We are seeing rare crashes due to dereferencing a null pointer shortly after
calling NewNativeModule. The most likely cause is that we failed the allocation
and returned a null pointer. Now we will use V8::FatalProcessOutOfMemory so that
this gets handled correctly.
Bug: chromium:809002
Change-Id: I7e11897c4b93a1fb9eab3b5f16fb42c27e719f87
Reviewed-on: https://chromium-review.googlesource.com/905685
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51134}
It will record the time-to-schedule-after-job-start for different
task types to try to highlight use cases where contention might
be a problem (and show improvements to it later).
Also introducing AsyncTimedHistogram to support this use case whose
reported timings go beyond a single scope (i.e. the async version of
ScopedTimedHistogram).
Bug: chromium:807606
Change-Id: Ib4d581fa8b001723dfe8c91102280e9608b4fabb
Reviewed-on: https://chromium-review.googlesource.com/899365
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Gabriel Charette <gab@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51131}
Turns out this path is used in the wild for logs and counters.
We may eventually want to split TimedHistograms based on low resolution
clocks to avoid polluting metrics but for now just make it a warning
to raise awareness when debugging in such an environment.
R=hpayer@chromium.org
Bug: chromium:809016
Change-Id: I5f2dd511d5fce730256979d58212468f08a2d680
Reviewed-on: https://chromium-review.googlesource.com/904045
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Gabriel Charette <gab@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51130}
Cleans up the implementation of trapping/saturating operations to
use existing models of types, instead of defining new ones. That is,
it uses MachineType to represent the kind of integer/float value the
conversion is operating on.
It also removes the need to define NumericImplementation by using
the actual opcodes to determine if the instruction is trapping or
saturating.
Finally, it now defines a single method to implement the truncating
(that doesn't use a ccall) conversions. The previous code had two
methods, one for I32 and one for I64.
Bug: v8:7226
Change-Id: Ia869416c8bd1abe76d0583c28a3105102d130b46
Reviewed-on: https://chromium-review.googlesource.com/900558
Commit-Queue: Karl Schimpf <kschimpf@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51129}
The task count was reset after handling the first task, so the wait
loop would end after one iteration. As a result unmapping tasks might
have been left running even after waiting for the tasks to be
completed.
Bug: v8:7412
Change-Id: I869848477946589d0370ab038d135393e816a7c0
Reviewed-on: https://chromium-review.googlesource.com/903166
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51127}
In the contexts for the resolver closures used in Promise.all we can
save the "already visited" cell, by just setting the index slot to a
negative value, which then indicates that this element was already
done.
Bug: v8:7253
Change-Id: I1296a2216eac3b51368c1e7795dbcd2c80cc430a
Reviewed-on: https://chromium-review.googlesource.com/903928
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51125}
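The commit above folds the per-element "already called" flag of Promise.all's resolve closures into the index slot by making it negative once the element is done. The following is an added example (written for this page, not V8's code, and with hypothetical names such as createCombinator and createResolveElement) of the same technique in plain JavaScript: each resolve-element closure carries one state slot, `index`; on first use the slot is flipped to `~index`, which is `-(index + 1)` and therefore negative even for index 0, and any later call sees the negative slot and is ignored. That guard is what stops a hostile or buggy thenable from calling its resolve callback twice and overwriting an element that has already been settled.

```javascript
'use strict';

// Added example, not V8's implementation: a Promise.all-style combinator
// whose per-element resolve closures keep a single "index" slot that doubles
// as the [[AlreadyCalled]] flag. A negative slot means "element already done".

// Shared state for one combinator call (hypothetical helper).
function createCombinator(count) {
  return {
    values: new Array(count), // results, positioned by original index
    remaining: count,         // how many elements are still pending
  };
}

// Build the resolve closure for element i. `state.index` is the only
// per-element field; there is no separate "already called" cell.
function createResolveElement(combinator, i, onAllDone) {
  const state = { index: i };
  return function resolveElement(value) {
    if (state.index < 0) {
      // Slot already flipped negative: this element was resolved before.
      // The spec says repeated calls to a resolve function are ignored.
      return false;
    }
    const slot = state.index;
    state.index = ~slot; // mark done: ~slot === -(slot + 1) < 0 for all slot >= 0
    combinator.values[slot] = value;
    combinator.remaining -= 1;
    if (combinator.remaining === 0) {
      onAllDone(combinator.values);
    }
    return true;
  };
}

// A Promise.all replacement built on the closures above.
function promiseAllOnce(iterable) {
  const items = Array.from(iterable);
  return new Promise((resolve, reject) => {
    if (items.length === 0) {
      resolve([]);
      return;
    }
    const combinator = createCombinator(items.length);
    items.forEach((item, i) => {
      const resolveElement = createResolveElement(combinator, i, resolve);
      Promise.resolve(item).then(resolveElement, reject);
    });
  });
}

// Synchronous demonstration of the double-call guard, using constructed
// values: the closure for element 0 is invoked twice, as a misbehaving
// thenable might do; only the first call may settle the element.
function demoDoubleCall() {
  let finished = null;
  const combinator = createCombinator(2);
  const r0 = createResolveElement(combinator, 0, (v) => { finished = v; });
  const r1 = createResolveElement(combinator, 1, (v) => { finished = v; });
  const first = r0('a');          // accepted, slot 0 becomes -1
  const second = r0('ATTACKER');  // ignored, slot is already negative
  r1('b');                        // last element done, onAllDone fires
  return { first, second, values: combinator.values, finished };
}
```

Usage: `promiseAllOnce([Promise.resolve(1), 2]).then(console.log)` prints `[1, 2]`; `demoDoubleCall()` shows that the second call on element 0 returns `false` and leaves `'a'` in place. The bitwise NOT is used instead of unary minus so that index 0, which would otherwise stay 0 after negation, also ends up negative.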
Port 47e272b206
Original Commit Message:
This is a reland of ef06feded6.
Original change's description:
> Reland "[builtins] Add .incbin cctest"
>
> This is a reland of b012816155.
>
> Original change's description:
> > [builtins] Add .incbin cctest
> >
> > Just to ensure this is portable across all platforms.
> >
> > Credits go to https://github.com/graphitemaster/incbin, bits of the
> > .incbin code were taken from there. Thanks!
> >
> > Reland of https://crrev.com/c/881181
> >
> > Bug: v8:6666
> > Change-Id: I5c0dbf56b1c987fd88607dca69b39d65b59cdefc
> > Reviewed-on: https://chromium-review.googlesource.com/895597
> > Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> > Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#51042}
>
> Cq-Include-Trybots: luci.v8.try:v8_win64_msvc_compile_rel
> Bug: v8:6666
> Change-Id: I8fc0963e28996a84ed56c2e740d895e26611abf0
> Reviewed-on: https://chromium-review.googlesource.com/897630
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51054}
R=jgruber@chromium.org, joransiu@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: I863d01a4a7d91f9f2128e4598f417efe49c43e7b
Reviewed-on: https://chromium-review.googlesource.com/902431
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#51124}
- Remove redundant instruction from I16x8Splat
- Force F32x4Splat to use movss, as using MacroAssembler can mix SSE/AVX
instructions
Bug: v8:6020
Change-Id: I781c22adecf892a79b6a38c3d83fc4022f9067de
Reviewed-on: https://chromium-review.googlesource.com/898429
Reviewed-by: Bill Budge <bbudge@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51123}
This is the last piece of the TypedArray constructors that was still
written in JS.
Bug: v8:7102
Change-Id: I7c4dc867b09408caa4eec2873ea7185b6c61a525
Reviewed-on: https://chromium-review.googlesource.com/888751
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51122}
The num_tasks computation has long been based on NumberOfAvailableBackgroundThreads().
We used to have one background worker per core, stealing cycles from
the main thread. I fixed that @ crrev.com/534414. But now this
computation is wrong and generates one less task than it should (one
per worker but the main thread takes task #0 in practice).
Other usages of NumberOfAvailableBackgroundThreads() in V8 seem correct
already so this is the only tweak required.
R=mlippautz@chromium.org
Bug: chromium:808028
Change-Id: I784ed9b764017f146931547d30be4a3b180b5a2c
Reviewed-on: https://chromium-review.googlesource.com/904662
Commit-Queue: Gabriel Charette <gab@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51121}
This merely re-uses the same ScopeId as the task. Tracing shows these
as a nested layer with the same name. This is not the cleanest way to
do this but it makes the trace clearer for a minimal diff.
R=mlippautz@chromium.org
Bug: chromium:651354
Change-Id: Ib30ec7d04a30657a63a49aba9698cacd9af950d3
Reviewed-on: https://chromium-review.googlesource.com/904164
Commit-Queue: Gabriel Charette <gab@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51120}
Removes the overhead of Zone allocating temporary space
that only slightly improved performance of the overlap
(less common) case.
Bug: chromium:808360
Change-Id: Ic92f20f15decb12b916ee23267debd9adc785ee0
Reviewed-on: https://chromium-review.googlesource.com/904462
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Cr-Commit-Position: refs/heads/master@{#51119}
The perf jit support assumes that if a code object has source position entries,
then it has a source file associated with them. However, the WasmToJS wrapper
stubs are exceptions to this rule which causes a crash when using `--perf-prof`
with asm.js or WASM code.
Change-Id: I047e229477844bf5357c8553ee50e22c089ab1c2
Reviewed-on: https://chromium-review.googlesource.com/897643
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/master@{#51118}
Break points are cleared to empty fixed array, not undefined.
R=jgruber@chromium.org
Change-Id: Id8dcd08ed0aebc5c4f7745982cde48d562af9772
Reviewed-on: https://chromium-review.googlesource.com/904202
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51117}
Add a fast-path to Promise#finally, which skips the "then" lookup if the
Promise#then lookup chain is intact, similar to what we already do for
Promise#catch.
Drive-by-fix: Also use the @@species protector to speed up the lookup
of the SpeciesConstructor in Promise#finally.
Bug: v8:7253
Change-Id: If77e779a0188904effc4528beffc8f0bdd7c2efe
Reviewed-on: https://chromium-review.googlesource.com/902283
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51116}
Use unique pointers in vectors of current and finished profiles.
Change-Id: Ifb78f7d3804e9883062741fd4e4e31109965d501
Reviewed-on: https://chromium-review.googlesource.com/898984
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51113}
Move the nexus.IsUninitialized() check into ExtractReceiverMaps so that
we don't need to duplicate the bailout.
Change-Id: I55bdb9baca22f25f681a7a32f4ec56d599c748c6
Reviewed-on: https://chromium-review.googlesource.com/903169
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51112}
The stack overflow boilerplate has been removed since the Error
refactoring in 2016. These explicit stack space checks can now be
removed in favor of standard Throw semantics.
Change-Id: I8b02b9641ebd01e12d12b8da2454d2d04b65df3d
Reviewed-on: https://chromium-review.googlesource.com/903168
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51111}
MIPS64 requires that each allocated page is aligned to 256 MB.
This is so because we use the J instruction for long branches
that are within a 256 MB block of code.
Change-Id: I1222842a5b8ecfacc0397a744ab464e9a747f8b7
Reviewed-on: https://chromium-review.googlesource.com/901611
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51110}
It turns out that .incbin can be problematic for build systems, in
that the included binary file is not detected as a build-time
dependency.
The alternative is .byte inclusion, which we test here.
Cq-Include-Trybots: luci.v8.try:v8_win64_msvc_compile_rel;master.tryserver.chromium.linux:linux_chromium_rel_ng
Bug: v8:6666
Change-Id: Ie24f4191db17c920c617987d1bee730208776b91
Reviewed-on: https://chromium-review.googlesource.com/901352
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51109}
The `simpleBind` function exposed by V8 Extras was initially added to
work around the terrible performance of `Function.prototype.bind` at
the time. Nowadays `Function.prototype.bind` is significantly faster
and fully optimized by TurboFan, however, so there’s no need for the
`simpleBind` helper anymore.
Bug: chromium:807522
Change-Id: I1a0456e2aa34f92a3c9a0234a812b660f969d016
Reviewed-on: https://chromium-review.googlesource.com/903164
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51108}
We want to be able to use this from other builtins as well, so move it
to somewhere common.
Also adds typing and cleans up the coding style to match newer CSA code
a bit more. GrowableFixedArray is now a subclass of CodeStubAssembler
to make things easier and cleaner. The growing strategy has also been
slightly changed so that empty arrays can be produced.
Change-Id: I20cbd1069d489a6875804736d3e5abab80d0f777
Reviewed-on: https://chromium-review.googlesource.com/901324
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51107}
The catch prediction logic got confused when we merged the reactions and
result fields of JSPromise, because for settled promises it would start
to treat the result as reactions list, leading to a crash most likely or
memory corruption in the worst case (only if break on uncaught exception
is enabled). We can only inspect reactions when the promise is still in
"pending" state.
Bug: chromium:808973, v8:7253
Change-Id: I15162c96fce959a052fbc628addd9418da39327c
Reviewed-on: https://chromium-review.googlesource.com/903163
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51106}
This adds support for the {i64.const} opcode. Since this makes i64
values show up on the wasm stack, quite some code paths need to handle
them. The {CheckSupportedType} method still returns false for kWasmI64,
which will be changed in a follow-up CL. That requires more changes
since it unlocks more uses of i64, e.g. in loads and stores.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: Ie012d0cd3db001f8693573fd16a3cfafe187009b
Reviewed-on: https://chromium-review.googlesource.com/893319
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51105}
Previous implementation used delay slot the wrong way.
Also, trampoline pools were not generated as they should be.
MIPS64 changed to be the same as MIPS since there is probably the
same problem that is masked.
test=wasm-spec-tests/tests/br_table
Change-Id: I94786233714a4a2f5eb86e74e02b7e7a7328bf2b
Reviewed-on: https://chromium-review.googlesource.com/901883
Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Cr-Commit-Position: refs/heads/master@{#51100}
Modify "run_perf.py --filter Array/" so that it will match "Array" but
not "ArrayLiteralSpread". Previously --filter Array/ would match nothing.
Change-Id: I1f9c677e3558fc2256a71306af5fc1a8394ac698
Reviewed-on: https://chromium-review.googlesource.com/895453
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51098}
Fixes float to I64 tests to not have duplicated tests.
Also changes the use of macro REQUIRE to only be needed when an opcode
(i.e. operation) is not supported on some architecture.
Bug: v8:7226
Change-Id: I6c18602bd836469077808c0b3c93732af7c8f0d8
Reviewed-on: https://chromium-review.googlesource.com/895408
Commit-Queue: Karl Schimpf <kschimpf@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51097}
The test required a special runtime function, which did not work in
general but only in the context of that one test. After an offline
discussion we decided that what the test is testing is not worth a
runtime function, since we would also see in other tests if something
goes wrong.
R=clemensh@chromium.org
Bug: v8:7403
Change-Id: I129a189a9df299d409a4a555eae28783e47b97d1
Reviewed-on: https://chromium-review.googlesource.com/901284
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51095}
Also slightly restructure if-chain for readability.
Bug:
Change-Id: I1903106f412e559536bac3369610f40fa6b58680
Reviewed-on: https://chromium-review.googlesource.com/901502
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51094}
A previous CL lowered NumberConstant nodes into IntPtrConstant nodes during
simplified lowering. It inadvertently disabled an optimization in TypedArray
accesses that relied on matching NumberConstant(0).
Bug: chromium:806727
Change-Id: If1938af057be66dea8edc588cc048a01410ca0ad
Reviewed-on: https://chromium-review.googlesource.com/897494
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/master@{#51092}
The multi-return fuzzer was able to generate more than 256 parameters of
the same type. However, the fuzzer itself could not deal with so many
parameters. With this change more than 256 parameters of the same type
can be handled and tested.
R=clemensh@chromium.org
Bug: chromium:807862
Change-Id: I6941eb0ff7e78a8feebc437624fa100adeda4e3d
Reviewed-on: https://chromium-review.googlesource.com/897673
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51089}
This adds a new isolate wide Promise#then protector, which guards the
"then" lookup for all JSPromise instances whose [[Prototype]] is the
initial %PromisePrototype%. Thus arbitrary mutations to the
Promise.prototype (i.e. monkey-patching other methods or installing
new functions) no longer send you down the slow-path. Use this protector
in Promise.prototype.catch and in Promise.resolve.
Drive-by-fix: Restructure the resolve logic a bit and avoid the
expensive and large SameValue check, which can be turned into a simple
reference equal, as the promise in there is known to be a JSPromise
anyways.
Bug: v8:7253
Change-Id: If68b12c6bc6ca9c4d10552ae84854ebc3b5774f9
Reviewed-on: https://chromium-review.googlesource.com/899302
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51085}