Commit Graph

73647 Commits

Author SHA1 Message Date
Kevin Babbitt
e08f7ae558 Allow setting fatal error callbacks during Isolate initialization
This will enable proper reporting of OOM errors during snapshot
deserialization, for example https://crbug.com/614440#c27.

Bug: chromium:614440
Change-Id: I226fb763d2630d0b21f7552070ed1a4cc222f69b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3445203
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Kevin Babbitt <kbabbitt@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#79055}
2022-02-11 17:54:03 +00:00
Manos Koukoutos
318719a14d [wasm][fuzzer] Restructure and fix bugs in wasm-compile
Changes:
- GenerateInitExpr should emit a function reference to a function that
  is known to exist when funcref is expected.
- Add functions by signature index to the WasmModuleBuilder, so we avoid
  signature canonicalization, which currently does not work for wasm-gc.
- Remove printing of recursive groups in the WasmModuleBuilder. Instead,
  restrict type definitions to only refer to previous types.
- Some local restructuring of code, comments.

Bug: chromium:1296162
Change-Id: I5abd9bf8ec21ef6a51f00bc960b78519f2ec94f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3452433
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79054}
2022-02-11 17:03:03 +00:00
Kim-Anh Tran
b88c5a8d4f [debug] Handle instrumentation breakpoints separate from regular breaks
This changes the way how we are handling instrumentation breakpoints.

Motivation:
with instrumentation breakpoints, we need a way to break
on (conditional) breakpoints that were just set by the client on
the instrumentation pause.

How:
We want to first find out if we have an instrumentation break, and
trigger a pause. For this to work, we need to distinguish between
regular and instrumentation breakpoints in the debugger back-end.

On resume, we want to check if we have hit any breakpoints (may
now contain new breakpoints due to the client setting new breakpoints
at the previous instrumentation pause) and trigger a separate pause
for them.

Fixed: chromium:1292930
Change-Id: Idaadd276c44c693f856c4b08c7a72ea67271f420
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3442676
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79053}
2022-02-11 16:46:13 +00:00
Deepti Gandluri
7c60201194 Revert "[runtime] Refactor TransitionsAccessor"
This reverts commit c927ada76c.

Reason for revert: GC stress failures: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/37276/overview

Original change's description:
> [runtime] Refactor TransitionsAccessor
>
> Problems:
> - The class uses a bare Map field, but some methods can trigger GC
> causing it to have a potential dangling pointer in case of map
> compaction.
> - Some methods invalidate the object state and should not be used again.
> - Complicate logic with a no_gc and a gc aware constructors. Some
> methods can only be called if the object is constructed with a
> particular constructor (e.g, Insert and PutPrototypeTransition).
>
> Note: Most usages of this class is done by constructing an object and
> calling a single method:
> `TransitionAccessor(...).Method(...)`
> So we can easily change them to a static method.
>
> This CL:
> 1. Adds DISALLOW_GARBAGE_COLLECTION to the class.
> 2. Makes methods that can trigger GC static.
> 3. Creates static helper functions that wrap the class in a different
> scope, since TransitionsAccessor now forces the scope to disallow gc.
> 4. Removes now unnecessary "Reload" logic.
>
> Bug: chromium:1295133, v8:12578
> Change-Id: I85484e7235fbd5e69894e26f5e1c491c6f69635e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450416
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Victor Gomes <victorgomes@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79051}

Bug: chromium:1295133, v8:12578
Change-Id: Ia567cdcae73bc7fdfaf08b62eeeb899d6a933e21
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3456682
Auto-Submit: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79052}
2022-02-11 16:42:13 +00:00
Victor Gomes
c927ada76c [runtime] Refactor TransitionsAccessor
Problems:
- The class uses a bare Map field, but some methods can trigger GC
causing it to have a potential dangling pointer in case of map
compaction.
- Some methods invalidate the object state and should not be used again.
- Complicate logic with a no_gc and a gc aware constructors. Some
methods can only be called if the object is constructed with a
particular constructor (e.g, Insert and PutPrototypeTransition).

