Make GetValueType to generate only function signatures
to avoid default values in new_object.
Bug: v8:11954
Change-Id: Ia6ebdde0a9c10c56afef29d6db3b3266816210e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3158222
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Rakhim Khismet <khismet@google.com>
Cr-Commit-Position: refs/heads/main@{#76934}
... and move methods that use XXX::cast() there.
This will untangle the include cycle that'll happen in a follow-up CLs.
Bug: v8:11880
Change-Id: Iba46bc9b0e0df9530197f57d0469456eb9006e66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3164456
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76932}
We add support for array.get, array.set and array.len operation to the fuzzed module.
Bug: v8:11954
Change-Id: Ic8fd89ec7f7f31e70a40bad831567e50ae49f668
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3168624
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Maria Tîmbur <mtimbur@google.com>
Cr-Commit-Position: refs/heads/main@{#76931}
This means we don't need to copy over properties, and accessors stay in
place similar to when we deserialize a custom snapshot.
This slightly changes the semantics of Context::New, so let's see
whether someone depends on this behaviour. We may need to revert if so
(hopefully until we can update the embedder).
Bug: v8:12113
Change-Id: I8325480a00bab5b2bb6ea42274e295b0d4dfc85c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162143
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76928}
The recent change in the delegate semantics was incorrectly implemented
in the interpreter. It only checked that the first opcode of the target
block is a 'try': we also need to skip try blocks when we are already in
their 'catch' or 'catch_all' sub-block.
Use the exception_stack instead, since it already only contains indices
of try blocks that haven't reached their handlers yet.
R=clemensb@chromium.org
Bug: chromium:1249306
Change-Id: I15746b4bfabf3dcf04cfe0f2ad438c573cce65e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3168622
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76919}
SIMD is now shipped, so we don't need to pass the experimental wasm simd
flag.
Change-Id: I54090cec575da5eecfd2bf9a455ac5d0ef3f146e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3169313
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76918}
When the input to F64x2PromoteLowF32x4 is a S128Load64Zero, we can skip
the load + promote, and promote directly with a memory operand. The
tricky bit here is that on systems that rely on OOB trap handling, the
load is not eliminatable, so we always visit the S128Load64Zero, even
though after instruction-selector pattern-matching, it is unused. We
mark it as defined to skip visiting it, only if we matched it.
Bug: v8:12189
Change-Id: I0a805a3fce65c56ec52082b3625e1712ea1ee7cf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3154347
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76917}
Change base::Optional to an alias of absl::optional. Eventually we
should remove it entirely.
Bug: v8:11006
Change-Id: I687d44cc7e7cd0a49a84bcc207231eb6808eef2d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2476318
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76913}
This fixes the first part of a failing spec test, the other WebAssembly
objects will follow in other CLs.
R=jkummerow@chromium.org
Bug: v8:12227
Change-Id: I7b57b0c518671f0614a88f0477b64e2507435aba
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3168272
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76907}
When checking for operand interference, if both operands are slots and
one of them is 128 bit wide, check that the slot ranges don't intersect.
R=nicohartmann@chromium.org
Bug: chromium:1248817
Change-Id: Ib18b6e596dbb23427508b7cc07947a0ab4665e85
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162141
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76904}
This ports the trap handler implementation for the arm64 simulator
from POSIX to Windows. Apart from different registers being used
for passing parameters, and different access to these register
values in the signal handler, the implementation is exactly the same.
The new logic is being used for sanitizer builds which automatically
target arm64 via the simulator, or if manually compiling an arm64
simulator build on x64. I manually tested the latter.
Also, the existing unit test is enabled for Mac (which was missing)
and Windows now.
R=ahaas@chromium.org, mseaborn@chromium.org
Bug: v8:11955
Cq-Include-Trybots: luci.v8.try:v8_win64_asan_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_mac64_asan_rel_ng
Change-Id: Ia62405b28808a3cc9f199e3f43a45ffc4bda491b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3163256
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76902}
Instead of explicitely splitting the cage into two separate regions, we
now just create a single BoundedPageAllocator to manage the entire
address range of the cage, then allocate the first 4GB for the pointer
compression cage.
Bug: chromium:1218005
Change-Id: I02c53ca8b6dda9074ae6caccc74c32bd6271d4d2
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162044
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76900}
Previously the internal `[[ArrayBufferData]]` property for `ArrayBuffer`
objects reported by the inspector (and used by the DevTools front-end to
identify `ArrayBuffer`s and `WebAssembly.Memory`s using the same backing
store) simply contained a hex string representation of the backing store
pointer. However that unnecessarily leaks internal addresses and more
importantly is not deterministic, which complicates tests (just blew up
on layout tests).
This CL introduces an automatically incremented `BackingStore::id()`,
which is used instead now and is deterministic.
Bug: chromium:1199701, chromium:1163802, chromium:1249961
Change-Id: I8ee47009cd825cfdbe00230f617c87c90508ab2a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162144
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76893}
The default value for table entries in WebAssembly tables is null when
the table gets allocated from WebAssembly, but when the table gets
allocated from JavaScript, the default value is undefined when the
table type is externref. With this CL V8 handles the JavaScript case
spec-compliant.
R=manoskouk@chromium.org
Bug: v8:12227
Change-Id: Ic8a1361629d8e5dfb59e2ee22a5e0ae0f6de936d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162045
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76892}
Behind the --wasm-inlining flag, we introduce speculative direct calls
as an alternative to invoking functions through references.
In pseudocode, call_ref(func_ref, args...) reduces to
if (func_ref == function_reference_at(expected_index)) {
call_direct(expected_index, args...)
} else call_ref(func_ref, args...)
The introduced direct call can later get inlined in WasmInliningPhase.
Currently, we always speculate that the reference is the function at
index 0. Proper heuristics, based on liftoff runtime feedback, will come
later.
Bug: v8:12166, v8:7748
Change-Id: Icd1319d3091b436e71906717fd8a2662bfbb8481
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162602
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76884}
JavascriptBuiltinContinuationFrame and BuiltinFrame didn't correctly
handle the receiver when it was included in the argument count.
Bug: v8:11112, chromium:1249941
Change-Id: I4d79bd152ea7e992fa3b87a4de2a509b79fcb37c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3165058
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76881}
... by adding atomic (relaxed) accessor's for a map's
constructor_or_backpointer field, and using them in the two functions.
Bug: chromium:1250216, v8:7790
Change-Id: I3416799cca73792ff5f8963685274ad9afdc6229
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162129
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76876}
Reason for revert: There was an out-dated wpt test in blink that
failed after this CL. I adjusted the test expectations in https://chromium-review.googlesource.com/c/chromium/src/+/3162980 so that I can land this CL.
Original change's description:
> Revert "[wasm][externref] Support default value for the table.set"
>
> This reverts commit 6b57898062.
>
> Reason for revert: Fails layout tests: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Blink%20Linux/13751/overview
>
> Original change's description:
> > [wasm][externref] Support default value for the table.set
> >
> > WebAssembly.Table.set allows a default value instead of the second
> > parameter, which was not supported by V8 so far.
> >
> > R=thibaudm@chromium.org
> >
> > Bug: v8:7581
> > Change-Id: I417790722b1cb4f854cd0056ecb8377c330c45fa
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3141574
> > Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
> > Commit-Queue: Andreas Haas <ahaas@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#76846}
>
> Bug: v8:7581
> Change-Id: I83d9be59c66ece3184b5708e5b8a3b401e4938ed
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3163257
> Auto-Submit: Clemens Backes <clemensb@chromium.org>
> Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
> Cr-Commit-Position: refs/heads/main@{#76852}
Bug: v8:7581
Change-Id: I248f836ba4de2a4e3f3d80c00e6f1ac0b46a38d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162608
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76873}
Liftoff needs to be fully implemented for running this test.
Change-Id: Ia229d478fa22d4ce9a715d13b3d2b09a2634ad1c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3163016
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#76870}
This test is added in commit bc3b9332ac
Bug: v8:7748
Change-Id: I8bada39c6fc9ed22f7a25786697aed880738bc9e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3163286
Auto-Submit: Liu yu <liuyu@loongson.cn>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76868}
EphemeronHashTable does not trigger interrupts when accessed
(as opposed to calling the WeakMapGet builtin), so it avoids
the use-after-free problem when reading exception metadata
triggers session disconnect while holding a reference
to the session.
Bug: chromium:1241860
Change-Id: I29264b04b8daf682e7c33a97faedf50e323d57c4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3158326
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76864}
This is a reland of 11045926ca
The first version of this CL uncovered a TSAN failure when not disabling
RCS anymore. The problem was that a background thread was still updating
RCS counters, while the main thread already dumped those values during
tear down. This CL fixes this by dumping counters only after all
background threads are stopped.
Original change's description:
> [test] Avoid disabling of RCS during runtime
>
> Test was flaky since disabling of RCS at runtime is unsafe. Some code
> (e.g. TRACE_GC) is run only in case RCS is enabled and such code paths
> might also DCHECK that RCS is enabled.
> A background thread (sweeping in this case) could've already
> entered such a code path right before RCS is disabled. In this case the
> guard at the entry still saw that RCS is enabled but subsequent DCHECKs
> that ensure that RCS is enabled might fail.
>
> We could fix this by completing the sweeper tasks before disabling RCS
> but there might be other similar tasks which might be run at that point
> in the future (e.g. memory unmapper).
>
> Disabling the flag doesn't even seem to be needed for the initial
> regression test, so it seems simpler to just not disable RCS anymore.
>
> Bug: v8:12026
> Change-Id: I878f7dd9a7a4abb6a501f7a7651a1240ef2082a6
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162043
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76845}
Bug: v8:12026, v8:12234
Change-Id: I5cb577051d188d17b02ca7da79a3f1d9aa646cae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162050
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76859}
These tests don't depend on initializing VM (for Context) or even an
isolate, so we can remove the setup code, and use UNINITIALIZED_TEST
(will not even set up an isolate).
Bug: v8:12207
Change-Id: I4b509b95cc8272db22892c32b53464678403dc7d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3160748
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76854}
This reverts commit 6b57898062.
Reason for revert: Fails layout tests: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Blink%20Linux/13751/overview
Original change's description:
> [wasm][externref] Support default value for the table.set
>
> WebAssembly.Table.set allows a default value instead of the second
> parameter, which was not supported by V8 so far.
>
> R=thibaudm@chromium.org
>
> Bug: v8:7581
> Change-Id: I417790722b1cb4f854cd0056ecb8377c330c45fa
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3141574
> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76846}
Bug: v8:7581
Change-Id: I83d9be59c66ece3184b5708e5b8a3b401e4938ed
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3163257
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#76852}
This reverts commit 16df1dfa13.
Reason for revert: Multiple failures, e.g. https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux/43844/overview
Original change's description:
> [arm64][wasm-simd] Use Cm(0) for integer comparison with 0
>
> Use an immediate zero operand for integer comparison when possible. This
> gives ~1% runtime performance improvement in some benchmarks on Neoverse
> N1.
