4 instructions, i8x16, i16x8, i32x4, i64x2 relaxed lane select. These
instructions only guarantee results when the entire lane is set or
unset, so vpblendvb will give correct results for all of them.
Bug: v8:12284
Change-Id: I76959a23f2d97de8ecc3bef43d138184484e3c4d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3207006
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77401}
--trace-wasm-compilation-times: print one line per compiled function
with basic performance information. Useful for narrowing down
functions of interest before investigating them in more depth.
--wasm-tier-up-filter=N: only tier up function #N. Useful for focusing
features like --turbo-stats-wasm on a particular function.
Change-Id: Iaddb29bf815f4de8381a08e29187e96cc9945779
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3086341
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77399}
Since we introduced `array.init` as a way to create fully initialized
arrays, immutable arrays are no longer useless, and they enable certain
static optimizations, so this patch allows them.
Bug: v8:7748
Change-Id: I404aab60099826f4bd83cf54e5e1acbc38a3ca9b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3221151
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77397}
This is a reland of 3600aabf73
Original change's description:
> ppc: [liftoff] implement AtomicExch and AtomicCmpExch
>
> Change-Id: Ida66b9c42cfb9bd5b59a83188a2dfa0d602d4036
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3192427
> Reviewed-by: Milad Fa <mfarazma@redhat.com>
> Commit-Queue: Junliang Yan <junyan@redhat.com>
> Cr-Commit-Position: refs/heads/main@{#77148}
Change-Id: I84dc2d2c429c1f1646d0b97036ad9baa96961e56
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3216042
Commit-Queue: Junliang Yan <junyan@redhat.com>
Reviewed-by: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#77381}
Instead, pass a return parameter to store the error message, if any.
Change-Id: Ie71910149271a4268799ee41a8873df51812c505
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3218989
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77375}
GetUnusedRegister may spill registers and thus modify stack slots.
Therefore, we have to call it before fetching stack slots.
Bug: v8:7748
Change-Id: If7873efd986d9a7a6869fa8ec156d45affd7a8aa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3217199
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77334}
For debugging purposes, we print the validation error if the module
generated by WasmCompileFuzzer fails to validate.
Change-Id: I79d2827e489194d02150484ab5a196e979a302af
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3211574
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77295}
This patch adds infrastructure for collecting feedback about call_ref
call targets in Liftoff code, and using that feedback for turning
such calls into inlineable direct calls when building Turbofan graphs.
The feature is considered experimental quality and hence off by default,
--wasm-speculative-inlining turns it on.
Bug: v8:7748
Change-Id: I0d0d776f8a71c3dd2c9124d3731f3cb06d4f5821
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3205902
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77287}
So far the slot is set to 0; in an upcoming CL it will be
used for an actual feedback vector.
Bug: v8:7748
Change-Id: I79f7502757d2cd8b07ced7105bf7532f5bc9b4f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3205898
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77279}
WebAssembly dynamic tiering should be tested with an origin trial. For
the origin trial the feature flag value has to be loaded from blink.
This CL stores the value of the --wasm-dynamic-tiering flag in the
compilation state, from where it gets passed forward to all uses of the
flag. The flag value gets loaded from blink when a new NativeModule is
created.
R=clemensb@chromium.org
Bug: v8:12281
Change-Id: Ia26355a665b7dfcdb47144863c1bec296774abb2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3204963
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77256}
With dynamic tiering, typically not all functions of a WebAssembly
module get compiled with TurboFan, and therefore the code caching would
never get triggered. With this CL code caching is triggered whenever
{FLAG_wasm_caching_threshold} bytes of TurboFan code are generated.
This new caching event is only triggered when --wasm-dynamic-tiering is
enabled.
R=clemensb@chromium.org
Bug: v8:12281
Change-Id: I939325aea7e4310aa76c936636799661c05d4079
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3202593
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77251}
The Merge node for merging exceptions into the catch environment had
type kWord32, which is not a reference type. Because of this the GC does
not visit it and can collect it too early. Change the type to
kTaggedPointer.
Also change the type of ExceptionLocation() from IntPtr to TaggedPointer
for consistency. This one does not affect correctness because the
IfException node is already marked as tagged.
R=clemensb@chromium.org
Bug: v8:12254
Change-Id: I190d48b85f4b889ab083228b8fcedd439090e1de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3201994
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77232}
This is needed in case of 'let', where OpcodeLength transitively calls
{read_value_type()}.
Bug: v8:9495
Change-Id: I8aebffabc7ba1c47418d363dc9257f132fac33df
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200074
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77215}
Loop exits are only used during loop unrolling and are then removed, as
they cannot be handled by later optimization stages. Since unrolling
comes before inlining in the compilation pipeline, we should not emit
loop exits in inlined functions.
Bug: v8:12166
Change-Id: I28b3ebaf67c9e15b127eeb1a63906c4ecfd77480
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3195871
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77175}
We currently could produce the error message 'not enough arguments on
the stack for block, expected 0 more'. This CL fixes this by printing
the available number of arguments and the needed number, and adds
DCHECKs to catch similar miscomputations in the future.
It also adds a new test that produced the broken error before, and
includes the expected failure message in a few more tests for
robustness.
R=manoskouk@chromium.org
Change-Id: Ia08863889ae36ae0a05d96d36e92295b7159a01e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3194264
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77167}
The address space limit puts an arbitrary cap on the total reservation
size, thus limiting the total number of Wasm memories to around 100 on
64-bit systems.
Since the usable address space on 64 bit is much larger than the
1TB+4GB limit, this makes us reject code that we could otherwise just
execute.
This CL thus removes that limit completely.
See the linked issue for more discussion, including security
considerations.
R=jkummerow@chromium.org, rsesek@chromium.org
Bug: v8:12076
Change-Id: I1f61511d68efdab1f8cef4e09c0a39fc1d6fed60
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3190476
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77161}
I'm trying to remove annotations and make behavior more consistent. For
@generatePrint, there are two options: either generate printers for
every extern class, or never generate printers for extern classes. This
change implements the option of always generating printers. Classes that
require custom printing can easily hide the generated printer by using
DECL_PRINTER. This causes the generated file
gen/torque-generated/objects-printer.cc to grow to 1600 lines, including
many functions that are never used, but I think the consistency benefit
outweighs a little more compilation time on one file. This change also
removes custom printers in cases where the generated printer includes
all of the same content.
If folks would prefer the option to never generate printers, I'm open to
doing that instead. I like the notion that generating more code could
reduce the friction of adding new classes and thereby encourage people
to define precise types rather than using FixedArrays, but the current
implementation of generated printers is limited, and many printers have
been customized to show the data that matters the most. Unlike verifiers
and body descriptors, there are no correctness or safety concerns with
hand-written printers.
Some bugs showed up once we start generating printers for everything,
and this change fixes them:
- Printers incorrectly included ungettable fields like padding
- Printers called getters which might be hidden by hand-written classes
- The generated getter for Map::instance_type used
ReadField<InstanceType>, which is not an arithmetic type since it's an
enum
One more tiny drive-by fix: added a missing newline in the printers for
JSMap and JSSet.