Note: Most usages of this class is done by constructing an object and
calling a single method:
`TransitionAccessor(...).Method(...)`
So we can easily change them to a static method.

This CL:
1. Adds DISALLOW_GARBAGE_COLLECTION to the class.
2. Makes methods that can trigger GC static.
3. Creates static helper functions that wrap the class in a different
scope, since TransitionsAccessor now forces the scope to disallow gc.
4. Removes now unnecessary "Reload" logic.

Bug: chromium:1295133, v8:12578
Change-Id: I85484e7235fbd5e69894e26f5e1c491c6f69635e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450416
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79051}
2022-02-11 15:40:33 +00:00
Manos Koukoutos
5e6a64b515 [test] Reduce number of iterations for slow test
Bug: v8:12591
Change-Id: Ica2ee1bb74d4b6f7e5ed06e23511c860bcf204be
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3456083
Reviewed-by: Emanuel Ziegler <ecmziegler@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79050}
2022-02-11 14:34:03 +00:00
Leszek Swirski
3d02ccf7ac [compiler] Change liveness to use a flat array
Bytecode liveness needs a mapping from offset to liveness. This was
previously a hashmap with a very weak hash (the identity function) and
both inserts and lookups showed up as a non-trivial costs during
compilation.

Now, replace the hashmap with a simple flat array of liveness, indexed
by offset, pre-sized to the size of the bytecode. This will have a lot
of empty entries, but will have much better runtime performance and
probably ends up not much less memory efficient as a hashmap if the
hashmap has to resize inside the Zone, and is likely negligible compared
to the other compilation memory overheads.

Change-Id: Id21375bfcbf0d53b5ed9c41f30cdf7fde66ee699
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3455802
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79049}
2022-02-11 14:28:43 +00:00
Michael Lippautz
18de64a1a6 heap: Inline fast paths for AllocateRaw() and AllocateRawWith()
- Both paths are now inlined.
- Outline large object allocation, shrinking trampoline a bit.
- Support a fast path for AllocationType::kOld from AllocateRawWith().

Bug: v8:12615, chromium:1293284
Change-Id: I8f0b9aabc6fe47e1eee159c214403ccffea5eeab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3456082
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79048}
2022-02-11 14:26:33 +00:00
Michael Achenbach
a7a0b7650c [infra] More Python3 test-runner fixes
Bug: chromium:1292013
Change-Id: Ifcaad3fe346e59914050b34969bd63a230166491
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3452116
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Almothana Athamneh <almuthanna@chromium.org>
Commit-Queue: Almothana Athamneh <almuthanna@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79047}
2022-02-11 13:00:04 +00:00
Michael Lippautz
4b2c3ef0c0 heap: Fix AllocationTrackerForDebugging
Initialize thread-safe count properly.

Bug: v8:12620
Change-Id: Ifb43a860f1b8cefd410fea25ac408f5be55ab1af
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3455823
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79046}
2022-02-11 12:56:25 +00:00
Greg Thompson
6436e348f3 [fuchsia] Run v8_unittests via its CFv1 component manifest.
Bug: chromium:1296220
Change-Id: I8af141dc61a7abb31b460c5e43248aaef29aaf84
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3455423
Auto-Submit: Greg Thompson <grt@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79045}
2022-02-11 10:46:43 +00:00
Michael Lippautz
96162c7579 Remove FLAG_young_generation_large_objects
The flag has been turned on for a long time and we do not intend to
support a mode without young LO objects.

A side effect is that it removes a branch in AllocateRaw for the young
generation.

Drive-by: Reinstantiate the LO space verifier checking that only
certain types can appear as large objects.

