Commit Graph

5909 Commits

Author SHA1 Message Date
Clemens Backes
d7aaa6d7c7 [wasm] Initialize memory protection key permissions
Initialize the (thread-local) memory protection key permissions for any
isolate that joins the wasm engine. Otherwise it can happen that an
isolate gets Wasm code from the cache without ever compiling anything
(hence without ever changing memory protection key permissions), and
then it would not be allowed to access (read or execute) the code.

I tested this change manually on a PKU-enabled device. The new test
crashed before the fix, and completes successfully afterwards.

R=ahaas@chromium.org

Bug: v8:11974, chromium:1280451
Change-Id: I90dded8b4fdaa8cf34b44107291d3f525ce16335
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3347563
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78413}
2021-12-20 13:58:33 +00:00
Clemens Backes
80e18ce31a [wasm] Remove InitializeMemoryProtectionKeyForTesting
After https://crrev.com/c/3315446 we allocate the memory protection key
unconditionally, so the method is redundant.

R=ahaas@chromium.org

Bug: v8:11974
Change-Id: I205a0cda86dfaf394c68788a662241d76a3f8510
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3347562
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78412}
2021-12-20 13:23:32 +00:00
Manos Koukoutos
5b91f448a4 [wasm][turbofan] Use function name if available
If a name is defined for a wasm function, we retrieve it from the module
and use it for tracing.

Change-Id: I42da12d2476af573017daaa3f216cca8a95efbbb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3344646
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78409}
2021-12-20 12:01:42 +00:00
Igor Sheludko
b5fabce811 [ext-code-space][cleanup] Remove CodeDataContainer table
This CL
* removes Builtins::codet() and Builtins::codet_handle() returning
  builtins as CodeT objects in favor of code() and code_handle(),
* removes BUILTIN_CODET macro in favor of BUILTIN_CODE,
* removes CodeDataContainer table.

Bug: v8:11880
Change-Id: Ic868549030744b0ff3ea5d5edbfcacf77c6de96d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3344650
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78399}
2021-12-16 17:32:39 +00:00
Manos Koukoutos
b9855173a8 [wasm][turbofan] Inline before loop unrolling
We switch the order of inlining and loop unrolling optimizations. This
gives small improvements to wasm-gc benchmarks.
Changes:
- Change the loop analysis algorithm to accept loops directly connected
  to the graph's end. This is required because some nodes in an inlined
  function, such as tail calls, might be directly connected to the outer
  function's end without an intervening LoopExit node.
- Based on the above, skip emitting loop exits for some Throw nodes in
  WasmGraphBuildingInterface.
- Introduce WasmInliningPhase, add it before loop unrolling. Remove
  inlining from WasmOptimizationPhase.
- Handle graph terminators in loop unrolling.
- Add loops in the inlined function to the caller's loop_infos.
Drive-by:
- Allow more wasm builtins in unrolled loops.
- Reduce inlining parameters to reflect that functions are now slightly
  smaller during inlining, as no unrolling has taken place yet.

Bug: v8:12166
Change-Id: Iadd6b2f75170aa153ca1efb47fbb0d185c2b8371
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3329783
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78394}
2021-12-16 14:38:48 +00:00
Manos Koukoutos
ac864ba294 [wasm] Generate exception handlers in inlined functions
In the WebAssembly Turbofan pipeline, inlining should come before
unrolling. When we inline a function, we link unhandled throwing calls
in it to the handler of the caller node. If a throwing call is in a
loop, we need to generate loop exits between the call and the handler if
we want to unroll later.
This CL adds dangling IfException/LoopExit nodes following each throwing
call in an inlined function. These nodes are connected as required in
inlining.
Drive-by: Remove CheckForException from tail calls, which are kNoThrow.

Bug: v8:12166
Change-Id: Icb8371a0a27234f07d4880e5b3005fc90a91a4b6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3322975
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78391}
2021-12-16 09:32:35 +00:00
Samuel Groß
277fdd1de7 V8 Sandbox rebranding
This CL renames a number of things related to the V8 sandbox.
Mainly, what used to be under V8_HEAP_SANDBOX is now under
V8_SANDBOXED_EXTERNAL_POINTERS, while the previous V8 VirtualMemoryCage
is now simply the V8 Sandbox:

V8_VIRTUAL_MEMORY_CAGE => V8_SANDBOX
V8_HEAP_SANDBOX => V8_SANDBOXED_EXTERNAL_POINTERS
V8_CAGED_POINTERS => V8_SANDBOXED_POINTERS
V8VirtualMemoryCage => Sandbox
CagedPointer => SandboxedPointer
fake cage => partially reserved sandbox
src/security => src/sandbox

This naming scheme should simplify things: the sandbox is now the large
region of virtual address space inside which V8 mainly operates and
which should be considered untrusted. Mechanisms like sandboxed pointers
are then used to attempt to prevent escapes from the sandbox (i.e.
corruption of memory outside of it). Furthermore, the new naming scheme
avoids the confusion with the various other "cages" in V8, in
particular, the VirtualMemoryCage class, by dropping that name entirely.

Future sandbox features are developed under their own V8_SANDBOX_X flag,
and will, once final, be merged into V8_SANDBOX. Current future features
are sandboxed external pointers (using the external pointer table), and
sandboxed pointers (pointers guaranteed to point into the sandbox, e.g.
because they are encoded as offsets). This CL then also introduces a new
build flag, v8_enable_sandbox_future, which enables all future features.

Bug: v8:10391
Change-Id: I5174ea8f5ab40fb96a04af10853da735ad775c96
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3322981
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78384}
2021-12-15 17:09:36 +00:00
Igor Sheludko
4f4086dc34 [ext-code-space] Avoid Code <-> CodeT conversions in runtime, pt.4
This CL migrates the following objects' APIs to CodeT:
* WasmFunctionData,
* WasmInternalFunction.

Bug: v8:11880
Change-Id: Ib3f0eb41894cbd3c6b30430c4e5616eb45fbbaec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3338701
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78377}
2021-12-14 18:42:55 +00:00
Andreas Haas
dad520133c [wasm] Disable dynamic tiering for the c-api
With dynamic tiering, the "serialize" function provided by the c-api
does not work anymore, and it is unclear how it should work.

R=jkummerow@chromium.org

Bug: v8:12281
Change-Id: Ib70bf118ba42b0752eb5dab5f43893da0404931e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3338657
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78369}
2021-12-14 14:53:38 +00:00
Manos Koukoutos
8c0b9b3b49 [wasm-gc][asm-js] Consider gc disabled for asm-js modules
An asm-js module has all wasm feature flags disabled, despite the global
flag configuration. Therefore, in WasmExportedFunction::New, we should
retrieve the enabled features from the NativeModule instead of the
flags.

Bug: chromium:1279151
Change-Id: Ic44fe535baa7cb851644457cce533c24d4c9824e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3338256
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78368}
2021-12-14 13:30:40 +00:00
Benedikt Meurer
907a03d3a8 [refactor] Be explicit wrt. simple vs. detailed stack trace.
This is a non-functional refactoring to make naming of stack traces more
consistent, and thus easier to reason about whether the "simple stack
trace" (stack trace API) or the "detailed stack trace" (inspector API)
is meant. Granted, these names aren't great by themselves, but at least
we should be consistent.

This also adds a new `Isolate::GetSimpleStackTrace()` and uses that
directly to implement the Wasm C-API, avoiding the roundtrip via the
`JSMessageObject`, which actually carries a detailed stack trace (which
by chance worked out so far).

Doc: https://bit.ly/v8-stack-frame
Bug: chromium:1258599, chromium:1278647, chromium:1278650
Change-Id: I29e1a956ed156d6eeceb50150a28afaa2f11b9c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3334780
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78366}
2021-12-14 13:10:16 +00:00
Igor Sheludko
a0108291e2 [ext-code-space] Avoid Code <-> CodeT conversions in runtime, pt.2
This CL migrates JSFunction's code accessors to CodeT.

Bug: v8:11880
Change-Id: I8cf367eb79cc1d59548dd4f3e18c010f76f101cb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3330466
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78365}
2021-12-14 12:19:05 +00:00
Benedikt Meurer
4ecf143801 [refactor] Rename StackFrameInfo to CallSiteInfo.
This is the second step in the refactoring to make v8::StackFrame
more lightweight and usable for (long time storage) by the V8
inspector (see https://bit.ly/v8-stack-frame for an overview).

This is a purely mechanical change without any functional aspects.
The intention is to make the use case for the CallSiteInfo objects
clear, namely to serve as the backing store for the CallSite objects
exposed via the Error.prepareStackTrace() API and used under the
hood to implement the error.stack accessor.

Doc: https://bit.ly/v8-stack-frame
Bug: chromium:1258599, chromium:1278647, chromium:1278650
Change-Id: I39dffd1f1a8e5158ddc56f2a0a2b1b28321f487a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3300138
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78361}
2021-12-14 10:03:25 +00:00
Manos Koukoutos
1771e4aaa3 [wasm] Remove --experimental-wasm-reftypes flag
Since the reftypes proposal has shipped, we remove the respective flag
and the code that handled its absence. We maintain a WasmFeature for
reftypes for feature detection purposes. We remove the flag declaration
from tests, and adapt some tests that make no sense without the flag.

Bug: v8:7581
Change-Id: Icf2f8d0feae8f30ec68d5560f1e7ee5959481483
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3329781
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78351}
2021-12-13 14:29:15 +00:00
Andreas Haas
fecb695e84 [wasm] Introduce 'funcref' for the type reflection proposal
With a recent addition to the type reflection proposal, 'anyfunc' gets
renamed to 'funcref'. For backwards compatibility, 'anyfunc' becomes an
alias for 'funcref'. With this CL, the string 'funcref' can be used to
create a funcref table or a funcref global. Additionally, 'funcref' is
returned as the type of imported and exported functions as well as
globals and tables.

R=manoskouk@chromium.org

Change-Id: If3ed4d507de862ebfcabd4eb967bbfaae1c6ccba
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3300135
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78341}
2021-12-10 20:09:12 +00:00
Jakob Kummerow
6d7ed2e870 [wasm] 32-bit platforms: lower kV8MaxWasmMemoryPages by 1
To make sure that Wasm memories don't exceed JSArrayBuffer size.
This change shouldn't affect real-world modules, because finding
enough contiguous address space to allocate that much memory is
virtually impossible anyway.

Fixed: chromium:1242339
Change-Id: I68873796b9afb798cb1a64e5e1acc495cf509159
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3328783
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78336}
2021-12-10 12:59:31 +00:00
Manos Koukoutos
2b985fb8c2 [wasm][turbofan] Refactor/improve global operations
Changes:
- Refactor all global base and offset computations into a single
  function and simplify GlobalGet and GlobalSet.
- Remove unneeded pointer arithmetic in the simd case. This enables the
  use of object operators, including LoadImmutableFromObject, which
  might enable more loads to be eliminated.

Bug: v8:11510

Change-Id: Ieab45fd9433863780bcfd6d4596786c08e3951a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3320457
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78326}
2021-12-09 17:23:41 +00:00
Milad Fa
23f9d7a5ae PPC [liftoff]: Use scratch instead of ip
scratch is already being initialized to avoid
overwriting offset_reg. We will need to use it instead of ip.

Change-Id: I4ffb93341f64dd8520e2409d6a28783738627ca2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3322977
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#78303}
2021-12-08 16:04:41 +00:00
Thibaud Michaud
efae96fbcc [wasm] Mark roots for stack switching
Treat all stack pointers as roots:
- Maintain a global linked-list of StackMemories
- Update StackFrameIterator to process inactive stacks
- Visit roots in all inactive stacks (including root marking and root
  pointer updating).

Drive-by:
- Fix some issues uncovered by the test
- Refactor the builtin constants

R=mlippautz@chromium.org,ahaas@chromium.org

Bug: v8:12191
Change-Id: I5b6381f9818166e2eabf80dd59135673dddb2afc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3310932
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78291}
2021-12-08 11:36:27 +00:00
Lu Yahan
4ae67baf3c [riscv64] Implement webassembly simd swizzle/TruncSat/extadd/S128LOAD
Add func UseImmediate64(int64_t imm) into instruction-selector-impl

Bug: v8:11976

Change-Id: I274ab59cc6d9a9cdc8b4081a7c418c56c3e8f5b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3312453
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#78288}
2021-12-08 10:43:49 +00:00
Manos Koukoutos
dc01b43616 [wasm-gc] Introduce minimum supertype length
We introduce a minimum length for the supertype array of gc maps. When
the depth of the rtt is known to be smaller than that length, we can
type check without bounds checking the supertype array of the object
map.

Bug: v8:7748, v8:11510
Change-Id: I88e67871040a8c4dd219e48a84527f7f3f3d0a96
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3312487
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78280}
2021-12-07 17:40:48 +00:00
Jakob Kummerow
649c980588 [liftoff] Fix temp register for BrImpl with TierupCheck
Allocating a temp register in a conditional branch confuses
the LiftoffAssembler's state tracking, so this patch moves
allocation of the register into the unconditional part of the
control flow.

Fixed: chromium:1275711
Change-Id: Ic83ba8c098c5edb33d035c1a93931d54cc1f1caa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3320423
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78275}
2021-12-07 14:05:17 +00:00
Clemens Backes
ab501b59a6 [wasm] Unconditionally allocate a protection key
This CL separates checks for hardware support from checks for software
configuration. We unconditionally allocate a protection key to know
whether hardware support is there, but then only use it if PKU is
enabled via flags.
This will allow us to collect statistics on hardware availability even
if PKU cannot be used yet on ChromeOS. Allocation should always be fine,
and has been finched for several weeks now. The remaining kernel issue
on ChromeOS does not affect allocation and deallocation of protection
keys, so it is safe to unconditionally enable that.

R=ahaas@chromium.org

Bug: v8:11974
Change-Id: I62fd48e6302aecae9843a62861d978f86ea52141
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3315446
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78258}
2021-12-06 22:13:26 +00:00
Igor Sheludko
ca5252989c [cleanup] Cleanup BodyDescriptorApply() and friends
In particular
* use variadic templates in BodyDescriptorApply(),
* ensure all the relevant classes have BodyDescriptor definition,
* ensure "objects-body-descriptors[-inl].h" headers are included only
  where necessary.

Bug: v8:12425
Change-Id: I7a95ed94bf62952e3d22d419d4a65ad2fe959d57
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3312273
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78242}
2021-12-06 12:07:56 +00:00
Thibaud Michaud
d129b43f4f [wasm] Move JumpBuffer inside StackMemory
The stack memory will be accessed through a global list later, so the
stack pointer should be accessible without the containing
WasmContinuationObject. This also saves some unnecessary allocations and
indirections already.

R=ahaas@chromium.org

Bug: v8:12191
Change-Id: Ic3d71ecadbb13b18f0440049527ba71d657589b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3312486
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78215}
2021-12-02 15:17:33 +00:00
Thibaud Michaud
81c6be2eed [wasm] Reserve space for runtime in wasm stacks
Set the JS limit at a 40KB offset from the actual limit, like on the
native stack. This is an estimate of the maximum stack space needed for
runtime calls.

R=ahaas@chromium.org

Bug: v8:12191
Change-Id: I709d5b25c5e47d2474cf4205ebcb8ee7fc8e794c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3312485
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78212}
2021-12-02 14:14:36 +00:00
Igor Sheludko
56f5d5c23c [ext-code-space] Rename InstructionStream to OffHeapInstructionStream
... as a prerequisite for adding InstructionStream heap object.

Bug: v8:11880
Change-Id: I22b4832cedd46bee4a4c5a0d7b5032eba10b2a7b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3310900
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78204}
2021-12-02 11:05:32 +00:00
Manos Koukoutos
70a452ffcc [wasm-gc] Optimize away nominal type upcasts
We optimize away type upcasts for nominal types in WasmFullDecoder.
Upcasts trivially hold for nominal types, which is not the case for
structural types. Note that we already optimize away trivially-failing
checks (when types are unrelated) for both nominal and structural types.

Bug: v8:7748
Change-Id: I720c9803cb8b4071aa4bae112ce06d587b7a68fa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306984
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78201}
2021-12-02 10:36:42 +00:00
Richard Stotz
286747bb97 [wasm] Remove CallRefData
This CL removes the CallRefData data structure and accesses a funcref's
target and instance through the funcref.

Bug: v8:7748
Change-Id: Ic46b127f7775052d5df13b03c447e3b15328ad74
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306486
Commit-Queue: Richard Stotz <rstz@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78194}
2021-12-01 18:46:59 +00:00
Leszek Swirski
5ab1ec1e06 [compiler-dispatcher] Enqueue tasks for non-eager inner funcs
Add support for compiling non-eager, non-top-level inner functions in
parallel, using the compiler dispatcher. This behaviour can be enabled
with --parallel-compile-tasks-for-lazy.

There are a couple of consequences:

  * To support this we need support for off-thread ScopeInfo
    deserialization, so this adds that too.
  * The previous --parallel-compile-tasks flag is renamed to the more
    descriptive --parallel-compile-tasks-for-eager-toplevel.
  * Both parallel-compile-tasks flags are moved onto
    UnoptimizedCompileFlags so that they can be enabled/disabled on a
    per-compile basis (e.g. enabled for streaming, disabled for
    re-parsing).
  * asm.js compilations can now happen without an active Context (in
    the compiler dispatcher's idle finalization) so we can't get a
    ContextId for metric reporting; we'd need to somehow fix this if we
    wanted asm.js UKM but for now it's probably fine.
  * Took the opportunity to clean up some of the "can preparse" logic in
    the parser.

Change-Id: I20b1ec6a6bacfe268808edc8d812b92370c5840d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3281924
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Emanuel Ziegler <ecmziegler@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78183}
2021-12-01 13:14:09 +00:00
Clemens Backes
092b3cff35 [liftoff] Remove dead method
The {TierUpFunction} method is unused after https://crrev.com/c/3275570.

R=jkummerow@chromium.org

Bug: v8:12281
Change-Id: I81882a6f1907ff3f4504dea8e9e307cbd674e682
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306980
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78181}
2021-12-01 13:06:18 +00:00
Camillo Bruni
44166c6091 [api] V8::Initialize cleanup
- V8::Deprecate ShutdownPlatform in favor of V8::DisposePlatform
- Rename i::V8::TearDown to i::V8::Dispose
- Clean up i::V8::Initialize
- Remove needless V8::Initialize() calls in cctests
- Remove CcTest::DisableAutomaticDispose()
- Add checks to Isolate::Allocate and Isolate::Dispose that there is
  an active platform

Change-Id: Iac84f9ade9d1781e9e8b8c88ea8fe74013f51c4a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306482
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78162}
2021-11-30 14:30:38 +00:00
Clemens Backes
667187fc08 [codegen] Factor out safepoint table printing
The logic for printing a safepoint table is currently duplicated for
Wasm code and on-heap code, with slight differences.
This CL provides a central {SafepointTable::Print} method that is used
in both scenarios.
The format is slightly changed to explicitly specify which bitmap
corresponds to stack slots and which one to registers.

R=jkummerow@chromium.org

Bug: v8:12401
Change-Id: I67366b1f9a92450a6ebec4210ab4811800a54f34
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306976
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78159}
2021-11-30 13:19:49 +00:00
Manos Koukoutos
91ac9163d6 [wasm-gc] Fix WasmJSFunction polymorphic spec-inlining
{WasmInternalFunction::external} might return a function that is not
a WasmExportedFunction, at which point the code in ProcessTypeFeedback
fails.

See crrev.com/c/3277878 for context.

Bug: v8:12436, v8:12166
Change-Id: I09ef96df3fc051586044dd9c2ce88d6aeeb34b9f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306391
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78139}
2021-11-29 21:11:27 +00:00
Milad Fa
2d34bb3de6 S390 [liftoff]: Fix endianness issue in atomic ops
result needs to be byte-swapped as it's currently in machine
native order and Wasm requires LE ordering.

Change-Id: Ib29e26985b122a4c1ebba715c47a4d4477bbad54
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3301460
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#78138}
2021-11-29 19:56:07 +00:00
QiuJi
97b89b6a6d [wasm] Check for WasmExportedFunction before cast
{WasmInternalFunction::external} might return a function that is not
a WasmExportedFunction, at which point the code in ProcessTypeFeedback
fails.

See crrev.com/c/3277878 for context.

Bug: v8:12436
Change-Id: I447710cfa2dbdb64cba27922da85871d18bc79a3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3303613
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78126}
2021-11-29 13:24:05 +00:00
Milad Fa
4b6b55372c AIX [liftoff]: Fix endianness issue in atomic ops
result needs to be byte-swapped as it's currently in machine
native order and Wasm requires LE ordering.

Change-Id: I9c1d6752fbdaba18fb7a8d49a9848d04c1a21be8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3303954
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#78114}
2021-11-26 16:49:50 +00:00
Manos Koukoutos
2fa5551932 [wasm] Keep external function reference for externref tables/globals
See crrev.com/c/3277878 for context.

We should only transform external to internal function references when
passing a function value to a function-typed global or table. For their
externref counterparts, we should preserve the reference unchanged.

Bug: v8:11510, chromium:1273705
Change-Id: Ic1719c4d31e175f3a37ced6e4e4dfcd61a19ae57
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3302790
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78108}
2021-11-26 13:57:42 +00:00
Lu Yahan
4f06ec6de2 [riscv64] Implement simd for liftoff
Bug: v8:11976

Change-Id: Ifdce8e668c4b0fe20180c8d28b9c1d4abe705a67
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3297354
Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#78078}
2021-11-25 01:42:30 +00:00
Milad Fa
cd52c01b08 PPC: use scratch as src register when sign extending
Liftoff is also fixed to make sure r0/ip don't get used as
scratch as they might be already used as offset registers.

Change-Id: I8b5636b805acdb7df12af4a7a2f2868bf5889cd2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3298254
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#78076}
2021-11-24 17:32:10 +00:00
Manos Koukoutos
ac6fdfbfac [wasm] Fix heap sandbox compilation
This fixes an oversight in crrev.com/c/3277878.

Bug: v8:11510
Change-Id: I91b55682fd27c55ef556e919d7f04a9dbbecadea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3300137
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78072}
2021-11-24 14:48:59 +00:00
Manos Koukoutos
f60132e96a [wasm] Internal representation for function references
Design doc: bit.ly/3jEVgzz

We separate the internal representation of function references in Wasm
from their JSFunction-based (external) representation. This improves
performance of call_ref by requiring less indirections to load the
context and call target from a function reference. In the boundary
between wasm and JS/the C API, we add transformations between the two
representations.

Detailed changes:
- Introduce WasmInternalFunction, containing fields required by
  call_ref, as well as a reference to the corresponding
  WasmExternalFunction. Add a reference to the WasmInternalFunction in
  WasmFunctionData. The {WasmInternalFunction::FromExternal} helper
  extracts the internal out of an external function.
- Change {WasmInstanceObject::external_functions()} to internal
  functions.
- Change wasm function tables to contain internal functions.
- Change the following code to use internal functions:
  - call_ref in liftoff and Turbofan
  - function type checks in liftoff and Turbofan
  - CallRefIC and GenericJSToWasmWrapper builtins
  - {InitExprInterface::RefFunc}
  - module-compiler.cc in {ProcessTypeFeedback}
  - In module-instantiate.cc, in function-rtt creation.
- Add transformations between internal and external functions in:
  - WasmWrapperGraphBuilder::{ToJS, BuildUnpackObjectWrapper, FromJS,
    BuildJSToJSWrapper}.
  - debug-wasm-objects.cc in {FunctionProxy::Get},
    {WasmValueObject::New} and {AddWasmTableObjectInternalProperties}.
  - runtime-wasm.cc in ReplaceWrapper
  - the C and JS APIs
  - module-instantiate.cc, in import and export processing, as well as
    {InitializeIndirectFunctionTables}
  - WasmTableObject::{IsValidElement, SetFunctionTableEntry}
  - {WasmGlobalObject::SetFuncRef}
- Simplify body descriptors of WasmExternalFunction variants.
- Adjust tests.

Bug: v8:11510

Change-Id: I8377f46f55c3771391ae1c5c8201a83854ee7878
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3277878
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78068}
2021-11-24 13:07:28 +00:00
Milad Fa
407922fad8 PPC [liftoff]: optimize unsigned byte reverse ops
This CL optimizes ByteReverse 16/32/64 ops on PPC<10 as
well as PPC_10_PLUS.

A 32bit sign extension is also added to `ByteRev32` in codegen.

Change-Id: I6379ac4222f3574ab226971546238142039fe977
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3298308
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/main@{#78048}
2021-11-23 19:12:04 +00:00
Andreas Haas
9c8a8c6d5d [wasm] Add counter for the number of cache events
With dynamic tiering, caching is triggered multiple times as there is
no single event anymore that triggers when the module should be cached.

This CL adds a counter for the number of times caching is triggered.
This counter can indicate whether our current caching heuristics are
good or should get adjusted.

R=thibaudm@chromium.org

Bug: v8:12281
Change-Id: I8ed9ed73a556d11df643c31ec6d20760a257e0d4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3295578
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78045}
2021-11-23 16:25:54 +00:00
Hiroshige Hayashizaki
b0c6dd86bd Allow compiled module invalidation at WasmStreaming::Finish()
This CL adds `can_use_compiled_module` parameter to
WasmStreaming::Finish() that is used by Chromium
https://chromium-review.googlesource.com/c/chromium/src/+/3282643
to invalidate compiled module bytes after SetCompiledModuleBytes().

Bug: chromium:1260939
Change-Id: Iebf0e8615c27c8622721777c664b06a53fb9ee91
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3297548
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78044}
2021-11-23 16:05:34 +00:00
Clemens Backes
0580829fb5 [codegen] Avoid unused fields in safepoint table
Many safepoint tables do not contain any deoptimization info and/or no
callee-saved registers. Do not emit empty fields for all entries in this
case.
This often shrinks the size of the encoded safepoint table by more than
50%.

Drive-by cleanups:
- Rename fields of the safepoint table entries to clarify their meaning
("tagged slots" instead of "bits", "tagged register indexes" instead of
 "register bits").
- Include the PC in the decoded {SafepointEntry} to make it the single
source of truth.

R=jkummerow@chromium.org

Bug: v8:12401
Change-Id: If5c24a688a434842ed3b6427f5f1f3ea9232173a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3289173
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78021}
2021-11-22 15:44:18 +00:00
Andreas Haas
9a13c49fd4 [wasm] Add trace event for Liftoff compilation after caching
With dynamic tiering, not all functions get compiled with TurboFan,
and not all functions can therefore get cached. With this metric we
want to keep track of the time needed to compile missing functions with
Liftoff.

R=jkummerow@chromium.org

Bug: v8:12281
Change-Id: I1f2de3e1f6b004477985df5d2116f69371528c3f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3289178
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78020}
2021-11-22 14:34:41 +00:00
Milad Fa
500defa505 PPC [liftoff]: Avoid overwriting offset register during fp load
Change-Id: I2abc916894b84aad5794e4a69979ca8683644806
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3289933
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/main@{#77990}
2021-11-19 00:05:10 +00:00
Clemens Backes
581b7c886c [codegen][cleanup] Switch safepoint fields to int
Many callers already pass an int, so there is no point in storing as a
uint32_t internally. The style guide also recommends int as the general
data type for integers, even if it's statically known that only positive
values will occur.

R=jkummerow@chromium.org

Bug: v8:12401
Change-Id: I6067139f514895f925d1c536112b4cb5c2c24a36
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3289157
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77975}
2021-11-18 15:30:40 +00:00
Ng Zhi An
9fc11f9163 [cleanup] Rename RelocInfo::NONE to RelocInfo::NO_INFO to fix -Wshadow
NONE clashes with the PropertyAttributes::NONE, which is defined in
v8::internal namespace. PropertyAttributes have too many call sites
and depend on using the enums as masks, making it hard to convert
to an enum class. So we are changing the name instead.

Bug: v8:12244
Change-Id: Iec0be12c626549cca137aceeaee0e30fafab8b05
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3284003
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77956}
2021-11-17 19:11:40 +00:00
Clemens Backes
3be28afbb9 [wasm] Include source URL in tracing
For streaming compilation, include the source URL in tracing, to
help identifying problems with caching.

R=ahaas@chromium.org

Change-Id: Iefda71890024a4fc9ec933c34c5870ba697bbff9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3289148
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77950}
2021-11-17 14:10:02 +00:00
Andreas Haas
83c3489d3d [wasm] Cleanup Callback removal
The changes were requested in https://crrev.com/c/3264288 after the CL
landed.

R=clemensb@chromium.org

Bug: v8:12289
Change-Id: I863c7253ffb28ac878f5f91f24d6d1f0236da9a4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3285405
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77939}
2021-11-17 08:53:24 +00:00
Lu Yahan
436e236c41 [riscv64][wasm] Add f64x2 neg/mul/lt/le for wasm
And refactoring simd instr in code-generator

Bug: v8:11976

Change-Id: If5292e9e205374280ec5c86a481649078e348a80
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3274593
Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#77936}
2021-11-17 03:01:27 +00:00
Milad Fa
85a85cf092 AIX: workaround the aix FP glibc bug
Due to a bug on AIX, some of the glibc FP functions do not
preserve the sign bit when a negative input is passed by
value and the output is rounded to 0:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97086

This CL continues the fixes previously added here:
https://crrev.com/c/2468618

Change-Id: I2afa1f67ac1d29ec0606de6d6ebcf05be0664b8d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3282308
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#77915}
2021-11-16 03:23:24 +00:00
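The sign-of-zero problem described in the commit above, as an added illustration that is not part of the V8 change or this log: `BrokenTrunc` models a libm rounding function that returns +0.0 for negative inputs that round to zero, `WithInputSign` is the generic workaround of re-applying the input's sign bit with `copysign`, and `RoundsNegativeToPositiveZero` is a probe that detects the defect. All names are hypothetical; how V8 actually patched around the AIX bug is not shown on this page.

```cpp
#include <cmath>

// IEEE 754 roundToIntegral operations (trunc, floor, ceil, round, ...) keep
// the sign of their input, so a negative value that rounds to zero must yield
// -0.0. A libm that returns +0.0 instead changes observable results:
// 1.0 / r flips from -inf to +inf and bit-exact comparisons with -0.0 fail.
// Illustrative workaround, not V8's own code.

// Models the misbehaving libm: the sign of a zero result is dropped.
double BrokenTrunc(double x) {
  double r = std::trunc(x);
  return r == 0.0 ? 0.0 : r;  // +0.0 even when x was negative
}

// Generic workaround: re-apply the input's sign bit. Valid for every
// rounding-to-integral function because none of them can change the sign.
double WithInputSign(double (*f)(double), double x) {
  return std::copysign(f(x), x);
}

double FixedTrunc(double x) { return WithInputSign(BrokenTrunc, x); }

// Sweep inputs in (-1, 0), which all truncate to zero, and report whether the
// function ever returns +0.0 for them.
bool RoundsNegativeToPositiveZero(double (*f)(double)) {
  for (int i = 1; i < 10; ++i) {
    double x = -i / 10.0;
    double r = f(x);
    if (r == 0.0 && !std::signbit(r)) return true;
  }
  return false;
}
```

The probe is the useful part for a port maintainer: run it once per rounding function at startup or in a unit test on the target platform, and wrap only the functions that fail.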
Ng Zhi An
c25070c2a1 [cleanup] Fix some -Wshadow warnings
Bug: v8:12244,v8:12245
Change-Id: Icfdf2666220ac06c01b6220b4ac99b9ad00818dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3278687
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77911}
2021-11-15 19:48:29 +00:00
Andreas Haas
0e6eb3e219 [wasm] Allow dynamic tiering to release CompilationEventCallbacks
With eager compilation, CompilationEventCallbacks get released when all
compilation units in the compilation state are finished. This is
possible because no future compilation event could get triggered after
that. With dynamic tiering, though, the {FinishedCompilationChunk} event
can trigger repeatedly, even after all compilation units finish at some
point in time, as dynamic tiering can create new CompilationUnits. As
a temporary fix, CompilationEventCallbacks don't get released when
dynamic tiering is enabled.

This CL fixes this issue by turning the callback from an std::function
into a class, and adding a second function to the class which indicates
whether the callback can be released when all compilation units in the
compilation state are finished. Thereby all callbacks can be deallocated
except the ones like the code caching callback which waits for the
{FinishedCompilationChunk} events.

R=jkummerow@chromium.org

Bug: v8:12289
Change-Id: I0f73f4bd2dffe644c9a26c274cb52ac6fa49ab67
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3264288
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77890}
2021-11-15 08:34:49 +00:00
Manos Koukoutos
b927dc158c [wasm][turbofan] Store real signature on call nodes for inlining
In each wasm CallDescriptor, we store the signature of the call based on
the real parameters passed to the call. This signature is more precise
than the formal function signature. We use this signature in inlining
to enable more optimizations.

Changes:
- Add wasm_sig_ field to CallDescriptor.
- Construct the real signature in {DoCall} and {DoReturnCall} in
  graph-builder-interface, and pass it to all call-related functions in
  WasmGraphBuilder.
- Update {ReplaceTypeInCallDescriptorWith} to use ValueType over
  MachineType. Construct the updated function signature.
- In wasm-inlining, kill the Call node after inlining.
- Add two tests.

Bug: v8:11510
Change-Id: Ica711b6b4d83945ecb7201be26577eab7db3c060
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3270539
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77889}
2021-11-15 08:13:19 +00:00
Jakob Kummerow
4976642bbd [wasm] Switch dynamic tiering to budget-based approach
FLAG_wasm_dynamic_tiering is still off by default. When enabled,
it now uses the technique previously behind --new-wasm-dynamic-tiering.

Bug: v8:12281
Change-Id: I365c2c066e62418cd6abc7830f95d1fe0f950e33
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3275570
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77883}
2021-11-12 23:52:12 +00:00
Thibaud Michaud
f4d265b03f [wasm] Make ActiveContinuation a root
Switching stack affects all instances, therefore make the active
continuation a root object instead of an instance field.

Bug: v8:12191
Change-Id: Ia521bf4e7c3cbca035f916e47804c2f75bbd8f18
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3268296
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77876}
2021-11-12 17:24:06 +00:00
Yujie Wang
fa76b5c99d [riscv64] Add packing and unpacking instructions for WebAssembly SIMD
- Add Wasm SIMD packing instruction:
  `LiftoffAssembler::emit_i8x16_{s,u}convert_i16x8`

- Add Wasm SIMD unpacking instructions:
  `LiftoffAssembler::emit_i64x2_{s,u}convert_i32x4_{low,high}`
  `LiftoffAssembler::emit_i32x4_{s,u}convert_i16x8_{low,high}`
  `LiftoffAssembler::emit_i64x2_{s,u}convert_i32x4_{low,high}`

- Add RVV instructions: `vzext_vf{2,4,8}` and `vsext_vf{2,4,8}`

- Fixed simulator for `vslidedown_vi`

Bug: v8:11976
Change-Id: Idd383bc566589ce183f4fcef2201d2ccfe03519f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3273812
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Reviewed-by: Yahan Lu <yahan@iscas.ac.cn>
Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#77865}
2021-11-12 08:00:05 +00:00
Manos Koukoutos
7b68ff6261 [wasm] Grow indirect function tables exponentially
Growing them linearly might result in quadratic allocation and gc time.

Bug: chromium:1267973
Change-Id: I8b9d400d9949b4062dd860edec6d98aa25c9550f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3268731
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77810}
2021-11-10 06:23:32 +00:00
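Why linear growth of a table is quadratic overall, as an added model that is not V8's code: `FunctionTable` is a hypothetical table whose backing store is reallocated whenever a `Grow` exceeds capacity, counting how many existing entries get copied; the exponential policy doubles capacity, the linear one allocates exactly what is needed. The entry type and field names are assumptions for illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Model of a function table whose backing store is resized on Grow().
// `reallocations` and `entries_copied` expose the cost of the growth policy.
// Illustrative only, not V8's WasmIndirectFunctionTable.
struct FunctionTable {
  std::vector<uint32_t> entries;  // stand-in for (sig_id, target, ref) tuples
  size_t capacity = 0;
  size_t reallocations = 0;
  size_t entries_copied = 0;
  bool exponential;

  explicit FunctionTable(bool exponential_growth)
      : exponential(exponential_growth) {}

  // Append `delta` entries; returns the old size like WebAssembly.Table#grow.
  size_t Grow(size_t delta, uint32_t init) {
    size_t old_size = entries.size();
    size_t needed = old_size + delta;
    if (needed > capacity) {
      // Linear: allocate exactly what is needed (every grow copies all
      // existing entries). Exponential: at least double, so the total number
      // of copies stays proportional to the final size.
      size_t new_capacity = exponential ? std::max(needed, 2 * capacity) : needed;
      entries_copied += old_size;  // existing entries move to the new store
      ++reallocations;
      capacity = new_capacity;
      entries.reserve(capacity);
    }
    entries.insert(entries.end(), delta, init);
    return old_size;
  }
};

// Grow a table one entry at a time `n` times and report the total number of
// existing entries copied during reallocations.
size_t TotalCopies(bool exponential, size_t n) {
  FunctionTable t(exponential);
  for (size_t i = 0; i < n; ++i) t.Grow(1, 0);
  return t.entries_copied;
}

// Same experiment, reporting how many backing stores were allocated; each
// one is garbage the GC later has to process.
size_t TotalReallocations(bool exponential, size_t n) {
  FunctionTable t(exponential);
  for (size_t i = 0; i < n; ++i) t.Grow(1, 0);
  return t.reallocations;
}
```

For 1024 single-entry grows the linear policy copies n(n-1)/2 = 523776 entries across 1024 allocations, the doubling policy copies 1023 entries across 11 allocations. A guest module that grows a table in a loop can therefore force quadratic work out of the host under the linear policy, which is the resource-exhaustion angle behind the referenced bug.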
Manos Koukoutos
e8fe219a41 [wasm][liftoff] Fix storing of tagged pointer in tracing
Change-Id: Ibc3b7d73ce92f3d0f848e94b1266c99a78279392
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3259661
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77761}
2021-11-08 13:59:24 +00:00
Manos Koukoutos
5bf06b536d [wasm] Remove IndirectFunctionTableEntry
Since the indirect function table at index 0 in an instance is now
represented like the other tables, the IndirectFunctionTableEntry
abstraction is no longer useful. We replace it with direct access to the
tables and a simpler abstraction {FunctionTargetAndRef}.

Bug: v8:11510
Change-Id: Iab4a6ca7eda8eb1757dbd321cb3997e98e78267e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3247030
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77754}
2021-11-08 05:48:06 +00:00
Manos Koukoutos
03b803a848 [wasm] Unify indirect function table 0 representation
Design doc: https://bit.ly/3jEVgzz

We represent the indirect function table of a WasmInstanceObject at
index 0 like the rest of the tables, i.e., as the 0th element of the
instance's indirect_function_tables() field. For performance, we
maintain direct links from the instance to the contents of table 0
(indirect_function_table_{size, sig_ids, refs, targets} in
WasmInstanceObject).

Bug: v8:11510
Change-Id: Ice49fd855109051d304ef9033cac7a495b68ab8b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3246970
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77752}
2021-11-08 03:55:26 +00:00
Manos Koukoutos
02b73c9424 [wasm] Do not sandbox isolate root pointer
The isolate root pointer in a WasmApiFunctionRef cannot be sandboxed,
because we would need the isolate root in the first place to decode it.
Therefore we do not use Foreign as the parent class of
WasmApiFunctionRef.

Bug: v8:11510
Change-Id: Idcbe654274c543ee571a335cb8e212ca3492d973
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3262134
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77751}
2021-11-08 03:43:47 +00:00
Thibaud Michaud
0e546f54e9 [wasm] Add Suspender.returnPromiseOnSuspend
R=ahaas@chromium.org
CC=fgm@chromium.org

Bug: v8:12191
Change-Id: I415c4488262a97cf04b71fd8e96071c7bff972cf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3231337
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77740}
2021-11-05 17:35:59 +00:00
Thibaud Michaud
cce7154d57 [wasm] Add WebAssembly.Suspender object
R=ahaas@chromium.org

Bug: v8:12191
Change-Id: I15a5507a7dd0f02a3bbe9d3ce200206adf4d4539
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3231075
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77734}
2021-11-05 14:42:23 +00:00
Victor Gomes
5bb577eaf3 [heap] Forces CodeSpaceMemoryModificationScope only in safepoints
CodeSpaceMemoryModificationScope should only be used by the main
thread and during a safepoint. This adds a check in
CodeSpaceMemoryModificationScope.

The reason for this is that CodeSpaceMemoryModificationScope is not
thread-safe. It assumes that no other thread is modifying code space
(either by setting memory permission or adding a new page).

This CL also replaces CodeSpaceMemoryModificationScope to
CodePageCollectionMemoryModificationScope in a few occurrences, where
the former is not needed. This should not hurt performance.

Bug: v8:12054
Change-Id: I2675e667782c6ad8410877a4e64374899066bcd1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3263890
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77732}
2021-11-05 14:34:41 +00:00
Manos Koukoutos
74d9a7642d [wasm][fuzzer] Complex init. expressions in JS testcase
We enable struct.new and array.init initializer expressions in the JS
testcase generated by --wasm-fuzzer-gen-test. We needed to make some
changes in the WasmInitExpr class, and to implement a new interface for
the WasmFullDecoder, which constructs a WasmInitExpr.
Changes:
- Make WasmInitExpr a ZoneObject. Use a pointer for its operands_ field.
  This is needed so WasmInitExpr is trivially copiable, and thus usable
  as a Value type in WasmFullDecoder.
- Implement a WasmFullDecoder interface in wasm-fuzzer-common that
  constructs a WasmInitExpr. Use it to decode initializers in the
  module generated by the fuzzer.
- Change AppendInitExpr to take a WasmInitExpr as argument.
- Fix an issue with printing of struct definitions.
- Change initializer expression used for structs to struct.new_with_rtt.
  This is consistent with the currently used structural types.

Bug: v8:11954
Change-Id: I65a87cc98701a54f32500be192b3b6eef2ff6c8c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3257712
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77730}
2021-11-05 12:17:48 +00:00
Andreas Haas
272e5a8766 [wasm] Do not serialize modules that don't contain TurboFan code
The wasm serialization format only contains TurboFan code. All other
functions are only represented by placeholders. With this CL
serialization fails if the serialized module does not contain any
TurboFan functions and would therefore consist only of placeholders.

This is a defense in depth approach, because ideally serialization
only gets triggered when TurboFan code is available. However, in some
scenarios like debugging it can happen that modules without TurboFan
code get serialized.

Bug: v8:12281
Change-Id: Ib05430ff89eb2317da80fc0d086ce1d7ab0e919d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3212510
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77715}
2021-11-04 15:47:03 +00:00
Jakob Kummerow
6b10881100 [wasm-gc] Fix struct/array visiting
The old "gc-safe" implementation to get the off-heap type information
wasn't quite as gc-safe as it needs to be.
Due to parallel compaction, we shouldn't check for forwarding pointers;
instead we should rely on the old location of the Foreign, but make sure
not to look at its Map (which might be a forwarding pointer).

Bug: v8:12185
Change-Id: I4570b00a5300a0d7ed8c042fa21d355373e0e691
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3260513
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77707}
2021-11-04 13:20:42 +00:00
Nico Hartmann
6a3dc05f04 Revert "Reland "[torque] Don't generate k(?:Start|End)Of\w+FieldsOffset constants""
This reverts commit a3480b5551.

Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20-%20debug%20-%20header%20includes/22234/overview

Original change's description:
> Reland "[torque] Don't generate k(?:Start|End)Of\w+FieldsOffset constants"
>
> This is a reland of 7366f6e204
>
> The test that failed after the initial commit was just flaky and has
> been fixed; see https://bugs.chromium.org/p/v8/issues/detail?id=12341
>
> Original change's description:
> > [torque] Don't generate k(?:Start|End)Of\w+FieldsOffset constants
> >
> > Torque currently generates constants like kStartOfWeakFieldsOffset and
> > kEndOfStrongFieldsOffset, which can be used when writing custom
> > BodyDescriptors. However, these offsets have some potentially confusing
> > behaviors:
> >
> > * They don't take inheritance into account and describe only the fields
> >   defined by the current class itself, so there might be (for example)
> >   strong fields before kStartOfStrongFieldsOffset if they were defined
> >   by a superclass.
> > * kStartOfWeakFieldsOffset points to the first field defined in Torque
> >   using the keyword `weak`, which indicates fields with *custom*
> >   weakness semantics (those that should be visited with
> >   IterateCustomWeakPointers), not those that may contain standard weak
> >   pointers (visited with IterateMaybeWeakPointers). (As a follow-up, I'd
> >   like to also rename `weak` to `@customWeak`.)
> >
> > Given that these constants have very low usage and somewhat bizarre
> > semantics, I propose that we remove them. This change does so, and
> > updates the existing usages to either define the required constants
> > directly in C++ or not use them. I know that defining these constants in
> > C++ is more brittle, but I think that brittle and clear is better than
> > automatic and incomprehensible.
> >
> > Bug: v8:7793
> > Change-Id: I87f8c85ccae4027f61ac73d4e7e4e2820e92003b
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3199731
> > Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> > Cr-Commit-Position: refs/heads/main@{#77411}
>
> Bug: v8:7793
> Change-Id: Iefdd4014ce4b85b48c19ead79a0316774a5ecd45
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3258082
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Cr-Commit-Position: refs/heads/main@{#77688}

Bug: v8:7793
Change-Id: I7b9667268901b7aef85a95832d40860056e61050
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3259656
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Owners-Override: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77689}
2021-11-03 15:59:49 +00:00
Seth Brenith
a3480b5551 Reland "[torque] Don't generate k(?:Start|End)Of\w+FieldsOffset constants"
This is a reland of 7366f6e204

The test that failed after the initial commit was just flaky and has
been fixed; see https://bugs.chromium.org/p/v8/issues/detail?id=12341

Original change's description:
> [torque] Don't generate k(?:Start|End)Of\w+FieldsOffset constants
>
> Torque currently generates constants like kStartOfWeakFieldsOffset and
> kEndOfStrongFieldsOffset, which can be used when writing custom
> BodyDescriptors. However, these offsets have some potentially confusing
> behaviors:
>
> * They don't take inheritance into account and describe only the fields
>   defined by the current class itself, so there might be (for example)
>   strong fields before kStartOfStrongFieldsOffset if they were defined
>   by a superclass.
> * kStartOfWeakFieldsOffset points to the first field defined in Torque
>   using the keyword `weak`, which indicates fields with *custom*
>   weakness semantics (those that should be visited with
>   IterateCustomWeakPointers), not those that may contain standard weak
>   pointers (visited with IterateMaybeWeakPointers). (As a follow-up, I'd
>   like to also rename `weak` to `@customWeak`.)
>
> Given that these constants have very low usage and somewhat bizarre
> semantics, I propose that we remove them. This change does so, and
> updates the existing usages to either define the required constants
> directly in C++ or not use them. I know that defining these constants in
> C++ is more brittle, but I think that brittle and clear is better than
> automatic and incomprehensible.
>
> Bug: v8:7793
> Change-Id: I87f8c85ccae4027f61ac73d4e7e4e2820e92003b
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3199731
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Cr-Commit-Position: refs/heads/main@{#77411}

Bug: v8:7793
Change-Id: Iefdd4014ce4b85b48c19ead79a0316774a5ecd45
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3258082
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#77688}
2021-11-03 15:37:19 +00:00
Andreas Haas
ea9fb04d3e [wasm] Fix logic error in disabling tierup for debug code
R=manoskouk@chromium.org

Bug: v8:12281
Change-Id: I7f5c231683c45e7c87c649246759f76464f4e835
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3259646
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77687}
2021-11-03 15:12:24 +00:00
Junliang Yan
e8cdd505c3 aix: fix atomic compare and swap for liftoff
Change-Id: Ie46687a1af834b9c1a6c8fa5bcf5badb61cc1647
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3259645
Reviewed-by: Milad Fa <mfarazma@redhat.com>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/main@{#77686}
2021-11-03 14:52:10 +00:00
Thibaud Michaud
ebc749548a [wasm] Fix wrong DCHECK in WasmExceptionPackage
We only expect the "wasm_exception_values_symbol" property to be a fixed
array if the property actually exists. If the property is not found,
JSReceiver::GetProperty returns "undefined", so skip the check in this
case.

R=clemensb@chromium.org

Bug: chromium:1262582
Change-Id: I28d7891064bdd7632ff1a4c94ba021163401fd88
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3244416
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77685}
2021-11-03 14:41:08 +00:00
Manos Koukoutos
48b2b89176 [wasm] Simplify 'ref' field for API-defined functions
Design doc: https://bit.ly/3jEVgzz

Summary:
We change the context for WasmJSFunction and WasmCapiFunction from a
tuple containing the instance to a triple WasmAPIFunctionRef =
{isolate root, context, callable}. This way we do not have to maintain
the correct instance at runtime. Also, a few places in the code get
simplified.

Changes:
- In WasmGraphBuilder, support having a WasmAPIFunctionRef at parameter
  0.
- Remove unpacking of (instance, callable) tuple from code generators.
- Remove the part in WasmGraphBuilder and LiftoffCompiler that used to
  set the instance field of the function reference.
- Modify code that handles the 'ref' field in wasm-objects.*, factory.*
  and c-api.cc.
- Fix the recorded safepoint address for arm when calling a C function
  from wasm.
- (Drive-by) Remove WasmAllocatePair.

Bug: v8:11510
Change-Id: I2a4ef3abaf9da36c4a2d85b434965a40a289b9ec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3236719
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77639}
2021-11-02 07:55:43 +00:00
Andreas Haas
a3cbf9af1e [wasm] Disable dynamic tiering for debug code
R=jkummerow@chromium.org

Bug: v8:12281
Change-Id: If0ef4861d6466da211a799916e62234d458c2614
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3253357
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77638}
2021-11-02 07:13:23 +00:00
Lu Yahan
23c768dce9 [riscv64][wasm] Execution budget based dynamic tiering
Port commit 7a93bd647c
Port commit afd1554963

Change-Id: I7b5d59d448d210d80ee656d81c8134c780586296
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3256981
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#77636}
2021-11-02 03:38:43 +00:00
Zhao Jiazhong
34cb1ccf09 [loong64][mips][wasm] Execution budget based dynamic tiering
Port commit 7a93bd647c

Change-Id: I3d1793154b1d69fcc0dcde7b7d731cbbb326f05d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3255208
Auto-Submit: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Reviewed-by: Liu yu <liuyu@loongson.cn>
Commit-Queue: Liu yu <liuyu@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#77635}
2021-11-02 02:14:53 +00:00
Milad Fa
41c297fc5f PPC/s390: [wasm] Execution budget based dynamic tiering
Port 7a93bd647c

Original Commit Message:

    Temporarily behind a new flag: --new-wasm-dynamic-tiering
    The plan is to merge this into the existing --wasm-dynamic-tiering
    flag once it's been confirmed to be generally beneficial.

R=jkummerow@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N

Change-Id: I1ba28b60e628dc2ded33b267be62debcf1b03099
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3250936
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/main@{#77628}
2021-10-30 17:56:15 +00:00
Jakob Kummerow
7a93bd647c [wasm] Execution budget based dynamic tiering
Temporarily behind a new flag: --new-wasm-dynamic-tiering
The plan is to merge this into the existing --wasm-dynamic-tiering
flag once it's been confirmed to be generally beneficial.

Bug: v8:12281
Change-Id: I191d03170f8d5360073a45fea170f432074f7534
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3247632
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77620}
2021-10-29 14:20:26 +00:00
Liu Yu
10aa4c5894 [mips32][liftoff] Fix a doubleword load operation
If dst.low_gp and src_op_upper.rm are the same register,
then the first Ulw destroys src_op_upper.rm and the second Ulw
reads the memory from bad address.

Change-Id: I5e385296c9a95707ad2416124a2595af29176a61
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3252869
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Auto-Submit: Liu yu <liuyu@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#77604}
2021-10-29 04:33:24 +00:00
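The register-aliasing hazard described in the commit above, reproduced in an added toy model that is not V8's code: a 64-bit value is assembled from two 32-bit loads, and if the destination's low register is the same register as the address base, loading the low word first clobbers the base before the second load. `LoadI64Naive` shows the bug, `LoadI64Safe` shows the usual fix of loading the high word first in the aliasing case (an assumed remedy; the page does not show the actual patch). `Machine`, `Lw`, `Run` and the register numbers are hypothetical.

```cpp
#include <array>
#include <cstdint>
#include <cstring>
#include <vector>

// Toy 32-bit machine: a small register file and 64 bytes of memory. Loads
// outside memory set `faulted` instead of touching host memory, standing in
// for the "read from a bad address" the commit describes.
struct Machine {
  std::array<uint32_t, 8> regs{};
  std::vector<uint8_t> mem = std::vector<uint8_t>(64, 0);
  bool faulted = false;

  void Store32(uint32_t addr, uint32_t value) {
    std::memcpy(&mem[addr], &value, sizeof value);
  }
  uint32_t Load32(uint32_t addr) {
    if (addr > mem.size() - sizeof(uint32_t)) {
      faulted = true;
      return 0;
    }
    uint32_t v;
    std::memcpy(&v, &mem[addr], sizeof v);
    return v;
  }
  // lw dst, offset(base)
  void Lw(int dst, int base, int32_t offset) {
    regs[dst] = Load32(regs[base] + offset);
  }
};

// Naive sequence: low word first. When dst_low is the same register as base,
// the first load overwrites the address and the second load goes astray.
void LoadI64Naive(Machine& m, int dst_low, int dst_high, int base, int32_t off) {
  m.Lw(dst_low, base, off);
  m.Lw(dst_high, base, off + 4);
}

// Aliasing-aware sequence (assumed fix, not the actual patch): when dst_low
// aliases base, load the high word first so the base register survives until
// the final load overwrites it. If dst_high aliases base, the default order
// already overwrites it last.
void LoadI64Safe(Machine& m, int dst_low, int dst_high, int base, int32_t off) {
  if (dst_low == base) {
    m.Lw(dst_high, base, off + 4);
    m.Lw(dst_low, base, off);
  } else {
    m.Lw(dst_low, base, off);
    m.Lw(dst_high, base, off + 4);
  }
}

struct Result {
  uint64_t value;
  bool faulted;
};

// Place 0x2222222211111111 at address 16 and load it through the register
// pair (r2:r1) with the base address in r1 (aliased) or r3 (not aliased).
Result Run(bool safe, bool alias_low_with_base) {
  Machine m;
  const int kLow = 1, kHigh = 2;
  const int kBase = alias_low_with_base ? kLow : 3;
  m.Store32(16, 0x11111111u);  // low word
  m.Store32(20, 0x22222222u);  // high word
  m.regs[kBase] = 16;
  if (safe) LoadI64Safe(m, kLow, kHigh, kBase, 0);
  else LoadI64Naive(m, kLow, kHigh, kBase, 0);
  return {(uint64_t{m.regs[kHigh]} << 32) | m.regs[kLow], m.faulted};
}
```

The same check belongs in any backend that splits one logical load into several machine loads sharing a base register; a unit test that deliberately allocates the destination and base to the same register is the cheapest way to keep it from regressing.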
Ng Zhi An
d81888bc94 [relaxed-simd][wasm] Prototype relaxed int-float trunc
4 instructions, int32x4.trunc_f32x4_{s,u},
int32x4.trunc_f64x2_{s,u}_zero.

Drive-by cleanup to wasm-interpreter to use saturated_cast.

The machine ops are named <int>Trunc<float>, dropping the "sat" since
these don't do any saturation anymore.

Bug: v8:12284
Change-Id: I2d4d6a61b819b287fee69e3eea03dd3151cfa10d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3223166
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77598}
2021-10-28 17:03:30 +00:00
Yujie Wang
4240985a1e [riscv64] Add tests for RVV VI VF instructions
Implement `LiftoffAssembler::emit_i16x8_sconvert_i32x4` for riscv.
Add tests for rvv integer and floating-point instructions.
Add simulator support for rvv instructions, e.g. `vfmadd`, `vnclip`.
Fix the order of operands for `vfdiv.vv`.

Bug: v8:11976
Change-Id: I0691ac66771468533c5994be1fc8a86b09d3c738
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3225319
Reviewed-by: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#77595}
2021-10-28 13:57:31 +00:00
Thibaud Michaud
99284e344b [wasm] Use real limit to initialize stack view
Using the jslimit can race with a concurrent interrupt request.
Also remove one unnecessary indirection.

R=ahaas@chromium.org

Bug: v8:12343
Change-Id: I8b6cc726124797e3687854b1eb2cd57d822c4769
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3247036
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77576}
2021-10-27 13:37:38 +00:00
Manos Koukoutos
cd0ca02aaf [wasm] Add WasmApiFunctionRef object
This object will be used for the 'ref' field of WasmCapiFunctionData and
WasmJSFunctionData, replacing the currently used pair.
Design doc: https://bit.ly/3jEVgzz

Bug: v8:11510
Change-Id: Ic5dec88458b562883d571b3463269b2308f489c5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3236718
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77575}
2021-10-27 13:17:32 +00:00
Thibaud Michaud
2773f88c05 [wasm] Add missing parenthesis
R=ahaas@chromium.org

Change-Id: Ic9d7430549fe78c5a97d551aa813bafe881a5c48
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3247193
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77572}
2021-10-27 12:08:39 +00:00
Thibaud Michaud
a4252db322 [wasm][liftoff] Fix spill offsets in merge regions
Recompute the spill offsets for values in the merge region, instead of
reusing the offsets of the source. This ensures that spill slots stay
contiguous (modulo alignment).
This also solves a correctness issue where the spill offsets in the
merge region could move up, thereby overwriting the source of another
move.
With this change, the spill offsets always move down (to fill the gap)
or stay the same, such that processing them from bottom to top
can only overwrite sources of already-processed moves.

Since we do not reuse the current state's offsets, this might generate
extra stack moves and regress generated code performance a bit.

Drive-by: print spill offsets in the Liftoff trace

R=clemensb@chromium.org

Bug: v8:12270
Change-Id: I8d20df8fc1e80dd36b6f651de457686e9935a628
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3245115
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77556}
2021-10-26 16:07:00 +00:00
Thibaud Michaud
2404758e8c [wasm] Add initial returnPromiseOnSuspend builtin
R=ahaas@chromium.org
CC=fgm@chromium.org

Bug: v8:12191
Change-Id: Ied9ab5fa5009e5ab268d1c9893729d8210ae62ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3220344
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77542}
2021-10-26 11:07:00 +00:00
Thibaud Michaud
39cc69dc14 [wasm] Factorize wasm-js constructor setup
R=ahaas@chromium.org

Change-Id: I860cd7aebdf46f323c7f6ad0cd563246a061c4d1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3226338
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77525}
2021-10-25 13:18:43 +00:00
Ng Zhi An
c3f346b7ac [wasm-relaxed-simd][x64] Prototype relaxed min and max
Relaxed f32x4 and f64x2 min and max.

These instructions only guarantee results when the inputs are non-NaNs,
and when the inputs are not 0s of opposite signs.

Reuse existing float binop testing harnesses and add special checks for
such constants when relaxed operations are being tested.

Drive-by rename of x64 instruction codes to be Minps/Maxps/Minpd/Maxpd
since they map down exactly to a single instruction.

Bug: v8:12284
Change-Id: I1449dbfa87935a96d7d260db22667ab7b9e86601
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3218196
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77484}
2021-10-21 00:58:24 +00:00
QiuJi
bd137b25af [riscv64][wasm-gc][liftoff] Reserve a stack slot for feedback
Port the rest of 9d3c9d471f

The first part is at:
https://chromium-review.googlesource.com/c/v8/v8/+/3212059

Bug: v8:7748
Change-Id: I8b39deec2eee35511f56e826d92bf52e32a81daf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3226551
Reviewed-by: Yahan Lu <yahan@iscas.ac.cn>
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#77450}
2021-10-19 08:45:04 +00:00
Manos Koukoutos
bce4410837 [wasm][turbofan] Improve inlining heuristics
This CL improves wasm inlining heuristics in Turbofan, for an average
8.5% performance improvement in selected benchmarks.

Changes:
- In WasmInliner::Reduce(), only collect inlining candidates into a
  priority queue, according to WasmInliner::LexicographicOrdering.
  Move actual inlining to Finalize().
- Remove the InlineFirstFew heuristic. Add two limits to inlining:
  Maximum relative size increase (inversely proportional to the function
  size), and absolute size increase.
- Pass information about call frequency from liftoff-collected feedback
  to the WasmInliner through the wasm module.
- Run wasm inlining alongside other optimizations in the pipeline.
- Split inlining and speculative inlining tests.

Bug: v8:7748, v8:12166
Change-Id: Iccee22093db765981889a24451fb458dfce1f1a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3222764
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77428}
2021-10-18 10:54:28 +00:00
Manos Koukoutos
14dc357259 [wasm-gc] Add option to skip array bounds checks
Bug: v8:7748
Change-Id: Id09544a9f55843d2474b6114da9d42e1ec994cff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3226322
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77417}
2021-10-15 15:10:58 +00:00
Leszek Swirski
6025b260fa Revert "[torque] Don't generate k(?:Start|End)Of\w+FieldsOffset constants"
This reverts commit 7366f6e204.

Reason for revert: Speculative revert for cctest/test-debug-helper/GetObjectProperties failures
https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket/8833300564873660401/+/u/Check/GetObjectProperties

Original change's description:
> [torque] Don't generate k(?:Start|End)Of\w+FieldsOffset constants
>
> Torque currently generates constants like kStartOfWeakFieldsOffset and
> kEndOfStrongFieldsOffset, which can be used when writing custom
> BodyDescriptors. However, these offsets have some potentially confusing
> behaviors:
>
> * They don't take inheritance into account and describe only the fields
>   defined by the current class itself, so there might be (for example)
>   strong fields before kStartOfStrongFieldsOffset if they were defined
>   by a superclass.
> * kStartOfWeakFieldsOffset points to the first field defined in Torque
>   using the keyword `weak`, which indicates fields with *custom*
>   weakness semantics (those that should be visited with
>   IterateCustomWeakPointers), not those that may contain standard weak
>   pointers (visited with IterateMaybeWeakPointers). (As a follow-up, I'd
>   like to also rename `weak` to `@customWeak`.)
>
> Given that these constants have very low usage and somewhat bizarre
> semantics, I propose that we remove them. This change does so, and
> updates the existing usages to either define the required constants
> directly in C++ or not use them. I know that defining these constants in
> C++ is more brittle, but I think that brittle and clear is better than
> automatic and incomprehensible.
>
> Bug: v8:7793
> Change-Id: I87f8c85ccae4027f61ac73d4e7e4e2820e92003b
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3199731
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Cr-Commit-Position: refs/heads/main@{#77411}

Bug: v8:7793
Change-Id: Ia12b5d773db35739283ca8871d3dd6922413cc82
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3226783
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77415}
2021-10-15 14:26:17 +00:00
Manos Koukoutos
5f6c9fc57b [wasm-gc][liftoff] GetUnusedRegister before fetching stack slots
GetUnusedRegister may spill registers and thus modify stack slots.
Therefore, we have to call it before fetching stack slots.
This is another instance of
https://chromium-review.googlesource.com/c/v8/v8/+/3217199.

Bug: v8:7748
Change-Id: I9ff28b26f2dce93ef7b71c1100d9bf88f7c2f7c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3226327
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77414}
2021-10-15 14:09:50 +00:00
Clemens Backes
91111a402f [wasm] Add trace events for wrapper compilation
This adds a few more trace events, also tracing the number of wrappers.
This can help to understand instantiation time better.

R=ahaas@chromium.org

Bug: v8:12287
Change-Id: Ic1a03b2e278af64908f0dc45cd5db60ecf7c79f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3226323
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77412}
2021-10-15 13:40:38 +00:00
Seth Brenith
7366f6e204 [torque] Don't generate k(?:Start|End)Of\w+FieldsOffset constants
Torque currently generates constants like kStartOfWeakFieldsOffset and
kEndOfStrongFieldsOffset, which can be used when writing custom
BodyDescriptors. However, these offsets have some potentially confusing
behaviors:

* They don't take inheritance into account and describe only the fields
  defined by the current class itself, so there might be (for example)
  strong fields before kStartOfStrongFieldsOffset if they were defined
  by a superclass.
* kStartOfWeakFieldsOffset points to the first field defined in Torque
  using the keyword `weak`, which indicates fields with *custom*
  weakness semantics (those that should be visited with
  IterateCustomWeakPointers), not those that may contain standard weak
  pointers (visited with IterateMaybeWeakPointers). (As a follow-up, I'd
  like to also rename `weak` to `@customWeak`.)

Given that these constants have very low usage and somewhat bizarre
semantics, I propose that we remove them. This change does so, and
updates the existing usages to either define the required constants
directly in C++ or not use them. I know that defining these constants in
C++ is more brittle, but I think that brittle and clear is better than
automatic and incomprehensible.

Bug: v8:7793
Change-Id: I87f8c85ccae4027f61ac73d4e7e4e2820e92003b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3199731
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#77411}
2021-10-15 13:15:48 +00:00
Clemens Backes
320084656e [wasm] Trace NativeModuleCache accesses and hits
This makes it easier to see if a module is taken from the cache.

R=thibaudm@chromium.org

Bug: v8:12287
Change-Id: I6b7acf15f1aa20f6531d746d37890608462606de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3226326
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77410}
2021-10-15 12:37:38 +00:00