Commit Graph

30991 Commits

Author SHA1 Message Date
Qifan Pan
5dfa2195fc [js-perf-test] Benchmark BigIntAdd without turbofan
Bug: v8:9407
Change-Id: Ie7993fcacc3e518da7b4af4c4ab20d8e4c47870c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905197
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#83364}
2022-09-21 13:29:03 +00:00
Jakob Kummerow
b588a3c658 [bigint] Make deserialization of invalid data more robust
There is no -0n, and we'd therefore never serialize such a BigInt.
But we can't trust serialized data to not have gotten corrupted
(or be fuzzer-generated), so guard against this case when
deserializing.

Fixed: chromium:1359937
Change-Id: If11d9a364480bae51911cc4a0ce8a719853139fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904414
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83362}
2022-09-21 12:48:23 +00:00
Jakob Linke
e414442717 [maglev] Fix regexp-tier-up-multiple flakes
This test breaks when interrupts occur with unfortunate timing. Maglev
increases flakiness of this test since finished Maglev compiles all
raise a new interrupt (and interrupts abort-and-retry regexp
execution).

Disable concurrent recompilation for this test, and drive-by fix the
--trace-regexp-tier-up flag.

Bug: v8:7700
Change-Id: I170c911fe2308b0b5ad9941e695f11f8925455f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904604
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83359}
2022-09-21 11:27:53 +00:00
Liu Yu
1861ab7e18 [loong64][mips64] Remove unused RelocInfo::Mode::RUNTIME_ENTRY
Port commit 3f99852796

Change-Id: Idbe8d53990b8c09e083f64774eecb146ecd2dc90
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905857
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Auto-Submit: Liu Yu <liuyu@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#83357}
2022-09-21 10:54:43 +00:00
Ting Chou
831ef4e6c8 [riscv] Fix cctest/test-assembler-riscv*/RISCV_UTEST_FLOAT_WIDENING_vfwredosum_vv.
Correct the test expect result as the spec specifies the accumulator is 2*SEW
bits. Fix the simulator implementation as well.

R=qiuji@iscas.ac.cn

Change-Id: Ia5d11b3214cf32635c3767df75992b2a50ee6980
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878452
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#83354}
2022-09-21 08:25:27 +00:00
Ting Chou
0d85646664 [riscv] Fix cctest/test-assembler-riscv*/RISCV_UTEST_FLOAT_WIDENING_vfwmacc_vf.
Correct the arguments for std::fma() to double as the instruction expects
both addend and destination are 2*SEW bits wide. Addressed corresponding
implementation in the simulator as well.

R=qiuji@iscas.ac.cn

Change-Id: Ib3963a61c00ee9dc73af019574a1665de406cc32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878448
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#83353}
2022-09-21 08:19:43 +00:00
Frank Tang
20db58cb52 [Temporal] Fix Duration toJSON/toString
1. Correct the return type of RoundTowardsZero to fix issue with
double value > 2^64

2. In TemporalDurationToString:
a. Use std::fmod instead of % to get the remainder
b. Use extra xx_add variables to hold additional value which may
overflow the double during computation.
c. Use BigInt for days if the value is too large for double
to ensure the precision.
3. Add tests with Number.MAX_SAFE_INTEGER
and Number.MAX_VALUE in values for Duration toJSON in mjsunit



Bug: v8:11544
Change-Id: Icac4f669ed1c591e947b51c82dd48bdef7a6db6e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3900813
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83344}
2022-09-20 20:17:33 +00:00
Shu-yu Guo
f65d0f62b4 [test262] Roll test262
9215420..465cf4a

Bug: v8:7834, v8:13302
Change-Id: Ieb9d6215984b0f7eab201514e5b855f7efcdda65
Fixed: v8:13302
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3906921
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83343}
2022-09-20 19:12:22 +00:00
Leszek Swirski
f4ee78f8b8 Revert "[wasm-gc] JS interop: Do not wrap structs/arrays by default"
This reverts commit 67106ff494.

Reason for revert: Test failure bisected locally to this (failure link: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/40535/overview). Not clear why but reverting to keep the tree green.