Bug: v8:12615
Change-Id: I8c33019a04670f20459ea2faa9dc2f98b8cda40b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450420
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79044}
2022-02-11 10:37:55 +00:00
Nikolaos Papaspyrou
658012eac1 heap: Bug fix and refactor the tracing of GC cycles
This CL fixes a bug in the tracing of full GC cycles that was introduced
by https://crrev.com/3432211. In doing so, it refactors the tracing of
cycles by introducing an explicit state in GC tracing events, which
follows the phase within the GC cycle as perceived by the tracer. Two
new methods, (Start|Stop)AtomicPause are introduced; together with
(Start|Stop)Cycle they mark the state transitions. The existing methods
(Start|Stop)ObservablePause are now disentangled from cycles and state
transitions.

Bug: v8:12503
Bug: chromium:1154636
Change-Id: Ie4b863bc27f81dd6858103a8988874d89e6e8517
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3440663
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79043}
2022-02-11 08:36:53 +00:00
Dominik Inführ
599313b71e [heap] Sort map space pages in the sweeper
Now that the map space gets compacted as well, we want to sort pages
for that space when starting sweeping as well.

Bug: v8:12578
Change-Id: I8f25fb05f311d70697d2f7154bd428b4c3e56c13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3455142
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79042}
2022-02-11 08:08:54 +00:00
v8-ci-autoroll-builder
47e4193f02 Update V8 DEPS.
Rolling v8/build: 96cf77d..3408ba5

Rolling v8/buildtools/third_party/libc++abi/trunk: 53a6cf1..c69bde2

Rolling v8/buildtools/third_party/libunwind/trunk: 107cd56..2b08f99

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/954eec7..7b5325d

Rolling v8/third_party/depot_tools: ff8a62f..54e30e7

Rolling v8/third_party/googletest/src: 06519ce..0e40217

Rolling v8/third_party/zlib: 14f4303..dd9a133

Rolling v8/tools/clang: c7ca87f..b9894ca

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: I8d36950dab4270407ee2c6e460f953f1a7c40a87
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3453628
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#79041}
2022-02-11 04:06:22 +00:00
Dominik Inführ
1bd4c2a81a [heap] Drop objects promoted into shared heap from marking worklist
Scavenger can promote objects into the shared heap. Since the scavenger
might also run while incremental marking is on, the promoted object
could already be stored in the marking worklist. When updating the
worklist after the scavenger, we need to remove entries with objects
promoted into the shared heap.

Bug: v8:11708, v8:12582
Change-Id: I4ccad74d23de7921e02adcdb04d2b4e46d9b3a4d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3452115
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79040}
2022-02-10 19:54:25 +00:00
Dominik Inführ
5b9b539e4d [heap] Do not allocate external strings in shared heap
ExternalStrings in the shared heap currently conflicts with the sandbox
project. We would need concurrent concurrent allocation in the external
pointer table but also require different accessors for them.

Since the shared string table doesn't really need ExternalStrings in
the shared heap for now, simply keep ExternalStrings in the client
heaps.

Bug: v8:11708, v8:12617
Change-Id: I272e40eaec4b7f368ce44f42f7f69bf27d53f9c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3451717
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79039}
2022-02-10 19:53:22 +00:00
Michael Lippautz
f2d4a23db1 heap: Fix TSAN race in AllocationTrackerForDebugging
The previous CLs stealth-fixed an issue where we wouldn't receive
MoveEvent's even if FLAG_fuzzer_gc_analysis was true.

The fix uncovered a data race which is fixed here.

Bug: v8:12615
Change-Id: I646dc31918d6ebe717716290375e12eac562b4b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3452030
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79038}
2022-02-10 18:06:32 +00:00
Samuel Groß
a50d814e0b [sandbox] Make ExternalPointerTable::Allocate atomic
With external code space and background compilation, external pointer
table entries are now allocated on background threads. For this to work
properly, the implementation must be atomic.

As atomic operations are not currently available in CSA, the fast path
in CSA::InitializeExternalPointerField has been removed for now.

