D8 enables the Wasm trap handler by default now, but we need to make sure the
older bounds check case still gets test coverage too, as bounds checks will
continue to be a supported configuration.
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I5b0bdded6929a9b3a8480e87d038398b8d2a0fd8
Reviewed-on: https://chromium-review.googlesource.com/1048835
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53078}
Removes lots of parameters that are never used (found using
-Wunused-parameter).
Also wires up the pretenure parameter for Factory::NewFrameArray so it's
actually used.
Change-Id: I486e22ac0683afb84bba6a286947674254f93832
Reviewed-on: https://chromium-review.googlesource.com/1041687
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53077}
Next SSCA mitigation: Mask the function index on indirect calls. This
avoids speculative jumps to arbitrary memory.
R=titzer@chromium.org
Bug: v8:6600, chromium:798964
Change-Id: Id4a54fbb42096655d48965b63202bb58f98dc9aa
Reviewed-on: https://chromium-review.googlesource.com/1049627
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53076}
If termination was requested on pause we should handle it properly as
soon as execution resumed.
R=yangguo@chromium.org
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ica50500094138097f115545db716264126fbe59e
Reviewed-on: https://chromium-review.googlesource.com/1049486
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53074}
Similar to msan.h, asan should get its own header file such that the
functionality can be reused.
R=ahaas@chromium.org
Bug: v8:7570
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: Ib81e4ff4b1d08158df7730c32345d4facf9453b0
Reviewed-on: https://chromium-review.googlesource.com/1046656
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53073}
In addition to a git grep I ran the
virtual/enable_wasm_streaming/http/tests/wasm_streaming/wasm_response_apis.html
layout test locally to confirm that the flag is not used in Chrome.
R=titzer@chromium.org
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I00d013b85b585d26e50aacaeb82fb0b1ce1ff56c
Reviewed-on: https://chromium-review.googlesource.com/1049965
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53072}
Currently, non-msan builds don't check the arguments for
MSAN_ALLOCATED_UNINITIALIZED_MEMORY and MSAN_MEMORY_IS_INITIALIZED
calls, so type errors will only be reported on the msan builder.
This CL adds static_asserts for non-msan builds.
Drive-by: Rename MEMORY_SANITIZER to V8_USE_MEMORY_SANITIZER and move
it to macros.h, where also other such macros (like
V8_USE_ADDRESS_SANITIZER) live.
R=ahaas@chromium.org
Bug: v8:7570
Change-Id: If6c3c6e0d1287b5f1e0c59828cd028d1beac933d
Reviewed-on: https://chromium-review.googlesource.com/1046655
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53071}
Fixes the MaybeObject->Object conversion in ObjectStats to allow Smis,
rather than just HeapObjects.
Change-Id: I845613c47bb6ca696d444a025100b471fb385980
Reviewed-on: https://chromium-review.googlesource.com/1049925
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53070}
When a custom workdir is used for the checkout, it differs from the workdir
for temporary state files. In this case, code ensuring the existing of the
parent dir wasn't executed.
NOTRY=true
Bug: v8:7735
Change-Id: Idc81b50bb8f880dea45fde08ba4d437c91e96a37
Reviewed-on: https://chromium-review.googlesource.com/1049552
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53068}
Loading the length from a PropertyArray is currently broken.
Bug: v8:7732
Change-Id: Ia05f314f2f4822a8821801889b7a58f75b3f198c
Reviewed-on: https://chromium-review.googlesource.com/1049610
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53067}
To stay compatible with JSC, Array.p.sort did a post-processing step
that shadowed elements from the prototype chain.
Some time ago, JSC changed and no longer exhibits this behavior. To
preserve comptibility and stay consistent with RemoveArrayHoles,
this CL removes this post-processing step altogether and adjusts
tests to expect the new behavior.
R=cbruni@chromium.org, jgruber@chromium.org
Bug: v8:7382
Change-Id: Iecedc37cea25001d3768b99a3a9de3a2db90ba82
Reviewed-on: https://chromium-review.googlesource.com/1047286
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53066}
Code comments help a lot to understand the generated code. Add a
comment before each instruction, and some special comments for longer
instructions.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: Ic18974e5cc89e23533e3abc54b0389723b77ff73
Reviewed-on: https://chromium-review.googlesource.com/1049626
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53064}
Embedded builtins have been regressing benchmarks incrementally as
more and more builtins were moved to the embedded blob. This has made
recognition and analysis of other possible performance issues more
difficult.
Let's disable embedded builtins until their performance is at an
acceptable level.
