Valid prototype chain validity cells should have an initial value of
"Map::kPrototypeChainValid", not zero (even though they're the same).
Bug:
Change-Id: I7d3df7d2e3382f20ed598b387612bb48428e0fa0
Reviewed-on: https://chromium-review.googlesource.com/757140
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49196}
This is a reland of 34e3e7f91b
Original change's description:
> Introduce gc flag for fuzzing over compaction.
>
> Bug: v8:6972
> Change-Id: If1f4ee04ae00c6ae1e037bbb1ca758e952a8f843
> Reviewed-on: https://chromium-review.googlesource.com/738112
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Commit-Queue: Michał Majewski <majeski@google.com>
> Cr-Commit-Position: refs/heads/master@{#49191}
Bug: v8:6972
Change-Id: I690a72a6d5da17c6f15449b2be4cbb681a67e60e
Reviewed-on: https://chromium-review.googlesource.com/756894
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Michał Majewski <majeski@google.com>
Cr-Commit-Position: refs/heads/master@{#49195}
This gives up on earlier attempts to interpret DeadValue as a signal of
unreachable code. This does not work because free-floating dead value
nodes, and even pure branch nodes that use them, can get scheduled so
early that they get reachable. Instead, we now eagerly remove branches
that use DeadValue in DeadCodeElimination and replace DeadValue inputs
to value phi nodes with dummy values.
Reland of https://chromium-review.googlesource.com/715716
Bug: chromium:741225 chromium:776256
Change-Id: I251efd507c967d4a8882ad8fd2fd96c4185781fe
Reviewed-on: https://chromium-review.googlesource.com/727893
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49188}
Now that we only have the seeded variant, let's call it
number_dictionary_map. It's cleaner.
R=mstarzinger@chromium.org
Change-Id: I3e36ecb15140b5def835ca8ebe50ab829a21892d
Reviewed-on: https://chromium-review.googlesource.com/756749
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49183}
ZoneDeque is memory-inefficient, see
https://bugs.chromium.org/p/chromium/issues/detail?id=674287
As a downside, ZoneChunkList is not const correct, see
https: //bugs.chromium.org/p/v8/issues/detail?id=6473 .
Bug: v8:5516
Change-Id: I2db15006afd78aa932ab831cd9c0cff659229321
Reviewed-on: https://chromium-review.googlesource.com/750782
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49182}
The flag is --parallel-marking.
Bug: chromium:750084
Change-Id: I20ab5945d2cc41d44b29d7090a3436d028588540
Reviewed-on: https://chromium-review.googlesource.com/756709
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49178}
In the fast case, the feedback should be the same across all slots
(like a switch over enum values).
BUG=v8:7045
Change-Id: I2c32f81cda55874ea6fc8d6a18c85d9929cff1bb
Reviewed-on: https://chromium-review.googlesource.com/756701
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49177}
This value was uninitialized before. Initialize it to zero. Also, fix
the tracing output to actually print the start arity and not the end
arity.
R=rossberg@chromium.org
Change-Id: I1eda3be88ca842f60e40e3fb630eca254619ae83
Reviewed-on: https://chromium-review.googlesource.com/756702
Reviewed-by: Andreas Rossberg <rossberg@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49176}
The section name is printed two times currently: Once in
{WasmSectionIterator::next()}, once in
{ModuleDecoderImpl::DecodeSection}.
This is confusing when looking at the trace output, hence remove one of
the outputs.
R=ahaas@chromium.org
Change-Id: Icc699d5eb0e39325d2849ea6c345b9522985003b
Reviewed-on: https://chromium-review.googlesource.com/756703
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49175}
They are uncovered by existing test cases once we support globals and
memory operations.
R=ahaas@chromium.org
Bug: v8:6600
Change-Id: I66c7143b66c816ab9a032c18bf6b2c82f7291f68
Reviewed-on: https://chromium-review.googlesource.com/756705
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49174}
The bytecode generator has special handling for comparing the result of
the typeof operator against a string literal. This needs to be adapted
for bigints.
R=jkummerow@chromium.org, mythrie@chromium.org
Bug: v8:6791
Change-Id: I42d6c9e9225ce05e19393f10e01ae496ecb70c9c
Reviewed-on: https://chromium-review.googlesource.com/753465
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49172}
Actually all it does is throw a TypeError.
R=jkummerow@chromium.org
Bug: v8:6791
Change-Id: I884da4eaa937519c07c3516a1713829f52e28ad8
Reviewed-on: https://chromium-review.googlesource.com/753730
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49171}
Due to lazy deserialization, we need to ensure the snapshot blob is
not freed until the Isolate is destroyed.
Re-enable a few tests that can handle lazy deserialization just fine.