Bug: v8:7793
Change-Id: Ib9e9575fbcb57879935ff18bf4db49fe276d2966
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3172190
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#77152}
This fixes a long-standing TODO to disallow importing receivers that
have "toString" or "valueOf" patched. Calling those methods could have
observable side effects, so allowing that would require bigger
refactorings to ensure that we only call each such function exactly once
per import, and in the right order.
Since this use case is rare, we just forbid importing such receivers.
R=jkummerow@chromium.org
Bug: chromium:1248677
Change-Id: I99bbd7db950ec3c7ac9cc1f59e8c476688e7d7b6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3190475
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77149}
Because there can be fewer function signatures than there are
functions a new ForceAddSignature function was added which does
not deduplicate.
Bug: v8:11954
Change-Id: Ib028de47962dd1e797ead1b1f05a4e6815029487
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3186431
Commit-Queue: Maria Tîmbur <mtimbur@google.com>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77126}
Instead of hand-coding a loop, use range-based for loops for iterating
signatures. Similarly, {std::transform} can replace a hand-coded loop
for constructing values from return types.
R=thibaudm@chromium.org
Bug: v8:12244
Change-Id: I467656650b731cbcb9ea57c54f5311885bb158dd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3181520
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77054}
Rename the enum value to avoid variable shadowing.
R=clemensb@chromium.org
Bug: v8:12244
Change-Id: I96a3bee7615b44692bb9edfedf82c6020a803d0d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3181529
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77050}
NameSectionKindCode::kFunction got shadowed by
WasmCompilationResult::Kind::kFunction. NameSectionKindCode is not used
often, so this CL just adds "Code" to all fields of this enum.
R=clemensb@chromium.org
Bug: v8:12244
Change-Id: I87155a43084b868f6c118ddc2e44cb9c35b4249b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3181535
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77049}
In Liftoff, the result of table.grow was smi-untagged and sign-extended
to a ptr-sized value. However the result is typed as i32, so the upper
32 bits should be cleared on 64 bit platforms. In particular this is
observable when the value is used as an index for a memory operand,
which leads to the repro in the attached issue.
Match the TF behavior by untagging the value as a 32-bit int.
R=clemensb@chromium.orgCC=ahaas@chromium.org
Bug: chromium:1251465
Change-Id: Ia57fd8a69ecb2787b42bbf8217e448976aa1dbd9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3173680
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77044}
emitted comparison differs depending on the input type (signed
or unsigned).
This patch is needed to fix test failures after this CL:
https://crrev.com/c/3172765.
Change-Id: If709920d609c94dd3fa5abf14e509978bd7b40ff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3178970
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#77018}
i32 comparisons often compare against constants, in order to implement
conditional branches. This CL optimizes such code by not loading the
constant into a register first, but directly emitting the comparison.
The code is shared for implementing {if} and {br_if} (and thereby makes
those two methods more readable).
R=thibaudm@chromium.org
Change-Id: I3f2f071a1c9e4b02c7368a2757bf4aae2920bd69
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3172765
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77008}
Add support for heap sandbox on arm64 when building with v8_enable_heap_sandbox=true
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
Bug: v8:10391
Change-Id: I3080f5970d2a604ca67827c732cd77761f7611a3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3165057
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76986}
Drive-by edit to use ASM_CODE_COMMENT for better code comments for
all the more complicated macro-assembler functions.
Also undef macros (AVX_OP et al) since they are not longer used outside
of shared-macro-assembler.
Bug: v8:11589
Change-Id: I424f27b5b742a8efb26ccef87dbffb01eae60335
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3173892
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76973}
The shipping version was incorrect in the original CL.
R=ecmziegler@chromium.org
Bug: v8:7581
Change-Id: Ib382cdacb8f6aa80718e6917b535c026b83d88cd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3172766
Reviewed-by: Emanuel Ziegler <ecmziegler@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76966}
The function index encoded into the serialized module is already offset
by num_imported_functions. For lazy compilation, however, we added the
number of imported functions another time, which was incorrect.
R=clemensb@chromium.org
Change-Id: I56380e21e74b4d1935ebdbab6ef8cc388de49f2c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3172761
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76965}
Conditions are usually used in binary comparisons, and are named for
that purpose. When used in a unary comparison, {kEqual} means "equal to
zero" and {kUnequal} means "not equal to zero". This is noted in several
comments in {LiftoffCompiler}.
This CL introduces the alternative names {kEqualZero} and
{kNotEqualZero} to avoid the repeated comments and increase readability.
R=thibaudm@chromium.org
Bug: v8:12244
Change-Id: I720a3d91ea95a26a38a48c68161f1b0552937cd4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3172763
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76964}
Most call signatures are small enough to keep them on the stack. This CL
adds a little optimization to avoid two Zone allocations for such small
signatures (and one in the general case).
R=thibaudm@chromium.org
Change-Id: I20ea7b77bfe8f1c86f8aa66450baa3561d564de1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3168279
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76958}
This CL sets the prototype for the other WebAssembly API objects,
Module, Instance, Table, and Memory.
For Instance, the WebAssemblyInstanceImpl function got inlined, as
there was only one caller, and it made setting the prototype
complicated.
R=jkummerow@chromium.org
Bug: v8:12227
Change-Id: I93b459d69b917b099b27f957fb0e04b7e021bd59
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3168282
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76954}
This adds a few DCHECKs to ensure that the process-wide memory
protection key is not writable (per thread) in a few strategic places:
- Before switching it to writable (which implicitly checks the initial
state),
- when entering compiled code, and
- in the explicit unit test.
R=jkummerow@chromium.orgCC=mpdenton@chromium.org
Bug: v8:11974
Change-Id: I6037f599afe9009d5e48794eb382eb1979f3ce9f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3165060
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76953}
When dst != lhs, we moved lhs to dst, but dst can be == rhs, so we would
overwrite rhs, and end up comparing lhs with itself, always returning
false. We handle the different aliasing cases in the macro-assembler
function I64x2GtS, to simplify the checks in Liftoff a little bit.
TurboFan does not need to change as it will require dst == lhs when AVX
is not supported.
Bug: v8:12237
Change-Id: Icefa6eb79083c003e93dbbd11ccc419aae4b15d3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3169312
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76945}
... and move methods that use XXX::cast() there.
This will untangle the include cycle that'll happen in a follow-up CLs.
Bug: v8:11880
Change-Id: Iba46bc9b0e0df9530197f57d0469456eb9006e66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3164456
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76932}
This is a reland of db95e20b98
Changes compared to original:
Only invoke std::memcpy if source is not null.
Original change's description:
> [wasm] Introduce CallInfo in WasmGraphBuildingInterface
>
> The DoCall and DoReturnCall functions implement function calls in
> WasmGraphBuilderInterface. These functions need different arguments
> based on if the call is direct, indirect or call_ref. Right now, these
> arguments are misnamed in some cases, and callers have to pass default
> values for unused arguments.
> This CL tidies up the arguments of these functions by introducing a
> CallInfo class which provides different constructors based on the type
> of the call, where only the required arguments need to be passed.
