Errors in the callback were not correctly unlocking the mutex, oops.
Bug: v8:12547
Change-Id: If44ebc023b8192605c9f29bfd4099a197110f5c4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3760986
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81708}
PPC Simd regs are already using separate set of register banks
on ppc, more details can be found here:
https://crrev.com/c/2718472
Here we are making use of this CL https://crrev.com/c/3005768
(fcd3ef4) and fully separating Simd regs during register allocation.
Member function `toSimd()` is also introduced which will be used
to cast FP regs to Simd regs in liftoff.
Change-Id: Ic5551fb04f37de7fc9501a2f1aba8fb44f622d95
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3755213
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81707}
The current compression scheme defines isomorphism with respect to
relational operations (i.e. the relational operators preserve their
results on the set of compressed pointers).
In addition, provide overloads for nullptr/sentinel.
Bug: chromium:1325007
Change-Id: I476a1c59e92f5210e26142320eb03802bd11ea51
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3758143
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81706}
The increase caused a significant PMF regression on Windows. Apparently,
leaving the table in reserved state didn't eliminate the regression. The
CL returns the age size back to 1MB. The followup is to investiage and
fix the regression.
Bug: chromium:1336420
Change-Id: I56542ba4efe0fc8d08d8c5febf758384559a8860
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3758146
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81705}
To prevent timeouts on arm64-sim debug and gc-stress builder. Also
skip a very slow test on the arm64-sim gc-stress builder.
No-Try: true
Change-Id: I7d275aa893dbe4942b4d41c6e83d9b9e6f861a33
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3760455
Reviewed-by: Adam Klein <adamk@chromium.org>
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81704}
The operator with raw pointer allows us to avoid Member decompression,
which is more expensive than compression. It's also quite frequently
called (e.g. in HeapHashSet::find()).
The existing operator
template <...>
bool operator==(const Member<T1>&, const Member<T2>&);
was not called for
GCed* raw = ...;
member == raw;
because the compiler wouldn't deduce `T2` in `const Member<T2>` as
`GCed` when the initializer expression `raw` is of different type
(`GCed*`).
Bug: chromium:1325007
Change-Id: Ie1ee12bad28081c66f4e08a146467fd7c040bb70
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757344
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81702}
Bug: chromium:1344014
Change-Id: I5009af963d95d96f70785593664a1145ad20c97d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3760975
Reviewed-by: Adam Klein <adamk@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81701}
When the control-flow aware type of a Node doesn't actually change,
then we shouldn't claim that it did (which causes later re-visiting
of the node).
Fixed: v8:13061
Change-Id: I064cedf3721a79844bfc36ad3142428bdfbaf891
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3760675
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81700}
Implements an initial prototype of the Wasm Trace proposal. A custom
section containing offsets to functions is decoded into trace
instructions that are inserted into the function. In Liftoff, these
are directly inserted. In TurboFan, these are added as StackEffect's,
this is a work in progress.
Traces will only be decoded and added when a flag is given to V8,
currently "--experimental-wasm-instruction-tracing". If a trace is ever
not valid or an error occurs, it is safe to just throw them away.
Code Metadata Tool Convention:
https://github.com/WebAssembly/tool-conventions/blob/main/CodeMetadata.md
Design Doc:
https://docs.google.com/document/d/1739a_LXbavBnek7pa0uqhHOCz8IJ56mn2C2Yvbssvkg/edit?usp=sharing
Wasm Trace Proposal:
https://github.com/WebAssembly/instrument-tracing
Bug: chromium:1090122, chromium:1252113
Change-Id: Id4690d8deca482ff0e863761668ffabca159bd29
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3386604
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81699}
V8 was compiled for Fuchsia with optimize_speed instead of optimize_max
used on most other platfroms. There is no reason Fuchsia needs to be
different, so it's better to use optimize_max. It also allows to save
about 1MB on the binary size.
Bug: chromium:1343990
Change-Id: Ie4a07fbbfd8100def61bf7709d2c4e6cb74209f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3759647
Commit-Queue: Sergey Ulanov <sergeyu@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Auto-Submit: Sergey Ulanov <sergeyu@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81698}
The exact method name is not interesting when looking at crash
statistics, and can easily be retrieved from stack traces. Instead,
print a consice string saying what we were trying to do when we ran OOM.
This is more consistent with other OOM location strings.
R=ahaas@chromium.org
Change-Id: Ic8cf70b40c304711e8b96391418019b3f697e977
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3760446
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81691}
It is not safe to allocate ExternalPointerTable entries while the table
is being swept. This property is currently ensured by the GC. To better
catch any potential future violation of this requirement, this CL now
changes the Sweep() method to first set the freelist head to a special
marker value, which is checked in Allocate() in debug builds and will
cause a recognizable crash in release builds.
Bug: v8:10391
Change-Id: Iab69c1e97afc23ae5b2b894b2d765b82a760cdd8
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3758211
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81690}
Avoid loading objects with 64-bit movq when they are only being used to
compare against another object with a 32-bit cmp_tagged under pointer
compression.
Change-Id: Ib8ccd093fb49caea3bf1b923b83825626ba0bffc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3760447
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81689}
Also changes CreateObjectLiteral to take the boilerplate as a constant
value, not a node.
Bug: v8:7700
Change-Id: I6852c7c4b8d361f903155c513e627ebc1af4d2f6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3758223
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81687}
TSAN may cause the sandbox to fail to obtain enough virtual address
space during initialization, thereby causing it to fall back to a
smaller backing reservation. This may then in turn cause future
WebAssembly.Memory allocations to fail.
Bug: v8:12980
Change-Id: I812ee02c5421153f1ea3b6bc371c72bc1da406a8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757897
Commit-Queue: Samuel Groß <saelo@chromium.org>
Auto-Submit: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81686}
This is a reland of commit 1ed7d0b8d1.