Bug: v8:10391
Change-Id: I1119a9b5f97bc8d5f48de6872b62b9ddf001e9ce
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448381
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79037}
2022-02-10 18:03:22 +00:00
Omer Katz
fee3bf0952 heap: Remove build flag for MinorMC
The build flag is on by default and the actual functionality is guarded
by a runtime flag.

Bug: v8:12612
Change-Id: I6adbd5b766f502400af32eeeb035edca3a3606ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448383
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79036}
2022-02-10 16:49:22 +00:00
Manos Koukoutos
ca849f24ab [turbofan] Refine CsaLoadElimination::ComputeLoopState
Avoid killing the whole mutable state in the following two cases:
- When we encounter a mutable object store operation, we can only kill
  the respective object/field pair in the mutable state.
- When we encounter an immutable initialization operation, we do not
  have to modify the state. A DCHECK ensures we do not initialize the
  same field twice.

Drive-by: Avoid zone-allocating data structures for frame-local
variables.

Bug: v8:11510
Change-Id: I1c655f619cf620923256f460b30dc7371de571de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3452022
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79035}
2022-02-10 15:01:22 +00:00
Manos Koukoutos
3cd68b1c13 [wasm-gc] Fix recursive type group opcode
Bug: v8:7748
Change-Id: Ia70eeb49cd4fe142cad2cb210dae1f98ec4d076b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450417
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79034}
2022-02-10 14:53:42 +00:00
Michael Lippautz
a5c7137e67 heap: Actually attach allocation tracker
Bug: v8:12616, v8:12615
Change-Id: I57ce784c4c9b7a9d75a6e139063b7ce0cac511ab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3452024
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79033}
2022-02-10 14:45:02 +00:00
Joyee Cheung
1e6294d3c3 [class] initialize brand after super() in nested arrow function
Handle the case of nested super() by checking if the class scope
contains a private brand. In this case the ContextScope chain
is different from the actual context chain so this added back
the AddPrivateBrand() runtime function but with the additional
step of walking the context chain to get the correct class
context that will be stored as the value of the brand property
for the debugger.

Bug: v8:12354
Change-Id: Ieeb9b9d6372bfbb1a39c4c2dc9e9848e9109f02a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3275137
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#79032}
2022-02-10 14:05:48 +00:00
Thibaud Michaud
a684b5df50 [wasm] Enable Liftoff for fuzzing on arm
NaN detection is implemented on arm and arm64, so we can enable fuzzing
with Liftoff as the reference implementation on these architectures.

R=manoskouk@chromium.org

Bug: v8:11856, v8:11954
Change-Id: If80c2f16f52af59705d914396cfe029cb85e7293
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3451718
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79031}
2022-02-10 13:26:38 +00:00
Igor Sheludko
b7a45b5f05 [ext-code-space] Fix TSAN issues in JSFunctionRef::code()
This CL
1) adds relaxed version of CodeDataContainer::code_cage_base accessors
   and use them from relaxed CodeDataContainer::code accessors,
2) uses relaxed version of FromCodeT() in JSFunctionRef::code().

Bug: v8:11880, chromium:1293642
Change-Id: Idc9ba59a97a44a0963197cad50b5e5b440f9629e
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450423
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79030}
2022-02-10 13:23:01 +00:00
Michael Achenbach
c858e69c32 [infra] Try running gcmole on Python3 bot
No-Try: true
Bug: chromium:1292013
Change-Id: If2a52f19fc200d440d840ec903e053926eaeecd0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3452025
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Almothana Athamneh <almuthanna@chromium.org>
Commit-Queue: Almothana Athamneh <almuthanna@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79029}
2022-02-10 13:21:58 +00:00
Andreas Haas
f621275234 [wasm] Update spec tests
Change-Id: Ia3c6d3e9164b84b94ee5d6aee4c3c735df618522
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3451720
Reviewed-by: Emanuel Ziegler <ecmziegler@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79028}
2022-02-10 13:15:08 +00:00
Thibaud Michaud
eee88ca09b [wasm][liftoff] Fix multi-return regalloc issue
R=ahaas@chromium.org

Bug: chromium:1294384
Change-Id: Iaf20d01b00966ef3dc0c8b38f520663b8ca75f8b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3451715
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79027}
2022-02-10 12:48:22 +00:00
Dominik Inführ
cf7234cc51 Revert "Reland "Reland "[heap] Support client-to-shared refs in Code objects"""
This reverts commit 2694b75eb9.

