OOB check belongs in ValidateIntegerTypedArray according to the
spec.
This also fixes the error types for OOB TypedArrays when doing Atomics:
OOB TypedArrays should get a TypeError, not RangeError.
Bug: v8:11111
Change-Id: Ice2e5695d69d84b2c20a4cf8f06880673d901a91
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3676859
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80898}

This CL addresses a TODO left from implementing Wasm entry to fast C
calls in https://chromium-review.googlesource.com/c/v8/v8/+/3440694/
and avoids generating a branch in case it's not needed (either because
the embedder isn't providing an options object, which is the case
for Wasm, or because we're not generating overloads).
Bug: chromium:1052746
Change-Id: I7323f85801c034f0c47877ea15f677a53d3acea3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3650923
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80897}

IsCompiledScope retains code to protect against code flushing. The
current API is easily misused by forgetting to initialize
IsCompiledScope with a SFI's current state.
Change-Id: Ie8ab60acc4fb85c4b8b76c52040976e2e34f9d5e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3674117
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80896}

Some parses are actually re-parses of an already parsed function; things
like source position collection, CallPrinter AST walks, debugger, etc.
These may want slightly different parse behaviour -- in particular, we
likely don't want to post parallel compile tasks for them. So, keep
track externally of which parses are reparses, and suppress parallel
compile tasks for them.
Change-Id: I8b38caad1a385e08231bd247774e9804a409de0e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3291317
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80895}

MinorMC only used a single color (grey) while the full MC used 2 colors
(grey and black). Update MinorMC to use black as well. This aligns and
brings full MC and MinorMC closer, and allows reusing more of the
existing sweeping infrastructure for the non-moving MinorMC.
Bug: v8:12612
Change-Id: Ifa740537c4587dc197196e41829ea74a312b79d0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3683320
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80894}

The fuzzers sometimes fail to instantiate a module that we already
instantiated before. This is nondeterministic and hard to reproduce (maybe
an out-of-memory situation).
Make the fuzzers print the error message so we learn more about those
failures.
R=ahaas@chromium.org
Bug: chromium:1330572
Change-Id: I0db103bdb113b1c1cedf662e02fb7a7f9d34ebd7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3680298
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80893}

The last line of output (which is not terminated by a newline) was not
showing for me when running the merge script. We can either fix it by
specifying `flush=True` at the `print` statement, or flushing before
reading user input. The latter seems more future-proof.
R=machenbach@chromium.org
Change-Id: I61cb929d2f7cdd20b3e32b9beb1653fe2d5c5791
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3676857
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80890}

The logic for removing the optimized OSR code depends on collecting
the reference to the optimized OSR code in the IC.
Bug: chromium:1330405, chromium:1330452, chromium:1330454, chromium:1330486, chromium:1330545
Change-Id: I0981a6b2f41bd7f90b74a1866c91d6eb35c5c591
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3679846
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Tao Pan <tao.pan@intel.com>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80886}

List all variants for the --variant help text
Change-Id: I249d8140b19e13dc3eceedaade2b856b1fdb1567
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3663088
Reviewed-by: Liviu Rau <liviurau@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80884}

When injecting locations for block-end gap moves into Phis, make sure to
maintain register frame state too, so that the subsequent
MergeRegisterValues call sees the result of these moves.
Bug: v8:7700
Change-Id: I4f68e386c5a6cc578d26904306cb9b0c2f7a90d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3676861
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80879}

Add a method which optionally merges dead fallthrough paths, in case the
iteration in EmitUnconditionalDeopt reaches a merge point that is live
from another jump but dead on the fallthrough.
Bug: v8:7700
Change-Id: Ie505cd5356fcf70208f2f6d3e52b805956485f74
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3663086
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80878}

Rolling v8/build: b2f1ec8..fb6ee35
Rolling v8/buildtools: a5fa465..8b16338
Rolling v8/buildtools/linux64: git_revision:c547ca1497e3ff0dcbc0b2cb036b3d40380cbeeb..git_revision:37baefb026b199605affa7bcb24810d1724ce373
Rolling v8/buildtools/third_party/libc++/trunk: 79a2e92..b126981
Rolling v8/buildtools/third_party/libc++abi/trunk: 4ad92ec..c30c515
Rolling v8/buildtools/third_party/libunwind/trunk: d03f56b..5e737be
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/a1cf7a2..fba169d
Rolling v8/third_party/depot_tools: 4e6aa25..e1197f0
Rolling v8/third_party/fuchsia-sdk/sdk: version:8.20220522.3.1..version:8.20220531.3.1
Rolling v8/third_party/zlib: 80b28c9..64bbf98
Rolling v8/tools/clang: 6df1876..393c871
Rolling v8/tools/luci-go: git_revision:0ef9351a5b73943d547fb27d463d5f4a1572727f..git_revision:de014227dd270df7c61bfab740eb4ae4b52ac2a7
R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com
Change-Id: I350575968cfc4adfe6d6785146735d83debfa0a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3682481
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#80876}

