This is a reland of dbfdd4f9e9
Original change's description:
> [heap] Turn on v8_enable_csa_write_barrier
>
> With this commit, write barrier is switched to use CodeStubAssembler.
>
> Bug: chromium:749486
> Change-Id: I7e0914bee971e4f3a3257740ae7c83b31f791bd9
> Reviewed-on: https://chromium-review.googlesource.com/598088
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
> Cr-Commit-Position: refs/heads/master@{#48006}
Bug: chromium:749486
Change-Id: I00933d989568c82b5fbaf6203bb146c65f8e4282
Reviewed-on: https://chromium-review.googlesource.com/668636
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
Cr-Commit-Position: refs/heads/master@{#48045}
Since DeserializeLazy uses write barrier, deserializing write barrier
lazily would cause cyclic dependency. This commit changes RecordWrite to
be deserializd eagerly.
Bug: chromium:765301 chromium:749486
Change-Id: I363692baf9b742289c0443afac634662f0026922
Reviewed-on: https://chromium-review.googlesource.com/668454
Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48044}
The `SaveContext` operation in `AsyncCompileJob::CompileTask` allocates
a handle. However, the platform implementation may not be able
to provide a `HandleScope`, since it cannot tell whether the isolate
is disposed (and the task canceled) at the time it runs the task;
so it is an API requirement of `CancelableTask` is that `RunInternal()`
does not leak any handles into outside scopes.
Change-Id: I86db36ddc71f774a31d5bc13b7399ef961374d6f
Reviewed-on: https://chromium-review.googlesource.com/668397
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48042}
Empty slot set buckets can leak in the following scenarios.
Scenario 1 (large object space):
1) A large array is allocated in the large object space.
2) The array is filled with old->new references, which allocates new
slot set buckets.
3) The references are overwritten with smis or old space pointers, which
make the slots set buckets empty.
4) Garbage collection (scavenge or mark-compact) iterates the slots set
of the array and pre-frees the empty buckets.
5) Steps 2-4 repeated many times and leak arbitary many empty buckets.
The fix to free empty buckets for large object space in mark-compact.
Scenario 2 (no mark-compact):
1) A small array is allocated in the old space.
2) The array is filled with old->new references, which allocates new
slot set buckets.
3) The references are overwritten with smis or old space pointers, which
make the slots set buckets empty.
4) Scavenge iterates the slots set of the array and pre-frees the empty
buckets.
5) Steps 2-4 repeated many times and leak arbitary many empty buckets.
The fix to free empty buckets for swept pages in scavenger.
Bug: v8:6800
TBR: mlippautz@chromium.org
Change-Id: I48d94870f5acf4f6208858271886911c895a9126
Reviewed-on: https://chromium-review.googlesource.com/668442
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48041}
Support inlining of Array.prototype.filter in TurboFan.
Bug: v8:1956
Change-Id: Iba4d683aaa86c6104e8a1cf4d0f549a0c516576a
Reviewed-on: https://chromium-review.googlesource.com/657021
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48040}
Given that the index we use is checked to be in array index range there is no
need for a costly ToString conversion. All involved helpers for lookup up
properties directly support Smi/HeapNumber indices directly.
Cleanup: Rename GotoUnlessNumberLessThan => GotoIfNumberGreaterThanOrEqual
Change-Id: Iaddc4940f5d984572aa218d568ca71bf694cee74
Reviewed-on: https://chromium-review.googlesource.com/640388
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48039}
This reverts commit dbfdd4f9e9.
Reason for revert: https://clusterfuzz.com/v2/testcase-detail/5493096547876864?noredirect=1
Original change's description:
> [heap] Turn on v8_enable_csa_write_barrier
>
> With this commit, write barrier is switched to use CodeStubAssembler.
>
> Bug: chromium:749486
> Change-Id: I7e0914bee971e4f3a3257740ae7c83b31f791bd9
> Reviewed-on: https://chromium-review.googlesource.com/598088
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
> Cr-Commit-Position: refs/heads/master@{#48006}
TBR=ulan@chromium.org,albertnetymk@google.com
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: chromium:749486
Change-Id: I8cf6a3f1d2ea607a0160b37b797d743b88b004b5
Reviewed-on: https://chromium-review.googlesource.com/667018
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
Cr-Commit-Position: refs/heads/master@{#48036}
Currently transition array targets have conditional weakness depending
on the type of the target. Map targets are weak and all other targets
are strong. This patch wraps maps in transitions arrays in weak cells,
which allows us to treat all elements of transition arrays strongly.
Conditional weakness is unsafe for concurrent marking because the
condition can change during marking.
Bug: chromium:694255
Change-Id: I64e5d0699698fc7c1758f3fbc52da43014c247af
Reviewed-on: https://chromium-review.googlesource.com/641271
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48034}
When using Lockers and Unlockers it is possible to create a
scenario where multiple threads point to the same optimized
code object. When that happens, if one of the threads triggers
deoptimization, then the stack replacement needs to happen in
the stacks of all threads.
