This is part of an ongoing effort to reduce fragmentation in Chrome. Partition alloc shows v8 zones are a large user of memory in Renderer processes, and that there is fragmentation from these allocations. This CL will reduce this fragmentation by allowing v8 to use all allocated memory for its zones.
Bug: v8:13193, chromium:1238858
Change-Id: Ibeac8bdba9d0e7ff66b14a3dde10e7c87d3cf953
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3889361
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83235}
This CL introduces a new LookupIterator state WASM_OBJECT, and updates
all switches that need to handle it.
Bug: v8:7748
Change-Id: Ie3359aed2d37f5a6854e5577fa3799f0464391e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865559
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83234}
The split is rudimentary and is now not needed at all:
- as part of the shared-cage effort we added HeapHandle pointer to the
BasePageHandle class (on the API side);
- for the value-full barrier we get HeapHandle from bitmasking the
value;
- for the value-less barrier we get it from the callback provided by the
caller.
The CL entirely removes the split and uses the single
BoundedPageAllocator. A minor note: the conservative stack scanning can
become slightly more expensive.
Bug: chromium:1361582, chromium:1325007
Change-Id: I2a8aded3dd12037998f36341c68af8e23b0dcd88
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899320
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83232}
Since enabling the sandbox is now required, for example for mkgrokdump,
add it to the default gn args. Also treat non-sandbox builds as
"non-shipping" in mkgrokdump.cc.
Bug: v8:13281
Change-Id: I08042aa53057e25c556e166c059373e2fdb9d2c1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899317
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83231}
This CL introduces two MachineTypes - SignedBigInt64 and UnsignedBigInt64, which are represented as Word64 but will be rematerialized to BigInt in deoptimization. This will avoid unnecessary conversions for BigInt64s when they are passed to StateValues.
Bug: v8:9407
Change-Id: I65fdee3e028ed8f9920b1c20ff78993c7784de48
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858238
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#83230}
When ETW Events are enabled with the --enable-etw-stack-walking flag
we should not also enable the --interpreted-frames-native-stack by
default.
Showing the interpreted frames on the native stack is quite expensive
since it involves multiple copies of the interpreter trampolines, and
it's not always necessary to profile JS code, so it should be enabled
when necessary with a separate flag.
Bug: v8:11043
Change-Id: Id2d779e7fcac9b626f9da2e0c77edf9c30f853df
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893601
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83229}
Inner pointer resolution, to be used in conservative stack scanning,
assumes that all pages registered with the memory allocator are
iterable. Until this CL, this was not the case for pages that were
owned by the young generation semispaces but were unused. Such pages
are either in the "from" semispace, or in the "to" semispace but have
not yet been used.
This CL ensures that all pages owned by the young generation are iterable. It also adds tests to verify that inner pointer resolution
works correctly for unused young pages and for pointers above the
page area.
Bug: v8:13257
Change-Id: Ieff7cc216853403e01f83220b96bf8ff4cdea596
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3885893
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83226}
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.
R=jkummerow@chromium.org
Bug: v8:12887
Change-Id: I5bd5faaac89185c5f40b0eabb01f9b678f791498
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898934
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83225}
Also add a DCHECK to prevent this stupid mistake in the future.
Bug: v8:13190
Fixed: chromium:1363969
Change-Id: Ieb855ccfb42a1a6d84798eb09721d454c355935f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899313
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83222}
Cached template objects only need to be cached for reference identity
comparisons. If there is no strong reference to the cached template
object, then there's nothing to compare it against if it were to be
loaded from the cache, so we can hold it in the cache weakly.
Bug: v8:13190
Change-Id: I4a787eb33eab734fe9df6c424ff915d775fce70f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898692
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83220}
This test observes GC behavior and needs the garbage collector to work
in a somewhat predictable way.
Bug: v8:13286
Change-Id: I24e6a4f33a644b5f1845cd34558da03fc196f7e5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898721
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83218}
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.
R=szuend@chromium.org
Bug: v8:12887
Change-Id: I8123d18ae852807557bf26b1308e0061dc1ac123
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898937
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83216}
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.
R=jgruber@chromium.org
Bug: v8:12887
Change-Id: I0454426c664e54e9b8c8b39f903eeca1a80d4bc2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898933
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83214}
The kContextRegister can alias allocated registers - when setting it,
take care not to unintentionally clobber.
Bug: v8:7700
Change-Id: I0635d334fb14fa15540582a4873d4186fffa2199
Fixed: chromium:1363450
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3897634
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83212}
.. in TryBuildMonomorphicLoadFromLoadHandler. If data1 is cleared,
emit an unconditional eager deopt.
Note all early-return paths must happen before any code is emitted.
Bug: v8:7700
Change-Id: I00d5ff258cc88a0cb2423267b362c05540d09839
Fixed: chromium:1359714
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898691
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83211}
This can happen when we have a load from a double field of a value that
canonicalises to a Smi, and we then use that Smi value in Smi-feedback
arithmetic.
Bug: v8:7700
Fixed: v8:13282
Change-Id: I6d8245b8393f7595c3442985087ebb8e806061eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890999
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83210}
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.
R=nicohartmann@chromium.org
Bug: v8:12887
Change-Id: Ibdf60bd42ed577f367eee7da4de3a7e3dd6799e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871205
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83209}
Running the libfuzzer fuzzers locally (with an experimental flag turned
on) found crashes, but did not produce crash files because we were
generating a software interrupt ("trap") instead of properly aborting.
Disabling the "hard-abort" feature fixes that.
This will hopefully not flush out previously missed crashes. If so,
please do manually bisect across this CL, instead of assigning to me :)
Drive-by: Move more initialization logic from {InitializeFuzzerSupport}
to the {FuzzerSupport} constructor, where other similar work is
performed.
R=thibaudm@chromium.org, saelo@chromium.org
Bug: v8:13283
Change-Id: Id8d4e92f5ab6bb27676adeae6b3b1eb042b8ba3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892061
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Samuel Groß <saelo@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83208}
Temporaries and the allocated result register may alias, thus order is
important when setting the result value.
Fixed: TestUndetectable, LogicalNot, SetPendingMessage.
Drive-by: Pass Label::kNear in a few spots I passed by.
Bug: v8:7700
Change-Id: Ice3de1d1014ad05d8fa9fb18d967887386bfed0d
Fixed: chromium:1359723
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898530
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83207}
Rolling v8/build: 4157fb6..ccee528
Rolling v8/buildtools: e713c13..040e851
Rolling v8/buildtools/linux64: git_revision:b4851eb2062f76a880c07f7fa0d12913beb6d79e..git_revision:fff29c1b3f9703ea449f720fe70fa73575ef24e5
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/37391a1..0d1854a
Rolling v8/third_party/depot_tools: 9ebcfa6..5e4d749
Rolling v8/third_party/fuchsia-sdk/sdk: version:9.20220913.3.1..version:9.20220914.1.1
Rolling v8/tools/clang: 02a202a..12149f2
R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com
Change-Id: I4afeac189d64d4ef62599de14187f9bd2348ff5f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3897654
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#83206}
Correct the call to the one which takes the UTC-based time
instead of the one taking the local wall time.
Bug: v8:11544
Change-Id: Ib288617e8f98b21865c306ca36cd905a3e5315bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892639
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83205}
A couple of customers have asked about using devtools to get information
about temporary allocations, with the goal of reducing GC time and/or
peak memory usage. Currently, the sampling heap profiler reports only
objects which are still alive at the end of the profiling session. In
this change, I propose adding configuration options when starting the
sampling heap profiler so that it can optionally include information
about objects which were discarded by the GC before the end of the
profiling session. A user could run the sampling heap profiler in
several different modes depending on their goals:
1. To find memory leaks or determine which functions contribute most to
steady-state memory consumption, the current default mode is best.
2. To find functions which cause large temporary memory spikes or large
GC pauses, the user can request data about both live objects and
those collected by major GC.
3. To tune for minimal GC activity in latency-sensitive applications
like real-time audio processing, the user can request data about
every allocation, including objects collected by major or minor GC.
4. I'm not sure why anybody would want data about objects collected by
minor GC and not objects collected by major GC, but it's also a valid
flags combination.
Change-Id: If55d5965a1de04fed3ae640a02ca369723f64fdf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3868522
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#83202}
When regenerating v8heapconst.py, the v8 sandbox now has to be enabled
explicitly (using the v8_enable_sandbox=true gn arg) as it is enabled by
default in Chromium builds, but not standalone v8 builds.
Bug: v8:13281
Change-Id: I1a0861b1d63f340465d7433e042b27eace706ca7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3895622
Commit-Queue: Adam Klein <adamk@chromium.org>
Auto-Submit: Samuel Groß <saelo@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83201}
JumpIfTagged accesses the stack for 4-byte compressed pointers,
so we need to add the stack bias for that on big endian.
Change-Id: Ifefa56018cf4ddccb337704775b38937e47ac3ed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893419
Reviewed-by: Milad Farazmand <mfarazma@redhat.com>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/main@{#83198}
Check whether the exception phi for the accumulator (i.e. the exception
message object) is dead, and don't assign rax to it if yes. Note that
maglev node liveness can differ from bytecode liveness, since the
bytecode accumulator could have been considered "live" just because of a
move to a (dead) register.
Bug: v8:7700
Change-Id: If1384284f6f55a565e2ae94e5e7a32455fdedb93
Fixed: chromium:1359382
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892353
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83197}
Use Script as the key for the template object cache, instead of the
SharedFunctionInfo. This is because SharedFunctionInfos can be garbage
collected and then later recompiled, which would mean that we break the
spec's expectation that the template object stays constant.
Now the association of cached template object with SharedFunctionInfo is
via the function_literal_id of the SharedFunctionInfo, stored on the
CachedTemplateObject. These are linearly searched, similar to the linear
search over slot ids.
Bug: v8:13190
Change-Id: I3f67811c16ea4cd39c99b2fa034aa7e1f03c171e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892787
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83195}
This struct represents the freelist of an ExternalPointerTable and
contains both the size and the head of the freelist. It is encoded and
stored as a single Atomic64 field (freelist_) inside the
ExternalPointerTable class. This ensures that the freelist head and size
are always synchronized.
Previously, the freelist size was encoded in freelist entries in the top
bits. This only works as long as the maximum table size is relatively
small however, as it requires both the freelist size and the index of
the next entry on the list to fit into 24 bits. To allow for bigger
maximum table sizes in the future, this CL moves the freelist size
directly into the table as part of the freelist_ field.
Bug: v8:10391
Change-Id: Id09c9b28d09d79b704ac47e6566029cfb209ecd1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891256
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83193}
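As an added illustration of the encoding the commit above describes (example code, not V8's ExternalPointerTable), here is a minimal freelist whose size and head index are packed into one 64-bit atomic so that a single compare-and-swap updates both; the 32/32 field split, the class and member names, and the use of slot 0 as the end-of-list marker are assumptions.

```cpp
#include <atomic>
#include <cstdint>
#include <vector>

// Illustrative table with an intrusive freelist: each free entry stores
// the index of the next free entry, and freelist_ packs {size, head}.
// Packing both into one word keeps them synchronized; the old scheme the
// commit replaces had to fit size and next-index into 24 bits of an entry.
class PackedFreelist {
 public:
  explicit PackedFreelist(uint32_t capacity) : entries_(capacity, 0) {
    // Chain slots 1 .. capacity-1; entries_[capacity-1] stays 0 (list end).
    // Slot 0 is reserved as the "null" index (assumption for this example).
    if (capacity < 2) return;
    for (uint32_t i = 1; i + 1 < capacity; ++i) entries_[i] = i + 1;
    freelist_.store(Pack(capacity - 1, 1), std::memory_order_release);
  }

  static uint64_t Pack(uint32_t size, uint32_t head) {
    return (static_cast<uint64_t>(size) << 32) | head;
  }
  static uint32_t Size(uint64_t packed) { return static_cast<uint32_t>(packed >> 32); }
  static uint32_t Head(uint64_t packed) { return static_cast<uint32_t>(packed); }

  // Pop the head entry; returns 0 when the list is empty.
  uint32_t Allocate() {
    uint64_t old = freelist_.load(std::memory_order_acquire);
    for (;;) {
      uint32_t head = Head(old);
      if (head == 0) return 0;
      // Size and head change together or not at all.
      uint64_t updated = Pack(Size(old) - 1, entries_[head]);
      if (freelist_.compare_exchange_weak(old, updated, std::memory_order_acq_rel)) return head;
    }
  }

  // Push an entry back onto the list.
  void Free(uint32_t index) {
    uint64_t old = freelist_.load(std::memory_order_acquire);
    for (;;) {
      entries_[index] = Head(old);
      uint64_t updated = Pack(Size(old) + 1, index);
      if (freelist_.compare_exchange_weak(old, updated, std::memory_order_acq_rel)) return;
    }
  }

  uint32_t size() const { return Size(freelist_.load(std::memory_order_acquire)); }

 private:
  std::vector<uint32_t> entries_;
  std::atomic<uint64_t> freelist_{0};
};
```

The example only shows the packing; concurrent pops on a real lock-free list also need protection against the ABA problem, which this illustration does not address.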
This reverts commit 7c64e5b43b.
Reason for revert: MinorMC passes all CQ bots again (crrev.com/c/3872266)
Original change's description:
> [heap] Remove MinorMC variant from bots
>
> As part of revising MinorMC, it would soon be broken and bots should
> not be red because of it.
>
> Bug: v8:12612
> Change-Id: I0551d0a115ac2f4fa7fc32190458850f80b84cf5
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3810353
> Commit-Queue: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Almothana Athamneh <almuthanna@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82197}
Bug: v8:12612
Change-Id: I4a08f79efc3b5fc133a0a920a11d2af559b5bf4f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3885890
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Almothana Athamneh <almuthanna@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83191}
Based on bots and local testing, MinorMC has reached a stable state in
terms of correctness.
Enable fuzzing with MinorMC to flush out additional issues.
Bug: v8:12612
Change-Id: I9cf8c5791d7256ff63c777b295863506436ee165
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872265
Reviewed-by: Almothana Athamneh <almuthanna@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83190}
Fix build error:
../../v8/src/wasm/module-compiler.cc:147:10: error: ‘unique_lock’ is not a member of ‘std’
147 | std::unique_lock<std::shared_mutex> queues_guard{queues_mutex_};
| ^~~~~~~~~~~
Bug: chromium:957519
Change-Id: I0d14730d5b8dd76820fcc0a47d66ab0bd3e38f24
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3880498
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83189}
The numfuzz fuzzer.py has a loop to send a new test after receiving
a result. When all test processors go into stopped state, attempts
of sending new tests return False. That case wasn't handled here
and we kept looping forever.
Bug: v8:13113
Change-Id: Ief2686614d9703fb590400ac3e73b6ac9008c8f6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891373
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83188}
Document ownership by using std::unique_ptr<Space> for the space_
array.
Bug: v8:13267
Change-Id: I12861d97cd52d2a8cf9ceb43a2f90008be87b2a3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890913
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83187}
SimulateFullSpace starts with no LAB, iterates over pages and allocates
all free space on each page. After the first page, the LAB is empty but
is no longer null.
Bug: v8:12612
Change-Id: I2c00b9ba68fdd5f60eda086ea940cb6e211a986e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891294
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83186}