In a few places we incorrectly assumed to know the instance type of the
heap object. In particular, in JSCallReducer::ReduceDataViewAccess,
doing map inference on the receiver and determining that all maps are
JSDataView maps does not guarantee that the receiver is a JSDataView
constant because we might deopt before getting to the data view
operation.
Bug: chromium:1146652
Change-Id: I1611308c3ebe0d33fa6b0cf0938d777b4e6449ff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2524440
Auto-Submit: Georg Neis <neis@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71034}
The test started failing on win64 ASan after a DEPS roll. Increase the
stack size to mitigate this.
Also, add a comment so say why we are restricting the stack size in the
first place.
R=thibaudm@chromium.orgCC=ahaas@chromium.org
Bug: v8:11120
Cq-Include-Trybots: luci.v8.try:v8_win64_asan_rel_ng
Change-Id: If0c084653687aef95acee8caa6712a1c872d2bca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2523203
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71016}
This reverts commit 0147db5a4a.
Reason for revert: Data races: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20TSAN/34056
Original change's description:
> [super] Optimize super property access in JSNativeContextSpecialization
>
> Generalize the existing property lookup machinery
> (JSNCS::ReduceNamedAccess) to handle the case where the
> lookup_start_object and the receiver are different objects.
>
> Design doc: https://docs.google.com/document/d/1b_wgtExmJDLb8206jpJol-g4vJAxPs1XjEx95hwRboI/edit#heading=h.xqthbgih7l2l
>
> Bug: v8:9237
> Change-Id: I28b6d87ce6537acd8cf972bbe7dc6d63d581aadc
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2487122
> Commit-Queue: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Michael Stanton <mvstanton@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70988}
TBR=marja@chromium.org,mvstanton@chromium.org,neis@chromium.org
Change-Id: Ib5ddb919ae569fe5ddf266d986f1c8bc0fe9621a
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9237
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2520908
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70992}
This reverts commit c3b2b64be4.
Reason for revert: Scheduled revert.
The flag flip is in 88.0.4315.0. Group report links:
https://chromeperf.appspot.com/group_report?rev=70949https://chromeperf.appspot.com/group_report?rev=823663
Original change's description:
> [nci] Enable --turbo-nci behind --future to gather perf data
>
> .. to be reverted in a day or two.
>
> Bug: v8:8888
> Change-Id: Iee156da614b50c351ca9a07cc497177c92de865d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2512907
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Lutz Vahl <vahl@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70949}
TBR=machenbach@chromium.org,jgruber@chromium.org,vahl@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:8888,v8:11087
Change-Id: I57411474d885dd69613a85f5fa3a801a573fcd08
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2517690
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70982}
This is a reland of adceb45979
Redesign test to not be OS dependent.
Original change's description:
> [x64][ia32] Add stack overflow check in InvokePrologue
>
> In case of no arguments adaptor frame, we massage the arguments in InvokePrologue pushing undefined objects if the actual argument count is below the parameter count. This CL adds a stack overflow check before pushing these undefined objects to the stack.
>
> Change-Id: I2a88bf6fdfd17958f6f6884143a67d50ea842fd2
> Bug: v8:10201
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2491039
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Victor Gomes <victorgomes@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70927}
Bug: v8:10201
Change-Id: Ifab3413b748cdf3bb998a5080cd1fcb3b67a737b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2517921
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70973}
Convert Profile, CodeMap and their helpers to ES6 classes.
Code cleanup will happen in a separate step.
Bug: v8:10667
Change-Id: Icfb28f6d9ef7f00efba93b347fdf210a9af36a49
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2509591
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70969}
.. by the runtime flag --enable-experimental-regexp-engine.
Introduced in https://chromium-review.googlesource.com/c/v8/v8/+/2461244
Tbr: neis@chromium.org
Bug: v8:10765
Change-Id: Ic32464ced7e5ddb4c31fe165eddb6b9d19260efc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2516920
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70963}
.. to be reverted in a day or two.
Bug: v8:8888
Change-Id: Iee156da614b50c351ca9a07cc497177c92de865d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2512907
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Lutz Vahl <vahl@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70949}
This reverts commit adceb45979.
