This reverts commit 964edc251f.
Reason for revert: chromium:959190
Original change's description:
> [heap] Set read-only space's and its pages' heap_ to null.
>
> Various small changes are required to enable this.
>
> HeapObject::GetReadOnlyRoots no longer uses the Space's heap when
> possible (see comment in ReadOnlyHeap::GetReadOnlyRoots definition).
> This requires that ReadOnlyRoots be construct-able using a raw pointer
> to the read-only space's roots array.
>
> Global read-only heap state is now cleared by tests where appropriate
> and extra DCHECKs in ReadOnlyHeap::SetUp should make catching future
> issues easier.
>
> String padding is now always cleared just before read-only space is
> sealed when not deserializing.
>
> Change-Id: I7d1db1c11567be5df06ff7066f3a699125f8b372
> Bug: v8:7464
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1535830
> Commit-Queue: Maciej Goszczycki <goszczycki@google.com>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Dan Elphick <delphick@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61188}
TBR=ulan@chromium.org,hpayer@chromium.org,delphick@chromium.org,goszczycki@google.com
Change-Id: I53cecf3976dfeabae309040313351385f651f010
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7464, chromium:959190
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1591608
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61217}
This is a reland of b6fb27077d.
Unchanged reland, TSan issue were fixed in https://crrev.com/c/1593340
and https://crrev.com/c/1594553.
Original change's description:
> [wasm][gc] Free WasmCode objects
>
> This adds the next step to freeing code: We free the actual C++
> {WasmCode} objects. This will cause UAF if any C++ code uses stale
> references.
> The underlying machine code will still not be freed.
>
> For simplicity, this CL changes the vector of owned_code to an ordered
> set, such that lookup and removal is much simpler. The drawback is that
> insertion is now more expensive.
>
> R=mstarzinger@chromium.org
>
> Bug: v8:8217
> Change-Id: I07fc81167816637fbaad6c06ff79e3f952f2fde8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593080
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61165}
TBR=mstarzinger@chromium.org
Bug: v8:8217
Change-Id: I809832bb609663d794c7aafcf071823db7fb6212
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1594436
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61215}
Keep the existing method for compatibility, by converting
to json from CBOR using the inspector_protocol_encoding library,
via a v8 specific interface library that directs routines for
converting between strings and doubles to v8's implementations.
This change also brings in the encoding.h / encoding.cc files from the
upstream inspector_protocol project. The only modification here
are the header guards, and the namespace. I will fix roll.py to
make it so that we pick up future changes.
third_party/inspector_protocol/BUILD.gn is specific to v8, by necessity.
third_party/inspector_protocol/.clang-format is a copy of the upstream
file. If we don't put this, we'll find ourselves auto-formatting the roll,
which is annoying.
This is a reland of
https://chromium-review.googlesource.com/c/v8/v8/+/1590627 with the
only modification in the DEPS file; this time I'm including
third_party/inspector_protocol/encoding/encoding{.h,cc} in addition to
the relative include there. Not sure why this is needed but I'm hoping
it gets me past the presubmit which may resolve the include path
relative to the V8 base (the ../../third_party is needed for when V8 is
embedded into Chromium).
Change-Id: Ic76b2b5faa7e1cbdceb15aff3f369e9a303e3e85
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593646
Reviewed-by: Alexei Filippov <alph@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Johannes Henkel <johannes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61214}
CodeBuilder was calling AllocateRawWithLightRetry when it should have been
calling AllocateRawWithRetryOrFail (and vice versa).
Also improved variable naming.
Bug: chromium:957934
Change-Id: I03a95165f6d5b44c1f47d08d338d48bcc37c6d04
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1590075
Commit-Queue: Maciej Goszczycki <goszczycki@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61210}
Based on Primiano's prototype:
https://chromium-review.googlesource.com/c/v8/v8/+/1290549
This is still behind a build flag. I'll add functionality incrementally
rather than land everything in one giant CL.
This CL sets up the basic classes that will be used for the Perfetto
implementation, e.g. the producer, consumer, controller and task runner.
This implementation produces a binary proto file in the current
directory named v8_trace.proto. It doesn't yet produce JSON output,
that is coming in a following CL.
Currently the old tracing and perfetto tracing are both run alongside
each other if the build flag is enabled.
Cq-Include-Trybots: luci.v8.try:v8_linux64_perfetto_dbg_ng
Bug: v8:8339
Change-Id: I0eb9ecefa191ceead60aadd5b591d75c99395a6e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1408995
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61209}
TSan reports errors if one thread changes the ref count using relaxed
semantics, then another thread frees the code object. Acquire-release
semantics fix this, as they impose an ordering between the memory
accesses of different threads.
R=mstarzinger@chromium.org
Bug: v8:8217, v8:9200
Change-Id: I30ce150154e6459c2c64e16be603f29187af1dcd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1594553
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61205}
Between determining the set of wasm code objects to free, and actually
freeing them, we should not give up the mutex of the wasm engine.
Otherwise, a NativeModule can die in-between, and we would access a
stale pointer.
This fixes some flakes seen on the TSan bots with --stress-wasm-code-gc.
R=mstarzinger@chromium.org
Bug: v8:8217, v8:9200
Change-Id: Iad5b47379b5be6269180094cfeb2a2f2dfefb425
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593340
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61204}
Fix function name in error messages thrown by the streaming API. The API
functions {WebAssembly.compileStreaming} and
{WebAssembly.instantiateStreaming} are now mentioned where needed.
Bug: v8:9184
Change-Id: I70b27efe1c027d119fa7b5b9be27988a92304682
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588468
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Frederik Gossen <frgossen@google.com>
Cr-Commit-Position: refs/heads/master@{#61202}
... from JSNativeContextSpecialization.
Bug: v8:9197
Change-Id: I332ba27e78b0c10b3406cf39e9a2178c8c74fede
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593339
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61201}
Bug: v8:9197
Change-Id: If72dbf1507f68fa344db389c08ad8614bca6667e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593337
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61199}
This new function forwards to v8::Object::CreationContext but has
special handling for JSGlobalProxy objects to prevent the former from
crashing.
R=yangguo@chromium.org
Bug: chromium:952057
Change-Id: I5ade682976efd1724c13f52b468e4fb30bb9ade7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1569425
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61197}
This CL adds decoding and code generation for the table.size
instruction.
R=mstarzinger@chromium.org
Bug: v8:7581
Change-Id: I0e689a993d25db72281ebba0854454be12f4d350
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593302
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61195}
This reverts commit a87a971b7e.
Reason for revert: required for revert of
bbd740f038
Original change's description:
> [runtime] Inline SeqOneByteSubStringKey IsMatch and AsHandle
>
> The performance actually matters to JSON parsing and this improves it by a % or
> 2.
>
> In the longer run we should probably share the IsMatch implementation in
> StringTableKey directly and call a virtual GetBytes on the key implementation.
>
> Change-Id: I838a106f9c8c52f0385057a52a8c0b9141ae025b
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1589977
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Auto-Submit: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61183}
TBR=ishell@chromium.org,verwaest@chromium.org
Change-Id: I8797310ef7834c04b44c735ce60813e3fb596013
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1594440
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61193}
This CL add decoding and code generation for the table.grow
instruction. For code generation we just generate a runtime
call. The implementation is quite straight-forward. However,
I did several small cleanups along the way. I hope it's still
acceptable. I could also split out some cleanups into separate
CLs.
R=mstarzinger@chromium.org
Bug: v8:7581
Change-Id: Id885b7e70eb4f5bccfe779eb216f7cc9302ea3a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593078
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61192}
This reverts commit b7134d3af6.
Reason for revert: breaks presubmit
Original change's description:
> [DevTools] Add V8InspectorSession::state(), which returns binary (CBOR).
>
> Keep the existing method for compatibility, by converting
> to json from CBOR using the inspector_protocol_encoding library,
> via a v8 specific interface library that directs routines for
> converting between strings and doubles to v8's implementations.
>
> This change also brings in the encoding.h / encoding.cc files from the
> upstream inspector_protocol project. The only modification here
> are the header guards, and the namespace. I will fix roll.py to
> make it so that we pick up future changes.
>
> third_party/inspector_protocol/BUILD.gn is specific to v8, by necessity.
> third_party/inspector_protocol/.clang-format is a copy of the upstream
> file. If we don't put this, we'll find ourselves auto-formatting the roll,
> which is annoying.
>
> Change-Id: I20fa8759164e7a39f8a7c30e0d2a3f8a7e4be227
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1590627
> Reviewed-by: Alexei Filippov <alph@chromium.org>
> Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
> Commit-Queue: Johannes Henkel <johannes@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61187}
TBR=dgozman@chromium.org,alph@chromium.org,caseq@chromium.org,johannes@chromium.org
Change-Id: I67f297ef8454499036c94bf88e0d23657a579140
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1592130
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Johannes Henkel <johannes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61189}
Various small changes are required to enable this.
HeapObject::GetReadOnlyRoots no longer uses the Space's heap when
possible (see comment in ReadOnlyHeap::GetReadOnlyRoots definition).
This requires that ReadOnlyRoots be construct-able using a raw pointer
to the read-only space's roots array.
Global read-only heap state is now cleared by tests where appropriate
and extra DCHECKs in ReadOnlyHeap::SetUp should make catching future
issues easier.
String padding is now always cleared just before read-only space is
sealed when not deserializing.
Change-Id: I7d1db1c11567be5df06ff7066f3a699125f8b372
Bug: v8:7464
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1535830
Commit-Queue: Maciej Goszczycki <goszczycki@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61188}
Keep the existing method for compatibility, by converting
to json from CBOR using the inspector_protocol_encoding library,
via a v8 specific interface library that directs routines for
converting between strings and doubles to v8's implementations.
This change also brings in the encoding.h / encoding.cc files from the
upstream inspector_protocol project. The only modification here
are the header guards, and the namespace. I will fix roll.py to
make it so that we pick up future changes.
third_party/inspector_protocol/BUILD.gn is specific to v8, by necessity.
third_party/inspector_protocol/.clang-format is a copy of the upstream
file. If we don't put this, we'll find ourselves auto-formatting the roll,
which is annoying.
Change-Id: I20fa8759164e7a39f8a7c30e0d2a3f8a7e4be227
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1590627
Reviewed-by: Alexei Filippov <alph@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Johannes Henkel <johannes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61187}
On Windows, expanding the stack by more than 4 KB at a time can cause
access violations. This change fixes a few known cases (and includes
unit tests for those), and attempts to make stack expansion more
consistent overall by using the AllocateStackSpace helper method
everywhere we can, even when the offset is a small constant.
On arm64, there was already a consistent method for stack pointer
manipulation using the Claim and Drop methods, so Claim is updated to
touch every page.
Bug: v8:9017
Change-Id: I2dbbceeebbdefaf45803e9b621fe83f52234a395
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1570666
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61186}
Code relocation info is now always allocated in old-space. Before relocation
info allocated for placeholders and builtins (which get replaced with
trampolines in nosnap builds) would become unreachable. Since read-only space
is not GCed and ReadOnlyHeapIterator doesn't check for reachability,
ValidateSnapshot would fail finding unreachable objects returned by
ReadOnlyHeapIterator.
Because trampoline relocation info gets replaced with canonical one, this only
affects no-embdded-builtins nosnap builds, which don't get much benefit from
read-only relocation info anyway.
A new check has been added to the read-only deserializer to verify that every
read-only object is reachable at mksnapshot-time.
The CombinedHeapIterator iteration order was changed to iterate over
read-only space first, because that's how HeapIterator worked.
This is a reland of 3d1d8eae77
Original change's description:
> [heap] Skip ro-space from heap iterators, add CombinedHeapIterator.
>
> Read-only space sharing requires an iterator independent of heap. This
> also enables future removal of read-only space from heap.
>
> Bug: v8:7464
> Change-Id: Ia07a9369494ea2c547d12c01ffa1d7b8b6bbeabc
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552795
> Commit-Queue: Maciej Goszczycki <goszczycki@google.com>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Dan Elphick <delphick@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60819}
Bug: v8:7464
Change-Id: I49ae070955b77956962334a84f762ab29052d5ff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566513
Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Maciej Goszczycki <goszczycki@google.com>
Cr-Commit-Position: refs/heads/master@{#61185}
The registry right now has no users. In a follow-up CL I will
remove the skip list for code pages and make users of the skip
list use the registry.
Bug: v8:9093
Change-Id: I23a2b9e0d4158e2ffa89626e71f58d3bb5a41201
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593074
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61184}
The performance actually matters to JSON parsing and this improves it by a % or
2.
In the longer run we should probably share the IsMatch implementation in
StringTableKey directly and call a virtual GetBytes on the key implementation.
Change-Id: I838a106f9c8c52f0385057a52a8c0b9141ae025b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1589977
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61183}
This ensures that the parent class' field 'elements' is not shadowed.
Bug: v8:9194
Change-Id: Ibb53dedc0205cbb4c61e810e2d5822a94843c605
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593076
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61181}
This is the first CL that aims to eliminate the straggler tagged loads and
stores.
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:8977, v8:7703
Change-Id: If3782c0c7047d4c7d8669e12fb423cc0c74bc58a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587392
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61180}
This is a reland of b0c4a8764b
Original change's description:
> [json] Speed up json parsing
>
> - scan using raw data pointers + GC callback
> - scan using scanner tables
> - cap internalizing large string values
> - inline fast transitioning logic
>
> Fixes previous CL by moving AllowHeapAllocation to callers of
> ReportUnexpectedCharacter where needed to make it clear we need to exit.
