1) when generating short builtin calls/jumps assemblers should use the
offset from the CodeRange base rather than the start of the code
range reservation because otherwise it's not guaranteed that the
PC-relative offset will fit into architecture's constraints.
The code range reservation start could be different from the code
range base in the following cases:
* when the "base bias size" is non-zero (on Windows 64),
* when we ended up over-reserving the address space for the code
range, which happens as a last resort to fulfil the CodeRange
alignment requirements.
See the VirtualMemoryCage description for details.
Drive-by fixes:
2) in case of over-reserving address space for external code range,
the pre-calculated hint for where the remapped embedded builtins
should be copied to was outside of the allocatable CodeRange region
and thus useless. The fix is to use the allocatable region instead
of the reservation region when calculating the hint.
3) when allocating CodeRange with zero base bias size we can create
the VirtualMemory reservation from the first attempt simply by
passing the required base alignment to the VirtualMemory
constructor.
Bug: v8:11880, chromium:1290591
Change-Id: If341418947e2170d967e22b38bcc371594939c1c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3412089
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78772}
Map::Hash relies on the fact that the map space is never compacted.
However this might change in the future, so instead of using the
address of the prototype's map, we use the prototype's identity hash
instead.
Bug: v8:12578
Change-Id: Ia4961ed55119681c0033aa187789f6710ff2d22c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3412085
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78768}
Exports are properties in the global object. Pre-reserve the space,
since we know the count upfront.
Bug: v8:11525
Change-Id: Ia8ea992234ed8cf71a1060254766b0ba31562436
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3416231
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78767}
In current BitwiseSmi bytecodes the code to do Smi operation is inside a
loop. This CL fast path the Smi operation by peeling the first Smi check
out of the loop, and avoid Smi->Int->Smi conversion where possible.
Drive-by fix: Add CSA_DCHECK in Smi shift to avoid unexpected use.
Bug: v8:12442
Change-Id: I1adce560fb22a4409337e2958779eccf9197e4ff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3328784
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Hao A Xu <hao.a.xu@intel.com>
Cr-Commit-Position: refs/heads/main@{#78764}
- Use raw pointer when setting the SFI in CreateJSFunction
- Use some more factory->xxx_value() handle accessor to avoid handle
creation
Bug: v8:11525
Change-Id: I5ed62f56cf2e53cc765566c0c129c7851b704813
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3401591
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78763}
This is a reland of 3cb4039cd1
Changes since revert:
- Fix FLAG_stress_scavenge interaction with shared Isolate
- Use the shared Isolate's global handles to keep shared values
alive in transit during a postMessage
Original change's description:
> [string] Support shared strings in Value{Serializer,Deserializer}
>
> When FLAG_shared_string_table is true, postMessaging strings will share
> instead of copy.
>
> Note that not all operations on shared strings are supported, and shared
> strings may be slower than non-shared strings for some operations.
>
> Bug: v8:12007
> Change-Id: I3462128e15410d2568868143571571b3025722c1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3277250
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#78614}
Bug: v8:12007
Change-Id: I5d9b99b2dac6f26d5ef046d7aec94f1a1d219419
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3389533
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78761}
Implementations are added to macro-assembler to be shared between
liftoff and code generator.
Change-Id: I6bde65dc50f1e52b8fbca150854e0b0863dff301
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3416190
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#78760}
When sandboxed external pointers are enabled, external pointers now only
require 32 bits of storage space in a HeapObject. This CL does not shrink
the size of EmbedderDataSlots, which will happen in a follow-up CL.
Bug: v8:10391
Change-Id: I3cf8b68c3b985cf806a45183717f50462a88c281
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3359629
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78754}
Implementations are added to macro-assembler to be shared between
liftoff and code generator.
Change-Id: I3fac2b82686836106cefa9a78f5feda6105679d4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3412359
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#78748}
Implementations are added to macro-assembler to be shared between
liftoff and code generator.
