This is a reland of 7c42628676
Original change's description:
> [heap] Use normal marking write barrier for fixed array elements
>
> This simplifies the marking write barrier for elements to mark the
> values instead of revisiting the array.
>
> Bug: chromium:918485
>
> Change-Id: Id5da0d5b9ff8385a256fe14f4bf7171f9f6343e1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588459
> Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61125}
Bug: chromium:918485
Change-Id: I8075e0333b3a05bc6193eb4bc030bfdcd72e64d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593088
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61170}
This fixes a memory leak.
Bug: v8:9191, v8:7790
Change-Id: I0df49cd3a6791600638a67b4b7ad9687562e500b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588426
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61166}
This adds the next step to freeing code: We free the actual C++
{WasmCode} objects. This will cause UAF if any C++ code uses stale
references.
The underlying machine code will still not be freed.
For simplicity, this CL changes the vector of owned_code to an ordered
set, such that lookup and removal is much simpler. The drawback is that
insertion is now more expensive.
R=mstarzinger@chromium.org
Bug: v8:8217
Change-Id: I07fc81167816637fbaad6c06ff79e3f952f2fde8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593080
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61165}
This reverts commit b0c4a8764b.
Reason for revert:
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/26470
Original change's description:
> [json] Speed up json parsing
>
> - scan using raw data pointers + GC callback
> - scan using scanner tables
> - cap internalizing large string values
> - inline fast transitioning logic
>
> Fixes previous CL by moving AllowHeapAllocation to callers of
> ReportUnexpectedCharacter where needed to make it clear we need to exit.
>
> Tbr: ulan@chromium.org
> Change-Id: Icfbb7cd536e0fbe153f34acca5d0fab6b5453d71
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1591778
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61159}
TBR=ulan@chromium.org,ishell@google.com,ishell@chromium.org,verwaest@chromium.org
Change-Id: Ibe823e187d9ab999be7278140b0ed31868440e9e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593090
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61163}
Change-Id: I626e26fa2e1486365c858f3fc616422199242f5b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588422
Auto-Submit: Georg Neis <neis@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61162}
We won't remove the jump table for performance reasons. That would
complicate a lot of code and remove options for tiering and code
aging.
Thus remove the TODO.
R=titzer@chromium.org
No-Try: true
Change-Id: Ifbbfdeeeb17078feaea4f358169bc5943ba09ddb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593089
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61160}
- scan using raw data pointers + GC callback
- scan using scanner tables
- cap internalizing large string values
- inline fast transitioning logic
Fixes previous CL by moving AllowHeapAllocation to callers of
ReportUnexpectedCharacter where needed to make it clear we need to exit.
Tbr: ulan@chromium.org
Change-Id: Icfbb7cd536e0fbe153f34acca5d0fab6b5453d71
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1591778
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61159}
The problem is with element kinds transitions without going through
runtime (i.e., IC or optimizing compiler).
Bug: chromium:952682
Change-Id: I6fe2bb30a0ea6fecb8f6e0750427cc50cc50f9e1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593083
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61158}
- Add missing uses of MapInference::NoChange.
- Insert map checks even if inferred maps were reliable, because
they were inferred for an earlier effect input.
Bug: chromium:958420, chromium:958350, v8:9197
Change-Id: Id7677b1fc6f1e09dc12ae178f1155e4245b4e3e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593077
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61157}
Replace the unsafe function NodeProperties::HasInstanceTypeWitness
with a new safe method on MapInference.
Bug: v8:9197
Change-Id: I937433c7721946139dc761750ea34032e58e275c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1591612
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61156}
R=jarin
Change-Id: I36d4952f351cfa428532cfd56ecbb10c9fe3d39a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588469
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61154}
The "stress_background_compile" variant runs on all our bots. We
combine it with testing wasm code GC (which kind of fits into
background compile stressing) to get more coverage for that. Both
features are orthogonal, so we can test both at the same time without
loosing any coverage.
R=machenbach@chromium.orgCC=rmcilroy@chromium.org
Bug: v8:8217
Change-Id: Ib17decd4869978ff98e302694fa73d70ceec120e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588472
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61151}
Fixes several warnings reported for internal repo by:
* using vector::empty instead of vector::size() == 0
* removing redundant return; at the end of a function
* making operator= return OriginalType&
Bug: v8:9183
Change-Id: I8c725bd7b0bc011557fb2bb68a561ee413ab38f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1589978
Auto-Submit: Dan Elphick <delphick@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61149}
With bytecode flushing and lazy feedback allocation, we need to call
%PrepareForOptimization before we call %OptimizeFunctionOnNextCall
Bug: v8:8801, v8:8394
Change-Id: I1f84477a8cef27b4cff61b54daf6fe1a9e5f8e76
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1591775
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61148}
The index is an {int} initially. We then store it as {intptr_t}, and
the accessor returns it as {size_t}.
This CL consolidates everything to {int}, fixes naming of
{HasTrapHandlerIndex} and defines the simple accessors inline.
R=titzer@chromium.org
Bug: v8:9183
Change-Id: I1afa792117201d4dda3fcc437a4e518489b9ff17
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1590079
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61146}
Port 18c29ab939
Original Commit Message:
Port ed319e841c
Original Commit Message:
Failure addressed by not exposing the new test to the jitless environment.
(jgruber@ on TBR).
New enum RelocInfo::COMPRESSED_EMBEDDED_OBJECT created to support
compressed pointers in generated code. Enum name EMBEDDED_OBJECT
changed to FULL_EMBEDDED_OBJECT.
RelocInfo::[set_]target_object() abstract away the difference between
FULL_EMBEDDED_OBJECT and COMPRESSED_EMBEDDED_OBJECT.
