This includes the class name of the target object as part of the
description for Proxy objects, i.e. `Proxy(HTMLElement)` for proxies
whose targets are `HTMLElement`s. This greatly improves the debugging
experience with proxies, which are becoming more common these days (for
example with Vue using proxies for their components).
Before: https://imgur.com/SbR4s6H.png
After: https://imgur.com/NWQJFj8.png
Fixed: chromium:1400253
Change-Id: I3bd2b0f91a3aeaa531d5e5dd2ca3e777e4663ba1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4109729
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84864}
Before this change, the mutation order of js-fuzzer was hard-coded
and always executed in the same order. This e.g. prevents certain
mutation interactions. E.g. in the typical V8 pattern:
%Prep(foo);foo(N);foo(N);%Opt(foo);foo(N);
This gets typically inserted by the FunctionCallMutator, but none
of the arguments N would get mutated later, since e.g. the
NumberMutator is executed earlier.
This change adds an experiment that makes the top-level mutation
flow more flexible. With a probability of 20% each we now also:
- Shuffle the different mutators.
- Run a few random extra mutators after the first round.
We annotate the output files with comments if the experiment was
chosen to easier analyze later if interesting new bugs were found.
Change-Id: I581d43b41a8e1d87ff1e8cab435a1b6e834db0f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096477
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Liviu Rau <liviurau@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84863}
The current version of CloneAndInlineBlock assumes that the inlined
block is a direct predecessor of the currently reduced block. With
recent Return reductions implemented in branch elimination that's no
longer the case, as we're looking one edge past the current block.
Bug: chromium:1399626
Change-Id: I2ce23672c0e33b2857a4663d8e7ad5ed1df3c20e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4097125
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84862}
The stack slot index in maglev is the offset from the frame pointer, so
it is always negative.
Storing it as an unsigned 32-bit integer causes issues when the value is
used as a 64-bit int (preventing sign extension).
Bug: v8:7700
Change-Id: I0c64fc8c96f72507f02b870155f2fe7655485894
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4107388
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84860}
When taking over large pages from another heap, allocated limits in
MemoryAllocator need to updated as well.
Bug: v8:13267, chromium:1401077
Change-Id: I2ef349578de34ff697a5fa76da17870fa171df95
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4108649
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84859}
This reverts commit 27c561617f.
Reason for revert: Causes some benchmarks to fail.
Original change's description:
> [d8] Do not dispose isolate in quit()
>
> With --shared-space the main isolate has to be disposed last, so we
> can't really dispose the main isolate while worker isolates are
> still running without violating our invariants.
>
> Solve this by not invoking Isolate::Dispose() for `quit()`.
>
> Bug: v8:13267, chromium:1400810
> Change-Id: Id9d6288c62d9c03d5c2f40c52efd0ac6422ac822
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4106751
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84846}
Bug: v8:13267, chromium:1400810
Change-Id: I51559ffdb0bbbd870de3f33f65812cb9056636b4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110648
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84858}
marking_barrier_type_ wasn't initialized in MarkingBarrier's ctor.
With --shared-space and enabling incremental marking in the shared
heap this could lead to the load of an uninitialized value in
`is_minor` in the DescriptorArray write barrier.
The write barrier was also not using the right value for old_marked
when both minor and shared incremental marking were enabled.
Bug: v8:13267, chromium:1400730
Change-Id: Ibd682b9baba333ce16af028e4f66aefb6c8aaea7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4108028
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84855}
The comparison of an external pointer used `kRef` here which is the
ValueKind for Wasm GC references. As those references are only 32 bits
on pointer-compressed builds, a 32-bit-comparison is used.
(This was introduced with change https://crrev.com/c/4016816.)
If the pointer has the 32 least signficant bits zeroed out, it assumes
that the callref target is a WasmJSFunction looking in the code table
for this index for the JS function. As it is a wasm function, it has a
trap handler registered there causing the call to trap instead.
Fix: v8:13534
Change-Id: I35474e1eaeeefff3cbe5bec9c6ede470688a0ce6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4106850
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84853}
MSVC does not have cxxabi.h. Also, MSVC does not need demangling in this case.
Bug: v8:10572
Change-Id: I27f2335ba6cb2bb35132bad23ce95b78b66cd3fa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4103520
Commit-Queue: Choongwoo Han <choongwoo.han@microsoft.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84851}
Add paths to named and keyed loads with empty feedback (distinct from
insufficient feedback), which signals that this is a megamorphic load
(cf. ShouldUseMegamorphicLoadBuiltin in js-generic-lowering.cc).
