Replace all usages of VectorSlotPair with FeedbackSource.
Bug: v8:7790
Change-Id: I0ac6e9cd8f5730154cc1842e267ca1ebfdebc874
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763536
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63378}
With this Cl, a function that has been marked for deoptimization will
not be reported as optimized. This protects against potential races
where an mjsunit tests assertUnoptimized, and the optimized code for
the function has been marked for deoptimization, but not been disposed
of yet.
The potential for this race has been discovered in the context of bug
v8:9563, but this CL is not a fix for that bug.
Change-Id: I89d8aa85f19033e6b823324b3307b95d61367147
Bug: v8:9563
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763543
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63377}
This reverts commit dc1cc2232b.
Revert "[regexp] Implement the match indices proposal"
This reverts commit 9460101cdb.
Reason for revert: Causes confusion on Blink side, as it introduces
an object with >=2 internal fields that is not a wrapper (see bug).
Bug: chromium:996681
Change-Id: I5c167e9e15bfbec2aa6b843e3063ead5d52fb26c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768897
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63376}
With no more MutableHeapNumber, we can make Double -> Tagged transitions
in-place, at the cost of an extra map check when accessing double fields
to make sure they are still doubles.
Bug: v8:9606
Change-Id: I74ff39ed6fba62ee223cd37dfe761f7d73020e1c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743973
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63374}
In order to reflect web reality, TC39 has made some slight changes to
name descriptors, see https://github.com/tc39/ecma262/pull/1490 for
details. V8 was mostly already in compliance with these changes, but
ThrowTypeError and anonymous classes needed some slight changes.
Bug: v8:9646
Change-Id: I163238954938f0c005e3adbc61b90498e01436da
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1764622
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63373}
Replace uses of WordEqual on two tagged representation nodes with a new
TaggedEqual helper, which on pointer compressed configs only compares
the bottom 32-bits of the word. We no longer allow using WordEqual on
anything not known to be a WordT (i.e. Node* or TNode<Object>).
In the future, this may allow us to ignore the top bits of an
uncompressed Smi, and have simpler decompression, though this patch is
not sufficient for such a change.
As a necessary drive-by, TNodify a bunch of stuff.
Bug: v8:8948
Change-Id: Ie11b70709e5d3073f12551b37b420a172a71bc99
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763531
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63372}
Introduce list of invalidated objects for old-to-new slots. Objects
are registered as invalidated in NotifyObjectLayoutChange, however
no slots are filtered right now. Slots are still deleted, so all
recorded slots are valid.
Bug: v8:9454
Change-Id: Ic0ea15283c4075f4051fae6a5b148721265339f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1765528
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63367}
This changes Compiler::CollectSourcePositions to skip finalization of
the BytecodeArray, constant table, handler table, ScopeInfos as well as
internalization of Ast values since only the source position table is
used and the others will be collected soon after by the GC.
It will also now avoid recompiling inner functions that would otherwise
be eagerly compiled.
BytecodeArrayWriter::ToBytecodeArray has been changed to never populate
the source_position_table.
Bug: v8:8510
Change-Id: I2db2f2da6b48fde11f17a20d017c1a54c0a34fc2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763538
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63365}
While we only need to check stability of the receiver map if its
inference was "unreliable", we must check stability of each prototype's
map unconditionally.
Bug: chromium:997100
Change-Id: I20071ac9eb74c810ad2ab1d78abfb54a1a006c29
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768576
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63364}
Avoid clearing the memory on the embedder-side of a TracedGlobal handle.
When using destructors in TracedGlobal this is safe as long as the embedder
reports the handle on tracing GCs. If the embedder does not report a handle it
is assumed that the containing object is dead as well.
Without using destructors the same argument holds for tracing GCs. In addition,
embedders using the optimization of clearing references on non-tracing GCs
are expected to clear the reference in ResetHandleInNonTracingGC.
It is suggested that only expert embedders make use of (a) no destructors and
(b) IsRootForNonTracingGC.
Change-Id: Ia417c0eb0860094fcaa554e7046d38abac905714
Bug: chromium:995684
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763539
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63362}
This change adds the indexed field for the characters in the definition
of sequential string types, and introduces support for recognizing the
various specific string types in v8_debug_helper. In an attempt to
avoid duplicating info about string instance types, it also refactors
String::Get so that StringShape (a simple class usable by postmortem
tools) can dispatch using a class that defines behaviors for each
concrete type.
Bug: v8:9376
Change-Id: Id0653040f6decddc004c73f8fe93d2187828c2c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1735795
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63352}
This reverts commit 5c59ba4fbc.