Original change's description:
> [wasm-gc] JS interop: Do not wrap structs/arrays by default
>
> Bug: v8:7748
> Change-Id: I441fd294bc0f31c0396217bc55c27159abacdbd1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905725
> Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
> Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83338}

Bug: v8:7748
Change-Id: Ifb5e980dedf8e9824d05171c431ad383af180e50
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904416
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83341}
2022-09-20 16:14:13 +00:00
Matthias Liedtke
67106ff494 [wasm-gc] JS interop: Do not wrap structs/arrays by default
Bug: v8:7748
Change-Id: I441fd294bc0f31c0396217bc55c27159abacdbd1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905725
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83338}
2022-09-20 14:41:42 +00:00
Leszek Swirski
808ed0572d Revert "Remove some unused includes"
This reverts commit 0cb7542904.

Reason for revert: Suspect for waterfall closure - https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Maa%20-%20arm64%20-%20no%20pointer%20compression%20debug%20builder/1072/overview

Original change's description:
> Remove some unused includes
>
> Bug: v8:13006
> Change-Id: Iee530e965786583330ff5e00ccfe58358a813f76
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879500
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83332}

Bug: v8:13006
Change-Id: I9d9d88a84786cb683042ab2ed665d61656d6de3b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904415
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83335}
2022-09-20 14:19:42 +00:00
Matthias Liedtke
87d677096d [test][wasm-gc] Reference tables: Use interop flag in test
Bug: v8:7748
Change-Id: Ie68be87805fe85c954209cd3257a0915deec84be
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905191
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83334}
2022-09-20 13:27:32 +00:00
Manos Koukoutos
0cb7542904 Remove some unused includes
Bug: v8:13006
Change-Id: Iee530e965786583330ff5e00ccfe58358a813f76
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879500
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83332}
2022-09-20 13:16:52 +00:00
Matthias Liedtke
80ecaa320b [wasm-gc] JS interop: Allow wasm objects in prototype chain
This change allows to put Wasm structs / arrays into prototype
chains. While this isn't particularly useful (as any access lookup
on the wasm object will throw a TypeError), there isn't any reason
not to allow it.

Bug: v8:7748
Change-Id: I81cf709d2e8403b545bbba9ad9c538c1e9748c74
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3901979
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83329}
2022-09-20 13:02:43 +00:00
Stephen Roettger
3f99852796 Remove unused RelocInfo::Mode::RUNTIME_ENTRY
Change-Id: Ic1950646f880e5b752d2018fa2ad2715e3ad3292
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904233
Commit-Queue: Stephen Röttger <sroettger@google.com>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83328}
2022-09-20 12:52:52 +00:00
Marja Hölttä
ce572f953c [maglev] Disable Maglev for the default ctor omitting test
Maglev support is not implemented yet.

Also make Maglev conflict with --no-maglev.

Bug: v8:13091,v8:13253
Change-Id: Iac5f06a5697405348f681b29ec43044abf50d90a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3907725
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Marja Hölttä <marja@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83327}
2022-09-20 12:13:12 +00:00
Matthias Liedtke
1017e8e2f8 [x64][codegen] Fix bug reducing right shifts to 32 bit
If a shift right is performed with a negative value <= -32,
it may not be reduced to a 32 bit shift.
The reduction optimization was introduced by commit
2298b35f7c.

Fixed: v8:13290
Change-Id: Ifb16ed85560ab54d211ebb407690abe2c156e3a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905143
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83324}
2022-09-20 11:52:22 +00:00
Shu-yu Guo
a7093ce609 Fix optional thisArg for Array grouping
Array.prototype.group and Array.prototype.groupToMap have an optional
thisArg, which is currently not passed.

Bug: v8:13301, v8:12499
Change-Id: Ib927638401d39ed0cbcc0595ab41fde328ef43cc
Fixed: v8:13301
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905934
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83323}
2022-09-20 11:08:54 +00:00
Matthias Liedtke
7d00a97afb [wasm-gc] JS interop: Test import/export of wasm objects
Bug: v8:7748
Change-Id: I1d4d951b67546e0403854b96b04b681ce101deaf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3902053
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83321}
2022-09-20 10:17:52 +00:00
Simon Zünd
bf28ec635b [debug] Add new debug-evaluate block list test
This CL adds a test that checks the block list for outer functions is
also correctly calculated when pausing in inner functions.

R=kimanh@chromium.org

Bug: chromium:1363561
Change-Id: I2d7c1671475759b977e4e41c7e09856b3b2e7daf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904308
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83319}
2022-09-20 09:17:31 +00:00
Simon Zünd
354f4f0858 [debug] Refactor 'shadowing' tests for debug-evaluate
We currently use 1 test case per file for tests that check that
debug-evaluate correctly blocks the lookup of stack-allocated
variables.