>
> Change-Id: Ie03de6d3cf253a9baa0369f569589bb91d0b1866
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162606
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76910}
Change-Id: I85cb5479f013e6625adce421d011c0b2ae073260
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3168626
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76926}
This reverts commit db95e20b98.
Reason for revert: UBSan failures https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20UBSan/18300/overview
Original change's description:
> [wasm] Introduce CallInfo in WasmGraphBuildingInterface
>
> The DoCall and DoReturnCall functions implement function calls in
> WasmGraphBuilderInterface. These functions need different arguments
> based on if the call is direct, indirect or call_ref. Right now, these
> arguments are misnamed in some cases, and callers have to pass default
> values for unused arguments.
> This CL tidies up the arguments of these functions by introducing a
> CallInfo class which provides different constructors based on the type
> of the call, where only the required arguments need to be passed.
>
> Change-Id: Ie03de6d3cf253a9baa0369f569589bb91d0b1866
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162606
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76910}
Change-Id: Ie0b288b3cbb66de4858fb7fbf1bc992518e637d0
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3168284
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#76911}
The DoCall and DoReturnCall functions implement function calls in
WasmGraphBuilderInterface. These functions need different arguments
based on if the call is direct, indirect or call_ref. Right now, these
arguments are misnamed in some cases, and callers have to pass default
values for unused arguments.
This CL tidies up the arguments of these functions by introducing a
CallInfo class which provides different constructors based on the type
of the call, where only the required arguments need to be passed.
Change-Id: Ie03de6d3cf253a9baa0369f569589bb91d0b1866
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162606
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76910}
This fixes the first part of a failing spec test, the other WebAssembly
objects will follow in other CLs.
R=jkummerow@chromium.org
Bug: v8:12227
Change-Id: I7b57b0c518671f0614a88f0477b64e2507435aba
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3168272
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76907}
vragther require that the destination vector register group cannot overlap with the source vector
register groups, otherwise an illegal instruction exception is raised.
Change-Id: I6d23ea80edc4a80be961531ded855ff372ca0da0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3161777
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: Ji Qiu <qiuji@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#76895}
The default value for table entries in WebAssembly tables is null when
the table gets allocated from WebAssembly, but when the table gets
allocated from JavaScript, the default value is undefined when the
table type is externref. With this CL V8 handles the JavaScript case
spec-compliant.
R=manoskouk@chromium.org
Bug: v8:12227
Change-Id: Ic8a1361629d8e5dfb59e2ee22a5e0ae0f6de936d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162045
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76892}
Optimize i64x2mul when AVX is supported to elide some moves.
Bug: v8:11589
Change-Id: Ide0bba502a35cbb632e3fc311c9697c5f54f9d82
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3163280
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76889}
Behind the --wasm-inlining flag, we introduce speculative direct calls
as an alternative to invoking functions through references.
In pseudocode, call_ref(func_ref, args...) reduces to
if (func_ref == function_reference_at(expected_index)) {
call_direct(expected_index, args...)
} else call_ref(func_ref, args...)
The introduced direct call can later get inlined in WasmInliningPhase.
Currently, we always speculate that the reference is the function at
index 0. Proper heuristics, based on liftoff runtime feedback, will come
later.
Bug: v8:12166, v8:7748
Change-Id: Icd1319d3091b436e71906717fd8a2662bfbb8481
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162602
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76884}
Reason for revert: There was an out-dated wpt test in blink that
failed after this CL. I adjusted the test expectations in https://chromium-review.googlesource.com/c/chromium/src/+/3162980 so that I can land this CL.
Original change's description:
> Revert "[wasm][externref] Support default value for the table.set"
>
> This reverts commit 6b57898062.
>
> Reason for revert: Fails layout tests: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Blink%20Linux/13751/overview
>
> Original change's description:
> > [wasm][externref] Support default value for the table.set
> >
> > WebAssembly.Table.set allows a default value instead of the second
> > parameter, which was not supported by V8 so far.
> >
> > R=thibaudm@chromium.org
> >
> > Bug: v8:7581
> > Change-Id: I417790722b1cb4f854cd0056ecb8377c330c45fa
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3141574
> > Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
> > Commit-Queue: Andreas Haas <ahaas@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#76846}
>
> Bug: v8:7581
> Change-Id: I83d9be59c66ece3184b5708e5b8a3b401e4938ed
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3163257
> Auto-Submit: Clemens Backes <clemensb@chromium.org>
> Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
> Cr-Commit-Position: refs/heads/main@{#76852}
Bug: v8:7581
Change-Id: I248f836ba4de2a4e3f3d80c00e6f1ac0b46a38d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162608
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76873}
Group all the SIMD (SSE/AVX) functions in macro-assembler-x64 together,
and move Ucomisd/Ucomiss to shared-macro-assembler.
Bug: v8:11589
Change-Id: Ia2246e816615aa8e143e94a1064838b2c314d8f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3160698
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76855}
This reverts commit 6b57898062.
Reason for revert: Fails layout tests: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Blink%20Linux/13751/overview
Original change's description:
> [wasm][externref] Support default value for the table.set
>
> WebAssembly.Table.set allows a default value instead of the second
> parameter, which was not supported by V8 so far.
>
> R=thibaudm@chromium.org
>
> Bug: v8:7581
> Change-Id: I417790722b1cb4f854cd0056ecb8377c330c45fa
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3141574
> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76846}
Bug: v8:7581
Change-Id: I83d9be59c66ece3184b5708e5b8a3b401e4938ed
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3163257
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#76852}
WebAssembly.Table.set allows a default value instead of the second
parameter, which was not supported by V8 so far.
R=thibaudm@chromium.org
Bug: v8:7581
Change-Id: I417790722b1cb4f854cd0056ecb8377c330c45fa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3141574
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76846}
Per https://github.com/WebAssembly/gc/issues/234, this implements
"nominal" type definitions with explicit supertypes, and statically
typed RTT-less instructions for allocation and testing/casting.
This should be fully backwards compatible with existing Wasm modules.
Spec: https://bit.ly/3cWcm6Q ("version 4")
Bug: v8:7748
Change-Id: Id5a1399b368fdfad22036cfd66f1bef593e640f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3144916
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76844}
We move the implementation in Liftoff (which is the most general and
handles AVX/SSE and also register aliasing) into shared-macro-assembler.
Also consolidate SSE/AVX for ia32.
No functionality change is expected.
Bug: v8:11589
Bug: v8:11217
Change-Id: I64cc71791f04332dd3505055f4672430c2daf5ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3131373
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76805}
Move this from macro-assembler-x64 to shared-macro-assembler, and use
this implementation for ia32 (TurboFan and Liftoff).
Bug: v8:11589
Change-Id: If851560c8db1293924ca024725609c399c553a4a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3124099
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76803}
This fixes the order of declaring class members for LiftoffCompiler,
LiftoffAssembler, LiftoffRegister, and LiftoffRegList.
The recommended order according to the style guide is: types, constants,
constructors, other members, data members.
