On 64bit we guarantee that object alignment and sizes are multiple of
the default shadow memory granularity (8 bytes). The CL also introduces
CHECKs that the assumption holds.
Having kObjectAlignment be multiple of this granularity allows us to
check poisoness of each byte of an object. On 32bit we can not do that,
since the object alignment requirement is 4 bytes.
Bug: chromium:1241514
Change-Id: Ib19667724adaa7bc791ffa054eea618c365d65cb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3118552
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Auto-Submit: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76499}
'volatile Address' is a volatile pointer to non-volatile memory, which
means that writes to dereferenced memory may still be omitted. The CL
fixes it by treating dereferenced memory as volatile.
Change-Id: Ide4949c317467cb4440f98a1114991a102577e00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3118946
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76497}
This should be the last remaining thing that fails the
-Wunreachable-code-aggressive warning.
Currently V8 DEPS update is failing due to the update containing
https://crrev.com/c/3115354, with this, the update should then be fine.
Bug: chromium:1066980
Change-Id: Ic74b3a95f90204333b0724d30463c6953047e5f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3119999
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Auto-Submit: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Owners-Override: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76496}
Bug: v8:11589
Change-Id: I7b55efa76f60eacf31700a544f54042eec963f57
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3115545
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76495}
We create a ExternalReferenceAsOperand helper function in
SharedTurboAssemblerBase that delegates to the actual arch specific
implementation of TurboAssembler, because the ia32 and x64
ExternalReferenceAsOperand differs slightly in their implementation.
Bug: v8:11589
Change-Id: I378ea6b72fb2bba1a37482cc31cd58db0ba35721
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114604
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76494}
This avoids a benign race in setting the raw pointer inside CTP
destructor by not emitting the write at all. The handle is destructed
which means that we only need to destroy any backing node but may
leave the handle untouched.
Drive-by:
- Add a few more docs.
- Make Clear() thread-safe.
- Make assignment of a sentinel pointer thread-safe.
- Make assignment of a nullptr thread-safe.
Depends on the Blink change: https://crrev.com/c/3116259
Bug: chromium:1242795, chromium:1243350
Change-Id: I8d76da30893c165e3946322b6d02f6ea2c8e529e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114064
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76493}
Disable the system instrumentation tracing feature when Perfetto is
used as a tracing mechanism. This is because with Perfetto, trace events
no longer flow through the legacy TRACE_EVENT macro mechanism and thus
can't be intercepted by v8::platform::tracing::Recorder.
Perfetto has an interceptor API[1] for this purpose, but the existing
Recorders first need to be ported to it.
[1] https://perfetto.dev/docs/instrumentation/interceptors
Change-Id: I3d10b3470ae45a4c8aedd8e128369508a462cd27
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3118546
Commit-Queue: Sami Kyöstilä <skyostil@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Auto-Submit: Sami Kyöstilä <skyostil@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76491}
This CL takes advantage of the z15 `load reverse and replicate`
instruction to optimize Simd LoadSplat opcodes.
On the simulator we only run `load replicate` as reversing is
not required.
We will need to implement the rest of the `load transform` ops
before enabling this from wasm-compiler on BE machines.
Change-Id: I81ffedf51c3d35dbbc2a6455a2756cad25434127
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3115142
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#76490}
This introduces a new flag, --experimental-wasm-unsafe-nn-locals, which
allows arbitrary unvalidated local.get operations on non-nullable
locals.
For invalid accesses, this will crash. The intention is to allow module
producers to experiment; if they find these locals particularly useful,
we will add engine-side validation later.
Bug: v8:7748
Change-Id: I9a05747eaff312448ce0acf57a412e76679ff061
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3110192
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76489}
In a follow-up CL, the backing stores will, when the sandbox is enabled,
be referenced from V8 objects through offsets rather than raw pointers.
For that to work, all backing stores must be located inside the virtual
memory cage. This CL prepares for that.
Bug: chromium:1218005
Change-Id: Ibb989626ed7094bd4f02ca15464539f4e2bda90f
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114136
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76486}
Make the GetDispatchCountersObject function return an internal Handle
rather than an API Local. Also, port its implementation to use internal
methods rather than API methods.
Change-Id: I191e0483263009c835c801462822e4fc7e78680e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3110198
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76485}
In order to make loop header aligned at 64 byte (relative to memory address), code start should also be aligned at 64 byte.
