We can skip write barriers when storing read only objects. This should
fix the linked bug where no v8::Isolate::Scope is set up during GC.
Bug: v8:13257, chromium:1386096
Change-Id: I2be9a38895e34bc7f6582c26d3c236dd23cf1f2b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4036570
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84358}
This will enable running the main gcmole script in different modes
in the future, full run (this CL), later suspect generation only and
analysis only.
Bug: v8:12660
Change-Id: Ica87366fb3c5b6e238f5a1efaf347ebbeb01003a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4026062
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84357}
We occasionally get a CHECK failure when trying to emit a (near) jump
table entry. This can happen if we are very close to the 26-bit limit
for near jumps, and emitting the `CodeEntry` brings us over this limit.
For the check whether a near jump can be used, or whether we need to
fall back to a far jump, we thus should consider the one instruction
that we (potentially) emit there.
This CL fixes that. This triggers very rarely, so we will have to watch
crash reports to see if this fixed the issue.
R=jkummerow@chromium.org
Bug: chromium:1383500
Change-Id: I703a24e76c2eeba4906989276c320f893095d77d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4034173
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84356}
- add --trace-maglev-inlining
- don't reregister lazy deopt info if we already have it (for return
values from inlined functions)
- don't deopt for OSR if OSR is disabled.
Bug: v8:7700
Change-Id: Idb73ff6f287e37cdafe1255afa7201a1f3618081
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4037781
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84355}
cppgc does not depend on v8 in general but only on `src/base/` and an
exception to implement tracing. Document this in the DEPS file to have
`git cl presubmit` complain properly.
Change-Id: I8240cca77816ccd4ca32fa2a69eef2e11c6a5ad5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4037705
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84354}
This reverts commit 7bf94d0336.
Reason for revert: https://crbug.com/v8/13509
Original change's description:
> [heap] Transition/Shortcut strings only during GCs without stack
>
> By limiting transitions of (shared) strings and shortcutting of
> Thin/Cons strings to GC withouts stacks, optimizing compilers can rely on
> the invariant that string maps do not change during a GC, allowing them
> to eliminate map checks and enable more aggressive optimizations.
>
> Change-Id: Ic9c9ed7b04b2ceed369484bf048965c083a9a693
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030578
> Commit-Queue: Patrick Thier <pthier@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84347}
Change-Id: If8a2050c1c52ee59c9aac1196c1436abc23b5b5c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4037921
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84353}
... instead of manually calculating index of the Context parameter.
Drive-by: follow correct parameter count pattern:
* CodeAssemblerTester with JS calling convention and fixed parameter
count expects that the count includes the receiver parameter.
* FunctionTester's parameter count doesn't include receiver.
* Use JSParameterCount(kNumParams) instead of (kNumParams+1) and
"Include receiver" comment.
Bug: v8:13312, v8:11112
Change-Id: I2cd25f596882e0bdf6b6254a0182a391ad7b73b5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4034174
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84352}
If entered, the debugger hangs on readline in fuzz test cases, which
makes differential fuzzing test cases harder to handle and repro.
Bug: chromium:1385995
Change-Id: Ib969f617831bca10421be125fdd3be846c803654
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4036567
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84351}
This CL switches the ReadOnlySpace verification to also use the
SpaceVerificationVisitor class.
This allows to move the VerifyPointersVisitor class out of heap.cc
into heap-verifier.cc.
The CL also introduces a virtual BaseSpace::Verify method which is
implement by each space kind.
Bug: v8:13257
Change-Id: I592344fee524f247d656085e898aad77663c33a0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030523
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84350}
Use argparse to make using subparsers possible in the future. Also
remove some dead code.
Bug: v8:12660
Change-Id: I26fbef0c8cc48ada6ca9f1072fbc3784893e5be9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4023079
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84349}
By limiting transitions of (shared) strings and shortcutting of
Thin/Cons strings to GC withouts stacks, optimizing compilers can rely on
the invariant that string maps do not change during a GC, allowing them
to eliminate map checks and enable more aggressive optimizations.
Change-Id: Ic9c9ed7b04b2ceed369484bf048965c083a9a693
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030578
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84347}
This reverts commit dbbccae19a.