>
> Tbr: ulan@chromium.org
> Change-Id: Icfbb7cd536e0fbe153f34acca5d0fab6b5453d71
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1591778
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61159}
Tbr: verwaest@chromium.org
Cq-Include-Trybots: luci.v8.try:v8_linux64_msan_rel
Change-Id: Ic7d0057178c649fc45b8c8f4587ee9128e351515
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593292
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61179}
This reverts commit b6fb27077d.
Reason for revert: TSan issues, e.g. https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20TSAN/26177
Original change's description:
> [wasm][gc] Free WasmCode objects
>
> This adds the next step to freeing code: We free the actual C++
> {WasmCode} objects. This will cause UAF if any C++ code uses stale
> references.
> The underlying machine code will still not be freed.
>
> For simplicity, this CL changes the vector of owned_code to an ordered
> set, such that lookup and removal is much simpler. The drawback is that
> insertion is now more expensive.
>
> R=mstarzinger@chromium.org
>
> Bug: v8:8217
> Change-Id: I07fc81167816637fbaad6c06ff79e3f952f2fde8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593080
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61165}
TBR=mstarzinger@chromium.org,clemensh@chromium.org
Change-Id: I167a8d806a8c6ac1c90e0743cdf86d492389bbed
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8217, v8:9200
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593305
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61176}
This enables the embedder to check if the snapshot generated
from SnapshotCreator::CreateBlob() can be rehashed and the seed
can be recomputed during deserialization.
The lack of this functionality resulted in a temporary vunerability
in Node.js: https://github.com/nodejs/node/pull/27365
Change-Id: I88d52337217c40f79c26438be3c87d2db874d980
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578661
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61175}
When asked to start at the receiver and the receiver is a primitive, the
dependency should be taken on the primitive map (which is a no-op)
rather than the wrapper object's map.
Bug: chromium:958716
Change-Id: I9c8b2b56436d134b2f79dbe458c0c527fe6d17a1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593086
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61174}
Port 381a7f9e76
Original Commit Message:
On Arm/64 the last return address is stored in a link register instead of
being pushed to the top-of-stack like on x64/ia32. Extend the support in the
tick sampler to check for samples in a frameless bytecode handler with support
for checking the link register if it exists instead of top-of-stack. In addition,
make the x64/ia32 check more robust by ensuring we only apply the change if the
pc is a bytecode handler and the top frame isn't a bytecode handler (stub) frame.
R=rmcilroy@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:9162
LOG=N
Change-Id: I893b45af40a48415fbbc2c9f5e9e5cd72ed8d9e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588888
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61173}
This reverts commit ad44c258d7.
Reason for revert: Missed some users: crbug.com/v8/9105
Original change's description:
> [typedarray] Make JSTypedArray::length authoritative.
>
> This is the first step towards full huge typed array support in V8.
> Before this change, the JSTypedArray::length and the elements backing
> store length (FixedTypedArrayBase::length) were used more or less
> interchangeably to determine the number of elements in a JSTypedArray.
>
> With this change we disentangle these two lengths, and instead make
> JSTypedArray::length authoritative. For on-heap typed arrays, the
> FixedTypedArrayBase::length will remain the number of elements in the
> backing store, but for the off-heap typed arrays, this length will be
> set to 0 (matching the fact that the FixedTypedArrayBase instance does
> not contain any elements itself).
>
> This also unifies the JSTypedArray::set_/length() and length_value()
> methods to only have JSTypedArray::set_/length() which returns/takes
> size_t values. Currently this still requires the values to be in Smi
> range, but later we will extend this to allow arbitrary size_t values
> (in the safe integer range).
>
> Bug: v8:4153, v8:7881
> Change-Id: Iff9089130bb31fa9e08e0cf913e7ab52c3dbf107
> Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
> Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1543729
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60648}
TBR=jarin@chromium.org,titzer@chromium.org,hpayer@chromium.org,petermarshall@chromium.org,bmeurer@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
TBR=jarin@chromium.org, szuend@chromium.org
Bug: v8:4153, v8:7881
Change-Id: I96992bff15b4a2765ae4a557d2c37e78269c927d
Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593294
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61172}
This is a reland of 7c42628676
Original change's description:
> [heap] Use normal marking write barrier for fixed array elements
>
> This simplifies the marking write barrier for elements to mark the
> values instead of revisiting the array.
>
> Bug: chromium:918485
>
> Change-Id: Id5da0d5b9ff8385a256fe14f4bf7171f9f6343e1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588459
> Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61125}
Bug: chromium:918485
Change-Id: I8075e0333b3a05bc6193eb4bc030bfdcd72e64d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593088
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61170}
This fixes a memory leak.
Bug: v8:9191, v8:7790
Change-Id: I0df49cd3a6791600638a67b4b7ad9687562e500b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588426
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61166}
This adds the next step to freeing code: We free the actual C++
{WasmCode} objects. This will cause UAF if any C++ code uses stale
references.
The underlying machine code will still not be freed.
For simplicity, this CL changes the vector of owned_code to an ordered
set, such that lookup and removal is much simpler. The drawback is that
insertion is now more expensive.
R=mstarzinger@chromium.org
Bug: v8:8217
Change-Id: I07fc81167816637fbaad6c06ff79e3f952f2fde8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593080
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61165}
This reverts commit b0c4a8764b.
Reason for revert:
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/26470
Original change's description:
> [json] Speed up json parsing
>
> - scan using raw data pointers + GC callback
> - scan using scanner tables
> - cap internalizing large string values
> - inline fast transitioning logic
>
> Fixes previous CL by moving AllowHeapAllocation to callers of
> ReportUnexpectedCharacter where needed to make it clear we need to exit.
>
> Tbr: ulan@chromium.org
> Change-Id: Icfbb7cd536e0fbe153f34acca5d0fab6b5453d71
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1591778
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61159}
TBR=ulan@chromium.org,ishell@google.com,ishell@chromium.org,verwaest@chromium.org
Change-Id: Ibe823e187d9ab999be7278140b0ed31868440e9e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593090
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61163}
Change-Id: I626e26fa2e1486365c858f3fc616422199242f5b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588422
Auto-Submit: Georg Neis <neis@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61162}
We won't remove the jump table for performance reasons. That would
complicate a lot of code and remove options for tiering and code
aging.
Thus remove the TODO.
R=titzer@chromium.org
No-Try: true
Change-Id: Ifbbfdeeeb17078feaea4f358169bc5943ba09ddb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593089
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61160}
- scan using raw data pointers + GC callback
- scan using scanner tables
- cap internalizing large string values
- inline fast transitioning logic
Fixes previous CL by moving AllowHeapAllocation to callers of
ReportUnexpectedCharacter where needed to make it clear we need to exit.
Tbr: ulan@chromium.org
Change-Id: Icfbb7cd536e0fbe153f34acca5d0fab6b5453d71
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1591778
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61159}
The problem is with element kinds transitions without going through
runtime (i.e., IC or optimizing compiler).
Bug: chromium:952682
Change-Id: I6fe2bb30a0ea6fecb8f6e0750427cc50cc50f9e1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593083
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61158}
- Add missing uses of MapInference::NoChange.
- Insert map checks even if inferred maps were reliable, because
they were inferred for an earlier effect input.
Bug: chromium:958420, chromium:958350, v8:9197
Change-Id: Id7677b1fc6f1e09dc12ae178f1155e4245b4e3e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593077
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61157}
Replace the unsafe function NodeProperties::HasInstanceTypeWitness
with a new safe method on MapInference.
Bug: v8:9197
Change-Id: I937433c7721946139dc761750ea34032e58e275c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1591612
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61156}
R=jarin
Change-Id: I36d4952f351cfa428532cfd56ecbb10c9fe3d39a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588469
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61154}
Fixes several warnings reported for internal repo by:
* using vector::empty instead of vector::size() == 0
* removing redundant return; at the end of a function
* making operator= return OriginalType&
Bug: v8:9183
Change-Id: I8c725bd7b0bc011557fb2bb68a561ee413ab38f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1589978
Auto-Submit: Dan Elphick <delphick@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61149}
The index is an {int} initially. We then store it as {intptr_t}, and
the accessor returns it as {size_t}.
This CL consolidates everything to {int}, fixes naming of
{HasTrapHandlerIndex} and defines the simple accessors inline.
R=titzer@chromium.org
Bug: v8:9183
Change-Id: I1afa792117201d4dda3fcc437a4e518489b9ff17
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1590079
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61146}
Port 18c29ab939
Original Commit Message:
Port ed319e841c
Original Commit Message:
Failure addressed by not exposing the new test to the jitless environment.
(jgruber@ on TBR).
New enum RelocInfo::COMPRESSED_EMBEDDED_OBJECT created to support
compressed pointers in generated code. Enum name EMBEDDED_OBJECT
changed to FULL_EMBEDDED_OBJECT.
RelocInfo::[set_]target_object() abstract away the difference between
FULL_EMBEDDED_OBJECT and COMPRESSED_EMBEDDED_OBJECT.
Compressed embedded objects can only be created at this time on
x64 with pointer compression turned on. Arm64 constant pools don't
support compressed objects at this time.
R=miladfar@ca.ibm.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: I97ef9b7394f384c2a1b97aab9fdac0eeb80eb734
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1591993
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#61143}
Port 0875682600
Original Commit Message:
Port 4b0f9c856e
Original Commit Message:
Our {Vector} template provides both {start} and {begin} methods. They
return exactly the same value. Since the {begin} method is needed for
iteration, and is also what standard containers provide, this CL
switches all uses of the {start} method to use {begin} instead.
Patchset 1 was auto-generated by using this clang AST matcher:
callExpr(
callee(
cxxMethodDecl(
hasName("start"),
ofClass(hasName("v8::internal::Vector")))
),
argumentCountIs(0))
Patchset 2 was created by running clang-format. Patchset 3 then
removes the now unused {Vector::start} method.
R=miladfar@ca.ibm.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: Ief052e7655ede161504cf058eddd81714e6e5929
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1590168
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61142}
This is a reland of 9284ad5731, after
adding a missing speculation mode check in ReduceCallApiFunction.
Original change's description:
> [turbofan] Avoid raw InferReceiverMaps in JSCallReducer
>
> Instead provide an abstraction that makes it hard to forget
> dealing with unreliable maps.
>
> This also fixes a deopt loop in Function.prototype.bind and
> one in Array.prototype.reduce.
>
> Bug: v8:9137
> Change-Id: If6a51182c8693a62e9fb6d302cec19b4d48e25cb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578501
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61106}
Tbr: jarin@chromium.org
Bug: v8:9137, v8:9197
Change-Id: I0db68d267055969553c0c1b85fad7b909075c062
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1589976
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61140}
Wasm compilation units got smaller and smaller with recent refactorings
(https://crrev.com/c/1587386, https://crrev.com/c/1587387,
https://crrev.com/c/1587388, plus previous CLs).
They now only store a function index and the requested compilation
tier. Hence there is no reason any more to heap-allocate them.
This CL changes the compilation unit queues and interfaces to store and
pass compilation units by value. Methods that could return an empty
{unique_ptr} before are now returning a {base::Optional}.
R=mstarzinger@chromium.org
Bug: v8:8343
Change-Id: I63037156b1a700095c13010450e5fedb51544401
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588456
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61133}
This is an extension of 138d2dfcb1.
Change-Id: Icb10aab6e6799ab4f45dcbd26fc69206dbef29bb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588430
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61131}
This reverts commit 7c42628676.
Reason for revert: Compile error on cfi: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20-%20cfi/20196
Original change's description:
> [heap] Use normal marking write barrier for fixed array elements
>
> This simplifies the marking write barrier for elements to mark the
> values instead of revisiting the array.
>
> Bug: chromium:918485
>
> Change-Id: Id5da0d5b9ff8385a256fe14f4bf7171f9f6343e1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588459
> Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61125}
TBR=ulan@chromium.org,hpayer@chromium.org,mlippautz@chromium.org
Change-Id: I8576fe00b19db906aa80ca9cb54c3b8cc95e3d97
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:918485
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1590076
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61128}
TraceIC always expects a valid feedback vector to check for state
transitions. With lazy feedback allocations, it is possible that we don't
have feedback vectors. This cl fixes TraceIC to also work when there is no
feedback vector.
Bug: v8:8394
Change-Id: If7e40a9f16de7415e04a812440ccc0cfcf1cbc07
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1584322
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61126}
This simplifies the marking write barrier for elements to mark the
values instead of revisiting the array.
Bug: chromium:918485
Change-Id: Id5da0d5b9ff8385a256fe14f4bf7171f9f6343e1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588459
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61125}
Remove unused function {UseLazyStubs}. Lazy compile stubs are now set on
a per function basis. This made the function {UseLazyStubs} redundant.
Change-Id: I8e715d6a9774c39841219c04c42364fc2e964569
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588473
Commit-Queue: Frederik Gossen <frgossen@google.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61124}
Port ed319e841c
Original Commit Message:
Failure addressed by not exposing the new test to the jitless environment.
(jgruber@ on TBR).
New enum RelocInfo::COMPRESSED_EMBEDDED_OBJECT created to support
compressed pointers in generated code. Enum name EMBEDDED_OBJECT
changed to FULL_EMBEDDED_OBJECT.
RelocInfo::[set_]target_object() abstract away the difference between
FULL_EMBEDDED_OBJECT and COMPRESSED_EMBEDDED_OBJECT.
