The CompilationUnitBuilder of the StreamingProcessor is cleared when an
error occurs in the streaming decoder. The clearing of the
CompilationUnitBuilder was guarded by the existence of the
ModuleCompiler, because this ModuleCompiler and the
CompilationUnitBuilder are created together. However, the
CompilationUnitBuilder is reset when the next section after the code
section is processed, whereas the ModuleCompiler exists until the end of
the AsyncCompileJob. With this CL the clearing of the
CompilationUnitBuilder is also guarded by its own existence.
R=clemensh@chromium.org
Bug: chromium:805346
Change-Id: I0e9e9eaff9239fadb21c0f17990da61cbfaa6856
Reviewed-on: https://chromium-review.googlesource.com/883527
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50844}
When reserving stack space by decrementing rsp/esp, we were ignoring
the constant size needed for the stack marker and the wasm context.
Later, we were using that space anyway, which can lead to errors if e.g.
interrupt handlers kick in and use that space below rsp/esp.
R=ahaas@chromium.org
Bug: v8:7366, v8:6600
Change-Id: I2f49ef5785d33e98c29c5cf4fe7624a02e8c7628
Reviewed-on: https://chromium-review.googlesource.com/883881
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50843}
Instead of collecting eagerly compilable inner function literals (IIFEs
etc.) during AST numbering, collect them during bytecode generation,
exposing them on the CompilationJob.
Bug: v8:7178
Change-Id: I47451f412d2796e5857b4bc38c4f29c80cb0745d
Reviewed-on: https://chromium-review.googlesource.com/873872
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50842}
It is analogous to Template::SetLazyDataProperty, but for a single
existing object. Similar to how SetNativeDataProperty exists on both.
Bug: v8:7303
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I634358ee455e28150198bd87a2bd79dc59e3e449
Reviewed-on: https://chromium-review.googlesource.com/867474
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Jeremy Roman <jbroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50841}
In mode STORE_AND_GROW_NO_TRANSITION, the handler for elements stores
used to bail out when seeing a COW array, even if the store that
installed the handler had been operating on the very same array.
This CL adds support for COW arrays to the mode (and renames it to
STORE_AND_GROW_NO_TRANSITION_HANDLE_COW).
Bug: v8:7334
Change-Id: I6a15e8c1ff8d4ad4d5b8fc447745dce5d146c67c
Reviewed-on: https://chromium-review.googlesource.com/876014
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50840}
FixedArrays hanging off recursively of the constant pool without any
real objects in between can be considered as meta data. They are shared
with optimized code (embedder pointers).
Bug: v8:7266
Change-Id: I4006675e17e8eea3bdc8565254d80e2ffece0ad0
Reviewed-on: https://chromium-review.googlesource.com/883361
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50837}
This reverts commit 25ecc45f81.
Reason for revert: Two issues discovered with W^X in V8's 6.5 branch (see v8:7272 and chromium:793428). Still need a way to disable the feature.
Original change's description:
> [heap] Remove --write-protect-code-memory feature flag.
>
> R=hpayer@chromium.org
> BUG=v8:6792
>
> Change-Id: Id3413994de603dac1b7501c6fe376cdac1f9d7ce
> Reviewed-on: https://chromium-review.googlesource.com/866851
> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50759}
TBR=mstarzinger@chromium.org,hpayer@chromium.org,hablich@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:6792
Change-Id: Ie0d4409b36f22c97a6777e512618beafdef8c2f4
Reviewed-on: https://chromium-review.googlesource.com/883502
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50835}
This reverts commit bf19e60cc5.
Reason for revert: Two issues discovered with W^X in V8's 6.5 branch (see v8:7272 and chromium:793428). Still need a way to disable the feature.
Original change's description:
> [platform] Remove {PageAllocator::kReadWriteExecute}.
>
> Now that write-protection of code memory is enabled everywhere and V8 is
> fully W^X compliant, we can remove the permission mode in question.
>
> R=hpayer@chromium.org
> BUG=v8:6792
>
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Change-Id: I80fe95ac6bb0e2d1ad6d993154ce45d492d941be
> Reviewed-on: https://chromium-review.googlesource.com/866855
> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50770}
TBR=bbudge@chromium.org,mstarzinger@chromium.org,hpayer@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:6792
Change-Id: If4a205497ac83084a4092560363affb13b391462
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/883461
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50834}
Add effect input and output to String.p.char[Code]At/codePointAt.
This is necessary to fix an hard to reproduce bug, a repro for
which is included. However, the only way to get the repro
included in this CL to fail is to run it with the patch of
873382:
[turbofan] Speculate on bounds checks for String#char[Code]At
but WITHOUT this patch. This fixes a scheduling problem triggered
by 873382 that caused a bounds check to get scheduled after the
associated access.