Reason for revert:
- ConcurrentAllocationInLargeSpace fails in verify CSA bot: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20-%20verify%20csa/20547
- New test fail on Windows bot: https://ci.chromium.org/p/v8/builders/ci/V8%20Win32/29622
Original change's description:
> [x64][ia32] Add stack overflow check in InvokePrologue
>
> In case of no arguments adaptor frame, we massage the arguments in InvokePrologue pushing undefined objects if the actual argument count is below the parameter count. This CL adds a stack overflow check before pushing these undefined objects to the stack.
>
> Change-Id: I2a88bf6fdfd17958f6f6884143a67d50ea842fd2
> Bug: v8:10201
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2491039
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Victor Gomes <victorgomes@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70927}
TBR=neis@chromium.org,ishell@chromium.org,victorgomes@chromium.org
Change-Id: I7371e1603659ce512a39c0c0a8bb01baf7b916e0
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:10201
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2514505
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70928}
In case of no arguments adaptor frame, we massage the arguments in InvokePrologue pushing undefined objects if the actual argument count is below the parameter count. This CL adds a stack overflow check before pushing these undefined objects to the stack.
Change-Id: I2a88bf6fdfd17958f6f6884143a67d50ea842fd2
Bug: v8:10201
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2491039
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70927}
This commit adds the 'l' (linear) RegExp flag (as in e.g. /asdf|123/l)
that forces execution in linear time. These regexps are handled by the
experimental engine. If the experimental engine cannot handle the
pattern, an exception is thrown on creation of the regexp.
The commit also adds a new global V8 flag and changes an existing one:
* --enable-experimental-engine, which turns on recognition of the RegExp
'l' flag. Previously this flag also caused all supported regexps to
be executed by the experimental engine; this is not the case anymore.
* --default-to-experimental-regexp-engine takes over the previous
semantics of --enable-experimental-regexp-engine: We execute all
supported regexps with the experimental engine.
Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel_ng
Bug: v8:10765
Change-Id: I5622a89b19404105e8be280d454e9fdd63c003b3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2461244
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Martin Bidlingmaier <mbid@google.com>
Cr-Commit-Position: refs/heads/master@{#70892}
When searching for a target map during map update, attempt to
update field representations in-place to the more general
representation, where possible.
Bug: chromium:1143772
Change-Id: I6a43c94910a1d2d8f8b0ad89048f94b51461f76c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2507715
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70887}
Fix super calls so that arguments are evaluated before the
super constructor is checked to be in fact a constructor.
A new bytecode is introduced to split the IsConstructor check
out from the current GetSuperConstructor bytecode.
Bug: v8:10111
Change-Id: I3af99e32a34d99493806bb01b547d6f671cdc9de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2493077
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70881}
For-in now collect feedback as well, the test passes.
Tbr: neis@chromium.org
Bug: v8:8888
Change-Id: I4e2ae41b60aa43132a24f001dc4de460a270a1a8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2505766
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70874}
Inside of LoopPeeler::PeelInnerLoopsOfTree we call the typer, which
inspects heap objects, so we need to unpark the local heap.
Reverted in https://chromium-review.googlesource.com/c/v8/v8/+/2502333
Original change's description:
> [compiler] Replace Symbol with direct reads
>
> Bug: v8:7790
> Change-Id: I49120a6349777fd992a97d697940e79b2e71dbd1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2400988
> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#69812}
Bug: v8:7790, chromium:1137594
Change-Id: I8539175002e19b04b84009eb6b2cc5ced4ee53c9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2502339
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70872}
The speedup in https://crrev.com/c/2504853 left out checking the array
lengths, this adds that check.
Bug: v8:7783
Change-Id: I8de01fa2dff3e051246ee3a268cdce2128ad16ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2505252
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70869}
This reverts commit 1eecdf3450.
Reason for revert: unacceptable binary size increase (+65.5 KiB)
We’ll reland once we implement a more efficient way to store the
sequences.
Original change's description:
> Update RegExp sequence property support
>
> This patch aligns --harmony-regexp-sequence with the latest version of
> the corresponding TC39 and Unicode proposals.
>
> The list of supported properties has been changed:
>
> - https://github.com/tc39/proposal-regexp-unicode-sequence-properties#proposed-solution
> - https://unicode.org/reports/tr18/#Full_Properties
>
> Furthermore, the Unicode data now uses Unicode v13.0.0 instead of v12.0.0.