>
> Change-Id: I727a8104f8e6ca3d122d6b5b8b3d38d7bdd76c47
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3158327
> Reviewed-by: Zhi An Ng <zhin@chromium.org>
> Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
> Cr-Commit-Position: refs/heads/main@{#76847}
Tbr: zhin@chromium.org
Change-Id: I7039106d885c59aecad24dd8dda4d151b8e1f022
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162053
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76851}
Instead of trying to detect which sanitizer we run on, just allow the
output that any sanitizer would produce.
Note that the regular expression syntax is pretty limited, so we cannot
express this as a single regex.
This removes the single use of {V8_USE_UNDEFINED_BEHAVIOR_SANITIZER}
again, but for completeness I leave it in {macros.h} for now.
TBR=jkummerow@chromium.org
Bug: v8:12226
Cq-Include-Trybots: luci.v8.try:v8_linux64_msan_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_ubsan_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_cfi_rel_ng
Change-Id: I37a6d15ebb9fdafbdbee0158ba6c540582c31301
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162046
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76850}
This reverts commit 11045926ca.
Reason for revert: Uncovered TSAN failure
Original change's description:
> [test] Avoid disabling of RCS during runtime
>
> Test was flaky since disabling of RCS at runtime is unsafe. Some code
> (e.g. TRACE_GC) is run only in case RCS is enabled and such code paths
> might also DCHECK that RCS is enabled.
> A background thread (sweeping in this case) could've already
> entered such a code path right before RCS is disabled. In this case the
> guard at the entry still saw that RCS is enabled but subsequent DCHECKs
> that ensure that RCS is enabled might fail.
>
> We could fix this by completing the sweeper tasks before disabling RCS
> but there might be other similar tasks which might be run at that point
> in the future (e.g. memory unmapper).
>
> Disabling the flag doesn't even seem to be needed for the initial
> regression test, so it seems simpler to just not disable RCS anymore.
>
> Bug: v8:12026
> Change-Id: I878f7dd9a7a4abb6a501f7a7651a1240ef2082a6
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162043
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76845}
Bug: v8:12026
Change-Id: I154817fc5ddeab68c69c745d08f3d77c48896dc4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162049
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#76848}
Use an immediate zero operand for integer comparison when possible. This
gives ~1% runtime performance improvement in some benchmarks on Neoverse
N1.
Change-Id: I727a8104f8e6ca3d122d6b5b8b3d38d7bdd76c47
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3158327
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/main@{#76847}
WebAssembly.Table.set allows a default value instead of the second
parameter, which was not supported by V8 so far.
R=thibaudm@chromium.org
Bug: v8:7581
Change-Id: I417790722b1cb4f854cd0056ecb8377c330c45fa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3141574
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76846}
Test was flaky since disabling of RCS at runtime is unsafe. Some code
(e.g. TRACE_GC) is run only in case RCS is enabled and such code paths
might also DCHECK that RCS is enabled.
A background thread (sweeping in this case) could've already
entered such a code path right before RCS is disabled. In this case the
guard at the entry still saw that RCS is enabled but subsequent DCHECKs
that ensure that RCS is enabled might fail.
We could fix this by completing the sweeper tasks before disabling RCS
but there might be other similar tasks which might be run at that point
in the future (e.g. memory unmapper).
Disabling the flag doesn't even seem to be needed for the initial
regression test, so it seems simpler to just not disable RCS anymore.
Bug: v8:12026
Change-Id: I878f7dd9a7a4abb6a501f7a7651a1240ef2082a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162043
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76845}
Per https://github.com/WebAssembly/gc/issues/234, this implements
"nominal" type definitions with explicit supertypes, and statically
typed RTT-less instructions for allocation and testing/casting.
This should be fully backwards compatible with existing Wasm modules.
Spec: https://bit.ly/3cWcm6Q ("version 4")
Bug: v8:7748
Change-Id: Id5a1399b368fdfad22036cfd66f1bef593e640f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3144916
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76844}
This is a reland of a55c82d46b, now also
fixed for UBSan.
Original change's description:
> Reland "[wasm][test] Fix test expectation"
>
> This is a reland of 6f9cde1ee6, with
> special handling for MSan as well.
>
> Original change's description:
> > [wasm][test] Fix test expectation
> >
> > In the mprotect case, there could be one or multiple succeeding writes
> > until we finally crash. Thus do not check that we never successfully
> > write, but just check that the last printed statement is *before* a
> > write.
> >
> > R=jkummerow@chromium.org
> >
> > Bug: v8:12226
> > Change-Id: I04209691a9320a9b29dd0ec364539e062ad2dc03
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3160343
> > Commit-Queue: Clemens Backes <clemensb@chromium.org>
> > Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#76829}
>
> Bug: v8:12226
> Cq-Include-Trybots: luci.v8.try:v8_linux64_msan_rel_ng
> Change-Id: I85ca98be43fc1d933d39a4602194e1771c33007c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162037
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76839}
Bug: v8:12226
Change-Id: I911295b73a385c899a993a729db3a499e58b7cb6
Cq-Include-Trybots: luci.v8.try:v8_linux64_msan_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_ubsan_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162041
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76841}
This reverts commit a55c82d46b.
Reason for revert: Fails on UBSan: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20-%20cfi/31712/overview
Original change's description:
> Reland "[wasm][test] Fix test expectation"
>
> This is a reland of 6f9cde1ee6, with
> special handling for MSan as well.
>
> Original change's description:
> > [wasm][test] Fix test expectation
> >
> > In the mprotect case, there could be one or multiple succeeding writes
> > until we finally crash. Thus do not check that we never successfully
> > write, but just check that the last printed statement is *before* a
> > write.
> >
> > R=jkummerow@chromium.org
> >
> > Bug: v8:12226
> > Change-Id: I04209691a9320a9b29dd0ec364539e062ad2dc03
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3160343
> > Commit-Queue: Clemens Backes <clemensb@chromium.org>
> > Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#76829}
>
> Bug: v8:12226
> Cq-Include-Trybots: luci.v8.try:v8_linux64_msan_rel_ng
> Change-Id: I85ca98be43fc1d933d39a4602194e1771c33007c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162037
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76839}
Bug: v8:12226
Change-Id: Ifb0f4b7e87c9c54271f7f3de29b1f1fc6e867f3f
Cq-Include-Trybots: luci.v8.try:v8_linux64_msan_rel_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162040
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#76840}
This is a reland of 6f9cde1ee6, with
special handling for MSan as well.
Original change's description:
> [wasm][test] Fix test expectation
>
> In the mprotect case, there could be one or multiple succeeding writes
> until we finally crash. Thus do not check that we never successfully
> write, but just check that the last printed statement is *before* a
> write.
>
> R=jkummerow@chromium.org
>
> Bug: v8:12226
> Change-Id: I04209691a9320a9b29dd0ec364539e062ad2dc03
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3160343
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76829}
Bug: v8:12226
Cq-Include-Trybots: luci.v8.try:v8_linux64_msan_rel_ng
Change-Id: I85ca98be43fc1d933d39a4602194e1771c33007c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162037
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76839}
This reverts commit 6f9cde1ee6.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/40332/overview
Original change's description:
> [wasm][test] Fix test expectation
>
> In the mprotect case, there could be one or multiple succeeding writes
> until we finally crash. Thus do not check that we never successfully
> write, but just check that the last printed statement is *before* a
> write.
>
> R=jkummerow@chromium.org
>
> Bug: v8:12226
> Change-Id: I04209691a9320a9b29dd0ec364539e062ad2dc03
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3160343
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76829}
Bug: v8:12226
Change-Id: I11ed00268db8dae5c773ed14fda9a343566f910a
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3161333
Auto-Submit: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#76831}
In the mprotect case, there could be one or multiple succeeding writes
until we finally crash. Thus do not check that we never successfully
write, but just check that the last printed statement is *before* a
write.
R=jkummerow@chromium.org
Bug: v8:12226
Change-Id: I04209691a9320a9b29dd0ec364539e062ad2dc03
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3160343
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76829}
Currently the main test for disassembly just checks that there is
disassembly support for a assembler function, it doesn't verify the
output is as expected.
Add a new test case that checks the disassembly output against an
expected string.
Right now we only check a single instruction, subsequent patches will
move more instructions into this test case.
Bug: v8:12207
Change-Id: Id183bb2fd625713d82239363ebce3f4c77155acd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3150145
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76828}
WPT and WebAssembly spec tests are not 100% in sync, which means that
there are aspects of the WebAssembly spec that get only tested by WPT.
Up until now WPT was only executed on the blink side, and failing tests
were just ignored. With this CL we add WPT to the existing wasm spec
test setup, so that we run both the spec tests, and WPT.
Bug: v8:12227
Change-Id: Iccbe696a6d9dd01f8bab1990736f1ed16e0cdf7b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3160347
Reviewed-by: Liviu Rau <liviurau@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76823}
Avoid the usage of ASSERT_DEATH_IF_SUPPORTED with a matcher, as that's
not supported if death tests are not supported (e.g. on iOS).
R=jkummerow@chromium.org
Bug: v8:11974
Change-Id: Ieb33ac8605e82fde67bfcd0e81e85ac2d18e9b27
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3160341
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76822}
This reverts commit 0adc1410b1.
Reason for revert: Reverting due to fail on V8 Linux - noi18n - debug https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket/8836095186331011153/+/u/Check_-_default/function-exist
Original change's description:
> [Temporal] Part 1 - Skeleton
>
> 1. Expose all the functions to empty buildins.
> 2. Wire up basic structure of classes and internal slots.
>
> Design Doc: https://docs.google.com/document/d/1Huu2OUlmveBh4wjgx0D7ouC9O9vSdiZWaRK3OwkQZU0/
>
> This is just a CL to establish a skeleton for Temporal.
> The Temporal is very big. The prototype CL is in
> https://chromium-review.googlesource.com/c/v8/v8/+/2967755
> but too big to be reviewed so I break up the basic structure here first.
>
> Cq-Include-Trybots: luci.v8.try:v8_linux64_bazel
> Bug: v8:11544
> Change-Id: I10d09e3c2530e5b1a6ba60014a2294e138879ff3
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3092561
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Frank Tang <ftang@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76819}
Bug: v8:11544
Change-Id: I358f671452a986c8e87d1f831ab5eb1550a38441
Cq-Include-Trybots: luci.v8.try:v8_linux64_bazel
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3160467
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Auto-Submit: Deepti Gandluri <gdeepti@chromium.org>
Owners-Override: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76821}
1. Expose all the functions to empty buildins.
2. Wire up basic structure of classes and internal slots.
Design Doc: https://docs.google.com/document/d/1Huu2OUlmveBh4wjgx0D7ouC9O9vSdiZWaRK3OwkQZU0/
This is just a CL to establish a skeleton for Temporal.