Bug: v8:7700
Change-Id: Ic32980f9217a7f1a3e44cc40444edf002cf4e6f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4106848
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84849}
Since its introduction (behind a compile-time flag), conservative stack
scanning was disabled by default on tests. This CL inverts this logic,
enabling CSS by default for all tests that do not define an explicit
scope to disable it.
Bug: v8:13257
Change-Id: I5ea4249d02f69b0b1e195415c2562daf5d8c0ea9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4100912
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84848}
... and the necessary IR nodes to test a simple
program: `"abc".charCodeAt(1)`
Bug: v8:7700
Change-Id: Ia670d8a44f39f4a0b8312d69d7d3f64cbc2b6831
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4106748
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84847}
With --shared-space the main isolate has to be disposed last, so we
can't really dispose the main isolate while worker isolates are
still running without violating our invariants.
Solve this by not invoking Isolate::Dispose() for `quit()`.
Bug: v8:13267, chromium:1400810
Change-Id: Id9d6288c62d9c03d5c2f40c52efd0ac6422ac822
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4106751
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84846}
Add gen-static-roots.py to conveniently re-generate the static roots
table when it needs changing.
Additionally, ensure the first read-only page is allocated as first page
during mksnapshot, to move static roots closer to start.
Bug: v8:13466
Change-Id: Ie72b64d0ad0dd3e5fccd3b41e8ed00a4a55a0033
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096481
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Olivier Flückiger <olivf@chromium.org>
Commit-Queue: Olivier Flückiger <olivf@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84844}
Since it (currently) needs to find the JumpLoop bytecode.
See comment in line 645.
Fixed: chromium:1400549
Bug: v8:7700
Change-Id: If73a9c8d2f5a85cceded34cdf1aa7b5895937990
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4103683
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84840}
The CL applies multiple changes:
1) Reverts back to using std::vector<> for young nodes. Distinguishing
between young and remembered nodes is still needed to allow fast
filtering.
2) Adds the has-old-host flag to TracedNode, which is used to remember a
node.
3) Adds bailouts for old objects into UnifiedHeapMarkinState and
ConservativeTracedHandlesMarkingVisitor.
Bug: v8:13475
Change-Id: Ib296ece9df6f783bb3d47ffa0794be16e6c1aea8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4080386
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84839}
If the current active tier is already Turbofan, then
we just return to JumpLoopPrologue codegen to deopt.
Fixed: v8:13585
Bug: v8:7700
Change-Id: Idf8f4990e8dfea9e9fd6e3378e15110ec09b1896
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4104623
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84838}
- Force using the isolate from VMState
- Mark all fields as const to allow for better code
Change-Id: I5538f615e22569dc365dbb0d1482138311932575
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4098629
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84837}
We should not enter V8 if it's marked for termination.
Bug: chromium:1382710
Change-Id: Ic58f7c7b32614431dce04e2429c60dd79040ec43
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030476
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84834}
- Both Call and CallKnownJSFunction are now architecture independent.
- Introduced PushReverse to push arguments.
- Added support for iterators to Push/PushReverse.
- Added RepeatIterator helper to push the same value N times.
Drive-by: Implement load/store from/to stack slot and double registers.
Bug: v8:7700
Change-Id: I4f995ded7e95b79d8c8c3d7b2ffd373f51e631d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4085006
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84833}
This CL adds support for BigIntEqual in turbofan and collects type
feedback for small BigInt equal and strict equal in ignition.
Bug: v8:9407
Change-Id: I29cbc4d3bdfe9fcde8c1717afe83654a84c25c36
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096557
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#84832}
With --shared-space we need the write barrier for incremental
marking.
Bug: v8:13267
Change-Id: I7fb6e6de0f793824f3c27b8ec3c29cba39901188
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4103241
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84831}
This is a reland of commit 303facf5e1
This CL fixes DCHECK failures by using BasicMemoryChunk in
RecordOldToSharedSlot.
Original change's description:
> [heap] Also promote strings in large objects into shared heap
>
> With --shared-string-table all in-place internalizable strings are
> directly promoted from new space into the shared heap. However, this
> wasn't the case with large objects. This CL fixes this and adds test
> to guide fuzzers.
>
> Bug: v8:13267, chromium:1400048
> Change-Id: I6f850d480956c63bfbe1a7060140df850e284933
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096818
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84805}
Bug: v8:13267, chromium:1400048, v8:13588
Change-Id: I221592ec723d2b5e92094ff2598a99576d72a677
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4098831
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84830}
Reflect the code attribution (in particular, "attribute non-functions to
JS functions") in the timeline view, which visualises the distribution
of each code kind. This allows easier visualisation of which tiers are
active, ignoring stubs that are shared between tiers (like ICs).
