Collect feedback for BigInt64 in interpreter and change the runtime
for BigInt64 addition.
Bug: v8:9407
Change-Id: Ic69ba2c1f5ada998ac5ee3279e8296efe084d600
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3909809
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83419}
MSVC is confused by initializer list and default parameter, and reports
an ambiguous call.
test/cctest/test-assembler-arm64.cc(12208): error C2668: 'v8::internal::Clobber': ambiguous call to overloaded function
test-utils-arm64.h(251): note: could be 'void v8::internal::Clobber(v8::internal::MacroAssembler *,v8::internal::CPURegList)'
test-utils-arm64.h(241): note: or 'void v8::internal::Clobber(v8::internal::MacroAssembler *,v8::internal::RegList,const uint64_t)'
Solution is to construct with explicit type.
Bug: v8:13312
Change-Id: I66f5ba48bcdf6eb30035beaf7214a3d26fc9f18b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3913034
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83406}
Array#with and TypedArray#with adapt their arguments because they have a
fixed arity of 2. Builtins that adapt arguments shouldn't use
...arguments in Torque, which results in a "don't adapt" sentinel to be
generated, resulting in incorrect frame size computation.
Bug: v8:12764, chromium:1367133
Change-Id: I81c1ef2cdef25d049fa0b8effcb2a953c2a9846b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3915939
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83405}
clang/clang-cl compiled happily (probably included transitively this
header), but not MSVC.
Bug: v8:13312
Change-Id: I69b6c15f76d8ef13e4fac33f733717429ba96f71
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3913033
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83402}
This aligns the breakpoint behavior of YieldExpression and
AwaitExpression with the behavior of AssignmentExpression
in V8. It basically boils down to not reporting expression
positions on SuspendGenerator bytecodes as breakable
locations.
In particular the initial implicit yield of any generator
function is no longer a breakable position. In light of
this changes we also refine https://crrev.com/c/2949099
to not be able to step to the initial implicit yield
either, which would otherwise be really odd.
Before: https://imgur.com/KYy9F1S.png
After: https://imgur.com/gCnWU8J.png
Doc: https://goo.gle/devtools-reliable-await-breakpoints
Bug: chromium:901814, chromium:1319019, chromium:1246869
Fixed: chromium:1319019, chromium:1357501
Change-Id: I0c5f83e279918eb392d8f77a8a04c4c0285f938e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3909688
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83392}
This is a reland of commit 80fb281561
This CL fixes the signedness of rematerialized Numbers from immediates, which was introduced by the original change. Besides, BigInt truncation to zero bits is lowered to Int64Constant instead of NumberConstant of zero, which will flow into the state values directly.
Original change's description:
> [turbofan] Rematerialize BigInt64 in deopt
>
> This CL introduces two MachineTypes - SignedBigInt64 and UnsignedBigInt64, which are represented as Word64 but will be rematerialized to BigInt in deoptimization. This will avoid unnecessary conversions for BigInt64s when they are passed to StateValues.
>
> Bug: v8:9407
> Change-Id: I65fdee3e028ed8f9920b1c20ff78993c7784de48
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858238
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Commit-Queue: Qifan Pan <panq@google.com>
> Cr-Commit-Position: refs/heads/main@{#83230}
Bug: v8:9407, chromium:1364319, chromium:1364400
Change-Id: I0b4e077b52f64af46018b6c045893bbd56153f32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899258
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83384}
V8-side implementation for trusted types fromLiteral.
Create a separate JSArray root map for template literal objects to
clearly identify untampered template literals belonging to a given
context.
Given that template literals are frozen arrays with a 'raw' property,
we don't expect additional polymorphism.
Drive-by-fix:
Avoid ValidateElements call in NewJSArrayWithElements.
Bug: chromium:1271149
Change-Id: I327b0fd99a2db3b57d35efa9293ddf2f14e555ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3572044
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83383}
We set the JSArray's length to the elements's length before,
which is wrong when the elements have the slack part. We could
serialize the correct length and only the actual elements excluding
the slack part for JSArray's elements. And we do the same thing
for the objects to avoid serializing unnecessary elements.
Bug: v8:13304
Change-Id: Ib68e06f409bfcab5c57fb5532e188aa0099d1140
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905061
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83380}
We don't remove the code just yet in case we need to re-enable the
feature. This could be in case we discover workflows not covered by
the "Scope View" and the scopes we report on "Debugger.paused".
