When pntr compression is enabled, `Pointer()` reads 8 bytes
whereas `TaggedPointer()` reads 4 bytes and decompresses.
TaggedPointer() in this case was causing an incorrect read
on big endian as the desired value was located on the high side
of memory.
Similar patches were also applied in this CL:
https://crrev.com/c/2057355
Change-Id: I77c449256ae1f56f2f8664f687985221badf819f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3314302
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78232}
This is in preparation for supporting concurrent access in
String::SlowEquals, which will need to compare character buffers with
relaxed ordering.
Bug: v8:12007
Change-Id: Ie8ac62c15df48ebd605985c35b843b510c7ad167
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3313467
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78231}
Previously, StoreStoreElimination handled allocations as
"can observe anything". This is pretty conservative and prohibits
elimination of repeated double stores to the same field.
With this CL allocations are changed to "observes initializing or
transitioning stores".
This way it is guaranteed that initializing stores to a freshly created
object or stores that are part of a map transition are not eliminated
before allocations (that can trigger GC), but allows elimination of
non-initializing, non-transitioning, unobservable stores in the
presence of allocations.
Bug: v8:12200
Change-Id: Ie1419696b9c8cb7c39aecf38d9f08102177b2c0f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3295449
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78230}
Rather than creating a ParseInfo when creating a BackgroundCompileTask
(and passing ownership across to the BG thread which deallocates it),
create one when running it.
This allows the ParseInfo Zone to be both allocated and deallocated on
the same thread, which will improve its allocator friendliness.
As a side-effect, we now use the on-heap PreparseData from the
SharedFunctionInfo, rather than cloning the in-Zone PreparseData. This
means that we don't have to copy the PreparseData across Zones, but we
do need to Unpark the LocalHeap when accessing preparse data.
Change-Id: I16d976c1ad54c1090180f2936f40a23a6dbb5904
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3312483
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78228}
Finalize other finalizable jobs in FinishNow, up to a time deadline.
This deadline is set to 1ms for now, because that seems like short
enough to not get in the way of user interaction but long enough to be
worth doing here rather than doing another runtime call for the
subsequent funtions.
Change-Id: I79f0780e9318e97efee03d2d25701009ca7069d1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3310801
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78227}
If multiple isolates are running concurrently and one of them calls
`quit`, we should not delete the counters map, because another isolate
might still access it.
R=mlippautz@chromium.orgCC=nikolaos@chromium.org
Bug: v8:12453
Change-Id: I6d41478f188f0043b7d6055b0872574c28fd3039
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3310807
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78226}
Debug build needs more scratch registers, since s0 is not added to
allocatable registers, we could use it as a scratch register.
Change-Id: I1453d78b18cd3abff83a2f0c084ed4dd92e92884
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3313967
Reviewed-by: Liu yu <liuyu@loongson.cn>
Commit-Queue: Liu yu <liuyu@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#78225}
This CL forwards the information that we are breaking because
of a ScheduleBreak runtime call.
Bug: chromium:1229541, chromium:1133307
Change-Id: I5eb9462c9df135bc3b3080c354e61e301d24e1ff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3310804
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78223}
Rolling v8/build: 99a1dc1..746224d
Rolling v8/buildtools/third_party/libc++abi/trunk: 665b74f..89f2e82
Rolling v8/buildtools/third_party/libunwind/trunk: c936d73..0f447a3
Rolling v8/third_party/android_platform: 72e09e9..abc362f
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/5695a84..dbf8536
Rolling v8/third_party/depot_tools: 5deb9c9..3e68015
Rolling v8/third_party/googletest/src: bb92160..1b26064
Rolling v8/third_party/zlib: e8c257c..efd9399
Rolling v8/tools/clang: 401e727..16279ec
Rolling v8/tools/luci-go: git_revision:e4c95e4e4cdc987f1860e4111589606bcd3a8f32..git_revision:d3f13de997dcae45d2af9210be74e7eb96a98268
Rolling v8/tools/luci-go: git_revision:e4c95e4e4cdc987f1860e4111589606bcd3a8f32..git_revision:d3f13de997dcae45d2af9210be74e7eb96a98268
R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com
Change-Id: I24c2e7dac871c7d80b719e7887489c1dcdb114b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3311316
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#78221}
Apparently std::make_unique is not a function under MSVC!
Change-Id: I2014e8779ae3434dc265e2a030181e78085beb57
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3313349
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78219}
This CL turns references to ArrayBuffer backing stores from
JSArrayBuffers, JSTypedArrays, and JSDataViews into CagedPointers
when those are enabled.
