MinorMC cannot shrink the space while concurrent sweeping is active.
This results in races between sweeping empty pages concurrently and
releasing them on the main thread.
Without concurrent sweeping, MinorMC sweeps all empty pages, then
preallocates more pages if needed, then shrinks by releasing some of
those empty/new pages.
MinorMC can instead shrink during sweeping/evacuation in the atomic
pause, before concurrent sweeping is active.
This resolves the conflict between concurrent sweeping and shrinking and
generally reduces the amount of work the GC has to do (i.e. don't
sweep/preallocate pages that will then be released by shrinking).
Bug: v8:12612
Change-Id: If898e5111c65b0b11d6ee9ee5dcd45751024650b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3933056
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83638}
AsyncGeneratorYieldNoAwait is equivalent to AsyncGeneratorResolve with
the constant false passed as the last argument. Remove it in favor of
calling AsyncGeneratorResolve directly.
Bug: v8:13275
Change-Id: Ie6a47e1f152285bccdc00ec1b7140e82460caf31
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3947530
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83637}
This is a reland of commit ed8953b695
Changes since revert:
- Work around recorded slot bug for external strings.
Original change's description:
> [strings] Fix dictionary forwarded string hash lookup
>
> Strings forwarded to external resources have their real hashes stored in
> the forwarding table. Dictionary mode lookups currently do not correctly
> load the hash for these tables, causing misses for properties that are
> in fact in the object.
>
> Bug: v8:12007
> Change-Id: I60ca4c084db7ddf6d2b7f7be8f63519c9cf3bc73
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3935218
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Patrick Thier <pthier@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83577}
Bug: v8:12007
Change-Id: Ifef5f99a46c239b2113aefa4efcdda1df1b4b6a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3940294
Reviewed-by: Patrick Thier <pthier@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83635}
Wait for TF optimisation to be requested (or to have happened) before
cranking up TF OSR urgency; this prevents us from getting into a
situation where we repeatedly call Maglev code which then OSRs into
TurboFan lots of times before finally tiering up to TurboFan properly.
Since we are waiting for TF optimisation to be requested, we also need a
mechanism to allow TF optimisation to be requested even when Maglev code
has been requested hasn't yet run (for direct Baseline->Turbofan tierup,
since Maglev can't OSR). Do so by re-trying the optimisation check if it
spits out Maglev but Maglev is already requested.
As a drive-by, clean up some naming around OSR code.
Bug: v8:7700
Change-Id: I483a412dd92fe13ee21f8aa46d86572bcf3f8a61
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3942385
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83630}
This reverts commit 4804c4de31.
Reason for revert: GC stress failure:
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20-%20gc%20stress/1075/overview
Original change's description:
> [wasm] Allocate feedback vectors on demand
>
> We previously allocated feedback vectors when instantiating the module,
> or when lazily compiling a function. That's not sufficient when there
> are multiple instances of the same NativeModule, or when we eagerly
> tier-down all code for debugging. This patch changes the "get vector from
> instance" sequence at the beginning of every Liftoff function to "get
> or allocate vector"; factored into a builtin call to avoid generating
> more code for every function.
>
> Bug: v8:12852
> Change-Id: I12ab96dc9575f5dff089147af1bf9b280616892d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3939667
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83610}
Bug: v8:12852
Change-Id: I200118185f265da7dd0956bbd5a45a4d40e4bbc0
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3943126
Owners-Override: Shu-yu Guo <syg@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83617}
We previously allocated feedback vectors when instantiating the module,
or when lazily compiling a function. That's not sufficient when there
are multiple instances of the same NativeModule, or when we eagerly
tier-down all code for debugging. This patch changes the "get vector from
instance" sequence at the beginning of every Liftoff function to "get
or allocate vector"; factored into a builtin call to avoid generating
more code for every function.
Bug: v8:12852
Change-Id: I12ab96dc9575f5dff089147af1bf9b280616892d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3939667
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83610}
This CL implements support for clamping floating point to integer
values when [Clamp] annotation is passed to a fast API call argument.
It uses min(max(value, lower_bound), upper_bound) as specified by
https://webidl.spec.whatwg.org/#es-integer-types-abstract-ops, step 7.
Bug: chromium:1052746
Change-Id: Ie12c0d98076863ac00aead9319f5770d7028773d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3749205
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83605}
This CL introduces statement positions before the right-hand side of
comma expressions, in order to align the stepping behavior (and also
generally the breakpoint behavior) around semicolon (;) and comma (,)
separated expressions.
The motivation here is that left-hand sides of comma expressions are
evaluated purely for their side-effects and as such, they aren't
really any different from statements from a developers perspective.
And more importantly, minifiers (like UglifyJS, terser, or esbuild)
by default turn statement expression lists into comma-separated
expressions, thus implicitly changing the stepping behavior in ways
that are difficult to understand for developers.
Doc: http://go/chrome-devtools:comma-stepping-proposal
Demo: https://devtools-dbg-stories.netlify.app/crbug-1370200.html
Video: https://i.imgur.com/5WC03wF.gif
Fixed: chromium:1370200
Change-Id: I38f288d964bc992d1de0dce2ed2becd4220793df
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3934288
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83599}
The process of checking a function body for validity is called
"validation" in the spec, hence also use this term in the code instead
of "verification".
R=jkummerow@chromium.org
Bug: v8:13371
Change-Id: Icef65282f829f600975ae4b10eb0847ba75e7ae3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3941887
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83598}
The CL makes Oilpan use the same data-structure (two-layer bitmap) as V8
uses for the remembered set.
Bug: chromium:1029379
Change-Id: I1213d3ae06da5e85466430875378e3b8dfdee16e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3701592
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83594}
This reverts commit ed8953b695.
Reason for revert: test fails under GC stress:
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/44191/overview
Original change's description:
> [strings] Fix dictionary forwarded string hash lookup
>
> Strings forwarded to external resources have their real hashes stored in
> the forwarding table. Dictionary mode lookups currently do not correctly
> load the hash for these tables, causing misses for properties that are
> in fact in the object.
>
> Bug: v8:12007
> Change-Id: I60ca4c084db7ddf6d2b7f7be8f63519c9cf3bc73
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3935218
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Patrick Thier <pthier@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83577}
Bug: v8:12007
Change-Id: Idcfb670e05a5434165c714b7f1e7f5b1619d28c6
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3938917
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Adam Klein <adamk@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#83580}
If the largest freelist block was at the end of the page, it was not
accounted for sweep-on-allocation.
Change-Id: Ia7cfc9543c9c448b580444b1ce96eb37f7738ece
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3938228
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83579}
REPL mode always returns a promise since we basically turn the
evaluated script in an async function. More-over, we stash the result
as a property on a plain JS object. This prevents promise chains to
resolve too far if the result of the evaluation is a promise itself.
Long story short, we don't need to wrap REPL mode results in
`Promise.resolve`, but can add the then/catch handlers directly.
This fixes the DevTools console when working with broken promise
polyfills or broken thenables.
R=bmeurer@chromium.org
Fixed: chromium:1371072
Change-Id: I96aa8eaf5939fdf6231712b047b50fee734efc0b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3929037
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83578}
Strings forwarded to external resources have their real hashes stored in
the forwarding table. Dictionary mode lookups currently do not correctly
load the hash for these tables, causing misses for properties that are
in fact in the object.