Reason for revert: requires more thinking
Original change's description:
> [ic] Fix KeyedLoadIC for ArrayIndex access
>
> Previously, without support for converting strings to numbers we'd
> switch to megamorphic state and go to the runtime always to do the
> conversion causing a performance cliff.
>
> This patch improves the following js-perf-test scores:
> Object-Lookup-String-Constant-BytecodeHandler: 4.25%
> Object-Lookup-Index-String-BytecodeHandler: 5.41%
>
> Bug: v8:9449
> Change-Id: I63787fa84373fc946f1304b0141e48a52a1b4bcb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1690953
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63293}
TBR=mythria@chromium.org,jyan@ca.ibm.com,gsathya@chromium.org,leszeks@chromium.org,ishell@chromium.org,verwaest@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:9449
Change-Id: I6b6ad5901175c2e6bbd7516b13e91471adb5776d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1765532
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63347}
This preserves the object identity of a {WebAssembly.Function} instance
that is being re-exported by a module. Such functions are considered to
have an internal [[FunctionAddress]] slot and hence require their object
identity to be preserved (similar to {WasmExportedFunction} already).
R=jkummerow@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742
Change-Id: I88ba75fcd91ce04440008467f3b218a1ac3047db
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763545
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63346}
This new FreeList should be a reasonable replacement for our old
FreeListLegacy: it is slightly less efficient (~1%), but uses much
less memory (often 5% less old_space size).
It is based on FreeListMany, with the following additions:
- A cache to waste less time iterating empty categories
- A fast path for allocations done in the runtime and generated code
- A slow path (the same as FreeListMany actually) for allocations
done in the GC.
Bug: v8:9329
Change-Id: Ifc10b88df7861266a721afd2c6e6d8357255ec4e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762292
Commit-Queue: Darius Mercadier <dmercadier@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63345}
For import wrappers, we add a special "callable" parameter as the last
parameter. This parameter is not set in the TurboFan graph but in the
code generator. Therefore this parameter has to be allocated in a
special register and cannot be lowered generically. With this CL we
detect in the CallDescriptor lowering if the last parameter is this
special "callable" parameter. If so, we preserve it in the lowered
CallDescriptor in the same register.
R=jkummerow@chromium.org
Bug: v8:7741
Change-Id: I884baa41813011c811612ec84f4e3cfe86a0e83a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762014
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63344}
This CL adds a mechanism that prevents the RuntimeProfiler from
triggering optimization of a function after
%PrepareFunctionForOptimization has been called. This is useful to
prevent flakiness in tests, as sometimes a function that already
got deoptimized would receive a new code object from a concurrent
compile that was triggered by a heuristic just in the right moment
for the assertUnoptimized test to fail. For example, the following
was happening:
PrepareFunctionForOptimization
[marking `testAdd` for optimized recompilation, reason: small function]
[concurrently compiling method `testAdd` using TurboFan]
[manually marking `testAdd` for non-concurrent optimization]
[synchonously compiling method `testAdd` using TurboFan]
[synchonously optimizing `testAdd` produced code object 0xAAAA - took 1.638 ms]
Runtime_GetOptimizationStatus OPTIMIZED `testAdd` (code object 0xAAAA)
DeoptimizeFunction `testAdd` with Code Object 0xAAAA
[concurrently optimizing `testAdd` produced code object 0xBBBB - took 3.377 ms]
Runtime_GetOptimizationStatus OPTIMIZED `testAdd` (code object 0xBBBB)
Bug: v8:9563
Change-Id: Ia4c846aba95281589317d43b82383e70fe0a35f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763546
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63343}
This reverts commit e66cee7e9e.
Reason for revert: Speculative revert for https://ci.chromium.org/p/chromium/builders/try/linux-rel/173349
Original change's description:
> [debug] only break on entry when immediately called from JS
>
> When we break on function entry, check whether the target function is being
> called from JS after entering V8 through V8's API. We implement this by
> keeping track of the stack height when we enter V8 through the API, and compare
> the caller JS frame's stack height with that.
>
> R=szuend@chromium.org
>
> Bug: chromium:991217, chromium:992406
> Change-Id: I258ad9cef11fe0ef48de6fd5055790792fd0ec0c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762298
> Commit-Queue: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63331}
TBR=yangguo@chromium.org,szuend@chromium.org
Change-Id: I4bfb42f7ce1484807696048a09609f14113d10f4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:991217, chromium:992406
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762525
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63341}
Automated cleanup which finds patterns of `Node* a = foo` where `foo` is
a TNode expression, and replaces Node* with the appropriate TNode.