With this CL, the deoptimizer visits all threads to do so.
The CL also adds three tests where V8 used to crash.
Bug: v8:6563
Change-Id: Iea88f47af2f31181c0ef06d898faccde9ad14432
Reviewed-on: https://chromium-review.googlesource.com/657423
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Juliana Patricia Vicente Franco <jupvfranco@google.com>
Cr-Commit-Position: refs/heads/master@{#48033}
When accessing the buffer in 1 byte increments, the order should
be reversed for BE.
R=petermarshall@chromium.org, yangguo@chromium.org
BUG=
LOG=N
Change-Id: I27a57e12479d1c00488546a92428b9183d87f8bf
Reviewed-on: https://chromium-review.googlesource.com/667902
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jaideep Bajwa <bjaideep@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#48031}
Fixed issue with UseScratchRegisterScope that made test fail on r1
and wrong register usage on all arch variants.
Bug:
Change-Id: Id89ff84046d012dd0767b9031b2719f9a95a08b8
Reviewed-on: https://chromium-review.googlesource.com/667139
Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@imgtec.com>
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@imgtec.com>
Cr-Commit-Position: refs/heads/master@{#48030}
This patch ensures a `TypeError` is thrown when the argument passed to
`Array.prototype.sort` or `%TypedArray%.prototype.sort` is neither a
function nor `undefined`.
Every other major JavaScript engine already threw in this case. Making
V8’s behavior match increases interoperability.
https://github.com/tc39/ecma262/pull/785
BUG=v8:6542
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I412a59810abdd118217c8d8361389ec6c2f640bd
Reviewed-on: https://chromium-review.googlesource.com/668356
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48028}
This was supposedly a runtime flag, but we baked it into the snapshot
anyway.
Change-Id: I09d43183c4c2d59336c1077089119d6cb65dfd87
Reviewed-on: https://chromium-review.googlesource.com/664721
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48026}
It's quite possible for DebugInfos to exist without the presence of a
bytecode array, since DebugInfos are created for all functions for which
we have a CoverageInfo. Free such objects properly.
Also move the corresponding deletion of CoverageInfos on unload up
before the early exit.
Bug: v8:6000
Change-Id: Idde45b222290aa8b6828b61ff2251918b8ed2aed
Reviewed-on: https://chromium-review.googlesource.com/664811
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48024}
In this CL I implement streaming compilation for WebAssembly,
as described in the design doc I have sent out already.
In this implementation the decoding of sections other than the
code section is done immediately on the foreground thread.
Eventually all decoding should happen in the background. I
think it is acceptable to do the decoding on the foreground
thread for now because I have finished it already, and
decoding in the background would add even more complexity to
this CL.
Bug:v8:6785
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I285e1e5e1a5a243113c92571b25ee9bae551d0ed
Reviewed-on: https://chromium-review.googlesource.com/631721
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48022}
Other radixes require Divide/Remainder to be implemented first.
Bug: v8:6791
Change-Id: I95f1fad39a0a4df556a194094805ed93bd46d0db
Reviewed-on: https://chromium-review.googlesource.com/664037
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48020}
- Validate that atomic ops can only be called when shared memory is declared
- Throw Compile/Link erros on mismatch between declared, imported memory
- Test harness helpers for setting shared memory, tests
BUG=v8:6532
R=binji@chromium.org, bradnelson@chromium.org
Change-Id: I43fe3d04bb7e3e0a2cecca0528578f98844d2608
Reviewed-on: https://chromium-review.googlesource.com/665379
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48019}
The difference seems to matter at least in one benchmark.
R=jarin@chromium.org
Bug: chromium:764644
Change-Id: I6d74fbbd8026942637d2301da805b003a9e58af7
Reviewed-on: https://chromium-review.googlesource.com/666922
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48015}
If TypeProfile goes out of scope, ScriptData and Entry still rely on
TypeProfiles's type_profile_. Make type_profile_ a shared_ptr owned by all
three classes to prevent use after free.
Bug: v8:5933
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ida7d66dadc17a816cf4439a25e6f714edccffa2c
Reviewed-on: https://chromium-review.googlesource.com/659937
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48013}
This reverts commit 14b424c308.
Reason for revert: Regresses benchmarks, e.g., Octane/gameboy
Original change's description:
> [turbofan] Lower monomorphic loads during graph building.
>
> We introduce an explicit LoweringResult data structure. Until this change,
> the lowering result could be recovered from the node. However, lowering
> monomorphic loads requires wiring different value and effect, so we need
> a structure that can express such lowering result.
>
> Bug: v8:6357
> Change-Id: I92655800890b744d9203a778a1936a8dcd465ed3
> Reviewed-on: https://chromium-review.googlesource.com/637304
> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47992}
TBR=mstarzinger@chromium.org,jarin@chromium.org,bmeurer@chromium.org
Change-Id: I2b7db0278c13414e20c94a34d215ed92bd0d412b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6357
Reviewed-on: https://chromium-review.googlesource.com/667016
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48012}
The serializer performs two passes over the code. The first pass copies out the
code content verbatim, the second pass visits references recorded in the reloc
info.
