Resolve a data race between concurrent sweeping and writing fillers by
the main thread.
Bug: v8:13554, v8:12612
Change-Id: I00bbceca92b4729b2d2bb32be0916a981cfde3e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4084762
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84747}
Rolling v8/build: e3833ca..2c6fbff
Rolling v8/buildtools: 71c674d..4fb9b31
Rolling v8/buildtools/third_party/libc++/trunk: a9779c1..e4e39ce
Rolling v8/buildtools/third_party/libc++abi/trunk: f46bba9..25a3d07
Rolling v8/third_party/fuchsia-sdk/sdk: version:10.20221207.2.1..version:10.20221207.3.1
Rolling v8/tools/clang: 72ab320..6d77ba2
Change-Id: Iad0f45ed412bfe0d201485218731eb4050281ba9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4091444
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#84746}
The last CL created an array with length zero and enough capacity, and let FastCreateDataProperty append values. But there are unnecessary checks in FastCreateDataProperty when appending values. Thus, it's more efficient to create an array filled with smi zero, and fill in the values.
Bug: chromium:1395728
Change-Id: Ibe52c688c260637993983ab25f069ee80b212895
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4086126
Commit-Queue: Choongwoo Han <choongwoo.han@microsoft.com>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84745}
Iterating promoted pages uses a snapshot of the allocated pages to avoid
using locks (which locally resulted in regressions). Large pages may
have been freed between taking the snapshot and concurrent sweeping.
If that page is found by LookupChunkContainingAddress as the closest
page, we will try to access it and crash.
Fix by refreshing the snapshot after all pages have been freed.
Bug: v8:12612, chromium:1399331, chromium:1399328, chromium:1399330
Change-Id: I01a1dbcb9efde3a34a99d01260b0529dcf04c37a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4088363
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84740}
This was a slightly overzealous optimization that ended up being more
tricky than expected without measurable value on the benchmarks (as far
as we know). Let's try to remove it and see whether an important
benchmark notices.
Bug: chromium:1385941
Change-Id: If2e81f6cb6758f9c373e7c2c8beaa308ed323f93
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4088624
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84739}
Test ids would get a uniform format between different kinds of tests:
prefix//test_id//suffix
- prefix:
  - empty for regular tests
  - or 'special test' token, as in 'numfuzz'
- test_id is the full name of the test as generated by test runner:
  - suite_name/path/to/actual/test_name
- suffix is anything a test runner processor might want to add to the name:
  - numfuzz processor will add 'analysis' of a numeric value
  - variant processor will add the variant name
Bug: v8:13316
Change-Id: Ied8f958173f82d8e26c62e39ccc21167ca2928ab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4084763
Commit-Queue: Liviu Rau <liviurau@google.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84736}
Adds new `br_on_cast_fail <branch depth> <heap type>` instruction
with opcode 0xfb43.
The instruction branches if the cast fails. `null` is treated as a cast
failure (meaning the branch is taken).
The heap type may be any concrete heap type index or an abstract
type like `(ref null eq)`.
Bug: v8:7748
Change-Id: I97a78d6d0872703ab825016cab4e737f8f79995f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4084981
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84733}
Wasm stack switching breaks the expectations of the unified V8/C++
heap by breaking the stack into multiple segments. To fix this:
- Store a list of interesting inactive stacks in the heap's Stack object
- When wasm switches stack, update this list, and also update the stack
  start pointer
- Change {Stack::IteratePointers} to also visit pointers in the current
  list of inactive stacks
R=nikolaos@chromium.org,jkummerow@chromium.org
CC=irezvov@chromium.org
Bug: v8:13493
Change-Id: Ieafeb89da31325e542e67403b6dc66c28d3be2fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4081126
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84731}
MinorMC needed to process pretenuring feedback both after sweeping and
at the end of the atomic pause, despite having no new feedback at the
end of the atomic pause, because the heuristics didn't hold after
sweeping. This CL adjusts the heuristics for MinorMC so that processing
twice is no longer needed.
Bug: v8:12612
Change-Id: I4d3ebaeaa6e7868bcdcae6fbdb3bcecb0ebcb8bf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4085983
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84730}
Specifically, the methods in {WasmJSFunction} and {WasmCapiFunction}.