Bug: v8:12007
Change-Id: I60ca4c084db7ddf6d2b7f7be8f63519c9cf3bc73
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3935218
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83577}
Stack slots are uncompressed, so we must always write the full
64-bit pointer.
Fixed: v8:13363
Change-Id: Iac5375388dd877dff2ddb3d6ef23ed56943da704
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3938230
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83574}
This CL revises the conservative stack scanning visitor, to use the
implementation of inner pointer resolution based on the marking bits.
Bug: v8:13257
Change-Id: I97203e1f571d89912f91b3513cff24521c1df662
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3934342
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83573}
This CL exposes BigInt binary operation builtins to the interpreter and fixes the return type of the external c calls to avoid unexpected behavior on Windows. The original return type was bool which would marshal to Windows BOOL (of the same size as int) causing the return value always being true if there is garbage in upper bits. Changing bool to int32 solves the problem.
Bug: v8:9407
Change-Id: Ib56f5b163deb77566ef79166860e1921ef0065c5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3932951
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#83572}
This CL implemented Int64MulWithOverflow on x64 and arm64
to support type feedback collection for BigInt64 multiplication.
Bug: v8:9407
Change-Id: I4a0354038e02d3304d17a115e4e144afd386b5d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3934824
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#83570}
Fix breakage from moving configs into a central place
(https://crrev.com/c/3911515).
Change-Id: Id68d5c104cffccb4793417eff3088d7748a179fc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3938068
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83569}
This CL fixes two bugs in the unit test for inner pointer resolution,
implemented using the marking bitmap. First, the tests would not compile
after crrev.com/c/3925548, which moved the marking state from the
collector to the heap. Second, some tests would fail in builds without
pointer compression, because the size of words in heap is different.
Bug: v8:13257
Change-Id: I8e6c9c70daa9ed9a8f0ebd5a06f7c017445400e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3937964
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83563}
The function-body-decoder-impl.h header is really heavy, and a comment
at its beginning says that it should only be included for new
implementations of WasmFullDecoder.
While there are other nice reasons to include it (e.g. for the Immediate
types), many includes were not needed.
This CL removes them, and adds other needed includes as needed instead.
R=jkummerow@chromium.org
Bug: v8:13312
Change-Id: I84efab0814fc1a38643960f49c7641c824b75f71
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3933055
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83561}
Input sizes are reduced from 64 to 60 to satisfy the requirement
of "small" without influencing the scores in some existing
benchmarks.
Bug: v8:9407
Change-Id: I51ca0b9a7a8c128c9fc863e4ff0587eeebdd7bac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3929031
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#83560}
- For suspending WebAssembly.Functions imported as table elements,
ensure that we compile the suspending variant of the wasm-to-js
wrapper
- Fix stub call mode for WasmSuspend builtin call
R=jkummerow@chromium.org
Bug: v8:12191
Change-Id: I8edd4e8a5c735909e5163e5a3700cd5567a6e27a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3937965
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83559}
This is needed to simplify concurrent sweeping for MinorMC.
Also: move evacuation verifiers to a separate file so that they can be
used from heap.cc as well.
Bug: v8:12612
Change-Id: I2a738a31e83a357f4fdded8a30ccb2ff6ba70553
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3932720
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83557}
The CL sligthly generalizes SlotSet by parameterizing it with slot size.
SlotSet is abstracted into BasicSlotSet, which is moved to heap::base::.
V8 GC related parts stay in slot-set.h
Bug: chromium:1029379
Change-Id: I093332b77682d2b31e61a91d4b0110fa95b5c908
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695595
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83553}
Implements the normative change
https://github.com/tc39/ecma262/pull/2819, which removes the await
inside async generator yield*. The delegating iterator result is already
awaited, and this effectively removes an extra tick and unwrapping.
The implementation of `yield` uses the existing AsyncGeneratorYield
builtin, which already performs an Await. It is renamed to
AsyncGeneratorYieldWithAwait.
The implementation of `yield*` uses a new builtin named
AsyncGeneratorYieldNoAwait, which does not perform an Await.
Bug: v8:13275
Change-Id: I88569f1e982edfb6a193c2fa07544fc59732f380
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3919916
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83545}
This reverts commit 20327d1599.
Reason for revert: The code for structref/dataref is in use in
combination with array types, so the change breaks their use cases.
Reverting to restore the previous semantics of dataref.
Original change's description:
> [wasm-gc] Ref types: Convert dataref to structref
>
> This change changes the type hierarchy in a non-backwards compatible
> way: dataref is replaced with structref meaning that arrayref is
> no longer a subtype of it.
>
> Bug: v8:7748
> Change-Id: I965267d9ed11ea7c7d7df133cc39ee63e6b5abc3
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3929041
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83515}
Bug: v8:7748
Change-Id: I2a0bcafafe6f67df87aac86813f74573b708cce4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3936156
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#83544}
Detach the marking state from the collectors and move them to heap.
Also update users to access via heap and reduce dependencies on the
collectors.
This is a prerequisite for moving sweeper to the heap, which is needed
for concurrent sweeping in MinorMC.
Bug: v8:12612
Change-Id: Ia0bb2b7566b24eeb0d75c911edbfd626f07dad0f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3925548
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83542}
Currently, LiveEdit updates the source positions of unchanged SFIs
in-place (the SFI could have moved due to other functions changing).
This interfere with our plans to re-use ScopeInfo-based blocklists
for debug-evaluate. Entries in the global block list cache are keyed
by ScopeInfo's source position. Any closure that escaped a
debug-evaluate will point to the old ScopeInfo in its context chain
and the block lists should stay in-place in case the escaped closure
is called again.
Rather than updating ScopeInfos in-place, this CL updates the
ScopeInfo object wholesale for unchanged SFIs. This is safe todo
given that the old and new ScopeInfo are identical modulo source
positions.
Drive-by: Take the source position of the function token from the
`FunctionLiteral` rather than doing a more expensive position
translation.
Bug: chromium:1363561
Change-Id: I2b8476edd8d7dc4c618e53551aa5692a21d6fb32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3932724
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83536}
This CL fixes the remaining test failures when running test with the
--shared-heap flag locally:
* Remove uses of shared_isolate()
* Fix slot recording in Mark-Compact and Scavenger
* Fixes DCHECKs in tests that do not hold with --shared-heap
Bug: v8:13267
Change-Id: I6869ece70f1e6156d9bb1281e6cd876cf8d471eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3918377
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83530}
Shared heap requires write barriers to keep track of old to shared
references.
This CL also disables all shared-memory/* mjsunit tests for single
generation configurations. These tests generally should not work
since the single generation bot also disables write barriers.
This should resolve the remaining single generation failures.
Bug: v8:11708, v8:13322
Change-Id: Ie0b0cbbc782afb607c1d13ccb4edcb2672ebf51b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3934770
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83528}
Source map urls can be parsed from the magic comments. Expose them with
public apis on the UnboundModuleScript, similar to the UnboundScript.
Change-Id: Ia5dfdc8ff25f825c9fa7d241d0d79ba20028586b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3917379
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Chengzhong Wu (legendecas) <legendecas@gmail.com>
Cr-Commit-Position: refs/heads/main@{#83527}
The Symbols-as-WeakMap-keys proposal allows non-Symbol.for Symbol values
in weak collections, which means it can show in EntryPreviews.
Also apparently Symbols in regular Maps and Sets were also unsupported.
Bug: v8:13350, v8:12947
Change-Id: Ib10476fa2f3c7f59af67933f0bf61640be1bbd97
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3930037
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83518}
This change changes the type hierarchy in a non-backwards compatible
way: dataref is replaced with structref meaning that arrayref is
no longer a subtype of it.
