This CL uses bits of the call count as flags according
to CallCountField and SpeculationModeField defined in
CallICNexus.
Bug: v8:7127
Change-Id: I3f64c1807d61410f9029b46b9a59a1fcaa5a0a3b
Reviewed-on: https://chromium-review.googlesource.com/808926
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49959}
This separates common logic that applies to both coverage/type profiling
(i.e. collecting feedback vectors into the list) from work that's only
required by coverage (resetting SFI::has_reported_binary_coverage and
FeedbackVector::invocation_count).
Bug: v8:6000
Change-Id: Icb36a8a6af34b3a425814d69653e331ca8f76cd5
Reviewed-on: https://chromium-review.googlesource.com/813922
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49956}
Add an element of padding to the frame constructed by the deoptimiser
when entering JSConstructStub, and update the non-arm64 backends such
that the frames agree for normal and deopt entry.
Bug: v8:6644
Change-Id: I99625e75760f0695b2389446c2ac3cac97c220f4
Reviewed-on: https://chromium-review.googlesource.com/814397
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/master@{#49954}
Bug: chromium:780819
Change-Id: I07c5ff3cf955edb087a175ea2d71a35e0f520ec3
Reviewed-on: https://chromium-review.googlesource.com/813839
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49953}
This CL prepares support for memory operations, where we will need to
call runtime functions for trapping, and hence need safepoint
information for iterating the frames correctly.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: I8c65d80cd69747d13d9084e7427253413fb4b808
Reviewed-on: https://chromium-review.googlesource.com/810784
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49952}
This upgrades binutils from 2.26 to 2.28.
BUG=chromium:761307
Change-Id: If556ca5912b4c06fdeb3f52b43a2530dfcabb624
Reviewed-on: https://chromium-review.googlesource.com/816017
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49951}
- in certain cases, we need both modification scopes because we may
mutate JS functions, even in the jit-to-native case - e.g. JS-to-wasm
wrappers
- added handling for wasm-to-wasm wrappers in the context of lazy
compilation.
Bug: v8:7105
Change-Id: I085c14e03ef0b08d040998f2207abf7bc3fff01c
Reviewed-on: https://chromium-review.googlesource.com/811285
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49947}
This is a reland of 0c2faa0633
Original change's description:
> [D8] Clean up ArrayBuffer Allocators in shell.
>
> - Reworks the class hierarchy in d8.cc to conform to the allocator API.
> In particular, allocators should malloc/free or equivalent unless
> v8::ArrayBuffer::Allocator::Reserve is called.
> - Modifies ExternalizedContents to remember the allocation mode.
> - ArrayAllocatorBase now tracks its allocations to make sure it doesn't
> call Free on externalized array buffers it didn't allocate.
>
> Bug: chromium:756050
> Change-Id: Ic2d07d36358f1b4fa542bea27f93d1d51a1757e1
> Reviewed-on: https://chromium-review.googlesource.com/807355
> Commit-Queue: Bill Budge <bbudge@chromium.org>
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Eric Holk <eholk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49893}
Bug: chromium:756050,v8:7146
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I8fe3a9d9af43196e16d02342a47347a76c0a1341
Reviewed-on: https://chromium-review.googlesource.com/811724
Reviewed-by: Eric Holk <eholk@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49945}
Bring the two functions closer together in implementation. Avoid
unnecessary assignment to top_on_previous_step_.
Bug:
Change-Id: I0b6881b02ab08a48bc2051e6786e22a7b25a4948
Reviewed-on: https://chromium-review.googlesource.com/815196
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
Cr-Commit-Position: refs/heads/master@{#49944}
This reverts commit 59f221740c.
Reason for revert: android build issue (https://build.chromium.org/p/client.v8.fyi/builders/Android%20Release%20%28Nexus%205X%29/builds/3583)
Original change's description:
> [wasm] Fix wasm-to-wasm handling in 'native heap' lazy compile
>
> Wasm-to-wasm uses a tail call mechanism to reach the target
> function. This means there is no frame for it. This CL ports
> the fix for that for the WasmCodeManager case, akin the current
> fix for the GC case.
>
> Bug: v8:7140
> Change-Id: I04c8a8da1de9cb837a0423493216d2226c53e756
> Reviewed-on: https://chromium-review.googlesource.com/814498
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49942}
TBR=bradnelson@chromium.org,titzer@chromium.org,mtrofin@chromium.org,clemensh@chromium.org
Change-Id: Iae0e43b386f08d2d56aeef70e9fa0af141232023
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7140
Reviewed-on: https://chromium-review.googlesource.com/815180
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49943}
Wasm-to-wasm uses a tail call mechanism to reach the target
function. This means there is no frame for it. This CL ports
the fix for that for the WasmCodeManager case, akin the current
fix for the GC case.
Bug: v8:7140
Change-Id: I04c8a8da1de9cb837a0423493216d2226c53e756
Reviewed-on: https://chromium-review.googlesource.com/814498
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49942}
We might run into the situation that all fp registers are already in
use for holding parameters. Thus, use the {GetUnusedRegister()} method
which might spill to free one of the registers.
R=ahaas@chromium.org
Bug: v8:6600, chromium:792037
Change-Id: I44b279922e31ac4acaa07b6a36ba2e394100fde0
Reviewed-on: https://chromium-review.googlesource.com/813834
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49940}
While the affect values must be valid addresses & thus will not overflow
the IntPtr type, they need to be interpreted as unsigned in comparisons.