Reason for revert: Deadlock in TSAN with stress:
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN/44651/overview
Original change's description:
> Reland "[heap] Invoke allocation observers before limiting the LAB"
>
> This is a reland of commit 39d387bb72
>
> Original change's description:
> > [heap] Invoke allocation observers before limiting the LAB
> >
> > Currently whenever we reach a step we get a small LAB the same size as
> > the allocated object. This is becuase the remaining step size is smaller
> > then the current allocation.
> > Invoking observers before limiting the LAB, and thus updating step
> > sizes, should eliminate the small LAB we get whenever we reach a step.
> >
> > Drive-by: remove redundant method arguments.
> >
> > Bug: v8:12612
> > Change-Id: Ied92a947308368d3b289e246fdb4f40ac5e5981f
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4013683
> > Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> > Commit-Queue: Omer Katz <omerkatz@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#84157}
>
> Bug: v8:12612, v8:13465
> Change-Id: I40fb930a755cb5decccd932c4d25ed7d5d224da4
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4020177
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Omer Katz <omerkatz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84328}
Bug: v8:12612, v8:13465
Change-Id: I70df00448c7413999b91412343915c503baf0dd3
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4035252
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Owners-Override: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84345}
This reverts commit 00db0fff8c.
Reason for revert: Deoptimizer crash on Linux64 GC stress:
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20-%20gc%20stress/1642/overview
Original change's description:
> [maglev] Support call speculation disabling
>
> Add a FeedbackSource to DeoptInfo which allows the caller to specify
> that this deopt is part of call speculation, and that call speculation
> should be disabled for this call when the speculation fails. This is a
> mechanism to prevent deopt loops, also used by TurboFan.
>
> Bug: v8:7700
> Change-Id: I59b5db3956e074ec808b218c00ae85796455742e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030438
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Auto-Submit: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84332}
Bug: v8:7700
Change-Id: I0552131cabb2e01351371d10849ec780bc160c00
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4035586
Owners-Override: Shu-yu Guo <syg@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84342}
This CL invokes Heap::SetIsMarkingFlag for all client isolates to
force the RecordWrite builtin into the marking barrier code path. That
way the RecordWrite builtin can run the marking barrier for objects
in the shared heap even when incremental marking in the that
particular client isolate isn't enabled at the moment.
The marking barrier then splits code path for shared vs. local
objects. Without a shared heap or when running on the shared space
isolate we know without checking page headers that all objects are
local. For client isolates it will also check whether incremental
marking is enabled for that particular space.
Bug: v8:13267
Change-Id: Iaa98d25c4c855769f95ee0ddf5540fb0ada55574
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4020176
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84339}
This CL introduces a new interface SpaceVerificationVisitor which
is used for verifying of spaces in the heap. SpaceVerificationVisitor
has methods for verifying objects and pages in the space. All space
kinds invoke these methods for verification.
This new interface is then used in HeapVerifier to introduce single
bottlenecks for objects and pages in the heap.
Bug: v8:13257
Change-Id: I6b39d60a30793ec3f04a88ad73e8be0e96627815
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030258
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84338}
This reverts commit 70e65f8961.
Reason for revert: Breaks roll (https://chromium-review.googlesource.com/c/chromium/src/+/4030636/6?checksPatchset=6&checksRunsSelected=chromeos-amd64-generic-rel&tab=checks)
Original change's description:
> [ext-code-space] Change compression scheme for Code pointers
>
> Unlike the default scheme the ExternalCodeCompressionScheme allows
> the cage to cross 4GB boundary at a price of making decompression
> slightly more complex. The former outweighs the latter because it
> gives us more flexibility in allocating the code range closer to
> the .text section in the process address space. At the same time
> decompression of the external code field happens relatively rarely
> during GC.
>
> Bug: v8:11880
> Change-Id: Ia62bedd318f88c2147534ff000ab9fad354777f3
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899307
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84269}
Bug: v8:11880
Change-Id: I65607590dd12e92c741ccedf84ac3c6b2fcf075e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031182
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84335}
Remove machinery from regexp parser that keeps track of the type of the
last added token. This is used only in one spot for a DCHECK that
doesn't really provide any benefit for stability or security, but
keeping track of the last added type is tedious and error-prone.