CagedPointers cannot generally represent nullptr, as NULL usually lies
outside the cage. As such, nullptr backing stores are replaced with a
special empty backing store value, which, in the current implementation,
points to the end of the cage, right in front of the trailing guard
regions. Due to this, it is no longer correct to compare a backing store
pointer against nullptr.
Bug: chromium:1218005
Change-Id: I4a6c7a82aabb4debcb6bb2babe4035ba2da8e79f
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3244419
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78218}
This reverts commit f68242bcb0.
Reason for revert: UBSan error: https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket/8828943333104509889/+/u/build/compile/stdout
Original change's description:
> [codegen] Reduce size of safepoint table fields
>
> Code objects are often small and do not use the full integer range of PC
> offsets and deoptimization indexes. Reducing the size of these fields to
> the required size per table reduces the overall size of safepoint tables
> by roughly 25%.
>
> R=jkummerow@chromium.org
>
> Bug: v8:12401
> Change-Id: Ie6889a70782f5510436a1d05d31d17aac0bfec6e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306556
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#78216}
Bug: v8:12401
Change-Id: I53b574558305ac25fa8f38a843c98f653af201ba
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3312488
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#78217}
Code objects are often small and do not use the full integer range of PC
offsets and deoptimization indexes. Reducing the size of these fields to
the required size per table reduces the overall size of safepoint tables
by roughly 25%.
R=jkummerow@chromium.org
Bug: v8:12401
Change-Id: Ie6889a70782f5510436a1d05d31d17aac0bfec6e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306556
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78216}
The stack memory will be accessed through a global list later, so the
stack pointer should be accessible without the containing
WasmContinuationObject. This also saves some unnecessary allocations and
indirections already.
R=ahaas@chromium.org
Bug: v8:12191
Change-Id: Ic3d71ecadbb13b18f0440049527ba71d657589b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3312486
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78215}
Add a flag for controlling the maximum number of threads usable by the
LazyCompileDispatcher.
Change-Id: I87fc39d337a00cff0c3d152392630f48da050fff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3312482
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78214}
Set the JS limit at a 40KB offset from the actual limit, like on the
native stack. This is an estimate of the maximum stack space needed for
runtime calls.
R=ahaas@chromium.org
Bug: v8:12191
Change-Id: I709d5b25c5e47d2474cf4205ebcb8ee7fc8e794c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3312485
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78212}
The call to SyncStackLimit is already inlined in the previous runtime
call (WasmAllocateContinuation).
R=ahaas@chromium.org
Bug: v8:12191
Change-Id: Ie602f8317bc9ed5b5b5f9a0eb545a57602aeed42
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3312484
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78210}
This allows streamed sources to also trigger parallel compile tasks. The
chunk vectors are shared via std::shared_ptr.
Clone chunked streams are initialised with a null source, and are not
allowed to fetch any more data. Similarly, the original stream is not
allowed to fetch data if it has been cloned (since the vector is shared
and would mutate if we added more data to it).
This is ok for the purposes of cloning for parallel compile tasks, as we
fully parse before cloning for the task.
Change-Id: Ic268e4956e0894acb63111bf0aaf32eaad426066
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3310917
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78209}
Baseline compiler generates calls to builtin Bitwise_Baseline for
bitwise bytecodes with Smi rhs. The builtin still performs type check
for rhs even though it is known to be Smi.
This CL implements new builtins for bitwise operations which does not do
speculation for rhs.
Bug: v8:12442
Change-Id: Ia6e1b25a74d00db8c39600b4f81f6e9aa5d59253
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3310520
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Hao A Xu <hao.a.xu@intel.com>
Cr-Commit-Position: refs/heads/main@{#78206}
... as a prerequisite for adding InstructionStream heap object.
Bug: v8:11880
Change-Id: I22b4832cedd46bee4a4c5a0d7b5032eba10b2a7b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3310900
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78204}
This CL makes sure to forward the information that we are pausing
because of a debugger statement, and to encode it explicitly
as an 'other' reason when reporting the pause to the front-end.
Drive-by: refactoring the way break reasons are propagated by
introducing a new enum for break reasons
Bug: chromium:1229541, chromium:1133307
Change-Id: I9d2e8d8da54d96a231eff9d1f62b74507955b18f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306978
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78202}
We optimize away type upcasts for nominal types in WasmFullDecoder.
Upcasts trivially hold for nominal types, which is not the case for
structural types. Note that we already optimize away trivially-failing
checks (when types are unrelated) for both nominal and structural types.
Bug: v8:7748
Change-Id: I720c9803cb8b4071aa4bae112ce06d587b7a68fa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306984
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78201}
--wasm-speculative-inlining makes no sense if --liftoff-only or
--no-liftoff, since it needs type feedback from Liftoff and is appied
by Turbofan. Therefore, it should be disabled in these cases.