Compressed embedded objects can only be created at this time on
x64 with pointer compression turned on. Arm64 constant pools don't
support compressed objects at this time.
R=mvstanton@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: I8bdb5391fd2b2565d2fcaf6c806fcdbe1a1f27b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1589862
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#61123}
Relative code targets are emitted as pc-relative jumps. The
relocation delta must be subtracted (not added) from the branch
offset.
Before GC:
|-------- branch offset --->|
[host code object] [target code object]
After GC:
|- delta ->| |- new offset -->|
[host code object] [target code object]
See also the similar fix for mips in https://crrev.com/c/1581239.
Bug: v8:6666
Change-Id: Ie0867d98906d4a8daa7e335884f7a4d814333872
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581260
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61121}
This reverts commit 9284ad5731.
Reason for revert: breaks blink tests:
https://ci.chromium.org/p/v8/builders/ci/V8-Blink%20Win/16839
Original change's description:
> [turbofan] Avoid raw InferReceiverMaps in JSCallReducer
>
> Instead provide an abstraction that makes it hard to forget
> dealing with unreliable maps.
>
> This also fixes a deopt loop in Function.prototype.bind and
> one in Array.prototype.reduce.
>
> Bug: v8:9137
> Change-Id: If6a51182c8693a62e9fb6d302cec19b4d48e25cb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578501
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61106}
TBR=jarin@chromium.org,neis@chromium.org
Change-Id: I97e0f47fb82eda76656905a3f7cc494babd92be6
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9137
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588433
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61118}
Treat lazy functions the same no matter whether they are lazy due to
compilation hints or flags ({--wasm-lazy-compilation},
{--asm-wasm-lazy-compilation}). Test coverage is given by regression
tests 956771 and 956771b.
Bug: v8:9003
Change-Id: I123f83636f055fb142cd71f6cde88480f3c141bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585846
Commit-Queue: Frederik Gossen <frgossen@google.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61116}
Fix recognition of lazy functions when {--wasm-lazy-compilation} is
used.
Bug: chromium:956771
Change-Id: I3f9bb25ccf3920a6c3d266876faace8841dcdc61
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585843
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Frederik Gossen <frgossen@google.com>
Cr-Commit-Position: refs/heads/master@{#61114}
This CL refactors WasmTableObject::Grow to make it usable for the
table.grow instruction of WebAssembly.
The refactored version of WasmTableObject::Grow does additionally:
* Check if growing is possible
* Grow the FixedArray backing store of the table and initialize the new
fields.
* Calculate the return value of WasmTableObject::Grow.
R=jkummerow@chromium.org
Bug: v8:7581
Change-Id: Ic6c867b96c30bd987ea281d5b3515a04bc5a3900
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588136
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61112}
Instead, use std::sort and std::stable_sort at the 3 (!) call sites
directly. This also removes the weird comparer adaptors from Vector,
which are only used in ZoneList.
R=jkummerow@chromium.org
Bug: v8:9183
Change-Id: I4d0377976fb0a965cb68a21d4307df9ba09fd55d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587394
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61109}
Instead provide an abstraction that makes it hard to forget
dealing with unreliable maps.
This also fixes a deopt loop in Function.prototype.bind and
one in Array.prototype.reduce.
Bug: v8:9137
Change-Id: If6a51182c8693a62e9fb6d302cec19b4d48e25cb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578501
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61106}
Failure addressed by not exposing the new test to the jitless environment.
(jgruber@ on TBR).
New enum RelocInfo::COMPRESSED_EMBEDDED_OBJECT created to support
compressed pointers in generated code. Enum name EMBEDDED_OBJECT
changed to FULL_EMBEDDED_OBJECT.
RelocInfo::[set_]target_object() abstract away the difference between
FULL_EMBEDDED_OBJECT and COMPRESSED_EMBEDDED_OBJECT.
Compressed embedded objects can only be created at this time on
x64 with pointer compression turned on. Arm64 constant pools don't
support compressed objects at this time.
NOPRESUBMIT=true
Bug: v8:7703
TBR: jgruber@chromium.org
Change-Id: Ifff53b041bab09b4b8c3e16085e5df4aa2b99f4f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588461
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61104}
Port 4b0f9c856e
Original Commit Message:
Our {Vector} template provides both {start} and {begin} methods. They
return exactly the same value. Since the {begin} method is needed for
iteration, and is also what standard containers provide, this CL
switches all uses of the {start} method to use {begin} instead.
Patchset 1 was auto-generated by using this clang AST matcher:
callExpr(
callee(
cxxMethodDecl(
hasName("start"),
ofClass(hasName("v8::internal::Vector")))
),
argumentCountIs(0))
Patchset 2 was created by running clang-format. Patchset 3 then
removes the now unused {Vector::start} method.
R=clemensh@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: I119532691af31a3db1107c47de8b6f0c84697b5c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588226
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#61102}
This adds a new %_CopyDataProperties intrinsic, that reuses most of the
existing machinery that we already have in place for Object.assign() and
computed property names in object literals. This speeds up the general
case for object spread (where the spread is not the first item in an
object literal) and brings it on par with Object.assign() at least - in
most cases it's significantly faster than Object.assign().
In the test case [1] referenced from the bug, the performance goes from
objectSpreadLast: 3624 ms.
objectAssignLast: 1938 ms.
to
objectSpreadLast: 646 ms.
objectAssignLast: 1944 ms.
which corresponds to a **5-6x performance boost**, making object spread
faster than Object.assign() in general.
Drive-by-fix: This refactors the Object.assign() fast-path in a way that
it can be reused appropriately for object spread, and adds another new
builtin SetDataProperties, which does the core of the Object.assign()
work. We can teach TurboFan to inline Object.assign() based on the new
SetDataProperties builtin at some later point to further optimize
Object.assign().
[1]: https://gist.github.com/bmeurer/0dae4a6b0e23f43d5a22d7c91476b6c0
Bug: v8:9167
Change-Id: I57bea7a8781c4a1e8ff3d394873c3cd4c5d73834
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587376
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61100}
It was once widely used throughout v8 but now there is no need for it
anymore.
Bug: v8:9183
Change-Id: Id766987d468383cf459414eb5edfdee71b83a60b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585839
Commit-Queue: Maciej Goszczycki <goszczycki@google.com>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61098}
Switch all uses of NewCode and TryNewCode to CodeBuilder and remove these
methods.
NewCode and TryNewCode use a large number of default parameters, which makes
it difficult to use and add any new ones. Large chunks of code were also
duplicated across TryNewCode and NewCode. The previous CL
(https://chromium-review.googlesource.com/c/v8/v8/+/1585736) added a new
CodeBuilder class which allows much simpler building of Code objects.
Bug: v8:9183
Change-Id: I9f6884f35a3284cbd40746376f0f27e36f9051b5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585737
Commit-Queue: Maciej Goszczycki <goszczycki@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61096}
... to a separate file.
Bug: v8:9183
Change-Id: I87f98ed0fec84eb32403c3447bec7be50a79261d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588095
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61094}
... where the other set of similar macros live.
Bug: v8:9183
Change-Id: I114237a90c45205417b6d3fb0d939542c5c4fc76
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588096
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61093}
The {Vector} class does not use it any more. External uses should be
converted to {size_t} instead of {int}.
This CL removes the function from vector.h and updates all users to
either use {size_t}, or cast to {int} explicitly. In tests, no further
checks are needed if the string is a constant.
R=mstarzinger@chromium.org
Bug: v8:9183
Change-Id: I60f99302504c74d8a7c79b147ca01d8ba61b6879
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587393
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61092}
1) HAS_[STRONG|WEAK]_HEAP_OBJECT_TAG macros are to be used for
checking raw representations of tagged values (Address or Tagged_t)
2) HasWeakHeapObjectTag(Object) function is for overzealous checking of
Object tags
Bug: v8:9183
Tbr: jgruber@chromium.org
Change-Id: Iaa456dbcb21f43a8df0d9ca706c0fc3b2ede075d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588455
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61091}
Also const-ify and refactor a few things in BytecodeAnalysis.
Change-Id: Ibd261bb67d8c035b1f818e9114d09db08737000d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587384
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61088}
This reverts commit b5da9fcb51.
Reason for revert: Breaks pointer compression bot:
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20-%20pointer%20compression/3098
Original change's description:
> [ptr-compr] New RelocInfo for compressed pointers.
>
> New enum RelocInfo::COMPRESSED_EMBEDDED_OBJECT created to support
> compressed pointers in generated code. Enum name EMBEDDED_OBJECT
> changed to FULL_EMBEDDED_OBJECT.
>
> RelocInfo::[set_]target_object() abstract away the difference between
> FULL_EMBEDDED_OBJECT and COMPRESSED_EMBEDDED_OBJECT.
>
> Compressed embedded objects can only be created at this time on
> x64 with pointer compression turned on. Arm64 constant pools don't
> support compressed objects at this time.
>
> Bug: v8:7703
> Change-Id: I03bfd84effa33c65cf9bcefa5df680ab7eace9dd
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1547661
> Commit-Queue: Michael Stanton <mvstanton@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61076}
TBR=ulan@chromium.org,mvstanton@chromium.org,mstarzinger@chromium.org,jgruber@chromium.org,ishell@chromium.org
Change-Id: I262b2b98315fa987c5a66b1050dc726563ccdb2d
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7703
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588135
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61087}
The method is only called from module-compiler.cc, hence we can call it
on {CompilationStateImpl} directly and do not need to expose it.
R=mstarzinger@chromium.orgCC=frgossen@google.com
Change-Id: I72dcd7b109cfdb0b3fd78be635c482289c69dd9e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587389
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61086}
{TurbofanWasmCompilationUnit} does not store any data except for a
pointer back to the {WasmCompilationUnit}, and has a single method only.
Thus remove it, and replace it by a static function.
This saves one field per compilation unit.
R=mstarzinger@chromium.org
Change-Id: I2bcb9246c65e6971aa747488ea631886ca3bc037
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587388
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61084}
{InterpreterCompilationUnit} does not store any data except for a
pointer back to the {WasmCompilationUnit}, and has a single method only.
Thus remove it, and replace it by a static function.
This saves one field per compilation unit. We can probably also remove
{TurbofanWasmCompilationUnit} in a similar way, which I will do in a
follow-up CL.
R=mstarzinger@chromium.org
Change-Id: I8fc2e18366757573499fd57f909ec8222c27be38
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587387
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61083}
Our {Vector} template provides both {start} and {begin} methods. They
return exactly the same value. Since the {begin} method is needed for
iteration, and is also what standard containers provide, this CL
switches all uses of the {start} method to use {begin} instead.
Patchset 1 was auto-generated by using this clang AST matcher:
callExpr(
callee(
cxxMethodDecl(
hasName("start"),
ofClass(hasName("v8::internal::Vector")))
),
argumentCountIs(0))
Patchset 2 was created by running clang-format. Patchset 3 then
removes the now unused {Vector::start} method.
R=jkummerow@chromium.orgTBR=mstarzinger@chromium.org,yangguo@chromium.org,verwaest@chromium.org
Bug: v8:9183
Change-Id: Id9f01c92870872556e2bb3f6d5667463b0e3e5c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587381
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61081}
{LiftoffCompilationUnit} does not store any data, and has a single
method only. Thus remove it, and replace it by a static function.
This saves one field per compilation unit. We can probably also remove
{TurbofanWasmCompilationUnit} and {InterpreterCompilationUnit} in a
similar way, which I will do in follow-up CLs.
R=mstarzinger@chromium.org
Change-Id: I5e1a7d4245fd8bce4862cc83c96f9dac8e0c635e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587386
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61080}
CodeBuilder allows much simpler building of Code objects. The current
approach uses a large number of default parameters, which makes it difficult
to use and add any new ones. Large chunks of code are also duplicated across
TryNewCode and NewCode. The follow up CL completely removes these methods.
Bug: v8:9183
Change-Id: I6e988fd00bb89b871346100fe56dd01a9bd46073
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585736
Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Maciej Goszczycki <goszczycki@google.com>
Cr-Commit-Position: refs/heads/master@{#61079}
This is a reland of 7a2651cbf5
x18 is not allocatable nor callee-saved in v8, so stop comparing
the before/after value in tests.
Presumably the Nexus failure was due to printf on that platform
clobbering x18.
This can be reproduced locally by modifying `CorruptAllCallerSavedCPURegister`
to also corrupt x18.
CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_android_arm64_n5x_rel_ng
Original change's description:
> [arm64] Cleanup TODO around handling of x18
>
> Use `padreg` instead of x18 to maintain alignment in the CPURegList.
>
> Also clean up some comments and tidy up RequiredStackSizeForCallerSaved
> and PushCallerSaved.
>
> Change-Id: I80a780e5649e69a1746c43f37c2d1d875120c7a0
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581609
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
> Cr-Commit-Position: refs/heads/master@{#60987}
Change-Id: I7c023a4706a98bcb9aa5acd37016a6d01e3979a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1583762
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/master@{#61078}
Allow for a third compilation strategy that compiles baseline code
lazily but initiates top tier compilation immediately. The strategy aims
at reducing startup time.
Bug: v8:9003
Change-Id: Ifd2060b25386c5221a45f6038c3849afeb956e69
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1571620
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Frederik Gossen <frgossen@google.com>
Cr-Commit-Position: refs/heads/master@{#61077}
New enum RelocInfo::COMPRESSED_EMBEDDED_OBJECT created to support
compressed pointers in generated code. Enum name EMBEDDED_OBJECT
changed to FULL_EMBEDDED_OBJECT.