Bug: v8:9396
Change-Id: I8b0cd9baf10e74d6e2e336eae62eca6cfe6a9c11
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762515
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63335}
When we break on function entry, check whether the target function is being
called from JS after entering V8 through V8's API. We implement this by
keeping track of the stack height when we enter V8 through the API, and compare
the caller JS frame's stack height with that.
R=szuend@chromium.org
Bug: chromium:991217, chromium:992406
Change-Id: I258ad9cef11fe0ef48de6fd5055790792fd0ec0c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762298
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63331}
We have internal::TickSample which inherits from this, but we never
use the public version in the API despite defining it there.
Change-Id: I6f0ce7ee663ef821be57cfbad540c1660484a525
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1745472
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63329}
This CL was reviewed originally in https://crrev.com/c/1518181.
Bug: v8:7741
Change-Id: Iddb139a24c4b9aee6694e20cb5d04e9f9887160c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752859
Auto-Submit: Sven Sauleau <sven@cloudflare.com>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63321}
This CL implements the nullish operator in bytecode as defined by:
https://github.com/tc39/proposal-nullish-coalescing. It can be
enabled by passing '--harmony-nullish'.
Nullish is similar to logical operators, but instead of truthy/falsey
values, it short circuits when it evaluates a null or undefined value.
Bug: v8:9547
Change-Id: Ia0f55877fc2714482b5547942baef9733537d1b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1738568
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63317}
This CL consists of several preparatory steps for slices in Torque. Above all, it introduces a user-defined struct, torque_internal::Slice<T>, that performs bounds checking and returns references to elements in arrays. To enable this, several smaller changes were also made:
- Constructors of internal classes such as torque_internal::Reference<T> now require a special 'Unsafe' argument, making it clear that there be dragons.
- Struct methods are now declared during finalization. This allows instances of generic structs to have methods referring to the same struct. Previously, methods would be declared before the instance had been fully registered, leading to errors during type resolution. Furthermore, such methods were declared in a temporary namespace, that would then erroneously escape and lead to use-after-free issues.
- Instances of TypeArgumentInference were not running in the correct (Torque) scopes, leading to type resolution errors.
- The chain of ContextualVariable::Scope for any given ContextualVariable (such as CurrentScope) can now be walked, simplifying debugging.
R=jgruber@chromium.org, tebbi@chromium.org
Bug: v8:7793
Change-Id: I36f808f63cc3ce441062dfc56f511f24f1e3121e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758322
Commit-Queue: Georg Schmid <gsps@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63314}
The linkage should not have any knowledge about the existance of nodes.
R=mstarzinger@chromium.org
Bug: v8:9396
Change-Id: If10bf113c6ec19c434573a8d9bb7b736caef5dee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763532
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63313}
This adds type reflection support to the {WebAssembly.Module.exports} as
well as {WebAssembly.Module.imports} method. It also refactors existing
reflective code to use the internal instead of the public embedder API,
which is slightly more efficient anyways.
R=ahaas@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742
Change-Id: I88a6c7e9236a549808707c72e40a63302b7747a9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763527
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63312}
This just adds a test case checking against the current behavior, but
expectations might change once the proposal is clarified. For details
see: https://github.com/WebAssembly/js-types/issues/11R=ahaas@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742
Change-Id: I2fc502460c0a8094a414d138703b75497b2d1c6f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762517
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63311}
This CL fixes a bug where function proxies were reported as functions
instead as proxies to devtools, which caused dev-tools to call methods
on the function, possibly triggering side-effects.
Change-Id: I1d5d234b784601bd4b7ec91107e4b0cf0d877d07
Bug: chromium:995753
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762303
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63307}
The tests were assuming that the destructor leaves behind memory in a
defined state when the object was allocated with placement new. Turns
out gcc with no component builds optimizes away the resetting of the
memory.
There's a simpler way to test the functionality by inspecting global
handle counts.
Bug: v8:9639, chromium:995684
Change-Id: I253d84910414c62ca314507b20d2c819f925ea6e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762512
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63303}
When regexp match indices are enabled, we stash required data in the JSRegExpResult object,
and then build a JSRegExpResultIndices object lazily when the 'indices' property is
accessed.
This cl simply checks that fast and slow paths produce the same values for
result.indices and result.indices.groups.
Change-Id: I6322d8eaef4c6e5a0ed3a5aef8b2ff05ac2b2c7a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763249
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63301}
This set of macros was only used for one test, while another versions
exists in the header file that's used in the rest of the tests. Clean up
the duplication.
R=ahaas@chromium.org, titzer@chromium.org
Change-Id: I851c47a0748b5c78d9a966dfb59b95a3381e7cf7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1747179
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63300}
This adds type reflection support to the {WebAssembly.Module.exports} as
well as {WebAssembly.Module.imports} method. It also refactors existing
reflective code to use the internal instead of the public embedder API,
which is slightly more efficient anyways.