This is a reland of commit ea9a1f1cbe
Changes since revert:
- Make the state field uintptr-aligned since arm64 faults on
atomic accesses to non-naturally aligned addresses.
Original change's description:
> [shared-struct] Add Atomics.Mutex
>
> This CL adds a moving GC-safe, JS-exposed mutex behind the
> --harmony-struct flag. It uses a ParkingLot-inspired algorithm and
> each mutex manages its own waiter queue.
>
> For more details, please see the design doc: https://docs.google.com/document/d/1QHkmiTF770GKxtoP-VQ1eKF42MpedLUeqiQPfCqus0Y/edit?usp=sharing
>
> Bug: v8:12547
> Change-Id: Ic58f8750d2e14ecd573173d17d5235a136bedef9
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3595460
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80789}
Bug: v8:12547
Change-Id: I776cbf6ea860dcc6cb0ac51694a9b584b53d255c
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3673354
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80875}

When async compilation finishes for WebAssembly, the promise returned by
`WebAssembly.compile()` gets resolved. Resolving the promise creates a
microtask that should get executed automatically when the call stack
empties when MicrotasksPolicy::kAuto is used. However, this policy
requires a CallDepthScope to work, but there is no CallDepthScope when
WebAssembly compilation finishes. This CL adds this CallDepthScope.
R=jkummerow@chromium.org
Bug: chromium:1297672
Change-Id: I1bd607dec9daf08b3dbb1294393a8af255d222ff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3679579
Auto-Submit: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80872}

Modification is needed after this CL:
https://crrev.com/c/3676642
Bug: v8:12781
Change-Id: Icb2644c9cd6f20e37c4b0ba0c4b861417c84b7f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3679980
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#80871}

This CL introduces the following changes to the experimental
implementation of the object start bitmap, that is evaluated as
a mechanism for resolving inner pointers (behind the flag
v8_enable_conservative_stack_scanning):
- Manually iterate through page objects, instead of using the
PagedSpaceObjectIterator, for performance (avoid calling
MakeHeapIterable all the time) and to simplify the handling
of filler objects.
- Clear bits when reusing evacuated pages of the new space.
- Use the cage base to iterate correctly through code objects.
- Introduce a method for verifying the validity of the object
start bitmap.
- Minor fixes, additional checks and cleanup.
Bug: v8:12851
Change-Id: I245937ffe6f4b53c4c2dcf5126e8836aec4dc79e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3675099
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80869}

Remove code size and compilation time sampling for the "top tier
finished" event. With dynamic tiering, this event will never be reached.
R=ahaas@chromium.org
Bug: v8:12899
Change-Id: I1b0d053e31fe8cd1f8ba3b23bfff4c5879569b45
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647691
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80867}

The macro list makes it difficult to impossible to deprecate individual
methods (like the one receiving a {WasmModuleTieredUp} struct).
Hence avoid the macro list and instead call the macro explicitly for
each definition.
R=cbruni@chromium.org
Bug: v8:12899
Change-Id: I4139de7721c4a1450920c5be312e91e7478e6fa7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3667076
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80865}

This will be useful for implementing crbug.com/1328448.
Bug: v8:12916
Change-Id: Id22ae96f6c1f9b72ab09508dd1f6dc2d70f8b5d4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3677654
Commit-Queue: Clark DuVall <cduvall@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80863}

Add a new late escape analysis pass to JS late optimizations.
The new pass simply removes allocations that are not used (besides
initializing stores to the object).
Bug: v8:12200
Change-Id: I01fc6233cca2f369c77ff2116ed7c4da1a232d95
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3677298
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80862}

After AssertNoTypedSlotsInFreeMemory being a CHECK for some time now to
get more test coverage, turn this into a DCHECK again.
This CL also renames the methods used by the sweeper to clear typed
slots in free memory. It was previously called "invalid slots" but
IMHO that could be a bit misleading, since this isn't about object slot
invalidation (where we also filter slots) but only really about slots in
free memory.
Bug: v8:12760
Change-Id: I8f414be06207460531fa54189b9ef1be85f4ecb6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3679578
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80860}

The method is already misleading, as with dynamic tiering the "top tier"
is defined to be the same as the "baseline tier" (i.e. Liftoff). Hence
the method does not do what you would expect it to do.
Fixing it to wait for all functions to be compiled with TurboFan would
result in a deadlock, if we do not also trigger tier-up of all
functions.
Hence remove the method.
R=ahaas@chromium.org
Bug: v8:12899
Change-Id: I4ba76febd796f6a9ad1252e6d73a72e569fd648c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657436
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80859}

This CL adds the serialization and deserialization
for properties in functions. We only support fast
properties in the property array for now.
Bug: v8:11525
Change-Id: If0bb3fee400ca957009d046ed74b92d8192c2514
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3650675
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80858}

Add support for LoadHandlers with the kConstantFromPrototype kind. With
some dependency checks, this becomes a map check and constant load.
Bug: v8:7700
Change-Id: I865eee7be4df9bd0ba56943814f601e3e950ed80
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3675101
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80855}

This CL fixes all spots where wasm Turbofan code did not satisfy the
invariant that all nodes with effect outputs are connected to another
node. Also, it enables the related verification for wasm code.
Drive-by:
- Simplify how stack checks are removed during loop unrolling.
- Fix a test declaration in test-gc.cc.
Change-Id: Id32af8584ba0ec281f4bf7757bd2915e6d8bf443
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3676862
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80854}

This makes the following use cases produce a visible error:
- deserializing invalid data w/ d8 [previously broken]
- error in the script embedded in the web snapshot
- d8 can't read web snapshot files
Bug: v8:11525,v8:12820
Change-Id: I40a993194f9992a40c877261ebf9882e018b669b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3672415
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80852}