Mostly signed integer overflows, and a few cases of double
division by zero (which is defined by IEEE-754 to return
Infinity (or NaN for 0/0) but is UB in C++).
In base/ieee754.cc, use constants for NaN and Infinity instead
of computing these values.
In spaces-unittest.cc, ensure that a large enough allocation
is used.
Bug: v8:3770
Change-Id: I50d9a77dc860ef9993b7b269a5f8c117b0f62f9d
Reviewed-on: https://chromium-review.googlesource.com/c/1403454
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58701}
Pipeline::GenerateCodeForWasmNativeStub() currently does not pass
an Isolate to the PipelineData it creates, to ensure that compiled
code does not accidentally depend on a given Isolate. However, this
prevents the assembler from converting ExternalReference accesses to
RootArray offsets. This patch sets the corresponding AssemblerOption.
Bug: v8:3770
Change-Id: Ia4d5269e2e884a0af8abc6d122734f47db045ac0
Reviewed-on: https://chromium-review.googlesource.com/c/1404447
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58700}
Since all categories are now statically defined, there's no need to warm
any of them up explicitly in order for the categories to show up in the
tracing UI.
Depends on https://chromium-review.googlesource.com/c/chromium/src/+/1401273.
Bug: chromium:914579
Change-Id: I8ae8977130ae89d6ee3351194ad258d13f3c14f4
Reviewed-on: https://chromium-review.googlesource.com/c/1402779
Reviewed-by: Alexei Filippov <alph@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Sami Kyöstilä <skyostil@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58699}
This will make it easier to separate out parameter declaration from other other
parameter scope information tracking.
Change-Id: I8712dd7fc589c84bc1e1a1eab9038af6047b21cd
Reviewed-on: https://chromium-review.googlesource.com/c/1403118
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58698}
This reverts commit 5dee355fe6.
Reason for revert: https://ci.chromium.org/p/v8-internal/builders/luci.v8-internal.ci/v8_linux64_perf_1/4282
Original change's description:
> [test] add perf tests for String.p.startsWith
>
> Add performance tests for String.prototype.startsWith ahead of port to
> torque in order to keep track of how performance is affected.
>
> Bug: v8:8400
> Change-Id: Ifc753a6f13da20c1760e545a99fd693717e3acc6
> Reviewed-on: https://chromium-review.googlesource.com/c/1402934
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#58685}
TBR=jgruber@chromium.org,usharma1998@gmail.com
Change-Id: I5855b08fa5e55ab8594185a0a84a26f567e2b9d3
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8400
Reviewed-on: https://chromium-review.googlesource.com/c/1404446
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58697}
Mostly signed integer overflows, and a few cases of double
division by zero (which is defined by IEEE-754 to return
Infinity (or NaN for 0/0) but is UB in C++).
Bug: v8:3770
Change-Id: Id92725b0ac57cb357978124a3dc6f477430bc97d
Reviewed-on: https://chromium-review.googlesource.com/c/1403133
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58696}
The 'done' setting dance in BuildFillArrayWithIterator turned out to
not be useful, as the StoreInArrayLiteral call could not ever throw an
exception. Since iterator exceptions count as done, we are guarnteed to
be done as soon as we enter the loop.
Change-Id: Ibe2ba1fcbe383bfcfedb185169890b6931cc7884
Reviewed-on: https://chromium-review.googlesource.com/c/1402792
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58695}
The IteratorClose spec specifies that exceptions in
%GetMethod(iterator.return) are not suppressed by exceptions in the
given continuation (body of a loop, assignments in destructuring),
while exceptions in the execution of iterator.return() are.
This means that we have to split out the property access + a typeof
check to be outside the try-catch, and keep the call inside of it.
The non-split version is only for cases when there is no 'throws'
continuation (as is the case for yield* calling IteratorClose), so
the existing BuildIteratorClose can be renamed to reflect this.
Change-Id: Id71aea4fddd6ffb986bd9aaa09d29615a8800f71
Reviewed-on: https://chromium-review.googlesource.com/c/1402789
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58694}
Mostly signed integer overflows, and a few cases of double
division by zero (which is defined by IEEE-754 to return
Infinity (or NaN for 0/0) but is UB in C++).