RelocInfo::[set_]target_object() abstract away the difference between
FULL_EMBEDDED_OBJECT and COMPRESSED_EMBEDDED_OBJECT.
Compressed embedded objects can only be created at this time on
x64 with pointer compression turned on. Arm64 constant pools don't
support compressed objects at this time.
Bug: v8:7703
Change-Id: I03bfd84effa33c65cf9bcefa5df680ab7eace9dd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1547661
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61076}
This adds a flag to print a message on important GC events, like
triggering a GC, reporting live code per isolate, and finally deleting
dead code.
This helps debugging issues with wasm code gc.
R=mstarzinger@chromium.org
Bug: v8:8217
Change-Id: I901199bc19b2a8718728a9e4918c30e295e0e92a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585842
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61075}
One fundamental assumption of the wasm code GC is that code becomes
"potentially dead" at most once; if the ref counts drops to zero later,
it should be freed for real.
In the current implementation, it happens that code becomes potentially
dead, then becomes dead for real (it's removed from the set of
potentially dead code), and then we remove the last reference. At that
point, we re-add the code to the potentially dead code, considering it
for garbage collection again. This can lead to an endless loop.
This CL fixes that by remembering which code was already detected as
dead, and does not consider this code for another GC.
This requires freeing code via the {WasmEngine} such that the set of
dead code can be cleaned up.
R=mstarzinger@chromium.org
Bug: v8:8217
Change-Id: If6a95a7918db2ad82edfad5447c536593243db7d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585845
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61073}
- Rename (and negate) "stack_check" to the more descriptive
"skip_first_stack_check".
- Pass call frequency by value rather than mutable(!) reference.
- Embed some things directly into BytecodeGraphBuilder,
instead of stack-allocating them and then storing a pointer.
- Don't pass things to OsrIteratorState that it can already access via
the graph builder parameter.
Change-Id: Id852df1ce521a6eefb6047cf76a0882a4c6e95b3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587375
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61072}
Remove Isolate versions of
Value::ToNumber/ToString/ToObject/ToInteger/ToInt32 and Context versions
of ToBoolean and BooleanValue (which could never throw anyway).
Bug: v8:7279, v8:9183
Change-Id: Ib144f8894a2b37c44216ba2d0cb298e8f0c72a3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585735
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61071}
This CL removes the flag '--turbo-preprocess-ranges' and enables it by
default.
If FLAG_turbo_control_flow_aware_allocation is set,
--turbo-preprocess-ranges is disabled and control flow aware
allocation is enabled instead.
Bug: v8:9088
Change-Id: I81d56f15efc8f765e317aa828d27f415f8b7fd40
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585725
Auto-Submit: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61070}
All we really need to expose is a single function that builds the graph.
This change drastically simplifies the header file.
Change-Id: If185687b8220bdd253f967be9ab2ea3b088e5423
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585856
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61068}
Previously it was possible for this function to fall back to the
ArrayBuffer methods to free the memory in the cases where the
is_wasm_memory flag on the JSArrayBuffer is not propagated.
This is no longer the case, as we check for the actual allocation
so all memory allocated by the WasmMemoryTracker should be freed by
it as well. Rename the method to match the existing implementation.
Change-Id: I50c9844bfdae1c378812df5add2253752532d0ad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587795
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61066}
This is a reland of 4f9d7a94a1
Original change's description:
> [snapshot] Align internal snapshot data
>
> When the snapshot blob is not aligned properly, loading it can cause a
> crash on platforms such as arm.
>
> This was exposed by a SIGBUS/BUS_ADRALN crash on arm when accessing
> the blob_data symbol (declared as a byte array) through a reinterpret
> cast to uintptr_t in an internal snapshot build.
>
> Thanks to florian.dold@gmail.com for the initial patch.
>
> Bug: v8:9171
> Change-Id: I99b071dec3733416f2f01b58a770e30d8f2dcdf2
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1582402
> Commit-Queue: Dan Elphick <delphick@chromium.org>
> Auto-Submit: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Dan Elphick <delphick@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61000}
Tbr: delphick@chromium.org
Bug: v8:9171
Change-Id: I36f53647ff5c45bcc512147f082fdd069723175d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587377
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61062}
This CL just updates the map to its non-deprecated counterpart
before adding the integrity level transition.
Bug: chromium:956426
Change-Id: I0aaaeb0451aed28c8893968bbcd9f6eb327da18b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585858
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61057}
This enables constant field tracking unconditionally.
TBR=jgruber@chromium.org
Bug: v8:8361
Change-Id: I02f35827d860c3e0f18a3d55cb156c088d48bc94
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585730
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61055}
This is a reland of 2974a184fd
Added expectation for the case that caused the revert in:
https://chromium-review.googlesource.com/c/chromium/src/+/1585814
Original change's description:
> [Inspector] Adjust the length of some of the console functions.
>
> The function lengths on a number of the console methods was set to 1.
> The arguments to these functions are either variadic or optional so they
> should have length of 0.
>
> R=dgozman@chromium.org,ulan@chromium.org
> BUG=chromium:948678
>
> Change-Id: I183262e230145a565732396688a0541034931500
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1548948
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Pavel Feldman OOO <pfeldman@chromium.org>
> Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Commit-Queue: Dave Tapuska <dtapuska@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61021}
Bug: chromium:948678
Change-Id: I092139117ee2b08f40a7c0ee4df49603cf383579
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585533
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dave Tapuska <dtapuska@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61053}
For a few double value above the max float, we have to round down
to that max float rather than rounding up to infinity.
Bug: chromium:956564
Change-Id: I34be1def5330bd4c3352b792d20dd500f108d9e1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585852
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61052}
Instead of recording dependencies during ComputePropertyAccessInfo(s),
store off-the-record dependencies in the resulting PropertyAccessInfo(s)
and record them when the PropertyAccessInfo(s) are consumed. This will
enable us to do the ComputePropertyAccessInfo(s) during serialization.
Bug: v8:7790
Change-Id: I2a3918eb3bc2c795061ca7969c0053b68a53aea7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581610
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61051}
- Removes Utf8Iterator
- Replaces Utf8Decoder with something based on ValueOfIncremental +
NonAsciiStart and moves it into v8/internal.
- Internalizes utf8 strings by first converting them to one or two byte
- Removes IsUtf8EqualsTo and replaces current uses with IsOneByteEqualsTo
Tbr: jgruber@chromium.org
Change-Id: I16e08d910a745e78d6fd465718fc69ad731fd217
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585840
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61049}
Add a WasmCodeRefScope around _v8_internal_Print_Code() because that
is needed for debugging.
R=clemensh@chromium.org
Change-Id: Ifdb7a32695163e0a109567ec00a52196e79e03db
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585844
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61047}
I missed these cases when adding the branchful decompression on codegen.
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:7703
Change-Id: Idb3f5ca81e00bb17fa08ba2b2506b642ffbd7b4b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1571623
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61045}
If a {NativeModule} dies while a GC is running, we could leave behind
references to code of that deleted module. This CL fixes that.
This issue was found by running with --stress-wasm-code-gc.
R=mstarzinger@chromium.org
Bug: v8:8217
Change-Id: I7f0d98977e6510899170306952936c4a7f7d3c10
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585722
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61041}
The function {memory_copy_wrapper} is called directly from WebAssembly.
Before calling {memory_copy_wrapper} we do not reset the
tread-in-wasm flag. On asan builds on Windows this causes the problem
observed in the crash report.
My theory is the following: asan on Windows uses exceptions to allocate
shadow memory lazily. When {memory_copy_wrapper} accesses memory, asan
causes an exception to allocate shadow memory. This exception is first
caught by the WebAssembly trap handler, which resets the
thread-in-wasm flag but then does not handle the exception because it
cannot find a proper landing pad. Asan then handles the exception and
continues execution. However. the thread-in-wasm flag is not set
anymore. A later check of the thread-in-wasm flag then fails.
This CL disables asan for {memory_copy_wrapper} and thereby fixes the
problem. As indicated above, another solution would be to reset and set
the thread-in-wasm flag before and after the call to the C function,
respectively. However, we do not do that for other uses of direct calls
to C.
R=binji@chromium.org
Bug: chromium:952342
Change-Id: I2adb2eccf2ac25be58392d21f8f43a04414c7811
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1584326
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61040}
Add a flag which causes wasm code gc to be triggered whenever any code
is found to be potentially dead. This mode found several bugs already,
and I plan to enable it in 'gc-stress' mode once all issues are fixed.
R=mstarzinger@chromium.org
Bug: v8:8217
Change-Id: If28d980ded98b77b9efe7446da74d857e3c5e1b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585720
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61039}
This reverts commit da7322c05f.
Reason for revert: Breaking the pointer compression bots, e.g.:
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20-%20pointer%20compression/3047
Original change's description:
> [csa] verify skipped write-barriers in MemoryOptimizer
>
> With very few exceptions, this verifies all skipped write-barriers in
> CSA and Torque, showing that the MemoryOptimizer together with some
> type information on the stored value are enough to avoid unsafe skipped
> write-barriers.
>
> Changes to CSA:
> SKIP_WRITE_BARRIER and Store*NoWriteBarrier are verified by the
> MemoryOptimizer by default.
> Type information about the stored values (TNode<Smi>) is exploited to
> safely skip write barriers for stored Smi values.
> In some cases, the code is re-structured to make it easier to consume
> for the MemoryOptimizer (manual branch and load elimination).
>
> Changes to the MemoryOptimizer:
> Improve the MemoryOptimizer to remove write barriers:
> - When the store happens to a CSA-generated InnerAllocate, by ignoring
> Bitcasts and additions.
> - When the stored value is the HeapConstant of an immortal immovable root.
> - When the stored value is a SmiConstant (recognized by BitcastToTaggedSigned).
> - Fast C-calls are treated as non-allocating.
> - Runtime calls can be white-listed as non-allocating.
>
> Remaining missing cases:
> - C++-style iterator loops with inner pointers.
> - Inner allocates that are reloaded from a field where they were just stored
> (for example an elements backing store). Load elimination would fix that.
> - Safe stored value types that cannot be expressed in CSA (e.g., Smi|Hole).
> We could handle that in Torque.
> - Double-aligned allocations, which are not lowered in the MemoryOptimizer
> but in CSA.
>
> Drive-by change: Avoid Smi suffix for StoreFixedArrayElement since this
> can be handled by overload resolution (in Torque and C++).
>
> R=jarin@chromium.org
> TBR=mvstanton@chromium.org
>
> Change-Id: I0af9b710673f350e0fe81c2e59f37da93c024b7c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1571414
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61016}
TBR=mvstanton@chromium.org,jarin@chromium.org,tebbi@chromium.org
Change-Id: I36877cd6d08761726ef8dce8a3e3f2ce3eebe6cf
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585732
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61038}
The `Script::InitLineEnds(Handle<Script>(script, isolate));` line
may lead to objects being moved around on the heap, so it’s necessary
to use a `Handle` to track that.
This was causing crashes in Node.js in Debug mode when using the
code cache in combination with the CPU profiler.
Refs: https://github.com/nodejs/node/issues/27307
Change-Id: I392b4c00c6ebad44753f87fcbf2e3278ea7799a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1575698
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61036}
Peeling away layers of indirection. More to follow.
Change-Id: Ide15b9ece926f51d957de8fdc37829f02d86ca49
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1573700
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61035}
This fixes a deadlock that was detected by layout tests executing with
--future (hence enabling wasm code gc). It did not fail anywhere in v8
because GC is only triggered once we have > 1MB potentially dead code.
I plan to add a '--stress-wasm-code-gc' flag, which lowers this limit
to zero, thereby triggering GC when finding a single potentially dead
code. This mode found this issue, but also finds more, so I need to fix
other issues before enabling these stress tests.
R=mstarzinger@chromium.org
Bug: v8:8217
Change-Id: I373955b90c8b79d7b9e16184729f45db947eeeab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1583728
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61034}
This reverts commit 2974a184fd.
Reason for revert: For this change to land, layout tests have to
be changed on the chromium side:
https://ci.chromium.org/p/v8/builders/ci/V8-Blink%20Linux%2064/31448https://test-results.appspot.com/data/layout_results/V8-Blink_Linux_64/31448/webkit_layout_tests%20%28with%20patch%29/layout-test-results/results.html
Original change's description:
> [Inspector] Adjust the length of some of the console functions.
>
> The function lengths on a number of the console methods was set to 1.
> The arguments to these functions are either variadic or optional so they
> should have length of 0.
>
> R=dgozman@chromium.org,ulan@chromium.org
> BUG=chromium:948678
>
> Change-Id: I183262e230145a565732396688a0541034931500
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1548948
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Pavel Feldman OOO <pfeldman@chromium.org>
> Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Commit-Queue: Dave Tapuska <dtapuska@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61021}
TBR=dgozman@chromium.org,ulan@chromium.org,pfeldman@chromium.org,yangguo@chromium.org,dtapuska@chromium.org,kozyatinskiy@chromium.org
Change-Id: Iba25e9351641c5d2730eb727f3da91f86d5b1203
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:948678
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585719
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61029}
Refactors logging suppression and profiling state tracking on isolates
to be tied to a RAII ProfilerScope. Fixes the case where multiple
concurrent profilers on the same isolate restore the wrong value of
is_logging.