This CL adapts a similar approach to `debug-scopes.js`, making it
easier to add new test cases in the future.

R=kimanh@chromium.org

Bug: chromium:1363561
Change-Id: I8ff8cfe7d59f0b9808dc02c5579e058f490553eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904544
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83315}
2022-09-20 08:18:52 +00:00
jameslahm
c400af48b5 [symbol-as-weakmap-key] Implement Symbol as WeakMap Keys
Allow non-registered symbols as keys in weakmap and weakset.
Allow non-registered symbols as target and unregisterToken in
WeakRef and FinalizationRegistry.

Bug: v8:12947
Change-Id: Ieb63bda66e3cc378879ac651e23300b71caed627
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865056
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83313}
2022-09-20 07:24:42 +00:00
Frank Tang
fe1245edf8 [Temporal] Fix ZDT hoursInDay for non-integer hours
The hoursInDay could be fractional number on the date of changng
daylight saving time for time zone in half hours or some historical time
zone.
Ex: Australia/Lord_Howe on Sunday, April 3, 2022, 2:00:00 am clocks were
turned backward 0:30 hours to Sunday, April 3, 2022, 1:30:00 am local
standard time instead. so that day will have 24.5 hours.
On Sunday, October 2, 2022, 2:00:00 am clocks are turned forward 0:30
hours to Sunday, October 2, 2022, 2:30:00 am local daylight time
instead. So the hoursInDay for that day is only 23.5 hours.

Historically, Singapore from 1933 to 1941 moved clocks forward 20 minutes for daylight savings, resulting the day in 24.33333 and
23.66667 hours.

Test covered in https://github.com/tc39/test262/blob/main/test/staging/Temporal/ZonedDateTime/old/dst-properties.js

Change the return type from MaybeHandle<Smi> to MaybeHandle<Object> so
we can return non integer value. Also change the method of division by
first convert the value to second in BigInt, then divid 3600 (number of
seconds in a hour) in double.

Bug: v8:11544
Change-Id: Ia69d2606cd832e51f415a00440fb9cbc236883e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3901619
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83311}
2022-09-20 00:46:13 +00:00
Frank Tang
b16aa83fee [Temporal] Fix DST transition
Refactor the interface between intl and Temporal and pass
the nanosecond in BigInt to intl. Approximate the nanoseconds
to the correct close by millisecond depending on the usage
before calling ICU API and convert the result millisecond into
BigInt in nanosecond before return from intl.

Remove Maybe for function always complete.

Bug: v8:11544
Change-Id: Icc471b80312c513c9415b690804aa624df4a387d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3897165
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83310}
2022-09-20 00:44:42 +00:00
Michael Lippautz
d0944e3e03 cppgc: Fix LazySweepingNormalPages
Test was using concurrent sweeper which could lead to the concurrent
sweeper holding onto memory until the allocation succeeded in rare
cases.

Bug: v8:13308
Change-Id: I0f9f93cc503cdc17d6962b3c31bc4ea698b4cb42
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905183
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83309}
2022-09-19 20:02:41 +00:00
Camillo
014cadc948 [deserializer] ReadVarint and ReadVarintLoop should behave the same
Make sure both the fast and slow version return the same value in case
of wrong follow-bit values in the input.

Bug: chromium:1359230, chromium:1360735
Change-Id: Ic65f81109e5bbc288fa41a5540ec7e6cece10ffc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890998
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83307}
2022-09-19 15:51:52 +00:00
Jakob Linke
8ef5d8ddaa [maglev] Use PropertyAccessInfo to create deps for property loads
Missing deps were causing correctness issues due to missed deopts. In
this CL, we reuse PropertyAccessInfo creation to create appropriate
dependencies.

Bug: v8:7700
Change-Id: Ic6c20df01fa8a36f677aed80791fcea1ccc4b512
Fixed: v8:13289
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904603
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83304}
2022-09-19 13:10:31 +00:00
Igor Sheludko
c439efdadd [ptr-compr] Introduce compression scheme class
... which will contain all compression scheme related functions.
This will allow introducing custom compression schemes for certain
cases and use the compression scheme class as a template argument for
TaggedField or OffHeapCompressedObjectSlot implementations.