The Temporal is very big. The prototype CL is in
https://chromium-review.googlesource.com/c/v8/v8/+/2967755
but too big to be reviewed so I break up the basic structure here first.
Cq-Include-Trybots: luci.v8.try:v8_linux64_bazel
Bug: v8:11544
Change-Id: I10d09e3c2530e5b1a6ba60014a2294e138879ff3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3092561
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76819}
DataView constructor, DataView.prototype.byteLength
and DataView.prototype.byteOffset should throw
TypeError when the buffer was detached.
Both SpiderMonkey and JSC passed the test262 suites.
Bug: v8:12162
Change-Id: I126d24213c00e4d26540519bce9b5388862eb32c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3140015
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76818}
The previous setup of the test was suboptimal and could easily hide
bugs. Since the whole test body was wrapped in an ASSERT_DEATH call
(without checking any message of the crash), any CHECK failure inside
the test body would make the test pass.
This CL leverages the fact that in our setup the "death test style" is
set to "threadsafe" anyway, so the process that is forked for the death
test just runs the whole test body including the single death test of
interest, and the parent checks that it indeed crashes. This allows us
to undo our previous setup and just include death test assertions
regularly in the test body. By checking that the child process fails
exactly between two print statements (around the write access) we ensure
that we observe the crash we intend to observe.
R=jkummerow@chromium.org
CC=mpdenton@chromium.org
Bug: v8:11974
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_dbg_ng
Change-Id: I293079ae2dbcbe154bef91314ed08cab567f4d18
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3151965
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76814}
This is a reland of deb66c84c0
Added missing cctest.status entries to disable the tests on
non-simd hardware.
Original change's description:
> [wasm] Add tests for NaN detection in Liftoff
>
> Check that the flag is also set if only one of the lanes is NaN for SIMD
> operations.
>
> R=clemensb@chromium.org
>
> Bug: v8:11856
> Change-Id: I3860ed1beac4faee1ade7180b67ca06762ca9b95
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3158322
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76801}
Bug: v8:11856
Change-Id: If45451703d80fe217eac8c610dac022dc778436f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3158329
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76812}
Move this from macro-assembler-x64 to shared-macro-assembler, and use
this implementation for ia32 (TurboFan and Liftoff).
Bug: v8:11589
Change-Id: If851560c8db1293924ca024725609c399c553a4a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3124099
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76803}
This reverts commit deb66c84c0.
Reason for revert: Fails in no-sse config: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20debug/36712
Original change's description:
> [wasm] Add tests for NaN detection in Liftoff
>
> Check that the flag is also set if only one of the lanes is NaN for SIMD
> operations.
>
> R=clemensb@chromium.org
>
> Bug: v8:11856
> Change-Id: I3860ed1beac4faee1ade7180b67ca06762ca9b95
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3158322
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76801}
Bug: v8:11856
Change-Id: I16c50b3d0c1831a6d61159bdcf29610fd5aed8a4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3158328
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#76802}
Check that the flag is also set if only one of the lanes is NaN for SIMD
operations.
R=clemensb@chromium.org
Bug: v8:11856
Change-Id: I3860ed1beac4faee1ade7180b67ca06762ca9b95
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3158322
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76801}
This unblocks https://crrev.com/c/3099011 by speeding up the case for
the DebugPropertyIterator where only non-indexed properties (for large
arrays or typed arrays) are requested. Previously we'd walk through all
properties - including all indexed properties - and only filter out the
indexed properties in the end in `ValueMirror::getProperties()`.
Bug: chromium:1199701, chromium:1162229
Change-Id: I2555e3129fef29da347314eee400ea97ebf5e5b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114135
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76796}
The refactoring is triggered by https://crrev.com/c/3121905 where we
noticed that a bunch of tricky counter paths could be simplified,
making reasoning about corectness easier.
In this CL:
1. Use uniqe_ptr instead of Optional to allow moving SweepingJob away
from the header file.
2. sweeping_in_progress_ is replaced with simply checking for a job.
3. freed_bytes_ are moved to the job and the dependency is reversed,
avoiding the inside-out (Job->Sweeper) dependency completely.
4. Merge() and counter updates are merged into a Finalize() method.
5. FinishIfDone() allows for conditional finization.
6. young_bytes_ and old_bytes_ are removed as they were always updated
when the corresponding bytes in the ArrayBufferList was updated.
Change-Id: I56e5b04087166ce03d3a9195ac48359122a84c73
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3124776
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76795}
The "unreachable" state is usually reset in the first catch block.
Ensure that this is done for catchless tries too.
R=clemensb@chromium.org
Bug: chromium:1246712
Change-Id: If746a3fe3158b0bac4b9b02e4978ca444f8ce427
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3157949
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76791}
The bug was introduced in
https://chromium-review.googlesource.com/c/v8/v8/+/3147910 : We only
want the fast path when "start" is either missing or the number 0, not
when it's something which converts to 0.
Bug: chromium:1248704
Change-Id: I72bb8fa8a9b90a13aae216c6a8e16e7be54285fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3157948
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76789}
This is a follow-up on https://crrev.com/c/3131374 to support more
instructions, float32 sqrt, cmp, round, float64 cmp.
Rename the opcodes since they are no longer SSE specific.
Bug: v8:12148
Change-Id: Ie5f74bc1b4510092cbfbcb7e420ef82cb1c39a14
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3154983
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76777}
If background threads are tiering up, they could temporarily make code
writable (if using the mprotect based approach). This would make our
death tests fail (i.e. not crash).
This CL fixes that by repeatedly writing in that case. Eventually, the
code should be protected again, and then we would crash. Failure to
crash would manifest as a timeout of the tests.
R=jkummerow@chromium.org
CC=mpdenton@chromium.org
Bug: v8:11974
Change-Id: Ibe34af499da9b964ad260d58e9b4e390007898e9
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3151959
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76770}
StackCheck needs to be implemented on liftoff.
Change-Id: I29624d65b82cbba3ef640ab7ea0cc78c2d5f2c4f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3152745
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#76766}
In the case that {dst}, {lhs} and {rhs} all point to the same register,
we would emit wrong code (negating the register and adding it to
itself). This CL fixes this by checking if {lhs == rhs}, and just
clearing the {dst} register in that case.
R=thibaudm@chromium.org
Bug: chromium:1247659
Change-Id: I7913617850adb34a5ad812369f16a7422358454d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3151955
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76765}
With statically in-bounds memory accesses (implemented in
https://crrev.com/c/2919827) we would only have an offset but no index
register for {TraceMemoryOperation}. This CL fixes that situation.
R=thibaudm@chromium.org
Bug: chromium:1248024
Change-Id: I856b263a560cb71791c61e446e78dd99c9664190
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3149464
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76763}
value must be written to memory in LE order on BE machines
as they will be loaded in reverse when emitting S128Const.
Change-Id: Ia1d6c784505abe499fb71a6d86daea2721615da4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3151956
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#76758}
This is similar to what is already done in x64, define a macro list for
all the *sd instructions (prefix f2 0f), and use this macro list to
define assembler functions and disassembly.
Bug: v8:11879
Change-Id: Ia7fbd9fe7f07b72c04d82c81726b9673c40eb0de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3125774
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76756}
By delegating to the macro-assembler, emit AVX instructions for some
float opcodes (float sqrt, round, conversions to and from int,
extract/insert/load word).
Since they now support AVX, we rename the instruction ops to remove the
SSE prefix, changing it to be IA32.
Bug: v8:12148
Change-Id: Ib488f03928756e7d85ab78e6cb28eb869e0641f9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3131374
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76755}
Use an immediate zero operand for floating point comparison nodes when
possible. This results in up to 20-25% runtime improvement in some
microbenchmarks, as well as 1-1.5% runtime improvement in some
real-use benchmarks on Cortex-A55 and Neoverse N1.
Change-Id: I39d10871a08a037dbe8c0877d789d110476e1a58
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3133143
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/main@{#76749}
We add call_ref and return_call_ref to the fuzzed module.
We alter call function to generate call_ref in it.
Bug: v8:11954
Change-Id: I972b8e053d7eab758ac343d48f0c4631ef24b22b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3148011
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Rakhim Khismet <khismet@google.com>
Cr-Commit-Position: refs/heads/main@{#76748}
Test that also signal handlers cannot write to code, even if a
{CodeSpaceWriteScope} is open when the signal is triggered.
R=jkummerow@chromium.orgCC=mpdenton@chromium.org
Bug: v8:11974
Change-Id: I1e49e4b31ba196948f7f7adfdf88675816e0a58a
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3140607
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76747}
They need to agree about when to delegate to CloneFastJSArray, since it
produces arrays which are potentially COW. If they don't agree, TF
generates code which produces a COW array and then expects it to be
non-COW -> immediate deopt.
This CL gets rid of the discrepancy in the case when there's exactly
one argument and it's the number 0.
Some corner cases remain, e.g., 1st argument not a number but ToInteger
returns 0. These should be extremely rare in the real world.
Bug: v8:12194
Change-Id: I10230245c97f8997da4d79702f29ebff11297229
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3147910
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76745}
globals are no longer LE enforced after https://crrev.com/c/2944437.
LANE is used instead to pick the correct lane on BE machines.
Change-Id: I106bebda2633a4673ad4b5165c0440cc445d9475
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3148036
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#76730}
In addition to inputs consisting entirely of random bits, the
bigint test shell now also generates inputs that are powers of
two (i.e. have many 0-bits) and inputs with many 1-bits.
Empirically, these kinds of inputs are more likely to flush out
corner case bugs.
Bug: v8:11515
Change-Id: Ib69f12bf215055991b028196dc54ebbc00780bae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3055292
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76729}
No multiplications needed, just putting bits directly into
the right places.
Bug: v8:11515
Change-Id: I65e5658bb5ed12caec9325f414563526f8edbbf3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3055291
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76727}
This adds some basic tests for WebAssembly code protection, in four
different configurations:
- no protection
- mprotect-based protection
- PKU-based protection
- PKU with fallback to mprotect
If PKU is not supported by the OS or hardware, then PKU is identical to
no protection, and PKU with fallback is identical to mprotect. We always
execute all four configurations anyway.
If protection is effective, we expect code to be writable within a
{CodeSpaceWriteScope}, and not writable otherwise. When trying to write
to non-writable code, we expect a crash of the process (checked via
{ASSERT_DEATH_IF_SUPPORTED}).
R=jkummerow@chromium.org
CC=mpdenton@chromium.org
Bug: v8:11974
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_dbg_ng
Change-Id: I4ec0ce9426f70ff41a292b9ea25be1e8956a670e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3138210
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76726}
We should use pc relative branch instruction rather than loading
target address from memory for better performance.
Besides, just like arm64, currently we assume that none of our
relocation types are pc relative pointing outside the code buffer
nor pc absolute pointing inside the code buffer.