Change-Id: I34b59422a4e6e077ae0abb46eb09d78a77870d46
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1575918
Commit-Queue: Andrew Comminos <acomminos@fb.com>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61027}
Bug: v8:9060
Change-Id: I37282dd362cfdd0a162a76b122870f643ef5c8eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1582483
Commit-Queue: Adam Klein <adamk@chromium.org>
Auto-Submit: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61024}
An additional wpt test (console-label-conversion.any.js) verifies that
calling toString will cause exception propagation.
Remove the TryCatch block.
BUG=chromium:948257
R=dgozman@chromium.org
Change-Id: Idaaf264b7675f7df8ead128c085ac4d4c044005d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1579541
Commit-Queue: Dave Tapuska <dtapuska@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61023}
The function lengths on a number of the console methods was set to 1.
The arguments to these functions are either variadic or optional so they
should have length of 0.
R=dgozman@chromium.org,ulan@chromium.org
BUG=chromium:948678
Change-Id: I183262e230145a565732396688a0541034931500
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1548948
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Pavel Feldman OOO <pfeldman@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Commit-Queue: Dave Tapuska <dtapuska@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61021}
The generation of unwind info to enable stack walking on Windows/x64
(https://chromium-review.googlesource.com/c/v8/v8/+/1469329) was implemented
behind a temporary flag, in order to coordinate these changes with the
corresponding changes in Chromium.
The required changes to Chromium
(https://chromium-review.googlesource.com/c/chromium/src/+/1474703) have also
been merged, so we can now remove the flag and enable the generation of stack
unwinding info by default on Windows/x64.
Bug: v8:3598
Change-Id: I88814aaeabecc007f5262227aa0681a1d16156d5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1573138
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#61020}
Simplify accounting for compilation progress. Instead of complicated
logic in {OnUnitsFinished} the compilation progress is initialized in
{InitializeCompilationProgress}. We now keep tack of
- the required baseline tier,
- the required top tier, and
- the currently reached tier.
With this information {OnUnitsFinished} determines whether baseline and
top tier compilation are completed.
Bug: v8:9003
Change-Id: I3d147613f30363aade9ad5bf65be6e4d105e561e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1583722
Commit-Queue: Frederik Gossen <frgossen@google.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61019}
This reverts commit 4f9d7a94a1.
Reason for revert: breaks roll:
https://chromium-review.googlesource.com/c/chromium/src/+/1583053
Original change's description:
> [snapshot] Align internal snapshot data
>
> When the snapshot blob is not aligned properly, loading it can cause a
> crash on platforms such as arm.
>
> This was exposed by a SIGBUS/BUS_ADRALN crash on arm when accessing
> the blob_data symbol (declared as a byte array) through a reinterpret
> cast to uintptr_t in an internal snapshot build.
>
> Thanks to florian.dold@gmail.com for the initial patch.
>
> Bug: v8:9171
> Change-Id: I99b071dec3733416f2f01b58a770e30d8f2dcdf2
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1582402
> Commit-Queue: Dan Elphick <delphick@chromium.org>
> Auto-Submit: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Dan Elphick <delphick@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61000}
TBR=jgruber@chromium.org,delphick@chromium.org
Change-Id: Ie329fa8948b46d5434a0db72d4bfb539bd25a967
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9171
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1584324
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61017}
With very few exceptions, this verifies all skipped write-barriers in
CSA and Torque, showing that the MemoryOptimizer together with some
type information on the stored value are enough to avoid unsafe skipped
write-barriers.
Changes to CSA:
SKIP_WRITE_BARRIER and Store*NoWriteBarrier are verified by the
MemoryOptimizer by default.
Type information about the stored values (TNode<Smi>) is exploited to
safely skip write barriers for stored Smi values.
In some cases, the code is re-structured to make it easier to consume
for the MemoryOptimizer (manual branch and load elimination).
Changes to the MemoryOptimizer:
Improve the MemoryOptimizer to remove write barriers:
- When the store happens to a CSA-generated InnerAllocate, by ignoring
Bitcasts and additions.
- When the stored value is the HeapConstant of an immortal immovable root.
- When the stored value is a SmiConstant (recognized by BitcastToTaggedSigned).
- Fast C-calls are treated as non-allocating.
- Runtime calls can be white-listed as non-allocating.
Remaining missing cases:
- C++-style iterator loops with inner pointers.
- Inner allocates that are reloaded from a field where they were just stored
(for example an elements backing store). Load elimination would fix that.
- Safe stored value types that cannot be expressed in CSA (e.g., Smi|Hole).
We could handle that in Torque.
- Double-aligned allocations, which are not lowered in the MemoryOptimizer
but in CSA.
Drive-by change: Avoid Smi suffix for StoreFixedArrayElement since this
can be handled by overload resolution (in Torque and C++).
R=jarin@chromium.orgTBR=mvstanton@chromium.org
Change-Id: I0af9b710673f350e0fe81c2e59f37da93c024b7c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1571414
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61016}
Adds a new flag to CpuProfiler to control whether or not "debug" names
(potentially inferred from scope) are used for captured frames
associated with a SharedFunctionInfo instance.
Bug: v8:9135
Change-Id: Ia1db20e389f3d0beb60eb47798820fb11d501c88
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1583042
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61015}
The main change is the reduction of the number of declared classes by
four by using templatized 'using' declarations instead of subtypes.
This also uses 'constexpr' to define constants, uses the defined
constants consistently, and adds static asserts.
R=jkummerow@chromium.org
Bug: v8:8834
Change-Id: I3868c9069f25261d428ec0847dea46de2cbc7a44
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1583763
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61014}
Introduce {CompileStrategy} to determine whether functions or an entire
module is compiled lazily. This replaces the previously used function
{IsLazyCompilation} and allows to introduce other compile strategies in
the future.
Bug: v8:9003
Change-Id: I3b8a32f1ccb55530afba07a02ccd7a0c10be3fac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1583720
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Frederik Gossen <frgossen@google.com>
Cr-Commit-Position: refs/heads/master@{#61013}
This CL fixes a crash that happens on a goto definition lookup for a
file with no data attached to it.
Drive-by: Collect language server data even on compilation failures.
R=tebbi@chromium.org
Bug: v8:8880
Change-Id: Ia6323204391da3e64058e1fe47f87162186c15cd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1583721
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61012}
This is a reland of 3d846115d6
Reland changes mjsunit.status to skip the regression test on
all bots except ASAN.
Original change's description:
> [typedarray] Fix crash when sorting SharedArrayBuffers
>
> TypedArray#sort has a fast-path when the user does not provide a
> comparison function. This fast-path utilizes std::sort which operates
> directly on the raw data. Per spec, std::sort requires the "less than"
> operation to be anti-symmetric and transitive.
>
> When sorting SharedArrayBuffers (SAB) that are concurrently modified during
> sorting, the "less than" operator stops being consistent as the
> underlying data is constantly modified. This breaks some invariants
> in std::sort resulting in infinite loops or straight out segfaults.
>
> This CL fixes this by copying the data before sorting SABs and
> writing the sorted result back.
>
> Note: The added regression test is tailored for ASAN bots as a
> normal build would need too many iterations to consistently crash.
>
> R=neis@chromium.org, petermarshall@chromium.org
>
> Bug: v8:9161
> Change-Id: Ic089928652f75865bfdb11e7453806faa6ecb988
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581641
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61004}
Bug: v8:9161
Change-Id: Idffc3fbb5f28f4966c8f1ac6770d5b5d6003a7e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1583726
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61011}
Verify that baseline and top tier compilation are finished when
expected. Test cases will use the newly exposed functions
{baseline_compilation_finished} and {top_tier_compilation_finished} for
this.
Bug: v8:9003
Change-Id: I023af3390ed5e087a3b40efe7c340d7e93071a51
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581941
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Frederik Gossen <frgossen@google.com>
Cr-Commit-Position: refs/heads/master@{#61010}
This reverts commit 3d846115d6.
Reason for revert: The test hangs flakily on windows:
https://ci.chromium.org/p/v8/builders/ci/V8%20Win32/20612https://ci.chromium.org/p/v8/builders/ci/V8%20Win32%20-%20nosnap%20-%20shared/33147https://ci.chromium.org/p/v8/builders/ci/V8%20Win32%20-%20debug/19945
Original change's description:
> [typedarray] Fix crash when sorting SharedArrayBuffers
>
> TypedArray#sort has a fast-path when the user does not provide a
> comparison function. This fast-path utilizes std::sort which operates
> directly on the raw data. Per spec, std::sort requires the "less than"
> operation to be anti-symmetric and transitive.
>
> When sorting SharedArrayBuffers (SAB) that are concurrently modified during
> sorting, the "less than" operator stops being consistent as the
> underlying data is constantly modified. This breaks some invariants
> in std::sort resulting in infinite loops or straight out segfaults.
>
> This CL fixes this by copying the data before sorting SABs and
> writing the sorted result back.
>
> Note: The added regression test is tailored for ASAN bots as a
> normal build would need too many iterations to consistently crash.
>
> R=neis@chromium.org, petermarshall@chromium.org
>
> Bug: v8:9161
> Change-Id: Ic089928652f75865bfdb11e7453806faa6ecb988
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581641
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61004}
TBR=neis@chromium.org,petermarshall@chromium.org,szuend@chromium.org
Change-Id: I046da3e4228bb1a8a3aa89d9c9d8de11875a9273
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9161
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1583725
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61007}
It shipped in Chrome 73.
Bug: v8:6890
Change-Id: Idd8c98cf05a0d6e8fa58c5b0a34d079631f68b1b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1582879
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Cr-Commit-Position: refs/heads/master@{#61005}
TypedArray#sort has a fast-path when the user does not provide a
comparison function. This fast-path utilizes std::sort which operates
directly on the raw data. Per spec, std::sort requires the "less than"
operation to be anti-symmetric and transitive.
When sorting SharedArrayBuffers (SAB) that are concurrently modified during
sorting, the "less than" operator stops being consistent as the
underlying data is constantly modified. This breaks some invariants
in std::sort resulting in infinite loops or straight out segfaults.
This CL fixes this by copying the data before sorting SABs and
writing the sorted result back.
Note: The added regression test is tailored for ASAN bots as a
normal build would need too many iterations to consistently crash.
R=neis@chromium.org, petermarshall@chromium.org
Bug: v8:9161
Change-Id: Ic089928652f75865bfdb11e7453806faa6ecb988
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581641
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61004}
This CL refactors and extends the infrastructure around sending
diagnostic notifications. This enables publishing lint errors as
warnings after a compilation run.
R=sigurds@chromium.org, tebbi@chromium.org
Bug: v8:8880
Change-Id: Ia64d2d490c1449021c92f5dc45eb7f8dab21e60a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1582405
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61003}
When the snapshot blob is not aligned properly, loading it can cause a
crash on platforms such as arm.
This was exposed by a SIGBUS/BUS_ADRALN crash on arm when accessing
the blob_data symbol (declared as a byte array) through a reinterpret
cast to uintptr_t in an internal snapshot build.
Thanks to florian.dold@gmail.com for the initial patch.
Bug: v8:9171
Change-Id: I99b071dec3733416f2f01b58a770e30d8f2dcdf2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1582402
Commit-Queue: Dan Elphick <delphick@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61000}
This reverts commit 7a2651cbf5.
Reason for revert: https://ci.chromium.org/p/v8/builders/ci/V8%20Android%20Arm64%20-%20N5X/4126
Original change's description:
> [arm64] Cleanup TODO around handling of x18
>
> Use `padreg` instead of x18 to maintain alignment in the CPURegList.
>
> Also clean up some comments and tidy up RequiredStackSizeForCallerSaved
> and PushCallerSaved.
>
> Change-Id: I80a780e5649e69a1746c43f37c2d1d875120c7a0
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581609
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
> Cr-Commit-Position: refs/heads/master@{#60987}
TBR=jgruber@chromium.org,martyn.capewell@arm.com,joey.gouly@arm.com
Change-Id: Id95ac26142717f6503d284d20ca03b9de33a9122
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1582403
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60999}
Make sure to adapt the formal parameters for the Promise.allSettled
method.
Bug: v8:7834
Change-Id: I255fc695f5ac0d62ed18f5aad78665feb38c241a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1580239
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60996}
This is a reland of d6121fd1a3
Original change's description:
> [Interpreter] Ensure Test*Handler don't allocate a frame for fast-path.
>
> Avoids allocating a frame for the fast-path in TestEqual, TestEqualStrict and
> TestLess/GreaterThan bytecode handlers. Also changes how feedback is tracked
> to try and avoid needing to keep feedback to "combine" with if it's unecessary
> which reduces the liveranges of the registers holding this data.
>
> This reduces the time needed for a tight loop in Ignition (e.g.,
> while (i < 1000000000) ++i;) from 12.8s to 10.8s.
>
> BUG=v8:9133
>
> Change-Id: I686b9da89541d15d233635db3276de3dad2fa282
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1570020
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60906}
TBR=jgruber@chromium.org
Bug: v8:9133
Change-Id: Ie9940d029d412986e6713438630565a98fe3c51c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1582401
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60989}
Use `padreg` instead of x18 to maintain alignment in the CPURegList.
Also clean up some comments and tidy up RequiredStackSizeForCallerSaved
and PushCallerSaved.
Change-Id: I80a780e5649e69a1746c43f37c2d1d875120c7a0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581609
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/master@{#60987}
The order of the typeswitch branches causes repeated Smi-checks.