Unfortunately we can't do this for all tests as UNINITIALIZED_TEST does
not sufficiently set up the isolate for lazy deserialization (there's no
Isolate::snapshot_blob_).
Bug: v8:6624
Change-Id: Icf0d217da3a4c5ff1506facc7869d2dd1ac3a983
Reviewed-on: https://chromium-review.googlesource.com/756694
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49170}
Lazy TFJ builtins rely on a mechanism that uses the SharedFunctionInfo
to determine the builtin to deserialize. That obviously doesn't work if
we call the lazy builtin directly, so make sure this does not happen (at
least not through (Tail)CallBuiltin).
Bug: v8:6624
Change-Id: Iea95d83379a5a0e47324e1fef83c005350f2f02a
Reviewed-on: https://chromium-review.googlesource.com/754684
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49169}
This commit updates the jobs for generating postmortem
metadata. I96a8a7cdded6f7c37b6f1da659d63df9e3a5de2b moved
the Code class to a new file without updating the postmortem
jobs. This resulted in some constants used by Node.js to
disappear, leading to build failures on SmartOS.
See: https://github.com/nodejs/node-v8/issues/21
Bug:
Change-Id: Icf5f59fe464d933c4f5a3f622b08c01bc43c6a80
Reviewed-on: https://chromium-review.googlesource.com/741919
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49168}
This change
- adds new maps for elements, global, and named dictionaries.
- adds support to embed these dictionaries in the startup snapshot.
- adds support to embed these dictionaries in the code cache.
- refactors the rehashing logic.
TBR=mstarzinger@chromium.org, ishell@chromium.org, jgruber@chromium.org
Bug: v8:6593
Change-Id: I2455fe2a9cc6e93247940de99de5f124c2ada137
Reviewed-on: https://chromium-review.googlesource.com/756693
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49167}
This reverts commit 32f30f6338.
Reason for revert: broken Fuchsia build, https://logs.chromium.org/v/?s=chromium%2Fbb%2Fclient.v8%2FV8_Fuchsia%2F460%2F%2B%2Frecipes%2Fsteps%2Fcompile%2F0%2Fstdout
Original change's description:
> [platform] check return values from memory operations
>
> This change adds DCHECKs for calls such as mprotect, as well as marking some of
> the memory allocation and deallocation routines as V8_MUST_USE_RESULT. This
> additional checking gives us more useful information for failure in the presence
> of, for example, address space exhaustion.
>
> Bug:
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Change-Id: I5bc76c1da6160262d3d556fea49d284ddd4e02c5
> Reviewed-on: https://chromium-review.googlesource.com/721267
> Commit-Queue: Eric Holk <eholk@chromium.org>
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49164}
TBR=hpayer@chromium.org,mlippautz@google.com,eholk@chromium.org
Change-Id: Ie4b57b45c801dcce7884645f50ff74f833de6dc4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/756137
Reviewed-by: Eric Holk <eholk@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49165}
This change adds DCHECKs for calls such as mprotect, as well as marking some of
the memory allocation and deallocation routines as V8_MUST_USE_RESULT. This
additional checking gives us more useful information for failure in the presence
of, for example, address space exhaustion.
Bug:
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I5bc76c1da6160262d3d556fea49d284ddd4e02c5
Reviewed-on: https://chromium-review.googlesource.com/721267
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49164}
Resetting phantom handles while keeping finalizers alive leads to the
problem of eagerly resetting a handle although another finalizer keeps
it (transitively) alive.
This becomes a problem with internal pointers to Blink as without
global handle a Blink GC is free to collect wrappables.
This CL untangles finalizers handling from phantom handle resets by
introducing a separate path for resetting.
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
Bug: chromium:781728
Change-Id: Ica138b72942698fd996c6e9fe0bdc19cc432c010
Reviewed-on: https://chromium-review.googlesource.com/753724
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49162}
This test uses a lot of memory and is causing OOM crashes on bots.
Bug: v8:7042
Change-Id: I63ff4d44ca8e26b65875df53ebd235976183c558
Reviewed-on: https://chromium-review.googlesource.com/755593
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49161}
The sampling heap profiles can now be retrieved without stopping
the profiler.
BUG=v8:6887
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I491206d0bafd7d4e198622117c12aab0057e6bc6
Reviewed-on: https://chromium-review.googlesource.com/749700
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Commit-Queue: Alexei Filippov <alph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49160}
Previously StaNamedProperty and StaKeyedProperty were in a weird state where
they claimed to not touch the accumulator, but actually did in case they were
deopted in the middle. A frame was added in the middle to overwrite the
accumulator again with the right value before returning from the setter, using
a lot of complexity in the deoptimizer.
