Dynamic maybe-context/maybe-global lookup can fast-path in the case
where there are no context extensions in the parent contexts. Add a
trampoline builtin for maglev which performs this fast path.
This is similar to Sparkplug, which calls a similar builtin (except one
which loads context and FBV from Sparkplug frame slots), and unlike
TurboFan, which creates local control flow to inline this operation
fully. Maglev avoids creating local control flow, so the builtin
approach seems more fitting.
Bug: v8:7700
Change-Id: I2f63694d9c1f907f91b8b7b8982adc9f9ba106ca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871210
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82985}
Contexts are not included into bytecode loop assignment
analysis. We follow TF and create a LoopPhi unconditionally.
Bug: v8:7700
Fixed: chromium:1359662
Change-Id: I1a589a4bae2bbbf14bf637f0c1e0439e66216aae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871209
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82984}
This reverts commit f388f96fdb.
Reason for revert: Crashes in canary (https://crbug.com/1360024)
Original change's description:
> Enable background merging of deserialized scripts
>
> This can save memory in cases where multiple frames in a process use the
> same script, with sufficient time between loads that the script's
> top-level SharedFunctionInfo is no longer present in the compilation
> cache. Merging is relatively fast; it generally takes about one tenth as
> long as deserialization.
>
> Bug: v8:12808
> Change-Id: I7366a51f1d2ca6a9f551cdf2bdbe0441450cf1bb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3868088
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82920}
Bug: v8:12808
Change-Id: If160173afaab351d995ddcf4b60d6efe656cf70b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871208
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82983}
This adds two flags to dump "type feedback" (call targets and
frequencies) to a local file, or load it from there. This is meant for
experimentation only.
Some implications are removed, as (speculative) inlining now does not
require Liftoff any more, but can also use information from PGO.
R=jkummerow@chromium.org
Bug: v8:13209
Change-Id: I2d34233ce4077db61f5c237b1941136ac61d3b73
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870470
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82979}
This CL implements ConcurrentMarking::RunMinor which uses
YoungGenerationConcurrentMarkingVisitor (go/YGCMV).
This CL also implements Teardown and FinishConcurrentMarking, and
schedules minor concurrent marking in
IncrementalMarking::StartMarkingMinor.
Additionally, this CL opts out of ConcurrentMarking::PauseScope in
Heap::MinorMarkCompact if concurrent MinorMC is active because
concurrent marking will be finalized in FinishConcurrentMarking
subsequently.
Bug: v8:13012
Change-Id: I78fe18416e564565c6421243ff40dec7561fb20a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3850292
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82978}
This CL removes global handle marking barriers for MinorMC because
global handles should only be marked by MajorMC.
Bug: v8:13012
Change-Id: I23737f128c01eee75b2b1a19f47c4bcf6d043976
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872270
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Cr-Commit-Position: refs/heads/main@{#82976}
The test broke in
https://crrev.com/c/3865148
Bug: chromium:1352649
Change-Id: I9857fd359d73a4c1f7d202feba27a3dcf56e23c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872275
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82974}
The stack of an isolate's main thread is kept in the isolate's heap.
This CL sets the stack's start address when the isolate's heap is set
up; it can also be set explicitly from the embedder. The CL also fixes
threaded cctests, where an isolate is shared by many "main" threads.
Bug: v8:13257
Change-Id: Ie30bbbe4130882d94f23de946cbada748f32e22d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870923
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82973}
LdaLookupGlobal/ContextSlot loop over parent contexts to check for
context extensions. If there aren't any, they can do a fast
context/global load, otherwise they have to call a runtime slow path.
The bytecode graph builder didn't build a slow path in the case where no
context extensions are possible, by depth == 0 or static scope info
information that there are no possible context extensions. However, this
information is already known to the interpreter, so that should already
elide the lookup in these cases. So, get rid of the slow path being
optional in TurboFan, and consider such cases bytecode generation bugs.
Change-Id: Ib69f90e51b0f783306824fed56911d039f7e134e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872277
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82972}
This reverts commit d00c040547.
Reason for revert: Failing CI tests on Mac arm64
Original change's description:
> [strings] Support shared external strings
>
> With this CL shared strings can be externalized and external strings can
> be shared.
