Instead of throwing a fatal error when setting a value in an array with
index larger than FixedArray:kMaxLength, we now throw an exception.
This CL propagates the exception in StoreInArrayLiteralIC.
Bug: chromium:1235093, chromium:1201626
Change-Id: Iaffd4eff47ad689fce2fd641ce1beaddd02d1a48
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3067220
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76036}
This avoids having all code writable while compiling functions. We only
need it writable for copying the code to the NativeModule and for
updating the jump table(s).
R=jkummerow@chromium.org
Change-Id: Ifb212b1cd3f7702fac4b1eb9e7bc7d5b5bd5198a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3063221
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76035}
For large frames we are executing a special stack check that checks the
remaining stack space before allocating the new frame. Different
platforms used different limits for the frame size so far. Liftoff
already uses 4KB everywhere, hence use the same limit also for TurboFan.
Drive-by: Remove an outdated and misleading comment, and other minor
simplification.
R=ahaas@chromium.org
Bug: v8:12017
Change-Id: I6548b2293ec255349bf4e08c26fd05b7e0df0497
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3063501
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76034}
Regressed in crrev.com/152ecad8cd4d170e4091a79eaa8d70d10d94734d.
Fixed: chromium:1234931
Change-Id: I8f2b603a914fccaeaeb3dcffa63070cf8fb6f0e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3064604
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76033}
Also:
* Remove forward declare and As##Name for never serialized Data classes
* Remove the Data classes
* Refactor macro list to encode being background or never serialized
Bug: v8:7790
Change-Id: Ide29d89072b247311f29948f04c4147c5c1103cc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3056458
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76032}
A JSFunction object may count as 'ObjectMayBeUninitialized', yet still
be safe to read for other reasons (e.g. because it has been loaded
through a chain of acquire-loads and immutable-after-initialization
guarantees).
Bug: chromium:1235071,v8:7790
Change-Id: I18c81695f001fd67e69d98dde641b71ed7b7e53d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3064606
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76031}
Look up the corresponding details on the given map instead of the
owner map.
Change-Id: I2dcd0b24216c2bdc5860518d34d710b771f74973
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3063234
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76030}
Change-Id: I0ba9c4bf13ff13e69d960fba44f93124be5a31a7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3063499
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76029}
wasm-code-manager.cc is no longer included if v8_enable_webassembly ==
false, so we can remove this guard.
Bug: v8:11879
Change-Id: Ide77e7e334d2711c1cbbbbedc34c2796ffaf793d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3061358
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76024}
Since recently, the WebAssembly instance gets cached in Liftoff code
to avoid reloading it from the stack whenever it is used. Typically the
cached instance gets invalidated at a function call and therefore does
not need to be recorded in safepoints.
However, when the DebugBreak builtin is called, the cached instance
was not invalidated. It is even incorrect to invalidate the cached
instance there because that would modify the CacheState of Liftoff.
Therefore this CL adds the register that caches the instance to the
safepoint of the call to the DebugBreak builtin.
R=clemensb@chromium.org
Bug: v8:11979
Change-Id: I7f9153e0c0e7e797b11b827111b4d61e29606071
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3063222
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76021}
With concurrent inlining, the TransitionDependency ctor can no
longer assume that the given map is not deprecated. This is not an
issue since IsValid will check it again.
Also remove some other outdated DCHECKs and turn a few DCHECKs into
CHECKs since the properties they check are not so obvious anymore with
concurrency.
Bug: v8:12033, v8:7790
Change-Id: I932f7f6440697d693b0c0e6472406329af29b46b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3062576
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76020}
Replace the hard-coded blocklist ("Response.body" and "Request.body") in
the V8 inspector with proper side-effect free debug evaluate. This is
otherwise a non-functional change and in particular preserves the
behavior of reporting accessors as (own) data properties. That will be
tackled in a follow-up CL.
This CL is possible because with https://crrev.com/c/3056879 Blink now
properly marks accessors as side-effect free consistently with what the
V8 inspector had done before.