Bug: chromium:1385569
Change-Id: I98e239a03a4c7c9ff22c24fc42e12ae6b643a6d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030583
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84333}
Add a FeedbackSource to DeoptInfo which allows the caller to specify
that this deopt is part of call speculation, and that call speculation
should be disabled for this call when the speculation fails. This is a
mechanism to prevent deopt loops, also used by TurboFan.
Bug: v8:7700
Change-Id: I59b5db3956e074ec808b218c00ae85796455742e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030438
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84332}
Since we don't do accurate type tracking in liftoff, we end up in
situation where we mix up ref and (ref null). This is safe and should
be allowed.
We merge {IsAssignable} into {CheckCompatibleStackSlotTypes}, and
rename and simplify it.
Bug: v8:13499
Change-Id: Ifaa2ff1e3f090a5d91219305ce4bb6f08bc5c00f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030512
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84330}
Some of the tests were accidentally disabled (TestCallBuiltinPCRelative
and TestCallBuiltinIndirect).
Also add tests for builtin tail calls.
Bug: v8:11527
Change-Id: I42c7249cde44ff055ff6cb0c908ec1611b24353c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031034
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84329}
This is a reland of commit 39d387bb72
Original change's description:
> [heap] Invoke allocation observers before limiting the LAB
>
> Currently whenever we reach a step we get a small LAB the same size as
> the allocated object. This is becuase the remaining step size is smaller
> then the current allocation.
> Invoking observers before limiting the LAB, and thus updating step
> sizes, should eliminate the small LAB we get whenever we reach a step.
>
> Drive-by: remove redundant method arguments.
>
> Bug: v8:12612
> Change-Id: Ied92a947308368d3b289e246fdb4f40ac5e5981f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4013683
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Omer Katz <omerkatz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84157}
Bug: v8:12612, v8:13465
Change-Id: I40fb930a755cb5decccd932c4d25ed7d5d224da4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4020177
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84328}
Scope: In practice, we don't need Scopes, so it'll be simpler to
access the table directly.
Predecessors: Phi inputs are often not mergeable (because they often
aren't defined in all predecessors). As a result, if we want to know
the value of a Phi input through the SnapshotTable, we need to lookup
its value in a predecessor, which is the feature that this CL
introduces.
Bug: v8:12783
Change-Id: I12a9e6abddd88ff1f3de172a387c9a502356f351
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030581
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84327}
The deoptimized code list is inserted into when walking a native context
to find Code objects marked for deoptimization, and is then only used
for two purposes:
1. Looking up lazy deoptimizing code objects by PC, and
2. Counting deoptimizing code that's not marked for deoptimization.
Point 1 is slow, as it is a linked list traversal, and is made slightly
slower by the CodeT refactoring which adds another layer of indirection
to the list. The existing Isolate::FindCodeObject approach is faster,
and is already used in the deoptimizer for Code objects not found in the
list, in particular all eager deopts.
The careful reader will notice that point 2 results in a count that's
always zero, since the count excludes exactly those code objects which
are added to the list (ones marked for deopt). Indeed, all uses (which
were all in tests) were verying only that it is equal to zero.
So, we can remove this deoptimized code list entirely.
Change-Id: I352e77b1df83260a30464dbac7f268484211b2e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030582
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84325}
This reverts commit bdf634f851.
The tsan race were fixed by
- removing unmodified wrapper reclamation with --cppgc-young-generation
- moving Oilpan's final pause after young trace handle marking
Original change's description:
> unified-young-gen: Trace cross-heap references
>
> The CL enables the marking visitor in CppGC to trace
> v8::TracedReferences (by just reusing the unified heap visitor from the
> full GC). In addition, it specifies VisitJSApiObject for
> NewSpaceVisitors to be able to trace wrappers from Minor MC in case
> --cppgc-young-generation is enabled.
>
> Bug: v8:13475
> Change-Id: I04ba1f2a22e05caebf53dc8d64f2488c42ab8579
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4026896
> Commit-Queue: Anton Bikineev <bikineev@chromium.org>
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84313}
Change-Id: I64d5bfabfa1b83337b1f11666495ccbd7e7e46c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030318
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84324}
With dynamic tiering, each WebAssembly function has a tiering budget,
and the function gets optimized once the tiering budget is reached. So
far the tiering budget exists per process, which means that whenever
a web application got loaded, it started with a full tiering budget.
As a result, functions that only get called few times during startup
and never reach the tiering budget would never get optimized.