R=thibaudm@chromium.org
Bug: v8:11879
Change-Id: I5c550ed11ed0169f07477b6a1723053316374707
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3157960
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76798}
Move some AVX_OP into shared macro-assembler, for reuse by ia32 in
future patches.
Movlhps is also unused in x64, so remove it.
Drive-by cleanup to use macro assembler helper Move to move 128-bit
const into a XMMRegister.
The change in liftoff-assembler-x64 is required because now the
macro-assembler functions are defined in the base class, so even though
we can use &TurboAssembler::Pcmpeqd to refer to that member function,
it actually resolves to &SharedTurboAssembler::Pcmpeqd.
Bug: v8:11589
Change-Id: Ie8f6a4dfd95b41192936f6e6be48c683042acec4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3150138
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76772}
We already have some logic to try to get a reasonable name for the
function when logging code. It looks up the name custom section, and
falls back to the function index. Extract this into a helper, and call
it when disassembly the code.
Bug: v8:12098
Change-Id: Ieebe6594bc3184fa655f878faa0cb67c248d7f56
Fixed: v8:12098
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3125355
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76769}
In the case that {dst}, {lhs} and {rhs} all point to the same register,
we would emit wrong code (negating the register and adding it to
itself). This CL fixes this by checking if {lhs == rhs}, and just
clearing the {dst} register in that case.
R=thibaudm@chromium.org
Bug: chromium:1247659
Change-Id: I7913617850adb34a5ad812369f16a7422358454d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3151955
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76765}
With statically in-bounds memory accesses (implemented in
https://crrev.com/c/2919827) we would only have an offset but no index
register for {TraceMemoryOperation}. This CL fixes that situation.
R=thibaudm@chromium.org
Bug: chromium:1248024
Change-Id: I856b263a560cb71791c61e446e78dd99c9664190
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3149464
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76763}
The t6-t8 are scratch registers and should not be allocatable.
Besides, add s0, s1, s2, s5 and s8 as allocatable registers.
Change-Id: I0805cc5273d0e0ec5040a0376bcbfba276202077
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3147315
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76739}
This adds some basic tests for WebAssembly code protection, in four
different configurations:
- no protection
- mprotect-based protection
- PKU-based protection
- PKU with fallback to mprotect
If PKU is not supported by the OS or hardware, then PKU is identical to
no protection, and PKU with fallback is identical to mprotect. We always
execute all four configurations anyway.
If protection is effective, we expect code to be writable within a
{CodeSpaceWriteScope}, and not writable otherwise. When trying to write
to non-writable code, we expect a crash of the process (checked via
{ASSERT_DEATH_IF_SUPPORTED}).
R=jkummerow@chromium.org
CC=mpdenton@chromium.org
Bug: v8:11974
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_dbg_ng
Change-Id: I4ec0ce9426f70ff41a292b9ea25be1e8956a670e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3138210
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76726}
We add an option to BuildTFGraph to not emit stack checks and call
tracing and use it in inlined functions.
Also, we add tests for zero/multiple return values, as well as infinite
loops in the inlined function.
Bug: v8:12166
Change-Id: I5f34c57d9870592085804853ff23ba94897cc8d5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3141589
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76718}
Simply putting all features behind --experimental-wasm-gc.
The intent is to simplify command lines.
Bug: v8:7748
Change-Id: Ibfaa4dc720087a490b177a2b95841620a4d25d89
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3141583
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76703}
- Add vsetivli/I8x16Add/vl/vse8
- In Rvv, Vector regs is different from Float Regs. But in this cl, in order to facilitate modification, it is assumed that the vector register and float register share a set of register codes.
- Because v0 is mask reg, we can't allocate it . And transfer float into vector reg, so i delete ft0 from AllocateReg.
Bug: v8:11976
Change-Id: I66185d1f5ead985489bcbdf671b131f02a6bd7c2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3005768
Commit-Queue: Ji Qiu <qiuji@iscas.ac.cn>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Ji Qiu <qiuji@iscas.ac.cn>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76700}
The receiver is now always included in the actual argument count and
the formal parameter count.
kDontAdaptArgumentsSentinel is changed from UINT16_MAX to 0 to preserve
the maximum allowed declared parameters.
The build flag activating the changes is not set for any architecture
yet.
Bug: v8:11112
Change-Id: I48a4969137949a1b4d1f47545209bb22b64e7e05
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3140608
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76699}
This is a reland of 1786f8d770. It turned
out that also x64 is broken, and only for TurboFan. Both is fixed now.
Original change's description:
> [arm64][liftoff] Fix trap handling on load lane
>
> This fixes the registered {protected_load_pc} to (always) point to the
> actual load instruction. If {dst != src} we would emit a register move
> before the load, and the trap handler would then not recognize the PC
> where the signal occurs, leading to a segfault.
>
> R=thibaudm@chromium.org
>
> Bug: chromium:1242300, v8:12018
> Change-Id: I3ed2a8307e353fd85a7ddedf6ecb73e90a112d32
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3136454
> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76642}
Bug: chromium:1242300, v8:12018
Change-Id: I79284ab9815f5363f759569d98c8c4b52d48e738
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3140609
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76698}
We add table operations to the fuzzed module.
GetTableType function is added in WasmModuleBuilder.
Alter alternatives array in GenerateOptRef to generate
less default values.
Bug: v8:11954
Change-Id: I433a6fac0ab10307aeede505b7d0c1d625d27477
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3137493
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Rakhim Khismet <khismet@google.com>
Cr-Commit-Position: refs/heads/main@{#76697}
We introduce basic wasm inlining infrastructure behind a flag. The
implementation is currently incomplete. Additionally, we always inline
the function at index 0; proper inlining heuristics will be added later.
Changes:
- Rename WasmInliningPhase -> JSWasmInliningPhase
- Introduce WasmInliningPhase and WasmInliner.
- Pass additional parameters as needed to GenerateCodeForWasmFunction.
- Remove EnsureEnd in WasmGraphAssembler. Create end node at the start
of compilation.
- Add a simple test.
Bug: v8:12166
Change-Id: Ifd7006ba378e9f74cd248b71e16869fbbb8a82be
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3141575
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76689}
Adds a USE(...) around a std::accumulate which appears to have nodiscard
on it in MSVC builds. Probably only manifests with debug flags on as
otherwise code is not compiled.
Change-Id: I78f4f2c07161598336fedcdd4a204379c4deb81b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3141579
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76671}
We use BuildCCall over CallBuiltin. This improves the performance of
array.copy by up to 2x for small arrays.
Bug: v8:7748
Change-Id: Ibbd6a69267edb229beda1f6de4ff1c48eb38b729
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3135580
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76661}
The WebAssembly.Table constructor supports a second parameter that was
not supported by V8 so far.
R=thibaudm@chromium.org
Bug: v8:7581
Change-Id: Id74c53a6b1bde7f49a4edea8397d1cab253e1a0e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3141571
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76660}
This reverts commit 1786f8d770.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64/44442/overview
Original change's description:
> [arm64][liftoff] Fix trap handling on load lane
>
> This fixes the registered {protected_load_pc} to (always) point to the
> actual load instruction. If {dst != src} we would emit a register move
> before the load, and the trap handler would then not recognize the PC
> where the signal occurs, leading to a segfault.