Bug: v8:7748
Change-Id: I965267d9ed11ea7c7d7df133cc39ee63e6b5abc3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3929041
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83515}
Due to stack slot reuse, any of the moves that are part of the handler
trampoline may conflict and thus need parallel move resolution.
Materialisations (= calls to the NewHeapNumber builtin) add an addtl
complication since a) materialising moves can also be part of any
move conflict, b) the builtin call may clobber arbitrary registers,
and c) materialisation need a spot to store the NewHeapNumber result.
We resolve this by materialising into new temporary stack slots
before the main move sequence, and popping into the final target
locations after the main move sequence.
Bug: v8:7700
Change-Id: I1734faf189d02e38af07a817a9b647e2dce54f22
Fixed: chromium:1368046
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3921515
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83511}
This CL merely maintains concurrent marking in MinorMC in a stable
state, i.e. it builds and passes tests.
Bug: v8:13012
Change-Id: I866fdbdfcdcc9ae101b63323aa43ceeeab882b45
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3934271
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83510}
Provide dummies for performance methods that are irrelevant for
differential fuzzing.
Bug: chromium:1370405
Change-Id: I91dcadc446314dbfc97b09a95f054c867574e345
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3932722
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83509}
There are a few DCHECKs that weren't updated to allow for Symbols as
weak collection keys. This CL updates those DCHECKs and also does the
following refactors for clarity:
- Add Object::CanBeHeldWeakly
- Rename GotoIfCannotBeWeakKey -> GotoIfCannotBeHeldWeakly to align with
spec AO name
Bug: chromium:1370400, chromium:1370402, v8:12947
Change-Id: I380840c8377497feae97e3fca37555dae0dcc255
Fixed: chromium:1370400, chromium:1370402
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3928150
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83507}
This CL fixes a use-after-free bug where we try to access an
`InjectedScript` object after it died. This can happen when we
transition into JS and back and the context group dies in the mean
time (e.g. because of a navigation). Normally we check for this but
we missed a call to `Promise#then`.
The access that triggers the UaF is when we try to stash away the
protocol callback function after returning from `Promise#then`.
The callback function is responsible for sending the protocol
response back to DevTools containing the result of the evaluation.
There are two objects with different lifetimes involved:
- InjectedScript: Owns the `EvaluationCallback`. We keep a
a reference in case the context group dies. This allows us to
cancel any pending evaluate requests.
- ProtocolPromiseHandler: Has a reference to `EvaluationCallback`.
The handler itself is managed by the V8 GC via `v8::External`
and a weak `v8::Global`.
When the `ProtocolPromiseHandler` wants use the callback to send
a response, it needs to take ownership first.
We could invert the ownership but it's preferable for evaluation
callbacks to die together with execution contexts and not when the
GC feels like it.
We fix the UaF by using an `InjectedSript::ContextScope` and reloading
the `InjectedScript` after we return from `Promise#then`. Then
we can take proper ownership of the callback and use it in case the
call failed.
R=jarin@chormium.org
Fixed: chromium:1366843
Change-Id: I3a68e8609a9681d7343c71f43cc6e67064f41530
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3925937
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83506}
When incremental marking has started and the scavenger is triggered,
young generation pages that end up in the "from" space may contain
unclean markbits. In this case, inner pointer resolution may return
base pointers to the start of objects that are not on the page anymore.
This is problematic if the page contents have been zapped. This CL fixes
this and improves the corresponding unit test.
Bug: v8:13257
Change-Id: I9f4a05270a66e15e86519a2d6574b4afe100a48d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3925935
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83496}
This will be used for lowering 64bit division by a constant.
Change-Id: I79153b81fe58757feeffb6c6c170f6f62fdd2a60
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872268
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83493}
... when iteration over fast array is aborted. This change affects
JSCollection constructors.
According to the iteration protocol the iterator must be properly
closed in case the element can't be added to the collection.
Bug: chromium:1357318
Change-Id: I30cff249449dbb5ac0f48111a681caedcf37e326
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3928743
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83486}
With BigInt64 feedback, SpeculativeBigIntAdd can be lowered to
CheckedBigInt64Add with type checks for input. Deopt is triggered if
the result overflows or the input is out of range.
A unit test is added to make sure there is no deopt loop.
Bug: v8:9407
Change-Id: I61a25737208c81a9619d959961fc5ab10e069546
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3921521
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83485}
Add simple implementations of performance.mark/performance.measure --
these aren't fully to spec, and in particular don't have the right base
class or prototype, but they're similar enough for simple use.
Additionally, log trace events for performance.measure, similar to
Chromium -- this allows us to annotate traces collected with d8's
--enable-tracing.
Change-Id: Ib4d7104ba94a261493c57334b2008956e4d89dd1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3918092
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83478}
The new ref.test (opcode 0xfb40) takes an any reference (vs. data on
the old instruction) and expects a HeapType immediate.
The HeapType can be a concrete or an abstract type.
Bug: v8:7748
Change-Id: Iaa2010af21d3fee76e27a5f4476ae00f5ca837a1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3913028
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83475}
assertThrows catches both early errors during parse time and exceptions
thrown during runtime.
To be able to test more specificially, add assertEarlyError to check for
syntax errors during parsing and assertThrowsAtRuntime to check that
code throws while executed.
Change-Id: I61ee78c4b2beec266dfbed3999cd4df1786d0c9a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3925198
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83472}
This reverts the following commits:
* [runtime] Clean up dead entries in the template cache"
8436c0059c.
* [runtime] Don't update template map for existing templates
e7b9604040.
* [runtime] Fix hash used in template cache
caa087bb18.
* [runtime] Hold cached template objects weakly
5d19e724d2.
* [runtime] Key template object cache on Script
f3a0e8bccf.
There are gerrit UI issues which appear to be template object caching
related.
For dashboard:
This reverts commit 8436c0059c.
This reverts commit e7b9604040.
This reverts commit caa087bb18.
This reverts commit 5d19e724d2.
This reverts commit f3a0e8bccf.
Bug: v8:13190
Bug: chromium:1366900
Change-Id: I9759771441a4dece2a5dbb47e462ce0c0c01b182
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3925696
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83471}
Following up on https://crrev.com/c/3916453, we also remove the
confusing breakable and steppable positions from spreads in array
literals. These positions provide no meaningful advdantage for
developers, but just makes it annoying to step through code that
contains spreads.
Drive-by: Add similar inspector tests to ensure that the positions in
the stack are correctly inferred when stopped in the Symbol.iterator or
the next methods.
Before: https://imgur.com/jVf2JeB.png
After: https://imgur.com/u8SfNhy.png
Fixed: chromium:1368971
Change-Id: Ibf791167936c1ed28ac3240acb7c0846b11ebecb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3925200
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83469}
Since JSPI doesn't work without type reflection, this ensures that
passing --experimental-wasm-stack-switching alone doesn't leave
developers (or users) in a broken state.
Bug: v8:12191
Change-Id: Idfabc39b7c9352dd20009924fda07504c4e5087b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3919913
Auto-Submit: Adam Klein <adamk@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83467}
This reverts commit 178148045f.
Reason for revert: regresses JetStream2 a lot.
Original change's description:
> [runtime] Invalidate XxxIteratorLookupChain protectors
>
> ... when "return" property is added to respective iterator or might be
> added somewhere up the prototype chain.