Change-Id: I9cce2e79c0afb00af967638405469f65df1deda2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3147314
Reviewed-by: Liu yu <liuyu@loongson.cn>
Commit-Queue: Liu yu <liuyu@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#76721}
These tests require a certain stack-size as otherwise range errors show
up in the test expectations, which are compared verbatim.
Bug: v8:12197
Change-Id: I0e420fe6b03965241003ac69fd7d96fa61682c1d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3147592
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76719}
We add an option to BuildTFGraph to not emit stack checks and call
tracing and use it in inlined functions.
Also, we add tests for zero/multiple return values, as well as infinite
loops in the inlined function.
Bug: v8:12166
Change-Id: I5f34c57d9870592085804853ff23ba94897cc8d5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3141589
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76718}
This is a reland of 65515ddd3e
Fix is to use AddWithWraparound for signed additions to avoid UB.
Original change's description:
> [wasm-simd][arm64] Fuse add and extmul
>
> We can select a better instruction for add+extmul, using one of the
> multiply-long-accumulate instruction.
>
> Define a helper struct to pattern match Add(x, OP(y, z)) and
> Add(OP(x, y) z), and ensure that the matched OP is always on the
> LHS, to simplify checking for matches.
>
> Bug: v8:11548
> Change-Id: I7ab488b262aa9f749785f973549ccd9fad72f4c8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2826725
> Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76708}
Bug: v8:11548
Change-Id: I675ab8b78d9c6c30b82a8c96c8e7098a548c6a60
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3144379
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76712}
A previous change (see ref) added a subset of 256-bit instructions to
the x64 assembler--this change adds a disassembly test for the added
instructions.
ref: https://chromium-review.googlesource.com/c/v8/v8/+/3123648
Change-Id: Ia56be7a7df636b8bf6c04f044912e914d949d19f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3133956
Auto-Submit: Andrew Brown <andrew.brown@intel.com>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76711}
This reverts commit 65515ddd3e.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20UBSan/18117/overview
Original change's description:
> [wasm-simd][arm64] Fuse add and extmul
>
> We can select a better instruction for add+extmul, using one of the
> multiply-long-accumulate instruction.
>
> Define a helper struct to pattern match Add(x, OP(y, z)) and
> Add(OP(x, y) z), and ensure that the matched OP is always on the
> LHS, to simplify checking for matches.
>
> Bug: v8:11548
> Change-Id: I7ab488b262aa9f749785f973549ccd9fad72f4c8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2826725
> Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76708}
Bug: v8:11548
Change-Id: Ic1560616e7ee6df917fcedbb6ad139a1a9773d68
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3144377
Auto-Submit: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#76709}
We can select a better instruction for add+extmul, using one of the
multiply-long-accumulate instruction.
Define a helper struct to pattern match Add(x, OP(y, z)) and
Add(OP(x, y) z), and ensure that the matched OP is always on the
LHS, to simplify checking for matches.
Bug: v8:11548
Change-Id: I7ab488b262aa9f749785f973549ccd9fad72f4c8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2826725
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76708}
Simply putting all features behind --experimental-wasm-gc.
The intent is to simplify command lines.
Bug: v8:7748
Change-Id: Ibfaa4dc720087a490b177a2b95841620a4d25d89
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3141583
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76703}
- Add vsetivli/I8x16Add/vl/vse8
- In Rvv, Vector regs is different from Float Regs. But in this cl, in order to facilitate modification, it is assumed that the vector register and float register share a set of register codes.
- Because v0 is mask reg, we can't allocate it . And transfer float into vector reg, so i delete ft0 from AllocateReg.
Bug: v8:11976
Change-Id: I66185d1f5ead985489bcbdf671b131f02a6bd7c2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3005768
Commit-Queue: Ji Qiu <qiuji@iscas.ac.cn>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Ji Qiu <qiuji@iscas.ac.cn>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76700}
The receiver is now always included in the actual argument count and
the formal parameter count.
kDontAdaptArgumentsSentinel is changed from UINT16_MAX to 0 to preserve
the maximum allowed declared parameters.
The build flag activating the changes is not set for any architecture
yet.
Bug: v8:11112
Change-Id: I48a4969137949a1b4d1f47545209bb22b64e7e05
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3140608
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76699}
This is a reland of 1786f8d770. It turned
out that also x64 is broken, and only for TurboFan. Both is fixed now.
Original change's description:
> [arm64][liftoff] Fix trap handling on load lane
>
> This fixes the registered {protected_load_pc} to (always) point to the
> actual load instruction. If {dst != src} we would emit a register move
> before the load, and the trap handler would then not recognize the PC
> where the signal occurs, leading to a segfault.
>
> R=thibaudm@chromium.org
>
> Bug: chromium:1242300, v8:12018
> Change-Id: I3ed2a8307e353fd85a7ddedf6ecb73e90a112d32
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3136454
> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76642}
Bug: chromium:1242300, v8:12018
Change-Id: I79284ab9815f5363f759569d98c8c4b52d48e738
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3140609
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76698}
We add table operations to the fuzzed module.
GetTableType function is added in WasmModuleBuilder.
Alter alternatives array in GenerateOptRef to generate
less default values.
Bug: v8:11954
Change-Id: I433a6fac0ab10307aeede505b7d0c1d625d27477
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3137493
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Rakhim Khismet <khismet@google.com>
Cr-Commit-Position: refs/heads/main@{#76697}
We introduce basic wasm inlining infrastructure behind a flag. The
implementation is currently incomplete. Additionally, we always inline
the function at index 0; proper inlining heuristics will be added later.
Changes:
- Rename WasmInliningPhase -> JSWasmInliningPhase
- Introduce WasmInliningPhase and WasmInliner.
- Pass additional parameters as needed to GenerateCodeForWasmFunction.
- Remove EnsureEnd in WasmGraphAssembler. Create end node at the start
of compilation.
- Add a simple test.
Bug: v8:12166
Change-Id: Ifd7006ba378e9f74cd248b71e16869fbbb8a82be
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3141575
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76689}
Remove the BaselineData intermediate structure for baseline code, and
write the baseline Code object into the SharedFunctionInfo directly. We
still need a pointer to the BytecodeArray/InterpreterData, so re-use the
Code object's deoptimization data slot for this (baseline code doesn't
have deoptimization data).
A consequence of this is that the BytecodeArray pointer becomes
immutable when there is baseline code. This means that we cannot install
a debug BytecodeArray while baseline code is active (we have to flush it
first), and we can't tier-up code with debug BytecodeArray to baseline.
Change-Id: I53b93ec4d4c64b833603d7992f246982fcd97596
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3118548
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76675}
The test should be enabled once reentrancy is supported.
Bug: v8:11382
Change-Id: Ifb90d8a6fd8bf9f05e9ca2405d4e04e013ce7ee3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3138201
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76667}
We use BuildCCall over CallBuiltin. This improves the performance of
array.copy by up to 2x for small arrays.
Bug: v8:7748
Change-Id: Ibbd6a69267edb229beda1f6de4ff1c48eb38b729
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3135580
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76661}
The WebAssembly.Table constructor supports a second parameter that was
not supported by V8 so far.
R=thibaudm@chromium.org
Bug: v8:7581
Change-Id: Id74c53a6b1bde7f49a4edea8397d1cab253e1a0e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3141571
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76660}
HeapBase::Terminate must consider newly created CrossThreadPersistent
when evaluating whether to conitnue the loop. This allows for catching
one off creations in destructors but will still crash for
>kMaxTerminationGCs chains.
Bug: chromium:1245519
Change-Id: I264f1b8f0de9f0bfeb66ca6b14c41faf15e4340c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3140606
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76659}
After concurrent inlining is true by default we keep testing the
negated version on the main linux bots and drop testing the
variant on FYI, which is a no-op now.
Bug: v8:7790
Change-Id: I604838a45f3de242db82b42b93afdb56804152b5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3140599
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76655}
ParserBase::ParseClassLiteral and BaseConsumedPreparseData::RestoreDataForScope
both declare the class variable, but the logic is so complex
that they sometimes ended up both declaring it.
This is further complicated by some of the variable values (esp.
inner_scope_calls_eval_) potentially changing in between, so we can't
just redo the same logic any more.
Forcefully make it work by making RestoreDataForScope declare the variable
iff ParseClassLiteral didn't.
Bug: chromium:1245870
Change-Id: I777fd9d78145240448fc25709d2b118977d91056
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3140596
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76654}
Fixed issue were using the `arguments` object as a shorthand for a class
field initializer was not producing an early error.
Bug: chromium:1216261
Change-Id: I7d8f5a85c6881f7ca12a0e8450954de15bdd6033
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3095017
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Luis Fernando Pardo Sixtos <lpardosixtos@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#76646}
This reverts commit 1786f8d770.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64/44442/overview
Original change's description:
> [arm64][liftoff] Fix trap handling on load lane
>
> This fixes the registered {protected_load_pc} to (always) point to the
> actual load instruction. If {dst != src} we would emit a register move
> before the load, and the trap handler would then not recognize the PC
> where the signal occurs, leading to a segfault.
>
> R=thibaudm@chromium.org
>
> Bug: chromium:1242300, v8:12018
> Change-Id: I3ed2a8307e353fd85a7ddedf6ecb73e90a112d32
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3136454
> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76642}
Bug: chromium:1242300, v8:12018
Change-Id: I7bc9d00a4fba3101e7ee68695961d1b543268c4e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3138202
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76644}
This fixes the registered {protected_load_pc} to (always) point to the
actual load instruction. If {dst != src} we would emit a register move
before the load, and the trap handler would then not recognize the PC
where the signal occurs, leading to a segfault.
R=thibaudm@chromium.org
Bug: chromium:1242300, v8:12018
Change-Id: I3ed2a8307e353fd85a7ddedf6ecb73e90a112d32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3136454
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76642}
Removes outdated type-error throwing on TypedArray.prototype.set
when the first argument is a number.
Bug: v8:11294
Change-Id: Ida3a46dec154b645620e2b064ded7a18de238649
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3136773
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76631}
This is a reland of 6ae18c2d3c, with
{CompileWasmCapiCallWrapper} fixed to also contain a
{CodeSpaceWriteScope}.
Original change's description:
> [wasm] Move write scope out of NativeModule::AddCode
>
> {NativeModule::AddCode} is a central method that should usually be
> called in batches, where the caller holds a {CodeSpaceWriteScope} for a
> longer time (over several compilations).
> This CL moves us closer to that by removing the scope from that central
> method and instead putting it in callers where it becomes more visible.
> There are already TODOs to introduce caching or batching to avoid some
> switching, and one more TODO is added.
>
> Drive-by: Remove an unneeded {CodeSpaceMemoryModificationScope}.
>
> R=jkummerow@chromium.org
>
> Bug: v8:11974
> Change-Id: Ia13c601abc766e5fca6ca053bf1fc4d647b53ed0
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3098186
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#76344}
Bug: v8:11974
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_dbg_ng
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_rel_ng
Change-Id: I6367bbd9dc52c403513eb1a168aa1f6eb4044ca1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3129703
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76626}
This is needed so tables are available for table operations.