Compressed embedded objects can only be created at this time on
x64 with pointer compression turned on. Arm64 constant pools don't
support compressed objects at this time.
R=miladfar@ca.ibm.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: I97ef9b7394f384c2a1b97aab9fdac0eeb80eb734
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1591993
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#61143}
Port 0875682600
Original Commit Message:
Port 4b0f9c856e
Original Commit Message:
Our {Vector} template provides both {start} and {begin} methods. They
return exactly the same value. Since the {begin} method is needed for
iteration, and is also what standard containers provide, this CL
switches all uses of the {start} method to use {begin} instead.
Patchset 1 was auto-generated by using this clang AST matcher:
callExpr(
callee(
cxxMethodDecl(
hasName("start"),
ofClass(hasName("v8::internal::Vector")))
),
argumentCountIs(0))
Patchset 2 was created by running clang-format. Patchset 3 then
removes the now unused {Vector::start} method.
R=miladfar@ca.ibm.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: Ief052e7655ede161504cf058eddd81714e6e5929
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1590168
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61142}
This is a reland of 9284ad5731, after
adding a missing speculation mode check in ReduceCallApiFunction.
Original change's description:
> [turbofan] Avoid raw InferReceiverMaps in JSCallReducer
>
> Instead provide an abstraction that makes it hard to forget
> dealing with unreliable maps.
>
> This also fixes a deopt loop in Function.prototype.bind and
> one in Array.prototype.reduce.
>
> Bug: v8:9137
> Change-Id: If6a51182c8693a62e9fb6d302cec19b4d48e25cb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578501
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61106}
Tbr: jarin@chromium.org
Bug: v8:9137, v8:9197
Change-Id: I0db68d267055969553c0c1b85fad7b909075c062
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1589976
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61140}
Wasm compilation units got smaller and smaller with recent refactorings
(https://crrev.com/c/1587386, https://crrev.com/c/1587387,
https://crrev.com/c/1587388, plus previous CLs).
They now only store a function index and the requested compilation
tier. Hence there is no reason any more to heap-allocate them.
This CL changes the compilation unit queues and interfaces to store and
pass compilation units by value. Methods that could return an empty
{unique_ptr} before are now returning a {base::Optional}.
R=mstarzinger@chromium.org
Bug: v8:8343
Change-Id: I63037156b1a700095c13010450e5fedb51544401
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588456
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61133}
This is an extension of 138d2dfcb1.
Change-Id: Icb10aab6e6799ab4f45dcbd26fc69206dbef29bb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588430
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61131}
This reverts commit 7c42628676.
Reason for revert: Compile error on cfi: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20-%20cfi/20196
Original change's description:
> [heap] Use normal marking write barrier for fixed array elements
>
> This simplifies the marking write barrier for elements to mark the
> values instead of revisiting the array.
>
> Bug: chromium:918485
>
> Change-Id: Id5da0d5b9ff8385a256fe14f4bf7171f9f6343e1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588459
> Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61125}
TBR=ulan@chromium.org,hpayer@chromium.org,mlippautz@chromium.org
Change-Id: I8576fe00b19db906aa80ca9cb54c3b8cc95e3d97
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:918485
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1590076
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61128}
TraceIC always expects a valid feedback vector to check for state
transitions. With lazy feedback allocations, it is possible that we don't
have feedback vectors. This cl fixes TraceIC to also work when there is no
feedback vector.
Bug: v8:8394
Change-Id: If7e40a9f16de7415e04a812440ccc0cfcf1cbc07
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1584322
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61126}
This simplifies the marking write barrier for elements to mark the
values instead of revisiting the array.
Bug: chromium:918485
Change-Id: Id5da0d5b9ff8385a256fe14f4bf7171f9f6343e1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588459
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61125}
Remove unused function {UseLazyStubs}. Lazy compile stubs are now set on
a per function basis. This made the function {UseLazyStubs} redundant.
Change-Id: I8e715d6a9774c39841219c04c42364fc2e964569
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588473
Commit-Queue: Frederik Gossen <frgossen@google.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61124}
Port ed319e841c
Original Commit Message:
Failure addressed by not exposing the new test to the jitless environment.
(jgruber@ on TBR).
New enum RelocInfo::COMPRESSED_EMBEDDED_OBJECT created to support
compressed pointers in generated code. Enum name EMBEDDED_OBJECT
changed to FULL_EMBEDDED_OBJECT.
RelocInfo::[set_]target_object() abstract away the difference between
FULL_EMBEDDED_OBJECT and COMPRESSED_EMBEDDED_OBJECT.
Compressed embedded objects can only be created at this time on
x64 with pointer compression turned on. Arm64 constant pools don't
support compressed objects at this time.
R=mvstanton@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: I8bdb5391fd2b2565d2fcaf6c806fcdbe1a1f27b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1589862
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#61123}
With bytecode flushing and lazy feedback allocation, we need to call
%PrepareForOptimization before we call %OptimizeFunctionOnNextCall
Bug: v8:8801, v8:8394
Change-Id: I81918f174b2f97cbaa8b8ef2e459080c2581f535
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588415
Commit-Queue: Mythri Alle <mythria@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61122}
Relative code targets are emitted as pc-relative jumps. The
relocation delta must be subtracted (not added) from the branch
offset.
Before GC:
|-------- branch offset --->|
[host code object] [target code object]
After GC:
|- delta ->| |- new offset -->|
[host code object] [target code object]
See also the similar fix for mips in https://crrev.com/c/1581239.
Bug: v8:6666
Change-Id: Ie0867d98906d4a8daa7e335884f7a4d814333872
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581260
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61121}