Bug: v8:7326
Change-Id: I4b97c1726caac92ff8f74c23df2788f0ecfb1304
Reviewed-on: https://chromium-review.googlesource.com/881781
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50832}
- Remove TypedArray.prototype.subarray in js/typedarray.js
- Implement TypedArray.prototype.subarray as a CSA
- Implement TypedArraySpeciesCreateByArrayBuffer as a CSA
- Move a helper function for relative index from builtins-string-gec.cc
to code-stub-assembler.cc
- Move SpeciesConstructor from builtins-promise-gen.cc to
code-stub-assembler.cc
Bug: v8:7161, v8:5929
Change-Id: If3340476e16aa21659540eb4b24e3ead54e6a313
Reviewed-on: https://chromium-review.googlesource.com/830992
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50831}
Instead of building suspend_ids in the AST numbering, collect suspend
counts in the parser and assigning suspend ids during bytecode
generation.
Bug: v8:7178
Change-Id: I53421442afddc894db789fb9d0d3e3cc10e32ff0
Reviewed-on: https://chromium-review.googlesource.com/817598
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50830}
This reverts commit fffa4555d0.
Reason for revert:
https://build.chromium.org/p/client.v8/builders/V8%20Win32%20ASAN/builds/1905
Original change's description:
> [build] Prepare switching win asan to 64 bits
>
> This switches the current win32 bots to win32 under the hood in MB. We'll
> remove them and replace them with win64 bots in a follow up on the infra
> side.
>
> This also infers the clang option from asan, because on windows we need
> to set clang explicitly.
>
> TBR=sergiyb@chromium.org
>
> Bug: chromium:786303
> Change-Id: I9dddd5050a21a364c302a761ff15ddd21e97c7dc
> Reviewed-on: https://chromium-review.googlesource.com/883103
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50828}
TBR=machenbach@chromium.org,sergiyb@chromium.org
Change-Id: I2e17aa6ddf44a03d9da29e8b7f7dd2c9f6fe4cb9
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:786303
Reviewed-on: https://chromium-review.googlesource.com/883501
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50829}
This switches the current win32 bots to win32 under the hood in MB. We'll
remove them and replace them with win64 bots in a follow up on the infra
side.
This also infers the clang option from asan, because on windows we need
to set clang explicitly.
TBR=sergiyb@chromium.org
Bug: chromium:786303
Change-Id: I9dddd5050a21a364c302a761ff15ddd21e97c7dc
Reviewed-on: https://chromium-review.googlesource.com/883103
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50828}
This will affect all manual test runs with x64. Most bots on x64 already
migrated.
TBR=sergiyb@chromium.org
NOTRY=true
Bug: v8:7343
Change-Id: I87f46f1848a813c0b320b3e9901481b9232025a5
Reviewed-on: https://chromium-review.googlesource.com/883101
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50825}
A while ago we introduced MutableBigInt in order to enforce this check.
R=jkummerow@chromium.org
Bug: v8:6791
Change-Id: I700ff0b1df854d4f6b8beff6f6c984e11cd07e40
Reviewed-on: https://chromium-review.googlesource.com/881174
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50823}
The chromium callers were updated in https://crrev.com/c/868287,
while the pdfium callers were updated in
https://pdfium-review.googlesource.com/c/pdfium/+/23058.
As a precaution to avoid a repeat of https://crbug.com/803330,
I've manually built pdfium, along with the additional gn flag
"pdf_enable_xfa = true".
Bug: v8:7269, v8:7282
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I5b8cfb629c2b78627447c940a133d75d7ef7c6e9
Reviewed-on: https://chromium-review.googlesource.com/875252
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50821}
The calls in Chromium were removed in https://crrev.com/c/865535.
Bug: v8:7269, v8:7276
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Iae9fadead1167363893b258ba2a21710a1e080a8
Reviewed-on: https://chromium-review.googlesource.com/869146
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50820}
Before we can set the length of the created array in CSA, first check
that it's possible and will do what we want. I.e. check
a) that the length is writable
b) the backing store is not copy-on-write and
c) the old length is not greater than the new length (as otherwise later
insertion past the end could restore values from the original
constructor).
If not then fall back on Runtime::kSetProperty.
Bug: chromium:804177
Change-Id: Id0e452f9d160704bbd71e87a075ba4e3983729a7
Reviewed-on: https://chromium-review.googlesource.com/880922
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50818}
Do a step before selecting the limit for the next step. However, as seen
on crbug.com/795323, while this fix makes us more precise in our
accounting, we do ending up seeing steps more frequently. This ends up
invoking the idle scavenger more frequently. To compensate, we adjust
the idle scavenger step size.
Bug:
Change-Id: I7bc2b1785a564dee27aa3ce6a5a196efe9eb6283
Reviewed-on: https://chromium-review.googlesource.com/838440
Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50816}
When finding the initial element in A.p.reduce[Right], we did
exclude holes, but did not reflect this is the type, which still
included the hole. This CL inserts a TypeGuard to ensure that
Turbofan knows the initial element is never the hole.
Bug: chromium:804837
Change-Id: Ia118ddafb8e16dd5c02559fa23216c9b139dd59a
Reviewed-on: https://chromium-review.googlesource.com/880967
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50814}
This delays removing dead loop's loop exits after we iterate all uses of
the loop. That way, we avoid mutating the use collection while iterating
it.