Bug: v8:7703, v8:11880
Change-Id: Ic78d36b7021110d6a4797a3150547a224d942b32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899262
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83302}
2022-09-19 12:37:23 +00:00
Shu-yu Guo
be5dff6be1 [rab/gsab] Fix transfer on empty ArrayBuffers
ArrayBuffers of length 0 may not have a BackingStore, so guard for that
case in ArrayBuffer.prototype.transfer.

Bug: v8:11111, chromium:1364738
Change-Id: I058d00f0f60183f9137c60682ad93973c7a6dcbb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3902517
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83301}
2022-09-19 12:15:35 +00:00
Matthias Liedtke
4893b1c0bd [wasm-gc] Basic JS interop handling for wasm objects
This change tests all JavaScript language constructs and builtins in
combination with the unwrapped Wasm objects.
For JavaScript, excluding some basic introspection (e.g.
`Object.isExtensible`) WebAssembly GC objects are treated opaque.
They can be passed around freely but don't allow any access to
properties, elements etc.

This behavior is currently exposed only if the `wasm-gc-js-interop`
flag is set.

Bug: v8:7748
Change-Id: If0dc368f99d4097e3eaf53edde4e244e3081e334
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879616
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83299}
2022-09-19 11:26:21 +00:00
Leszek Swirski
2d3f21cfd4 [maglev] Always use spill slots in lazy deopts
Lazy deopts are always after calls, so force them to spill their inputs.
This would normally be the case anyway, except for deferred calls, which
don't tell the register allocator to spill like normal calls do.

This makes lazy deopt regalloc always spill its inputs and use their
spill slot, but unlike calls, this doesn't additionally clear the
register, so subsequent nodes can continue using the register cached
value without having to reload it.

As drive-bys, fix the Throw* opcodes to have the Throw property, and use
detail::DeepForEachInput in a couple of extra locations (including for
lazy deopts).

Bug: v8:7700
Change-Id: I89b04f17ca781d4f69ff0ed07566fa583aa677e6
Fixed: chromium:1364074
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899009
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83293}
2022-09-19 07:58:33 +00:00
Jakob Kummerow
0661a0dd8f [stringrefs] Fix inlining, and some corner case bugs
1) Inlining functions that contain stringref operations require builtin
   calls to be marked as kNoThrow appropriately (or have exception
   handling support in the graph).
2) Some overly-large inputs for string creation hit DCHECKs before
   getting to the places where they would have thrown an orderly
   exception.
3) We still had a known issue that some exceptions thrown by JS-focused
   code were erroneously catchable by Wasm.
4) When string.concat attempted to create a too-long string, it ran into
   a DCHECK because we didn't clear the "thread in wasm" flag.
5) The builtin call for string.concat was erroneously marked as
   kEliminatable, which could cause the trap get eliminated.

Bug: v8:12868
Change-Id: Iad3ada0e2465bfd8f3d00bb064c32049d6b19d87
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3902522
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andy Wingo <wingo@igalia.com>
Reviewed-by: Andy Wingo <wingo@igalia.com>
Cr-Commit-Position: refs/heads/main@{#83292}
2022-09-19 07:52:41 +00:00
JialuZhang-intel
ea97572d47 [turbofan] Improve jump threading phase
Let jump threading phase be able to handle the jump with gap moves instructions.
Record the first occurrence of the gap jump instruction and forward
the same gap jump instructions into the recorded one.

For example:
  In this case, we merge the second instruction into the first one,
  because those two gap jump instructions have the same gap moves.

    -- Before jump threading phase:
    B0:
    1. gap(rdx=rbx)
       ArchJmp imm:3
    B1:
    2. gap(rdx=rbx)
       ArchJmp imm:3

    -- After jump threading phase:
    B0:
    1. gap(rdx=rbx)
       ArchJmp imm:3
    B1:
    2. ArchNop

This can eliminate redundant jump and move instructions.

Design doc: https://docs.google.com/document/d/1SpO7Kw4e6CnCesFT118MUnCufUHZDy3QaVSymcci5jE/edit?usp=sharing

Change-Id: Ie94c8f63e2f758824619f6ed9513cbdff00186c4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858528
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jialu Zhang <jialu.zhang@intel.com>
Cr-Commit-Position: refs/heads/main@{#83288}
2022-09-19 03:44:11 +00:00
Frank Tang
87adde1bae [test262] Roll test262
7461973..9215420

Bug: v8:7834
Change-Id: I5f830a59c57133b3c0ebe7633b60c20b00caa3ff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3902516
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83283}
2022-09-17 00:55:09 +00:00
Frank Tang
96f67bb1c5 [Intl] Sync to intl-numberformat-v3 PR107
Return fallback while the useGrouping is "true" or "false"
but throw RangeError not in the list.