Change-Id: Ia26b82de3f0af076ace3d53e285917029d2d5ac4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3407794
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#78746}
This is a reland of 91f08378bc
When the class scope does not need a context, the deserialized
outer scope of the initializer scope would not be the class scope,
and we should not and do not need to use it to fix up the allocation
information of the context-allocated variables. The original patch
did not consider this case and resulted in a regression when we
tried to reparse the initializer function to look for destructuring
assignment errors. This fixes the regression by not deserializing
the class scope that's going to be reparsed, and using the positions
of the scopes to tell whether the scope info matches the reparsed
scope and can be used to fix up the allocation info.
Original change's description:
> [class] implement reparsing of class instance member initializers
>
> Previously, since the source code for the synthetic class instance
> member initializer function was recorded as the span from the first
> initializer to the last initializer, there was no way to reparse the
> class and recompile the initializer function. It was working for
> most use cases because the code for the initializer function was
> generated eagarly and it was usually alive as long as the class was
> alive, so the initializer wouldn't normally be lazily parsed. This
> didn't work, however, when the class was snapshotted with
> v8::SnapshotCreator::FunctionCodeHandling::kClear,
> becuase then we needed to recompile the initializer when the class
> was instantiated. This patch implements the reparsing so that
> these classes can work with FunctionCodeHandling::kClear.
>
> This patch refactors ParserBase::ParseClassLiteral() so that we can
> reuse it for both parsing the class body normally and reparsing it
> to collect initializers. When reparsing the synthetic initializer
> function, we rewind the scanner to the beginning of the class, and
> parse the class body to collect the initializers. During the
> reparsing, field initializers are parsed with the full parser while
> methods of the class are pre-parsed.
>
> A few notable changes:
>
> - Extended the source range of the initializer function to cover the
> entire class so that we can rewind the scanner to parse the class
> body to collect initializers (previously, it starts from the first
> field initializer and ends at the last initializer). This resulted
> some expectation changes in the debugger tests, though the
> initializers remain debuggable.
> - A temporary ClassScope is created during reparsing. After the class
> is reparsed, we use the information from the ScopeInfo to update
> the allocated indices of the variables in the ClassScope.
>
> Bug: v8:10704
> Change-Id: Ifb6431a1447d8844f2a548283d59158742fe9027
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2988830
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Joyee Cheung <joyee@igalia.com>
> Cr-Commit-Position: refs/heads/main@{#78299}
Bug: chromium:1278086, chromium:1278085, v8:10704
Change-Id: Iea4f1f6dc398846cbe322adc16f6fffd6d2dfdf3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3325912
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#78745}
The allocatable registers have holes, so not all FP registers are one
half of a valid SIMD register. Thus check if {GetAliases} returned an
allocatable SIMD register before looking up if that register is being
used. Otherwise we run into a DCHECK because {simd_reg} is invalid.
The bug was only introduced recently: https://crrev.com/c/3404780R=thibaudm@chromium.org
Bug: chromium:1290079, v8:12330
Change-Id: I99df1645cfeec375daec82dbf41c110b5474339c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3412075
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78742}
This turns some CHECKs in the mid-tier register allocator into DCHECKs.
The ones inside {CheckConsistency} should be DCHECKs anyway, even if
they are inside an "#ifdef DEBUG" block. This will make ClusterFuzz
correctly detect them as "checks that only happen in debug mode".
Others were just unnecessarily always included, instead of only in debug
builds.
R=thibaudm@chromium.org
Bug: chromium:1271369
Change-Id: I51acde3c951c7a2af9dee36e25b196364ddf8f5c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3406760
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78741}
This minor change in how we iterate the virtual registers speeds up the
consistency checks by a factor of more than four.
R=thibaudm@chromium.org
Bug: chromium:1271369
Change-Id: Ieb9640d52c84fabacbbcf0fea56825fb594cfc21
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3406759
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78738}
Moves between stack slots are rare; they mostly happen for tail calls
or for multi-return blocks. The bug exists since a long time, but was
only uncovered by the fuzzer now.
