This adds a new [[WeakRefTarget]] internal property to
`Runtime.getProperties` results for `JSWeakRef` results
(also included in the preview), which will be used by
DevTools to show the target of the weak reference without
having to explicitly call `deref()` on them. As part of
this we also have (temporary) strong references to the
target, slightly changing behavior, but that's consistent
with how DevTools deals with `JSWeakMap` and `JSWeakSet`.
Bug: chromium:1267690
Change-Id: I2a9ef9261996fcdee20fbd0fc728d11208c82459
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3970598
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83844}
If the call target is a known constant, we don't need to check the value
stored in the feedback array dynamically. Either it matches, in which
case we just perform the call, or it's different, in which case we
unconditionally deopt so we can update the feedback.
Bug: v8:7700
Change-Id: Iacfdd9f358aac9c1d4e5cc748f323c3d90597d41
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3971077
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83843}
A bit of restructuring to reduce branching on RememberedSetUpdatingMode.
Bug: v8:12612
Change-Id: Ia578b2045e13698d1545d16e5a0df75ee599e24d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3966190
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83842}
VerifyRememberedSetsAfterEvacuation DCHECKs that OLD_TO_SHARED
invalidated set is null. MinorMC does not filter OLD_TO_SHARED
remembered set and thus the DCHECK fails.
Bug: chromium:1376860
Change-Id: I0f17687b3c1bc74c3b1c4afa462c99de5a05f78c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3968707
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83841}
When inlining a tail call node into a regular call, the tail call node
is transformed into a regular call. This new call node (or its
projections in the case of multi-return) has to be typed.
Bug: v8:13406, v8:12166
Change-Id: I39cc619e6ee4f0d16763699fe4facebe461a750f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3968715
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83839}
Rolling v8/build: 8d71aab..35a1478
Rolling v8/buildtools: f45ca77..be63ea5
Rolling v8/buildtools/linux64: git_revision:57c352b2b03461c24b19c678c61d7aeacc6981f4..git_revision:27b90626701a112217a9244022c729231ebcc3a0
Rolling v8/buildtools/third_party/libc++/trunk: 9c5e35a..9f512cf
Rolling v8/buildtools/third_party/libc++abi/trunk: 685c4ad..519e9ef
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/62b4c4e..981585a
Rolling v8/third_party/depot_tools: bd0cea6..3b95525
Rolling v8/third_party/fuchsia-sdk/sdk: version:10.20221019.3.1..version:10.20221020.1.1
Rolling v8/third_party/instrumented_libraries: 5104b7e..459048b
Rolling v8/third_party/zlib: 3cec057..cff7208
Rolling v8/tools/luci-go: git_revision:2673c9d7d4a38bce69415221fe721f807e909d85..git_revision:50ab33853a8b220162f851dcb74a1519e106b3df
Rolling v8/tools/luci-go: git_revision:2673c9d7d4a38bce69415221fe721f807e909d85..git_revision:50ab33853a8b220162f851dcb74a1519e106b3df
Change-Id: I8c10c836da728f400838364c8fc451b781c6f862
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3968513
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#83835}
This can certainly be optimized further, but we just check the value
inline rather than calling into Call_*WithFeedback
Bug: v8:7700
Change-Id: I19daf5eba86e1fb42e02e3e598135e5e9ff9dfd5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3967842
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83833}
Add a sanity check and a note to ensure that use of V8's trap handler
is not naively enabled for Android without seeing this note.
Using the trap handler on Android is potentially risky because V8 may
have to coexist in the same process with Android's Java
implementation, which may also use signal handling, and getting
different signal handlers to coexist safely is quite difficult.
Bug: v8:13383
Change-Id: I5caa52577bf0c74635171adac0dcaed32295d654
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3956130
Reviewed-by: Mark Mentovai <mark@chromium.org>
Commit-Queue: Mark Seaborn <mseaborn@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83830}
We were setting the interrupt budget before performing Maglev tier-up,
therefore ignoring that tiering state and resetting the interrupt budget
to the tier-to-maglev budget, not the tier-to-turbofan budget. Now, set
the interrupt budget
a) only after the optimisation decision is made, and
b) based on tiering state as well as the active tier -- in particular,
any tiering state that isn't "none" is treated as needing the
tier-to-turbofan budget.