Specifically, --wasm-speculative-inlining implies
--wasm-dynamic-tiering, which contradicts --liftoff-only.
Bug: v8:12166
Change-Id: Idc5e0d7ceb7dbdf82ea6fd14ffc8386fe35a1257
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306554
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78200}
{V8::Dispose} calls {FlagList::ResetAllFlags()}, which resets all flag
values. Thus the values of FLAG_dump_counters and FLAG_dump_counters_nvp
need to be read before disposing v8.
Drive-by: Two unrelated code simplifications / unifications.
R=mlippautz@chromium.org
Bug: chromium:1275117
Change-Id: Ie2bbe0c844efaf3ed50a62533c5ec08b6b423379
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3310881
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78199}
This flag is not supported now.
Bug: chromium:1271841
Change-Id: I6a80ebed79a03164f58f1757b8ebaca74a681441
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306786
Auto-Submit: Junji Watanabe <jwata@google.com>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78198}
This fixes operators in wasm Turbofan that were mixing up integer sizes
and pointers with tagged pointers.
Additional changes:
- Remove unused (and non-compiling if V8_MAP_PACKING)
GraphAssembler::StoreMap.
- Factor out WasmGraphBuilder::IsNull.
Change-Id: I9d99827e35507adc0af391bd39975d55371b98cf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306981
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78196}
That code should be dead now that we compute the description in Blink
(see crbug.com/1048143).
Bug: chromium:1275591
Change-Id: I6e8c4dec27eb981807ab4eba75572635ee655a3b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3310837
Auto-Submit: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78195}
This CL removes the CallRefData data structure and accesses a funcref's
target and instance through the funcref.
Bug: v8:7748
Change-Id: Ic46b127f7775052d5df13b03c447e3b15328ad74
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306486
Commit-Queue: Richard Stotz <rstz@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78194}
Moved DEFINE_UINT after the #ifdef block, so it is also defined
for Mac arm64.
This is a reland of 6aadf0e0ff
Original change's description:
> [baseline] Add max threads flags for CSP
>
> Bug: v8:12054
> Change-Id: I49238fe673858b60c2a2a935ed1f45f465269216
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3308707
> Auto-Submit: Victor Gomes <victorgomes@chromium.org>
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#78187}
Bug: v8:12054
Change-Id: Ica352b2f099fff875411c0e1915bcddb4ca48061
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3310800
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78192}
This fixes data races when lazily creating counters (and populating the
{counter_map_}, and when concurrently adding samples to the counters.
It also ensures that the Wasm engine is stopped (via {V8::Dispose})
before printing and deleting counters, as background threads might still
try to update the counters otherwise.
R=mlippautz@chromium.org
CC=nikolaos@chromium.org
Bug: v8:12453, chromium:1275117
Change-Id: Ie6beea6cc74eea52143d12f9921597da4a250f2a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3308710
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78191}
The new flags enum had kReduceMemory as the first value, which means it
got the value 0 and thus was considered as never set.
Bug: v8:12407, chromium:1274954
Change-Id: Ifcce2316c1dcd09a12ad52ef391f513b014aea1c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3310609
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78189}
When emitting code, character ranges must only specify ranges which
the actual subject string (one- or two-byte) may contain.
This was not always the case, specifically for ranges with
`from <= kMaxUint8` and `to > kMaxUint8`.
The reason this is so tricky: 1. not all parts of the pipeline know
whether we are compiling for one- or two-byte subjects; 2. for
case-insensitive regexps, an out-of-bounds CharacterRange may have an
in-bounds case equivalent (e.g. /[Ÿ]/i also matches 'ÿ' == \u{ff}),
which only gets added somewhere in the middle of the pipeline.
Our current solution is to clamp immediately before code emission. We
also keep the existing handling/dchecks of the 0x10ffff marker value
which may occur in the two-byte subject case.
Bug: v8:11069
Change-Id: Ic7b34a13a900ea2aa3df032daac9236bf5682a42
Fixed: chromium:1275096
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306569
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78186}
Enable the prefinalizers scope and add a top level AtomicSweep scope
so that prefinalizers are accounted as part of sweeping.
Change-Id: I9dade6a2367d30d20395de30c3db84922fee5a49
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306567
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78185}
We sometimes use ReportError() inside of Torque parser actions.
The resulting exception prevented the ParseResultIterator from being
consumed completely, which in turn triggered a CHECK failure instead
of the correct error message.
Change-Id: Ie8dcdf67094e5ad5d68934e8a2921d5f52bd3092
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306973
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78184}