>
> According to the iterator protocol the "return" callback must be
> called when iteration is aborted in the middle.
>
> Bug: chromium:1357318
> Change-Id: I36d81b90cfd40e417136ab97ec53ad7054f4df77
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3916630
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83427}
Bug: chromium:1357318, chromium:1368400, v8:13335
Change-Id: I8b14a2c47819a89d9b2c869a7bcb52e2c2457427
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3925199
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83466}
... exception.
Array#join depends array_join_stack to avoid infinite loop
and ensures symmetric pushes/pops through catch blocks to
correctly maintain the elements in the join stack.
However, the stack does not pop the elements and leaves in
an invalid state when throwing the uncatchable termination
exception. And the invalid join stack state will affect
subsequent Array#join calls. Because all the terminate
exception will be handled by Isolate::UnwindAndFindHandler,
we could clear the array join stack when unwinding the terminate
exception.
Bug: v8:13259
Change-Id: I23823e823c5fe0b089528c5cf654864cea78ebeb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878451
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#83465}
... after gc.
This CL also adds a runtime test function GetWeakCollectionSize
to get the weak collection size.
Bug: v8:12947
Change-Id: I4aff39165a54b63b3d690bfea71c2a439da01d00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905071
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#83464}
This CL moves the code for requesting a GC from a non-main thread from
LocalHeap to Heap into CollectGarbageBackground().
The CL then makes use of this method in CollectGarbageShared() to
request a GC with --shared-space.
Bug: v8:13267
Change-Id: I2946cf5068ef8eb9eb99f9d396ac466d68abc7ec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3916634
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83456}
This change removes the confusing statement positions that were
previously emitted for every binding identifier within both array
and object destructurings. These statement positions were reported as
breakable positions to the debugger front-end, and during stepping, the
debugger would also stop on them. This is confusing and very different
from how other expressions work (we don't emit statement positions
within expressions normally).
Instead we emit expression positions for the binding identifiers, which
are used to construct the source positions for stack traces. As a drive
by we also add the missing position (and test cases) for sub-patterns.
In particular this aligns the stepping and breakpoint behavior around
destructuring expressions with that of Firefox DevTools.
We also remove the original test cases, introduced with
https://codereview.chromium.org/1542813003 and
https://codereview.chromium.org/1533313002, which were written as
debugger tests, with new inspector tests that also ensure that the
call positions are correct.
Fixed: chromium:1368444
Bug: v8:811
Doc: http://go/chrome-devtools:destructuring-breakpoints-design
Change-Id: I4d53ad059b5eede73abd01d9bc9fdf8263c55c9d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3916453
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Kim-Anh Tran <kimanh@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83455}
Also drive-by adds a test for toSpliced on an empty array.
Bug: chromium:1367651, v8:12764
Change-Id: I59ff19ef73dd6c5ea972dc6f39f1968858099ef8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3919870
Commit-Queue: Adam Klein <adamk@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83441}
It is possible, though unlikely, that V8 will deserialize code cache
data, decide to merge that new data with an existing script from the
Isolate compilation cache, and subsequently do nothing in the background
portion of the merge (make no heap changes, and request no follow-up
changes on the main thread). In this case, the most optimal outcome is
to reuse the script from the Isolate compilation cache, not to use the
newly deserialized script.
CodeSerializer::FinishOffThreadDeserialize uses
BackgroundMergeTask::HasPendingForegroundWork to determine whether it
should complete the merge and use the Script from the compilation cache
or complete the deserialization and use the newly deserialized Script.
This change updates HasPendingForegroundWork so that it will return true
even if the merge was a no-op.
Bug: v8:12808
Change-Id: I08fcb814e797218e5be2b4ce4f45bd4e0637ec80
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3916270
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83439}
This CL decouples the Wasm GC JS interop from the experimental
string <-> array conversions as the interop is now enabled by
default, still there are some issues discovered with the
conversions.
The functions are fixed via https://chromium-review.googlesource.com/c/v8/v8/+/3916633.
Bug: chromium:1366881
Change-Id: I27730523a51d24a7ea18199e1668e8c76f0bcb4d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3916088
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83435}
ref.cast_nop is used for internal testing only.
0xfb48 will become ref.test null.
Bug: v8:7748
Change-Id: Iaee762dd97a993a361edddf656090210876178a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3913205
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83430}
... when "return" property is added to respective iterator or might be
added somewhere up the prototype chain.
According to the iterator protocol the "return" callback must be
called when iteration is aborted in the middle.
Bug: chromium:1357318
Change-Id: I36d81b90cfd40e417136ab97ec53ad7054f4df77
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3916630
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83427}
Collect feedback for BigInt64 in interpreter and change the runtime
for BigInt64 addition.
Bug: v8:9407
Change-Id: Ic69ba2c1f5ada998ac5ee3279e8296efe084d600
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3909809
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83419}
MSVC is confused by initializer list and default parameter, and reports
an ambiguous call.
test/cctest/test-assembler-arm64.cc(12208): error C2668: 'v8::internal::Clobber': ambiguous call to overloaded function
test-utils-arm64.h(251): note: could be 'void v8::internal::Clobber(v8::internal::MacroAssembler *,v8::internal::CPURegList)'
test-utils-arm64.h(241): note: or 'void v8::internal::Clobber(v8::internal::MacroAssembler *,v8::internal::RegList,const uint64_t)'
Solution is to construct with explicit type.
Bug: v8:13312
Change-Id: I66f5ba48bcdf6eb30035beaf7214a3d26fc9f18b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3913034
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83406}
Array#with and TypedArray#with adapt their arguments because they have a
fixed arity of 2. Builtins that adapt arguments shouldn't use
...arguments in Torque, which results in a "don't adapt" sentinel to be
generated, resulting in incorrect frame size computation.
Bug: v8:12764, chromium:1367133
Change-Id: I81c1ef2cdef25d049fa0b8effcb2a953c2a9846b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3915939
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83405}
clang/clang-cl compiled happily (probably included transitively this
header), but not MSVC.
Bug: v8:13312
Change-Id: I69b6c15f76d8ef13e4fac33f733717429ba96f71
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3913033
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83402}
This aligns the breakpoint behavior of YieldExpression and
AwaitExpression with the behavior of AssignmentExpression
in V8. It basically boils down to not reporting expression
positions on SuspendGenerator bytecodes as breakable
locations.
In particular the initial implicit yield of any generator
function is no longer a breakable position. In light of
this changes we also refine https://crrev.com/c/2949099
to not be able to step to the initial implicit yield
either, which would otherwise be really odd.
Before: https://imgur.com/KYy9F1S.png
After: https://imgur.com/gCnWU8J.png
Doc: https://goo.gle/devtools-reliable-await-breakpoints
Bug: chromium:901814, chromium:1319019, chromium:1246869
Fixed: chromium:1319019, chromium:1357501
Change-Id: I0c5f83e279918eb392d8f77a8a04c4c0285f938e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3909688
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83392}
This is a reland of commit 80fb281561
This CL fixes the signedness of rematerialized Numbers from immediates, which was introduced by the original change. Besides, BigInt truncation to zero bits is lowered to Int64Constant instead of NumberConstant of zero, which will flow into the state values directly.
Original change's description:
> [turbofan] Rematerialize BigInt64 in deopt
>
> This CL introduces two MachineTypes - SignedBigInt64 and UnsignedBigInt64, which are represented as Word64 but will be rematerialized to BigInt in deoptimization. This will avoid unnecessary conversions for BigInt64s when they are passed to StateValues.