Bug: v8:3770
Change-Id: I8007987594ff534ca697c1c3247215a72a001343
Reviewed-on: https://chromium-review.googlesource.com/c/1403132
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58693}
This CL disables RX (read and execute) permissions for Code memory
when in jitless mode. All memory that was previously allocated RX
is now read-only.
Bug: v8:7777
Cq-Include-Trybots: luci.v8.try:v8_linux_arm_lite_rel_ng
Change-Id: I52d6ed785d244ec33168a02293c5506d26f36fe8
Reviewed-on: https://chromium-review.googlesource.com/c/1390122
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58692}
As a follow up of https://crrev.com/c/1372857, this merges Windows
cases into others by using Move() and arg_reg_{1,2,3,4}.
Bug: v8:8124
Change-Id: Iff015089fd2bfce29565ab213c8e41c8ef1cd68f
Reviewed-on: https://chromium-review.googlesource.com/c/1404774
Commit-Queue: Taiju Tsuiki <tzik@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58691}
This reverts commit d024b9a1f5.
Reason for revert: Left-over static counter in the code.
Original change's description:
> [regalloc] Introduce LiveRangeBundles
>
> The idea behind this change is to restore some information about
> pre-ssa values to aid register allocation in sharing spill slots and
> reusing registers for connected live ranges.
>
> By itself, this change does not improve much but it allows upcoming
> changes to freely spill and reload ranges without worrying about
> keeping the assignment stable.
>
> Change-Id: I9320522592546655cc8fd0236d45fe075276a49e
> Reviewed-on: https://chromium-review.googlesource.com/c/1375665
> Commit-Queue: Stephan Herhut <herhut@chromium.org>
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#58688}
TBR=sigurds@chromium.org,herhut@chromium.org
Change-Id: Id4f84a0e418e17729a301c848a7b9694f0eb9931
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/1404439
Reviewed-by: Stephan Herhut <herhut@chromium.org>
Commit-Queue: Stephan Herhut <herhut@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58690}
The idea behind this change is to restore some information about
pre-ssa values to aid register allocation in sharing spill slots and
reusing registers for connected live ranges.
By itself, this change does not improve much but it allows upcoming
changes to freely spill and reload ranges without worrying about
keeping the assignment stable.
Change-Id: I9320522592546655cc8fd0236d45fe075276a49e
Reviewed-on: https://chromium-review.googlesource.com/c/1375665
Commit-Queue: Stephan Herhut <herhut@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58688}
Minor refactoring to introduce kMaxRegisters instead of relying on
the fact that kMaxGpRegisters <= kMaxFpRegisters.
Bug: v8:8562
Change-Id: If8221a799199c62d5262cfad762489a5088351c7
Reviewed-on: https://chromium-review.googlesource.com/c/1403120
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Stephan Herhut <herhut@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58687}
Add performance tests for String.prototype.startsWith ahead of port to
torque in order to keep track of how performance is affected.
Bug: v8:8400
Change-Id: Ifc753a6f13da20c1760e545a99fd693717e3acc6
Reviewed-on: https://chromium-review.googlesource.com/c/1402934
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58685}
This moves |root_register_value| parameter of JSEntryFunction to the
first. I.e. the type of entry function will be changed from
Object*(Object* new_target, Object* target, Object* receiver,
int argc, Object*** args,
Address root_register_value)
to
Object*(Address root_register_value,
Object* new_target, Object* target, Object* receiver,
int argc, Object*** args),
and moves all parameter handling except for |root_register_value| from
JSEntryVariant to JSEntryTrampolineHelper.
This is a preparation to add another JS entry point for RunMicrotasks,
whose type will be
Object*(Address root_register_value, MicrotaskQueue*).
The new entry point requires |root_register_value| to be the first to
share the implementation of the EntryFrame setup with existing ones.
Bug: v8:8124
Change-Id: I675376a2ccd240f61cf04eea6fe9a91031e06ede
Reviewed-on: https://chromium-review.googlesource.com/c/1372857
Commit-Queue: Taiju Tsuiki <tzik@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58683}
If the key of the u-ext has no value it will return error so
we should just return undefined for that case.
Bug: v8:8663
Change-Id: I7446ad74c8d0609ad268385b6f4d986060424ce9
Reviewed-on: https://chromium-review.googlesource.com/c/1404194
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58682}
This is the analogue to CanInlineArrayIteratingBuiltin.