https://github.com/tc39/proposal-intl-numberformat-v3/pull/107

Bug: v8:13271
Change-Id: Ia325cd8fe74ff9fb501fd765e9ec2d94f8c97e38
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3886070
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83282}
2022-09-16 20:52:26 +00:00
Frank Tang
4b0e8569cc [Temporal] Add ParseTimeZoneIdentifier ParseCalendarName to parser
Needed for https://chromium-review.googlesource.com/c/v8/v8/+/3893552
and also https://chromium-review.googlesource.com/c/v8/v8/+/3901196

Bug: v8:11544
Change-Id: Ieb946abde1c623e9edcca608d737e8bf65a34637
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3901195
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83281}
2022-09-16 20:44:37 +00:00
Manos Koukoutos
45d4d220d2 [wasm] Move js-to-wasm wrappers to the isolate
We move js-to-wasm wrappers to a WeakFixedArray in the isolate,
indexed by their canonical type index. This ensures that they are
reused across instances, and get GC'd when no longer needed.
We also remove eager compilation of wrappers.
This CL fixes some issues that were caused by out-of-bounds accesses
to wrapper arrays attached to module objects.

Bug: chromium:1363859, chromium:1363895

Change-Id: Idec0925e775f51fdfa7cd380379b0d1798295a0c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893860
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83275}
2022-09-16 15:08:53 +00:00
Manos Koukoutos
1135c0fca4 [wasm-gc][liftoff] Check for null before calling CallRefIC
Bug: v8:7748, chromium:1364036
Change-Id: I0263a21671fc602127aaae3b3ce022190be91407
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899295
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83274}
2022-09-16 14:33:13 +00:00
Dominik Inführ
79ac0de424 Fix some random presubmit failures
Change-Id: Ibd4c958875d777ba5241a6424ab23f8a2d0ac5ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899263
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83256}
2022-09-16 10:41:24 +00:00
Clemens Backes
c582eb4ee2 [wasm] Use a single source of truth for feedback vector size
The number of feedback vector slots is currently stored in the
{WasmFunction}, returned in the {WasmCompilationResult}, and implicitly
stored as the size of the {call_targets} vector in
{FunctionTypeFeedback}.

This CL uses the latter as the source of truth, encapsulated in a new
{NumFeedbackSlots} function. This can be updated when adding new kinds
of feedback that need additional slots.
For now, the implementation of {NumFeedbackSlots} requires taking a
mutex, which we can hopefully avoid when productionizing speculative
inlining. We also take the mutex on every Liftoff compilation, which
adds synchronization between concurrent compilation which we previously
tried very hard to avoid (because it introduced significant overhead for
eager compilation).

As a nice side-effect, this CL reduces the per-function overhead by 8
bytes, independent of enabled features.

R=jkummerow@chromium.org

Bug: v8:13209
Change-Id: I2fe5f7fe73154328032a3f0961e88d068c5d07ae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899299
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83253}
2022-09-16 10:26:34 +00:00
Leszek Swirski
e7b9604040 [runtime] Don't update template map for existing templates
The cached template object weakmap shouldn't be updated when we update
an existing cached template object, because this update can truncate the
linked list of cached template objects.

Bug: v8:13190
Change-Id: Icea61fcbd5c05d4293a884d1872523ddcdfc3323
Fixed: chromium:1364429, chromium:1364471
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899256
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83248}
2022-09-16 08:55:23 +00:00
Clemens Backes
00a341994f [cctest] Use v8_flags for accessing flag values
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.

R=mliedtke@chromium.org

Bug: v8:12887
Change-Id: I417eee6311fadef9b60043cfc9a42926859c7ab9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899304
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83247}
2022-09-16 08:22:03 +00:00
pthier
3cb7a8146f Reland "[strings] Fix raw hash lookup for forwarded strings"
This is a reland of commit 0a1f0e335e

Changes since revert:
- Deferred label for loading from forwarding table.
- Check if hash is computed instead of checking if it is a forwarding index.
- Retreive hash from forwarding table only if hash is assumed to be computed.