>
> Bug: v8:9407
> Change-Id: I65fdee3e028ed8f9920b1c20ff78993c7784de48
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858238
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Commit-Queue: Qifan Pan <panq@google.com>
> Cr-Commit-Position: refs/heads/main@{#83230}
Bug: v8:9407, chromium:1364319, chromium:1364400
Change-Id: I0b4e077b52f64af46018b6c045893bbd56153f32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899258
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83384}
V8-side implementation for trusted types fromLiteral.
Create a separate JSArray root map for template literal objects to
clearly identify untampered template literals belonging to a given
context.
Given that template literals are frozen arrays with a 'raw' property,
we don't expect additional polymorphism.
Drive-by-fix:
Avoid ValidateElements call in NewJSArrayWithElements.
Bug: chromium:1271149
Change-Id: I327b0fd99a2db3b57d35efa9293ddf2f14e555ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3572044
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83383}
We set the JSArray's length to the elements's length before,
which is wrong when the elements have the slack part. We could
serialize the correct length and only the actual elements excluding
the slack part for JSArray's elements. And we do the same thing
for the objects to avoid serializing unnecessary elements.
Bug: v8:13304
Change-Id: Ib68e06f409bfcab5c57fb5532e188aa0099d1140
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905061
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83380}
We don't remove the code just yet in case we need to re-enable the
feature. This could be in case we discover workflows not covered by
the "Scope View" and the scopes we report on "Debugger.paused".
R=kimanh@chromium.org
Bug: chromium:1365858
Change-Id: I636cc861af932156944a3f6e0a149cce0f939329
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905185
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83379}
This reverts commit 2a7f86edcb.
Reason for revert: Blocking the roll (https://ci.chromium.org/ui/p/chromium/builders/try/mac-rel/b8802346196479466065/test-results?q=ExactID%3Aninja%3A%2F%2Fgin%3Agin_unittests%2FGinShellTest.HelloWorld+VHash%3A46648b293475ce2a&clean=)
Original change's description:
> Reland "[v8] Use |AllocateAtLeast| for resizing v8 zones."
>
> This is a reland of commit 4444874cdf
> This fixes a failure on the UBSan bots caused by assuming |Realloc| is always in-place if the new size is <= the value of |malloc_usable_size|.
>
> Original change's description:
> > [v8] Use |AllocateAtLeast| for resizing v8 zones.
> >
> > This is part of an ongoing effort to reduce fragmentation in Chrome. Partition alloc shows v8 zones are a large user of memory in Renderer processes, and that there is fragmentation from these allocations. This CL will reduce this fragmentation by allowing v8 to use all allocated memory for its zones.
> >
> > Bug: v8:13193, chromium:1238858
> > Change-Id: Ibeac8bdba9d0e7ff66b14a3dde10e7c87d3cf953
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3889361
> > Reviewed-by: Adam Klein <adamk@chromium.org>
> > Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
> > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#83235}
>
> Bug: v8:13193, chromium:1238858
> Change-Id: I923bcbce8403dd7d84642340fd7202087b8a4440
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3910268
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83372}
Bug: v8:13193, chromium:1238858
Change-Id: I32f9c4701a29c0516e3f587f1c6028e4d4158466
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3909358
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83378}
Blink has shipped import assertions since M91, so it is safe enough to
go straight to shipping here.
Bug: v8:10958
Change-Id: I3256172473a1ae8ce74e7fa63b14137e24568360
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3911378
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83373}
This is a reland of commit 4444874cdf
This fixes a failure on the UBSan bots caused by assuming |Realloc| is always in-place if the new size is <= the value of |malloc_usable_size|.
Original change's description:
> [v8] Use |AllocateAtLeast| for resizing v8 zones.
>
> This is part of an ongoing effort to reduce fragmentation in Chrome. Partition alloc shows v8 zones are a large user of memory in Renderer processes, and that there is fragmentation from these allocations. This CL will reduce this fragmentation by allowing v8 to use all allocated memory for its zones.
>
> Bug: v8:13193, chromium:1238858
> Change-Id: Ibeac8bdba9d0e7ff66b14a3dde10e7c87d3cf953
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3889361
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83235}
Bug: v8:13193, chromium:1238858
Change-Id: I923bcbce8403dd7d84642340fd7202087b8a4440
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3910268
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83372}
This CL implements collection of garbage in the shared spaces in
the shared heap isolate. GC on such an isolate should now work
correctly without worker isolates. Support for worker isolates will
be implemented in a subsequent CL.
Bug: v8:13267
Change-Id: I30125ce3b791e2faa0504d065f23639d6106e6b6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904647
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83371}
- Use non-idle tasks to be able to process finalizers on time.
- Only process finalizers while concurrent marking is still running.
Bug: v8:13294
Change-Id: I1a2812c3fc350ea679c4c916c230cf736f2aa3ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904648
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83367}
There is no -0n, and we'd therefore never serialize such a BigInt.
But we can't trust serialized data to not have gotten corrupted
(or be fuzzer-generated), so guard against this case when
deserializing.
Fixed: chromium:1359937
Change-Id: If11d9a364480bae51911cc4a0ce8a719853139fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904414
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83362}
This test breaks when interrupts occur with unfortunate timing. Maglev
increases flakiness of this test since finished Maglev compiles all
raise a new interrupt (and interrupts abort-and-retry regexp
execution).
Disable concurrent recompilation for this test, and drive-by fix the
--trace-regexp-tier-up flag.
Bug: v8:7700
Change-Id: I170c911fe2308b0b5ad9941e695f11f8925455f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904604
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83359}
Correct the test expect result as the spec specifies the accumulator is 2*SEW
bits. Fix the simulator implementation as well.
R=qiuji@iscas.ac.cn
Change-Id: Ia5d11b3214cf32635c3767df75992b2a50ee6980
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878452
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#83354}
Correct the arguments for std::fma() to double as the instruction expects
both addend and destination are 2*SEW bits wide. Addressed corresponding
implementation in the simulator as well.
R=qiuji@iscas.ac.cn
Change-Id: Ib3963a61c00ee9dc73af019574a1665de406cc32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878448
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#83353}
1. Correct the return type of RoundTowardsZero to fix issue with
double value > 2^64
2. In TemporalDurationToString:
a. Use std::fmod instead of % to get the remainder
b. Use extra xx_add variables to hold additional value which may
overflow the double during computation.
c. Use BigInt for days if the value is too large for double
to ensure the precision.
3. Add tests with Number.MAX_SAFE_INTEGER
and Number.MAX_VALUE in values for Duration toJSON in mjsunit
Bug: v8:11544
Change-Id: Icac4f669ed1c591e947b51c82dd48bdef7a6db6e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3900813
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83344}
This change allows to put Wasm structs / arrays into prototype
chains. While this isn't particularly useful (as any access lookup
on the wasm object will throw a TypeError), there isn't any reason
not to allow it.
Bug: v8:7748
Change-Id: I81cf709d2e8403b545bbba9ad9c538c1e9748c74
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3901979
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83329}
If a shift right is performed with a negative value <= -32,
it may not be reduced to a 32 bit shift.
The reduction optimization was introduced by commit
2298b35f7c.
Fixed: v8:13290
Change-Id: Ifb16ed85560ab54d211ebb407690abe2c156e3a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905143
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83324}
Array.prototype.group and Array.prototype.groupToMap have an optional
thisArg, which is currently not passed.