>
> Bug: v8:7467
> Change-Id: I1ac386d87af68d68e84e919cb5ffc1313443844a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2497163
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Mathias Bynens <mathias@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70752}
TBR=yangguo@chromium.org,jgruber@chromium.org,mathias@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:7467
Change-Id: I6721f4862827dc686d96d79498a1e8fdae4481d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2505758
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70866}
Test was skipped because the generated test contains multi-byte opcode,
and wasn't correct. Fix up the test with the correct encoding. The
fuzzer now generates multi-byte opcodes correctly, and so shouldn't be
an issue.
Bug: v8:10486
Change-Id: I1f5ad7d456320a30da6c553f65fdca0fc86a291a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2505238
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70864}
PPC has a larger page size than other platforms, so increase the page
size in the test to account for this.
Change-Id: I392064e9ef3f87c5bddb7763b35661aee5b4669d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2502330
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Milad Fa <mfarazma@redhat.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70857}
The flag has been enabled by default for two version now, so it is time
to remove it.
R=binji@chromium.org
Bug: v8:9921
Change-Id: I833e04a3f9d238e7bcf27e93148c9492776af3c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2402034
Reviewed-by: Ben Smith <binji@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70838}
We made array-concat run faster in https://crrev.com/c/2504853.
Bug: v8:7783
Change-Id: Iabefb58f92e24ffa4e0589a7c8b9e2b3e12c6e47
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2504859
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70831}
This test creates an array that is 500000 elements long. Calling
assertEquals on this with another array is really slow, especially on
simulator runs. Most of this array is empty, only the first few elements
and last few elements contain meaningful items, so we check those
specific indices.
On a local run this test goes from ~250s (--jitless) or ~111s to <1s.
out/arm64.build/d8 --test test/mjsunit/mjsunit.js
test/mjsunit/array-concat.js --random-seed=1 --nohard-abort
--testing-d8-test-runner [--jitless]
(using --jitless makes the test even slower)
Bug: v8:7783
Change-Id: I660d3a9f1b3fe3afaa58fce28f493641059ba226
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2504853
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70825}
The number of available double registers depends on supported CPU
features on arm. Any code that applies to all double regs must be
extra-careful to correctly handle either 16 or 32 registers.
This was not the case for deopt entries, which were recently moved
from a runtime-generated code stub to a mksnapshot-time-generated
builtin.
This CL fixes the issue by inspecting the runtime value of cpu
features and acting on it.
Bug: v8:8661,chromium:1142158
Change-Id: I6f4d2e6ee6a80217b9110194b8e1edbe8670d8d0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2498686
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70796}
Make the array elements in msunit/regress/regress-542823 larger, so that
it takes fewer of them to force the joined string to go into large
object space. Also, set the array's size dynamically based on the
maximum non-large object size, rather than having a fixed magic "large
enough" size, and verify that the resulting joined string is indeed in
LO space.
This reduces the runtime of this test under slow_path and gc-stress from
minutes to seconds.
Bug: v8:11060
Change-Id: I51d960b6a3e052199f50c1a6ba6fbce1b6d1ae38
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2498689
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70762}
For deserialized modules the compilation state was not set to
kFinishedTopTierCompilation and co. A consequence was that code that
required top tier compilation to be finished to block indefinitely.
With this CL the compilation state is initialized properly.
I tested this CL locally with the regression test mentioned in the bug
tracker issue. However, this regression test required to run this test
twice in separate processes. It would be possible to write a regression
test for this that runs on the bots, but I considered it not worth it.
R=clemensb@chromium.org
Bug: v8:11024
Change-Id: Ib4e75eae03fab13a3ff013118fc1f33a1278b33f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2494930
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70757}
msunit/regress/regress-542823 is intended to test large object
allocation in Array.prototype.join, but to do so it has a pretty
inefficient way of first building a large array.
Speed-up this test by using Array.prototype.fill, call .join directly,
and make the whole thing an IIFE to avoid global loads.
Bug: v8:11060
Change-Id: I5906bcb6c65b10ec830b026cf1f24acb6d5e1aaf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2498681
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70755}
The test creates an import error that references the current Script for
reporting the error location back to the embedder.
- This is not supported by the serializer
- We don't expect parse/import errors for serialization
Bug: v8:6513
Change-Id: Idf98e7ae189e8ffeaa478e5118a7b3f2d2c06047
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2497171
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70754}
Due to the previous change to that function, we can end up with
set (non-null) fields even when the overall serialized_ field is
unset. This can cause DCHECK failures (I don't think it's otherwise
observable).
