Live bytes were accounted twice. Once when object is marked black and
once explicitly by the marking task. Drop the accounting by the marking
task.
This should also help reduce binary size.
Bug: v8:12612, chromium:1331317
Change-Id: I43e90413309709662b6fcd0dfdec96cac1b5f231
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3732930
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81429}
Before this CL, the caged heap was lazily initialized upon the first
call of HeapBase ctor. CagedHeap keeps a pointer to PageAllocator which
was provided from cppgc::Platform through the HeapBase ctor. This was
not generally safe: the platform is not enforced to be singleton. If it
happens to die first, then CagedHeap will have a stale pointer. The CL
fixes it simply by moving caged-heap initialization to
cppgc::InitializeProcess(), which already requires a constantly living
PageAllocator.
Bug: chromium:1338030
Change-Id: Ifb70a2db233ef36a99c919db09bed9ff9f3708ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3732107
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81422}
The class is dead code, and has not been used for years. I tried to
deprecate the class first, but this caused build errors on GCC [1].
That's why this CL just deletes the class. Deleting the class is okay
because this class was part of the original implementation of streaming
compilation. There is only a single embedder who uses streaming
compilation, which is Chrome, and Chrome switched to the new API
already years ago. If there were other embedders that use this class,
then this embedder would already have no working implementation of
streaming compilation for years.
R=adamk@chromium.org
Bug: v8:12926
Change-Id: I3342167245822cf8ee52d9632cba236fb1b0646c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714236
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81421}
This is a reland of commit c801d52924
perfetto::DynamicString was supported in perfetto very recently.
This CL failed earlier because latest perfetto was not rolled in
v8. Relanding it after rolling the latest perfetto in v8 (see
parent CL).
Original change's description:
> Refactor dynamic name to perfetto::DynamicString
>
> Recently perfetto introduced `perfetto::DynamicString` to allow clients
> to wrap dynamic event name strings. So that clients don't have to
> manually set event name inside trace lambda.
>
> With that:
>
> TRACE_EVENT("cat", nullptr, [&](EventContext ctx) {
> ctx.event().set_name(dynamic_name_str)
> });
>
> is simplified to:
>
> TRACE_EVENT("cat", perfetto::DynamicString{dynamic_name_str});
>
> In this change we are making use of perfetto::DynamicString to pass
> dynamic event name string.
>
> Change-Id: Ic6b501df67409d6faa4d60b59095ad0e79ce585e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716473
> Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
> Commit-Queue: Mohit Saini <mohitms@google.com>
> Cr-Commit-Position: refs/heads/main@{#81298}
Cq-Include-Trybots: luci.v8.try:v8_linux64_perfetto_dbg_ng
Change-Id: I70103606f397cd420a5dfccba703bee8962f822b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714946
Commit-Queue: Mohit Saini <mohitms@google.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Auto-Submit: Mohit Saini <mohitms@google.com>
Cr-Commit-Position: refs/heads/main@{#81420}
Only the parent of the continuation itself was updated. Also update the
parent of the suspender
R=ahaas@chromium.org
Bug: v8:12191
Change-Id: I06684548abe70f4bbda48c12e9e8adda84e1ec27
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3726293
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81419}
This change is only to get the API in place; the newly added functions
don't yet do anything.
Bug: v8:12808
Change-Id: Ic6a697d4f62c2b61761b2545dae6fcdf37653bbf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3681880
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#81418}
Fixes the test after a perfetto roll
Change-Id: Ib861edd1f87435b6bbc5e8b7599f118c72cc0776
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3732108
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81417}
Suppress a gcc array bounds warning in ComputeStackLimit, where we are
very intentionally accessing a location out of bounds.
Bug: chromium:1307180
Change-Id: If4b7ce182472a761f9f619824676e5e660b0277a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3732109
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81416}
When a receiver/closure is not used by a lazy deopt frame state, then
it cannot escape through the .getThis API. Therefore, it's safe to
dematerialize it.
Bug: chromium:1315901, chromium:1318126
Change-Id: I5cf9c30e8451a7af94d371162a94eb1ba0c9db4a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3726299
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81415}
In crrev.com/c/3714237, we changed the representation of constant
expressions in mjsunit wasm tests to byte arrays. This CL complements
this change by updating the output of --wasm-fuzzer-gen-test to the
new format.
Change-Id: I6a9d861b5abe13621ffd2ceb3a54863b0188b40c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3726294
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81414}
Changes for TF instruction selector will be pasted
in the CL comments and will get applied once all
relaxed opcodes have been implemented in codegen/liftoff.
Change-Id: I4f7e8263a8ae099e48034749846fadd82c6a7c49
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3723778
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#81413}
This remodels the tier-up checks on loop back edges to avoid
modifying the cache state by taking temp registers passed in
from the caller, and not causing the instance to get cached.
Additionally, this introduces FreezeCacheState scopes, which
allow us to enforce that certain ranges don't cause any cache
modifications. Conditional jumps require such a scope to be
around, which should help ensure that we don't forget to add
them to any future code we write.
Drive-by cleanup: drop {pinned} lists from a few Load helper
functions. They don't allocate registers (and shouldn't), so
they don't need to know about pinned registers.
Fixed: chromium:1339321
Change-Id: I1c7660418a85259e96c5e0dcfeaf12dab2114e8c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3724787
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81411}
This CL adds back a patch of Math.pow for correctness fuzzing, which
drops some precision and hides a difference on the fast path.
