V8_SANDBOX has been renamed to V8_ENABLE_SANDBOX in crrev.com/c/3647355
and its remaining uses in Chromium have now been renamed as well.
Bug: v8:10391
Change-Id: Ibb23ecab6687438b462685ef7fa044c0024dd098
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3660251
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80739}
There were multiple fields missing from the output.
R=jkummerow@chromium.org
Change-Id: Ie4c3171339943414c58c2fe6f0e507cdd531dd8b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3664497
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80738}
Add a generic DefineNamedOwn node for DefineNamedOwnProperty, and a
monomorphic fast path identical to SetNamedProperty for simple field
stores.
Bug: v8:7700
Change-Id: I35ff9d54be8bb8e437865e4d1ba38eb726034e24
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3663084
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80736}
This CL fixes a wrong assumption in the LiveEdit machinery. Namely
the assumption that every FunctionLiteral the parser finds, will have
a corresponding SFI created by the compiler. This assumption does not
hold in all cases. Inner functions that are never referenced by the
outer function don't get an SFI.
R=bmeurer@chromium.org
Fixed: chromium:1328453
Change-Id: I674f023f948954c1fcae04a4aa2afb69ea1642aa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3663443
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80735}
The Runtime_WasmCompileLazy function was returning a ptr-sized address,
wrapped in an Object. This worked because no GC is triggered between the
return from the runtime function and the point where we jump to the
returned address.
In a pointer-compressed world though, generated code assumes that all
objects live in the same 4GB heap, so comparisons only compare the lower
32 bit. On a 64-bit system, this can lead to collisions where a
comparison determines that the returned address equals a heap object,
even though the upper 32-bit differ.
This happens occasionally in the wild, where the returned function entry
pointer has the same lower half than the exception sentinel value. This
leads to triggering stack unwinding (by the CEntry stub), which then
fails (with a CHECK) because there is no pending exception.
This CL fixes that by returning a Smi instead which is the offset in the
jump table where the kWasmCompileLazy builtin should jump to. The
builtin then gets the jump table start address from the instance object,
adds the offset that the runtime function returned, and performs the
jump.
We do not include a regression test because this failure is very
spurious and hard to reproduce.
R=jkummerow@chromium.org
Bug: chromium:1311960
Change-Id: I5a72daf78905904f8ae8ade8630793c42e223984
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3663093
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80729}
The Wasm C API currently disabled dynamic tiering, in order to have
deterministic behaviour for serialization of Wasm modules.
As dynamic tiering is now shipped, also the C API should follow.
Serialization of a Wasm module now just serializes the current state, so
embedders are responsible for warming up a module before serializing it.
If requested, we can add an internal API to enforce full tier-up of all
functions, but we will leave that for later.
R=ahaas@chromium.org, jkummerow@chromium.org
Bug: v8:12899
Change-Id: I55df63f0b6c1f285e4983f9f7d5fb66aa41637bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3660261
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80727}
Math between disparate enums is deprecated. Use constexprs instead.
This requires switching some caller code to work with the new non-enum
constants also.
Bug: chromium:1284275
Change-Id: Ifb3c8757ed62e2a0966120f830f0a7e282b53a16
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3661148
Auto-Submit: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Peter Kasting <pkasting@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80722}
We can check map validity cells for Sminess without checking their
value, since their value as a Smi (and not a Cell) should always be
"valid"
Change-Id: Ie73079107144e352c358c0ec42abd0c10bdcf73a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3663090
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80721}
Clean up a couple of the StoreHandler methods returning Builtins to
directly return the Code object, so that it can be used as a handler
straight away without having to go via the MakeCodeHandler helper (which
wasn't making anything anymore).
Change-Id: I4976829d25e2bdad0cf41088b76121ac9b500cd5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3663083
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80720}
Stop the unmapper tasks before running a full GC. This ensures that all
freed memory is actually reusable in the following full GC. We also need
to keep freed pages around until after the GC in order to be able to
perform page flags checks on them when updating pointers. However,
when unmapper tasks are still running pages freed during the GC may be
unmapped too early.
Bug: chromium:1327132
Change-Id: I4fde7853b987975ae6ef304e89c53eb20b004d55
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3660247
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80718}
The phase is generally sub-ms. What's left as a follow up is to remove
the finalization step that schedules a finalization step (including
embedder callbacks) through a stack guard.
