Document ownership with using std::unique_ptr<Space> for the space_
array.
Bug: v8:13267
Change-Id: I12861d97cd52d2a8cf9ceb43a2f90008be87b2a3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890913
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83187}
SimulateFullSpace starts with no LAB, iterates over pages and allocates
all free space on each page. After the first page, the LAB is empty but
is no longer null.
Bug: v8:12612
Change-Id: I2c00b9ba68fdd5f60eda086ea940cb6e211a986e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891294
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83186}
During a stack switch, the stack state is temporarily inconsistent when
the old stack is marked as "inactive" and the new stack is not yet
marked as "active".
Ensure that the WasmAllocateSuspender runtime function is not called in
an inconsistent state. It can trigger a GC, and we need a consistent
state to iterate the roots.
Wait until the end of the function to mark the current stack as
"inactive", so that it is still marked as "active" when it is
potentially visited.
R=clemensb@chromium.org
Bug: v8:13272
Change-Id: I65fe76c3d222d9fa47d17b66069443ceabba47ad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890919
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83184}
Before, import and export wrappers were cached based on their
signature. This change
- makes wrapper canonicalization consistent with that of types and
call_indirect signatures under --wasm-type-canonicalization,
- removes the last uses of signature maps, which will enable us to
remove them in a future CL.
Change-Id: I512bc234f0ae10e50bd94237e8e675ca47ed13c5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891250
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83183}
Ignition remembers the correct context to restore when entering an
exception handler by moving the context to an interpreter register
when entering a try block, and restoring it from there when unwinding
the frame and entering the catch block.
Maglev code has to do the same by taking the context from the
appropriate register for the handler's frame state.
Bug: v8:7700
Change-Id: I294fcccc845c660b2289b6d7b40f49f1aa46283d
Fixed: chromium:1359928
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892352
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83181}
This error type is very common and deserves its own error message
instead of the generic "Unexpected value" one.
Change-Id: I07a0de8b190db58e97fae98d0f7347872efd9995
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892694
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83180}
Move the CompilationInfo out of the GraphProcessor and into the
individual NodeProcessors, allowing them to hold it as a field rather
than getting it passed in via the various process methods. This will
allow us to write graph processors that don't have/need access to the
compilation info.
Bug: v8:7700
Change-Id: I8b91cbeaf632f05ae8bbbe8783e5a7381b5c8e53
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892698
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83179}
This CL adds shared spaces for regular and large objects in the shared
space isolate. Spaces aren't used for allocation yet.
Bug: v8:13267
Change-Id: If508144530f4c9a1b3c0567570165955b64cc200
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876824
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83178}
Joining a queue-using process can deadlock if the child process is
about to write to the queue, but the parent process wants to join the
child. To fix this, we now drain elements from a separate thread of
the main process.
Bug: v8:13113
Change-Id: Ic279e66ab84eb89a4034ff1f2c025eb850b65013
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891116
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83177}
Trap if the suspender argument provided to the JSPI import
wrapper is invalid.
For now, the suspender argument is expected to be the active
suspender. In the future, it will also be possible to suspend
to a parent of the current suspender. This will only be possible
once wasm-to-wasm suspending wrappers are supported, or if and
when JSPI suspenders become compatible with their core
stack-switching counterpart (e.g. Fibers in the fiber proposal).
R=jkummerow@chromium.org
Bug: v8:12191
Change-Id: I650454ed076bd251b0aa18656774d4c4b2d3bfdc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892697
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83173}
1. Return null if the transition is out of bound.
2. Remove incorrect MAYBE_RETURN which is handled by the IsNothing check.
Bug: v8:11544
Change-Id: Ia54f68831120bd2460cb813464168b1a2c92da3d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893595
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83171}
Instead of having e.g. `string.new_wtf8` that takes an immediate
specifying the particular UTF-8 flavor to parse, make one instruction
per flavor.
See https://github.com/WebAssembly/stringref/pull/46.
Bug: v8:12868
Change-Id: I2e9f2735c557b2352b6e75314037e473710d87a9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892695
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andy Wingo <wingo@igalia.com>
Cr-Commit-Position: refs/heads/main@{#83170}
This also allows allocation folding to be tested in cctests.