Bug: v8:7700
Change-Id: Ife353b32c580cac92c051eb40f58294069930786
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3968479
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83828}
Change-Id: I5760687fa9e8a7512d3946704f51f321ffa3676b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3963718
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83827}
... otherwise AllocateRaw can call the allocation builtin,
that can trigger a GC and read the character as a pointer.
Bug: v8:7700, v8:13397
Change-Id: If4e15fc8bfe0f94c53fe77022b18d5d4a6168702
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3964754
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83826}
When merging a newly deserialized script into an existing one from the
compilation cache, it is often the case that a SharedFunctionInfo from
the cached script ("old SFI") has been flushed and the corresponding
SharedFunctionInfo from the new script ("new SFI") is compiled. In that
case, it is sufficient to copy the bytecode array and feedback metadata
from the new SFI to the old SFI, as already implemented.
However, there is another case to consider: perhaps the new SFI is
compiled and the old SFI was never compiled. In that case, the old SFI
has no ScopeInfo and some of its flags may be incorrect.
To fix the problem, this CL updates CompleteMergeInForeground to copy
everything except script_or_debug_info from the new SFI to the old SFI.
This change implies some duplication of ScopeInfos, since each ScopeInfo
can point to its parent, so matching parent ScopeInfos from the new and
old scripts will coexist. However, this isn't a new problem: similar
duplication is already caused by the portion of the merge algorithm
which attaches new compiled SFIs into the old Script where the old
Script doesn't have a matching SFI. I don't see any way in which this
duplication would cause incorrect behavior. In fact, it is possible to
get duplicated ScopeInfos without any merging at all, which indicates to
me that such duplication is safe. Duplication occurs if a SFI is flushed
or removed while one of its descendant functions is still alive, and
subsequently the same function literal is compiled again.
Bug: v8:12808, chromium:1359773
Change-Id: I2a3a720021c797c62a87d10e999603ff5e29a027
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3965723
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#83825}
Use jcc where possible if using TailCallBuiltin with a condition (e.g.
in the BailoutIfDeoptimized call).
Change-Id: I160096919082b6535550c0e2053522a703c0c264
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3963994
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83823}
It makes it more difficult to navigate code.
Bug: v8:7700
Change-Id: I18175dfa9b05261e1646410b041c2efaa009d191
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3967899
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83821}
Removing the nowadays unused field `allocated_code_space_` from
`WasmCodeAllocator`. Formerly, it was used when setting the code space
of a `NativeModule` to writable, but nowadays we do that per-function.
Thus, `allocated_code_space_` is only written to, but never actually
used.
Change-Id: Ia57c377518ff177e72ec5e2945db34816bd02885
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3963993
Commit-Queue: Daniel Lehmann <dlehmann@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83820}
Since AssertNotNull is used for typing nodes correctly, we cannot skip
it during graph generation or further passes will fail. Instead, skip
null checks during wasm-gc lowering.
Bug: v8:7748
Change-Id: I8ebee1f2f26d8b7e761a13b2d9e31c1361875bbe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3967836
Auto-Submit: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83817}
When maglev is enabled, we can hold off a little with tiering up to
turbofan.
Bug: v8:7700
Change-Id: Ibf8bdbe3371be15434e3d1a11dd0cf4b7cf61a32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3963192
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83815}
Rolling v8/build: 2cf254f..8d71aab
Rolling v8/buildtools: ca6213a..f45ca77
Rolling v8/buildtools/linux64: git_revision:b9c6c19be95a3863e02f00f1fe403b2502e345b6..git_revision:57c352b2b03461c24b19c678c61d7aeacc6981f4
Rolling v8/buildtools/third_party/libc++/trunk: e6caea4..9c5e35a
Rolling v8/buildtools/third_party/libunwind/trunk: 1111799..1f633d4
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/98d333e..62b4c4e
Rolling v8/third_party/depot_tools: 77e64ae..bd0cea6
Rolling v8/third_party/fuchsia-sdk/sdk: version:10.20221017.2.1..version:10.20221019.3.1
Rolling v8/third_party/instrumented_libraries: 26f2d29..5104b7e
Rolling v8/third_party/zlib: d689fca..3cec057
Rolling v8/tools/luci-go: git_revision:9f65ffe719f73af390727d369b342c22fa37ea54..git_revision:2673c9d7d4a38bce69415221fe721f807e909d85
Rolling v8/tools/luci-go: git_revision:9f65ffe719f73af390727d369b342c22fa37ea54..git_revision:2673c9d7d4a38bce69415221fe721f807e909d85
Change-Id: I38ef91e236d7a501193cc845df1e140c58add032
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3965147
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#83812}
Turbofan generates bitcast nodes like BitcastWordToTaggedSigned to
ensure the value types of definitions and uses are matched. These
nodes can be elided after MachineGraphVerifier verifying the graph.