Reason for revert: Causes timeouts on waterfall (https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20debug/38375/overview)

Original change's description:
> Reland "Reland "[heap] Support client-to-shared refs in Code objects""
>
> This is a reland of 4b8f1b1cff
>
> After landing https://crrev.com/c/3447371, we can reland this CL as-is
> correctness-wise.
>
> What's new in this CL is that we now treat references from client
> objects into the shared heap as roots for the --track-retaining-path
> feature.
>
> Original change's description:
> > Reland "[heap] Support client-to-shared refs in Code objects"
> >
> > This is a reland of 12e46091a0
> >
> > Original change's description:
> > > [heap] Support client-to-shared refs in Code objects
> > >
> > > Support references from code objects in the client heaps to shared heap objects. Such references are stored in a remembered set during marking, which is later used for updating pointers.
> > >
> > > Bug: v8:11708
> > > Change-Id: I8aeb508ddd14514ca65fa5acf3030dd8c2040168
> > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3401588
> > > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> > > Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> > > Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> > > Cr-Commit-Position: refs/heads/main@{#78819}
> >
> > Bug: v8:11708
> > Change-Id: I47bcf44b452fcffe8675fba03244b736ede14247
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3422630
> > Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> > Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#78838}
>
> Bug: v8:11708
> Change-Id: I5b48e942fa469eabb40e797e221d06c25af16443
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3425358
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79023}

Bug: v8:11708
Change-Id: I3c5cb945261882122cd76a50aba5237106a25b65
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3451719
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79026}
2022-02-10 11:32:48 +00:00
Dominik Inführ
911f6f0365 [baseline] Fix race between baseline compiler and GC on page flags
We need to create the CodePageCollectionMemoryModificationScope *after*
setting up the LocalIsolate. Otherwise the destructor of that scope will
run after that thread detached from the isolate, when it isn't part of
the next GC safepoint anymore. This allows two concurrent operations
on the page flags:

1) The destructor of CodePageCollectionMemoryModificationScope protects
   the page again and accesses page flags in a DCHECK.
2) The GC unprotects the code pages for the collection and sets the
   the evacuation candidate flag.

Bug: chromium:1295738
Change-Id: I6de626bb075f43e26d74dba18e28fe34331fdfd2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3451714
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79025}
2022-02-10 10:16:45 +00:00
Marja Hölttä
ed04f49fd1 [rab/gsab] RAB / GSAB support for constructing TAs from TAs
Bug: v8:11111
Change-Id: Id4273832d6d48d5a516a04982afcdf92b2cf045d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3447366
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79024}
2022-02-10 09:38:04 +00:00
Dominik Inführ
2694b75eb9 Reland "Reland "[heap] Support client-to-shared refs in Code objects""
This is a reland of 4b8f1b1cff

After landing https://crrev.com/c/3447371, we can reland this CL as-is
correctness-wise.

What's new in this CL is that we now treat references from client
objects into the shared heap as roots for the --track-retaining-path
feature.