>
> R=thibaudm@chromium.org
>
> Bug: chromium:1242300, v8:12018
> Change-Id: I3ed2a8307e353fd85a7ddedf6ecb73e90a112d32
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3136454
> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76642}
Bug: chromium:1242300, v8:12018
Change-Id: I7bc9d00a4fba3101e7ee68695961d1b543268c4e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3138202
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76644}
This fixes the registered {protected_load_pc} to (always) point to the
actual load instruction. If {dst != src} we would emit a register move
before the load, and the trap handler would then not recognize the PC
where the signal occurs, leading to a segfault.
R=thibaudm@chromium.org
Bug: chromium:1242300, v8:12018
Change-Id: I3ed2a8307e353fd85a7ddedf6ecb73e90a112d32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3136454
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76642}
- Replace CodeStubArguments::GetLength() with GetLengthWithReceiver()
and GetLengthWithoutReceiver()
- Introduce and use Torque macros to load the formal parameter count
(with and without receiver).
- Add actual_count to Torque arguments structure for cases where the
argument count is not used, but just forwarded to other builtins.
Bug: v8:11112
Change-Id: I32278efeffa2fb08361989c6df8de56c74add8b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3124804
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76637}
Besides, fix an error in set_if_nan, because if src is a NaN, we should
set the i32 instead of i64 at address dst to a non-zero value.
Port e6961df23f
Bug: v8:11856
Change-Id: Icc9afda35d4cca4fd5ae82356ecaec77bf92d009
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3139055
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Auto-Submit: Liu yu <liuyu@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#76636}
Also fix several out of date comments.
Change-Id: I15ee6c718ad50f231cd0a8e5c6416ccb58375140
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3121693
Commit-Queue: Ji Qiu <qiuji@iscas.ac.cn>
Reviewed-by: Brice Dobry <brice.dobry@futurewei.com>
Cr-Commit-Position: refs/heads/main@{#76633}
This is a reland of 6ae18c2d3c, with
{CompileWasmCapiCallWrapper} fixed to also contain a
{CodeSpaceWriteScope}.
Original change's description:
> [wasm] Move write scope out of NativeModule::AddCode
>
> {NativeModule::AddCode} is a central method that should usually be
> called in batches, where the caller holds a {CodeSpaceWriteScope} for a
> longer time (over several compilations).
> This CL moves us closer to that by removing the scope from that central
> method and instead putting it in callers where it becomes more visible.
> There are already TODOs to introduce caching or batching to avoid some
> switching, and one more TODO is added.
>
> Drive-by: Remove an unneeded {CodeSpaceMemoryModificationScope}.
>
> R=jkummerow@chromium.org
>
> Bug: v8:11974
> Change-Id: Ia13c601abc766e5fca6ca053bf1fc4d647b53ed0
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3098186
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#76344}
Bug: v8:11974
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_dbg_ng
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_rel_ng
Change-Id: I6367bbd9dc52c403513eb1a168aa1f6eb4044ca1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3129703
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76626}
This CL does the following for x64:
- Add seq cst TSAN helpers.
- Refactors codegen's handling of TSAN helpers to also support
seq cst accesses.
- Perform stores only once instead twice under TSAN, since
duplicating stores is unsound. Previously this was "fine"
because all duplicated stores were relaxed. SeqCst stores
are used for synchronization, however, and duplicating them
breaks the synchronization.
Bug: v8:7790, v8:11600, v8:11995
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel_ng
Change-Id: I43071b0ed516cb0917a10f3b2b9861d74edca041
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103308
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76612}
Instrument floating-point operations to set a flag if the result is NaN.
Port: e699762e06
Bug: v8:11856
Change-Id: Iae8121dd17ae8acf402ac74e41122cad77387db7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3099945
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/main@{#76605}
Avoid an additional copy of the name, and inline single-use (and small)
functions. Also, use an early exit for the generic wrapper to make the
code simpler.
R=zhin@chromium.org
Bug: v8:11879
Change-Id: Ic66a2c9430f7c3481b9038d2a517c4c76888503b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3132267
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76600}
WasmModuleBuilder is a class that is used to build Wasm modules in the
asm.js parser, in the fuzzer, as well as some tests. When it comes to
Wasm tables, WasmModuleBuilder currently supports only basic tables
(before the reftypes proposal) using an ad-hoc indirect-function index
vector.
This CL adds proper support for element sections and tables that use
them in the full potential of the reftypes extension. The new
functionality will only be used in the fuzzer and potentially some tests
in the future. Along this, we drop some functionality from
WasmModuleBuilder that was only used in tests and is redundant with the
new architecture.
Additionally, we remove tables other than externref and funcref from the
fuzzer (which were not supported properly or used anyway). We will
reintroduce them at a later time.
Bug: v8:11954
Change-Id: I0a4f6e7b63b6e3d9f7da03b5202fbf14d8678332
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3122162
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76597}
WriteInitializerExpressions did not emit the final 'end' opcode, and
expected call sites to do so, which they did not do consistently.
We move this functionality to WriteInitializerExpression.
Change-Id: Idf42272a3dbdfd0d7f22675731e193584f75c41f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3122159
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76532}
1. Move Abspd, Negpd from MacroAssembler into TurboAssembler so that we
can use it in code-generator
2. Add Absps and Negps (float32 versions of the instructions in 1)
3. Refactor SSE/AVX float32/float64 abs/neg to use these macro-assembler
helpers.
4. Use these helpers in Liftoff too
This has the benefit of not requiring to set up the masks in a temporary
register, and loading the constants via an ExternalReference instead.
It does require (in ins-sel) to have the input be in a Register, since
the ExternalReference is an operand (and the instruction can only have 1
operand input).
Bug: v8:11589
Change-Id: I68fafaf31b19ab05ee391aa3d54c45d547a85b34
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3123635
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76520}
No functionality change, moved the i8x16.popcnt algorithm
into shared-macro-assembler.
Bug: v8:11589
Change-Id: I3dd9d01589bf0176df1e33433f4c3c0c717c253d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3122572
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76516}
Also move Pshufb definition into shared-macro-assembler. We define a
Pshufb that handles both SSE and AVX, and in SSE case will move src to
dst if they are not the same.
Define operator== and operator!= in ia32's Operand class that will check
against XMMRegister, we can then use DCHECK_NE to ensure that a register
doesn't alias a operand wrapping a register.
Bug: v8:11589
Change-Id: I7c30881e8a9b322b736bb7301dde0c5424efacdd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3119997
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76515}
Bug: v8:11589
Change-Id: I7c97920d8ab94408b5cde4e90e7ff1aa9bcaeeba
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3119995
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76511}
Bug: v8:11589
Change-Id: I7b55efa76f60eacf31700a544f54042eec963f57
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3115545
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76495}
We create a ExternalReferenceAsOperand helper function in
SharedTurboAssemblerBase that delegates to the actual arch specific
implementation of TurboAssembler, because the ia32 and x64
ExternalReferenceAsOperand differs slightly in their implementation.