Change-Id: Ic96a8e230f50493d2482d5990d190ac2e7483fe9
Reviewed-on: https://chromium-review.googlesource.com/c/1400405
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58680}
Now that we no longer have ObjectPtr and Object* return types,
one way to load the slot's contents is enough.
Bug: v8:3770
Change-Id: I5acaeed22e68595b0e0ba036fcc4ac3d15c57462
Reviewed-on: https://chromium-review.googlesource.com/c/1400416
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58678}
Instead of spawning several foreground tasks, execute the work in a
single chunk.
This will allow us in a follow-up step to remove the deferred handle
scope and pass the handles directly.
R=ahaas@chromium.org
Bug: v8:7921, v8:8423
Change-Id: I4dae6241e2a33e89e304a04cb67c2229c34f7b99
Reviewed-on: https://chromium-review.googlesource.com/c/1402545
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58677}
Since register can be used multiple times on the stack, they can also
be spilled into multiple stack slots. At merge points, we then might
have to reload the spilled slots. A DCHECK currently checks that each
register is only loaded once. Instead of failing, just load the first
stack slot, the others are statically known to contain the same value
anyways.
R=ahaas@chromium.org
Bug: v8:6600, chromium:919533
Change-Id: Ic0c806238b2997f006829b4b509a50468a55befa
Reviewed-on: https://chromium-review.googlesource.com/c/1403124
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58676}
The unwinding info writer was assuming that a block that had no initial
state must be the start or end block. It was trying to check if the
block was the start or end by asserting that the block had either
no predecessors or no successors. Loop rotation breaks this assumption,
since it can move a block from inside a loop to before the loop
header, and the block can then be the "start" block. But since
such a block has both predecessor(s) and a successor, the check was
wrong.
R=clemensh@chromium.org
BUG=chromium:913844
Change-Id: Ic24c67a822d510cb082f25608089d313c3459be8
Reviewed-on: https://chromium-review.googlesource.com/c/1373770
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58675}
Emit a single destructuring assignment for destructuring declarations,
which can be desugared by the bytecode generator. This allows us to
remove destructuring desugaring from the parser (specifically, the
pattern rewriter) entirely.
The pattern "rewriter" is now only responsible for walking the
destructuring pattern to declare variables, mark them assigned, and
potentially rewrite scopes for the edge case of parameters with a sloppy
eval.
Note that since the rewriter is no longer rewriting, we have to flip the
VariableProxy copying logic for var re-lookup, so that we now pass the
new VariableProxy to the variable declaration and leave the original
unresolved (rather than passing the original through and rewriting to a
new unresolved VariableProxy).
This change does have some effect on breakpoint locations, due to some
of the available information changing between the parser and bytecode
generator, however the new locations appear to be more consistent
between assignments and declarations.
Change-Id: I3a58dd0a387d2bfb8e5e9e22dde0acc5f440cb82
Reviewed-on: https://chromium-review.googlesource.com/c/1382462
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58670}
When adding the new heuristic to allocate registers that do not
take part in hinting first, I managed to break hinting for most
cases. This change makes hinting operational again.
Bug: chromium:920106
Change-Id: I0f460a66196087266dcb70a7a0e5569124bdd2ff
Reviewed-on: https://chromium-review.googlesource.com/c/1402791
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Stephan Herhut <herhut@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58669}
It's anyway only read in case of simple parameters. In that case pattern is
guaranteed to be a VariableProxy, from which we can read the name as well.
Change-Id: Ie340064453594ab4f84b1d0223506801635c289d
Reviewed-on: https://chromium-review.googlesource.com/c/1402782
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58668}
Ivica Bogosavljevic is no longer part of MIPS V8 team, and therefore his
name is removed from OWNERS.
TBR=mstarzinger@chromium.org
NOTRY=true
No-Presubmit: true
Change-Id: I1ea6745b795573a17362dfd869528ddf78b8ab41
Reviewed-on: https://chromium-review.googlesource.com/c/1402775
Commit-Queue: Predrag Rudic <prudic@wavecomp.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58667}
This is a leftover of the previous CL.
https://chromium-review.googlesource.com/c/v8/v8/+/1402305.
noexcept keyword needs to be consistent between the declaration and
implementation in C++17.
Bug: v8:8616, chromium:752720
Change-Id: I8a21426e550d666bd84c1a6e7bc36d1eec495333
Reviewed-on: https://chromium-review.googlesource.com/c/1402305
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Taiju Tsuiki <tzik@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58665}
This reverts commit 556ef4c387.
