This will enable proper reporting of OOM errors during snapshot
deserialization, for example https://crbug.com/614440#c27.
Bug: chromium:614440
Change-Id: I226fb763d2630d0b21f7552070ed1a4cc222f69b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3445203
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Kevin Babbitt <kbabbitt@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#79055}
Changes:
- GenerateInitExpr should emit a function reference to a function that
is known to exist when funcref is expected.
- Add functions by signature index to the WasmModuleBuilder, so we avoid
signature canonicalization, which currently does not work for wasm-gc.
- Remove printing of recursive groups in the WasmModuleBuilder. Instead,
restrict type definitions to only refer to previous types.
- Some local restructuring of code, comments.
Bug: chromium:1296162
Change-Id: I5abd9bf8ec21ef6a51f00bc960b78519f2ec94f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3452433
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79054}
This changes the way we handle instrumentation breakpoints.
Motivation:
With instrumentation breakpoints, we need a way to break
on (conditional) breakpoints that were just set by the client on
the instrumentation pause.
How:
We want to first find out if we have an instrumentation break, and
trigger a pause. For this to work, we need to distinguish between
regular and instrumentation breakpoints in the debugger back-end.
On resume, we want to check if we have hit any breakpoints (may
now contain new breakpoints due to the client setting new breakpoints
at the previous instrumentation pause) and trigger a separate pause
for them.
Fixed: chromium:1292930
Change-Id: Idaadd276c44c693f856c4b08c7a72ea67271f420
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3442676
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79053}
This reverts commit c927ada76c.
Reason for revert: GC stress failures: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/37276/overview
Original change's description:
> [runtime] Refactor TransitionsAccessor
>
> Problems:
> - The class uses a bare Map field, but some methods can trigger GC
> causing it to have a potential dangling pointer in case of map
> compaction.
> - Some methods invalidate the object state and should not be used again.
> - Complicated logic with no_gc and GC-aware constructors. Some
> methods can only be called if the object is constructed with a
> particular constructor (e.g., Insert and PutPrototypeTransition).
>
> Note: Most usages of this class are done by constructing an object and
> calling a single method:
> `TransitionAccessor(...).Method(...)`
> So we can easily change them to a static method.
>
> This CL:
> 1. Adds DISALLOW_GARBAGE_COLLECTION to the class.
> 2. Makes methods that can trigger GC static.
> 3. Creates static helper functions that wrap the class in a different
> scope, since TransitionsAccessor now forces the scope to disallow gc.
> 4. Removes now unnecessary "Reload" logic.
>
> Bug: chromium:1295133, v8:12578
> Change-Id: I85484e7235fbd5e69894e26f5e1c491c6f69635e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450416
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Victor Gomes <victorgomes@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79051}
Bug: chromium:1295133, v8:12578
Change-Id: Ia567cdcae73bc7fdfaf08b62eeeb899d6a933e21
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3456682
Auto-Submit: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79052}
Problems:
- The class uses a bare Map field, but some methods can trigger GC
causing it to have a potential dangling pointer in case of map
compaction.
- Some methods invalidate the object state and should not be used again.
- Complicated logic with no_gc and GC-aware constructors. Some
methods can only be called if the object is constructed with a
particular constructor (e.g., Insert and PutPrototypeTransition).
Note: Most usages of this class are done by constructing an object and
calling a single method:
`TransitionAccessor(...).Method(...)`
So we can easily change them to a static method.
This CL:
1. Adds DISALLOW_GARBAGE_COLLECTION to the class.
2. Makes methods that can trigger GC static.
3. Creates static helper functions that wrap the class in a different
scope, since TransitionsAccessor now forces the scope to disallow gc.
4. Removes now unnecessary "Reload" logic.
Bug: chromium:1295133, v8:12578
Change-Id: I85484e7235fbd5e69894e26f5e1c491c6f69635e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450416
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79051}
Bytecode liveness needs a mapping from offset to liveness. This was
previously a hashmap with a very weak hash (the identity function), and
both inserts and lookups showed up as non-trivial costs during
compilation.
Now, replace the hashmap with a simple flat array of liveness, indexed
by offset, pre-sized to the size of the bytecode. This will have a lot
of empty entries, but will have much better runtime performance and
probably ends up not much less memory efficient than a hashmap if the
hashmap has to resize inside the Zone, and is likely negligible compared
to the other compilation memory overheads.
Change-Id: Id21375bfcbf0d53b5ed9c41f30cdf7fde66ee699
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3455802
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79049}
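The data-structure choice in the commit above, shown on a toy bytecode as an added example (this is not V8 code and not the commit's diff): a backward liveness analysis whose result is a flat vector indexed by bytecode offset and pre-sized to the bytecode length, with empty slots at non-instruction offsets and a plain array index as the lookup. The opcodes, their byte encodings, the 8-register machine and the sample program are assumptions made for the illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Added example, not V8 code. A toy register bytecode and a backward liveness
// analysis whose result is a flat vector indexed by bytecode offset, pre-sized
// to the bytecode length, instead of an offset-keyed hashmap. The opcodes,
// their byte encodings and the 8-register machine are assumptions.
enum Op : uint8_t {
  kLdaImm = 0,      // LdaImm r, imm         (3 bytes)  def r
  kAdd = 1,         // Add ra, rb, rd        (4 bytes)  use ra, rb; def rd
  kJumpIfZero = 2,  // JumpIfZero r, target  (3 bytes)  use r; succ next, target
  kJump = 3,        // Jump target           (2 bytes)  succ target
  kReturn = 4,      // Return r              (2 bytes)  use r; no successors
};

using RegSet = uint8_t;  // bit i set <=> register ri is live

struct Liveness {
  // One slot per bytecode byte. Only instruction-start offsets carry data; the
  // slots in between stay empty, which is the trade-off the commit accepts.
  std::vector<RegSet> live_in;
  std::vector<bool> is_instruction_start;
};

static size_t InstructionLength(uint8_t opcode) {
  switch (opcode) {
    case kLdaImm: case kJumpIfZero: return 3;
    case kAdd: return 4;
    case kJump: case kReturn: return 2;
    default: throw std::invalid_argument("unknown opcode");
  }
}

static RegSet Bit(uint8_t reg) {
  if (reg > 7) throw std::out_of_range("register index");
  return static_cast<RegSet>(1u << reg);
}

Liveness ComputeLiveness(const std::vector<uint8_t>& code) {
  Liveness lv;
  lv.live_in.assign(code.size(), 0);
  lv.is_instruction_start.assign(code.size(), false);

  // Pass 1: instruction boundaries; reject a truncated trailing instruction.
  std::vector<size_t> starts;
  for (size_t off = 0; off < code.size();) {
    size_t len = InstructionLength(code[off]);
    if (off + len > code.size()) throw std::out_of_range("truncated instruction");
    starts.push_back(off);
    lv.is_instruction_start[off] = true;
    off += len;
  }
  // Pass 2: every jump target must be an instruction start inside the table, so
  // the dataflow loop can never index outside the flat array.
  for (size_t off : starts) {
    uint8_t op = code[off];
    if (op != kJumpIfZero && op != kJump) continue;
    size_t target = code[off + (op == kJump ? 1 : 2)];
    if (target >= code.size() || !lv.is_instruction_start[target])
      throw std::out_of_range("jump target is not an instruction start");
  }
  // Falling through past the end of the bytecode has an empty live-in set.
  auto at = [&](size_t off) -> RegSet { return off < code.size() ? lv.live_in[off] : 0; };

  // Pass 3: backward dataflow to a fixpoint.
  //   live_out = union of live_in over successors;  live_in = use | (live_out & ~def)
  bool changed = true;
  while (changed) {
    changed = false;
    for (size_t i = starts.size(); i-- > 0;) {
      size_t off = starts[i];
      RegSet use = 0, def = 0, out = 0;
      switch (code[off]) {
        case kLdaImm:     def = Bit(code[off + 1]); out = at(off + 3); break;
        case kAdd:        use = Bit(code[off + 1]) | Bit(code[off + 2]);
                          def = Bit(code[off + 3]); out = at(off + 4); break;
        case kJumpIfZero: use = Bit(code[off + 1]);
                          out = at(off + 3) | at(code[off + 2]); break;
        case kJump:       out = at(code[off + 1]); break;
        case kReturn:     use = Bit(code[off + 1]); break;
      }
      RegSet in = static_cast<RegSet>(use | (out & static_cast<RegSet>(~def)));
      if (in != lv.live_in[off]) { lv.live_in[off] = in; changed = true; }
    }
  }
  return lv;
}

// Lookup is a plain array index: no hashing and no probing on the hot path.
RegSet LiveInAt(const Liveness& lv, size_t offset) {
  if (offset >= lv.live_in.size() || !lv.is_instruction_start[offset]) return 0;
  return lv.live_in[offset];
}

// Constructed sample: a counting loop whose exit returns r0.
const std::vector<uint8_t> kSample = {
    kLdaImm, 0, 0,       //  0: r0 = 0
    kLdaImm, 1, 1,       //  3: r1 = 1
    kAdd, 0, 1, 0,       //  6: r0 = r0 + r1
    kJumpIfZero, 0, 15,  // 10: if (r0 == 0) goto 15
    kJump, 6,            // 13: goto 6
    kReturn, 0,          // 15: return r0
};

Liveness AnalyzeSample() { return ComputeLiveness(kSample); }
```

The two validation passes are what make the flat table safe to index without bounds checks in the hot loop: a malformed program (truncated instruction, jump into the middle of an instruction or past the end) is rejected up front rather than producing an out-of-range read. For the sample, the loop body at offset 6 and the back edge at 13 end up with r0 and r1 live, the exit at 15 with only r0, and offset 0 with nothing live.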
- Both paths are now inlined.
- Outline large object allocation, shrinking trampoline a bit.
- Support a fast path for AllocationType::kOld from AllocateRawWith().
Bug: v8:12615, chromium:1293284
Change-Id: I8f0b9aabc6fe47e1eee159c214403ccffea5eeab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3456082
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79048}
The flag has been turned on for a long time and we do not intend to
support a mode without young LO objects.
A side effect is that it removes a branch in AllocateRaw for the young
generation.
Drive-by: Reinstantiate the LO space verifier checking that only
certain types can appear as large objects.
Bug: v8:12615
Change-Id: I8c33019a04670f20459ea2faa9dc2f98b8cda40b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450420
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79044}
This CL fixes a bug in the tracing of full GC cycles that was introduced
by https://crrev.com/3432211. In doing so, it refactors the tracing of
cycles by introducing an explicit state in GC tracing events, which
follows the phase within the GC cycle as perceived by the tracer. Two
new methods, (Start|Stop)AtomicPause are introduced; together with
(Start|Stop)Cycle they mark the state transitions. The existing methods
(Start|Stop)ObservablePause are now disentangled from cycles and state
transitions.
Bug: v8:12503
Bug: chromium:1154636
Change-Id: Ie4b863bc27f81dd6858103a8988874d89e6e8517
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3440663
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79043}
Now that the map space gets compacted as well, we want to sort pages
for that space when starting sweeping as well.
Bug: v8:12578
Change-Id: I8f25fb05f311d70697d2f7154bd428b4c3e56c13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3455142
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79042}
Scavenger can promote objects into the shared heap. Since the scavenger
might also run while incremental marking is on, the promoted object
could already be stored in the marking worklist. When updating the
worklist after the scavenger, we need to remove entries with objects
promoted into the shared heap.
Bug: v8:11708, v8:12582
Change-Id: I4ccad74d23de7921e02adcdb04d2b4e46d9b3a4d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3452115
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79040}
ExternalStrings in the shared heap currently conflict with the sandbox
project. We would need concurrent allocation in the external
pointer table but also require different accessors for them.
Since the shared string table doesn't really need ExternalStrings in
the shared heap for now, simply keep ExternalStrings in the client
heaps.
Bug: v8:11708, v8:12617
Change-Id: I272e40eaec4b7f368ce44f42f7f69bf27d53f9c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3451717
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79039}
The previous CLs stealth-fixed an issue where we wouldn't receive
MoveEvents even if FLAG_fuzzer_gc_analysis was true.
The fix uncovered a data race which is fixed here.
Bug: v8:12615
Change-Id: I646dc31918d6ebe717716290375e12eac562b4b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3452030
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79038}
With external code space and background compilation, external pointer
table entries are now allocated on background threads. For this to work
properly, the implementation must be atomic.
As atomic operations are not currently available in CSA, the fast path
in CSA::InitializeExternalPointerField has been removed for now.
Bug: v8:10391
Change-Id: I1119a9b5f97bc8d5f48de6872b62b9ddf001e9ce
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448381
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79037}
The build flag is on by default and the actual functionality is guarded
by a runtime flag.
Bug: v8:12612
Change-Id: I6adbd5b766f502400af32eeeb035edca3a3606ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448383
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79036}
Avoid killing the whole mutable state in the following two cases:
- When we encounter a mutable object store operation, we can only kill
the respective object/field pair in the mutable state.
- When we encounter an immutable initialization operation, we do not
have to modify the state. A DCHECK ensures we do not initialize the
same field twice.
Drive-by: Avoid zone-allocating data structures for frame-local
variables.
Bug: v8:11510
Change-Id: I1c655f619cf620923256f460b30dc7371de571de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3452022
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79035}
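The two kill rules in the commit above, as an added example on a toy straight-line IR (this is not V8's wasm-gc load elimination and not the commit's diff): a mutable store invalidates only the stored (object, field) pair, an immutable initialization leaves the state untouched and is checked for a double initialization, and a call with unknown effects drops all mutable knowledge. The op encoding, the sample sequence and the assumption that distinct object ids never alias are mine; a real pass would consult alias information before narrowing the kill this way.

```cpp
#include <map>
#include <stdexcept>
#include <utility>
#include <vector>

// Added example, not V8 code: a toy forward load-elimination pass over a
// straight-line op sequence. It contrasts the two kill policies the commit
// message describes: killing the whole mutable state on every store versus
// killing only the stored (object, field) pair. Assumptions for the toy:
// object ids denote distinct allocations (no aliasing between different ids),
// a Call has unknown effects and kills all mutable knowledge, and immutable
// fields are written exactly once by InitImmutable.
enum class Kind { Load, Store, InitImmutable, Call };

struct Op {
  Kind kind;
  int obj = -1;    // object id (Load/Store/InitImmutable)
  int field = -1;  // field index
  int value = -1;  // value id stored (Store/InitImmutable)
};

using Key = std::pair<int, int>;  // (object id, field index)

// Returns, for each Load in program order, the value id the load can be
// replaced with, or -1 when the load has to stay.
std::vector<int> RunLoadElimination(const std::vector<Op>& ops, bool narrow_kill) {
  std::map<Key, int> mutable_state;    // last known value of mutable fields
  std::map<Key, int> immutable_state;  // values of immutable fields
  std::vector<int> load_results;

  for (const Op& op : ops) {
    Key key{op.obj, op.field};
    switch (op.kind) {
      case Kind::Load: {
        auto im = immutable_state.find(key);
        if (im != immutable_state.end()) { load_results.push_back(im->second); break; }
        auto mu = mutable_state.find(key);
        load_results.push_back(mu != mutable_state.end() ? mu->second : -1);
        break;
      }
      case Kind::Store:
        if (narrow_kill) {
          mutable_state.erase(key);  // only this object/field pair can change
        } else {
          mutable_state.clear();     // the conservative policy: forget everything
        }
        mutable_state[key] = op.value;
        break;
      case Kind::InitImmutable:
        // Stands in for the DCHECK in the commit: a field is initialized once,
        // so existing state never needs invalidating.
        if (!immutable_state.emplace(key, op.value).second)
          throw std::logic_error("immutable field initialized twice");
        break;
      case Kind::Call:
        mutable_state.clear();  // unknown callee: any mutable field may change
        break;
    }
  }
  return load_results;
}

// Constructed sample sequence exercising each rule.
const std::vector<Op> kSample = {
    {Kind::InitImmutable, 0, 0, 1},  // obj0.f0 := v1 (immutable)
    {Kind::Store, 0, 1, 2},          // obj0.f1 = v2
    {Kind::Store, 1, 1, 3},          // obj1.f1 = v3
    {Kind::Load, 0, 1},              // obj0.f1 -> v2 under the narrow kill
    {Kind::Store, 1, 1, 4},          // obj1.f1 = v4: kills only (obj1, f1)
    {Kind::Load, 0, 1},              // obj0.f1 -> still v2 under the narrow kill
    {Kind::Load, 1, 1},              // obj1.f1 -> v4
    {Kind::Call},                    // unknown effects
    {Kind::Load, 0, 1},              // obj0.f1 -> unknown after the call
    {Kind::Load, 0, 0},              // obj0.f0 -> v1: immutable survives the call
};

std::vector<int> NarrowKillResults() { return RunLoadElimination(kSample, true); }
std::vector<int> WholeStateKillResults() { return RunLoadElimination(kSample, false); }

// The double-initialization check fires on a second InitImmutable of one pair.
bool DoubleInitIsRejected() {
  std::vector<Op> ops = {{Kind::InitImmutable, 0, 0, 1}, {Kind::InitImmutable, 0, 0, 5}};
  try {
    RunLoadElimination(ops, true);
  } catch (const std::logic_error&) {
    return true;
  }
  return false;
}
```

With the narrow kill, the loads from obj0.f1 are both folded to v2 even though obj1.f1 is stored in between; with whole-state kill, every store discards what is known about the other object and both of those loads have to stay. The soundness of the narrow kill rests entirely on the non-aliasing assumption, which is why the toy rejects nothing else: if two ids could name the same allocation, the second load would be folded to a stale value.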
Handle the case of nested super() by checking if the class scope
contains a private brand. In this case the ContextScope chain
is different from the actual context chain, so this adds back
the AddPrivateBrand() runtime function, with the additional
step of walking the context chain to get the correct class
context that will be stored as the value of the brand property
for the debugger.
Bug: v8:12354
Change-Id: Ieeb9b9d6372bfbb1a39c4c2dc9e9848e9109f02a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3275137
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#79032}
NaN detection is implemented on arm and arm64, so we can enable fuzzing
with Liftoff as the reference implementation on these architectures.
R=manoskouk@chromium.org
Bug: v8:11856, v8:11954
Change-Id: If80c2f16f52af59705d914396cfe029cb85e7293
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3451718
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79031}
This CL
1) adds relaxed versions of the CodeDataContainer::code_cage_base accessors
and uses them from the relaxed CodeDataContainer::code accessors,
2) uses the relaxed version of FromCodeT() in JSFunctionRef::code().
Bug: v8:11880, chromium:1293642
Change-Id: Idc9ba59a97a44a0963197cad50b5e5b440f9629e
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450423
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79030}
We need to create the CodePageCollectionMemoryModificationScope *after*
setting up the LocalIsolate. Otherwise the destructor of that scope will
run after that thread detached from the isolate, when it isn't part of
the next GC safepoint anymore. This allows two concurrent operations
on the page flags:
1) The destructor of CodePageCollectionMemoryModificationScope protects
the page again and accesses page flags in a DCHECK.
2) The GC unprotects the code pages for the collection and sets
the evacuation candidate flag.
Bug: chromium:1295738
Change-Id: I6de626bb075f43e26d74dba18e28fe34331fdfd2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3451714
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79025}
This is a reland of 4b8f1b1cff
After landing https://crrev.com/c/3447371, we can reland this CL as-is
correctness-wise.
What's new in this CL is that we now treat references from client
objects into the shared heap as roots for the --track-retaining-path
feature.
Original change's description:
> Reland "[heap] Support client-to-shared refs in Code objects"
>
> This is a reland of 12e46091a0
>
> Original change's description:
> > [heap] Support client-to-shared refs in Code objects
> >
> > Support references from code objects in the client heaps to shared heap objects. Such references are stored in a remembered set during marking, which is later used for updating pointers.
> >
> > Bug: v8:11708
> > Change-Id: I8aeb508ddd14514ca65fa5acf3030dd8c2040168
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3401588
> > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> > Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> > Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#78819}
>
> Bug: v8:11708
> Change-Id: I47bcf44b452fcffe8675fba03244b736ede14247
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3422630
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#78838}
Bug: v8:11708
Change-Id: I5b48e942fa469eabb40e797e221d06c25af16443
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3425358
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79023}
--shared-string-table assumes that all old strings are in the shared
heap. However, when also using --expose-gc we create an external string
for the GC function name. So far external strings are always allocated
in the local old space though, which results in a heap verification
error. This CL creates the external string in the shared old heap with
--shared-string-table enabled.
In order to pass all the tests this CL also has to:
* Stop marking into the shared heap for VisitEmbeddedPointer and
VisitCodePointer.
* Relax DCHECK in String::GetFlatContent: We cannot check the thread
id for any shared string. Even if that string isn't really shared atm.
Bug: v8:11708
Change-Id: I51fec5ba038d035be5fe5e1277ef9286efc8dc2a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3447371
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79022}
StoreArgsInStackSlot sometimes does an unaligned store.
Related to commit 18469ec4bf.
In MemoryFill, size is an 8-byte integer, but it is stored into
4-byte-aligned memory.
Bug: v8:10949, chromium:1281995
Change-Id: I9f18a0168432cdd6d27eacc98b980fa5b6d57d79
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3447932
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Yu Liu <liuyu@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#79019}
When the debugger is active and a Promise begins executing,
Isolate::PushPromise adds a global handle for that Promise. If the
debugger is no longer attached when the Promise finishes executing, then
there is no corresponding call to PopPromise which would clean up the
global handle. To avoid leaking memory in that case, we should clean up
the Promise stack when detaching the debugger.
Bug: v8:12613
Change-Id: I47a2c37713b43b482e23e2457e96fba5f52623f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448949
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#79017}
As a temporary solution to reenable wasm-gc fuzzing, we modify
{WasmModuleBuilder} to optionally wrap all types in a recursive group.
Bug: v8:7748
Change-Id: Ib0f8ab17c48ecbe04b51da2b1d01502be77ad35a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450414
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79015}
Move on-allocation and on-move events to a designated tracker that is
only installed when running with debugging flags. This eliminates a
bunch of flag checks as they are all moved behind the allocation
trackers.
Bug: v8:12615
Change-Id: Ied6819991511328351825e2341375c36ae34916b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450419
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79014}
This is required when allocating external pointer table entries from
background threads through the LocalFactory interface.
Bug: v8:10391
Change-Id: Ice5eee1000e1c7341bd0e58782cbb175080a5a74
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448376
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79010}
We need to properly handle the case of uninitialized embedder data slots
which contain the "undefined" value and thus might look like valid
external pointer table indices.
Bug: v8:10391
Change-Id: I169a3e42132dde223ea151c1a5d5956c72341f8d
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448378
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79009}
Another encoding fix and test coverage for it.
No-Try: true
Bug: chromium:1292013
Change-Id: Id54f505848f93b4869710156fa77ad2e258c5dd6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3447905
Reviewed-by: Liviu Rau <liviurau@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79007}
When iterating slots for promoted objects we now also need to visit
the map word slot since maps might get compacted. If we do not do this,
we risk losing the already recorded slot for the map word in case that
object already got marked.
Bug: v8:12578, chromium:1295239
Change-Id: I34fbf7ae4b9e36eae8e7e3df354b5fd19adcb08f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448373
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79006}