Bug: v8:11589
Change-Id: I378ea6b72fb2bba1a37482cc31cd58db0ba35721
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114604
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76494}
This introduces a new flag, --experimental-wasm-unsafe-nn-locals, which
allows arbitrary unvalidated local.get operations on non-nullable
locals.
For invalid accesses, this will crash. The intention is to allow module
producers to experiment; if they find these locals particularly useful,
we will add engine-side validation later.
Bug: v8:7748
Change-Id: I9a05747eaff312448ce0acf57a412e76679ff061
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3110192
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76489}
In a follow-up CL, the backing stores will, when the sandbox is enabled,
be referenced from V8 objects through offsets rather than raw pointers.
For that to work, all backing stores must be located inside the virtual
memory cage. This CL prepares for that.
Bug: chromium:1218005
Change-Id: Ibb989626ed7094bd4f02ca15464539f4e2bda90f
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114136
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76486}
Bug: v8:11589
Change-Id: Ie51cfd6cd6315f7f14f0c584f190a478ed565b0e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114603
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76475}
This is a reland of d1b27019d3
Fixes include:
Adding missing file to bazel build
Forward-declaring classing before friend-classing them to fix win/gcc
Add missing v8-isolate.h include for vtune builds
Original change's description:
> [include] Split out v8.h
>
> This moves every single class/function out of include/v8.h into a
> separate header in include/, which v8.h then includes so that
> externally nothing appears to have changed.
>
> Every include of v8.h from inside v8 has been changed to a more
> fine-grained include.
>
> Previously inline functions defined at the bottom of v8.h would call
> private non-inline functions in the V8 class. Since that class is now
> in v8-initialization.h and is rarely included (as that would create
> dependency cycles), this is not possible and so those methods have been
> moved out of the V8 class into the namespace v8::api_internal.
>
> None of the previous files in include/ now #include v8.h, which means
> if embedders were relying on this transitive dependency then it will
> give compile failures.
>
> v8-inspector.h does depend on v8-scripts.h for the time being to ensure
> that Chrome continue to compile but that change will be reverted once
> those transitive #includes in chrome are changed to include it directly.
>
> Full design:
> https://docs.google.com/document/d/1rTD--I8hCAr-Rho1WTumZzFKaDpEp0IJ8ejZtk4nJdA/edit?usp=sharing
>
> Bug: v8:11965
> Change-Id: I53b84b29581632710edc80eb11f819c2097a2877
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097448
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Dan Elphick <delphick@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76424}
Cq-Include-Trybots: luci.v8.try:v8_linux_vtunejit
Bug: v8:11965
Change-Id: I99f5d3a73bf8fe25b650adfaf9567dc4e44a09e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3113629
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76460}
We add ref.func and ref.is_null to the fuzzed module.
ref.is_null returns i32, so it is added to i32 generator.
ref.func is added to GenerateOptRef.
GetRefType function is added to generate reftypes.
Bug: v8:11954
Change-Id: Ia1add950bed573a02b6bec1cba401273d401919e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3106925
Commit-Queue: Rakhim Khismet <khismet@google.com>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76431}
Abstract reference types in the fuzzer have only generated trivial
values. This CL adds the capability for them to generate values of their
subtypes in addition.
Drive-by: Fix emission of multiple tables in wasm-fuzzer-common.
Bug: v8:11954
Change-Id: Id434109c9ae6c1e1b799414c90f18180b8895755
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3109672
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76430}
This reverts commit d1b27019d3.
Reason for revert: Broke vtune build, tsan build and possibly others
Original change's description:
> [include] Split out v8.h
>
> This moves every single class/function out of include/v8.h into a
> separate header in include/, which v8.h then includes so that
> externally nothing appears to have changed.
>
> Every include of v8.h from inside v8 has been changed to a more
> fine-grained include.
>
> Previously inline functions defined at the bottom of v8.h would call
> private non-inline functions in the V8 class. Since that class is now
> in v8-initialization.h and is rarely included (as that would create
> dependency cycles), this is not possible and so those methods have been
> moved out of the V8 class into the namespace v8::api_internal.
>
> None of the previous files in include/ now #include v8.h, which means
> if embedders were relying on this transitive dependency then it will
> give compile failures.
>
> v8-inspector.h does depend on v8-scripts.h for the time being to ensure
> that Chrome continue to compile but that change will be reverted once
> those transitive #includes in chrome are changed to include it directly.
>
> Full design:
> https://docs.google.com/document/d/1rTD--I8hCAr-Rho1WTumZzFKaDpEp0IJ8ejZtk4nJdA/edit?usp=sharing
>
> Bug: v8:11965
> Change-Id: I53b84b29581632710edc80eb11f819c2097a2877
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097448
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Dan Elphick <delphick@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76424}
Bug: v8:11965
Change-Id: Id57313ae992e720c8b19abc975cd69729e1344aa
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3113627
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76428}
This moves every single class/function out of include/v8.h into a
separate header in include/, which v8.h then includes so that
externally nothing appears to have changed.
Every include of v8.h from inside v8 has been changed to a more
fine-grained include.
Previously inline functions defined at the bottom of v8.h would call
private non-inline functions in the V8 class. Since that class is now
in v8-initialization.h and is rarely included (as that would create
dependency cycles), this is not possible and so those methods have been
moved out of the V8 class into the namespace v8::api_internal.
None of the previous files in include/ now #include v8.h, which means
if embedders were relying on this transitive dependency then it will
give compile failures.
v8-inspector.h does depend on v8-scripts.h for the time being to ensure
that Chrome continue to compile but that change will be reverted once
those transitive #includes in chrome are changed to include it directly.
Full design:
https://docs.google.com/document/d/1rTD--I8hCAr-Rho1WTumZzFKaDpEp0IJ8ejZtk4nJdA/edit?usp=sharing
Bug: v8:11965
Change-Id: I53b84b29581632710edc80eb11f819c2097a2877
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097448
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76424}
This CL implements both the Register-Register and the
Register-Immediate variants needed by liftoff.
Change-Id: I148df8418097004710a17e0b216c2f18db808b8c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3105085
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#76420}
This reverts commit 6ae18c2d3c.
Reason for revert: breaks a bunch of tests on Mac arm64 bots:
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Mac%20-%20arm64%20-%20release/5754/overviewhttps://ci.chromium.org/ui/p/v8/builders/ci/V8%20Mac%20-%20arm64%20-%20debug/2421/overview
Original change's description:
> [wasm] Move write scope out of NativeModule::AddCode
>
> {NativeModule::AddCode} is a central method that should usually be
> called in batches, where the caller holds a {CodeSpaceWriteScope} for a
> longer time (over several compilations).
> This CL moves us closer to that by removing the scope from that central
> method and instead putting it in callers where it becomes more visible.
> There are already TODOs to introduce caching or batching to avoid some
> switching, and one more TODO is added.
>
> Drive-by: Remove an unneeded {CodeSpaceMemoryModificationScope}.