Original change's description:
> [strings] Fix raw hash lookup for forwarded strings
>
> Raw hashes may need to be looked up via the forwarding table when
> internalized strings are forwarded to external resources. Notably, the
> megamorphic ICs were not correctly fetching the raw hash.
>
> Bug: v8:12007
> Change-Id: Ibbc75de57e707788f544fbd1a0f8f0041350e29d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3885379
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Patrick Thier <pthier@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83115}

Bug: v8:12007
Change-Id: Ia88ed51a49c62170bc960b8f69673bb1e59a6009
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3888057
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83246}
2022-09-16 08:15:13 +00:00
Nico Hartmann
1d693043bd Revert "[turbofan] Rematerialize BigInt64 in deopt"
This reverts commit 80fb281561.

Reason for revert: https://bugs.chromium.org/p/chromium/issues/detail?id=1364400

Original change's description:
> [turbofan] Rematerialize BigInt64 in deopt
>
> This CL introduces two MachineTypes - SignedBigInt64 and UnsignedBigInt64, which are represented as Word64 but will be rematerialized to BigInt in deoptimization. This will avoid unnecessary conversions for BigInt64s when they are passed to StateValues.
>
> Bug: v8:9407
> Change-Id: I65fdee3e028ed8f9920b1c20ff78993c7784de48
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858238
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Commit-Queue: Qifan Pan <panq@google.com>
> Cr-Commit-Position: refs/heads/main@{#83230}

Bug: v8:9407
Change-Id: I77d278ce302621db03b787318641709780348cc8
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3901814
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#83245}
2022-09-16 07:33:08 +00:00
Marja Hölttä
ebc9556108 [rab/gsab] TypedArray.p.slice fix in Torque: Destination can be resizable
Bug: v8:11111,chromium:1362487
Change-Id: Ifc7649ec945a0cb13e02c52a47f8ab68fa8ab848
Fixed: chromium:1362487
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890915
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83242}
2022-09-16 07:09:39 +00:00
Adam Klein
59c070a285 Revert "[v8] Use |AllocateAtLeast| for resizing v8 zones."
This reverts commit 4444874cdf.

Reason for revert: CHECK failure under UBSan
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20UBSan%20-%20builder/5103/overview

Original change's description:
> [v8] Use |AllocateAtLeast| for resizing v8 zones.
>
> This is part of an ongoing effort to reduce fragmentation in Chrome.  Partition alloc shows v8 zones are a large user of memory in Renderer processes, and that there is fragmentation from these allocations. This CL will reduce this fragmentation by allowing v8 to use all allocated memory for its zones.
>
> Bug: v8:13193, chromium:1238858
> Change-Id: Ibeac8bdba9d0e7ff66b14a3dde10e7c87d3cf953
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3889361
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83235}

Bug: v8:13193, chromium:1238858
Change-Id: I03c8c1ad7bb1cd20770323bffe1c42a4be47c454
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3900814
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83237}
2022-09-15 20:18:17 +00:00
Frank Tang
adc30b07c0 [Temporal] Fix timezone and calendar parsing issue
Need to reset tzi_xxx and calendar_xxx in parser state if the
post-condition of CalendarName and TimeZoneIdentifier is not met.

Bug: v8:11544
Change-Id: If2df6c8fc8cf2418ddd5443abab02066d423a0c3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893554
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83236}
2022-09-15 20:01:58 +00:00
Thiabaud Engelbrecht
4444874cdf [v8] Use |AllocateAtLeast| for resizing v8 zones.
This is part of an ongoing effort to reduce fragmentation in Chrome.  Partition alloc shows v8 zones are a large user of memory in Renderer processes, and that there is fragmentation from these allocations. This CL will reduce this fragmentation by allowing v8 to use all allocated memory for its zones.

Bug: v8:13193, chromium:1238858
Change-Id: Ibeac8bdba9d0e7ff66b14a3dde10e7c87d3cf953
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3889361
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83235}
2022-09-15 19:59:08 +00:00
Jakob Kummerow
116e217b5f [wasm-gc] Minimal JS interop: the basics
This CL introduces a new LookupIterator state WASM_OBJECT, and updates
all switches that need to handle it.

Bug: v8:7748
Change-Id: Ie3359aed2d37f5a6854e5577fa3799f0464391e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865559
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83234}
2022-09-15 19:05:08 +00:00
Clemens Backes
f9bb65eb9f [unittests] Use v8_flags for accessing flag values
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.

R=mliedtke@chromium.org

Bug: v8:12887
Change-Id: I06e12314495c2d89135e58e5d3a01310f108e865
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899303
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83233}
2022-09-15 17:51:59 +00:00