Bug: v8:13301, v8:12499
Change-Id: Ib927638401d39ed0cbcc0595ab41fde328ef43cc
Fixed: v8:13301
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905934
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83323}
This CL adds a test that checks the block list for outer functions is
also correctly calculated when pausing in inner functions.
R=kimanh@chromium.org
Bug: chromium:1363561
Change-Id: I2d7c1671475759b977e4e41c7e09856b3b2e7daf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904308
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83319}
We currently use 1 test case per file for tests that check that
debug-evaluate correctly blocks the lookup of stack-allocated
variables.
This CL adapts a similar approach to `debug-scopes.js`, making it
easier to add new test cases in the future.
R=kimanh@chromium.org
Bug: chromium:1363561
Change-Id: I8ff8cfe7d59f0b9808dc02c5579e058f490553eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904544
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83315}
Allow non-registered symbols as keys in weakmap and weakset.
Allow non-registered symbols as target and unregisterToken in
WeakRef and FinalizationRegistry.
Bug: v8:12947
Change-Id: Ieb63bda66e3cc378879ac651e23300b71caed627
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865056
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83313}
The hoursInDay could be fractional number on the date of changng
daylight saving time for time zone in half hours or some historical time
zone.
Ex: Australia/Lord_Howe on Sunday, April 3, 2022, 2:00:00 am clocks were
turned backward 0:30 hours to Sunday, April 3, 2022, 1:30:00 am local
standard time instead. so that day will have 24.5 hours.
On Sunday, October 2, 2022, 2:00:00 am clocks are turned forward 0:30
hours to Sunday, October 2, 2022, 2:30:00 am local daylight time
instead. So the hoursInDay for that day is only 23.5 hours.
Historically, Singapore from 1933 to 1941 moved clocks forward 20 minutes for daylight savings, resulting the day in 24.33333 and
23.66667 hours.
Test covered in https://github.com/tc39/test262/blob/main/test/staging/Temporal/ZonedDateTime/old/dst-properties.js
Change the return type from MaybeHandle<Smi> to MaybeHandle<Object> so
we can return non integer value. Also change the method of division by
first convert the value to second in BigInt, then divid 3600 (number of
seconds in a hour) in double.
Bug: v8:11544
Change-Id: Ia69d2606cd832e51f415a00440fb9cbc236883e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3901619
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83311}
Refactor the interface between intl and Temporal and pass
the nanosecond in BigInt to intl. Approximate the nanoseconds
to the correct close by millisecond depending on the usage
before calling ICU API and convert the result millisecond into
BigInt in nanosecond before return from intl.
Remove Maybe for function always complete.
Bug: v8:11544
Change-Id: Icc471b80312c513c9415b690804aa624df4a387d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3897165
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83310}
Test was using concurrent sweeper which could lead to the concurrent
sweeper holding onto memory until the allocation succeeded in rare
cases.
Bug: v8:13308
Change-Id: I0f9f93cc503cdc17d6962b3c31bc4ea698b4cb42
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905183
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83309}
Make sure both the fast and slow version return the same value in case
of wrong follow-bit values in the input.
Bug: chromium:1359230, chromium:1360735
Change-Id: Ic65f81109e5bbc288fa41a5540ec7e6cece10ffc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890998
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83307}
... which will contain all compression scheme related functions.
This will allow introducing custom compression schemes for certain
cases and use the compression scheme class as a template argument for
TaggedField or OffHeapCompressedObjectSlot implementations.
Bug: v8:7703, v8:11880
Change-Id: Ic78d36b7021110d6a4797a3150547a224d942b32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899262
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83302}
ArrayBuffers of length 0 may not have a BackingStore, so guard for that
case in ArrayBuffer.prototype.transfer.
Bug: v8:11111, chromium:1364738
Change-Id: I058d00f0f60183f9137c60682ad93973c7a6dcbb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3902517
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83301}
This change tests all JavaScript language constructs and builtins in
combination with the unwrapped Wasm objects.
For JavaScript, excluding some basic introspection (e.g.
`Object.isExtensible`) WebAssembly GC objects are treated opaque.
They can be passed around freely but don't allow any access to
properties, elements etc.
This behavior is currently exposed only if the `wasm-gc-js-interop`
flag is set.
Bug: v8:7748
Change-Id: If0dc368f99d4097e3eaf53edde4e244e3081e334
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879616
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83299}
Lazy deopts are always after calls, so force them to spill their inputs.
This would normally be the case anyway, except for deferred calls, which
don't tell the register allocator to spill like normal calls do.
This makes lazy deopt regalloc always spill its inputs and use their
spill slot, but unlike calls, this doesn't additionally clear the
register, so subsequent nodes can continue using the register cached
value without having to reload it.
As drive-bys, fix the Throw* opcodes to have the Throw property, and use
detail::DeepForEachInput in a couple of extra locations (including for
lazy deopts).
Bug: v8:7700
Change-Id: I89b04f17ca781d4f69ff0ed07566fa583aa677e6
Fixed: chromium:1364074
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899009
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83293}
1) Inlining functions that contain stringref operations require builtin
calls to be marked as kNoThrow appropriately (or have exception
handling support in the graph).
2) Some overly-large inputs for string creation hit DCHECKs before
getting to the places where they would have thrown an orderly
exception.
3) We still had a known issue that some exceptions thrown by JS-focused
code were erroneously catchable by Wasm.
4) When string.concat attempted to create a too-long string, it ran into
a DCHECK because we didn't clear the "thread in wasm" flag.
5) The builtin call for string.concat was erroneously marked as
kEliminatable, which could cause the trap get eliminated.
Bug: v8:12868
Change-Id: Iad3ada0e2465bfd8f3d00bb064c32049d6b19d87
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3902522
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andy Wingo <wingo@igalia.com>
Reviewed-by: Andy Wingo <wingo@igalia.com>
Cr-Commit-Position: refs/heads/main@{#83292}
Let jump threading phase be able to handle the jump with gap moves instructions.
Record the first occurrence of the gap jump instruction and forward
the same gap jump instructions into the recorded one.
For example:
In this case, we merge the second instruction into the first one,
because those two gap jump instructions have the same gap moves.
-- Before jump threading phase:
B0:
1. gap(rdx=rbx)
ArchJmp imm:3
B1:
2. gap(rdx=rbx)
ArchJmp imm:3
-- After jump threading phase:
B0:
1. gap(rdx=rbx)
ArchJmp imm:3
B1:
2. ArchNop
This can eliminate redundant jump and move instructions.
Design doc: https://docs.google.com/document/d/1SpO7Kw4e6CnCesFT118MUnCufUHZDy3QaVSymcci5jE/edit?usp=sharing
Change-Id: Ie94c8f63e2f758824619f6ed9513cbdff00186c4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858528
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jialu Zhang <jialu.zhang@intel.com>
Cr-Commit-Position: refs/heads/main@{#83288}
We move js-to-wasm wrappers to a WeakFixedArray in the isolate,
indexed by their canonical type index. This ensures that they are
reused across instances, and get GC'd when no longer needed.
We also remove eager compilation of wrappers.
This CL fixes some issues that were caused by out-of-bounds accesses
to wrapper arrays attached to module objects.
Bug: chromium:1363859, chromium:1363895
Change-Id: Idec0925e775f51fdfa7cd380379b0d1798295a0c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893860
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83275}
The number of feedback vector slots is currently stored in the
{WasmFunction}, returned in the {WasmCompilationResult}, and implicitly
stored as the size of the {call_targets} vector in
{FunctionTypeFeedback}.