>
> R=jkummerow@chromium.org
>
> Bug: v8:11974
> Change-Id: Ia13c601abc766e5fca6ca053bf1fc4d647b53ed0
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3098186
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#76344}
Bug: v8:11974
Change-Id: Ia6a6814f153f7602d5d691bc5c930601ff4622a7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3111268
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76414}
It must be possible to determine an object's size on the heap without
relying on the presence of any other objects. Specifically, if an
object and its WasmTypeInfo die at the same time, they can be swept
in any order, and the sweeper may need to know their sizes.
This patch solves the problem by repurposing two bytes in the Map,
where WasmStructs can store their instance size, and WasmArrays can
store their element size (which can be used to compute their size).
Fixed: chromium:1240670
Change-Id: Ib960fd0a409936aff1aef4daafed4c38b8497880
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3106649
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76391}
S10 is a Callee save register and be used in scratch_list.
In cctest, could use scratch but not does't go through the JSEntry function that can save callee save reg. So cctest could be crashed due to using s10.
Bug: v8:12124
Change-Id: I62c3582ad490681d5efb24e8bfe0884006d42e66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103425
Reviewed-by: Ji Qiu <qiuji@iscas.ac.cn>
Commit-Queue: Ji Qiu <qiuji@iscas.ac.cn>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#76375}
liftoff-assembler-ia32.h can now use it. TurboFan ia32 doesn't use it
because it generates different instruction codes (movlps, movhps).
Bug: v8:11589
Change-Id: I07540814acff2d8ea48e06d1e00023d80b276a3d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3095009
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76373}
Move optimized implementation (accounts for AVX2) into
shared-macro-assembler, and use it everywhere.
Drive-by fix in liftoff-assembler-ia32.h to use Movss and Movsd
macro-assembler functions to that they emit AVX when supported.
Bug: v8:11589
Change-Id: Ibc4f2709d323d5b835bcac175a32b422d47d3355
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3095008
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76372}
We snapshot all the code first, then log it without holding the lock.
Change-Id: I8c18b2db56678a9320ea6b63cd06290453c0a66a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097472
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76354}
Change i16x8.splat to use Punpcklqdq instead of Pshufd as the final step
to move low 32 bits to all lanes.
Move this implementation to shared-macro-assembler and use it
everywhere.
Bug: v8:11589,v8:12090
Change-Id: I968b1dca5a262e4e67875caea18c5c09828cb33a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3092558
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76353}
The optimal implementation is in TurboFan x64 codegen, move it into
shared-macro-assembler, and have TurboFan ia32 and Liftoff use it. The
optimal implementation accounts for AVX2 support.
We add a couple of AVX2 instruction to ia32 in sse-instr.h, not all of
them are used, but follow-up patches will use them, so we add support
(including diassembly and test) in this change.
Drive-by clean up to test-disasm-x64.cc to merge 2 AVX2 test sections.
Bug: v8:11589
Change-Id: I1c8d7deb0f8bb70b29e7a680e5dbcfb09ca5505b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3092555
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76352}
{NativeModule::AddCode} is a central method that should usually be
called in batches, where the caller holds a {CodeSpaceWriteScope} for a
longer time (over several compilations).
This CL moves us closer to that by removing the scope from that central
method and instead putting it in callers where it becomes more visible.
There are already TODOs to introduce caching or batching to avoid some
switching, and one more TODO is added.
Drive-by: Remove an unneeded {CodeSpaceMemoryModificationScope}.
R=jkummerow@chromium.org
Bug: v8:11974
Change-Id: Ia13c601abc766e5fca6ca053bf1fc4d647b53ed0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3098186
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76344}
This is a reland of a3b2c4ec81
The fix is in PS3, for UBSan. We use WriteUnalignedValue for
potentially unaligned memory writes.
Original change's description:
> [wasm][diagnostics] Support WasmCode in gdb JIT integration
>
> - Add new enum WASM_CODE to JitCodeEvent::CodeType
> - Use AddressRegion instead of AddressRange (remove the latter)
> - Change CodeDescription constructor to take an AddressRegion,
> both JIT_CODE and WASM_CODE use this
> - Add a simple mjsunit test that sets --gdbjit to check that
> we don't crash.
> - Add a api test for adding WASM_CODE
>
> Bug: v8:11908
> Change-Id: I6e87fadc2df67978144d78caf9800c3982bc3705
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3067754
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#76271}
Bug: v8:11908
Change-Id: I5ded6d01cff40803b2f70525163f760edcf97165
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3093506
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76327}
The {CodeSpaceWriteScope} in {InstanceBuilder::Build} was kept open
while processing imports, which could compile another wasm module via
{compiler::ResolveWasmImportCall} and
{WasmEngine::SyncCompileTranslatedAsmJs}. This leads to errors since
{CodeSpaceWriteScope}s for different modules cannot be held open at the
same time.
This CL fixes that by only opening the {CodeSpaceWriteScope} for the
actual compilation of import wrappers.
Drive-by: Only call {ProcessImports} if there are imports to be
processed, to avoid some of the overhead of {ProcessImports} and
{CompileImportWrappers}.
R=jkummerow@chromium.org
Bug: chromium:1239522
Change-Id: Ifbaf64a4be92088ae4a3fd7e9700a33397b2a967
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097283
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76311}
Bug: v8:12008
Change-Id: I2e1d918a1370dae1e15919fbf02d69cbe48f63bf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3089095
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76308}
We need to drop the object and the rtt from the liftoff stack before
loading the result.
Bug: v8:7748
Change-Id: Idbd4878ededc35892c951cafb3f8a8298133adff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3094015
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76304}
The static limit didn't account for possible S128 elements.
This patch makes the limit element type specific.
Fixed: chromium:1237024
Change-Id: Ic1e37656e2882c0eb7ea6400c83e4094eb747e88
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097269
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76303}
This reverts commit a3b2c4ec81.
Reason for revert: UBSan https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket/8839060153390139249/+/u/Check/gdbjit
Original change's description:
> [wasm][diagnostics] Support WasmCode in gdb JIT integration
>
> - Add new enum WASM_CODE to JitCodeEvent::CodeType
> - Use AddressRegion instead of AddressRange (remove the latter)
> - Change CodeDescription constructor to take an AddressRegion,
> both JIT_CODE and WASM_CODE use this
> - Add a simple mjsunit test that sets --gdbjit to check that
> we don't crash.
> - Add a api test for adding WASM_CODE
>
> Bug: v8:11908
> Change-Id: I6e87fadc2df67978144d78caf9800c3982bc3705
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3067754
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#76271}
Bug: v8:11908
Change-Id: Ic1a74a9239e8ef6107efd36f61c089ae6bfc5b6c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3093365
Auto-Submit: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#76274}
- Add new enum WASM_CODE to JitCodeEvent::CodeType
- Use AddressRegion instead of AddressRange (remove the latter)
- Change CodeDescription constructor to take an AddressRegion,
both JIT_CODE and WASM_CODE use this
- Add a simple mjsunit test that sets --gdbjit to check that
we don't crash.