Bug: v8:6666
Change-Id: I21a1274f3d5a65063127b0a8604df6dd0d3c0c95
Reviewed-on: https://chromium-review.googlesource.com/1049550
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53062}
This CL re-implements CopyFromPrototype, that is used during sorting,
as a runtime function, in preparation to move Array.p.sort to CSA.
CopyFromPrototype is called for sparse non-arrays, where elements
might be available on the prototype chain. For compatibility with
JSC, we copy them to the object itself and sort only own properties.
Bug: v8:7382
Change-Id: I4f5c14995cf9769c4f9f1d62b3a5bfde6d386556
Reviewed-on: https://chromium-review.googlesource.com/1044205
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53061}
This CL implements the functionality of SafeRemoveArrayHoles (JS),
which is used as a pre-processing step for sorting, in a runtime
function.
SafeRemoveArrayHoles is a generic fallback, when an existing runtime
function fails to remove holes/move undefineds to the end of an array.
This CL extends the existing runtime function to also support JSProxy
objects, and objects where indices have accessors.
R=cbruni@chromium.org, jgruber@chromium.org
Bug: v8:7382
Change-Id: I4881539cf2171caba08ff6e3e50320291f49839c
Reviewed-on: https://chromium-review.googlesource.com/1041950
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53060}
On system which required a contiguous code range, we currently limit
the committed wasm code space to the heap code space. Since
https://crrev.com/c/1044195, this was only 128MB, making bigger
benchmarks fail.
There is no need to link the two limits, thus just remove that logic.
R=titzer@chromium.org
Change-Id: Id61f5dd28c96c3d2b7fcd730751285c6fc144bc5
Reviewed-on: https://chromium-review.googlesource.com/1049648
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53059}
This shares JS-to-Wasm wrapper code across instances belonging to the
same module object. We no longer need to copy the wrappers since they
are by now independent of the concrete instance.
R=titzer@chromium.org
BUG=v8:7424
Change-Id: I54188eae6378e53cc274cd19f8e652ffdba72ee5
Reviewed-on: https://chromium-review.googlesource.com/1049607
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53058}
This changes JS-to-Wasm wrappers to no longer embed a WeakCell with the
associated instance into the code, but load the instance object from the
passed {WasmExportedFunction} object instead.
R=titzer@chromium.org
BUG=v8:7424
Change-Id: I5403f882912eb23e760fabe70207440648754a69
Reviewed-on: https://chromium-review.googlesource.com/1028053
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53057}
at register is used a lot in macro-assembler-mips[64].cc and
we should not use it as temporary register in other parts of code
Change-Id: I7ef038cdf4f8c57aa76823e7ee0ffb40b62731cd
Reviewed-on: https://chromium-review.googlesource.com/1027816
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Reviewed-by: Sreten Kovacevic <sreten.kovacevic@mips.com>
Cr-Commit-Position: refs/heads/master@{#53055}
- Make FeedbackVector backing store a WeakFixedArray.
- "feedback" is always strong but "extra" might be weak.
- Whenever the handler stored in FeedbackVector is a WeakCell to a transition
Map, replace it with an in-place weak reference.
For a more detailed description of the changes, see the design doc
https://docs.google.com/document/d/1P8cIme2wKszdYt64ObAiuh6pXgLnrrn80Hpl1ejJbOU/edit#heading=h.ijx1oculrikp
BUG=v8:7308
Change-Id: I72c5cf6597ef24d4c22a1fe8e25b67ca196d4ec8
Reviewed-on: https://chromium-review.googlesource.com/1027855
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53051}
This CL introduces type narrowing and constant folding reducers
to constant fold code that comes out of inlined destructuring
of arrays. In particular, array iterator introduces code that
contains a phi of a temporary array that blocks escape analysis.
The phi comes from conditional that can be evaluated statically
(i.e., constant folded), so with better constant folding we
allow escape analysis to get rid of the temporary array.
On a quick micro-benchmark below, we see more than 6x improvement.
This is close to the hand-optimized version - if we replace
body of f with 'return b + a', we get 220ms (versus 218ms with
destructuring).
function f(a, b) {
[b, a] = [a, b];
return a + b;
}
function sum(count) {
let s = 0;
for (let i = 0; i < count; i++) {
s += f(1, 2);
}
return s;
}
// Warm up
sum(1e5); sum(1e5);
console.time("destructure array");
sum(1e8);
console.timeEnd("destructure array");
console.timeEnd: destructure array, 213.526000
console.timeEnd: destructure array, 1503.537000
Bug: v8:7728
Change-Id: Ib7aec1d5897989e6adb1af1eddd516d8b3866db5
Reviewed-on: https://chromium-review.googlesource.com/1047672
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53048}
We had four files in git which used CRLF. After adding a .gitattributes
file with "* text=auto", we should not get any new ones. This CL
converts the four existing files to LF.