R=ahaas@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742
Change-Id: Ic51b7b4744f7b3ad056a778aecfc4614ca8d6e75
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762019
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63299}
private name was not found in the current scope. Outer private names
were sometimes coincidentally correctly resolved if the innermost
ClassScope does not need to allocate a context and does not have a
ScopeInfo.
ClassScope: :LookupPrivateName was not walking the scope chain when a
Change-Id: I18937e6cdf2ad4ae15825b11762fbec7a1358145
Bug: v8:9635
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1761547
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63295}
Since the mutability of HeapNumbers is determined by their owning
object's descriptor array, we can remove the MutableHeapNumber type
entirely, at the cost of a few fewer DCHECKs and a couple of TODOs
to use the descriptor array information.
This is a necessary step towards a follow-up which allows in-place
Double -> Tagged transitions
Design doc: https://docs.google.com/document/d/1VeKIskAakxQFnUBNkhBmVswgR7Vk6T1kAyKRLhqerb4/
Bug: v8:9606
Change-Id: I13209f9c86f1f204088f6fd80089e17d956b4a50
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743972
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63294}
Previously, without support for converting strings to numbers we'd
switch to megamorphic state and go to the runtime always to do the
conversion causing a performance cliff.
This patch improves the following js-perf-test scores:
Object-Lookup-String-Constant-BytecodeHandler: 4.25%
Object-Lookup-Index-String-BytecodeHandler: 5.41%
Bug: v8:9449
Change-Id: I63787fa84373fc946f1304b0141e48a52a1b4bcb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1690953
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63293}
TracedGlobal is already cleared by V8 during garbage collections. It's
the embedders responsibility to clear the reference if it destroys the
underlying reference through other means.
Allow embedders to specify whether they want TracedGlobal to execute
clear on destruction via TracedGlobalTrait.
Bug: chromium:995684
Change-Id: Ieb10cf21f95eb97e01eff15d4fbd83538f17cf7c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762007
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63289}
When deserializing from a code snapshot with logging enabled (e.g. when
profiling) then this ensures source positions are collected before
creating code events that need them.
Bug: chromium:994673, v8:9504
Change-Id: Iad7644e983d3004c4889615cf2104dc4ef40da46
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762023
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63286}
This patch implements the declaration of private accessors.
When iterating over the class properties, we track private
accessors associated with the same name in a ZoneHashMap.
Once we get to all the necessary components for a private name
(we know statically whether we should expect only a setter,
only a getter, or both), we emit a call to a runtime function
`CreatePrivateAccessors` that creates an AccessorPair, and
store the components in it. The AccessorPair is then associated
with the private name variable and stored in the context
for later retrieval when the private accessors are accessed.
Design doc: https://docs.google.com/document/d/10W4begYfs7lmldSqBoQBBt_BKamgT8igqxF9u50RGrI/edit
Bug: v8:8330
Change-Id: Ie6d3882507d143b1f645d7ae82b21b7358656e89
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1725670
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63284}
Fixes bytecode mismatch between lazy and non-lazy where "this" was
marked as maybe assigned in constructors that called the super
constructor. Since this will return the hole in cases where it was not
yet initialized by super (and the hole is explicitly handled by
JSContextSpecialization::ReduceJSLoadContext), it's safe to treat it as
a constant in all cases. In the case of lazy compilation case, "this"
is never added to the ScopeInfo so is never seen as mutable.
Bug: chromium:994719
Change-Id: I43478fbc626b19eb1533aa9dec61b7f276ae140b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762025
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63283}
Do not pass it as argument to CreateObjectFillerAt and remove the enum.
Bug: v8:9454
Change-Id: Iafa37acbfea73d3cabb1732dbec0944db859fac2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762017
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63282}
Before dd6f4d4f4c, this function was reading a single u8 and verifying
that it was 0x00. The referenced commit dropped this check as part of
implementing decoding for table.get, but neglected to change the read type
to u32v, which is the specified type of this immediate. Fix that.
R=ahaas@chromium.org, titzer@chromium.org
Change-Id: Ic2ce795023ec57be2c95aa79e62d3ccd1aa9c43c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1747178
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63281}
This just adds the upstream tests; our implementation already had support.
Change-Id: If8d340ebe79eae65d12164a01883482d521b8451
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762287
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63280}
This adds type reflection support to the {WebAssembly.Module.exports} as
well as {WebAssembly.Module.imports} method. It also refactors existing
reflective code to use the internal instead of the public embedder API,
which is slightly more efficient anyways.