Original change's description:
> Reland "[heap] Support client-to-shared refs in Code objects"
>
> This is a reland of 12e46091a0
>
> Original change's description:
> > [heap] Support client-to-shared refs in Code objects
> >
> > Support references from code objects in the client heaps to shared heap objects. Such references are stored in a remembered set during marking, which is later used for updating pointers.
> >
> > Bug: v8:11708
> > Change-Id: I8aeb508ddd14514ca65fa5acf3030dd8c2040168
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3401588
> > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> > Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> > Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#78819}
>
> Bug: v8:11708
> Change-Id: I47bcf44b452fcffe8675fba03244b736ede14247
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3422630
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#78838}

Bug: v8:11708
Change-Id: I5b48e942fa469eabb40e797e221d06c25af16443
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3425358
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79023}
2022-02-10 09:25:23 +00:00
Dominik Inführ
01eb8ff9d0 [heap] Support --expose-gc with shared heap
--shared-string-table assumes that all old strings are in the shared
heap. However, when also using --expose-gc we create an external string
for the GC function name. So far external strings are always allocated
in the local old space though, which results in a heap verification
error. This CL creates external string in the shared old heap with
--shared-string-table enabled.

In order to pass all the tests this CL also has to:

* Stop marking into the shared heap for VisitEmbeddedPointer and
  VisitCodePointer.
* Relax DCHECK in String::GetFlatContent: We cannot check the thread
  id for any shared string. Even if that string isn't really shared atm.

Bug: v8:11708
Change-Id: I51fec5ba038d035be5fe5e1277ef9286efc8dc2a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3447371
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79022}
2022-02-10 07:43:27 +00:00
v8-ci-autoroll-builder
211a4240a9 Update V8 DEPS.
Rolling v8/build: a4e7e5a..96cf77d

Rolling v8/buildtools: 2a745cc..169eef5

Rolling v8/buildtools/third_party/libc++abi/trunk: a18d792..53a6cf1

Rolling v8/buildtools/third_party/libunwind/trunk: b86911d..107cd56

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/25f38be..954eec7

Rolling v8/third_party/depot_tools: cc0f7a5..ff8a62f

Rolling v8/third_party/googletest/src: 43efa0a..06519ce

Rolling v8/third_party/zlib: 3fc7923..14f4303

Rolling v8/tools/clang: d7bcddc..c7ca87f

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: I7c8070fa5f42d7a3fe22b674e73050b1c527d7e0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450174
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#79021}
2022-02-10 03:52:08 +00:00
Milad Fa
61bcc4d1f2 S390 [liftoff]: Implement simd FP trunc saturate
Change-Id: If7a0742b694d3dc475442a6aee3f6c967291eda1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3451360
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#79020}
2022-02-10 03:35:17 +00:00
Liu Yu
0a8fae41fd [wasm] Use unaligned store in StoreArgsInStackSlot
StoreArgsInStackSlot sometimes does unaligned store.

Relate to commit 18469ec4bf.
In MemoryFill, size is an 8-byte integer, but is stored into a
4-byte aligned memory;

Bug: v8:10949, chromium:1281995
Change-Id: I9f18a0168432cdd6d27eacc98b980fa5b6d57d79
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3447932
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Yu Liu <liuyu@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#79019}
2022-02-10 01:56:17 +00:00
Milad Fa
ca443726db S390 [liftoff]: Implement simd extend add pairwise
Change-Id: I346ff7d125027caeb14cbfead74eba0bd30c6f2d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450900
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#79018}
2022-02-09 19:46:36 +00:00
Seth Brenith
aae45ca822 Avoid leaking Promises when detaching debugger
When the debugger is active and a Promise begins executing,
Isolate::PushPromise adds a global handle for that Promise. If the
debugger is no longer attached when the Promise finishes executing, then
there is no corresponding call to PopPromise which would clean up the
global handle. To avoid leaking memory in that case, we should clean up
the Promise stack when detaching the debugger.

