With this change property accesses on WasmObject and WasmArray return
undefined instead of throwing.
Furthermore, retrieving the prototype of a WasmObject/WasmArray returns
null.
Bug: v8:13523
Change-Id: I12e3b9fb6ac9a7305f001a3b3835854068c3064f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110995
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84957}
We add final types to wasm-gc.
- We introduce a `kWasmSubtypeFinalCode` as an alternative to
`kWasmSubtypeCode`.
- Behind a flag, we interpret types behind this code as final, as well
as types outside a subtype definition by default.
- For final types, type checks for call_indirect and ref.test etc. are
reduced to simple type identity checks.
Bug: v8:7748
Change-Id: Iabf147b2a15f43abc4c7d1c582f460dbdc645d66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096478
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84955}
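The final-types change above has two observable rules: a final type may not be extended, and a type check whose target is final needs no supertype walk, only an identity comparison. The following is an added example written for this page, not V8's code: a small type table that models both rules, including the flag-gated "final by default for types outside a subtype definition" behaviour. The class name, the `finalByDefault` option and the `steps` counter are the example's own; the real engine's O(1) supertype-array check is not reproduced here.

```javascript
// Added example (not V8 code): toy model of final types in a wasm-gc type section.
class TypeTable {
  constructor({ finalByDefault = false } = {}) {
    this.types = new Map();
    this.finalByDefault = finalByDefault; // models the flag described above
  }

  // Declare a type; `final` explicit wins, otherwise types declared outside a
  // subtype definition (no supertype) follow the finalByDefault setting.
  define(name, { supertype = null, final } = {}) {
    if (this.types.has(name)) throw new Error(`duplicate type ${name}`);
    let parent = null;
    if (supertype !== null) {
      parent = this.types.get(supertype);
      if (parent === undefined) throw new Error(`unknown supertype ${supertype}`);
      // Validation rule: a final type has no proper subtypes.
      if (parent.final) throw new TypeError(`cannot extend final type ${supertype}`);
    }
    const isFinal = final !== undefined ? final : (supertype === null && this.finalByDefault);
    const t = { name, parent, final: isFinal, depth: parent ? parent.depth + 1 : 0 };
    this.types.set(name, t);
    return t;
  }

  // Is `actual` a subtype of `target`? Returns the answer and how many
  // supertype links were followed, to make the final-type fast path visible.
  isSubtype(actualName, targetName) {
    const actual = this.types.get(actualName);
    const target = this.types.get(targetName);
    if (!actual || !target) throw new Error('unknown type');
    // Final target: nothing but the type itself can be a subtype, so the
    // check is a single identity comparison (the call_indirect/ref.test case).
    if (target.final) return { ok: actual === target, steps: 0 };
    // General case: climb the chain until the depths match, then compare.
    let t = actual, steps = 0;
    while (t !== null && t.depth > target.depth) { t = t.parent; steps++; }
    return { ok: t === target, steps };
  }
}
```

Usage: build a table, declare a hierarchy with `define(name, { supertype, final })`, and compare `isSubtype(x, y).steps` for a final target against a non-final one to see the chain walk disappear.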
Three issues were fixed:
* In debug state, only publish debug code.
* When entering debugging in an isolate, only delete the code of
those NativeModules that aren't in debug state already.
* When async compilation finishes, only throw away code if the debug
state changed during compilation.
Original message:
Currently V8 recompiles all functions of a WebAssembly module when a
debugging session starts. This is outdated behavior and
causes OOMs for developers. With this CL all compiled code just gets
removed when a debugging session starts, and debugging code gets
compiled lazily.
This behavior may lead to small delays whenever a new function gets
entered by the debugger. However, developers are used to debugging code
being slightly slower, and the small delays should be in the order of
few milliseconds. On the other hand, debug modules can be big,
sometimes even more than 1'000'000 functions, and developers reported
OOMs when debugging.
R=clemensb@chromium.org
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_isolates_rel
Bug: v8:13541, chromium:1372621, v8:13224
Change-Id: Ie27388a287cd16a67a483e14fc22c2ab4180962e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4079190
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84873}
Adds new `br_on_cast_fail null <branch depth> <heap type>` instruction
with opcode 0xfb4b.
The heap type may be any concrete heap type index or an abstract
type like `(ref null eq)`.
Bug: v8:7748
Change-Id: Ieb7322a31fd2b5f64a669193003a365149bef34e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4085008
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84868}
This is required to be spec-compliant.
The previously implemented behavior was more relaxed allowing one to use
`ref.cast null` on non-nullable inputs and still getting a non-nullable
result on cast success.
Bug: v8:7748
Change-Id: I1297314389b0445a7c8d5a74f37d07a723d7a133
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4091549
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84776}
Adds new `br_on_cast_fail <branch depth> <heap type>` instruction
with opcode 0xfb43.
The instruction branches if the cast fails. `null` is treated as a cast
failure (meaning the branch is taken).
The heap type may be any concrete heap type index or an abstract
type like `(ref null eq)`.
Bug: v8:7748
Change-Id: I97a78d6d0872703ab825016cab4e737f8f79995f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4084981
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84733}
Specifically, the methods in {WasmJSFunction} and {WasmCapiFunction}.
Drive-by:
- Fix a bug in {WasmCapiFunction::GetSignature}.
- Fix a bug in wasm-module-builder.js.
Bug: v8:7748
Change-Id: I7408d07766536ed37f23b97ad210212b986412bf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4079097
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84728}
Adds new `br_on_cast null <branch depth> <heap type>` instruction
with opcode 0xfb4a.
The instruction branches on null.
The heap type may be any concrete heap type index or an abstract
type like `(ref null eq)`.
Bug: v8:7748
Change-Id: I0f1debacc80a304f7cfc262fd2cde7f43fc804d3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4075086
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84703}
This reverts part of crrev.com/c/4020425, because it turns out that the
runtime call pays off for strings above a certain length.
Bug: v8:12868
Change-Id: I1c4d5a01bb0f1303c2385c7707b3e5fff6936b02
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4075728
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84668}
This reverts commit 7b138dd30d.
Reason for revert: Causes multiple flakes:
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20isolates/22932/overview
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20debug/41934/overview
Original change's description:
> [wasm] Compile debug code lazily
>
> Currently V8 recompiles all functions of a WebAssembly module when a
> debugging session starts. This is outdated behavior and
> causes OOMs for developers. With this CL all compiled code just gets
> removed when a debugging session starts, and debugging code gets
> compiled lazily.
>
> This behavior may lead to small delays whenever a new function gets
> entered by the debugger. However, developers are used to debugging code
> being slightly slower, and the small delays should be in the order of
> few milliseconds. On the other hand, debug modules can be big,
> sometimes even more than 1'000'000 functions, and developers reported
> OOMs when debugging.
>
> R=clemensb@chromium.org
>
> Bug: v8:13541, chromium:1372621, v8:13224
> Change-Id: Ia36d9b8743523b1c89221c59f989268e27f6ce98
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4067302
> Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84662}
Bug: v8:13541, chromium:1372621, v8:13224
Change-Id: Ic5442462d158618f2d43b8e0ebdfb90017ed378a
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4080034
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Owners-Override: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84665}
Currently V8 recompiles all functions of a WebAssembly module when a
debugging session starts. This is outdated behavior and
causes OOMs for developers. With this CL all compiled code just gets
removed when a debugging session starts, and debugging code gets
compiled lazily.
This behavior may lead to small delays whenever a new function gets
entered by the debugger. However, developers are used to debugging code
being slightly slower, and the small delays should be in the order of
few milliseconds. On the other hand, debug modules can be big,
sometimes even more than 1'000'000 functions, and developers reported
OOMs when debugging.
R=clemensb@chromium.org
Bug: v8:13541, chromium:1372621, v8:13224
Change-Id: Ia36d9b8743523b1c89221c59f989268e27f6ce98
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4067302
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84662}
By applying the same special-case that the Torque builtin already has
to the runtime function.
This is a quick fix pending discussion of what the right long-term solution
should be.
Bug: v8:13523
Change-Id: I5303d5ac598d00189f7eb2d9d78b81ad11b919b3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4075527
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84654}
The OnProfileEndListener callback has to be reset before the isolate
dies to avoid a use-after-free when the Global which holds the callback
gets released.
Drive-by change: make the OnProfileEndListener callback
isolate-specific. At the moment a `profileEnd` call in IsolateA could
trigger the OnProfileEndListener callback of IsolateB, which could
cause all kinds of data races (the callback would access the isolate,
but the isolate is not supposed to get accessed by multiple threads
concurrently). With this CL there is one callback per isolate.
R=clemensb@chromium.org
Bug: chromium:1395237
Change-Id: Ifaa5b883a231f5519a3bfeb6187fb7d8faa02b02
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4076465
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84646}
The wasm export wrapper passes the expected type as a Smi parameter to
the {WasmJSToWasmObject} runtime function. However, since this wrapper
might be compiled by a different module that is currently running it,
it is not enough to pass the module-specific type index and the module
to reconstruct the type. Rather, we must pass the canonical type
index.
Bug: v8:7748
Change-Id: I84e34e855898477a135f213f07bca10e95ecf49a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4068123
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84641}
This refactors how we generate any decoding errors during streaming
compilation: Instead of generating an error message, we only remember
that decoding failed. After all bytes have been received, we then
synchronously re-validate the bytes. This ensures consistent error
messages between all decoding and compilation pipelines.
In order to achieve this, we now unconditionally store the full wire
bytes in the {StreamingDecoder}. This partially overlaps with the
section buffers that we already store, but we cannot continue filling
section buffers after a decoder error. This will be cleaned up in a
follow-up CL.
We can also remove most of the buffer-offset tracking, which will also
be done in a follow-up.
R=ahaas@chromium.org
Bug: v8:13447
Change-Id: I1d506356de6a0070c3bf2b26470dbf781f4f62e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4066922
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84636}
Adds new `br_on_cast <branch depth> <heap type>` instruction
with opcode 0xfb42.
The instruction does not branch on null.
The heap type may be any concrete heap type index or an abstract
type like `(ref null eq)`.
Bug: v8:7748
Change-Id: Id1d238645c176b32b568249d67fa28517b435ad4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4069559
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84598}
When importing a WasmExportedFunction into a module, we checked that
its type is equivalent with the declared type of the import. Instead,
we should check that the imported function has an isorecursive subtype
of the declared type.
Change-Id: I2a5f68d4c4c8c65a0eed5b82e8e825affb832cfe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4061732
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84593}
For performance profiling in DevTools, LogWasmCode has to be called on
every isolate for a NativeModule. After receiving a NativeModule from
postMessage, the call to LogWasmCode was missing.
R=clemensb@chromium.org
Bug: chromium:1381182
Change-Id: Ibbb5129a848477c42ac2a8fbc04b0e61ec8900eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4051245
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84546}
Currently V8 recompiles all functions of a WebAssembly module with
TurboFan when a debugging session ends. This is outdated behavior and
causes OOMs for developers. With this CL all debugging code gets removed
when a debugging session ends, and functions get re-compiled lazily.
This behavior may lead to slightly worse performance for some time after
debugging finishes, but it avoids OOMs, and developers are used to
debugging code being not as performant as production code.
R=clemensb@chromium.org
Bug: chromium:1372621, v8:13224
Change-Id: I9fc97408ef92ad5564f2a9743213762226c2b25e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055923
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84509}
The WasmModuleBuilder is used in tests for creating Wasm modules. It can
be pretty slow for huge modules, in particular in simulator builds or in
slow variants like gc-stress.
This CL adds a fast path to the code section creation, for functions
without locals. This makes the wasm-max-functions test 1.45x faster in
the arm64 simulator (generation of the code section alone gets 2.2x
faster).
R=ahaas@chromium.org
Change-Id: I993542448fb4f0b5fdadca13c59691d86844e2a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4051606
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84465}
There exists a limit in the WebAssembly specification on the maximum
number of functions allowed in a module. For release builds the limit
seems high enough for now, but we got developer feedback that their
debug builds exceed this limit. To support these developers without
violating the specification this CL introduces a V8 flag that allows
specifying a custom limit. Developers can then increase this limit
locally for their debugging sessions.
R=clemensb@chromium.org
Bug: chromium:1380561
Change-Id: Ie65a47d49e9ca1d8b05617df0f46c187afef06e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4027963
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84417}
This adds a regression test for https://crrev.com/c/4025548.
Using {addBodyWithEnd(body)} makes the test a lot faster, and we just
skip it on known-to-be-slow variants.
In a default release build, the test takes ~0.3 seconds. In an x64 debug
build, it takes 17 seconds.
Bug: v8:13436
Change-Id: I63e2927774601b24d177b03cf075f9a8d287e934
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031206
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84371}
Additionally:
- Remove the early data-count section from module-decoder and
wasm-module-builder.js.
- Move a test from gc-nominal.js to array-init-from-segment.js.
- Comment-out relevant tests.
Bug: v8:7748
Change-Id: I5e038e0b6227c28ce79ffe39529ada59c34187eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4028144
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84301}
These tests were needed when missing features were implemented in
Liftoff, and the in-progress implementation was disabled by default.
Since the Liftoff code is enabled by default now, the test copy can be
deleted.
R=jkummerow@chromium.org
Bug: v8:12926
Change-Id: Iecdf02645a63e93a51f6ce297d168e149d68be26
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4027928
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84279}
This reverts commit 05a80427dc.
Reason for revert: Getting timeouts on some slow bots.
Original change's description:
> [wasm] Do not add too much code at once
>
> Especially on arm64 we have a rather low code space limit (128MB), so it
> can happen that a background thread generates more code in one batch
> than can be held in a single code space. This case is not implemented
> yet.
>
> This CL implements this by never batch-adding more than half of a code
> space.
>
> In order to test the implementation, we add a new flag called
> --wasm-max-code-space-size-mb which can be used to artificially lower
> the code space size limits in tests.
>
> R=jkummerow@chromium.org
>
> Bug: v8:13436
> Change-Id: I18a3457fda724129fb1bb8c44a9815df265b6b2c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4023072
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84245}
Bug: v8:13436
Change-Id: I0b2492eb7fee40b7d62b3b3a8fb19a4bc7fda26b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4025546
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#84248}
Especially on arm64 we have a rather low code space limit (128MB), so it
can happen that a background thread generates more code in one batch
than can be held in a single code space. This case is not implemented
yet.
This CL implements this by never batch-adding more than half of a code
space.
In order to test the implementation, we add a new flag called
--wasm-max-code-space-size-mb which can be used to artificially lower
the code space size limits in tests.
R=jkummerow@chromium.org
Bug: v8:13436
Change-Id: I18a3457fda724129fb1bb8c44a9815df265b6b2c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4023072
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84245}
Rename the '--wasm-max-code-space' flag to
'--wasm-max-committed-code-mb'. We will introduce a new flag to set the
maximum size of a wasm code space, so the old name would be misleadingly
close to the new flag.
R=jkummerow@chromium.org
Bug: v8:13436
Change-Id: I7a86300e4f25858add1a62f9989189035ea855ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4022709
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84242}
This is a reland of commit 936b61a209
Change compared to original: Fix parameter types for CallRuntimeStub
in Liftoff.
Original change's description:
> [wasm-gc] Canonicalize JS Numbers as i31ref at the boundary
>
> JS numbers flowing into Wasm as i31ref should be canonicalized at the
> boundary. In-range numbers get canonicalized to Smis, and out-of-range
> numbers to HeapNumbers. This way, casting to i31ref, or checking for
> i31ref when casting to other types, is reduced to a Smi check.
>
> Bug: v8:7748
> Change-Id: Icd2bbca7870c094f32ddc9cba1d2be16207e80d1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4008345
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84219}
Bug: v8:7748
Change-Id: I67737150252b844a296338db0c60f76b470aa43b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4022711
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84240}
This reverts commit 936b61a209.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20-%20no%20pointer%20compression/2000/overview
Original change's description:
> [wasm-gc] Canonicalize JS Numbers as i31ref at the boundary
>
> JS numbers flowing into Wasm as i31ref should be canonicalized at the
> boundary. In-range numbers get canonicalized to Smis, and out-of-range
> numbers to HeapNumbers. This way, casting to i31ref, or checking for
> i31ref when casting to other types, is reduced to a Smi check.
>
> Bug: v8:7748
> Change-Id: Icd2bbca7870c094f32ddc9cba1d2be16207e80d1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4008345
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84219}
Bug: v8:7748
Change-Id: Ia74e49147d230f9217ebeb2bf435d10d8f93126e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4020457
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84221}
JS numbers flowing into Wasm as i31ref should be canonicalized at the
boundary. In-range numbers get canonicalized to Smis, and out-of-range
numbers to HeapNumbers. This way, casting to i31ref, or checking for
i31ref when casting to other types, is reduced to a Smi check.
Bug: v8:7748
Change-Id: Icd2bbca7870c094f32ddc9cba1d2be16207e80d1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4008345
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84219}
Similar to atomics and numerics, GC instructions can also be invalid,
which would violate the encoded assumption.
R=ahaas@chromium.org
Change-Id: I76e236f112cf8bdb389b45890b26f73d1f460af0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4020415
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84180}
Similar to https://crrev.com/c/4008538, this fixes the assumption for
numeric opcodes. It previously failed on illegal numeric opcodes.
R=ahaas@chromium.org
Bug: chromium:1382816
Change-Id: I47dc0412c4c32b5fd766a9f9fd96b4b270da86c8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4020413
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84177}
When building the Turbofan graph for an inlined function, we should
record dangling exceptions (which will be connected to the callee's
handler) as we go, rather than try to recover them later. Apart from
making the code more maintainable, this fixes a bug where the handler
was not recovered correctly when memory start/size were reloaded.
Bug: v8:12166
Change-Id: Idbb71f0ba9f9d492f00115c516cbe5e61b6cd162
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4016876
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84165}
The assumption in {DecodeAtomicOpcode} (added in
https://crrev.com/c/3990654) is only true for valid opcodes. Since
Atomic opcodes are variable-length encoded, it's possible to create
out-of-bounds atomic opcodes which violate the assumption.
This CL fixes that by checking for such out-of-bounds opcodes early in
the method. This replaces the assumption, which the compiler can now
derive from the if-statement.
R=ahaas@chromium.org
Bug: chromium:1381330
Change-Id: Ifaaceb0c8a765811fe2f934be1920bcb14675f36
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4008538
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84091}
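The four br_on_cast encodings listed earlier on this page (prefix 0xfb with sub-opcodes 0x42, 0x43, 0x4a and 0x4b) and the out-of-bounds opcode problem in the atomic, numeric and GC decoder fixes above share one detail: the sub-opcode after a prefix byte is a LEB128 u32, not a single byte, so an attacker-controlled module can encode a value far larger than any opcode table, and the value has to be range-checked before it becomes an index. The following is an added example written for this page, not V8's code: a small encoder and decoder for prefixed opcodes that performs that check first and then reads the branch depth and heap type immediates of the br_on_cast family. The 256-entry table size, the placeholder names for sub-opcodes not listed on this page, and the table layout are the example's assumptions; a negative s33 heap type is reported as abstract without naming which abstract type it denotes.

```javascript
// Added example (not V8 code): range-check a LEB128 sub-opcode before it is
// used as a table index, then decode the br_on_cast family's immediates.
const PREFIX_GC = 0xfb;       // GC proposal opcodes
const PREFIX_NUMERIC = 0xfc;  // numeric opcodes
const PREFIX_ATOMIC = 0xfe;   // atomic opcodes
const TABLE_SIZE = 256;       // assumption: one slot per 8-bit sub-opcode

// Sub-opcodes named on this page; every other slot gets a placeholder name.
const GC_OPS = new Map([
  [0x42, 'br_on_cast'],
  [0x43, 'br_on_cast_fail'],
  [0x4a, 'br_on_cast null'],
  [0x4b, 'br_on_cast_fail null'],
]);
const OPCODE_TABLES = new Map([
  [PREFIX_GC, new Array(TABLE_SIZE).fill('gc op (not named on this page)')],
  [PREFIX_NUMERIC, new Array(TABLE_SIZE).fill('numeric op')],
  [PREFIX_ATOMIC, new Array(TABLE_SIZE).fill('atomic op')],
]);
for (const [sub, name] of GC_OPS) OPCODE_TABLES.get(PREFIX_GC)[sub] = name;

// Unsigned LEB128 u32: at most 5 bytes, the 5th may carry only 4 data bits.
function readU32(bytes, pos) {
  let value = 0, i = pos;
  for (let shift = 0; shift <= 28; shift += 7) {
    if (i >= bytes.length) throw new RangeError('unexpected end of bytes');
    const b = bytes[i++];
    if (shift === 28 && (b & 0x70) !== 0) throw new RangeError('u32 LEB128 overflow');
    value += (b & 0x7f) * 2 ** shift; // arithmetic, not <<, to stay unsigned
    if ((b & 0x80) === 0) return { value, pos: i };
  }
  throw new RangeError('u32 LEB128 too long');
}

// Signed LEB128 s33 (heap type immediate): at most 5 bytes, sign-extended
// from the last group; unused high bits of the 5th byte must match the sign.
function readS33(bytes, pos) {
  let value = 0, shift = 0, i = pos, b;
  do {
    if (i >= bytes.length) throw new RangeError('unexpected end of bytes');
    if (shift > 28) throw new RangeError('s33 LEB128 too long');
    b = bytes[i++];
    if (shift === 28 && (b & 0x70) !== 0 && (b & 0x70) !== 0x70) {
      throw new RangeError('s33 LEB128 overflow');
    }
    value += (b & 0x7f) * 2 ** shift;
    shift += 7;
  } while (b & 0x80);
  if (b & 0x40) value -= 2 ** shift;
  return { value, pos: i };
}

function writeU32(value) {
  const out = [];
  do {
    let b = value & 0x7f;
    value >>>= 7;
    if (value !== 0) b |= 0x80;
    out.push(b);
  } while (value !== 0);
  return out;
}

function writeS33(value) {
  const out = [];
  for (;;) {
    const b = value & 0x7f;
    value = Math.floor(value / 128);
    const done = (value === 0 && (b & 0x40) === 0) || (value === -1 && (b & 0x40) !== 0);
    out.push(done ? b : b | 0x80);
    if (done) return out;
  }
}

// br_on_cast family wire form: prefix, sub-opcode, branch depth (u32), heap type (s33).
function encodeBrOnCast(sub, branchDepth, heapType) {
  if (!GC_OPS.has(sub)) throw new RangeError('not a br_on_cast sub-opcode');
  return [PREFIX_GC, ...writeU32(sub), ...writeU32(branchDepth), ...writeS33(heapType)];
}

function decodePrefixedOpcode(bytes, pos = 0) {
  if (pos >= bytes.length) throw new RangeError('unexpected end of bytes');
  const prefix = bytes[pos];
  const table = OPCODE_TABLES.get(prefix);
  if (table === undefined) throw new RangeError(`0x${prefix.toString(16)} is not a prefix handled here`);
  const sub = readU32(bytes, pos + 1);
  // The check the decoder fixes add: reject the value before it indexes the table.
  if (sub.value >= table.length) {
    throw new RangeError(`sub-opcode 0x${sub.value.toString(16)} out of range for prefix 0x${prefix.toString(16)}`);
  }
  const insn = { prefix, sub: sub.value, name: table[sub.value], end: sub.pos };
  if (prefix === PREFIX_GC && GC_OPS.has(sub.value)) {
    const depth = readU32(bytes, sub.pos);
    const heap = readS33(bytes, depth.pos);
    insn.branchDepth = depth.value;
    insn.heapType = heap.value;
    // Non-negative s33 = concrete type index; negative = abstract heap type.
    insn.heapTypeKind = heap.value < 0 ? 'abstract' : 'concrete';
    insn.end = heap.pos;
  }
  return insn;
}
```

Two inputs are worth trying by hand: a non-minimal LEB128 such as `[0xfb, 0xc2, 0x00]` still decodes to sub-opcode 0x42, which is why a decoder cannot treat the byte after the prefix as the opcode, and `[0xfe, 0x80, 0x80, 0x04]` encodes sub-opcode 0x10000, which the range check rejects before any table access.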
It's been enabled by default since Chromium M95.
Also removes duplicate setup code for WebAssembly.Tag JS API
from WasmJs::InstallConditionalFeatures, since we're guaranteed
to set it up via the non-conditional WasmJs::Install.
Bug: v8:8091
Change-Id: Ic500feb655ad4fc0703ed226504847ca6d940537
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3996810
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84074}
This extends crrev.com/c/3948663 (ref.cast) by adding the new
"ref.cast null" which only behaves differently for null, for which
it doesn't trap but instead casts the null value to the target
(null)type.
Bug: v8:7748
Change-Id: I3ac85d83cc06c95af8830c1c60ae2f28414e2570
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3960329
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83934}
Follow-up to commit 6168782925
With this change 0x14 now also consumes a sig index immediate.
This will allow users to switch from 0x17 back to 0x14 without
breaking changes. After another grace period, 0x17 can be removed.
Reland of commit I65fe8b5bceb70323dd5e6450ec7bcc02696b15fa adapted to the concurrent changes in 35cc93aa42.
(This reverts commit 01379ba6d65371b70908da8e8386a9d9993aa2f9.)
Change-Id: I699095afb85d460e1fef8bd88abfd4c748090eda
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3977828
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83900}
This reverts commit 8f3047531d.
Reason for revert: CL collision:
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20-%20builder/63710/overview
Original change's description:
> [wasm] ref.call: Consume sig index immediate
>
> Follow-up to commit 6168782925
> With this change 0x14 now also consumes a sig index immediate.
> This will allow users to switch from 0x17 back to 0x14 without
> breaking changes. After another grace period, 0x17 can be removed.
>
> Change-Id: I5d0039fd1ca9d62c3d42e5834fe7924de45ad7ef
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3974512
> Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83890}
Change-Id: I65fe8b5bceb70323dd5e6450ec7bcc02696b15fa
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3976029
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83894}
Follow-up to commit 6168782925
With this change 0x14 now also consumes a sig index immediate.
This will allow users to switch from 0x17 back to 0x14 without
breaking changes. After another grace period, 0x17 can be removed.
Change-Id: I5d0039fd1ca9d62c3d42e5834fe7924de45ad7ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3974512
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83890}
This removes the temporary option and sets its value to {true}
everywhere.
Bug: v8:7748
Change-Id: Icbc3071b531b130c0eb007758452d09b65491c04
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3974510
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83880}
It's been enabled by default since Chrome 91.
Bug: v8:6020
Change-Id: Id26b7fb0b7dffe19a88a6f0071dd59203b06415a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3957636
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83862}
For some reason we overlooked shared memory64 so far. Supporting it is
trivial; we just need to fix flag parsing.
To make parsing simpler, we replace the switch by a bit-decoding logic.
R=jkummerow@chromium.org
Bug: v8:10949, v8:13401
Change-Id: I1d884a174f901ed359c1d385055c9f2d24b0e2f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3967904
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83846}
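The shared memory64 fix above replaces a switch over the memory limits flag byte with bit decoding. As an added example for this page, not V8's code, here is that idea in JavaScript: the three flag bits decoded independently, next to a switch of the shape being replaced that lists each accepted combination by hand and so rejects shared memory64 (0x07) as if it were malformed. The bit values are the ones the Wasm binary format uses (0x01 for a maximum, 0x02 for shared, 0x04 for memory64), and shared memories must declare a maximum; the switch is an assumed illustration rather than V8's actual code, and the `features` object is the example's own stand-in for engine feature flags.

```javascript
// Added example (not V8 code): decode the memory limits flag as a bit field
// rather than enumerating combinations in a switch.
const FLAG_HAS_MAX  = 0x01; // bit 0: a maximum limit follows the minimum
const FLAG_SHARED   = 0x02; // bit 1: shared memory (threads proposal)
const FLAG_MEMORY64 = 0x04; // bit 2: 64-bit memory (memory64 proposal)
const KNOWN_FLAGS = FLAG_HAS_MAX | FLAG_SHARED | FLAG_MEMORY64;

// Bit decoding: each bit is tested on its own, so every combination,
// including shared + memory64 (0x07), is handled by the same few lines.
// `features` is this example's stand-in for engine feature flags.
function decodeLimitsFlag(flag, features = { threads: true, memory64: true }) {
  if ((flag & ~KNOWN_FLAGS) !== 0) {
    throw new RangeError(`invalid memory limits flag 0x${flag.toString(16)}`);
  }
  const limits = {
    hasMax: (flag & FLAG_HAS_MAX) !== 0,
    shared: (flag & FLAG_SHARED) !== 0,
    memory64: (flag & FLAG_MEMORY64) !== 0,
  };
  if (limits.shared && !features.threads) throw new RangeError('shared memory requires threads');
  if (limits.memory64 && !features.memory64) throw new RangeError('memory64 flag requires memory64');
  if (limits.shared && !limits.hasMax) throw new RangeError('shared memory must declare a maximum');
  return limits;
}

// Switch of the shape being replaced (an assumed illustration, not V8's
// code): each accepted combination is spelled out, and the one nobody
// added, 0x07, falls through to the error path.
function decodeLimitsFlagSwitch(flag) {
  switch (flag) {
    case 0x00: return { hasMax: false, shared: false, memory64: false };
    case 0x01: return { hasMax: true,  shared: false, memory64: false };
    case 0x03: return { hasMax: true,  shared: true,  memory64: false };
    case 0x04: return { hasMax: false, shared: false, memory64: true  };
    case 0x05: return { hasMax: true,  shared: false, memory64: true  };
    default:   throw new RangeError(`invalid memory limits flag 0x${flag.toString(16)}`);
  }
}

function outcome(fn) {
  try { return JSON.stringify(fn()); } catch (e) { return 'rejected'; }
}

// Differential check over every possible flag byte: returns the values on
// which the two decoders disagree. After a decoder rewrite this list should
// contain exactly the cases the rewrite meant to change.
function findDisagreements() {
  const diffs = [];
  for (let flag = 0; flag < 256; flag++) {
    if (outcome(() => decodeLimitsFlag(flag)) !== outcome(() => decodeLimitsFlagSwitch(flag))) {
      diffs.push(flag);
    }
  }
  return diffs;
}
```

Running `findDisagreements()` against the two decoders isolates the single value the switch mishandled, which is the kind of exhaustive check worth keeping whenever a byte-valued flag decoder is rewritten.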
When inlining a tail call node into a regular call, the tail call node
is transformed into a regular call. This new call node (or its
projections in the case of multi-return) has to be typed.
Bug: v8:13406, v8:12166
Change-Id: I39cc619e6ee4f0d16763699fe4facebe461a750f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3968715
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83839}
It's been enabled everywhere since Chrome 88, and the related
Chromium flag was removed in https://crrev.com/c/2886421.
Bug: v8:6532
Change-Id: I987a5761f9453d4e7d77d16199e8f0b3a659c70a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3956131
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Auto-Submit: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83809}