R=ahaas@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742
Change-Id: I168741d382373ec47ebe0517ce7803732cbb3b24
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762011
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63276}
This adds type reflection support to the {WebAssembly.Module.exports} as
well as {WebAssembly.Module.imports} method. It also refactors existing
reflective code to use the internal instead of the public embedder API,
which is slightly more efficient anyways.
R=ahaas@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742
Change-Id: I5f20ea57261f6433b8d86f55054216bf96b41382
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1760826
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63273}
Implements match indices for regexp, as specified by
https://github.com/tc39/proposal-regexp-match-indices,
a stage 3 TC39 proposal. This implementation is hidden
behind the '--harmony-regexp-match-indices' flag.
Regexp match indices extends the JSRegExpResult object
with an array of indices of matches, as well as a
dictionary of capture names to match indices.
Bug: v8:9548
Change-Id: I9866a2d1f5af6a507de710357cb5e74c694e7558
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1734937
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63272}
This brings the graph builder in sync with the serializer (and
exponentiation in sync with the other binary operators).
Bug: chromium:995430, v8:7790
Change-Id: I809b6f3756f75392cdc6747f8bcee8cdf0ee0f74
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762013
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63269}
... by making the operator have a control output, since we could deopt
after my last change.
Bug: chromium:995562, v8:7790
Change-Id: Ibc8c44708b4d43c4b2c3dfab2fd8fdf79c7ea671
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762010
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63268}
This change is very mechanical:
own<Foo*> → own<Foo>
vec<Foo*> → ownvec<Foo>
As usual, everything in third_party/ is straight-up copied from upstream.
Change-Id: If5fabda99e2b281da6f2e71ce23a2f5b68aaac86
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1760815
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63263}
Adds support to the CPU profiler for scraping the incumbent contexts of
V8 stack frames. While it is generally unsafe to access heap objects
during a profiling interrupt, the native context is uniquely usable due
to being guaranteed an alive root on the stack, as well as its slots
being immutable after context creation.
Change-Id: I2c3149c1302b74d2f13aa99d1fdd0cf006e0f9d1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1580020
Commit-Queue: Andrew Comminos <acomminos@fb.com>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63258}
This reverts commit 60843b426b.
Reason for revert: TSAN detected issue between Scavenge workers.
One task could invoke RefillFreeList(), while the other task iterates the remembered set of a swept page.
Original change's description:
> Use list of invalidated objects for old-to-new refs
>
> Instead of inserting "deletion" entries into the store buffer, keep a
> list of invalidated objects to filter out invalid old-to-new slots.
>
> The first CL https://crrev.com/c/1704109 got reverted because both the
> sweeper and the main task were modifying the invalidated slots data
> structure concurrently. This CL changes this, such that the sweeper
> only modifies the invalidated slots during the final atomic pause when
> the main thread is not running. The sweeper does not need to clean this
> data structure after the pause, since the "update pointers" phase
> already removed all invalidated slots.
>
> The second CL https://crrev.com/c/1733081 got reverted because the
> sweeper might find more free space than the full GC before it. If an
> object shrinks after the pause but before the sweep, the invalidated
> object might span free memory and potentially new allocated objects.
> Therefore shrink invalidated objects when processing swept pages on
> the main thread. Also clean recorded slots in the gap.
>
> TBR=petermarshall@chromium.org
>
> Bug: v8:9454
> Change-Id: I80d1fa3bbc24e97f7c97a373aaad66f105456f12
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751795
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63239}
TBR=ulan@chromium.org,hpayer@chromium.org,dinfuehr@chromium.org
Change-Id: I9c6a371ebe36a1873acbe0d6c6a75dd2f5a55f4e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9454
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1760817
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63253}
The optional chaining bytecode in delete expressions was
unconditionally jumping if the receiver was nullish, instead
of just when the property was an actual optional chain link.
This change adds the missing check around the jump.
Change-Id: Ic7bed58be4ae62d157e63e4f77666b1abd1f802d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1755264
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63251}
This is a reland of 82111e2286
Relanding since we now have more shards:
https://chromium-review.googlesource.com/c/v8/v8/+/1760810
Original change's description:
> [CSA][cleanup] TNodify some methods related to prototype and property lookup
>
> This is a CL in a string of CLs that aims to TNodify CSA. In particular,
> there were some loads that were done in AnyTagged instead of
> TaggedPointer. TNode-ifying them brings improvement in pointer
> compression since we are able to decompress using the Pointer
> decompression.