This CL uses the latter as the source of truth, encapsulated in a new
{NumFeedbackSlots} function. This can be updated when adding new kinds
of feedback that need additional slots.
For now, the implementation of {NumFeedbackSlots} requires taking a
mutex, which we can hopefully avoid when productionizing speculative
inlining. We also take the mutex on every Liftoff compilation, which
adds synchronization between concurrent compilation which we previously
tried very hard to avoid (because it introduced significant overhead for
eager compilation).
As a nice side-effect, this CL reduces the per-function overhead by 8
bytes, independent of enabled features.
R=jkummerow@chromium.org
Bug: v8:13209
Change-Id: I2fe5f7fe73154328032a3f0961e88d068c5d07ae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899299
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83253}
The cached template object weakmap shouldn't be updated when we update
an existing cached template object, because this update can truncate the
linked list of cached template objects.
Bug: v8:13190
Change-Id: Icea61fcbd5c05d4293a884d1872523ddcdfc3323
Fixed: chromium:1364429, chromium:1364471
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899256
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83248}
This is a reland of commit 0a1f0e335e
Changes since revert:
- Deferred label for loading from forwarding table.
- Check if hash is computed instead of checking if it is a forwarding index.
- Retreive hash from forwarding table only if hash is assumed to be computed.
Original change's description:
> [strings] Fix raw hash lookup for forwarded strings
>
> Raw hashes may need to be looked up via the forwarding table when
> internalized strings are forwarded to external resources. Notably, the
> megamorphic ICs were not correctly fetching the raw hash.
>
> Bug: v8:12007
> Change-Id: Ibbc75de57e707788f544fbd1a0f8f0041350e29d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3885379
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Patrick Thier <pthier@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83115}
Bug: v8:12007
Change-Id: Ia88ed51a49c62170bc960b8f69673bb1e59a6009
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3888057
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83246}
This reverts commit 80fb281561.
Reason for revert: https://bugs.chromium.org/p/chromium/issues/detail?id=1364400
Original change's description:
> [turbofan] Rematerialize BigInt64 in deopt
>
> This CL introduces two MachineTypes - SignedBigInt64 and UnsignedBigInt64, which are represented as Word64 but will be rematerialized to BigInt in deoptimization. This will avoid unnecessary conversions for BigInt64s when they are passed to StateValues.
>
> Bug: v8:9407
> Change-Id: I65fdee3e028ed8f9920b1c20ff78993c7784de48
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858238
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Commit-Queue: Qifan Pan <panq@google.com>
> Cr-Commit-Position: refs/heads/main@{#83230}
Bug: v8:9407
Change-Id: I77d278ce302621db03b787318641709780348cc8
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3901814
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#83245}
This reverts commit 4444874cdf.
Reason for revert: CHECK failure under UBSan
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20UBSan%20-%20builder/5103/overview
Original change's description:
> [v8] Use |AllocateAtLeast| for resizing v8 zones.
>
> This is part of an ongoing effort to reduce fragmentation in Chrome. Partition alloc shows v8 zones are a large user of memory in Renderer processes, and that there is fragmentation from these allocations. This CL will reduce this fragmentation by allowing v8 to use all allocated memory for its zones.
>
> Bug: v8:13193, chromium:1238858
> Change-Id: Ibeac8bdba9d0e7ff66b14a3dde10e7c87d3cf953
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3889361
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83235}
Bug: v8:13193, chromium:1238858
Change-Id: I03c8c1ad7bb1cd20770323bffe1c42a4be47c454
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3900814
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83237}
Need to reset tzi_xxx and calendar_xxx in parser state if the
post-condition of CalendarName and TimeZoneIdentifier is not met.
Bug: v8:11544
Change-Id: If2df6c8fc8cf2418ddd5443abab02066d423a0c3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893554
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83236}
This is part of an ongoing effort to reduce fragmentation in Chrome. Partition alloc shows v8 zones are a large user of memory in Renderer processes, and that there is fragmentation from these allocations. This CL will reduce this fragmentation by allowing v8 to use all allocated memory for its zones.
Bug: v8:13193, chromium:1238858
Change-Id: Ibeac8bdba9d0e7ff66b14a3dde10e7c87d3cf953
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3889361
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Thiabaud Engelbrecht <thiabaud@google.com>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83235}
This CL introduces a new LookupIterator state WASM_OBJECT, and updates
all switches that need to handle it.
Bug: v8:7748
Change-Id: Ie3359aed2d37f5a6854e5577fa3799f0464391e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865559
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83234}
The split is rudimental and now is not needed at all:
- as part of the shared-cage effort we added HeapHandle pointer to the
BasePageHandle class (on the API side);
- for the value-full barrier we get HeapHandle from bitmasking the
value;
- for the value-less barrier we get it from the callback provided by the
caller.
The CL entirely removes the split and uses the single
BoundedPageAllocator. A minor note: the conservative stack scanning can
become sligthly more expensive.
Bug: chromium:1361582, chromium:1325007
Change-Id: I2a8aded3dd12037998f36341c68af8e23b0dcd88
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899320
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83232}
Since enabling the sandbox is now required for example for mkgrokdump,
add it to the default gn args. Also treat non-sandbox builds as
"non-shipping" in mkgrokdump.cc
Bug: v8:13281
Change-Id: I08042aa53057e25c556e166c059373e2fdb9d2c1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899317
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83231}
This CL introduces two MachineTypes - SignedBigInt64 and UnsignedBigInt64, which are represented as Word64 but will be rematerialized to BigInt in deoptimization. This will avoid unnecessary conversions for BigInt64s when they are passed to StateValues.
Bug: v8:9407
Change-Id: I65fdee3e028ed8f9920b1c20ff78993c7784de48
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858238
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#83230}
Inner pointer resolution, to be used in conservative stack scanning,
assumes that all pages registered with the memory allocator are
iterable. Until this CL, this was not the case for pages that were
owned by the young generation semispaces but were unused. Such pages
are either in the "from" semispace, or in the "to" semispace but have
not yet been used.
This CL ensures that all pages owned by the young generation are iterable. It also adds tests to verify that inner pointer resolution
works correctly for unused young pages and for pointers above the
page area.
Bug: v8:13257
Change-Id: Ieff7cc216853403e01f83220b96bf8ff4cdea596
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3885893
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83226}
This test observes GC behavior and needs the garbage collector to work
in a somewhat predictable way.
Bug: v8:13286
Change-Id: I24e6a4f33a644b5f1845cd34558da03fc196f7e5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898721
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83218}
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.
R=szuend@chromium.org
Bug: v8:12887
Change-Id: I8123d18ae852807557bf26b1308e0061dc1ac123
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898937
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83216}
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.
R=jgruber@chromium.org
Bug: v8:12887
Change-Id: I0454426c664e54e9b8c8b39f903eeca1a80d4bc2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898933
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83214}
The kContextRegister can alias allocated registers - when setting it,
take care not to unintentionally clobber.
Bug: v8:7700
Change-Id: I0635d334fb14fa15540582a4873d4186fffa2199
Fixed: chromium:1363450
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3897634
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83212}
Running the libfuzzer fuzzers locally (with an experimental flag turned
on) found crashes, but did not produce crash files because we were
generating a software interrupt ("trap") instead of properly aborting.