Bug: chromium:792549, v8:7123, v8:3590
Change-Id: I864b50c8dbdc297d70bf83c74a83cc466c5f3eb0
Reviewed-on: https://chromium-review.googlesource.com/814395
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49937}
The tests illustrate the use of v8::EmbedderHeapTracer.
Bug: v8:7176
Change-Id: Ic383c968691fddb0ec96d66cb33ee42b9c304a75
Reviewed-on: https://chromium-review.googlesource.com/811924
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49934}
When enabling any coverage mode (other than best-effort), we trigger
deoptimization of all functions on the heap.
Prior to the recent removal of the weak list of optimized functions [0],
we'd unlink optimized code from all relevant JSFunctions during the call
to DeoptimizeAll.
After the weak-list-removal, this was no longer the case, hence this [1]
change which attempts to reset the code object from the
SharedFunctionInfo for all found JSFunction objects.
But this can create a situation in which JSFunctions are set up
incorrectly s.t. they have unoptimized code but no feedback vector.
This CL fixes that by leaving JSFunction objects untouched and relying
on self-healing mechanisms (CompileLazyDeoptimizedCode) to fix up
JSFunction::code.
[0] https://crrev.com/f0acede9bb05155c25ee87e81b4b587e8a76f690
[1] https://crrev.com/c/647596/5/src/debug/debug-coverage.cc
Bug: chromium:786784, chromium:791940, v8:6637
Change-Id: I13191f4c8800a0d72894b959105189dc09ca693e
Reviewed-on: https://chromium-review.googlesource.com/813615
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49932}
This is a preparation for a larger CL that needs VectorSlotPair
throughtout the compilation chain (including deoptimizer.cc).
Bug: v8:7127
Change-Id: Ia746805ca3fa294eedba19d23656f858840cd501
Reviewed-on: https://chromium-review.googlesource.com/813934
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49928}
Introduce new flag for starting young generation collection early
based on the current new space size.
Bug: v8:6972
Change-Id: I73dd28b8ac7df873b5c3e6ca4b3e55bdec5295a1
Reviewed-on: https://chromium-review.googlesource.com/811304
Commit-Queue: Michał Majewski <majeski@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49927}
This is a reland of 8dd405e39a. The MSAN
failures were unrelated and should be fixed by 75c1c6c.
Original change's description:
> [heap] introduce SpaceWithLinearArea class
>
> NewSpace and OldSpace have linear allocation areas, but presently the
> implementation doesn't share any code and there are subtle differences.
> This CL introduces a superclass 'SpaceWithLinearArea' that will be used
> to refactor and share code.
>
> Change-Id: I741e6a6ebb9e75c111287214fd1f555fba62c452
> Reviewed-on: https://chromium-review.googlesource.com/809504
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
> Cr-Commit-Position: refs/heads/master@{#49890}
Change-Id: I275bdc881b1b81f3ae3c7d36e919981ac4331315
Reviewed-on: https://chromium-review.googlesource.com/812324
Reviewed-by: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49926}
Ensure that the type is always stored correctly.
R=titzer@chromium.org
Bug: v8:6600, chromium:791810
Change-Id: Id3a3c20b14f8730b9550c548dec49ac47121e691
Reviewed-on: https://chromium-review.googlesource.com/811188
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49924}
Observers may start incremental marking and thus black allocation. Since
the object was allocated before invocing the observer the invariant
might not hold anymore.
Bug: v8:7174
Change-Id: I74fe1816303bedb28b69ec5ac83fd19e588acace
Reviewed-on: https://chromium-review.googlesource.com/813714
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49923}
This saves ~80KB code size for each Deoptimizer.
Bug:
Change-Id: I9fc6744e6acebad1d6012017caf2b29832364530
Reviewed-on: https://chromium-review.googlesource.com/809820
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49919}
The previous code assumed that trap handling was a global concept, defined
by function trap_handler::UseTrapHandler(). This CL does the first step
in changing the decision to be specifiable at a module level.
Therefore trap_handler::UseTrapHandler() is replaced by
trap_handler::IsTrapHandlerEnabled(), and communicates if compilation
supports the use of trap handlers (but still allowing the use of
bounds checking on memory accesses).
It then refactors the classes ModuleEnv and WasmCompiledModule to have
a field "use_trap_handler" that specifies if traps should be used for
the memory accesses in the module being compiled.
Bug: v8:7143
Change-Id: I9844842d5721c86c2dd55e911b42bf8b9922cf63
Reviewed-on: https://chromium-review.googlesource.com/802322
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49915}
Performed manual testing as well by making 20 CPU profile recordings of
loading http://meduza.io page. Without the patch the page renderer memory size
grows beyond 300MB. With the patch it remains below 200MB.
BUG=v8:6623
Change-Id: Ifce541b84bb2aaaa5175520f8dd49dbc0cb5dd20
Reviewed-on: https://chromium-review.googlesource.com/798020
Commit-Queue: Alexei Filippov <alph@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49914}
It will help us to preserve some scripts for user.
R=alph@chromium.orgTBR=jgruber@chromium.org
Bug: chromium:655701
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I6d42434148c2d9eb41c3a2af906e8c14ccf8d9a9
Reviewed-on: https://chromium-review.googlesource.com/806741
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49913}
Exposing the existing Context::AllowCodeGenerationFromStrings(false) API
to the command line.
Bug: v8:7134
Change-Id: I062ccff0b03c5bcf6878c41c455c0ded37a1d743
Reviewed-on: https://chromium-review.googlesource.com/809631
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49911}