Bug: v8:11954
Change-Id: If0cbb07ddf0852d2e2515aca3e1f54168c2e0ab8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3135576
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76625}
When an attempt to parse a huge string to a BigInt fails, then
including the entire string in it makes the exception's message
unwieldy, so this patch puts only the first 1000 characters of
such invalid strings into the exception message.
Bug: chromium:1245239
Change-Id: I2c62f0d34256653ba67da9666e8c5a1a4bbe0599
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3133142
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76619}
- Disable automatic module file extensions for the test
- Use uncommon name suffix to prevent accidental loading of an
existing file
Change-Id: I26c1092a1e559cbbebce442a8d5ff3fb6dd5aa84
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3122145
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76616}
%TypedArray.prototype% methods that receive a user callback
fn should not break in the mid-way of the iteration when the
backing array buffer was been detached. Instead, the iteration
should continue with the value set to undefined.
Notably, %TypedArray.prototype%.filter was throwing when the
backing buffer was detached during iteration. This should not
throw now.
Refs: https://github.com/tc39/ecma262/pull/2164
Bug: v8:4895
Change-Id: Ia7fab63264c8148a11f8f123b43c7b3ee0893300
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3066941
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76611}
Prefinalizers have long been forbidden to allocate.
This restriction often proved problematic and has caused several
issues in the past.
This CL adds support for allowing allocations in prefinalizers.
At the start of prefinalizer invocations we clear the linear
allocation buffers, such that all allocations go through the slow
path for allocation. The slow path checks whether prefinalizers
are currently being invoked and marks the newly allocated object
if they are (i.e. black allocation during prefinalizers).
The new behavior is disabled by default and can be enabled by
setting the cppgc_allow_allocations_in_prefinalizers gn arg to true.
Bug: chromium:1056170
Change-Id: Ib86e780dcff88fa7b0f762ac2ab83c42393d33af
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097877
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76606}
Instrument floating-point operations to set a flag if the result is NaN.
Port: e699762e06
Bug: v8:11856
Change-Id: Iae8121dd17ae8acf402ac74e41122cad77387db7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3099945
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/main@{#76605}
Bug: v8:7790,v8:12149
Change-Id: I0c23b2c1126b2a950efe848973618407f64afeb7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3132268
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76601}
WasmModuleBuilder is a class that is used to build Wasm modules in the
asm.js parser, in the fuzzer, as well as some tests. When it comes to
Wasm tables, WasmModuleBuilder currently supports only basic tables
(before the reftypes proposal) using an ad-hoc indirect-function index
vector.
This CL adds proper support for element sections and tables that use
them in the full potential of the reftypes extension. The new
functionality will only be used in the fuzzer and potentially some tests
in the future. Along this, we drop some functionality from
WasmModuleBuilder that was only used in tests and is redundant with the
new architecture.
Additionally, we remove tables other than externref and funcref from the
fuzzer (which were not supported properly or used anyway). We will
reintroduce them at a later time.
Bug: v8:11954
Change-Id: I0a4f6e7b63b6e3d9f7da03b5202fbf14d8678332
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3122162
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76597}
This change implements longer-width SIMD instructions in the x64
assembler by adding 256-bit versions to one of the conversion macros.
This emits mostly floating-point arithmetic and some boolean operations;
see `SSE_UNOP_INSTRUCTION_LIST` and `SSE_BINOP_INSTRUCTION_LIST`.
Design doc: https://docs.google.com/document/d/1VWZbkO5c_DdxlJObmSLN_9zQUZELVgXyudbpzv5WQM0
Change-Id: I36d56ee09d6b71f66734342cb37bfc9d4801d654
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3123648
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Shiyu Zhang <shiyu.zhang@intel.com>
Cr-Commit-Position: refs/heads/main@{#76593}
template specialisations must be defined
outside of class body to prevent the following compilation error:
error: explicit specialization in non-namespace scope
Change-Id: Ic4b74a28cd21d96991ad784fbd3c598668ffc476
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3129881
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#76591}
The wasm-compile fuzzer sometimes needs to generate a boolean flag from
the input bytes. Since the general {DataRange::get} method results in
undefined behaviour if instantiated with the {bool} type, we are getting
an 8-bit value instead and looking at the least significant bit only.
This CL improves this situation by implementing a template
specialization for {bool} which uses the same trick, and uses that
instead of hand-coding the modulo operation at the call sites.
R=manoskouk@chromium.org
Bug: v8:11879
Change-Id: I6f9ce02dd8d9cd0998b83e081e4c6ca773e6cb53
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3129429
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76588}
Most Torque-defined extern classes already use CPP class generation. As
Nico pointed out in [1], it would be nice to convert the remaining
classes and remove this option. This change converts most of those
remaining classes. I know that the future of Torque-defined classes is a
subject of some debate right now, but I think that it's worth doing a
few mechanical changes to reduce the existing variety of options. A
couple of minor fixes in the Torque compiler were required so that it
generates correct code for shapes.
[1] https://docs.google.com/document/d/1q_gZLnXd4bGnCx3IUfbln46K3bSs9UHBGasy9McQtHI/edit#
Bug: v8:8952
Change-Id: I7e6087153a18d6ee80e67926793e8ba8e01d501e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3015666
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#76586}
Bug: chromium:1209444
Change-Id: I4ec16a718061063dc01ec0d7c4a397c220e684c0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3127718
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76585}
The log test checks for log positions, which may change when background
serialization / background compilation are enabled.
Fixed: v8:12117
Change-Id: I193c9c23e016fad1e3f06a9f377bb53db84a6988
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3129421
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76573}
If a stack overflow occurs inside the regexp parser, propagate that
information to the parser.
Bug: v8:896,chromium:1243989
Change-Id: I5ced27ff968ad97764e156643e1980b3a722af1a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3127717
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76568}
Land some of the tests for Temporal.PlainDate
All marked as FAIL at this stage.
Bug: v8:11544
Change-Id: I004b7cb34effe1de1735b61c7ac749ae3c8e9bf7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3085624
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76551}
Land some of the tests for Temporal.Instant
All marked as FAIL at this stage.
Bug: v8:11544
Change-Id: I79d14df47248c708e5d73a0e00e3f7973c521d16
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3086903
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76550}
Handle all 4 selects that wasm-compiler generates.
Also modify unittest to allow optional operations (select
operations are not supported on all archs).
Bug: v8:12136
Change-Id: Ia54d7a71cffaa1c5cc8203520a1f3d812997bbb1
Fixed: v8:12136
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3119991
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76539}
Port 732f394c5d
Original Commit Message:
StaGlobal didn't write the accumulator, but the baseline implementation
assumed that it could preserve the accumulator by taking the return
value of the StoreGlobalIC. This almost always worked, except for
setters on the global object.
Fix this by marking StaGlobal as clobbering the accumulator, same as
StaNamedProperty (StaNamedProperty needs to do this anyway to avoid
inlined setters from needing to create accumulator-preserving frames;
StaGlobal would have needed the same thing if we'd ever inlined setters
for it).
Also, add a new debug scope, EnsureAccumulatorPreservedScope, to the
baseline compiler, which checks if the accumulator value is preserved
across non-accumulator-writing bytecodes. This found a (benign) bug with
ForInPrepare, so fix that too.
R=leszeks@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N
Change-Id: Id8ada05abeb1a9c7e8a16936c35be9d652c4e8b0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3124529
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#76537}
Given ref.func, we might need to wrap any function in the program, as
opposed to imported functions only.
Change-Id: I79942ef2dabf3b6da2d26b49167db6caff53745e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3122160
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76533}
We add br.on_null, ref.as_non_null and ref.eq to the fuzzed module.
They are called when liftoff is used. ref.is_null has been changed,
according to comments from the last CL. GetRefType has been removed.
Bug: v8:11954
Change-Id: If93f6e9911cbcd3001ab45da02ebc037af8bdc54
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3122171
Commit-Queue: Rakhim Khismet <khismet@google.com>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76531}
Optimisation affects both reachability and tier-up, so disable it for
the flushing tests.
This should de-flake the Numfuzz bots.
Change-Id: I87c479f216eae2d801e7a0dc665e7325bd1b6bd8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3123415
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76526}
StaGlobal didn't write the accumulator, but the baseline implementation
assumed that it could preserve the accumulator by taking the return
value of the StoreGlobalIC. This almost always worked, except for
setters on the global object.
Fix this by marking StaGlobal as clobbering the accumulator, same as
StaNamedProperty (StaNamedProperty needs to do this anyway to avoid
inlined setters from needing to create accumulator-preserving frames;
StaGlobal would have needed the same thing if we'd ever inlined setters
for it).
Also, add a new debug scope, EnsureAccumulatorPreservedScope, to the
baseline compiler, which checks if the accumulator value is preserved
across non-accumulator-writing bytecodes. This found a (benign) bug with
ForInPrepare, so fix that too.
Fixed: chromium:1242306
Change-Id: I220b5b1c41010c16ac9f944cbd55d2705c299434
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3122325
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76525}
Land some of the tests for Temporal.Duration
All marked as FAIL at this stage.
Bug: v8:11544
Change-Id: I4696edee7a2345133ed13c25aa720febe1f8fc69
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3087363
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76524}
1. Move Abspd, Negpd from MacroAssembler into TurboAssembler so that we
can use it in code-generator
2. Add Absps and Negps (float32 versions of the instructions in 1)
3. Refactor SSE/AVX float32/float64 abs/neg to use these macro-assembler
helpers.
4. Use these helpers in Liftoff too
This has the benefit of not requiring to set up the masks in a temporary
register, and loading the constants via an ExternalReference instead.
It does require (in ins-sel) to have the input be in a Register, since
the ExternalReference is an operand (and the instruction can only have 1
operand input).
Bug: v8:11589
Change-Id: I68fafaf31b19ab05ee391aa3d54c45d547a85b34
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3123635
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76520}
This CL introduces a d8-only flag --expose-fast-api which enables the
test FastCAPI object if the --turbo-fast-api-calls flag is enabled. It
also disables --stress-snapshot, which is incompatible with fast calls.
Bug: v8:12137
Change-Id: I01e8321726b78be660fd6554225999bfc94006c3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3117485
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76505}
This reverts commit 810d34dfe6.
Reason for revert: The stricter host checks prevent
certain security issues. We will have to live with regressions
until we have a more flexible caching solution in place.
Original change's description:
> [codegen] Disable host-defined options checks in cache
>
> We see too many regressions for now in M94 (~10% more misses in
> some cases).
>
> This CL reverts the logic to the state before landing
> https://crrev.com/c/3069152 without having to revert the several
> refactoring CLs that landed on top of it.
