liftoff-assembler-ia32.h can now use it. TurboFan ia32 doesn't use it
because it generates different instruction codes (movlps, movhps).
Bug: v8:11589
Change-Id: I07540814acff2d8ea48e06d1e00023d80b276a3d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3095009
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76373}
Move optimized implementation (accounts for AVX2) into
shared-macro-assembler, and use it everywhere.
Drive-by fix in liftoff-assembler-ia32.h to use Movss and Movsd
macro-assembler functions to that they emit AVX when supported.
Bug: v8:11589
Change-Id: Ibc4f2709d323d5b835bcac175a32b422d47d3355
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3095008
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76372}
This adds the option to list disallowed flags for differential
fuzzing directly in the harness. Flags that can crash in smoke
tests shoule be added there.
No-Try: true
Bug: chromium:1240812
Change-Id: I57c772bedeac0ca6ba023c6b4929515b4b0e6cca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103314
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76369}
This is probably a latent bug, but since we didn't have a test that used
'--gdbjit', our fuzzers weren't testing this code path.
Bug: chromium:1240714
Change-Id: I6225e17b60d3a7a73a9c5502fde315207b8e721a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3101265
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76368}
After building V8 using Clang (./out/x64.release/v8_build_config.json
says that "is_clang" is true), I could reproduce the referenced bug
report locally. Replacing the getMinutes() calls with getUTCMinutes()
calls fixed the test failure.
Signed-off-by: Darshan Sen <raisinten@gmail.com>
Bug: v8:11200
Change-Id: Ia36be481f2c8728380d550ead856ef8e51b1069c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3093362
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76367}
.. instead of a FlatStringReader. This is in preparation for reusing
the regexp parser directly from the JS parser, which uses different
string types (AstRawString instead of heap Strings).
Drive-by: Hide parser internals in the .cc file.
Bug: v8:896
Change-Id: I06bd08f2ef5fd7a5e9812c123d88b89cacf5d864
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3101488
Commit-Queue: Patrick Thier <pthier@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76365}
The heap snapshot view in the dev tools reports a lot of incorrect
retaining paths involving weak references from FeedbackVectors. To fix,
when IndexedReferencesExtractor encounters a weak reference, it should
record a weak reference rather than a hidden reference. This way, the
forward reference is still visible when exploring in the summary view,
but weak references aren't reported as retainers.
Bug: v8:12112
Change-Id: Ib3bafc49482fb4f515877a90bae8707483d0a7a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3101266
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#76364}
This is an internal property that should not be used publicly.
The following methods are going to be deprecated:
- v8::TryCatch::JSStackComparableAddress
- v8::BackupIncumbentScope::JSStackComparableAddress
Change-Id: Iaecfdece4660eaf1aef88121ff0f0c501c0ced5b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097451
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76363}
We see too many regressions for now in M94 (~10% more misses in
some cases).
This CL reverts the logic to the state before landing
https://crrev.com/c/3069152 without having to revert the several
refactoring CLs that landed on top of it.
Bug: v8:10284, chromium:1238312, chromium:1237242
Change-Id: I57e66b9e0d58c36d2f1563b07720e3729c88ec94
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103006
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76362}
The heap sandbox will rely on the virtual memory cage to protect the
data pointers in ArrayBuffers, TypedArrays, and DataViews.
Bug: v8:10391
Change-Id: Ib0ee352e0eba07dea0fb9e0dc4957cb74d37ba3b
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3101489
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76361}
This introduces a new, optional `nonIndexedPropertiesOnly` flag to the
`Runtime.getProperties` inspector request, which tells the inspector to
only report properties whose name is not an (typed) array index. This is
to support retrieving all properties except for the indexed ones when
the DevTools front-end decides to use the array bucketing mechanism.
Previously the DevTools front-end had some quite complicated logic in
place to simulate this via injected JavaScript, but that logic didn't
pick up internal properties and was also interfering with the inherited
accessor mechanism. With this new flag, it's straight-forward to
implement the correct behavior in the DevTools front-end.
The corresponding devtools-frontend CL is https://crrev.com/c/3099011.
Before: https://imgur.com/hMX6vaV.png
After: https://imgur.com/MGgiuJQ.png
Bug: chromium:1199701
Change-Id: Iacbe9756ed8a2e6982efaebe1e7c606d37c05379
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3099686
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Philip Pfaffe <pfaffe@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76360}
In follow-up work, the parser will be refactored to take the input as
raw char arrays instead of a FlatStringReader s.t. it can be reused by
the V8 parser (which has AstRawStrings instead of Strings).
Bug: v8:896
Change-Id: I0e0bda4b34bc23b8bc427ddf3f9516081c42bb8a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3099947
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76359}
These tests test allocation failure and time out on MSAN.
TBR=adamk@chromium.org
Bug: v8:11852
Change-Id: Ie0b042ab6bc37028c41a4b12d4911aba7f9af375
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3101574
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76356}
Bug: v8:11852
Change-Id: I1d3c01b827e847bb7edcd2ebe7d3b340f7d53069
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097473
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76355}
We snapshot all the code first, then log it without holding the lock.
Change-Id: I8c18b2db56678a9320ea6b63cd06290453c0a66a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097472
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76354}
Change i16x8.splat to use Punpcklqdq instead of Pshufd as the final step
to move low 32 bits to all lanes.
Move this implementation to shared-macro-assembler and use it
everywhere.
Bug: v8:11589,v8:12090
Change-Id: I968b1dca5a262e4e67875caea18c5c09828cb33a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3092558
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76353}
The optimal implementation is in TurboFan x64 codegen, move it into
shared-macro-assembler, and have TurboFan ia32 and Liftoff use it. The
optimal implementation accounts for AVX2 support.