>
> TNodified:
> * LoadJSFunctionPrototype
> * TryPrototypeChainLookup
> * OrdinaryHasInstance
>
> Also TNodified loads regarding:
> * FeedbackCell::kValueOffset
> * HeapObject::kMapOffset
> * JSFunction::kSharedFunctionInfoOffset
> * JSFunction::kFeedbackCellOffset
> * Map::kInstanceTypeOffset
> * Map::kInstanceDescriptorsOffset
> * Map::kPrototypeOffset
>
> Drive-by cleanup: StoreJSArrayLength and StoreElements were unused.
>
> Bug: v8:6949, v8:9396
> Change-Id: I89697b5c02490906be1eee63cf3d9e60a1094d48
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1755844
> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63216}
Bug: v8:6949, v8:9396
Change-Id: I040aefcf8af60611f7b3c24f3bd5c661e03b6ada
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1760811
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63249}
Test mjsunit/regress/regress-992389 explicitly sets the jitless flag
when run.
Skip this test when run on builds without embedded-builtins.
Bug: v8:9632, chromium:992389
Change-Id: Ieb52a33006b1104080d8f5adb8c4f2c36e4413af
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758317
Commit-Queue: Patrick Thier <pthier@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63240}
Instead of inserting "deletion" entries into the store buffer, keep a
list of invalidated objects to filter out invalid old-to-new slots.
The first CL https://crrev.com/c/1704109 got reverted because both the
sweeper and the main task were modifying the invalidated slots data
structure concurrently. This CL changes this, such that the sweeper
only modifies the invalidated slots during the final atomic pause when
the main thread is not running. The sweeper does not need to clean this
data structure after the pause, since the "update pointers" phase
already removed all invalidated slots.
The second CL https://crrev.com/c/1733081 got reverted because the
sweeper might find more free space than the full GC before it. If an
object shrinks after the pause but before the sweep, the invalidated
object might span free memory and potentially new allocated objects.
Therefore shrink invalidated objects when processing swept pages on
the main thread. Also clean recorded slots in the gap.
TBR=petermarshall@chromium.org
Bug: v8:9454
Change-Id: I80d1fa3bbc24e97f7c97a373aaad66f105456f12
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751795
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63239}
This reverts commit 82111e2286.
Reason for revert: Speculative revert, could be causing timeouts - https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm%20-%20sim%20-%20debug/17567
Original change's description:
> [CSA][cleanup] TNodify some methods related to prototype and property lookup
>
> This is a CL in a string of CLs that aims to TNodify CSA. In particular,
> there were some loads that were done in AnyTagged instead of
> TaggedPointer. TNode-ifying them brings improvement in pointer
> compression since we are able to decompress using the Pointer
> decompression.
>
> TNodified:
> * LoadJSFunctionPrototype
> * TryPrototypeChainLookup
> * OrdinaryHasInstance
>
> Also TNodified loads regarding:
> * FeedbackCell::kValueOffset
> * HeapObject::kMapOffset
> * JSFunction::kSharedFunctionInfoOffset
> * JSFunction::kFeedbackCellOffset
> * Map::kInstanceTypeOffset
> * Map::kInstanceDescriptorsOffset
> * Map::kPrototypeOffset
>
> Drive-by cleanup: StoreJSArrayLength and StoreElements were unused.
>
> Bug: v8:6949, v8:9396
> Change-Id: I89697b5c02490906be1eee63cf3d9e60a1094d48
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1755844
> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63216}
TBR=rmcilroy@chromium.org,solanes@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:6949, v8:9396
Change-Id: Ib6ae8fe86a598ed1066894595565e1162cf7dd1f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758310
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63233}
- Move undef closer to end of usage
- Move I64x2ExtractWithF64x2 closer to Extract tests, and into ifdef
scope so it runs on arm64 builds
Change-Id: I7138c44097975d02e97f4b2b9bfcddd8eb9735c8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1754544
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63227}
This CL adds additional information in PropertyAccessInfos and FieldAccesses about the map that introduced the accessed field. We use this information to prevent load elimination from incorrectly optimizing certain accesses marked const.
Prior to this CL, load elimination simply stored information about eliminatable field accesses based on objects (identified by nodes in the graph) and offsets (i.e., statically known ones). In the presence of const stores and loads this is insufficient, since a single object (in the above sense) may contain distinct *const* properties at the same offset throughout its lifetime. As an example, consider the following piece of code:
let obj = {};
obj.a = 0;
obj[1024] = 1; // An offset of >=1024 forces an elements-kind transition
delete obj.a;
obj.b = 2;
assertEquals(obj.b, 2);
In this scenario, *both* the first ('obj.a = 0') and the second ('obj.b = 2') store to a field will be marked const by the runtime. The reason that storing to 'a' above ends up being marked const, is that 'a' before and after the elements-kind transition is encoded in separate transition trees. Removing 'a' ('delete obj.a') only invalidates const-ness in the dictionary-elements transition tree; not the holey-elements one used at the time of 'obj.a = 0'.