R=mathias@chromium.org
Bug: v8:7570
Change-Id: Ia9c92f4bed14c6669de7d60390627a11de6450b8
Reviewed-on: https://chromium-review.googlesource.com/1047611
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53046}
This attribute will apply to newly added file only. If they contain
CRLF, this will be converted to LF automatically.
R=mathias@chromium.org
Bug: v8:7570
Change-Id: Idbf1f15d55dda18f623f9b3c7be8bba686569af0
Reviewed-on: https://chromium-review.googlesource.com/1047608
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53044}
If trap handlers cannot be installed, we printed two lines to stdout
and stderr, both not terminated by a newline. This CL adds a newline to
one output and uses the FATAL macro for the other, highlighting the
error better and showing the location where it happens.
R=eholk@chromium.org
Bug: v8:7570
Change-Id: Ic24f48f92b87528e0fd5889badf2c90d765e451a
Reviewed-on: https://chromium-review.googlesource.com/1047606
Reviewed-by: Eric Holk <eholk@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53043}
This API will be used by Node.js to provide output compatible with
Chrome devtools.
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I265495f8af39bfc78d7fdbe43ac308f0920e817d
Reviewed-on: https://chromium-review.googlesource.com/1044491
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Eugene Ostroukhov <eostroukhov@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53041}
This moves the internal fields on {WasmExportedFunction} objects from
being properties with private symbols to a separate structure instead.
The new {WasmExportedFunctionData} structure can hang off the underlying
shared function info which is created for each exported function. This
reduces the number of transitions, speeds up instantiation, and makes it
easier to reach them from generated code (in the future).
R=titzer@chromium.org
BUG=v8:7424
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: Iaa733b6c9f7bea96246d6680756aa7101669a1a9
Reviewed-on: https://chromium-review.googlesource.com/1047025
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53040}
The RareData objects contain fields that often absent in CodeEntry'es.
They are created as needed when a corresponding field is added.
This reduces CodeEntry size on x64 by 40% from 136 to 80 bytes.
BUG=v8:7719
Change-Id: I1f3c6255aa2f228895e835b536c743396131db31
Reviewed-on: https://chromium-review.googlesource.com/1045885
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Alexei Filippov <alph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53039}
We lost the print functionality for stub schedules somewhere on the
way. This re-adds the appropriate call to TraceSchedule to get it
going again.
Bug: v8:7327
Change-Id: I245823b440542708410d2253f9f4e78b2e22f3c9
Reviewed-on: https://chromium-review.googlesource.com/1047270
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53038}
In preparation for cleaning up PipelineData to use a MachineGraph
where appropriate, move the dead node up to MachineGraph.
R=ahaas@chromium.org
Bug: v8:7721
Change-Id: I3f9d456aef7cf4d80adbc93ae938636ffcc3712d
Reviewed-on: https://chromium-review.googlesource.com/1046828
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53037}
Retpolines were never used for off-heap wasm code. This CL adds them.
R=titzer@chromium.org
Bug: chromium:840376, chromium:798964
Change-Id: I9f1b2150cce484f831a83663d1fb06555e7eac82
Reviewed-on: https://chromium-review.googlesource.com/1047385
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53036}
Trying to reduce use of our self-baked data structures.
Bug: v8:7570
Change-Id: I419a932b6b8904810844d40a5636e423df832197
Reviewed-on: https://chromium-review.googlesource.com/1032739
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53033}
The hard-coded timeout in the test is so near, that e.g., adding DCHECKs pushes
the test over the limit. The test is ran with dcheck_always_on=true.
We shouldn't do any performance testing with dcheck_always_on=true; this creates
the wrong incentive to not add DCHECKs (or in this case, CLs which add more
DCHECKs or cause more DCHECKs to be hit cannot land at all).
Change-Id: Ia4d1b2b17ce5a5330b929f984253c89ba273f661
Reviewed-on: https://chromium-review.googlesource.com/1046548
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53032}
The DCHECK was incorrect. This new API method can be called from any
debug mode since the embedder does not know which mode we are in.
It should only apply the side effect logic when the mode is
kSideEffects.
Bug: chromium:829571
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I11b0e5194b151a2b88171d6be21c3ccbba9cd408
Reviewed-on: https://chromium-review.googlesource.com/1046162
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Erik Luo <luoe@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53030}