Reason for revert: Seems to cause hangs in tests.
Original change's description:
> [wasm] Inline CompileFailed step
>
> The {CompileFailed} just calls {AsyncCompileFailed}, which also does
> not do much. Thus just inline directly call a function instead of
> spawning a foreground task. This saves one instance of DeferredHandles.
>
> R=ahaas@chromium.org
>
> Bug: v8:7921, v8:8423
> Change-Id: Ia8fb72a3ce2efd1f9a069c1a3b0b670b15fd8bce
> Reviewed-on: https://chromium-review.googlesource.com/c/1402714
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#58662}
TBR=ahaas@chromium.org,clemensh@chromium.org
Change-Id: I3430fb304b8df72b93330d104c09b0a144bbd069
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7921, v8:8423
Reviewed-on: https://chromium-review.googlesource.com/c/1402786
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58663}
The {CompileFailed} just calls {AsyncCompileFailed}, which also does
not do much. Thus just inline directly call a function instead of
spawning a foreground task. This saves one instance of DeferredHandles.
R=ahaas@chromium.org
Bug: v8:7921, v8:8423
Change-Id: Ia8fb72a3ce2efd1f9a069c1a3b0b670b15fd8bce
Reviewed-on: https://chromium-review.googlesource.com/c/1402714
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58662}
The incremental migration required several pairs of functionally
equivalent macros. This patch consolidates everything onto the
respective new version and drops the obsolete versions.
Bug: v8:3770
Change-Id: I4fb05ff223e8250c83a13f46840810b0893f410b
Reviewed-on: https://chromium-review.googlesource.com/c/1398223
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58659}
For compilation we only need the NativeModule. Thus only create this
before compilation, create other runtime objects later.
This is a first step towards removing the deferred handles and
clustering all foreground work in one chunk after compilation.
R=ahaas@chromium.org
Bug: v8:7921, v8:8423
Change-Id: If62387d68ddf0f5e067adbaef5fbeca7178958a4
Reviewed-on: https://chromium-review.googlesource.com/c/1402544
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58656}
Port commit 4ab96a9a81
Original message:
> Remove the use of a jump table in the prologue of the deopt entries
> and instead pass the bailout id explicitly in a register when calling
> the deopt entry routine from optimized code. This unifies the logic
> with the way the Arm64 code works. It saves the following amount of
> memory in code stubs:
>
> - arm: 384KB
> - ia32: 480KB
> - x64: 240KB
>
> This could be offset by a slight increase in the size of optimized code
> for loading the immediate, however this impact should be minimal and
> will scale with the maximum number of bailout ids (e.g., the size of
> code will increase by one instruction per bailout id on Arm, therefore
> ~98,000 bailouts will be needed before the overhead is greater than
> the current fixed table size).
>
> Change-Id: I838604b48fa04cbd45320c7b9dac0de08fd8eb25
> Reviewed-on: https://chromium-review.googlesource.com/c/1398224
> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#58636}
Change-Id: I4d070b90ebd4f9d4e82eaa74fe6d41c3a39d93e8
Reviewed-on: https://chromium-review.googlesource.com/c/1400848
Reviewed-by: Sreten Kovacevic <skovacevic@wavecomp.com>
Commit-Queue: Sreten Kovacevic <skovacevic@wavecomp.com>
Cr-Commit-Position: refs/heads/master@{#58655}
OOMs in CSA code would trigger fairly arbitrary assertion failures on
some paths. This changes CSA::AllocateRaw to call
FatalProcessOutOfMemory (just like runtime methods).
CSA::AllocateFixedArray additionally checks for
FixedArray::kMaxLength.
This increases overall builtin code size on x64 release by 28K / 2.5%.
Bug: chromium:917561, chromium:848672
Change-Id: I757271264f396e0df8d8fe0570bad078075c27d5
Reviewed-on: https://chromium-review.googlesource.com/c/1400414
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58654}
.rodata usually hosts read only data. MSVC link.exe complains mismatch when
merging this read/write .rodata from embedded.S with .rodata from other object
file.
Bug: chromium:919180
Change-Id: I7789e42afe116cc4bf772e2cbb312d19e4ce7fe5
Reviewed-on: https://chromium-review.googlesource.com/c/1396361
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58653}