Bug: chromium:1231471
Change-Id: I95390babd9cc78492e0beb0f1b03901eb481d5d5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3094167
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Hao A Xu <hao.a.xu@intel.com>
Cr-Commit-Position: refs/heads/main@{#76484}
stress-concurrent-inlining has a negative implication for
lazy-feedback-allocation. So add lazy-feedback-allocation as
incompatible flag with stress-concurrent-inlining.
Bug: v8:12088, v8:11947
Change-Id: Ia8ff66c595f6c6288b44f7a066729ace0d7ad9d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3113630
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76483}
This reverts commit 5a6c7dee4e.
Reason for revert: Speculative: Lots of Chrome crashes:
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Blink%20Linux/13353/overview
Original change's description:
> cppgc: Fix CTP for destruction
>
> This avoids a benign race in setting the raw pointer inside CTP
> destructor by not emitting the write at all. The handle is destructed
> which means that we only need to destroy any backing node but may
> leave the handle untouched.
>
> Drive-by:
> - Add a few more docs.
> - Make Clear() thread-safe.
> - Make assignment of a sentinel pointer thread-safe.
> - Make assignment of a nullptr thread-safe.
>
> Bug: chromium:1242795
> Change-Id: I0d9dafa31c298053e87ba1eb75f99fa6e33fa10b
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114134
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Anton Bikineev <bikineev@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76455}
Bug: chromium:1242795
Change-Id: Ia96d66f4908894091a4e498116d9568bd7b0e0a3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114058
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76482}
The v8::internal::IsolateData class in test/inspector/isolate-data.h
collides with v8::internal::IsolateData defined in
src/execution/isolate-data.h. In some circumstances, this can lead to
compilation or runtime issues. To fix that, this CL renames the class in
test/inspector to InspectorIsolateData.
Change-Id: I4b62b2a9d141169480c5a0591c1bcb2f275f87f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3116248
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76481}
Until setup and general API direction are clear no C++ types should be
GCed.
Bug: chromium:1056170
Change-Id: I9d51e57065b22f025898114d20887166ef756319
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3116256
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76480}
These instructions are all single instruction lowering, so it's a matter
of changing the code-gen to call macro-assembler functions (that will do
the AVX check).
Bug: v8:11217
Change-Id: I472eacf74933f4b504299fc85f63fd07062db320
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114602
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76476}
Bug: v8:11589
Change-Id: Ie51cfd6cd6315f7f14f0c584f190a478ed565b0e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114603
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76475}
We also set these operations to explicitly require Register for the
second operand (rhs) even if AVX is supported. Although AVX instructions
support unaligned operands, there is potentially a performance hit,
especially on older hardware. This matches the x64 instruction selector
as well.
Bug: v8:11217
Change-Id: Iae11ec23cc607842a034250028f7667fb2fcb0d0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114601
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76474}
This removes 4 arch opcodes.
Bug: v8:11217
Change-Id: Idff04fb205c7d7d1577ce123cc2160d678dfe39a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114599
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76473}
This reverts commit 2a8e2a9b98.
Reason for revert: Linking error on UBSan https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Clusterfuzz%20Linux64%20UBSan%20-%20release%20builder/17755/overview
Original change's description:
> heap: Use generic flags for main-thread only flags
>
> BasicMemoryChunk flags should only be mutated from the main thread
> when no concurrent task can access them. For that purpose it is enough
> to use regular non-atomic flags as they are immutable while the GC is
> running.
>
> Change-Id: I0a9f8ecb2eb2aafaf17e77626ae27604abd1b618
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3107230
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76471}
Change-Id: I5da7dff91549fd4aadd0bc9ae0a29c52748d9dcb
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3116810
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Owners-Override: Shu-yu Guo <syg@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76472}
BasicMemoryChunk flags should only be mutated from the main thread
when no concurrent task can access them. For that purpose it is enough
to use regular non-atomic flags as they are immutable while the GC is
running.
Change-Id: I0a9f8ecb2eb2aafaf17e77626ae27604abd1b618
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3107230
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76471}
Previously SharedTurboAssembler was a base class for ia32 and x64
TurboAssembler. This made it easy to share code, only if the
implementation was the same. In some cases, like
ExternalReferenceAsOperand, the implementation defers slightly between
the two architectures.
We add a new class template SharedTurboAssemblerBase,
which derives from SharedTurboAssembler. Using the CRTP pattern, we
can call derived classes functions using the template parameter.
For any function that is exactly the same, we can declare them in
the header and define them in the cc file, instead of inlining
them all into the header.