Doc: http://doc/1gLyyOlssS5zyCSEyybVC-5sp0UnNJj2hBoFyf6ryrTc
Bug: chromium:829571, chromium:1076820, chromium:1119900
Change-Id: Idb256accaf4cfb5db5982b3eb06ddcef588be635
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3062573
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Philip Pfaffe <pfaffe@chromium.org>
Reviewed-by: Philip Pfaffe <pfaffe@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76019}
The original CL was flaky because deserialization did not wait correctly
for the compilation of missing functions to finish. The baseline-finished
event was set even when there were still some functions missing. The
combination of deserialization and lazy compilation was also not handled
correctly.
Original change's description:
> [wasm] Support partial serialization of modules
>
> At the moment a WebAssembly module can be serialized successfully when
> all functions were compiled with TurboFan. However, for some functions
> it may not be necessary to be compiled with TurboFan, e.g. for functions
> where Liftoff code is as good as TurboFan code.
>
> With this CL we allow WebAssembly modules to get serialized even when
> not all functions are compiled with TurboFan. Missing functions are
> marked as missing in the serialization. Upon deserialization, missing
> functions either get compiled by Liftoff, or initialized with a
> lazy-compilation stub, depending on the V8 configuration.
>
> Bug: v8:11862
Change-Id: I79a9e8e14199cff87fce6ae41a87087e047bbc65
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3060485
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76017}
Rename CopyAndConvertArrayToCppBuffer as
TryCopyAndConvertArrayToCppBuffer and implement type specialization for
int32_t and double in order to speed up V8 bindings with sequences.
This API is used by Blink code, for example see
https://chromium-review.googlesource.com/c/chromium/src/+/3027405.
Bug: v8:11739
Change-Id: I026a7f5e7833fb1afcc2ea9c296b66c7f733cbb1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3036407
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76016}
pthread_rwlock_t can deadlock on Mac if signals are sent to the process
at the wrong moment. Since we use processes e.g. for sampling profiling
(in both d8 and in Chrome), we hence cannot safely use pthread_rwlock_t
on Mac. Instead, fall back to a non-shared pthread_mutex_t.
Interestingly, this shows no measurable performance impact in Wasm
compilation on my MBP.
R=mlippautz@chromium.org
Bug: v8:11399
Change-Id: Ie8bfd5288bba8c4f3315ee4502b39b59d39c9bbd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3060480
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76015}
Traces calls to Heap::IsAllocationPending that return true. This is
useful when debugging concurrent Turbofan.
Bug: v8:7790
Change-Id: If10e6f40c3bf03c768ad8b74403007fe86f860fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3060488
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76012}
CL also optimizes the usage on Power9 by using
mtvsrdd.
Change-Id: Ibd6b227111adc0c262c621be6ce4068d3de2e659
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3060493
Reviewed-by: Junliang Yan <junyan@redhat.com>
Reviewed-by: Milad Fa <mfarazma@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#76008}
Port 642a467338
Original Commit Message:
If a GC happens between Code object allocation and Code finalization,
we might have invalid embedded object references. We fall back and patch
the references back to handles, then unbox the handles and relocate.
R=victorgomes@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N
Change-Id: I680cc33fa9d06d7a00cc52c142599bb5536a9b88
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3060487
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#76004}
Introduce a flush_baseline_code flag to control if baseline code is
flushed or not. Currently flush_baseline_code implies flush_bytecode
as well. So if flush_baseline_code is enabled both bytecode and baseline
code are flushed. If the flag is disabled we only flush bytecode and
not baseline code.
In a follow-up CL we will add support to control baseline and bytecode
flushing independently i.e. we can flush only bytecode / only baseline
code / both.
Bug: v8:11947
Change-Id: I5a90ed38469de64ed1d736d1eaaeabc2985f0783
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3059684
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76003}
When calling the {Isolate::StackOverflow} method, we should not have
overflown the stack limit by too much. Otherwise there might not be
enough space on the stack for handling the stack overflow exception.
This DCHECK would have failed before landing https://crrev.com/c/3059074
and https://crrev.com/c/3059075. If it fails, we might need to add more
special stack checks also in other places. Such failures should not be
considered security issues per se, but we should try to fix them to
avoid potential issues.