> The StringForwardingTable is used to delay the real transition to the
> next full GC. On the API side strings marked for externalization will
> look like externalized strings.
>
> Bug: v8:12957
> Change-Id: I53b6509129bc5679c06bdf99421bdb41ea5d9082
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849643
> Reviewed-by: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Patrick Thier <pthier@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82966}
Bug: v8:12957
Change-Id: I13155fcc788d217db56cbfd1c9e4457a81a9dbd7
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870486
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82970}
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.
R=mlippautz@chromium.org
Bug: v8:12887
Change-Id: Id12f9d8270dd9fed651e1b3596c06e45aae9d6d1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3846151
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82969}
With PGO, I am hitting typer errors. Instead of just saying
"UNREACHABLE", print an error message, which would previously
have required passing --trace-wasm-typer.
R=manoskouk@chromium.org
Bug: v8:13209
Change-Id: I75498782712b6adfeb1236f6882c49d015f9ef78
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870920
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82968}
With this CL shared strings can be externalized and external strings can
be shared.
The StringForwardingTable is used to delay the real transition to the
next full GC. On the API side strings marked for externalization will
look like externalized strings.
Bug: v8:12957
Change-Id: I53b6509129bc5679c06bdf99421bdb41ea5d9082
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849643
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82966}
This CL adds PKU support for V8 heap, but we will not enable
PKU by default before adding bots that are able to test the
PKU machinery.
Bug: v8:13023
Change-Id: I0465604d56900536ad63311f119ea0324ebe4f2f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3793944
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Wenqin Yang <wenqin.yang@intel.com>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82965}
Inline DependOnStablePrototypeChain to iterate only those maps which
share a validity cell with the receiver map. This resolves an issue
where maps after the holder object violate the stability invariants, but
doesn't require looking up what the actual holder is.
Bug: v8:7700
Change-Id: Id06f0d13660f547e14dd25085799c0e6223c34b9
Fixed: chromium:1359215
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871298
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82964}
There was a missing write barrier for the saved registers and context
in GeneratorStore. Add (deferred) write barriers for these, with some
careful register reshuffling to minimise moves.
Bug: v8:7700
Change-Id: Icf50e96adf3775785ce9b2c5a7566ecbbd1d63d9
Fixed: chromium:1359163
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870914
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82962}
This ignores one of --assert-types and --stress-concurrent-inlining if
used together. We already filter those from trials, but they also might
get picked from // Flags lines in test cases.
No-Try: true
Bug: chromium:1359829
Change-Id: I7e46afb53bdbb0a871c7443a5a66a339046eb3de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871195
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82961}
Rolling v8/build: 15f3aed..aebd733
Rolling v8/buildtools: 734683a..18d22db
Rolling v8/buildtools/third_party/libc++/trunk: 84f0693..369cbf3
Rolling v8/third_party/depot_tools: 8cdc635..eb16430
Rolling v8/third_party/fuchsia-sdk/sdk: version:9.20220831.2.1..version:9.20220902.0.1
Rolling v8/tools/clang: e0c2881..0a22859
R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com
Change-Id: I01a1df8f6fe1db74fad773480edb5801f2851219
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872510
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82957}
This CL makes SelectGarbageCollector choose MinorMC to finalize
minor incremental marking if the allocation space is new space.
Bug: v8:13012
Change-Id: I0125d956842d83683cf3b1c5999de0e10a43dee5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871074
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82956}
This CL exclusively activates ScavengeTaskObserver, used by Scavenger
and atomic MinorMC, or MinorMCTaskObserver, used by concurrent
MinorMC.
Bug: v8:13012
Change-Id: I313b0cbe250828cc76d7d4b25e9abb457315112e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871295
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82955}
When internalizing cached external strings that are not in-place
internalizable, there is an optimization that avoids copying the
contents of the string. This optimization doesn't work when the string
table is shared, as it leaves strings in a partly initialized state that
can be accessed in a concurrent environment.
Bug: v8:12007
Change-Id: I49fcbb232893c87d065af114546a6f1a15471016
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870469
Auto-Submit: Patrick Thier <pthier@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82953}
When aborting compaction on a page, slots need to be recorded in the
non-evacuated part. Now that maps might be recorded as well, slots
need to be recorded in the map word as well.