Change-Id: I1f2818ffd4e466ce18c01627865186e6a94e2bed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4105021
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84829}
After computing the branch offset but before emitting the actual branch,
we should not emit a constant pool. Otherwise the previously computed
offset would be off.
Instead of handling this indirectly via the Assembler::branch_offset
method, do this directly in the Assembler::b method (and friends), so it
is not missed on other call sites.
R=jkummerow@chromium.org
Bug: chromium:1399424
Change-Id: I0cbb219ced5b671001a296b1cc7c339f395abffe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4102800
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84828}
Currently, any session can resume instrumentation breaks by sending
Debugger.resume command. That can lead to unreliable breakpoint
placement because sessions can resume too early.
The early resumption can happen in two ways:
- When we have two instrumented sessions, the first one to resume
can prevent the other one from setting its breakpoints
before executing the code.
- With one instrumented session and one without instrumentation
breakpoints, the uninstrumented session's Debugger.resume
command can resume the instrumentation pause before the
instrumented session can set its breakpoints.
This patch fixes both of these issues by changing the instrumentation
pause resumption logic to take note of the sessions that were notified
about the instrumentation breakpoints. The debugger will only resume
once all those sessions resume (or disconnect).
Bug: chromium:1354043
Change-Id: I84cf16b57187dbb40645b2f7ec2e08f0078539dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4100466
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84827}
This CL adds v8::ArrayBuffer::NewResizableBackingStore.
This API is needed to support Mojo cross-process serialization of
resizable buffers. See https://chromium-review.googlesource.com/c/chromium/src/+/4086949
Bug: chromium:1396361, v8:11111
Change-Id: I1d3ad367f28015184fd80fd2f05a37a3659d3a66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4093555
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84826}
Asm.js code (translated to Wasm) is valid by design, do not try to
validate it.
This is achieved by fully populating the {validated_functions} bitset
for asm.js modules. To make this safe(r) we do not allow to change the
origin or a WasmModule after initialization, which requires some
refactoring mostly in tests.
R=ahaas@chromium.org
Bug: v8:13447, v8:13565
Change-Id: I174c01f13185ff4117b02882b953c6ba29a3644d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4100686
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84824}
There were compile errors when building v8 with v8_enable_precise_zone_stats = true.
../../src/zone/type-stats.cc:30:24: error: no type named 'Free' in namespace 'v8::base'
if (buffer_) base::Free(buffer_);
../../src/zone/zone.h:255:3: error: use of undeclared identifier 'stdd'; did you mean 'std'?
stdd::atomic<size_t> freed_size_for_tracing_ = {0};
Bug: v8:10572
Change-Id: If1035edc99eff05c418e0bc65de8a8729f75e30f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4098379
Commit-Queue: Choongwoo Han <choongwoo.han@microsoft.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84822}
This is necessary to allow running GC epilogue callbacks after a
GC in the safepoint. Handle dereferences are allowed even if that
particular thread is parked. They may generally also happen from a
different thread than expected by DCHECKs in the case shared GCs
combined with multiple main threads.
This CL solves this issue by adding an additional assertion scope
that can temporarily allow such derefs for running the callbacks.
Unlike other assert scopes the new assert scope is disabled by
default.
Bug: v8:13267, chromium:1399379
Change-Id: Ibc741ad6bebb740cf24ae8be116d770f62ae6481
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4100826
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84821}
According to the style guide, field definitions should be the last thing
in the private section.
R=ahaas@chromium.org
Change-Id: I2b0890b7f5f5c8a9a19213a80c400bd9db080a05
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4097429
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84820}
AffectedFile.LocalPath returns a path with backward slashes in Windows. Update the presubmit script to handle this case properly.
Bug: v8:13582
Change-Id: Iabc46ded5a8448e5d373679162108f94846c06e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4099007
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Choongwoo Han <choongwoo.han@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#84819}
Build mode for serializing the read only heap as a memory dump in the
startup snapshot. This makes compressed pointers of root objects
statically known at mksnapshot time.
This CL also adds a feature to mksnapshot to dump the static addresses
to a C++ header file. This will allow us to use these addresses in the
future.
The mode is disabled for now since we need some build infrastructure
first to conveniently re-generate the table when the layout changes.
Bug: v8:13466
Change-Id: I975b15bd89fedf713fb7d12b4929935ece78139d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4056181
Commit-Queue: Olivier Flückiger <olivf@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84815}