With this CL the tiering budget gets written to the cache. Given that
caching events are happening, this means that also startup functions get
optimized eventually as long as the web application gets visited often
enough.
R=clemensb@chromium.org
Bug: chromium:1384530
Change-Id: I5066bc8f3daf457159b6eb785d2e17eda43c8c4c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4026769
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84320}
Only validate that a supertype is in-bounds if it exists.
Also, fix format parameter for the respective error message.
Bug: v8:7748
Change-Id: I8891562a57e680ed7f6e65f83147cd8db3771607
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031207
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84319}
Simplify the checks in the C++ marking barrier that deal with
shared objects. The checks we now use here are the same we will be
using for the JS barrier in RecordWrite (see
https://crrev.com/c/4020176).
This CL also reworks WriteWithoutHost, the barrier used for traced
handles. It doesn't use MarkValue anymore since the logic is a
bit different to the regular marking barrier on objects.
Bug: v8:13267
Change-Id: If23b65ce5f06af99a5cea864ce28a68f8d5b37de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031028
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84317}
GenPCRelativeJumpAndLink doesn't use BlockTrampolinePoolScope.
It inserts a BlockTrampolinePool which causes this error.
And also alter debug info format.
Change-Id: I160f13f4261fdcf1f7978bfce9b5169d363e6a10
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4032016
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#84316}
We introduce {SignallingNanPropagation} in MachineOperatorReducer to
make the call-sites easier to read.
Change-Id: I61d46fda5f6156a87f8504c38cae6b014e4021ab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4026771
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84315}
This reverts commit 43f03448d3.
Reason for revert: Data race caught by TSAN:
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20isolates/22640/overview
Original change's description:
> unified-young-gen: Trace cross-heap references
>
> The CL enables the marking visitor in CppGC to trace
> v8::TracedReferences (by just reusing the unified heap visitor from the
> full GC). In addition, it specifies VisitJSApiObject for
> NewSpaceVisitors to be able to trace wrappers from Minor MC in case
> --cppgc-young-generation is enabled.
>
> Bug: v8:13475
> Change-Id: I04ba1f2a22e05caebf53dc8d64f2488c42ab8579
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4026896
> Commit-Queue: Anton Bikineev <bikineev@chromium.org>
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84313}
Bug: v8:13475
Change-Id: I8b8351774a121ca2296efa3c8d3a588fa7380d86
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4032053
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84314}
The CL enables the marking visitor in CppGC to trace
v8::TracedReferences (by just reusing the unified heap visitor from the
full GC). In addition, it specifies VisitJSApiObject for
NewSpaceVisitors to be able to trace wrappers from Minor MC in case
--cppgc-young-generation is enabled.
Bug: v8:13475
Change-Id: I04ba1f2a22e05caebf53dc8d64f2488c42ab8579
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4026896
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84313}
Cancel the unnecessary fix
https://chromium-review.googlesource.com/c/v8/v8/+/4028559
and fix the problem at its root, TypedArraySpeciesCreateByLength.
This fix also fixes other variants of this bug (see tests).
Drive by: harden by setting length = 0 (not only byte_length) for length
tracking TAs.
Bug: v8:11111,chromium:1384474
Change-Id: I3ba660f7f600c0b946c75e7f13276703394c7df2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030259
Auto-Submit: Marja Hölttä <marja@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84312}
This mirrors the following Chromium CL:
https://crrev.com/31c75523db83496571386484cc03510cef35038a
`instrumented_libraries_release` will be necessary while the
msan bots are upgraded from Xenial to Focal.
Bug: chromium:1260217
Change-Id: I116a9f516c695797433c7b719f2579c0bda95ec8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4029616
Commit-Queue: Thomas Anderson <thomasanderson@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84311}
This will make our generic fuzzers (wasm-fuzzer, wasm-code-fuzzer,
wasm-async-fuzzer, ...) fuzz wasm-gc opcodes.
We were already fuzzing specific instructions in the wasm-compile
fuzzer, but were missing fuzzer coverage for corner cases and
instructions not supported by that fuzzer.
R=jkummerow@chromium.orgCC=manoskouk@chromium.org
Bug: v8:13496
Change-Id: Iccca96e32a64d20c11bc425fb5b1e9a1e3aa7486
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030986
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84310}