Bug: v8:11589
Change-Id: I9319bd0c26c76995cef43ae5ec3f69392b3f825b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097109
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76469}
Sets up custom OOM handling in cppgc and installs a handler that
redirects to V8's handler when running with unified heap.
Bug: chromium:1242180
Change-Id: I68b7038a3736cc0aa92207db2c3d129a9ff68091
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3116253
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76467}
We were overwriting the shift Register, instead, we should be using the
tmp_shift register.
Bug: chromium:1242689
Change-Id: I732c9c1f8a43401ce003b22893db9e39dfac3817
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3116115
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76466}
... when necessary and drop the now unused flag
ExtractFixedArrayFlag::kNewSpaceAllocationOnly.
Bug: chromium:1239922
Change-Id: Ic68d241ae7422df8e203ec12de800ded8862852e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3110371
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76463}
This is a reland of d1b27019d3
Fixes include:
Adding missing file to bazel build
Forward-declaring classing before friend-classing them to fix win/gcc
Add missing v8-isolate.h include for vtune builds
Original change's description:
> [include] Split out v8.h
>
> This moves every single class/function out of include/v8.h into a
> separate header in include/, which v8.h then includes so that
> externally nothing appears to have changed.
>
> Every include of v8.h from inside v8 has been changed to a more
> fine-grained include.
>
> Previously inline functions defined at the bottom of v8.h would call
> private non-inline functions in the V8 class. Since that class is now
> in v8-initialization.h and is rarely included (as that would create
> dependency cycles), this is not possible and so those methods have been
> moved out of the V8 class into the namespace v8::api_internal.
>
> None of the previous files in include/ now #include v8.h, which means
> if embedders were relying on this transitive dependency then it will
> give compile failures.
>
> v8-inspector.h does depend on v8-scripts.h for the time being to ensure
> that Chrome continue to compile but that change will be reverted once
> those transitive #includes in chrome are changed to include it directly.
>
> Full design:
> https://docs.google.com/document/d/1rTD--I8hCAr-Rho1WTumZzFKaDpEp0IJ8ejZtk4nJdA/edit?usp=sharing
>
> Bug: v8:11965
> Change-Id: I53b84b29581632710edc80eb11f819c2097a2877
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097448
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Dan Elphick <delphick@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76424}
Cq-Include-Trybots: luci.v8.try:v8_linux_vtunejit
Bug: v8:11965
Change-Id: I99f5d3a73bf8fe25b650adfaf9567dc4e44a09e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3113629
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76460}
Give a little bit of introduction to Oilpan and provide a few links to
navigate the project.
Bug: chromium:1056170
Change-Id: I4ef8c256c8de7932e3393017be6c58ba48ca45f2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114141
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76457}
This avoids a benign race in setting the raw pointer inside CTP
destructor by not emitting the write at all. The handle is destructed
which means that we only need to destroy any backing node but may
leave the handle untouched.
Drive-by:
- Add a few more docs.
- Make Clear() thread-safe.
- Make assignment of a sentinel pointer thread-safe.
- Make assignment of a nullptr thread-safe.
Bug: chromium:1242795
Change-Id: I0d9dafa31c298053e87ba1eb75f99fa6e33fa10b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114134
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76455}
Add copies of the NumFuzz CI builders with the infra
staging flag which in turn adds the no fail flag that
ignores exit code 1. We want to see if this catches bugs
with less noise.
Bug: v8:11826
Change-Id: Ide6ffa7475e464075e588df0eaed524503c8cf95
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114133
Commit-Queue: Almothana Athamneh <almuthanna@chromium.org>
Reviewed-by: Liviu Rau <liviurau@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76454}
In Blink, WindowProxy may be referred from two diffrent JS wrapper
objects during page refresh (same site navigation reusing parts of the
DOM). In this intermediate state, the old frame state is not yet
reclaimed while the new state is already being added.
We would like to only merge nodes when there's a 1:1 relation between
C++ and JS objects. Unfortunately, WindowProxy breaks that assumption
in that the C++ object doesn't directly point to the wrapper. In
addition, merging this case is important as otherwise detachedness
would not be propagated to the Window object (JS wrapper) which is the
main user of detachedness.
The CL allows overriding merged nodes, picking a random merged state
during pageload while still resulting in the regular snapshot behavior
outside of reloading the same page.
The proper fix is addressing chromium:1218404 and only create merged
nodes when the back reference points to the same object.
Bug: chromium:1241610
Change-Id: Ie77b51a56ce90ef377124304bb025342a724c600
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114139
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76453}