Bug: chromium:803022
Change-Id: I17462dd82c3cb78f2f630e5db81d8ccdcc517d83
Reviewed-on: https://chromium-review.googlesource.com/878329
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50813}
This adds a tri-state flag --infra-staging and --no-infra-staging, which
can be used to explicitly opt in or out of the staging test runner.
If not specified, a new architecture whitelist will enable roll-out per
arch for manual (none CI) runs.
We'll start whitelisting archs in follow ups.
Bug: v8:7343
Change-Id: I1228e48969fd379f5c231a2b8fad4afc01da94c0
Reviewed-on: https://chromium-review.googlesource.com/881169
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50812}
Introduce option to run fuzzer processor without analysis phase.
It will be used in fuzzing combined tests.
Bug: v8:6917
Change-Id: Ic96d6b8c5a35c81da80340555bdd75c0d518cb5a
Reviewed-on: https://chromium-review.googlesource.com/880948
Commit-Queue: Michał Majewski <majeski@google.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50810}
This CL moves allocations in array-multiple-receiver-maps.js
to prevent gc fuzzing from cleaning out code objects, which
will mess with assertOptimized in the test.
Bug: v8:7338
Change-Id: I9ee88cf5518307ff12302df2fdaca5258c23b779
Reviewed-on: https://chromium-review.googlesource.com/880957
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50809}
As per TODO, this is its rightful place, which gets the module-compiler
out of the business of doing finalization.
R=mstarzinger@chromium.org,clemensh@chromium.org
Bug: v8:7316
Change-Id: Ie419a1e348f14f2613f62fed7083e19365cd9347
Reviewed-on: https://chromium-review.googlesource.com/880950
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50805}
Currently, yields and awaits inside loops compile to bytecode which
switches to the top of the loop header, and switch again once inside the
loop. This is to make loops reducible.
This replaces this switching logic with a single switch bytecode that
directly jumps to the bytecode being resumed. Among other things, this
allows us to no longer maintain the generator state after the switch at
the top of the function, and avoid having to track loop suspend counts.
TurboFan still needs to have reducible loops, so we now insert loop
header switches during bytecode graph building, for suspends that are
discovered to be inside loops during bytecode analysis. We do, however,
do some environment magic across loop headers since we know that we will
continue switching if and only if we reached that loop header via a
generator resume. This allows us to generate fewer phis and tighten
liveness.
Change-Id: Id2720ce1d6955be9a48178322cc209b3a4b8d385
Reviewed-on: https://chromium-review.googlesource.com/866734
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50804}
Anonymous functions have no index, thus we cannot get their source
position table.
Technically, we are not even allowed to call {index()} on anonymous
functions, as this will DCHECK that {index_} contains a value.
R=mstarzinger@chromium.org
Change-Id: I9a8b07cf836671e080cc1784c1712ecd88778972
Reviewed-on: https://chromium-review.googlesource.com/880921
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50802}
It must be monotone.
R=bmeurer@chromium.org
Bug: v8:7354
Change-Id: I08dcd3333518029eef08c074c2b91b5c20ad699e
Reviewed-on: https://chromium-review.googlesource.com/880982
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50801}
Reduce the code duplication overhead in the InternalPerformPromiseThen
helper, which saves quite a bit of space and makes code more concise and
readable.
Bug: v8:7253, v8:7310
Change-Id: I64d11661d7258ced32df564d2e83c5ea45955415
Reviewed-on: https://chromium-review.googlesource.com/880722
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50800}
This fixes a corner-case where deserialization of a module containing
multiple exported functions of the same signature forgot to properly
unprotect the code-space. Test coverage has been added.
R=clemensh@chromium.org
TEST=mjsunit/wasm/compiled-module-serialization
BUG=chromium:804767
Change-Id: I0082303db19bcc14c4de30f29d604665e281d79d
Reviewed-on: https://chromium-review.googlesource.com/880844
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50799}
As part of the effort to despecialize WASM code, convert many uses of
WasmInstanceObject which were simply indirecting through to either
the compiled module or the shared module data with helpers on
the respective Frame objects.
R=mstarzinger@chromium.org
Bug:
Change-Id: I05bd1a18b1d81cceef8a80d9f6988e4f5d537e66
Reviewed-on: https://chromium-review.googlesource.com/876125
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50798}
When spilling a value to the stack, make sure to fill it as the same
type later. Otherwise, we might load garbage from the stack and violate
the assumption that the upper 32 bits of a 64 bit register are zero if
it currently holds a 32 bit value.
R=titzer@chromium.org
Bug: v8:7353, v8:6600
Change-Id: I7f2b1b31b7f3c13aa152c682cb59400fb5a3ebf0
Reviewed-on: https://chromium-review.googlesource.com/880682
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50797}
Now that SuspendGenerator returns, we have to update the interrupt
budget during that return to ensure that generators can be optimized.
Bug: chromium:804796
Change-Id: I8a9fa1c2399da81a3c2a7d8a07a774d5648d1c5e
Reviewed-on: https://chromium-review.googlesource.com/880821
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50796}