Bug: chromium:1142240,v8:7790
Change-Id: I2711fae8a73438277caf7aa539f24d628b03153c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2497170
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70753}
This is a reland of eb6b4ce1d8
Skip test that serializes Error which references a Script. All errors
created by ThrowAt store the current Script under the
error_script_symbol.
Original change's description:
> [runtime] Use Isolate::ThrowAt with MessageLocation
>
> Fix various missing source positions when reporting parse and compile
> errors. Namely this fixes missing source positions when having invalid
> module imports.
>
> - Use Isolate::ThrowAt with valid MessageLocation objects
> - Change public Isolate::Throw to no longer accept MessageLocation to
> avoid misues
> - Introduce private Isolate::ThrowInternal that accepts MessageLocation
>
> Bug: v8:6513
> Change-Id: I3ee633c9fff8c9d361bddb37f56e28a50c280ec1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2467839
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70623}
Bug: v8:6513
Change-Id: Icba74f74178e28fbda0fd0c237eeb7bacbc33570
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2487123
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70741}
The dynamic map check builtin loads the feedback vector from the
function's frame, therefore it doesn't work if we inline the
function. We don't do inlining on TurboProp so this is fine, but
it was possible to enable dynamic map checks on TurboFan which does.
This change prevents that, and also makes the dynamic map checks flag
specific to TurboProp and no longer an implication, which also allos
it to be switched on the command line independenly of --turboprop.
BUG=chromium:1141502,v8:9684
Change-Id: I365de461a6373335a45a7a154af7d4cf1c13dc2c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2494928
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70737}
If trap handlers are disabled, we don't need guard regions around wasm
memories. Hence use the dynamic {trap_handler::IsTrapHandlerEnabled()}
check, instead of always reserving guard regions on all 64-bit
platforms.
This will allow to reserve pretty much arbitrarily many wasm memories if
trap handlers are disabled.
Two tests are added to test the number of memories that can be
allocated: With trap handlers, at least 50 memories should always be
possible. Without trap handlers, 10000 small memories should not be a
problem (each one is taking 64kB, so it's 640MB overall).
Drive-by: Improve tracing.
R=ahaas@chromium.org
Bug: v8:11017
Change-Id: Ic4c620f63dfbef571e64df0b3372b83a1db566ab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2491034
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70732}
The TryMigrateInstance should be passed the instance object to migrate,
not the map of the object. Also make the runtime function explicitly
check for JSObjects.
BUG=v8:9684
Change-Id: I03605d9f3103b618243c12ad0b63035484ef4134
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2487270
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70731}
The register that holds the {new_value} for the AtomicCompareExchange8U
has to be a byte register on ia32. There was code to guarantee that, but
after that code there was code that frees the {eax} register, and that
code moved the {new_value} to a different register again. With this CL
we first free {eax}, and then find a byte register for the {new_value}.
R=clemensb@chromium.org
Bug: chromium:1140549
Change-Id: I1679f3f9ab26c5416ea251c7925366ff43336d85
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2491031
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70721}
Liftoff can currently run out of registers when compiling an atomic
compare-exchange instruction. In order to see this crash, the following
conditions must be met:
- The offset in the instruction doesn't fit in a 12-bit immediate
- Either FLAG_untrusted_code_mitigations is false, or trap handlers are
enabled, so that AddMemoryMasking decides to do nothing
The fix proposed in this CL is just to defer allocation of a temporary
register until after CalculateActualAddress has finished, because it
might have also needed a temporary register.
Change-Id: I28225614dcdbe2bcc9e52208f1e806baac89c5f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2488840
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70687}
This trap now used for all runtime type errors thrown when interfacing
with JS. Its name and message have been changed to reflect this.
Additional change: Remove the trap from the list of traps used
exclusively for RuntimeError (as opposed to TypeError) in
wasm-module-builder.js.
Change-Id: I517766837a60d94b562d4c0de922d52db786b635
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2488688
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70682}
Bug: chromium:1139782,v8:10765
Change-Id: I417cd037b2587599b925cce08d8652b2df1985ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2488687
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Martin Bidlingmaier <mbid@google.com>
Cr-Commit-Position: refs/heads/master@{#70679}