Disabling the "hard-abort" feature fixes that.
This will hopefully not flush out previously missed crashes. If so,
please do manually bisect across this CL, instead of assigning to me :)
Drive-by: Move more initialization logic from {InitializeFuzzerSupport}
to the {FuzzerSupport} constructor, where other similar work is
performed.
R=thibaudm@chromium.org, saelo@chromium.org
Bug: v8:13283
Change-Id: Id8d4e92f5ab6bb27676adeae6b3b1eb042b8ba3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892061
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Samuel Groß <saelo@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83208}
Temporaries and the allocated result register may alias, thus order is
important when setting the result value.
Fixed: TestUndetectable, LogicalNot, SetPendingMessage.
Drive-by: Pass Label::kNear in a few spots I passed by.
Bug: v8:7700
Change-Id: Ice3de1d1014ad05d8fa9fb18d967887386bfed0d
Fixed: chromium:1359723
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898530
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83207}
Correct the call the the one which take the UTC based time
instead of the one taking the local wall time.
Bug: v8:11544
Change-Id: Ib288617e8f98b21865c306ca36cd905a3e5315bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892639
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83205}
A couple of customers have asked about using devtools to get information
about temporary allocations, with the goal of reducing GC time and/or
peak memory usage. Currently, the sampling heap profiler reports only
objects which are still alive at the end of the profiling session. In
this change, I propose adding configuration options when starting the
sampling heap profiler so that it can optionally include information
about objects which were discarded by the GC before the end of the
profiling session. A user could run the sampling heap profiler in
several different modes depending on their goals:
1. To find memory leaks or determine which functions contribute most to
steady-state memory consumption, the current default mode is best.
2. To find functions which cause large temporary memory spikes or large
GC pauses, the user can request data about both live objects and
those collected by major GC.
3. To tune for minimal GC activity in latency-sensitive applications
like real-time audio processing, the user can request data about
every allocation, including objects collected by major or minor GC.
4. I'm not sure why anybody would want data about objects collected by
minor GC and not objects collected by major GC, but it's also a valid
flags combination.
Change-Id: If55d5965a1de04fed3ae640a02ca369723f64fdf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3868522
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#83202}
When regenerating v8heapconst.py, the v8 sandbox now has to be enabled
explicitly (using the v8_enabe_sandbox=true gn arg) as it is enabled by
default in Chromium builds, but not standalone v8 builds.
Bug: v8:13281
Change-Id: I1a0861b1d63f340465d7433e042b27eace706ca7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3895622
Commit-Queue: Adam Klein <adamk@chromium.org>
Auto-Submit: Samuel Groß <saelo@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83201}
Check whether the exception phi for the accumulator (i.e. the exception
message object) is dead, and don't assign rax to it if yes. Note that
maglev node liveness can differ from bytecode liveness, since the
bytecode accumulator could have been considered "live" just because of a
move to a (dead) register.
Bug: v8:7700
Change-Id: If1384284f6f55a565e2ae94e5e7a32455fdedb93
Fixed: chromium:1359382
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892353
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83197}
Use Script as the key for the template object cache, instead of the
SharedFunctionInfo. This is because SharedFunctionInfos can be garbage
collected and then later recompiled, which would mean that we break the
spec's expectation that the template object stays constant.
Now the association of cached template object with SharedFunctionInfo is
via the function_literal_id of the SharedFunctionInfo, stored on the
CachedTemplateObject. These are linearly searched, similar to the linear
search over slot ids.
Bug: v8:13190
Change-Id: I3f67811c16ea4cd39c99b2fa034aa7e1f03c171e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892787
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83195}
SimulateFullSpace starts with no LAB, iterates over pages and allocates
all free space on each page. After the first page, the LAB is empty but
is no longer null.
Bug: v8:12612
Change-Id: I2c00b9ba68fdd5f60eda086ea940cb6e211a986e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891294
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83186}
Before, import and export wrappers were cached based on their
signature. This change
- makes wrapper canonicalization consistent with that of types and
call_indirect signatures under --wasm-type-canonicalization,
- removes the last uses of signature maps, which will enable us to
remove them in a future CL.
Change-Id: I512bc234f0ae10e50bd94237e8e675ca47ed13c5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891250
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83183}
Ignition remembers the correct context to restore when entering an
exception handler by moving the context to an interpreter register
when entering a try block, and restoring it from there when unwinding
the frame and entering the catch block.
Maglev code has to do the same by taking the context from the
appropriate register for the handler's frame state.
Bug: v8:7700
Change-Id: I294fcccc845c660b2289b6d7b40f49f1aa46283d
Fixed: chromium:1359928
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892352
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83181}
Trap if the suspender argument provided to the JSPI import
wrapper is invalid.
For now, the suspender argument is expected to be the active
suspender. In the future, it will also be possible to suspend
to a parent of the current suspender. This will only be possible
once wasm-to-wasm suspending wrappers are supported, or if and
when JSPI suspenders become compatible with their core
stack-switching counterpart (e.g. Fibers in the fiber proposal).
R=jkummerow@chromium.org
Bug: v8:12191
Change-Id: I650454ed076bd251b0aa18656774d4c4b2d3bfdc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892697
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83173}
1. Return null if the transition is out of bound.
2. Remove incorrect MAYBE_RETURN which is handled by the IsNothing check.
Bug: v8:11544
Change-Id: Ia54f68831120bd2460cb813464168b1a2c92da3d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893595
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83171}
Instead of having e.g. `string.new_wtf8` that takes an immediate
specifying the particular UTF-8 flavor to parse, make one instruction
per flavor.
See https://github.com/WebAssembly/stringref/pull/46.
Bug: v8:12868
Change-Id: I2e9f2735c557b2352b6e75314037e473710d87a9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892695
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andy Wingo <wingo@igalia.com>
Cr-Commit-Position: refs/heads/main@{#83170}
This also allows allocation folding to be tested in cctests.
Bug: v8:13070
Change-Id: I7b6991461dd7ad4423539b33f59a05d6b247c3e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891257
Auto-Submit: Teo Dutu <teodutu@google.com>
Commit-Queue: Teo Dutu <teodutu@google.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83169}
GetIterator on object o consists of two steps:
1) iter = load o[#Symbol.Iterator]
2) call iter
For null / undefined step (1) throws an exception, meaning
step (2) is never reached. Up to this change, turbofan
deopts if for either of the two steps there isn't enough
feedback, meaning that we have a deopt loop for null and
undefined.
Change-Id: Ie0eaf8e231a149313e10af9e95fd80bc77dc0beb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890980
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83159}
FillCurrentPage assumed that everything after top is empty, which
doesn't work with MinorMC and sweeping. Revise FillCurrentPage based
SimulateFullSpace for MinorMC.
I similar implementation is provided both in unittests and cctest.
Migrating affected cctest to unittests is left a future work.
Bug: v8:12612
Change-Id: Ie29be2fc7aaee25e1fd5f66b1c0959c2a45f007f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3885888
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83158}
The normative change in
https://github.com/tc39/proposal-resizablearraybuffer/pull/93 changed
the behavior of TypedArray.prototype.subarray(begin, end) such that if
the receiver is a length-tracking TA and end is undefined, the result
TypedArray is also length-tracking.
This change reached consensus in the March 2022 TC39.
Bug: v8:11111
Change-Id: If1a84cc3134f3ce8046196d6cc36683b6996dec0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3888382
Commit-Queue: Marja Hölttä <marja@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83147}