R=jkummerow@chromium.org
CC=ahaas@chromium.org
Bug: v8:12017
Change-Id: I25e42a20d3fcc981c266ae998f52b3f090237297
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3059076
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75998}
This reverts commit bce81d6be0.
Reason for revert: Newly introduced test is flaking, e.g. https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20ASAN/41030/overview or https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux/43171/overview
Original change's description:
> [wasm] Support partial serialization of modules
>
> At the moment a WebAssembly module can be serialized successfully when
> all functions were compiled with TurboFan. However, for some functions
> it may not be necessary to be compiled with TurboFan, e.g. for functions
> where Liftoff code is as good as TurboFan code.
>
> With this CL we allow WebAssembly modules to get serialized even when
> not all functions are compiled with TurboFan. Missing functions are
> marked as missing in the serialization. Upon deserialization, missing
> functions either get compiled by Liftoff, or initialized with a
> lazy-compilation stub, depending on the V8 configuration.
>
> Bug: v8:11862
> Change-Id: Ic833a17639bf841c5def6fe3c35173fe0376c246
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2960209
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75987}
Bug: v8:11862
Change-Id: I5445c097ec47f407e5f951d4cf6d2168113f80e8
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3060484
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#75997}
If a GC happens between Code object allocation and Code finalization,
we might have invalid embedded object references. We fall back and patch
the references back to handles, then unbox the handles and relocate.
Bug: v8:11872
Change-Id: I3a7b050c20179c1708eef343ec8266441ab5dca1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3059689
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75996}
This adds a code comment before the OOL code for the special stack check
for a large frame. Otherwise it is hard to see where it begins in the
code, and it might be unexpected to see that block of code at the end of
a Liftoff function.
Drive-by: Replace another "out of line: " comment by "OOL: ", which is
typically understood equally well.
R=ahaas@chromium.org
Bug: v8:12017
Change-Id: Ie8b243cedebe979ca46e0515a9fdd0695ab58304
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3059081
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75995}
The JS API constructor was renamed to "WebAssembly.Tag" to match the
spec:
https://github.com/WebAssembly/exception-handling/issues/159
Rename "exception" to "tag" throughout the codebase for consistency with
the JS API, and to match the spec terminology (e.g. "tag section").
R=clemensb@chromium.org,nicohartmann@chromium.org
Bug: v8:11992
Change-Id: I63f9f3101abfeefd49117461bd59c594ca5dab70
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3053583
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75994}
Clearing cached PropertyAccessInfos is used for stress-testing. Note
all this will soon be removed.
Bug: v8:7790,chromium:1234288
Change-Id: I4576563375b65830296cad295342823700d13b3a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3059696
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75992}
Add an explicit check for the available stack space before allocating a
large frame. Even though this typically does not cause problems on ia32,
we should do it to be consistent with other platforms and with TurboFan
code.
This follows the same structure as on x64: https://crrev.com/c/3059074
A follow-up CL will add a DCHECK to verify that we never overflow the
stack space by more than 4KB (https://crrev.com/c/3059076).
R=ahaas@chromium.org
Bug: v8:12017
Change-Id: Ifffe56f29feae14545e6f70e30a1c94c5eabad6f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3059075
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75991}
Add an explicit check for the available stack space before allocating a
large frame. Even though this typically does not cause problems on x64,
we should do it to be consistent with other platforms and with TurboFan
code.
After also fixing ia32 (https://crrev.com/c/3059075), we can add a
DCHECK to verify that we never overflow the stack space by more than
4KB (https://crrev.com/c/3059076).
R=ahaas@chromium.org
Bug: v8:12017
Change-Id: I4f407dc6a83d4a71636066777706f23d05002111
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3059074
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75990}
The comment is a left-over of the state before
https://crrev.com/c/3055302. It should have been removed as part of that
CL.
R=ahaas@chromium.org
Bug: v8:12017
Change-Id: Ic5234b230b3eda30e9a4a346e8c3b83c813a5dbf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3059078
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75989}
This will change the behavior of %TypedArray%.prototype.fill.
Bug: v8:11111
Change-Id: I66e7d3decf07663a6497c3c86374b3c77ab6a682
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3056977
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75988}