R=kimanh@chromium.org
Bug: chromium:1365858
Change-Id: I636cc861af932156944a3f6e0a149cce0f939329
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905185
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83379}
This reverts commit 2a7f86edcb.
Reason for revert: Blocking the roll (https://ci.chromium.org/ui/p/chromium/builders/try/mac-rel/b8802346196479466065/test-results?q=ExactID%3Aninja%3A%2F%2Fgin%3Agin_unittests%2FGinShellTest.HelloWorld+VHash%3A46648b293475ce2a&clean=)
Original change's description:
> Reland "[v8] Use |AllocateAtLeast| for resizing v8 zones."
>
> This is a reland of commit 4444874cdf
> This fixes a failure on the UBSan bots caused by assuming |Realloc| is always in-place if the new size is <= the value of |malloc_usable_size|.
>
> Original change's description:
> > [v8] Use |AllocateAtLeast| for resizing v8 zones.
> >
> > This is part of an ongoing effort to reduce fragmentation in Chrome. Partition alloc shows v8 zones are a large user of memory in Renderer processes, and that there is fragmentation from these allocations. This CL will reduce this fragmentation by allowing v8 to use all allocated memory for its zones.
> >
> > Bug: v8:13193, chromium:1238858
> > Change-Id: Ibeac8bdba9d0e7ff66b14a3dde10e7c87d3cf953
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3889361
> > Reviewed-by: Adam Klein <adamk@chromium.org>
> > Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
> > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#83235}
>
> Bug: v8:13193, chromium:1238858
> Change-Id: I923bcbce8403dd7d84642340fd7202087b8a4440
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3910268
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83372}
Bug: v8:13193, chromium:1238858
Change-Id: I32f9c4701a29c0516e3f587f1c6028e4d4158466
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3909358
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83378}
Blink has shipped import assertions since M91, so it is safe enough to
go straight to shipping here.
Bug: v8:10958
Change-Id: I3256172473a1ae8ce74e7fa63b14137e24568360
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3911378
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83373}
This is a reland of commit 4444874cdf
This fixes a failure on the UBSan bots caused by assuming |Realloc| is always in-place if the new size is <= the value of |malloc_usable_size|.
Original change's description:
> [v8] Use |AllocateAtLeast| for resizing v8 zones.
>
> This is part of an ongoing effort to reduce fragmentation in Chrome. Partition alloc shows v8 zones are a large user of memory in Renderer processes, and that there is fragmentation from these allocations. This CL will reduce this fragmentation by allowing v8 to use all allocated memory for its zones.
>
> Bug: v8:13193, chromium:1238858
> Change-Id: Ibeac8bdba9d0e7ff66b14a3dde10e7c87d3cf953
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3889361
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83235}
Bug: v8:13193, chromium:1238858
Change-Id: I923bcbce8403dd7d84642340fd7202087b8a4440
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3910268
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83372}
This CL implements collection of garbage in the shared spaces in
the shared heap isolate. GC on such an isolate should now work
correctly without worker isolates. Support for worker isolates will
be implemented in a subsequent CL.
Bug: v8:13267
Change-Id: I30125ce3b791e2faa0504d065f23639d6106e6b6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904647
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83371}
- Use non-idle tasks to be able to process finalizers on time.
- Only process finalizers while concurrent marking is still running.
Bug: v8:13294
Change-Id: I1a2812c3fc350ea679c4c916c230cf736f2aa3ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904648
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83367}
There is no -0n, and we'd therefore never serialize such a BigInt.
But we can't trust serialized data to not have gotten corrupted
(or be fuzzer-generated), so guard against this case when
deserializing.
Fixed: chromium:1359937
Change-Id: If11d9a364480bae51911cc4a0ce8a719853139fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904414
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83362}
This test breaks when interrupts occur with unfortunate timing. Maglev
increases flakiness of this test since finished Maglev compiles all
raise a new interrupt (and interrupts abort-and-retry regexp
execution).
Disable concurrent recompilation for this test, and drive-by fix the
--trace-regexp-tier-up flag.
Bug: v8:7700
Change-Id: I170c911fe2308b0b5ad9941e695f11f8925455f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904604
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83359}
Correct the test expect result as the spec specifies the accumulator is 2*SEW
bits. Fix the simulator implementation as well.