We add a couple of AVX2 instruction to ia32 in sse-instr.h, not all of
them are used, but follow-up patches will use them, so we add support
(including diassembly and test) in this change.
Drive-by clean up to test-disasm-x64.cc to merge 2 AVX2 test sections.
Bug: v8:11589
Change-Id: I1c8d7deb0f8bb70b29e7a680e5dbcfb09ca5505b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3092555
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76352}
The old implementation had an implicit assumption that
IsolateData::builtin_entry_table_offset is a uint12, i.e.
<4096. We're about to cross that threshold, so this patch
frees up a temp register to let the code generator handle
larger offsets.
Bug: v8:12110
Change-Id: I2c313918be4b1c4fdd2984259e5e8cc02bb24035
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097108
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76350}
ArrayBuffer backing stores will instead use the virtual memory cage and
be referenced through offsets rather than pointers when the sandbox is
enabled. This will be implemented in an independent CL.
Bug: v8:10391
Change-Id: Icc9781003e53c76dbbf4c84ee165151e4182da4b
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3086458
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76348}
The API doesn't forbid passing in a "no cache reason" even when there's
a cache.
Change-Id: I4392bd9707333e8bc39129de72de753d88265c5c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3099950
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76347}
{NativeModule::AddCode} is a central method that should usually be
called in batches, where the caller holds a {CodeSpaceWriteScope} for a
longer time (over several compilations).
This CL moves us closer to that by removing the scope from that central
method and instead putting it in callers where it becomes more visible.
There are already TODOs to introduce caching or batching to avoid some
switching, and one more TODO is added.
Drive-by: Remove an unneeded {CodeSpaceMemoryModificationScope}.
R=jkummerow@chromium.org
Bug: v8:11974
Change-Id: Ia13c601abc766e5fca6ca053bf1fc4d647b53ed0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3098186
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76344}
Don't create DataField and FastDataConstant access infos with a kNone
field representation. Instead return Invalid.
Bug: chromium:1239601
Change-Id: I4df7aa298974f9dcd650ead50aaa349c84feb487
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097463
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76343}
Changing the protections of a kNoAccess region to something different
can fail due to OOM. We should handle this properly.
Bug: chromium:1240062
Change-Id: I35e8837a57d66930390067eb0d1ab4bc76709948
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3099685
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76342}
Make off-thread deserialization play well with the Isolate compilation
cache, by moving the Finish call into GetSharedFunctionInfoForScript.
This means that
a) The isolate cache is checked before the Finish, allowing it to be
hit, and
b) Results of off-thread deserializations are written into the Isolate
cache.
Bug: chromium:1075999
Change-Id: I535935180bbe77f3e718253830e649bd62857634
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3094006
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76341}
This is a reland of 2261e05333
This patch can now be relanded as some space was made for more opcodes:
https://bugs.chromium.org/p/v8/issues/detail?id=12093
Original change's description:
> [arm64][wasm] Use NEON S/Usra for Wasm SIMD add(shr(x, imm), y)
>
> A single AArch64 SIMD signed/unsigned Shift Right and Accumulate can be
> used to implement Wasm SIMD add(shr(x, imm), y). This gives a 1-1.5%
> improvement on some compute intensive Wasm benchmarks on Neoverse-N1.
>
> Mla and Adalp optimisations were refactored to match the style of the
> added code.
>
> Change-Id: Id5959a31ca267e02b7d60e7ff6f942adb029b41e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3089157
> Reviewed-by: Zhi An Ng <zhin@chromium.org>
> Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
> Cr-Commit-Position: refs/heads/master@{#76280}
Change-Id: Idd166b7d3c960af33049bbce6e7276763c28f286
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097284
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76340}
The validation was too strong in the case where the incrementation
produces type None.
Bug: chromium:1236716
Change-Id: I948b370594fa7dad1ba6e5b951f473855bf1346b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097865
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76338}
Change-Id: If641c8a4a466f6f9ea1dc9d8c15184fab17f52c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3098008
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76329}
This is a reland of a3b2c4ec81
The fix is in PS3, for UBSan. We use WriteUnalignedValue for
potentially unaligned memory writes.
Original change's description:
> [wasm][diagnostics] Support WasmCode in gdb JIT integration
>
> - Add new enum WASM_CODE to JitCodeEvent::CodeType
> - Use AddressRegion instead of AddressRange (remove the latter)
> - Change CodeDescription constructor to take an AddressRegion,
> both JIT_CODE and WASM_CODE use this
> - Add a simple mjsunit test that sets --gdbjit to check that
> we don't crash.
> - Add a api test for adding WASM_CODE
>
> Bug: v8:11908
> Change-Id: I6e87fadc2df67978144d78caf9800c3982bc3705
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3067754
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#76271}
Bug: v8:11908
Change-Id: I5ded6d01cff40803b2f70525163f760edcf97165
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3093506
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76327}
When the ToString Torque builtin has already found and called a
`toString` or `valueOf` method on a JSReceiver, and still needs
to call the runtime afterwards, it should do so with the result
of that first step, as opposed to the original input.
Fixed: v8:11689
Change-Id: I672249f9a6c230c3e61921b043f372c25a0178cf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097270
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76326}
Adds a heap verification GN arg to gate the marking verifier and live
bytes verification on. The flag may be used in future for other more
expensive checks as well.
Currently, the flag is automatically enabled in dcheck_is_on and debug
builds.
The change enables live bytes verification for the library in regular
debug builds which may flush out issues.
Bug: v8:11785
Change-Id: I0f41bc0d76ebea9f6a8c9315c947598015ee5d68
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097868
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76325}