This can avoid generating redundant instructions:
Before:
xorl r15,r15
cmpl [rdx+0xb],r15
After:
cmpl [rdx+0xb],0x0
Change-Id: I84bc1b05d77ed9487001e34a93dfe14e45a7a678
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3837161
Commit-Queue: Hao A Xu <hao.a.xu@intel.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83811}
This change inline call to Math.min/Math.max like
Math.min.apply(this, arguments_list)
to avoid packing and unpacking doubles during the optimized code execution.
Change-Id: I674476f688213df8eb13ee8c876b280c8fa47263
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3799214
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Fanchen Kong <fanchen.kong@intel.com>
Cr-Commit-Position: refs/heads/main@{#83810}
It's been enabled everywhere since Chrome 88, and the related
Chromium flag was removed in https://crrev.com/c/2886421.
Bug: v8:6532
Change-Id: I987a5761f9453d4e7d77d16199e8f0b3a659c70a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3956131
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Auto-Submit: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83809}
In order to avoid races on updating page flags pause concurrent
marking in client for starting incrental marking and the final
atomic pause in a shared heap GC.
Bug: v8:13267
Change-Id: I592d21d3301b0bbc8551819236f3a4a12eaed756
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3966433
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83808}
This optimization is triggered a few times for Splay.
Bug: v8:12612
Change-Id: Iade5dbf829e1b13b9818264dda99cfd15b680ba6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3966191
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83805}
StringShape can check with a single test for representation type and
whether it's 1- or 2-byte.
Change-Id: Ic90fe052f1cfefafd2fb4fafeb86878d9a33a582
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3963711
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83804}
With a unique microtask queue possibly per context we need to pass
the microtask queue for the MicrotasksScope otherwise the default one
for the isolate will be used.
BUG=chromium:961186
Change-Id: Ib085f08e20185c69760aeea335d673d9c4c72999
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3950216
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Dave Tapuska <dtapuska@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83803}
For MinorMC it is sufficient to finalize new space sweeping.
Starting MinorMC will only ensure that background tasks are paused and
all new space pages are swept.
Accounting becomes more complicated since we can have minor sweeping
and full sweeping running at the same time. To support that, new space
sweeping is split to a separate sweeping scope. Also, the
Notify*SweepingCompleted methods are updated for the possibility of
nested sweeping. The distinction is that Notify*SweepingCompleted
knows what kind of sweeping we want to finalize, but not what kind
is currently running.
Bug: v8:12612
Change-Id: If46fa3bc036080d4231171e613fa3aefe7400246
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3945098
Reviewed-by: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83800}
Lowering the Clamp annotation relies on float rounding, which is
only supported with SSE4 enabled. Thus disabling generating the
fast call path if such arguments are present and SSE4 is disabled.
Bug: chromium:1374745
Change-Id: I14438902946d4744521dac8d8d314af51a722da5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3960410
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83799}
During background deserialization strings are inserted into the string
table. When a string was internalized already it needs to be
transitioned into a ThinString using String::MakeThin.
String::MakeThin invokes NotifyObjectSizeChange which will update
the object size cached in the invalidated_slots map. Since this
operation is unsynchronized this is only allowed on the main thread.
However deserialization may also happen on a background thread. In
this case we know that the just allocated object wasn't recorded in
invalidated_slots yet, so UpdateInvalidatedObjectSize can be skipped
for deserialization.
This CL adds an additional argument to String::MakeThin which enables
the caller to skip invoking UpdateInvalidatedObjectSize.
Bug: chromium:1375228
Change-Id: I6291e6844294dfdc5040da9af6486df6d4120888
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3966188
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83797}
Avoid performing BytecodeAnalysis on the main thread, by moving the
BytecodeAnalysis class and constructor to the graph builder.
To support this, remove CheckIsLoopPhiIfNeeded from the interpreter
frame state -- this was a DCHECK that is more awkward to wire up now
that the bytecode analysis is on the graph builder and not the
compilation unit, and the frame state stuff has been stable long enough
now that it's probably not worth re-wiring.
Bug: v8:7700
Change-Id: I210cb88f575ca34efb85a3bf88b9f0e2303d92ca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3963037
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83796}