The same suppression was previously used on https://crbug.com/693426.
No-Try: true
Bug: chromium:1339320
Change-Id: Id52f25f8a2b6b5aeca956587b16a10c61aa68e36
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3726295
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81408}
Don't actually free memory as that would maintain free bytes accounting.
Instead, just write a filler that is reclaimed on next garbage
collection, updating counters.
Bug: v8:13000, chromium:1338687
Change-Id: I5339505160fde4b2f522a1a4212d23d7afc2b5f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3726292
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81407}
This CL introduces a compile flag v8_enable_inner_pointer_resolution_mb.
Behind it, it introduces a method `FindBasePtr` in `MemoryChunk`, which
implements inner pointer resolution using the chunk's marking bitmap.
This method is intended to be used for conservative stack scanning, to
resolve inner pointers to heap objects, at some point late in the
marking phase.
It also delays stack scanning during the marking phase of a full GC, to
ensure that marking has proceeded and most heap objects have already
been marked.
Bug: v8:12851
Change-Id: I40e291a86bb8d2587a2c1d9505574dde3c65eb16
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3703837
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81404}
Point to the same version as Chromium does:
http://shortn/_8kg7qPA03I
Bug: v8:13002
Change-Id: Ief1da2951499767e011cbf309f0ce99fea44ab22
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3726211
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81403}
The ExternalPointerTags are assumed to be compile-time constants in most
cases, so turning them into template parameters enforces that. As
decisions such as whether to use the per-isolate or the shared external
pointer table are encoded into the tag values, forcing those to be
compile-time constants guarantees that the compiler will be able to
inline the correct logic when accessing an external pointer.
With this, there are now two (high-level) ways of accessing external pointer fields from C++: the Read/WriteExternalPointerField methods
which require the ExternalPointerTag to be a template parameter, and the
ExternalPointerSlot class which takes the tag as an argument. The latter
is for example used for snapshot deserialization and by the garbage
collector (more generally, by the ObjectVisitor::VisitExternalPointer
method), where the tag is not a compile-time constant.
Finally, this CL also introduces a new ExternalPointerHandle type which
represents the (opaque) on-heap representation of a reference to an
entry in an ExternalPointerTable when sandboxing is enabled. Making this
its own type makes the code a bit more readable.
Bug: v8:10391
Change-Id: I867b8ce41d15d485f1dc66786f233c710c56afcb
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3720641
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81402}
is before a new nesting loop
This is probably a JumpLoop to loop nesting level 0 getting removed if
it's dead code. Add before a new nesting loop to break condition of
removing OSR code cache if deopt at inside of loop.
Bug: chromium:1330883
Change-Id: I010e3ca2adaafae8dcc606c49860ca0a70442952
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3713093
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Tao Pan <tao.pan@intel.com>
Cr-Commit-Position: refs/heads/main@{#81401}
- Change definition to macro-style to be able to assert that masks/tags
are correct.
- Split definition of shared/non-shared tags.
- Use bit 62 (for now) to indicate tags are shared.
Bug: v8:10391
Change-Id: Ia3ad6294cf5e6fd0c4dc2a328f976f295da762f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3726009
Reviewed-by: Samuel Groß <saelo@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81400}
Parameter of class UnoptimizedFrame and JavaScriptFrame was removed.
Change-Id: I37c43ff491f039820f40d60ed9ada43fd59e7c05
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3725613
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Tao Pan <tao.pan@intel.com>
Cr-Commit-Position: refs/heads/main@{#81398}
Since v8config.h already defines the related logic for OS detection, it
should be fine to move arch detection also there. The CL also makes
Oilpan use one of those macros to avoid discrepancy between the compiler
and custom macros (the discrepancy occurs for host tools, e.g. mksnapshot).
Bug: chromium:1336222
Change-Id: Ibe7d9116d27c3e816f4778fd4c149d8142d0f7a9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3726208
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81397}
And add a test to ensure we've caught them all and won't
forget any others in the future.
Change-Id: I9bed83ada1c8991eaf08af4b34d4ccda7dc0e600
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3724788
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81388}
The following flag combinations run into a CHECK in d8:
('--assert-types', '--stress-concurrent-inlining')
('--assert-types', '--stress-concurrent-inlining-attach-code')
All flags can be passed as clusterfuzz trials on d8 fuzzers and lead
to poor fuzzing outcomes. This lowers their probability as a
mitigation until a better solution is found.
No-Try: true
Bug: chromium:1336577
Change-Id: I63747bb0a466c01d2789fc76cb9232f7afe720f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3721382
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81387}
- Use the lowered 32-bit signature when linking the inlined and caller
graphs.
- Tolerate non-projection uses of Call nodes when linking the graphs.
These can be left over by Int64Lowering.
- Drive-by: Inline really small functions even if their call count is
low.
Bug: v8:12166
Change-Id: I5b472d3f617f2f23820a5d142102c0a6c5c769dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3720715
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81386}
It is no longer necessary to postpone the allocation of backing stores
to avoid triggering GC. As such, the logic around ArrayBuffer
deserialization can be simplified.
Bug: v8:10391, v8:11111
Change-Id: I7410392a6e658cd4be77e2192483c6d412b63412
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3717982
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81384}