Bug: chromium:1359294, v8:12578
Change-Id: I91e4a98ae2951d814d4b50e527b34d8e54d55434
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871297
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82951}
DoubleToInteger, which corresponds to the ToIntegerOrInfinity AO in
ecma262, never returns -0. Currently there's a bug as std::ceil can
return -0.
Bug: v8:10271
Change-Id: Id5e7d040ef9d186462022dc96052d7920be6ebed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869196
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82950}
A minor refactoring to call a static method instead of just creating an
instance in order to do the work.
This also makes it easier to later add methods to process all feedback
before dumping profile information.
R=jkummerow@chromium.org
Bug: v8:13209
Change-Id: I157357753b3a1cff83df426660501c43959937b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870468
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82949}
The `target` field of call feedback may be stored in the feedback
vector without protection by generated code (see
TryInitializeAsMonomorphic). We thus can't assume a memory fence
exists when creating the ref; switch to TryMakeRef instead.
Bug: v8:7790,v8:12876
Change-Id: I428b00b19a417e818c315f1cf9ee62d19f0747d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3867728
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82947}
Add BitcastWordToTagged and BitcastWordToTagged to
CannotObserveStoreField in StoreStoreElimination to
allow more stores to be eliminated.
Also add the use properties in CannotObserveStoreField
so that future nodes don't block opportunities.
Improves Speedometer2 by 0.16% and 0.12% on a Cortex-A55
and a Neoverse-N1 machine respectively, with Preact seeing
+0.8% on both.
Change-Id: I0cfe887ec4c0c435dbb0f9d8dc3da4bfcdabc265
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865560
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: George Wort <george.wort@arm.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82946}
Fixes the use of v8_enable_fast_mksnapshot on platforms that
aren't ia32 or x64. This was introduced by
https://chromium-review.googlesource.com/c/v8/v8/+/3863281
Change-Id: I0d18c2d16dae4937baa40ee336d8c246a8b77889
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3867408
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: George Wort <george.wort@arm.com>
Cr-Commit-Position: refs/heads/main@{#82945}
This makes it clear that the constructors are to be used for a basic block that starts a loop or a basic block that starts an exception handler.
Bug: v8:7700
Change-Id: Ic58dd80f223e45b4e5cf5da6e78e989ba18d55a3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870916
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82944}
Move the logic to negate a flag properly if the name starts with '!' to
the general {FlagName} helper. This fixes otherwise weird formatting.
Before:
# Contradictory flag implications from --!liftoff and --wasm-speculative-inlining for flag --wasm-dynamic-tiering.
After:
# Contradictory flag implications from --no-liftoff and --wasm-speculative-inlining for flag --wasm-dynamic-tiering.
R=tebbi@chromium.org
Change-Id: I21236b4ff338aa4d2ddd0872f85e2362ef8dc813
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870915
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82943}
We used to scan the full heap of all clients for pointers into the
shared heap. Now that the OLD_TO_SHARED remembered set is considered
complete, we don't need to scan objects in the old generation anymore.
Instead we just need to check slots in the OLD_TO_SHARED remembered
set.
Since we don't have write barriers for objects guaranteed to be in
new space, we still need to scan objects in the young generation.
Bug: v8:11708
Change-Id: I1121f90ee63521c9141431f4cb31973796f1a67c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865561
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82941}
Add logic to drop cyclic contradictory flags from
correctness-fuzzing command lines. Add the currently known
biggest offenders.
Without this, the correctness fuzzing harness runs into a CHECK
failure during smoke testing, when attempting to pass cyclic flags
to d8. It fails fast, but uselessly burns fuzzing time.
This change drops one of the known cyclic flags instead to make the
test run still useful. The precedence is right to left like in the
V8 test framework.
Additionally on Clusterfuzz, all crashes during smoke testing are
deduped as one crash report. We don't know if there are other
problems before this one is fixed/hidden.
No-Try: true
Bug: chromium:1330303
Change-Id: I06cbb4655cd3cf467f5cce6f84dba653834ca72e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865562
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82939}