Bug: v8:12775
Change-Id: I35f36e5ba07f9acb4e92acf2a414559ccd6ad9bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3663081
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80716}
Print the function, bytecode and feedback vector of any function we
attempt to compile with maglev while any of the printing flags are
enabled.
Bug: v8:7700
Change-Id: I92831fbd6c687e10afee7e0698ef2c42d11c63ee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3663085
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80715}
Due to differences in compiler versions and optimization levels,
std::floor treats snan differently, as does std::ceil and std::trunc.
So the implementation of some instructions is sometimes inconsistent
with the physical machine. We add extra processing to them.
Besides, fix Loong64Debugger::Debug error in simulator, IsTrap
returns true only if break is encountered.
Change-Id: I240d91ed658645a2453162107b6dd172735fbfef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3661259
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Auto-Submit: Liu Yu <liuyu@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#80714}
Instead of invoking both the generational and marking barrier
explicitly, we can just invoke the combined barrier which does both
for us.
Also we simply use the full write barrier for all writes in the deserializer. While we could avoid the generational barrier in a few
cases, this only costs us a single predictable untaken branch without
an additional load.
Bug: v8:11708
Change-Id: Iebd0af06efe42a3ac4e5725131362600ab16bc7a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3662900
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80712}
Disable --always-use-string-forwarding-table when --shared-string-table
is set.
With --shared-string-table we can have parallel GCs in multiple client
isolates. With --always-use-string-forwarding-table we can have young
generation strings in the forwarding table, requiring table updates when
the string gets promoted. This is not supported for parallel GCs.
This CL also reverts the incorrect try to fix an issue with these flag
combination introduced in https://crrev.com/c/3650719
Bug: v8:12877, v8:12007
Change-Id: I49a2aa300af36b82007a7d215afe9a70ac1ce39e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3660258
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80710}
Previously the LookupIterator ignores private symbols
(including private names) for the access check. This patch
removes these exceptions so that they are always checked.
Drive-by: removes the unused should_throw parameter in
Runtime::DefineObjectOwnProperty()
Bug: chromium:1321899
Change-Id: I9677b1e377f01d966daa1603eee1ed9535ffab92
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3623419
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#80700}
Fix requesting an Int32 from a tagged value that was already converted
to Float64 (because it was on one side of Number feedback but was itself
a Smi), and DoubleRegister locations in deopts.
Bug: v8:7700
Change-Id: I01615a6c520c9e086f3544c2656aa04bf3fc1eaa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3660254
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80698}
My previous change https://crrev.com/c/3597106 led to some performance
regressions in time spent on parsing and compilation. Those regressions
might be due to increasing the reuse of old top-level
SharedFunctionInfos. If the top-level SFI is old enough that its
bytecode can be flushed, then perhaps other SFIs within the script have
already been flushed. In that case, discarding information from a
background compilation or code cache deserialization could be harmful.
Bug: v8:12808, chromium:1325566, chromium:1325567, chromium:1325601
Change-Id: Ia7651bed86eecdbef8878e6132b894ed10163cdc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657472
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80697}
This was an oversight in https://crrev.com/c/3557234, which led to a
really weird developer experience: once a `window.onerror` handler was
installed, typing into the Console or other side-effect free debug
evaluations triggered this handler.
Fixed: chromium:1328008
Bug: chromium:1295750
Change-Id: I4029ff19ceb7cfe0a8eb6afff19c3ef9a4a82e25
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3660253
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80696}
It sometimes meant just the field and sometimes the computed byte
length. This rename makes it less confusing.
Bug: v8:11111
Change-Id: I64bb8b6b9be2befb57d53ae5456b6ce8f6472456
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657429
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80695}
Add an implementation of BranchIfInt32Compare, which is emitted whenever
a compare op is immediately followed by a branch.
Bug: v8:7700
Change-Id: I2c56d9de199bac8de33b33201f8614aee8e9894e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647693
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80694}
SimulatorBase::ConvertArg should be a protect member so that
CallArgument::CallArgument can access it.
Change-Id: I60b23b45c2247cd28e73808df7b77e604d154932
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3659057
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Yu Liu <liuyu@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#80693}