So far the first pass is implicit and happens as part of the second pass, when
we encounter a non-HeapObject reference when iterating the code object. That
however does not work for internal references. So we hit an assertion if the
first non-HeapObject reference we see is an internal reference.
This change explicitly triggers the first pass.
R=petermarshall@chromium.org
Bug: v8:6817
Change-Id: I1ee9949e10b7d9409986da83be22ac6287785f9f
Reviewed-on: https://chromium-review.googlesource.com/663867
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48010}
We have an absolute limit beyond which we don't inline small funcions as
well. The idea behind inlining small functions is that it is cheaper to
inline small functions rather than incurring the overhead due to the call.
Hence it is better not to have a hard limit on inlining small functions.
We have a limit on the number of levels of nesting to avoid really large
graphs in some corner cases.
Bug: v8:6682
Change-Id: If74f666996fe4a42bf266a4e87caabfd7c614b12
Reviewed-on: https://chromium-review.googlesource.com/648975
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48007}
With this commit, write barrier is switched to use CodeStubAssembler.
Bug: chromium:749486
Change-Id: I7e0914bee971e4f3a3257740ae7c83b31f791bd9
Reviewed-on: https://chromium-review.googlesource.com/598088
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
Cr-Commit-Position: refs/heads/master@{#48006}
This patch ensures that an object returned by AllocateRaw is marked
black if black allocation starts during the object allocation.
This fixes the following issue:
1) Generated code requests allocation of size N for folded allocation.
2) Runtime gets a free list node at address A of size N+M and sets up
a linear allocation area with top = A+N and limit = A+N+M.
3) Runtime invokes the allocation observer that starts incremental marking
and start black allocation. The area [A+N, A+N+M) is marked black.
4) Runtime returns a white object at address A as the allocation result.
5) Generated code moves the top pointer to A and does bump pointer
allocations of white objects from A to A+N+M.
6) Object allocated new A+N can have the impossible marbit pattern.
Bug: chromium:694255
Change-Id: I09ceebc97a510fa5fe4ff20706bc46a99f8b7cf4
Reviewed-on: https://chromium-review.googlesource.com/638338
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48005}
There are two places where RecordWrite code stub is called,
OutOfLineRecordWrite and RecordWriteField. With this commit, if
`v8_enable_csa_write_barrier` flag is turned on, no instances of the old
RecordWrite stub appear in the snapshot.
Bug: chromium:749486
Change-Id: I2bc3fa38c8831736303b46d153a79c034a450f16
Reviewed-on: https://chromium-review.googlesource.com/648983
Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48004}
Previously instructions-arm64.h was alternatively defining or declaring
some constants based on whether or not ARM64_DEFINE_FP_STATICS was defined,
and it was assumed that exactly one file would include this header with
the macro defined.
In jumbo builds, the header guards in instructions-arm64.h meant that the
resulting state of the header file would be whichever of the two cases
that appeared first in the compilation unit. This would cause multiple
definitions in some cases and no definitions in some other cases (or if
you were really lucky, it would work out ok).
Let's move these constants to a separate source file temporarily, to be
excluded from jumbo compilation units. This code should eventually be
replaced with a cleaner solution.
Bug: chromium:746958
Change-Id: I7edb1821ef408afd50c6b236d63d3c07f955b58f
Reviewed-on: https://chromium-review.googlesource.com/663898
Commit-Queue: Mostyn Bramley-Moore <mostynb@opera.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48003}
Bug: v8:6791
Change-Id: I2da258f7db6c74d764c674eb8d550418a566c5ea
Reviewed-on: https://chromium-review.googlesource.com/662138
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48002}
Extends the current implementation of WASM exceptions to be able to
throw exceptions with values (not just tags).
An JS typed array (uint_16) is used to hold thrown values, so that the
thrown values can be inspected in JS.
Bug: v8:6577
Change-Id: I1007e79ceaffd64386b62562919cfbb920fc10c5
Reviewed-on: https://chromium-review.googlesource.com/633866
Commit-Queue: Karl Schimpf <kschimpf@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48001}
SetForceInlineFlag is now only used in tests. Earlier, it was also used
in js builtins, because unless this flag was specified the js builtins
were not inlined. All the performance critical js builtins are moved
to turbofan builtins and SetForceInlineFlag is no longer used. We would
like to remove this flag completely to simplify inlining heuristics.
Also, this uses a bit on the SharedFuntionInfo.
Bug: v8:6682
Change-Id: I19afd27381afc212f29179f2c5477095c8174f39
Reviewed-on: https://chromium-review.googlesource.com/660739
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47997}
Moves ast printing out of codegen.cc and into interpreter.cc since this is
the only place which calls it.
BUG=v8:6409
Change-Id: I7b730f6b4da76247f57e3cb4fa7895e638ea0517
Reviewed-on: https://chromium-review.googlesource.com/664888
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47996}