R=qiuji@iscas.ac.cn
Change-Id: Ia5d11b3214cf32635c3767df75992b2a50ee6980
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878452
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#83354}
Correct the arguments for std::fma() to double as the instruction expects
both addend and destination are 2*SEW bits wide. Addressed corresponding
implementation in the simulator as well.
R=qiuji@iscas.ac.cn
Change-Id: Ib3963a61c00ee9dc73af019574a1665de406cc32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878448
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#83353}
1. Correct the return type of RoundTowardsZero to fix issue with
double value > 2^64
2. In TemporalDurationToString:
a. Use std::fmod instead of % to get the remainder
b. Use extra xx_add variables to hold additional value which may
overflow the double during computation.
c. Use BigInt for days if the value is too large for double
to ensure the precision.
3. Add tests with Number.MAX_SAFE_INTEGER
and Number.MAX_VALUE in values for Duration toJSON in mjsunit
Bug: v8:11544
Change-Id: Icac4f669ed1c591e947b51c82dd48bdef7a6db6e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3900813
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83344}
This change allows to put Wasm structs / arrays into prototype
chains. While this isn't particularly useful (as any access lookup
on the wasm object will throw a TypeError), there isn't any reason
not to allow it.
Bug: v8:7748
Change-Id: I81cf709d2e8403b545bbba9ad9c538c1e9748c74
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3901979
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83329}
If a shift right is performed with a negative value <= -32,
it may not be reduced to a 32 bit shift.
The reduction optimization was introduced by commit
2298b35f7c.
Fixed: v8:13290
Change-Id: Ifb16ed85560ab54d211ebb407690abe2c156e3a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905143
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83324}
Array.prototype.group and Array.prototype.groupToMap have an optional
thisArg, which is currently not passed.
Bug: v8:13301, v8:12499
Change-Id: Ib927638401d39ed0cbcc0595ab41fde328ef43cc
Fixed: v8:13301
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905934
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83323}
This CL adds a test that checks the block list for outer functions is
also correctly calculated when pausing in inner functions.
R=kimanh@chromium.org
Bug: chromium:1363561
Change-Id: I2d7c1671475759b977e4e41c7e09856b3b2e7daf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904308
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83319}
We currently use 1 test case per file for tests that check that
debug-evaluate correctly blocks the lookup of stack-allocated
variables.
This CL adapts a similar approach to `debug-scopes.js`, making it
easier to add new test cases in the future.
R=kimanh@chromium.org
Bug: chromium:1363561
Change-Id: I8ff8cfe7d59f0b9808dc02c5579e058f490553eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904544
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83315}
Allow non-registered symbols as keys in weakmap and weakset.
Allow non-registered symbols as target and unregisterToken in
WeakRef and FinalizationRegistry.
Bug: v8:12947
Change-Id: Ieb63bda66e3cc378879ac651e23300b71caed627
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865056
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83313}
The hoursInDay could be fractional number on the date of changng
daylight saving time for time zone in half hours or some historical time
zone.
Ex: Australia/Lord_Howe on Sunday, April 3, 2022, 2:00:00 am clocks were
turned backward 0:30 hours to Sunday, April 3, 2022, 1:30:00 am local
standard time instead. so that day will have 24.5 hours.
On Sunday, October 2, 2022, 2:00:00 am clocks are turned forward 0:30
hours to Sunday, October 2, 2022, 2:30:00 am local daylight time
instead. So the hoursInDay for that day is only 23.5 hours.
Historically, Singapore from 1933 to 1941 moved clocks forward 20 minutes for daylight savings, resulting the day in 24.33333 and
23.66667 hours.
Test covered in https://github.com/tc39/test262/blob/main/test/staging/Temporal/ZonedDateTime/old/dst-properties.js
Change the return type from MaybeHandle<Smi> to MaybeHandle<Object> so
we can return non integer value. Also change the method of division by
first convert the value to second in BigInt, then divid 3600 (number of
seconds in a hour) in double.
Bug: v8:11544
Change-Id: Ia69d2606cd832e51f415a00440fb9cbc236883e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3901619
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83311}
Refactor the interface between intl and Temporal and pass
the nanosecond in BigInt to intl. Approximate the nanoseconds
to the correct close by millisecond depending on the usage
before calling ICU API and convert the result millisecond into
BigInt in nanosecond before return from intl.
Remove Maybe for function always complete.
Bug: v8:11544
Change-Id: Icc471b80312c513c9415b690804aa624df4a387d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3897165
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83310}