This CL fixes this by putting the Number case first.
However, the generated code is still worse due to repeated Map and
InstanceType loads. This will be fixed by a future load elimination for
Torque/CSA.
Bug: chromium:955976
Change-Id: I0f59ef795878f65b3cb11246626738bc33f8aff5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581644
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60986}
Add suport for large object space allocations in Turbofan and use it
from CSA when young large objects are enabled. This maintains the
Turbofan invariant that the generation is statically predictable.
In principle, this enables write barrier elimination for large objects
allocated from Torque/CSA. But it doesn't seem to trigger much yet,
probably we have to improve the MemoryOptimizer.
Bug: v8:7793
Change-Id: I7ea7d0cb549573db65fafe5df5edf67e0ce90893
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565905
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60984}
This CL changes lint errors to not be printed directly to stderr.
Instead, they are collected in a list that gets surfaced via
the TorqueCompilerResult. This is done so they can be presented
to language server clients.
This change also removes the "abort_on_lint_errors" option.
API users can now decide for themselves what to do, depending on
the presence of lint errors in the returned list.
R=sigurds@chromium.org, tebbi@chromium.org
Bug: v8:8880
Change-Id: I44601010491aafcf4c8609fd8c115219317506a4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581608
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60983}
When collecting JS block coverage, we track block execution counts on
so-called CoverageInfo objects. Generated bytecode and native code
contains inlined snippets of code to increment the appropriate
counters.
These used to be implemented as calls to the IncBlockCounter runtime
function. Each call incurred the entire CEntry overhead.
This CL reduces that overhead by moving logic over into a new
IncBlockCounter TFS builtin. The builtin is called directly from
bytecode, and lowered to the same builtin call for optimized code.
Drive-by: Tweak CoverageInfo layout to generate faster code.
Tbr: jarin@chromium.org
Bug: v8:9149, v8:6000
Change-Id: I2d7cb0db649edf7c56b5ef5a4683d27b1c34605c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1571420
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60981}
Bug: v8:8976
Change-Id: Idc896770fd0f448c37d8d83b7970e3f8e16f5f2e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1572682
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60979}
This fixes the bounds check for the 'in' operator to handle the negative
index case properly (by using the same machinery as the potentially
out-of-bounds loads/stores use).
Bug: chromium:952586
Change-Id: I2225acae8be7dcedbcde745e8ef202e789085041
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581179
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60978}
This extends the existing test coverage of interactions between the
exception handling and the reference type proposal. Now "any-func" and
"except-ref" can both be encoded as an exception value. Missing switch
cases have been added.
R=clemensh@chromium.org
TEST=mjsunit/wasm/exceptions-anyref[-interpreter]
BUG=v8:8091,v8:7581
Change-Id: Ie2e9819fe66b4daab623390f27bb19007131f619
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581600
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60977}
On Arm/64 the last return address is stored in a link register instead of
being pushed to the top-of-stack like on x64/ia32. Extend the support in the
tick sampler to check for samples in a frameless bytecode handler with support
for checking the link register if it exists instead of top-of-stack. In addition,
make the x64/ia32 check more robust by ensuring we only apply the change if the
pc is a bytecode handler and the top frame isn't a bytecode handler (stub) frame.
BUG=v8:9162
Change-Id: I89d2e80ea8a0b84ff6a265d0e0e73f9fdd1daca8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578464
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60976}
Use the existing {ArrayVector} method for this, which reads nicer. In
some places, I replaced a stack-allocated array by {EmbeddedVector} to
avoid the {ArrayVector} call.
R=mstarzinger@chromium.org
Bug: v8:8834
Change-Id: I5560c07f2775338fefd11acf67a540e003428e74
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578899
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60975}
This is one step towards removing the {StrLength} helper and using
{size_t} consistently instead.
R=mstarzinger@chromium.org
Bug: v8:8834
Change-Id: Ibcdfd579531a259d490c39a8e8c96d469a5a4aac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578901
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60974}
This reverts commit fa6ec3cb08.
Reason for revert: v8:9169, v8:9170
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux/31457https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64/31417https://ci.chromium.org/p/v8/builders/ci/V8%20Win32%20-%20debug/19919
Original change's description:
> [cpu-profiler] Split out debug mode for CPU profiler naming
>
> Adds a new flag to CpuProfiler to control whether or not "debug" names
> (potentially inferred from scope) are used for captured frames
> associated with a SharedFunctionInfo instance.
>
> Bug: v8:9135
> Change-Id: I104f3246431dc6336de4e4688c0d98c86e0bb776
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566169
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Alexei Filippov <alph@chromium.org>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Commit-Queue: Peter Marshall <petermarshall@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60972}
TBR=ulan@chromium.org,alph@chromium.org,yangguo@chromium.org,petermarshall@chromium.org,acomminos@fb.com
Change-Id: I573194b5affd31fd0748b9ef3c45052e8ab420f5
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9135
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581639
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60973}
Adds a new flag to CpuProfiler to control whether or not "debug" names
(potentially inferred from scope) are used for captured frames
associated with a SharedFunctionInfo instance.
Bug: v8:9135
Change-Id: I104f3246431dc6336de4e4688c0d98c86e0bb776
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566169
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60972}
The current logic sometimes skips the request for a code logging stack
guard request, even though no such request is pending. This happens if
the previous stack guard already executed, but a foreground task is
still pending.
This CL fixes this by re-requesting a stack guard interrupt when the
first code is added to the vector of outstanding code to be logged.
Plus minor drive-by fix.
R=mstarzinger@chromium.org
Bug: v8:9163
Change-Id: I4937f3983f15e7122141b04ddb1432cd1f78828b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578461
Auto-Submit: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60970}
In the PerformPromise{All, Race, AllSettled} operations, the resolve
property of the constructor is looked up only once.
In the implementation, for the fast path, where the constructor's
resolve property is untainted, the resolve function is set to undefined.
Since undefined can't be a valid value for the resolve function,
we can switch on it (in CallResolve) to directly call the PromiseResolve
builtin. If the resolve property is tainted, we do an observable property
lookup, save this value, and call this property later (in CallResolve).
I ran this CL against the test262 tests locally and they all pass:
https://github.com/tc39/test262/pull/2131
Spec:
- https://github.com/tc39/ecma262/pull/1506
- https://github.com/tc39/proposal-promise-allSettled/pull/40
Bug: v8:9152
Change-Id: Icb36a90b5a244a67a729611c7b3315d2c29de6e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1574705
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60957}
The {Vector} class stores the size in a {size_t} since a while, but
many accessors and constructors still accept an {int}. This CL removes
all {int} uses except for the explicit {length()} accessor. It also
adds a comment to avoid this accessor if possible.
The {StrLength} function still has several users outside of vector.h,
which I plan to remove in a follow-up CL.
R=mstarzinger@chromium.org
Bug: v8:8834
Change-Id: I33c5b0e8b8b2cb3531716c1d99e4516a13d6ba1f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578480
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60950}
This CL fixes some issues with GC.
1) It removes dead code from the set of potentially dead code to avoid
considering the same code for GC again and again.
2) It resets the {new_potentially_dead_code_size_} counter to avoid
triggering too many GCs.
3) When code becomes dead after GC, do not unconditionally free it; just
decrement its ref count (there might still be {WasmCodeRefScope}s
holding the code alive).
4) Update the comment of the ref count to be more accurate.
R=titzer@chromium.org
Bug: v8:8217
Change-Id: I28e5a1fed74411b8473bb66ddbad3ffe7643f266
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1574518
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60949}
This adds two counters for collecting the absolute size of freed code,
and the percent of total generated code per module.
R=titzer@chromium.org
Bug: v8:8217
Change-Id: Ia065081104fbff6459791c919e0b18677ba45cc3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1573698
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60948}
This is the next step to test the GC better: We zap the code region of
{WasmCode} objects which are detected to be unused. This is tested in
the future variant, so ClusterFuzz has a chance to catch missing
references.
R=titzer@chromium.org
Bug: v8:8217
Change-Id: I75a63384a2a8e2ed68b9447e6ee4faa24037da93
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1571622
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60945}
The WebAssembly JavaScript Interface specifies[1] that exported
functions are not constructors, hence do not have the "prototype"
property. This is not true for asm.js exported functions which are
expected to look like normal functions (or constructors).
[1] https://webassembly.github.io/spec/js-api/index.html#exported-function-exotic-objectsR=clemensh@chromium.org
TEST=mjsunit/regress/regress-crbug-935800
BUG=chromium:935800
Change-Id: Idecacfb7f5d4668540589af95fd59872334c21a3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578499
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60943}
This CL implements the first set of diagnostic notifications.
When Torque compilation fails, the language server translates the
Torque error into a diagnostics notification and pushes it to the
client.
Note that per specification, the server is responsible to manage the
state of all published diagnostics. This means that the server is
also responsible for clearing out previous notifications if they
become stale.
Bug: v8:8880
Change-Id: Ief46dc1d94d1e5b7fa3e0048df494bfc05974031
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1569434
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60942}
EmbeddedVector lives on the stack only, and should not be implicitly
copied or assigned.
This also removes remaining uses of the removed Vector::set_start
method.
R=sigurds@chromium.org
Bug: v8:9142
Change-Id: I829e6ffad6b1a30baa6c874265e92d615dd0c981
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578458
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60940}
MicrotaskQueue associated to Context may be null after DetachGlobal,
and triggering FinalizationGroup clean up on the detached context
causes a crash.
This CL fixes the crash by cancelling the clean up on such a context.
Bug: chromium:937784
Change-Id: I57883ae0caf6c6bb35e482e441b6e09e921d9def
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552500
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Taiju Tsuiki <tzik@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60931}
Per suggestion, we put this behind runtime flag in the mean time.
Refactor some codes.
Bug: v8:6831
Change-Id: Ibeb2a62b2a132971f8bc51c045bf0d2594eec198
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566238
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60927}
We had one use of OS_CHROMEOS in mksnapshot. OS_CHROMEOS is defined if
gn's `is_chromeos` is true, which checks `current_os`. `current_os !=
target_os` can happen if we're building with a non-default toolchain,
which happens often on CrOS, since `mksnapshot` is a host binary.
Tested by manually verifying that .text.hot.embedded now shows up on
arm32/aarch64 builds of embedded.S.
Bug: v8:9103
Change-Id: I038b56f4c18c7dd9a651ce676a977697dad14ae6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1573041
Commit-Queue: George Burgess <gbiv@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60925}
This CL adds the representation changes from/to CompressedPointer to the other
data types (excluding Tagged, which was done in a previous CL).
Also adding missing write barriers for compressed values (WriteBarrierKindFor).
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:8977, v8:7703
Change-Id: Ieb4e6dd72371e858ba1da551f765e42581a51f90
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1571616
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60924}
There seems to be an issue where LTO inlines the icache flushing method
but removes the save and restore of the r7 register which is clobbered
for the icache flush syscall.
This CL tries to avoid the bug. It's purely speculative, as we cannot
reproduce the exact bug locally.
R=jkummerow@chromium.org
Bug: chromium:952759
Change-Id: I634fc4de3e8c4d1cb649384542c381d925b07a42
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1571619
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60922}
Add lazy validation for lazily compiled functions. The code is validated
only on first use. This applies to functions that are lazily compiled by
compilation hint as well as to entirely lazy modules.
Bug: v8:9003
Change-Id: If6a640db4bf4b846ac5e3805c138b8ac0a493cf9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1569427
Commit-Queue: Frederik Gossen <frgossen@google.com>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60921}
Block binary coverage currently also relies on invocation counts on
the feedback vector, which are not maintained in optimized code. This
fixes the SFI::IsInlineable predicate to also prevent inlining
functions when 1. binary coverage is enabled and 2. the function has
no reported binary coverage.
Drive-by: Add new predicates for binary/count modes.
Bug: v8:6000
Change-Id: I0039e43ebae880e3552e8349d20a144fe941ef3b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1571615
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60920}
We see crashes in the wild that we suspect are caused by these changes.
This is a manual revert because of conflicts.
Revert "[turbofan] Fix incorrect CheckNonEmptyString lowering."
This reverts commit b3b7011867.
Revert "[turbofan] Fix incorrect lowering of CheckNonEmptyString."
This reverts commit 5758209026.
Revert "[turbofan] Significantly improve ConsString creation performance."
This reverts commit d6a60a0ee1.
Bug: v8:9147
Change-Id: I262c21e5406a9c4c8ad0e0f995582c5802f0fa1e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1571613
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60919}
Add tests for tiering and lazy compilation with compilation hints. The
tests build modules and verify the {WasmCode}'s tier internally. The
module builder now supports compilation hints in CCTests.
Bug: v8:9003
Change-Id: I18d926c3b1ef3508835a51a9d1d86bfadcb5216e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566522
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Frederik Gossen <frgossen@google.com>
Cr-Commit-Position: refs/heads/master@{#60916}
We translate stores with TaggedXXX (XXX in {"", "Signed", "Pointer"})
representation in CSA into stores of CompressedXXX with a
ChangeTaggedXXXToCompressedXXX in the raw-machine-assembler.
This way, CSA doesn't need to know about Compressed values since we
are introducing an explicit "compress" node.
Also, on ARM64, removed CheckPageFlagSet and CheckPageFlagClear since
CheckPageFlag can be used for both cases.
Moved CheckPageFlag to the TurboAssembler (from MacroAssembler) since it
was needed on code-generator-arm64.cc.