The above situation on its own violates an invariant in load elimination. Namely, we assume that for the same object and offset, we will never encounter two const stores. One can extend the above snippet to coax load-elimination into producing incorrect results. For instance, by "hiding" 'obj.b = 2' in an unoptimized function call, the consecutive load from 'b' will incorrectly produce 0, violating the assert.
R=neis@chromium.org, tebbi@chromium.org
Bug: chromium:980183, chromium:983764
Change-Id: I576a9c7efd416fa9db6daff1f42d483e4bd369b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751346
Commit-Queue: Georg Schmid <gsps@google.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63226}
There are some accesses that we know that are pointers, and we can
specialize them to have Pointer as their Machine Type and Write Barrier.
Drive-by fix: ForJSGeneratorObjectParametersAndRegisters can be changed
to use Pointer.
Bug: v8:7703
Change-Id: I88e371746fc5f08c84795c95b1885264ef6c067c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1741658
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63223}
This is a CL in a string of CLs that aims to TNodify CSA. In particular,
there were some loads that were done in AnyTagged instead of
TaggedPointer. TNode-ifying them brings improvement in pointer
compression since we are able to decompress using the Pointer
decompression.
TNodified:
* LoadJSFunctionPrototype
* TryPrototypeChainLookup
* OrdinaryHasInstance
Also TNodified loads regarding:
* FeedbackCell::kValueOffset
* HeapObject::kMapOffset
* JSFunction::kSharedFunctionInfoOffset
* JSFunction::kFeedbackCellOffset
* Map::kInstanceTypeOffset
* Map::kInstanceDescriptorsOffset
* Map::kPrototypeOffset
Drive-by cleanup: StoreJSArrayLength and StoreElements were unused.
Bug: v8:6949, v8:9396
Change-Id: I89697b5c02490906be1eee63cf3d9e60a1094d48
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1755844
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63216}
Fixes DCHECK failure in DropStackFrameCacheCommon by returning early if
the source_position_table is Exception.
Bug: chromium:990582, v8:8510
Change-Id: I671f3e0cdc9f880dedf8ecd2fffb1083229dc6dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752856
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Auto-Submit: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63209}
This CL increases the maximum number of arguments for CallCFunction to
10 (was 9 previously).
All simulators also support up to 10 arguments now for host-calls.
Bug: v8:9621
Change-Id: Ib21cd39e965cdfcb0b04412261dc02e5fe106e47
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752852
Commit-Queue: Patrick Thier <pthier@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63208}
Otherwise there is a mismatch between eager parsing (where the reciever
is marked as MaybeAssigned) and lazy parsing (where the receiver is
deserialized and not marked MaybeAssigned) for arrow functions that
have an inner scope that calls eval.
BUG=chromium:989914
Change-Id: I8b8b78140858985a75a971b0e0a95bd61463457b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752851
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63206}
This is a reland of
https://chromium-review.googlesource.com/c/v8/v8/+/1749712 with a fix in
test-run-wasm-simd.cc to use base::Divide to work around C++ undefined
behavior when the denominator is 0.
Bug: v8:8460
Change-Id: Ia0a4ff621cccc6d9b7528717bf3fa7c79e42ba1a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1745819
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63198}
When GC triggered while an exception is pending, a read to
memory that was no longer valid could happen while backtracking in the
regexp interpreter (introduced with commit fb0df2c).
This CL prevents this dirty read, that could have been a security issue.
Bug: chromium:992389, v8:9575
Change-Id: Ie1acd6faa16665e211666c6a8dcf2a9d74e0c886
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751342
Commit-Queue: Patrick Thier <pthier@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63195}
When a RelocatingCharacterStream is Seeked, it's buffer_pos_ could be set a non-zero value.
However, UpdateBufferPointers was assuming the position was zero to relocate the buffer_start_
and buffer_end_, which would lead to the stream becoming misaligned. Fix this and add a
unittest and the clusterfuzz script which highlighted the issue.
BUG=chromium:991133
Change-Id: I20dd510b3dcc5df6df058b7e06d2c8a838aef855
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751782
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63190}
This makes sure that the above predicate is independent of any global
process-wide state. The state of enabled features is now passed in
explicitly.
R=thibaudm@chromium.org
Change-Id: I5d44e2b0c0843d2e4f26aaf0d58d23afd5943726
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751348
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63188}
Create canonical ScopeInfos for the global this binding and empty function in
the read only space, rather than creating them during bootstrapping for each
native context. This saves some memory, and also means we don't need to access
the native context to get the global this binding in when deserializing a
scope info, which is important since parsing should be native context independent.