Drive-by:
- Fix a bug in {WasmCapiFunction::GetSignature}.
- Fix a bug in wasm-module-builder.js.
Bug: v8:7748
Change-Id: I7408d07766536ed37f23b97ad210212b986412bf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4079097
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84728}
TSLint has been deprecated and so the presubmit script will not
run because of tslint:recommended. Removing this allows the
explicit rules to be run but does not properly fix the use of
TSLint. Also fix the issues that do not pass the linter.
Bug: v8:7327
Change-Id: I9f463ba9520ee2caa4141b21b81fd15012afedff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4085145
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: George Wort <george.wort@arm.com>
Cr-Commit-Position: refs/heads/main@{#84725}
When reducing the apply() builtin, we should force the arguments
to be tagged.
Bug: v8:7700
Fixed: chromium:1394787
Change-Id: Ic62ea1dcf669a271f9ab20454b70dbb9374f166f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4086544
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84724}
When we split MaterialisedValueNodes to x64 and arm64, we
changed the logic a bit, and we should return early in case
of a constant, otherwise we would fail in the DCHECK on line 269.
Bug: v8:7700
Fixed: chromium:1395603
Change-Id: I3ce6dcb5e4e8e0040ef16fb3b3065ef7b86c7c36
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4088362
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84723}
A scavenger GC can run on a client isolate while incremental marking
is enabled in the shared space isolate. While we pause black
allocation in the client's heap, we can't really pause it in the
shared heap isolate.
This CL solves that by marking ConcurrentAllocator instances created
for the GC. Black allocation is never enabled during GC. This will
probably also be useful when moving LABs out of the spaces.
Bug: v8:13267
Change-Id: Ie92848854c39229a8eca74cb07bd4be19a725ec8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4085503
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84722}
Add the option to swap what is displayed on which
axis and increase the density in the horizontal axis
when displaying live ranges in turbolizer.
Bug: v8:7327
Change-Id: I47ac94d93942bdf760ad330a19f8f567078fd531
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4085144
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: George Wort <george.wort@arm.com>
Cr-Commit-Position: refs/heads/main@{#84721}
Data added:
- subtest_id as it is generated by Processors
- processor_name to trace back the processors that generate subtests
- path of the test
- test_id suffixes introduced by processors:
  - numfuzz will have
    - an `analysis` suffix for analysis phase
    - a number suffix for the variants generated after analysis
  - variant processor adds a suffix for every variant
  - subtests will inherit suffixes from the parent tests (origin)
V8-Recipe-Flags: resultdb
Cq-Include-Trybots: luci.v8.try:v8_numfuzz_dbg,v8_numfuzz_rel,v8_numfuzz_tsan_compile_rel,v8_numfuzz_tsan_rel
Bug: v8:13316
Change-Id: I67d8b92b575c31b201238cfbcfc76cd076a2f7af
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4081127
Commit-Queue: Liviu Rau <liviurau@google.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84720}
ForInPrepare should store the accumulator into the {cache_type}
register. Since this was not being done, we were extending
the lifetime of whatever was in this register (in this case
a CallRuntime coming from a catch block) to ForInNext.
So we were basically doing an uninitialized read in that node.
Bug: v8:7700
Fixed: chromium:1393547
Change-Id: If3fe4118bfffac089757170ae9ed5ccba9e4af86
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4084792
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84719}
Keep the ValueSerializer version number the same but add a separate
value type for resizable ArrayBuffers.
Bug: v8:11111
Change-Id: I895e9ffcc63cce2e83a09d4be81312fdcffa67f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4083067
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84718}
A SharedFunctionInfo might have AsmWasmData instead of BytecodeArray and
it would be considered compiled. Code using GetBytecodeArray should
check specifically for the presence of a bytecode array.
Bug: chromium:1397348
Change-Id: I1e376da8ac59204afdcc012e1cb068766be75eb7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4087502
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#84716}
Adds v8::[Shared]ArrayBuffer::MaxByteLength and
v8::BackingStore::IsResizableByUserJavaScript.