Bug: v8:8977, v8:7703
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Change-Id: Ia3a41b09a4d715588a36461620be0432ed064d13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566517
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60915}
port https://crrev.com/c/1541476
Original Commit Message:
This CL adds handling for cleaning up weakmap (EphemeronHashTable)
keys during scavenge, even if the weakmap resides in oldspace.
Change-Id: If6e06ea8621fd6aff374c04247c3168b2cbb361a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1568712
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Yu Yin <xwafish@gmail.com>
Cr-Commit-Position: refs/heads/master@{#60912}
Imported from https://github.com/WebAssembly/wasm-c-api/ and
updated to work inside V8.
Tests will be added in an upcoming CL.
This is experimental; it is not yet recommended to rely on it.
Change-Id: I05914f4b63298bf7c848c4d4c8811f0f6eb882e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1516478
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60910}
This reverts commit d6121fd1a3.
Reason for revert: Fails cctest/test-cpu-profiler/Inlining2 on arm64-sim: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm64%20-%20sim/17702
Original change's description:
> [Interpreter] Ensure Test*Handler don't allocate a frame for fast-path.
>
> Avoids allocating a frame for the fast-path in TestEqual, TestEqualStrict and
> TestLess/GreaterThan bytecode handlers. Also changes how feedback is tracked
> to try and avoid needing to keep feedback to "combine" with if it's unecessary
> which reduces the liveranges of the registers holding this data.
>
> This reduces the time needed for a tight loop in Ignition (e.g.,
> while (i < 1000000000) ++i;) from 12.8s to 10.8s.
>
> BUG=v8:9133
>
> Change-Id: I686b9da89541d15d233635db3276de3dad2fa282
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1570020
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60906}
TBR=rmcilroy@chromium.org,jgruber@chromium.org
Change-Id: I5e53138929bf1fae9f57f9dd023d258bb7d557ac
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9133
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1571418
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60907}
Avoids allocating a frame for the fast-path in TestEqual, TestEqualStrict and
TestLess/GreaterThan bytecode handlers. Also changes how feedback is tracked
to try and avoid needing to keep feedback to "combine" with if it's unecessary
which reduces the liveranges of the registers holding this data.
This reduces the time needed for a tight loop in Ignition (e.g.,
while (i < 1000000000) ++i;) from 12.8s to 10.8s.
BUG=v8:9133
Change-Id: I686b9da89541d15d233635db3276de3dad2fa282
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1570020
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60906}
The trap handler fallback is flaky, and was never enabled since it
never worked reliably. This CL removes
a) the --wasm-trap-handler-fallback flag,
b) the distinction between soft and hard address space limit,
c) methods to check whether memory has guard regions (it will always
have them on 64 bit architectures),
d) associated runtime functions,
e) the trap handler fallback tests,
f) recompilation logic for the fallback.
R=titzer@chromium.org
Bug: v8:8746
Change-Id: I7f4682b8cd5470906dd8579ff1fdc9b1a3c0f0e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1570023
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60904}
This CL adds the representation changes from/to CompressedSigned to the other
data types (excluding Tagged, which was done in a previous CL).
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:8977, v8:7703
Change-Id: If967a1a0fc669c45a2764cf950cf02d8c06b08b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1547859
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60903}
We have very few tests for this currently, and it's hard to test
this, since code logging happens soon after scheduling the task and
stack guard. If the timing is just right, it can happen though that a
{NativeModule} dies while {WasmCode} objects of that {NativeModule} are
still part of the {code_to_log} vector. In that case, we need to remove
those code objects from the vector to avoid use after free.
R=mstarzinger@chromium.org
Change-Id: I16c7098bf11c54700cc650dad965106af2e39157
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566519
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60902}
This is a reland of 067ba2a0c6.
Unchanged reland, hence TBR.
Original change's description:
> [wasm] Add stack guard for logging code
>
> Benchmarks or worker threads might never return to the event queue,
> hence they will never execute the scheduled foreground task to log
> compiled and published wasm code.
> This CL adds a stack guard to log the code, to ensure that we also log
> it for wasm code that never returns to the event queue.
>
> R=mstarzinger@chromium.org
>
> Bug: v8:9104
> Change-Id: I176959cadb4ab3a60153d0717530c032272ad3e8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561073
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60879}
TBR=mstarzinger@chromium.org
Bug: v8:9104
Change-Id: I105b37ef8429d16ef5b983919ba8bca615e347c0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1570017
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60899}
This adds support for iOS builds in libsampler. Both iOS simulator
builds (target architecture x64) and iOS device builds (arm64) are
supported.
Note that this is mostly untested since we neither have iOS bots nor
an iOS test runner. This CL was thus only tested by compiling V8 for
both iOS simulator & device targets.
Bug: v8:9140
Change-Id: Ib618bf793771f4be84d1979a968d2b3ef9f6ff86
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1569436
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60898}
Realm.navigate hits a UAF when it's called after Realm.detachGlobal, and
that's hit a clusterfuzz test.
Bug: chromium:952749
Change-Id: Icf0f0d0b845bc5a2d1ddd80ab52756dae97b982f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1567583
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Taiju Tsuiki <tzik@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60896}
For some unknown reasons, the profiler starts seeing illegal source
positions (see referenced bug).
This CL quick-fixes that by just ignoring them for now. This might
regress profiling, and should be fixed mid-term.
R=mstarzinger@chromium.org
Bug: chromium:953309
Change-Id: I10db7e5ad24e8470e319fc9418cd3a684f614c26
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1569845
Auto-Submit: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60895}
Avoids allocating a frame for the fast-path in IncHandler by marking some calling
branches as Deferred. Also avoid loading feedback slot and vector until it's needed
to reduce live range.
This reduces the time needed for a tight loop in Ignition (e.g.,
while (i < 1000000000) ++i;) from 15.5s to 12.8s.
BUG=v8:9133
Change-Id: I0a62efdaefca7f3024b3ae05c61631a63cb01390
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1570005
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60893}
OS X has been a UNIX 03 registered product since version 10.5,
released in October 2007.
Bug: v8:8834
Change-Id: I64ca5512a9999b6eb7b4003a6758081a06eb6529
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1569437
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60891}
This is port for https://crrev.com/c/1524482
Original commit message:
This allows immediates to be encoded directly into instructions, rather than
mov-ing constants to registers first.
This patch only changes emit_{i64,i32}_add, other emit_ functions will be changed once
this approach has been approved.
Bug: v8:9038
Change-Id: I4f35498ccf89306f12601df5ce91e1748975b11b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1568710
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Yu Yin <xwafish@gmail.com>
Cr-Commit-Position: refs/heads/master@{#60886}
The bulk memory proposal changed behavior of segment initialization
during instantiation. Previously, all segments would be bounds-checked,
after which the segments would be initialized.
The bulk memory proposal removes the up-front check, and always
initializes active segments in order, starting with element segments and
then continuing with data segments. Each active segment is initialized
as-if they were being initialized with the `memory.init` and
`table.init` instructions, so an out-of-bounds initialization may still
modify the memory or table partially.
Bug: v8:8892
Change-Id: I472fca2401e07d60b288f0cc745629a451b31088
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565033
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60885}
Increase length of packed sealed array will create holes in packed array so transition to dictionary elements for now.
Later we can consider transitioning to holey sealed array.
Bug: chromium:952382
Change-Id: Ibe26ce56918859a114fccc1933f9c966c47c4112
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566968
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60884}
Currently v8 ignores class instance fields when determining how many
properties to preallocate for a given function. This cl changes v8's
behavior to start preallocating for instance fields in addition to
properties.
Bug: v8:8774
Change-Id: If598c2ba8a1b14bd0293f36bae7d35e2d85f7898
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1560216
Commit-Queue: Joshua Litt <joshualitt@google.com>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60882}
Just update merge conflict.
The reverted CL is https://chromium-review.googlesource.com/c/v8/v8/+/1565470.
Treat packed sealed, frozen element as packed element.
Also rename to IsPackedFrozenOrSealedElementsKind.
Bug: chromium:951988
Change-Id: I4e7cc0a0d43e1e1c109fa08231dd5396901f9614
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566235
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60881}
Benchmarks or worker threads might never return to the event queue,
hence they will never execute the scheduled foreground task to log
compiled and published wasm code.
This CL adds a stack guard to log the code, to ensure that we also log
it for wasm code that never returns to the event queue.
R=mstarzinger@chromium.org
Bug: v8:9104
Change-Id: I176959cadb4ab3a60153d0717530c032272ad3e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561073
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60879}
Extend test coverage for Wasm compilation with compilation hints. Tests
cover, in particular, error handling in streaming compilation and
asynchronous compilation.
Bug: v8:9003
Change-Id: Id46e02904a3a5df60c2617b11445bdc04c8b3b1d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566520
Commit-Queue: Frederik Gossen <frgossen@google.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60876}
This is a cleanup CL that stemmed from the CompressedSigned one
https://chromium-review.googlesource.com/c/v8/v8/+/1547859
Bug: v8:8977, v8:7703
Change-Id: Icd217c43cc3430579dd79387d680205ef4440962
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1569428
Auto-Submit: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60874}
We translate loads with TaggedXXX (XXX in {"", "Signed", "Pointer"})
representation in CSA into loads of CompressedXXX +
ChangeCompressedXXXToTaggedXXX in the raw-machine-assembler.
This way, CSA doesn't need to know about Compressed values since we
are introducing an explicit "decompress" node.
Also updating tests that were checking for the load nodes.
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:8977, v8:7703
Change-Id: Ie22ca8123a25ef005c1ff7383776f9355020fa42
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565897
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60873}
We'll eventually map each relevant map to a PropertyAccessInfo at
serialization time.
Bug: v8:7790
Change-Id: I739075af3629359f43acfdeb609112f355f1bd38
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565899
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60872}
The arm64 ABI defines x18 as a platform register, and as such
platforms may reserve it for their own purposes.
This CL unconditionally removes x18 from the allocatable register list
(previously it was only excluded from arm64 Windows). If, for some
reason, we want to keep x18 allocatable on some platforms, we can
explicitly enable it for specific platforms in the future.
Bug: v8:8940,v8:9140
Change-Id: I28c4f6aad714e21a0a54bab6041c13a1b28fd467
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564194
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60870}
This moves the vector of {WasmCode} to log (per isolate) from the
{LogCodesTask} to the {WasmEngine}, where lifetime is more clear.
This makes it harder to mess up the ref count of the stored {WasmCode}
objects.
R=mstarzinger@chromium.org
Bug: v8:8217
Change-Id: I07131f95391bfabee3c376378179d8bcdc1555b0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566518
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60869}
The Torque compiler makes heavy use of scoped globals (contextuals).
This created a problem for the design of the compiler interface:
- Either the compiler provides all the necessary scopes itself,
disallowing callers any access to the contextuals, which might
contain data the caller is interested in (such as the
compilation result).
- Or the caller provides all the necessary scopes.
This design was fine when the compiler executable was the only user.
With the recent addition of unit tests and the language server, this
interface became brittle, as missing scopes are only detected at
runtime.
This CL refactors the compiler interface to not leak contextual
scopes past the interface boundary. Content of contextuals is
collected and returned, providing access for the caller and freedom
to either use the data directly or move it into the callers own scopes.
R=sigurds@chromium.org
Bug: v8:7793
Change-Id: Ieb988522d08fc6026b3fb74d976008e566146770
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1529000
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60867}
Adds CpuProfiler::SetUsePreciseSampling, which provides a hint whether
to sacrifice CPU cycles to reduce the level of sampling interval
variance. On Windows, this controls whether or not busy waiting is
performed for sample rates < 100ms. Defaults to enabled (old behaviour).
Bug: v8:3967
Change-Id: Iee84c3ae8132541c78b1f78bf294ec7c718bb19b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1510577
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60866}
When a stack trace is captured, it is stored in a private symbol on
the respective Error object. The first access to "Error.stack" will
then format the stack trace, with a possible call into user JS via
the Error.prepareStackTrace callback.
Until now, the accessor converted ".stack" to a normal data
property containing the formatted stack trace. This causes a new Map
with a new DescriptorArray to be created, which will not be shared
with anything else (also not other error objects with formated
stack traces).
This CL changes the accessor to store the formatted stack trace in
the same symbol (stack_trace_symbol) as the structured data. The
result is that an error object will have the same Map before and
after "Error.stack" is accessed.
Bug: v8:9115
Change-Id: I7d6bf49be76d63b57fbbaf904cc6ed7dbdbfb96b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564061
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60865}
After this CL, MicrotasksScope allows null MicrotaskQueue parameter,
so that the user can migrate one-by-one from the default microtask
queue to the finer grained one.
Change-Id: Id519920a9d57e80e279026ad05a14422fb72b050
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1559678
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Taiju Tsuiki <tzik@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60864}
Previously when an unresolved private name is not found
in the current scope but found in an outer class scope,
we forget to push it to the outer class scope so the
name would never get bound.
This patch simplifies ClassScope::ResolvePrivateNamesPartially()
and removes the search in outer class scopes since they are incomplete
at this point. Instead just push any private name that can't be
resolved in the current scope to the outer class scope so that it
gets handled later when the outer class scope is complete.
Bug: chromium:952722
Change-Id: Ia0dda74cac57a0a1e25a9a09575f55633c6093b5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1567709
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/master@{#60863}
Blink used to use v8::MicrotasksScope::GetCurrentDepth() to get the
number of nested MicrotasksScope for the default microtask queue.