BUG=chromium:992063
Change-Id: I800f576e8e9b95d46e043cba0c1a03ae19a683c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748690
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63174}
Now that all uses of LoadStackPointer have been removed, this CL cleans
up related code:
- Removed LoadStackPointer.
- Removed ArchStackPointer.
- Removed IA32StackCheck.
- Removed X64StackCheck.
- Removed StackCheckMatcher.
All stack checks now follow a simple path without matchers or special
register constraints: they load the limit and pass it to
StackPointerGreaterThan, which is finally handled by code generation.
Bug: v8:9534
Change-Id: Ib1d7be1502a471541d6441f3261aac0c949525fb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748737
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63166}
This removes LoadStackPointer and its last remaining use in the
interpreter assembler.
Bug: v8:9534
Change-Id: I19aafb12c5fd50248841a3d92448e64243c723ad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748729
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63164}
We assume that during bootstrapping, we won't create script contexts.
This is wrong, since JavaScript code in extensions may introduce
let/const variables.
R=jgruber@chromium.org
Change-Id: I02595abdbb65f41faffc90bde142849bbde6b554
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1666994
Auto-Submit: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63161}
This CL implements a naive tiering-up strategy where the interpreter
is used for the first execution for every regex, and the compiler is
used for every execution after that. The only exception is if a
global replace is being executed on a regex, we eagerly tier-up to
native code right away.
To use the tier-up logic --regexp-tier-up needs to be set. It is
currently disabled by default.
Bug v8:9566
Change-Id: Ib64ed77cbfcde10411161c0541dfa2501a0a93bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1710661
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Ana Pesko <anapesko@google.com>
Cr-Commit-Position: refs/heads/master@{#63150}
This reverts commit d1a4706af9.
Reason for revert: Experiment over.
Original change's description:
> Reland "[ptr-compr][arm64] Temporarily enable pointer compression on arm64"
>
> This is a reland of f5611402f7
>
> Original change's description:
> > [ptr-compr][arm64] Temporarily enable pointer compression on arm64
> >
> > ... and make sure that the arm64 ptr-compr bots proceed testing V8 without
> > pointer compression in order to keep testing the other config.
> >
> > Commented out the 'extra' variant since it was crashing. Opened a bug
> > regarding that: https://bugs.chromium.org/p/v8/issues/detail?id=9568
> >
> > Similar to x64's https://chromium-review.googlesource.com/c/v8/v8/+/1607654
> >
> > Bug: v8:7703
> > Change-Id: Ifd46b029bab34524f9f536dcdbd1574f2ddcbf37
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1724216
> > Reviewed-by: Tamer Tas <tmrts@chromium.org>
> > Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> > Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#63019}
>
> Cq-Include-Trybots: luci.v8.try:v8_android_arm64_n5x_rel_ng
> Bug: v8:7703
> Change-Id: I1a82b87bf6db4e6d100aeffc29dae60ba73d8119
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1730998
> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Tamer Tas <tmrts@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63043}
TBR=machenbach@chromium.org,tmrts@chromium.org,solanes@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:7703
Change-Id: I86a801d44ad4ea14b1388ad8ca6109cc8a57a7d7
Cq-Include-Trybots: luci.v8.try:v8_android_arm64_n5x_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1746470
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63148}
This contains the following upstream commits:
486d3fe: Rename DEBUG to WASM_API_DEBUG
8d8e37d: Explicitly number wasm_valkind_t
299ebe0: Fix underlying types for enums
70be7c6: Fix test
Change-Id: I692fb6c909e5211920438740d2c57ea7ee74ab12
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1745483
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63147}
- Adds regular native heap entries to the HeapObjectsMap.
- Adds a side map for keeping a mapping of native objects to their canonical
heap entry that they have been merged into.
Change-Id: Ida00628126ded1948ceb2a0cbe14da817af7f361
Bug: chromium:988350
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1720810
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63140}
This is the first in a series of changes to reduce the number of
bytecodes generated for the iteration protocol based operations.
The GetIterator bytecode introduced in this change currently loads the
@@iterator symbol from an object that was previously done using the
LdaNamedProperty bytecode. This change uses builtin-based mechanism
that would be extended to perform additional operations in the future
on absorbing the bytecodes associated with the GetIterator operation
from the iteration protocol.
Bug: v8:9489
Change-Id: I83b8b55c27bae8260bf227f355eeca1ba80cd8f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1701852
Commit-Queue: Swapnil Gaikwad <swapnilgaikwad@google.com>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63139}