R=ahaas@chromium.org
Bug: chromium:1289678
Change-Id: Ibb0917717c6b7a468f5fcbb01be34267ba06a449
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3406749
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78736}
This is the only change in crrev.com/c/3398111 that may have impacted
performance.
Bug: chromium:1289597
Change-Id: I375535aa5c8382073565f1270dc5cc9c5598af4e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3406534
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78734}
This removes a dead method, makes constant fields constant, and avoids a
confusing macro (which just prevented me from finding the call to
{set_imported_mutable_globals}).
R=manoskouk@chromium.org
Bug: v8:12425
Change-Id: I76de744c273ed9e2e429647a2d26dc163e1f4525
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3406758
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78733}
This enables the --turbo-use-mid-tier-regalloc-for-huge-functions flag
by default. This configuration has been run through fuzzers for several
weeks, and all found issues have been fixed (see
https://crbug.com/v8/12330).
R=thibaudm@chromium.org
Bug: chromium:1287331, chromium:1285389, v8:12320, v8:12287
Change-Id: I82cec61a143a78bf705019b2b2bc2c6342f577fc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3404096
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78731}
Changes:
- Rename kWasmTrapDataSegmentDropped to the more accurate ~OutOfBounds.
- Drop unused argument from {WasmCompiler::ArrayInit}.
- Rename {Factory::NewWasmArray} -> NewWasmArrayFromElements.
- Add error handling to {InitExprInterface}.
- Allow the data count section to appear anywhere in the module under
--experimental-wasm-gc. Add the same capability in
wasm-module-builder.js.
- Add {WasmArray::MaxLength(uint32_t element_size_log2)}.
- Add kTrapArrayTooLarge in wasm-module-builder.js.
- Small test improvements in gc-nominal.js.
Bug: v8:7748
Change-Id: I68ca0e8b08f906503f0d82e5866395018d216382
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3401593
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78730}
Externref does not need a translation from WebAssembly to JavaScript.
The return value can therefore just be forwarded to JavaScript.
R=thibaudm@chromium.org
Bug: v8:12565
Change-Id: I3b3ae37578c2793f6c09d1345f4ee555b40c853d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3404779
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78721}
This is similar to the previous SIMD spilling fixes, but this time at
block merges. The logic is similar to the existing cases, but not quite
the same. I did not find a nice way to unify the different locations
where we check for SIMD register overlap.
R=thibaudm@chromium.org
Bug: chromium:1283395, v8:12330
Change-Id: I5ab9b6831368cbce40b8368e4ec7954e985bff96
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3404780
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78720}
The C-API does not support dynamic tiering and still waits for top-tier
compilation to finish before serializing code when the explicit
serialize() function gets called. This means that serialize() can only
finish if the kFinishedTopTierCompilation event was triggered first.
With this CL the kFinishedTopTierCompilation event is also triggered
after deserialization so that serialize() can work after
deserialization.
R=clemensb@chromium.org
Bug: v8:11024
Change-Id: I3dd14e37087e3cbfbc28cb5625c9f3715f6c236b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3404773
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78719}
We used to serialize the full source code of the script being
serialized. This CL makes the source code maximally minimal (only
including the needed outer functions) while maintaining the "inner
function is textually inside its outer function" relationship.
Bug: v8:11525
Change-Id: Ic42772f7ecb76744bc11b97fa1784d847558e1f6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3401864
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78716}
Save the PC in the jump buffer and implement the suspend builtin.
R=ahaas@chromium.org
CC=fgm@chromium.org
Bug: v8:12191
Change-Id: I1a6d965d7864dce0a572f6c8d7102046dad190fd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3345006
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78715}
Allow Wasm to generate calls directly to Fast API C functions.
This massively reduces the overhead of these calls (~300%).
Currently options parameter is not supported.
This is a reland of
https://chromium-review.googlesource.com/c/v8/v8/+/3364356
with a fix to a data race.
Bug: chromium:1052746
Change-Id: I8c1c255419496d03a94ec2b443329842469586d5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3398394
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#78714}