However, there was no corresponding one for non-default queues.
Change-Id: I1c2472ba19b1a11cb968f02119d91d92867c6e02
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1567705
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Taiju Tsuiki <tzik@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60862}
Bug: v8:8976
Change-Id: I2d5131c2a1d96e5d5e0114efac3b1b2c3497351d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566249
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Cr-Commit-Position: refs/heads/master@{#60861}
This is a reland of ffe6940fbc
The UBSan issue is fixed with https://crrev.com/c/1566511TBR=tebbi@chromium.org
Original change's description:
> Reland^2 "[torque] Throw exception instead of aborting if something goes wrong"
>
> This is a reland of 251d1623f3
>
> The reland fixes ASAN component builds by adding RTTI build config to both
> torque executables. Big thanks to sigurds for finding the fix.
>
> Original change's description:
> > Reland "[torque] Throw exception instead of aborting if something goes wrong"
> >
> > This is a reland of 3bd49f9b90
> >
> > The issue on the windows bot is apparently a compiler bug in MSVC related to
> > move construction. The fix seems to be to change the order of the fields in
> > "JsonParseResult" (go figure).
> >
> > Drive-by-change: Fix LS on windows by emitting correct line endings and
> > enabling exceptions for the LS executable as well.
> >
> > Original change's description:
> > > [torque] Throw exception instead of aborting if something goes wrong
> > >
> > > This CL enables exceptions for the Torque compiler and Torque language
> > > server. Instead of aborting when something goes wrong during
> > > compilation, a TorqueError is thrown, containing the error message
> > > and a source position. The compiler executable still prints the error
> > > and aborts, while the language server will pass this information
> > > along to the client (not included in this CL).
> > >
> > > R=danno@chromium.org
> > >
> > > Bug: v8:8880
> > > Change-Id: Iad83c46fb6a91c1babbc0ae7dbd94fbe4e7f1663
> > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1526003
> > > Reviewed-by: Daniel Clifford <danno@chromium.org>
> > > Commit-Queue: Simon Zünd <szuend@chromium.org>
> > > Cr-Commit-Position: refs/heads/master@{#60512}
> >
> > Bug: v8:8880
> > Change-Id: I00e6591bbb4c516dd7540a7e27196853bc637f11
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1545995
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Commit-Queue: Simon Zünd <szuend@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#60736}
>
> Bug: v8:8880
> Change-Id: Iba198d771169283e83e74324f27aa9e90b8d8975
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1563770
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60804}
Bug: v8:8880
Change-Id: I5b7e40ad27bff8f7bfa22240954c2cb75083ad82
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564065
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Auto-Submit: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60860}
MicrotasksPolicy was a missing functionality of MicrotaskQueue that
was available on the per-Isolate MicrotaskQueue.
This expose that as a construction time option.
Change-Id: I22bcc8082ca64552d107ee6db138011654047861
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1559677
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Taiju Tsuiki <tzik@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60858}
This is a reland of 656f57bd78, which
was reverted due to Blink test failures. Those failures have been
temporarily suppressed.
Original change's description:
> [wasm] Add off-by-default runtime flag for growing shared memory
>
> Grow memory isn't ready to ship in M75.
>
> Bug: v8:8564, chromium:951795
> Change-Id: I75602bce833653b7943f5606236a97ca6dbad5c9
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566239
> Reviewed-by: Ben Smith <binji@chromium.org>
> Commit-Queue: Adam Klein <adamk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60836}
Bug: v8:8564, chromium:951795
Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Change-Id: If096f76b4d5d1f5cbcb98e9c11a525a540e21f14
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1568125
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Ben Smith <binji@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60855}
This reverts commit f4a747b72d.
Reason for revert: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm%20-%20sim%20-%20lite%20-%20debug/3001
Original change's description:
> [parser] Skip TDZ Checks in more cases of let and const
>
> The parser can now skip TDZ checks for cases when a reference is in,
> or nested in, a scope that's both a sibling of the declaration and
> created by a function expression.
>
> Bug: v8:7331
> Change-Id: Ia9748b5a8faa3037873efe5081837f5d0aa74115
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1542042
> Commit-Queue: Suraj Sharma <surshar@microsoft.com>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60853}
TBR=adamk@chromium.org,verwaest@chromium.org,surshar@microsoft.com
Change-Id: Iaa34b1f7cafcc0e77cd7cc20372885b1904bd827
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7331
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1568078
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60854}
The parser can now skip TDZ checks for cases when a reference is in,
or nested in, a scope that's both a sibling of the declaration and
created by a function expression.
Bug: v8:7331
Change-Id: Ia9748b5a8faa3037873efe5081837f5d0aa74115
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1542042
Commit-Queue: Suraj Sharma <surshar@microsoft.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60853}
Check if storage for thread_local variables has been allocated before
attempting to access such variables, as exceptions may be raised in the
thread before this initializion is complete, causing an infinite loop.
Bug: v8:8966
Change-Id: Ifc6223b74999a55bfd0ed2d6ebf054bbffd7e809
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1507714
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60852}
libc++ will assert when indexing one element past the end of a vector, but V8
uses this as the end iterator for ScopedPtrList. Similarly, when there's no
elements in the vector, v[0] will also assert, so ScopedPtrList::begin() needs
to be updated too. This CL changes ScopedPtrList to use std::vector::data() to
get the iterators.
BUG=chromium:923166
TBR=machenbach
Change-Id: Ic6a5176611d52ed592da743ecce44287c452b379
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565543
Commit-Queue: Thomas Anderson <thomasanderson@chromium.org>
Reviewed-by: Nico Weber <thakis@chromium.org>
Auto-Submit: Thomas Anderson <thomasanderson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60851}
Edge names are not always string constants and have to be deleted at
some point. Copy them over to StringStorage to allow the embedder
freeing up their copy.
Bug: chromium:936797
Change-Id: I1c1a617c79c2016b3bd30c3460bb7a47edce1b95
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565903
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60849}
While crrev.com/c/1520721 tried to avoid collecting source positions
when throw exceptions, it failed because they were still collected in
Isolate::CaptureStackTrace.
This removes that collection point and lets SetStackFrameCacheCommon
bail out when trying to set the stack frame cache for a bytecode that
doesn't have source positions.
It also adds tests that ensure source positions are not collected when
an exception is thrown (although one is disabled as it does not yet
work).
Bug: v8:8510
Change-Id: Id5caf579dda549d637fa9b3129c419d524be5ff2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565898
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60847}
This CL introduces the first (and most important) place where we need
to decrement the ref count of wasm code. When installing new code in
the code table and jump table, the prior code becomes unreachable via
new function calls.
This change executes many code paths that were unreachable before,
since the ref count was never decremented.
R=mstarzinger@chromium.org
Bug: v8:8217
Change-Id: Ibe33df562f240f7cd5996f6061809e93838be425
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566512
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60845}
This makes sure that all overrides of {StackFrame::unchecked_code}
return a value, even if there is no {Code} object associated with the
frame. This ensures debug functions like {StackTraceFailureMessage}
continue working for all stack traces.
R=neis@chromium.org
BUG=chromium:952761
Change-Id: Ie42b301e4d43ebf67acc80e6c1b7bcb4cdc7c947
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566515
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60844}
Since {NativeModule::GetCode} returns a raw pointer to {WasmCode}, it
needs to increment the reference counter on that code object.
{HasCode} on the other hand does not return a code pointer, so it's
implemented separately now.
R=mstarzinger@chromium.org
Bug: v8:8217
Change-Id: I812981aaf89281fb0296682114f248079e57a5e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566514
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60843}
- Remove AllocationSpaceName() which was in SHOUTY_CASE and did not
actually handle CODE_LO_SPACE.
- Make GetSpaceName() static because it is.
- Change callers of old AllocationSpaceName() to use GetSpaceName().
- Change the input type to a AllocationSpace rather than int given the
function crashes on invalid values.
Space::name() now returns a lower case result but this is only used by
functions guarded by gc_verbose or trace_fragmentation so I don't think
this will break anything.
Change-Id: Ice9a955365d4a22233af7ba39126ad8e5cff2aab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565474
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Auto-Submit: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60842}
port https://crrev.com/c/1541476
Original Commit Message:
This CL adds handling for cleaning up weakmap (EphemeronHashTable)
keys during scavenge, even if the weakmap resides in oldspace.
Change-Id: If0598a499641ba502b00857204e32ca63e0712c3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564320
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Yu Yin <xwafish@gmail.com>
Cr-Commit-Position: refs/heads/master@{#60837}
Grow memory isn't ready to ship in M75.
Bug: v8:8564, chromium:951795
Change-Id: I75602bce833653b7943f5606236a97ca6dbad5c9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566239
Reviewed-by: Ben Smith <binji@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60836}
Basically, SetPropertyInternal is called without handling COW map.
Improve test coverage as well.
Bug: chromium:951438
Change-Id: Iea8c818ab6a8ddea204f86a9d676a1ea42fd07f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1562731
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60834}
For slow-path of array.includes, it should be able to handle if arguments is undefined for sealed/frozen object
Bug: chromium:951780
Change-Id: I42dcf1e23ab07bfcd87e7a5d27b52e66b2d1d2ae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565031
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#60829}
This CL can be used as a base for specialising CompressedSigned and
CompressedPointer.
B
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng,v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:8977, v8:7703
Change-Id: I43c8e7f57021ac506822aba5bbd4bdf6cc3159ba
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1543731
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60827}
This adds a new flag --modify-field-representation-inplace (enabled by
default), which lets the runtime perform field representation changes
for Smi to Tagged or for HeapObject to Tagged in-place instead of
creating new maps and marking the previous map tree as deprecated.
That means we create (a lot) fewer Maps and DescriptorArrays in the
beginning and also need to self-heal fewer objects later (migrating
off the deprecated maps). In TurboFan we just take the "field owner
dependency" whenever we use the field representation, which is very
similar to what we already do for the field types. That means if we
change the representation of a field that we used in optimized code,
we will simply deoptimize that code and have TurboFan potentially
later optimize it again with the new field representation.
On the Speedometer2/ElmJS-TodoMVC test, this reduces the total execution
time from around 415ms to around 352ms, which corresponds to a **15%**
improvement. The overall Speedometer2 score improves from around 74.1
to around 78.3 (on local runs with content_shell), corresponding to a
**5.6%** improvement here. 🎉
On the CNN desktop browsing story, it seems that we reduce map space
utilization/fragmentation by about 4-5%. But since we allocate a lot
less (fewer Maps and DescriptorArrays) we also significantly change
the GC timing, which heavily influences the results here. So take this
with a grain of salt. 🤷
Note: For Double fields, this doesn't change anything, meaning they
still create new maps and deprecate the previous map trees.
Bug: v8:8749, v8:8865, v8:9114
Change-Id: Ibd70efcb59be982863905663dbfaa89aa5b31e14
Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
Doc: http://bit.ly/v8-in-place-field-representation-changes
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565891
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60822}
When all units started compiling, but not all are finished yet, the
main thread waits in a busy loop.
This CL fixes that by introducing a semaphore which is signalled when
baseline compilation finishes or compilation fails. The foreground
thread waits on this semaphore if there are no more units to start.
R=mstarzinger@chromium.org
Bug: v8:8916
Change-Id: I7351c0b777f008fef3aa1d1d16089c4e6fd91106
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564055
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60821}
This reverts commit d14ed12e56.
Reason for revert: breaks mjsunit tests in lite mode: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm%20-%20sim%20-%20lite/3557
Original change's description:
> [ic] Remove the check for fast prototypes in LoadIC_Uninitialized
>
> When handling load named properties (without feedback vectors) we used
> to miss to runtimes if the prototypes aren't set. This was because we
> wanted to give the prototype a chance to become fast, since most prototypes
> start in slow mode but move to fast after the initial setup. Though this
> check is not really useful when we don't have feedback vectors, and once
> feedback vectors are allocated we will turn the prototypes fast anyway.
>
> Bug: v8:8394, v8:8860
> Change-Id: Ib2247e5e921f6375bda65310560ac832fd0339bf
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561316
> Commit-Queue: Mythri Alle <mythria@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60818}
TBR=mythria@chromium.org,verwaest@chromium.org
Change-Id: I28e420951483c93363e8a78621a247a7723d735f
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8394, v8:8860
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565893
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60820}
Read-only space sharing requires an iterator independent of heap. This
also enables future removal of read-only space from heap.
Bug: v8:7464
Change-Id: Ia07a9369494ea2c547d12c01ffa1d7b8b6bbeabc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552795
Commit-Queue: Maciej Goszczycki <goszczycki@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60819}
When handling load named properties (without feedback vectors) we used
to miss to runtimes if the prototypes aren't set. This was because we
wanted to give the prototype a chance to become fast, since most prototypes
start in slow mode but move to fast after the initial setup. Though this
check is not really useful when we don't have feedback vectors, and once
feedback vectors are allocated we will turn the prototypes fast anyway.
Bug: v8:8394, v8:8860
Change-Id: Ib2247e5e921f6375bda65310560ac832fd0339bf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561316
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60818}
... all of the kind that modifies the accumulator but no other
registers. Also move a few of that kind out of the IGNORED_BYTECODES
list, where they didn't belong.
R=mslekova@chromium.org
Bug: v8:7790
Change-Id: I67189750e5e01fc8a3b6b5117b61a0d21837693a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561320
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60817}