Fixes:
- https://crrev.com/c/3745533
- https://crrev.com/c/3758064
- https://crrev.com/c/3757709
Original change's description:
> [flags] Enable freezing of flags
>
> This enables the --freeze-flags-after-init flag globally. Note that
> tests, fuzzers, Node and other still explicitly disable the flag. The
> chrome renderer process and default d8 execution will have it enabled
> though.
>
> R=cbruni@chromium.org
>
> Bug: v8:12887
> Change-Id: I9a15ef64227e5e6e04779d8d671a2c50d99c9097
> Cq-Include-Trybots: luci.v8.try:v8_linux_blink_rel
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695264
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81214}
Bug: v8:12887
Change-Id: Ibacb7b738a91f9a893a35a7b845ce4a6ff7bae3f
Cq-Include-Trybots: luci.v8.try:v8_linux_blink_rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3758224
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81685}
Just the generic path for now, the most valuable optimisation here would
be transitioning stores but we don't yet support these.
Bug: v8:7700
Change-Id: I95e3a77cccf43bc33607a50bab1eb89fca32af06
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3758144
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81684}
We don't even need any new IR nodes for it.
Bug: v8:7700
Change-Id: I8c2844f9bc6d21b09799395f817831685be21df7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757883
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81681}
If a tracing session starts after a script load has happened, then it is
not emitted, so the source information is not visible in ETW. This is
because we keep track of the loads already emitted, and we try to launch
traces even when recording is not happening.
To prevent this problem, this CS keeps track of when recording is
happening. So, when it starts, it will emit all the already generated
code immediately. This will add some overhead on tracing session start
if system instrumentation is enabled, but this is better than not
having instrumentation for previous symbols.
There is still one problem: for each active isolate, it calls for
replaying the event recording in an asynchronous task. So, for any
JS task that is already running when tracing start, symbols will not
be available. This makes this change less useful as, for a batch task
or any long JS code that is already running when tracing start, we
will not get symbols yet. Only after the foreground task runner runs
the task to emit the ETW events we will get the symbols resolved in
the trace.
An specific approach was required for d8 interactive shell. As, when
showing prompt, it is not processing the task runner queue, and it
is only processed when the next script is launched, it first checks
if it needs to generate ETW symbols information before running the
script.
Bug: v8:12932
Change-Id: I8b056c69cee0350f921a01c87beb9f2d51e10583
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3705541
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: José Dapena Paz <jdapena@igalia.com>
Cr-Commit-Position: refs/heads/main@{#81673}
This adds a new type 'none' as part of the WASM GC MVP.
The type can only be used in combination with a nullable reference, e.g.
'ref.null none'.
A 'nullref' is implicitly convertible to any nullable reference type.
Bug: v8:7748
Change-Id: Ic5ab6cc27094b3c9103ce3584452daa34633612f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3755136
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81670}
ReadOnlySpaceObjectIterator did not iterate through objects, because of
a bug in the initialization of `cur_addr_` and `cur_end_`. This CL also
merges methods `Next` and `FromCurrentPage`.
Change-Id: Id56bff279216c7a5982d984d80b649bd0c915959
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3758225
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81668}
This patch fixes machine detection on nodejs where the build
pipeline may not use gn and as a result certain macros
will not get set.
More details can be found in this comment:
https://github.com/nodejs/node-v8/issues/223#issuecomment-1180505313
Change-Id: I0cbfc736b28bc130acbdc2cf2e27bbf687be463c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757944
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#81667}
The fast path of Array#toSpliced currently does not correctly initialize
the elements range in the copy's FixedArray elements that will hold the
inserted items. A GC can occur between the initial allocation of the
elements before the inserted items are copied into it, which will fail
heap verification.
This CL also refactors CSA's FillFixedArrayWithSmiZero method to support
only zeroing a portion of a FixedArray instead of the entire thing.
Bug: v8:13035
Change-Id: I1bdb77d3b27f682620b45caa5a9c10ea0072a6ad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3750321
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81665}
Add a CreateFunctionContext implementation (which calls the same builtin
used by Sparkplug), and fix our deopt checkpoints to include the context
as a pseudo-register, so that Push/PopContext work with deopts.
Bug: v8:7700
Change-Id: Ia3efd105683f6922181b9f4c7db0bac6a3a5fcec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757683
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81664}
The wasm instance got pushed three times in the lazy-compile builtin:
1) as part of the parameters;
2) as a parameter for the runtime function;
3) to load the jump table address after the runtime function;
The third push can be avoided by loading the jump table address after
all parameters get loaded from the stack again.
R=clemensb@chromium.org
Bug: v8:13049, v8:12926
Change-Id: I6117cfbbabc6250bf40732b6921c0e629fd85fa6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3755138
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81663}
If we detect out-of-order sections, we should not enter the individual
decoding functions, because they might make assumptions that are not
true in the error case.
In this case, a DCHECK was firing if we call {DecodeFunctionSection}
twice.
R=ahaas@chromium.org
Bug: chromium:1342274
Change-Id: I3d9d8c8c604aeeb92b9766f07d4b5464f4c8d72c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3755112
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81662}
With the flag --always-use-forwarding-table we could end up turning a
String into a ThinString that had a forwarding index set.
This could happen when a String with a forwarding index is externalized.
Bug: chromium:1337469
Change-Id: Iea05586f61e2b78d83d04d5d2e94c4dca2892c1f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3735164
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81660}
... in order to prepare for smoother rollout via the finch flag.
Bug: v8:12054, chromium:1343515
Change-Id: I24f51b73daa35c8de6967e8eb088dd3bee95fc4f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3755120
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81659}