>
> Bug: v8:10284, chromium:1238312, chromium:1237242
> Change-Id: I57e66b9e0d58c36d2f1563b07720e3729c88ec94
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103006
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76362}
Bug: v8:10284, chromium:1238312, chromium:1237242
Change-Id: I4c662dd0ac16a4406f06fb2a62b9e4e65fa428ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114057
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76504}
This CL implements early SyntaxErrors for regular expressions. Early
errors are thrown when a malformed pattern is parsed, rather than when
the code first runs.
We do this by having the JS parser call into the regexp parser when
a regexp pattern is found. Regexps are expected to be relatively
rare, small, and cheap to parse - that's why we currently accept that
the regexp parser does unnecessary work (e.g. creating the AST
structures).
If needed, we can optimize in the future. Ideas:
- Split up the regexp parser to avoid useless work for syntax validation.
- Preserve parser results to avoid reparsing later.
Bug: v8:896
Change-Id: I3d1ec18c980ba94439576ac3764138552418b85d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3106647
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76502}
Bug: v8:11589
Change-Id: I7b55efa76f60eacf31700a544f54042eec963f57
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3115545
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76495}
This introduces a new flag, --experimental-wasm-unsafe-nn-locals, which
allows arbitrary unvalidated local.get operations on non-nullable
locals.
For invalid accesses, this will crash. The intention is to allow module
producers to experiment; if they find these locals particularly useful,
we will add engine-side validation later.
Bug: v8:7748
Change-Id: I9a05747eaff312448ce0acf57a412e76679ff061
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3110192
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76489}
In a follow-up CL, the backing stores will, when the sandbox is enabled,
be referenced from V8 objects through offsets rather than raw pointers.
For that to work, all backing stores must be located inside the virtual
memory cage. This CL prepares for that.
Bug: chromium:1218005
Change-Id: Ibb989626ed7094bd4f02ca15464539f4e2bda90f
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114136
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76486}
stress-concurrent-inlining has a negative implication for
lazy-feedback-allocation. So add lazy-feedback-allocation as
incompatible flag with stress-concurrent-inlining.
Bug: v8:12088, v8:11947
Change-Id: Ia8ff66c595f6c6288b44f7a066729ace0d7ad9d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3113630
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76483}
The v8::internal::IsolateData class in test/inspector/isolate-data.h
collides with v8::internal::IsolateData defined in
src/execution/isolate-data.h. In some circumstances, this can lead to
compilation or runtime issues. To fix that, this CL renames the class in
test/inspector to InspectorIsolateData.
Change-Id: I4b62b2a9d141169480c5a0591c1bcb2f275f87f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3116248
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76481}
This removes 4 arch opcodes.
Bug: v8:11217
Change-Id: Idff04fb205c7d7d1577ce123cc2160d678dfe39a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114599
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76473}
Sets up custom OOM handling in cppgc and installs a handler that
redirects to V8's handler when running with unified heap.
Bug: chromium:1242180
Change-Id: I68b7038a3736cc0aa92207db2c3d129a9ff68091
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3116253
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76467}
We were overwriting the shift Register, instead, we should be using the
tmp_shift register.
Bug: chromium:1242689
Change-Id: I732c9c1f8a43401ce003b22893db9e39dfac3817
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3116115
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76466}
This is a reland of d1b27019d3
Fixes include:
Adding missing file to bazel build
Forward-declaring classing before friend-classing them to fix win/gcc
Add missing v8-isolate.h include for vtune builds
Original change's description:
> [include] Split out v8.h
>
> This moves every single class/function out of include/v8.h into a
> separate header in include/, which v8.h then includes so that
> externally nothing appears to have changed.
>
> Every include of v8.h from inside v8 has been changed to a more
> fine-grained include.
>
> Previously inline functions defined at the bottom of v8.h would call
> private non-inline functions in the V8 class. Since that class is now
> in v8-initialization.h and is rarely included (as that would create
> dependency cycles), this is not possible and so those methods have been
> moved out of the V8 class into the namespace v8::api_internal.
>
> None of the previous files in include/ now #include v8.h, which means
> if embedders were relying on this transitive dependency then it will
> give compile failures.
>
> v8-inspector.h does depend on v8-scripts.h for the time being to ensure
> that Chrome continue to compile but that change will be reverted once
> those transitive #includes in chrome are changed to include it directly.
>
> Full design:
> https://docs.google.com/document/d/1rTD--I8hCAr-Rho1WTumZzFKaDpEp0IJ8ejZtk4nJdA/edit?usp=sharing
>
> Bug: v8:11965
> Change-Id: I53b84b29581632710edc80eb11f819c2097a2877
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097448
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Dan Elphick <delphick@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76424}
Cq-Include-Trybots: luci.v8.try:v8_linux_vtunejit
Bug: v8:11965
Change-Id: I99f5d3a73bf8fe25b650adfaf9567dc4e44a09e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3113629
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76460}
Re-use the same check we already have in place for the
compilation cache for when we use CodeSerializer::Deserialize.
- Move HasOrigin to SharedFunctionInfo::HasMatchingOrigin
- HasMatchingOrigin no longer allocates
- Pass ScriptDetails in more places
Bug: v8:10284
Change-Id: I6e074bd1e7db9a35fdf7123d04a65841d9813e02
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3090968
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76451}
This test regularly fails due to my local language setting.
Change-Id: Ic4719ffbe49a8fc9d38d75b05b52ac550315a405
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114138
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76448}
As a first step toward generating longer-width SIMD (see design doc),
this change adds the ability to emit 256-bit instructions in the x64
assembler. The `YMMRegister` class indicates that a 256-bit instruction
should be emitted (versus a 128-bit instruction for `XMMRegister`). This
also includes a sample implementation for `vmovdqa` and `vmovdqu` and
the encoded bits are checked against known-good output from NASM.
Design doc: https://docs.google.com/document/d/1VWZbkO5c_DdxlJObmSLN_9zQUZELVgXyudbpzv5WQM0
Change-Id: I18a88565d731786c3a1cedc2293a3a2e78ae838a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3111269
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76443}
This removes 8 arch opcodes.
Bug: v8:11217
Change-Id: I2c7a73b032ba5fa21f9843ebb4325e226a22550a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114590
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76442}
ShiftAdd tests lane_size * len(test_arr)^2, which is a lot of cases. In
local runs of test-run-wasm-simd, I see I32x4ShiftAdd show up
consistently as taking up a lot of time. We reduce the number of cases
tested to lane_size * len(test_arr), which stills give us very good
coverage.
Change-Id: Ida99a378f0dd9b513e8c84a2da3beebf65f0f356
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3105374
Auto-Submit: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76441}
This patchset introduces instrumentation of the memory usage of the
datatructures maintained by the CPU profiler.
It captures:
* The total size of the strings held in StringsStorage for CodeEntries
* Estimated size held by CodeMap's entries.
The target is to surface that metric through telemetry to get better
visibility into the memory profile of CpuProfiler.
For now, STL containers overhead is ignored as it is implementation
specific.
Change-Id: I8c6a0cd4f14348fe8832dec1f24861befc67d700
Bug: chromium:1241491
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3101580
Auto-Submit: Corentin Pescheloche <cpescheloche@fb.com>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76438}
We are running out of encoding space for opcodes on arm64. This patch
merges some wasm simd opcodes of different simd types, encoding the lane
size in the instruction code using LaneSizeField instead. This reduces
the total number of opcodes on arm64 by 71.
Bug: v8:12093
Change-Id: Ib4d96d1db1ff9b08fafd665974f3494a507da770
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3109676
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/main@{#76434}
We add ref.func and ref.is_null to the fuzzed module.
ref.is_null returns i32, so it is added to i32 generator.
ref.func is added to GenerateOptRef.
GetRefType function is added to generate reftypes.
Bug: v8:11954
Change-Id: Ia1add950bed573a02b6bec1cba401273d401919e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3106925
Commit-Queue: Rakhim Khismet <khismet@google.com>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76431}
Abstract reference types in the fuzzer have only generated trivial
values. This CL adds the capability for them to generate values of their
subtypes in addition.
Drive-by: Fix emission of multiple tables in wasm-fuzzer-common.
Bug: v8:11954
Change-Id: Id434109c9ae6c1e1b799414c90f18180b8895755
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3109672
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76430}
This reverts commit d1b27019d3.
Reason for revert: Broke vtune build, tsan build and possibly others
Original change's description:
> [include] Split out v8.h
>
> This moves every single class/function out of include/v8.h into a
> separate header in include/, which v8.h then includes so that
> externally nothing appears to have changed.
>
> Every include of v8.h from inside v8 has been changed to a more
> fine-grained include.
>
> Previously inline functions defined at the bottom of v8.h would call
> private non-inline functions in the V8 class. Since that class is now
> in v8-initialization.h and is rarely included (as that would create
> dependency cycles), this is not possible and so those methods have been
> moved out of the V8 class into the namespace v8::api_internal.
>
> None of the previous files in include/ now #include v8.h, which means
> if embedders were relying on this transitive dependency then it will
> give compile failures.
>
> v8-inspector.h does depend on v8-scripts.h for the time being to ensure
> that Chrome continue to compile but that change will be reverted once
> those transitive #includes in chrome are changed to include it directly.
>
> Full design:
> https://docs.google.com/document/d/1rTD--I8hCAr-Rho1WTumZzFKaDpEp0IJ8ejZtk4nJdA/edit?usp=sharing
>
> Bug: v8:11965
> Change-Id: I53b84b29581632710edc80eb11f819c2097a2877
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097448
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Dan Elphick <delphick@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76424}
Bug: v8:11965
Change-Id: Id57313ae992e720c8b19abc975cd69729e1344aa
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3113627
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76428}
The fast_call_count getter in d8 was not properly initialised as
throwing when called as a constructor. As a result, it was possible
to pass a new object as its `this` and then attempt to "unwrap" it,
resulting in reading OOB in the new object. This CL also strenghtens
slow_call_count and reset_counts and adds a regression test.
Bug: chromium:1241464
Change-Id: I9b6e9a4e38a974dc111a53b911c73514c30de9df
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3110369
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76426}
This moves every single class/function out of include/v8.h into a
separate header in include/, which v8.h then includes so that
externally nothing appears to have changed.
Every include of v8.h from inside v8 has been changed to a more
fine-grained include.
Previously inline functions defined at the bottom of v8.h would call
private non-inline functions in the V8 class. Since that class is now
in v8-initialization.h and is rarely included (as that would create
dependency cycles), this is not possible and so those methods have been
moved out of the V8 class into the namespace v8::api_internal.
None of the previous files in include/ now #include v8.h, which means
if embedders were relying on this transitive dependency then it will
give compile failures.
v8-inspector.h does depend on v8-scripts.h for the time being to ensure
that Chrome continue to compile but that change will be reverted once
those transitive #includes in chrome are changed to include it directly.