Bug: v8:13070
Change-Id: I7b6991461dd7ad4423539b33f59a05d6b247c3e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891257
Auto-Submit: Teo Dutu <teodutu@google.com>
Commit-Queue: Teo Dutu <teodutu@google.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83169}
Double-representation field loads were DCHECKing that the entry in the
descriptor array for a double-representation IC is also double
representation. With in-place map updates, however, the IC may be out of
date, so weaken this DCHECK to take into account in-place updates, and
rely on compilation dependency commit making this lookup safe.
Bug: v8:7700
Change-Id: Iff3c80d396274d14034e010dbe98f5640c9e4495
Fixed: chromium:1358872
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892692
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83166}
ElementAccessFeedback transition groups can contain multiple maps in a
transition group if feedback is polymorphic on elements kind but not
otherwise the map kind. Maglev should treat this case as polymorphic.
Bug: v8:7700
Change-Id: I779299e4cf9d1c3a30e77f7a953d057ea5a69935
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892691
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83165}
For frame inspection (i.e. not deoptimization), no RegisterValues are
available to TranslatedState and thus any register-allocated value is
unavailable.
Stack trace collection require `function` and `receiver` values to be
available and thus stack-allocated. Both are immutable and have fixed
stack slots so this is not a problem; we just lost track of the receiver
inside Maglev when function parameters were wrapped inside exception Phi
nodes.
We solve this for now by special-casing the `receiver` to reuse the
InitialValue node instead of creating a new Phi.
Bug: v8:7700
Change-Id: I4f4de9a643b98e2fcbc7ee7a53688cc97a8d6f1d
Fixed: chromium:1359428
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893856
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83164}
BE machines use a 4 byte bias to spill/fill 32-bit values on
the stack. This is done so because TF always fills 64-bit values
even if the spilled value was 32-bits. To make sure this holds between
LO and TF we have added a 4 byte bias in this CL:
crrev.com/c/2756712
LoadSpillAddress needs to also take this into account and
add a bias if the spilled value was 4 bytes.
Change-Id: Ibd2b2071ce1fb11a9c5884611ae8edd1f17cb0c9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891196
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83163}
GetIterator on object o consists of two steps:
1) iter = load o[#Symbol.Iterator]
2) call iter
For null / undefined step (1) throws an exception, meaning
step (2) is never reached. Up to this change, turbofan
deopts if for either of the two steps there isn't enough
feedback, meaning that we have a deopt loop for null and
undefined.
Change-Id: Ie0eaf8e231a149313e10af9e95fd80bc77dc0beb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890980
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83159}
FillCurrentPage assumed that everything after top is empty, which
doesn't work with MinorMC and sweeping. Revise FillCurrentPage based
SimulateFullSpace for MinorMC.
I similar implementation is provided both in unittests and cctest.
Migrating affected cctest to unittests is left a future work.
Bug: v8:12612
Change-Id: Ie29be2fc7aaee25e1fd5f66b1c0959c2a45f007f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3885888
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83158}
During ExternalPointerTable::Grow, if we cross one of a handful of
predefined utilization thresholds, we now request a (major) GC to free
up entries that are no longer used in the table.
Bug: v8:10391
Change-Id: Id2d262f0f1d4dc37aec1e4978a8be2d223fb2b2b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890971
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83155}
v8_multi_arch_build toggles v8_enable_pointer_compression, but some
other flags are set depending on v8_enable_pointer_compression.
Previously the v8_multi_arch_build condition was resetting some of these
in its branch, but we can make this simpler by moving the pointer
compression toggle earlier, immediately after the default pointer
compression setting.
Change-Id: Ie5f4e73f947b693d4ba2abe4e1cf30009a2bbb2c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890918
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83154}
The way to determine whether a MaybeObject is a strong or weak
reference to the heap object is to check its lowest two bits.
However, if the MaybeObject is known to not be a smi, that is, the
lowest bit is known to be 1, we can check one bit instead. This
allows Turbofan to select better instructions:
x64:
Before:
movl r9,r11
andl r9,0x3
cmpb r9l,0x1
After:
testb r11,0x2
arm64:
Before:
and w8, w7, #0x3
cmp w8, #0x1 (1)
b.ne #+0x320
After:
tbnz w7, #1, #+0x320
Change-Id: I03623183406ad7d920c96a752651e0116a22832e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3861310
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Hao A Xu <hao.a.xu@intel.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83153}
.. Throw|LazyDeopt. Whether a builtin can Throw|LazyDeopt depends
on the implementation, so to be safe all builtin calls should be
marked as such - UNLESS we know for certain that one or the other
doesn't happen.