This changes those instructions to be marked as writing to the accumulator
(e.g., the result of the setter), and uses to manually store and reload into
the accumulator the value being stored.
If we want to avoid the additional bytecodes, we could make sure that bytecodes
that claim to leave the accumulator alone don't deopt back to Advance/Dispatch
but LoadAccumulatorWithValue/Advance/Dispatch. That's in a way similar to what
happened before this CL, but I believe could be implemented much simpler.
Bug:
Change-Id: I4850a690ef5a30976701d0e050951faa46fd1c18
Reviewed-on: https://chromium-review.googlesource.com/753487
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49159}
This reverts commit 3877bf6f4b.
Reason for revert: failed compilation on Win64/clang:
https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20clang/builds/9015
Original change's description:
> Snapshot: support rehashing property and element dictionaries.
>
> This change
> - adds new maps for elements, global, and named dictionaries.
> - adds support to embed these dictionaries in the startup snapshot.
> - adds support to embed these dictionaries in the code cache.
> - refactors the rehashing logic.
>
> R=ishell@chromium.org, jgruber@chromium.org, mstarzinger@chromium.org
>
> Bug: v8:6593
> Change-Id: I8d9a7ba7145f1af4e6e15301a4d5611f07c77f33
> Reviewed-on: https://chromium-review.googlesource.com/753323
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49155}
TBR=yangguo@chromium.org,mstarzinger@chromium.org,jgruber@chromium.org,ishell@chromium.org
Change-Id: I0b45d2d07da97b9a7953abf4ad24eec4ea944306
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6593
Reviewed-on: https://chromium-review.googlesource.com/755493
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49156}
This change
- adds new maps for elements, global, and named dictionaries.
- adds support to embed these dictionaries in the startup snapshot.
- adds support to embed these dictionaries in the code cache.
- refactors the rehashing logic.
R=ishell@chromium.org, jgruber@chromium.org, mstarzinger@chromium.org
Bug: v8:6593
Change-Id: I8d9a7ba7145f1af4e6e15301a4d5611f07c77f33
Reviewed-on: https://chromium-review.googlesource.com/753323
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49155}
Each valid memory module generated by one of the wasm fuzzers will now
also be executed in Liftoff, and the result of the execution will be
compared against the interpreted result.
R=ahaas@chromium.org
Bug: v8:6600
Change-Id: I6a437faae4230ce4dfc7924dd1418da20ea92356
Reviewed-on: https://chromium-review.googlesource.com/753328
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49154}
Initialize the home object when we create the initializer function
keeping this in line with other functions that initialize home object.
Bug: v8:5367
Change-Id: I1c5e32ae0cb496740341e6c99c9359f6c5e00875
Reviewed-on: https://chromium-review.googlesource.com/754163
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49153}
In current implementation Object.getOwnPropertyDescriptor calls native
getter. It can produce side effects. We can avoid calling it.
DevTools frontend will show clickable dots and on click returns value.
This CL does not affect Blink and only affect several Node.js
properties, e.g. process.title.
R=yangguo@chromium.org
Bug: v8:6945
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I5764c779ceed4d50832edf68b2b4c6ee2c2dd65c
Reviewed-on: https://chromium-review.googlesource.com/754223
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49152}
When initializing the cache state for a merge, we should never use
registers multiple times. Other code paths leading to the same merge
point might provide different values for the different slots there.
R=ahaas@chromium.org
Bug: v8:7035, v8:6600
Change-Id: I8e409b494af0fdc1a5045ec04571611b97fcaf86
Reviewed-on: https://chromium-review.googlesource.com/754816
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49150}
This is a reland of 2769a7c44b.
The failing test is fixed now.
Original change's description:
> [wasm] Test binary operations for more inputs
>
> Instead of hard-coding one or two inputs per binary operation, use all
> inputs provided by FOR_INT32_INPUTS.
>
> R=ahaas@chromium.org
>
> Change-Id: I534227f93068f52d69ea0ff0fcf686a9af034bad
> Reviewed-on: https://chromium-review.googlesource.com/753484
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49136}
Change-Id: Ied9d4e5977b13b3d0f644e6586b1b14bd412de26
Reviewed-on: https://chromium-review.googlesource.com/753389
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49148}
This adds code-space modification scopes to all sites that still rely on
mutation of {Code} objects after allocation. Currently some scopes also
potentially are in performance-critical places that might regress if the
protection would be enabled in its current form.
R=clemensh@chromium.org
BUG=v8:6792
Change-Id: I8d511e0e452324dae027e50a9da8e6f77224b86f
Reviewed-on: https://chromium-review.googlesource.com/751521
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49147}