Full design:
https://docs.google.com/document/d/1rTD--I8hCAr-Rho1WTumZzFKaDpEp0IJ8ejZtk4nJdA/edit?usp=sharing
Bug: v8:11965
Change-Id: I53b84b29581632710edc80eb11f819c2097a2877
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097448
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76424}
This reverts commit 6ae18c2d3c.
Reason for revert: breaks a bunch of tests on Mac arm64 bots:
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Mac%20-%20arm64%20-%20release/5754/overviewhttps://ci.chromium.org/ui/p/v8/builders/ci/V8%20Mac%20-%20arm64%20-%20debug/2421/overview
Original change's description:
> [wasm] Move write scope out of NativeModule::AddCode
>
> {NativeModule::AddCode} is a central method that should usually be
> called in batches, where the caller holds a {CodeSpaceWriteScope} for a
> longer time (over several compilations).
> This CL moves us closer to that by removing the scope from that central
> method and instead putting it in callers where it becomes more visible.
> There are already TODOs to introduce caching or batching to avoid some
> switching, and one more TODO is added.
>
> Drive-by: Remove an unneeded {CodeSpaceMemoryModificationScope}.
>
> R=jkummerow@chromium.org
>
> Bug: v8:11974
> Change-Id: Ia13c601abc766e5fca6ca053bf1fc4d647b53ed0
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3098186
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#76344}
Bug: v8:11974
Change-Id: Ia6a6814f153f7602d5d691bc5c930601ff4622a7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3111268
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76414}
Combining parts in a balanced-binary-tree like order allows us to
use fast multiplication algorithms.
Bug: v8:11515
Change-Id: I6829929671770f009f10f6f3b383501fede476ab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3049079
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76404}
The skipped tests have been flaking on the last
ten runs on V8 NumFuzz - debug.
Bug: v8:11826
Change-Id: I925c8e581b34c1b08fb295856278e506b8d62f26
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103305
Auto-Submit: Almothana Athamneh <almuthanna@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Liviu Rau <liviurau@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76403}
This is a reland of faf2208a0b
Changes since revert:
- Fix arm64 codegen for full pointer mode
Original change's description:
> [compiler] Support acq/rel accesses and atomic accesses on tagged
>
> This CL adds an AtomicMemoryOrder parameter to the various atomic load
> and store operators. Currently only acquire release (kAcqRel) and
> sequentially consistent (kSeqCst) orders are supported.
>
> Additionally, atomic loads and stores are extended to work with tagged
> values.
>
> This CL is a pre-requisite for supporting atomic accesses in Torque,
> which is in turn a pre-requisite for prototyping shared strings.
>
> Bug: v8:11995
> Change-Id: Ic77d2640e2dc7e5581b1211a054c93210c219355
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3101765
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Zhi An Ng <zhin@chromium.org>
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76393}
Bug: v8:11995
Change-Id: I23577486334fec6b08fb3a2f5be1f6e5e16db11b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3107220
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76399}
Whenever we are adding a new AddressRegion to the CodeMap, we first
remove all overlapping regions. The logic to check for overlapping
region is incomplete. For example, if all existing regions are less than
the region to be added, we incorrectly remove all regions, effectively
deleting all JITCodeEntry we have constructed.
We extract this overlapping check into a helper function, so that we can
unittest this without worrying about JITCodeEvent functionality, and also
without dealing with V8 internals (like Isolate and SFI).
The overlapping logic is rather hard to understand, has many special
cases, it will probably be much easier to just loop through all the
entries, rather than using lower_bound. Ideally, we can refactor this to
use some sort of sweep-line algorithm. Hopefully the unittests catch the
most obvious cases.
Bug: v8:11908
Change-Id: Id96975599ac59974185c3dbf64cdfceb17e98d18
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3105381
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76397}
This reverts commit faf2208a0b.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20-%20arm64%20-%20sim%20-%20pointer%20compression/10870/overview
Original change's description:
> [compiler] Support acq/rel accesses and atomic accesses on tagged
>
> This CL adds an AtomicMemoryOrder parameter to the various atomic load
> and store operators. Currently only acquire release (kAcqRel) and
> sequentially consistent (kSeqCst) orders are supported.
>
> Additionally, atomic loads and stores are extended to work with tagged
> values.
>
> This CL is a pre-requisite for supporting atomic accesses in Torque,
> which is in turn a pre-requisite for prototyping shared strings.
>
> Bug: v8:11995
> Change-Id: Ic77d2640e2dc7e5581b1211a054c93210c219355
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3101765
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Zhi An Ng <zhin@chromium.org>
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76393}
Bug: v8:11995
Change-Id: Id9936672f9e96c509b1cdf866de1ac5303996945
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3107229
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#76394}
This CL adds an AtomicMemoryOrder parameter to the various atomic load
and store operators. Currently only acquire release (kAcqRel) and
sequentially consistent (kSeqCst) orders are supported.
Additionally, atomic loads and stores are extended to work with tagged
values.
This CL is a pre-requisite for supporting atomic accesses in Torque,
which is in turn a pre-requisite for prototyping shared strings.
Bug: v8:11995
Change-Id: Ic77d2640e2dc7e5581b1211a054c93210c219355
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3101765
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76393}
Some of the Array benchmarks were unintentionally spending a lot of
time on Number-to-String conversions. This patch avoids that, by
computing the dynamically-created strings only once.
Bug: chromium:1240981
Change-Id: If10826813d555398b45c22c958dee27e17f35d3c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3106747
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76387}
.. and decrease the include-ball size.
Change-Id: Id35358a6882156f6684475b7f0b0193f8ca5eaf5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103313
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76386}
Operator::kEliminatable has the unfortunate consequence that depending
on surrounding code, the allocating builtin call could get scheduled
before the max length check, causing a crash instead of a trap.
Fixed: chromium:1239954
Change-Id: Ice2e3e4f67e8fce44a886c0079e0e31f124c02b0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103315
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76385}
This fix consists of 2 parts:
a) Fix async hooks:
- Allow initialising the promise hook properties
- Do not call async hooks if we're overflowing the stack
b) Avoid some more recursion when reporting the stack trace
Bug: chromium:1240723
Change-Id: Icedfc8b48655bacc3f79591944e3869b85f1c4de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103321
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76383}
HAS_PROGRESS_BAR is set after page initialization at which point all
flags are assumed to be immutable while a GC is running.
Separating out the progress bar from flags allows setting it lazily at
allocation time.
Bug: v8:11915
Change-Id: I48a877e0e80d583d7a0fadef2546fc70417806e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3085268
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76382}
The JSRegExp heap object should not be the source of truth for regexp
flags, which are also relevant in places that don't need or want to
care about the heap object layout (e.g.: the regexp parser).
Introduce RegExpFlags as a new source of truth, and base everything
else on these flags.
As a first change, remove the js-regexp.h dependency from the regexp
parser. Other files in src/regexp/ should be updated in follow-up
work.
Change-Id: Id9a6706c7f09e93f743b08b647b211d0cb0b9c76
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103306
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76379}
This reverts commit edcc8ff5b5.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Blink%20Linux%20Debug/10806/overview
A prefinalizer is creating a WeakMember from a raw pointer to a dead object for checking whether it is in a set.
Original change's description:
> cppgc: Enable checks for assignments in prefinalizers
>
> Bug: v8:11749
> Change-Id: Ic027f732030fb6a2befeffeca9db2eacfd0830a5
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3099953
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Omer Katz <omerkatz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76370}
Bug: v8:11749
Change-Id: I0c90f232df9ae363f05f8b9ba26c2a7eede8a269
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3106646
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#76377}
The NumFuzz fuzzers need to make use of this flag to ignore
Mjsunit exceptions and other exceptions. The flag ignores
the exit code 1.
R=clemensb@chromium.org
R=cbruni@chromium.org
Bug: v8:11826
Change-Id: Ic0878078edec7292e43cdb18dd6fb32f7bbad12c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103310
Commit-Queue: Almothana Athamneh <almuthanna@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76376}
S10 is a Callee save register and be used in scratch_list.
In cctest, could use scratch but not does't go through the JSEntry function that can save callee save reg. So cctest could be crashed due to using s10.
Bug: v8:12124
Change-Id: I62c3582ad490681d5efb24e8bfe0884006d42e66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103425
Reviewed-by: Ji Qiu <qiuji@iscas.ac.cn>
Commit-Queue: Ji Qiu <qiuji@iscas.ac.cn>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#76375}
After building V8 using Clang (./out/x64.release/v8_build_config.json
says that "is_clang" is true), I could reproduce the referenced bug
report locally. Replacing the getMinutes() calls with getUTCMinutes()
calls fixed the test failure.
Signed-off-by: Darshan Sen <raisinten@gmail.com>
Bug: v8:11200
Change-Id: Ia36be481f2c8728380d550ead856ef8e51b1069c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3093362
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76367}
.. instead of a FlatStringReader. This is in preparation for reusing
the regexp parser directly from the JS parser, which uses different
string types (AstRawString instead of heap Strings).
Drive-by: Hide parser internals in the .cc file.
Bug: v8:896
Change-Id: I06bd08f2ef5fd7a5e9812c123d88b89cacf5d864
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3101488
Commit-Queue: Patrick Thier <pthier@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76365}
We see too many regressions for now in M94 (~10% more misses in
some cases).
This CL reverts the logic to the state before landing
https://crrev.com/c/3069152 without having to revert the several
refactoring CLs that landed on top of it.
Bug: v8:10284, chromium:1238312, chromium:1237242
Change-Id: I57e66b9e0d58c36d2f1563b07720e3729c88ec94
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3103006
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76362}
This introduces a new, optional `nonIndexedPropertiesOnly` flag to the
`Runtime.getProperties` inspector request, which tells the inspector to
only report properties whose name is not an (typed) array index. This is
to support retrieving all properties except for the indexed ones when
the DevTools front-end decides to use the array bucketing mechanism.
Previously the DevTools front-end had some quite complicated logic in
place to simulate this via injected JavaScript, but that logic didn't
pick up internal properties and was also interfering with the inherited
accessor mechanism. With this new flag, it's straight-forward to
implement the correct behavior in the DevTools front-end.
The corresponding devtools-frontend CL is https://crrev.com/c/3099011.
Before: https://imgur.com/hMX6vaV.png
After: https://imgur.com/MGgiuJQ.png
Bug: chromium:1199701
Change-Id: Iacbe9756ed8a2e6982efaebe1e7c606d37c05379
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3099686
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Philip Pfaffe <pfaffe@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76360}
These tests test allocation failure and time out on MSAN.
TBR=adamk@chromium.org
Bug: v8:11852
Change-Id: Ie0b042ab6bc37028c41a4b12d4911aba7f9af375
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3101574
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76356}
Bug: v8:11852
Change-Id: I1d3c01b827e847bb7edcd2ebe7d3b340f7d53069
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097473
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76355}
The optimal implementation is in TurboFan x64 codegen, move it into
shared-macro-assembler, and have TurboFan ia32 and Liftoff use it. The
optimal implementation accounts for AVX2 support.