- Add a api test for adding WASM_CODE
Bug: v8:11908
Change-Id: I6e87fadc2df67978144d78caf9800c3982bc3705
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3067754
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76271}
Move the implementation into shared macro-assembler. TurboFan and
Liftoff for both ia32 and x64 can now share the implementation. No
functionality change expected.
Bug: v8:11589
Change-Id: Ia1f680ba139fca627e82e7dc0a9cf1c833e483cf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3088513
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76268}
Move the implementation into shared macro-assembler. TurboFan and
Liftoff for both ia32 and x64 can now share the implementation. No
functionality change expected.
Bug: v8:11589
Change-Id: I8d3567ef6e4a430fe8e007e44d5d55cf8e8a6a7a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3088273
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76264}
This should not be needed any more after https://crrev.com/c/2944808,
which made job execution deterministic in predictable mode.
R=thibaudm@chromium.org
Bug: v8:11848, v8:10936
Change-Id: I7f71af063d366ca2ba9223afeb6c2caa77b02a99
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3090334
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76258}
These are no longer enabled, so remove the code mitigation logic from
the codebase.
BUG=chromium:1003890
Change-Id: I536bb1732e8463281c21da446bbba8f47ede8ebe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3045704
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76256}
Make "emit_s128_set_if_nan" take LiftoffRegisters rather than Registers.
The decoding of the FP register code is architecture dependent, and in
particular we expect an FP pair on arm.
R=clemensb@chromium.org
Bug: v8:11856
Change-Id: I44a364c3ef3a0c41000ea1f6cead4916ee04145d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3089165
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76246}
Move I32x4SConvertF32x4 into shared implementation, and takes care of
both AVX and no-AVX implementation. Instruction selector still requires
dst == src to save a move in codegen.
Bug: v8:11589
Change-Id: Ie982682b3002192ab27700bf73f8c1e66aeba492
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3086732
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76243}
MovFloatToInt and MovIntToFloat have been optimized
on Power8 and above to use VSX instructions instead if
using the memory.
Change-Id: I77af9aa20aa477f8f9e3ec9545445ef777aa0c72
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3087726
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/master@{#76241}
This adds dedicated histograms for measuring the memory consumption and
compilation time for compiling "huge functions". Those are functions
with a body of more than 100kB. They are a *very* small fraction of all
functions (<0.01% according to current data), but their compile time is
often unproportionally large. Since they would just disappear in the
overall histograms, this CL adds dedicated histograms to make the
compile time and memory consumption of those functions more visible.
R=ecmziegler@chromium.org
Bug: chromium:1238828
Change-Id: I30bd07792ef4d9d67ff60c49c9edd0892c5c6e6d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3089166
Reviewed-by: Emanuel Ziegler <ecmziegler@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76239}
TurboFan currently calls into runtime for these two instructions, but
there is a better 4-instruction lowering that Liftoff already uses. Move
this into macro-assembler so we can share this across both compilers. We
name this PopcntHelper because there isn't a Cnt on ARM64 that works on
Word32/Word64.
Bug: v8:12071
Change-Id: I182bf466b76cbad985d8c5b8ddae0f4352f71cd2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3087812
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76236}
This is a reland of 1c0cca0f56. It is
modified now to use V8_HAS_PTHREAD_JIT_WRITE_PROTECT and is rebased on
https://crrev.com/c/3085271 which fixes the definition of that macro.
Original change's description:
> Reland: [wasm] Check correctness of thread-local write protection
>
> The fix landed as a separate CL: https://crrev.com/c/3081522
> This is an unmodified reland.
>
> Original description:
> We make an undocumented assumption in {CodeSpaceWriteScope} that a
> single thread will only work on one module at a time. If this is
> violated, the thread-local {code_space_write_nesting_level_} would
> prevent the second module from being switched to writable.
>
> This CL adds a second thread local (in debug only) to check that if
> there is already a {CodeSpaceWriteScope} open that it contains the same
> {NativeModule} as any nested scope.
>
> R=jkummerow@chromium.org
>
> Bug: v8:11974
> Cq-Include-Trybots: luci.v8.try:v8_linux_gc_stress_dbg_ng
> Cq-Include-Trybots: luci.v8.try:v8_mac64_gc_stress_dbg_ng
> Change-Id: Id827b6ca472f695e4500584349aba159aa07eed1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3080578
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#76177}
Bug: v8:11974
Change-Id: Iffc510e85c8c56f26bfa88115ed3a8bdd33ef422
Cq-Include-Trybots: luci.v8.try:v8_linux_gc_stress_dbg_ng
Cq-Include-Trybots: luci.v8.try:v8_mac64_gc_stress_dbg_ng
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3085269
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76235}
The combination of --wasm-write-protect-code-memory and MAP_JIT was not
handled correctly. We were trying to unnecessarily switch permissions,
and a DCHECK was failing because the writers count was not increased
previously (because the {CodeSpaceWriteScope} uses a separate
implementation if MAP_JIT is available).
This CL fixes the issues by explicitly setting
{WasmCodeAllocator::protect_code_memory_} to false if MAP_JIT is being
used.
R=jkummerow@chromium.org
Bug: v8:12070
Change-Id: Ifb05ba01f8e2e7781d7c29fe80d1144a3d65543b
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3089159
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76233}
Use logical shifts to emulate arithmetic shift, by first adding a bias
to make all signed values unsigned, then subtracting the shifted bias.
Details are in code comments for SharedTurboAssembler::I64x2ShrS.
Also refactor ia32 (which was already using this algorithm) to use the
shared macro-assembler function. And convert Liftoff's implementation as
well.
Bug: v8:12058
Change-Id: Ia1fd5fe5a9a0b7a7f31c426d4112256c8bf7021b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3083291
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76209}
This reverts commit 1c0cca0f56.
Reason for revert: this made tree closed. (https://crbug.com/1238174)
Original change's description:
> Reland: [wasm] Check correctness of thread-local write protection
>
> The fix landed as a separate CL: https://crrev.com/c/3081522
> This is an unmodified reland.
>
> Original description:
> We make an undocumented assumption in {CodeSpaceWriteScope} that a
> single thread will only work on one module at a time. If this is
> violated, the thread-local {code_space_write_nesting_level_} would
> prevent the second module from being switched to writable.
>
> This CL adds a second thread local (in debug only) to check that if
> there is already a {CodeSpaceWriteScope} open that it contains the same
> {NativeModule} as any nested scope.
>
> R=jkummerow@chromium.org
>
> Bug: v8:11974
> Cq-Include-Trybots: luci.v8.try:v8_linux_gc_stress_dbg_ng
> Cq-Include-Trybots: luci.v8.try:v8_mac64_gc_stress_dbg_ng
> Change-Id: Id827b6ca472f695e4500584349aba159aa07eed1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3080578
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#76177}
Bug: v8:11974, 1238174
Change-Id: I74d8723344e4b9015d956ebfe3fda492280356b6
Cq-Include-Trybots: luci.v8.try:v8_linux_gc_stress_dbg_ng
Cq-Include-Trybots: luci.v8.try:v8_mac64_gc_stress_dbg_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3084041
Auto-Submit: Minoru Chikamune <chikamune@google.com>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#76184}