Bug: v8:12613
Change-Id: I47a2c37713b43b482e23e2457e96fba5f52623f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448949
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#79017}
2022-02-09 16:40:56 +00:00
Manos Koukoutos
0d05f1807d [test] Disable flaky test
Bug: v8:12607
Change-Id: I937366634f77648bb76e36934c5a2952fb0e184f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450422
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79016}
2022-02-09 15:57:19 +00:00
Manos Koukoutos
775f27c69b [wasm-gc][fuzzer] Wrap types in recursive group
As a temporary solution to reenable wasm-gc fuzzing, we modify
{WasmModuleBuilder} to optionally wrap all types in a recursive group.

Bug: v8:7748
Change-Id: Ib0f8ab17c48ecbe04b51da2b1d01502be77ad35a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450414
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79015}
2022-02-09 15:42:18 +00:00
Michael Lippautz
df04c04261 heap: Avoid branches for debugging flags in Heap::AllocateRaw
Move on-allocation and on-move events to a designated tracker that is
only installed when running with debugging flags. This eliminates a
bunch of flag checks as they are all moved behind the allocation
trackers.

Bug: v8:12615
Change-Id: Ied6819991511328351825e2341375c36ae34916b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450419
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79014}
2022-02-09 14:28:28 +00:00
Tamer Tas
eb56ac927d [run_perf] Replace usage of numpy with python3 statistics package
R=machenbach@chromium.org,liviurau@chromium.org,alexschulze@chromium.org

Bug: v8:12610
Change-Id: I24a1af48bf7a748e06c719439fb368ad75dd0160
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448377
Auto-Submit: Tamer Tas <tmrts@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Tamer Tas <tmrts@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79013}
2022-02-09 14:12:13 +00:00
Igor Sheludko
8eb43b92ad [ext-code-space] Disable external code space by default on arm64 Fuchsia
Bug: v8:11880, chromium:1292638
Change-Id: Ia457f391098aa2027988dae404948ab6f7fa8fab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450415
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79012}
2022-02-09 13:06:52 +00:00
Manos Koukoutos
642828eb8b [wasm] Use plain Load for instance cache nodes
Bug: v8:11510
Change-Id: I15d3758532d964ce6a7203c4152ba3e34c3d9601
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448375
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79011}
2022-02-09 12:32:02 +00:00
Samuel Groß
959d67e11b [sandbox] Properly initialize LocalFactory::isolate_for_sandbox
This is required when allocating external pointer table entries from
background threads through the LocalFactory interface.

Bug: v8:10391
Change-Id: Ice5eee1000e1c7341bd0e58782cbb175080a5a74
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448376
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79010}
2022-02-09 11:23:17 +00:00
Samuel Groß
aa83ce1efe [sandbox] Fix EmbedderDataSlot::ToAlignedPointerSafe
We need to properly handle the case of uninitialized embedder data slots
which contain the "undefined" value and thus might look like valid
external pointer table indices.

Bug: v8:10391
Change-Id: I169a3e42132dde223ea151c1a5d5956c72341f8d
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448378
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79009}
2022-02-09 11:22:14 +00:00
Manos Koukoutos
dacaff0b6c [wasm][test] Disable flaky test
Bug: v8:12605
Change-Id: Ic353570757b0271279d9a00352017b0341281e05
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448382
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79008}
2022-02-09 10:12:51 +00:00
Michael Achenbach
d87b764ec5 [infra] Migrate auto-roller commands to Python3
Another encoding fix and test coverage for it.

No-Try: true
Bug: chromium:1292013
Change-Id: Id54f505848f93b4869710156fa77ad2e258c5dd6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3447905
Reviewed-by: Liviu Rau <liviurau@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79007}
2022-02-09 10:05:11 +00:00
Dominik Inführ
d01a024cc8 [heap] Iterate map word for promoted objects in scavenger
When iterating slots for promoted objects we now also need to visit
the map word slot since maps might get compacted. If we do not do this,
we risk losing the already recorded slot for the map word in case that
object already got marked.

Bug: v8:12578, chromium:1295239
Change-Id: I34fbf7ae4b9e36eae8e7e3df354b5fd19adcb08f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448373
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79006}
2022-02-09 10:01:23 +00:00