We add a couple of AVX2 instruction to ia32 in sse-instr.h, not all of
them are used, but follow-up patches will use them, so we add support
(including diassembly and test) in this change.
Drive-by clean up to test-disasm-x64.cc to merge 2 AVX2 test sections.
Bug: v8:11589
Change-Id: I1c8d7deb0f8bb70b29e7a680e5dbcfb09ca5505b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3092555
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76352}
{NativeModule::AddCode} is a central method that should usually be
called in batches, where the caller holds a {CodeSpaceWriteScope} for a
longer time (over several compilations).
This CL moves us closer to that by removing the scope from that central
method and instead putting it in callers where it becomes more visible.
There are already TODOs to introduce caching or batching to avoid some
switching, and one more TODO is added.
Drive-by: Remove an unneeded {CodeSpaceMemoryModificationScope}.
R=jkummerow@chromium.org
Bug: v8:11974
Change-Id: Ia13c601abc766e5fca6ca053bf1fc4d647b53ed0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3098186
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76344}
Don't create DataField and FastDataConstant access infos with a kNone
field representation. Instead return Invalid.
Bug: chromium:1239601
Change-Id: I4df7aa298974f9dcd650ead50aaa349c84feb487
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097463
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76343}
Make off-thread deserialization play well with the Isolate compilation
cache, by moving the Finish call into GetSharedFunctionInfoForScript.
This means that
a) The isolate cache is checked before the Finish, allowing it to be
hit, and
b) Results of off-thread deserializations are written into the Isolate
cache.
Bug: chromium:1075999
Change-Id: I535935180bbe77f3e718253830e649bd62857634
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3094006
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76341}
This is a reland of 2261e05333
This patch can now be relanded as some space was made for more opcodes:
https://bugs.chromium.org/p/v8/issues/detail?id=12093
Original change's description:
> [arm64][wasm] Use NEON S/Usra for Wasm SIMD add(shr(x, imm), y)
>
> A single AArch64 SIMD signed/unsigned Shift Right and Accumulate can be
> used to implement Wasm SIMD add(shr(x, imm), y). This gives a 1-1.5%
> improvement on some compute intensive Wasm benchmarks on Neoverse-N1.
>
> Mla and Adalp optimisations were refactored to match the style of the
> added code.
>
> Change-Id: Id5959a31ca267e02b7d60e7ff6f942adb029b41e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3089157
> Reviewed-by: Zhi An Ng <zhin@chromium.org>
> Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
> Cr-Commit-Position: refs/heads/master@{#76280}
Change-Id: Idd166b7d3c960af33049bbce6e7276763c28f286
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097284
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76340}
The validation was too strong in the case where the incrementation
produces type None.
Bug: chromium:1236716
Change-Id: I948b370594fa7dad1ba6e5b951f473855bf1346b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097865
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76338}
Change-Id: If641c8a4a466f6f9ea1dc9d8c15184fab17f52c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3098008
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76329}
This is a reland of a3b2c4ec81
The fix is in PS3, for UBSan. We use WriteUnalignedValue for
potentially unaligned memory writes.
Original change's description:
> [wasm][diagnostics] Support WasmCode in gdb JIT integration
>
> - Add new enum WASM_CODE to JitCodeEvent::CodeType
> - Use AddressRegion instead of AddressRange (remove the latter)
> - Change CodeDescription constructor to take an AddressRegion,
> both JIT_CODE and WASM_CODE use this
> - Add a simple mjsunit test that sets --gdbjit to check that
> we don't crash.
> - Add a api test for adding WASM_CODE
>
> Bug: v8:11908
> Change-Id: I6e87fadc2df67978144d78caf9800c3982bc3705
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3067754
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#76271}
Bug: v8:11908
Change-Id: I5ded6d01cff40803b2f70525163f760edcf97165
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3093506
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76327}
When the ToString Torque builtin has already found and called a
`toString` or `valueOf` method on a JSReceiver, and still needs
to call the runtime afterwards, it should do so with the result
of that first step, as opposed to the original input.
Fixed: v8:11689
Change-Id: I672249f9a6c230c3e61921b043f372c25a0178cf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097270
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76326}
Adds a heap verification GN arg to gate the marking verifier and live
bytes verification on. The flag may be used in future for other more
expensive checks as well.
Currently, the flag is automatically enabled in dcheck_is_on and debug
builds.
The change enables live bytes verification for the library in regular
debug builds which may flush out issues.
Bug: v8:11785
Change-Id: I0f41bc0d76ebea9f6a8c9315c947598015ee5d68
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097868
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76325}
In this particular case, a comment in the code provides sufficient
protection against regressions.
No-Try: true
Fixed: v8:12087
Change-Id: If9cad800bcc822b7b5ab91669ccda8b4314009f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3098185
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76320}
The {CodeSpaceWriteScope} in {InstanceBuilder::Build} was kept open
while processing imports, which could compile another wasm module via
{compiler::ResolveWasmImportCall} and
{WasmEngine::SyncCompileTranslatedAsmJs}. This leads to errors since
{CodeSpaceWriteScope}s for different modules cannot be held open at the
same time.
This CL fixes that by only opening the {CodeSpaceWriteScope} for the
actual compilation of import wrappers.
Drive-by: Only call {ProcessImports} if there are imports to be
processed, to avoid some of the overhead of {ProcessImports} and
{CompileImportWrappers}.
R=jkummerow@chromium.org
Bug: chromium:1239522
Change-Id: Ifbaf64a4be92088ae4a3fd7e9700a33397b2a967
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097283
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76311}
Bug: v8:12008
Change-Id: I2e1d918a1370dae1e15919fbf02d69cbe48f63bf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3089095
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76308}
The static limit didn't account for possible S128 elements.
This patch makes the limit element type specific.
Fixed: chromium:1237024
Change-Id: Ic1e37656e2882c0eb7ea6400c83e4094eb747e88
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097269
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76303}
This reverts commit a4a152ecc5.
Reason for revert: We haven't seen the flakes in a while, we can re-enable functionality
Original change's description:
> Reland "[debugger] Try to trigger pause-on-oom flakes with an extra printf"
>
> This is a reland of 8f7e915839
>
> Original change's description:
> > [debugger] Try to trigger pause-on-oom flakes with an extra printf
> >
> > We have an issue that we can't repro locally. Enable back the
> > pause-on-oom tests with an extra printf with DEBUG. We will be able to
> > better assess the failures when they appear on the bot.
> >
> > Bug: v8:10876
> > Change-Id: I066539c4b5865ecb6f2e589e9543e8c9ebd4830b
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2474782
> > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> > Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#70558}
>
> Bug: v8:10876
> Change-Id: Ice31c9455830da320ab057293c341f69e1f0c510
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2484799
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70643}
Bug: v8:10876
Change-Id: I901d31e1e92bfef0b2917ea611354618e5cda585
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3071404
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76302}
- Remove flag --block-concurrent-recompilation and its implementation,
including %UnblockConcurrentCompilation.
- Rewrite tests that used it in terms of the primitives introduced in
my previous CL:
https://chromium-review.googlesource.com/c/v8/v8/+/3071400/
- Remove "sync"/"no sync" arguments from %GetOptimizationStatus,
assertOptimized, etc. These are now always "no sync": they don't
do any magic.
- Remove "if %IsConcurrentRecompilationSupported then quit" from some
tests in favor of --concurrent-recompilation in their Flags line.
Bug: v8:12041, v8:7790
Change-Id: I966aae4fec85e6f9e7aeed2ba2c12e9198a3991f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3077149
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76298}
This reverts commit 91c8be9599.
RCS should not be exposed through the API or the inspector protocol as
they are meant as an internal debugging feature.
The only regularly tested and supported way is through chrome-tracing.
Given that this was used mostly for an experiment to analyse chrome's
performance, we can use pprof support as a replacement.
Original change's description:
> [DevTools] Implemented DevTools protocol API to retrieve V8 RunTime Call Stats.
>
> The new APIs are:
> enableRuntimeCallStats
> disableRuntimeCallStats
> getRuntimeCallStats
>
> The RunTime Call Stats are collected per isolate.
>
> Change-Id: I7e520e2c866288aa9f9dc74f12572abedf0d3ac8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1881601
> Commit-Queue: Peter Kvitek <kvitekp@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#64784}
Change-Id: Ia7575436e97d3420dd7e68414d89477e6a86bb05
Bug: v8:11395
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2998585
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76297}
We add multiple tables to the fuzzed module.
We only can use externref or function references
for tables.
Bug: v8:11954
Change-Id: Ibb7b34203169a3ca97514b87273fa4ea0f6ca99a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3093145
Commit-Queue: Rakhim Khismet <khismet@google.com>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76288}
This is identical to https://crrev.com/c/3094011, but for 16-bit values.
We introduce another instruction to differentiate between 16->32 bit
sign extensions and 16->64 bit sign extensions.
R=ahaas@chromium.org, mslekova@chromium.org
Bug: chromium:1239116
Change-Id: I2742e9d9c2b4a038fc7a0b1715faf8f25fa20b1f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3094012
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76284}
InstructionSelector::ZeroExtendsWord32ToWord64 assumes that a
Load[kRepWord8|kTypeInt32] generates a zero-extended value. This
assumption makes sense, but was not fulfilled by the instruction
selector which emitted an "ldrsb" instruction which sign-extended to the
full 64-bit register.
This CL fixes that by introducing a separate "LdrsbW" instruction which
is selected if we are sign-extending an 8-bit value to 32-bit.
R=ahaas@chromium.org, mslekova@chromium.orgCC=v8-arm-ports@googlegroups.com
Bug: chromium:1239116
Change-Id: I2da1ad6062805acf5558f3e66b8db9a50e830302
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3094011
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76283}
This reverts commit 2261e05333.
Reason for revert: No issues with the CL, but it is taking the
last two available opcodes on arm64 (we use 9 bits to encode it,
so we are limited to 512 opcodes). We need to land a security fix
which includes the addition of two opcodes. Before relanding this,
we need to figure out a strategy to either reduce opcodes, or use
one more bit to encode them.
Original change's description:
> [arm64][wasm] Use NEON S/Usra for Wasm SIMD add(shr(x, imm), y)
>
> A single AArch64 SIMD signed/unsigned Shift Right and Accumulate can be
> used to implement Wasm SIMD add(shr(x, imm), y). This gives a 1-1.5%
> improvement on some compute intensive Wasm benchmarks on Neoverse-N1.
>
> Mla and Adalp optimisations were refactored to match the style of the
> added code.
>
> Change-Id: Id5959a31ca267e02b7d60e7ff6f942adb029b41e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3089157
> Reviewed-by: Zhi An Ng <zhin@chromium.org>
> Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
> Cr-Commit-Position: refs/heads/master@{#76280}
Change-Id: Ifad0625ed8a6b66e7a7a74da11ad7d60941207e5
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3094014
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#76282}