This is needed for embedders who need to check if a buffer is resizable
by user JS, like blink, to check for the [AllowResizable] WebIDL
extended attribute.
Bug: v8:11111
Change-Id: Ie7e03979ef3884123df8a3eeb5c3516c4a6967c2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4082276
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84715}
Since https://crrev.com/c/4044221, Projections are emitted fairly
eagerly in turboshaft, which prevented
BinopOverflow+Branch/DeoptimizeIf fusion in some cases. This CL
improves the InstructionSelector's ability to fuse BinopOverflow with
its following branch-on-overflow instruction.
Bug: chromium:1393640
Change-Id: I12fb57f5080c99a1b16804bd3982a37b24b1cf6d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4068126
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84713}
With this CL, the contexts of the stacks corresponding to all client isolates
are saved, so that conservative stack scanning can be used correctly
during a shared garbage collection. This happens:
1) in Heap::PerformSharedGarbageCollection, for the stacks of the shared
isolate and the initiator;
2) when an isolate's main thread is waiting in a safepoint; and
3) when an isolate's main thread is parked.
Bug: v8:13257
Change-Id: I9ff060f2c0c1ec12977c70d67d65d9c543e2d165
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4027210
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84712}
Inner pointer resolution should never return free space or filler
objects. In some tests, however, there are free space or filler objects
in large pages. This CL fixes this case.
Bug: v8:13257
Change-Id: Id5b4875052843184cbe1777e3324e5b09771af49
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4069704
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84709}
Client isolates only need to mark shared heap objects unlike the
shared space isolate. Introduce a separate visitor for them.
In addition MarkingVisitorBase::VisitMapPointer cannot just mark
an object unconditionally.
Bug: v8:13267
Change-Id: Id099d0beec3a4cb44ab803f5033bc06059f21942
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4085005
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84707}
Promoted pages are iterated to record slots containing old to new and
old to shared references. This takes a significant amount of time during
the atomic pause.
Instead we offload this task to the concurrent sweepers, record slots to
a local cache, and merge it when finalizing sweeping.
Array buffer sweeping depends on iteration of promoted pages, so it is
frozen until iteration is done.
See design doc at https://docs.google.com/document/d/1JzXZHguAnNAZUfS7kLeaPVXFfCYbf5bGCtyKgyiMDH4/edit?usp=sharing
Bug: v8:12612
Change-Id: Icdc79a7a70c53352e3a1b3961cfe369e8563b65b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4062041
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84706}
The test is failing due to a bug in dbghelp.dll. I don't think there's
anything we can do about that except disable the test until we've
upgraded to a fixed version.
Bug: v8:13484
Change-Id: I8017c3ad2c934701985adadc6ba3f68d2d53099d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4061543
Reviewed-by: Emanuel Ziegler <ecmziegler@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#84704}
Adds new `br_on_cast null <branch depth> <heap type>` instruction
with opcode 0xfb4a.
The instruction branches on null.
The heap type may be any concrete heap type index or an abstract
type like `(ref null eq)`.
Bug: v8:7748
Change-Id: I0f1debacc80a304f7cfc262fd2cde7f43fc804d3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4075086
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84703}
When a new space object is promoted into the shared heap during a
scavenger GC, client isolates need to drop that object from the
worklist. However, the shared space isolate needs to keep such
objects in the worklist since this isolate also marks the shared space.
Bug: v8:13267
Change-Id: Id644cb1153e3b330eb8308d18a49c864e2b5cd4d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4083704
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84701}
Rolling v8/build: 139c800..810e142
Rolling v8/buildtools/third_party/libunwind/trunk: 2b51e6f..fd5b3b5
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/d8be2db..8fd5368
Rolling v8/third_party/depot_tools: 25334bb..107142a
Rolling v8/tools/clang: 64ab83c..9f615fd
Rolling v8/tools/luci-go: git_revision:4814885a05fd7cc925933f614dc6fcc58bc83e4b..git_revision:bac571b5399502fa16ac48a1d3820e1117505085
Change-Id: Ie9e3ff075a3b992bbae1c8f862365831aea3bf5c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4082193
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#84700}