Drive-by: For calls with two result registers, properly consider
the second register in a few spots.
Bug: v8:7700
Change-Id: Icbcffb51e9760761a2f4e32d79af33abccb8f1cb
Fixed: chromium:1361245
Fixed: chromium:1360800
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879617
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83152}
.. where we sometimes want to inspect Node contents. With this CL, for
a human-readable print in gdb:
print node->Print()
Note: Since we use an adhoc-created graph labeller, the output can't
properly identify input nodes and instead prints them as 'unregistered
node'.
Bug: v8:7700
Change-Id: Icba458ac1a5c43a09b815e12582443aca4e19380
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890914
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83151}
Add a fast path for keyed loads that are:
1. Monomorphic,
2. Fast elements accesses,
3. Not out-of-bounds (deopt on OOB),
4. Not holey
Bug: v8:7700
Change-Id: I4d46f4d0ce7065c93a9b092833fb16a8c9e9f94e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3882974
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83149}
The normative change in
https://github.com/tc39/proposal-resizablearraybuffer/pull/93 changed
the behavior of TypedArray.prototype.subarray(begin, end) such that if
the receiver is a length-tracking TA and end is undefined, the result
TypedArray is also length-tracking.
This change reached consensus in the March 2022 TC39.
Bug: v8:11111
Change-Id: If1a84cc3134f3ce8046196d6cc36683b6996dec0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3888382
Commit-Queue: Marja Hölttä <marja@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83147}
Loop used value lifetimes extension extends the lifetime of anything
used inside of a loop but defined outside of it, to make sure that it is
considered 'live' for the entire body of the loop (this is so that we
don't e.g. clobber their stack slots with stack slot reuse).
The implementation works on the principle that a) basic blocks are
topologically sorted by forward control flow, and b) loops are
irreducible. This means that basic blocks between a loop header and the
jump to that loop header are inside the loop, and nodes whose id
preceeds the loop header's id must be before the loop.
Generator resumes break this irreducibility by jumping into the middle
of loops. This is principally not a problem for the above lifetime
extension, it just means that the loop's used nodes will overapproximate
and include these generator nodes. However, there was an implicit
additional assumption that the node must be loadable by the loop end, to
extend its lifetime. This fails for the generator resume case, because
it's possible that the node didn't make it into any loop merge state,
e.g. because the resume would immediately deopt or return, e.g.
Start
/ \
/ GeneratorResume
| |
v |
.>Loop header |
| | |
| Branch |
| | | |
| | Suspend |
| | |
| | Resume <-'
| | |
| | Return
| v
`--JumpLoop
Here the Resume will get the accumulator from the generator and the
Return will use it, which will be seen as an out-of-loop use of the
generator, but the generator was never reachable from the "real" loop
body.
At the end of the day, since there are no actual uses of the generator
value in the loop body, the lifetime extension does no harm; all that
fails is a DCHECK that the values loop lifetime extension extends are
actually loadable. So, we can relax this DCHECK for this specific
generator edge case, by checking for whether the JumpLoop is reachable
from the generator resume.
Bug: v8:7700
Change-Id: Iec4db2aee5b8812de61c3afb9004c8be3982baa2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890975
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83144}
Allow distinguishing control nodes that do and don't allow continued
execution.
Bug: v8:7700
Change-Id: Ifa13b64821484584929bd62a0d8585aee160c19e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891255
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83143}
v8::String::MakeExternal is currently incorrectly using the shared
isolate of the shared string, which will race when setting VM state. In
general the shared Isolate shouldn't be used for anything, it's an
implementation detail to hold the shared heap space.
Bug: v8:12007, v8:13276
Fixed: v8:13276
Change-Id: I21ec57645ed4740a4c19c51b8fa1e2928a07a0f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3888384
Reviewed-by: Adam Klein <adamk@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83139}
