Check for the most commonly used wrong sentinel value (-1). Users
should use cppgc::kSentinelPointer instead.
Bug: chromium:1263009
Change-Id: I200954bcd70c6a100ffec24aece3e1843e1438a0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3242002
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77529}
ObjectSizeTrait::GetSize is used by Trace methods in Blink and may be
called while concurrent marking is active. The current version is
non-atmoic and therefore can race with marking on other threads.
Bug: chromium:1261860
Change-Id: Ia0b41ec496ac64ae3dd5a040b25f6972b21561c5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3240832
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77527}
variable 'pushed_stack_space' set but not used.
Change-Id: I427f76448b9933f9c8f1169709e28eef4512241f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3241543
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#77526}
For the upcoming host_defined_options fixes we will have to explicitly
pass the host-defined options to Invoke so we will be able to install
it in the script context in the future.
Bug: chromium:1244145
Change-Id: I690cc774d6a17278db4381aba8c3408e979606c1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3222765
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77524}
Persistent node slots are dynamically allocated and their allocation
may fail. Delegate to the proper OOM handler in this case.
Bug: chromium:1243257
Change-Id: I985f5b0c940f7ac4996f3f3243123a07119005b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3240786
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77523}
This CL fixes an issue in EffectControlLinearizer, where the primitive
type of the argument of a fast C call was used to compute its
MachineType even when the argument was actually a TypedArray, which
should always be treated as a Tagged type. This resulted in Float32/64
typed arrays being passed in FP registers, leading to a crash in the
register allocator.
Drive-by fix: Fixed output from --trace-turbo-alloc so that all of its
sub-parts are printed with PrintF, avoiding interleaved log lines.
Bug: chromium:1260954
Change-Id: I249c8629daae3af437fb52f53f45211f3a214222
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3231341
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77521}
Marking verification should only process young generation objects when
verifying the marking state of a young generation garbage collection.
Bug: v8:12324
Change-Id: I01db261437ec5c42ddb6c79c44e31b5fe0e536d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3231343
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77518}
We introduce simple escape analysis for wasm-gc objects, where struct
allocations that are only assigned to are eliminated. Handling phi uses
of allocated objects is left for future work.
Bug: v8:11510
Change-Id: Ibd0b220466546e150b26b02890572a5174c6872d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3229744
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77515}
Character class handling in the irregexp pipeline is quite complex;
codepoints outside the BMP (basic multilingual plane) are only
translated into surrogate pairs when needed, e.g. when the subject
string is two-byte. If not needed, the codepoints simply stay part of
the list of CharacterRanges.
In EmitCharClass, we determine the valid subset of ranges through
ranges_length; until this CL, we forgot to pass that information on to
MakeRangeArray. Do that now by truncating the list of CharacterRanges.
Fixed: chromium:1262423
Change-Id: I5bb5b839e9935890ca2d10908ad66d72c3217178
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3240782
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77514}
Narrow down the list of owners to choose from in the gcmole auto-update CLs.
Bug: v8:11169
Change-Id: I9f553124c43dc9fc094a8f4a6e2bcc832fe27636
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3236993
Commit-Queue: Liviu Rau <liviurau@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77509}
Some variables are only used in DCHECKs, which leading to the
`unused-but-set-variable` check fail in release mode.
So we need to explicitly mark them as used.
Change-Id: I18dc8ec97ea5fbbaa081a52629b9572b863d901e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3237558
Reviewed-by: Liu yu <liuyu@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#77507}
https://github.com/google/benchmark/pull/1256 has been upstreamed.
Manually roll forward and immediately remove the build-time work
around.
Change-Id: I567dc0bdfda128656c874b6555dc6a89eeaa8100
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3236991
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Nico Weber <thakis@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77502}
This flag will force the usage of the mid-tier register allocator, which
is otherwise only used for huge functions, hence does not get much
fuzzer coverage.
R=machenbach@chromium.org
Bug: v8:12330
Change-Id: I30b602b54adf858a2a3aaf73d8828875c1f6df7a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3234492
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77500}
To get more details about the failure when it flakes.
Bug: v8:12332
Change-Id: I1bf5188efe13a75e34dd9832e6275fd985ee8dbd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3233974
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77498}
If an output operand has "same as input" policy, we cannot assume that
it's input 0. Instead we should look at the {input_index}.
The bug manifests on Wasm select instructions, where the input index is
actually 2 and not 0.
In order to test this better, we introduce the a new
--turbo-force-mid-tier-regalloc flag, which always uses the mid-tier
register allocator. Otherwise the bug would only manifest on huge
functions.
R=mslekova@chromium.org
CC=thibaudm@chromium.org
Bug: v8:12330
Change-Id: I6a005a48bbd2aba354dc99fed587bffce24c8839
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3234722
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77495}
Comments in interface-descriptors stated that the argument count is
without the receiver, which is no longer true (see [1]).
[1] https://crrev.com/c/3140608
Bug: v8:11112
Change-Id: I75277bd4044a49a5a668f602501ad229bc44720b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3234491
Commit-Queue: Patrick Thier <pthier@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Patrick Thier <pthier@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77494}
Calling class constructors without new is a spec violation and should
raise an exception.
In [1] calling class constructors with spread (without new) was handled
by reducing the node to a call to runtime to raise the exception.
However, arguments of the call have to be evaluated first ([2]).
This CL changes the reduction of JSCallWithSpread/JSCallWithArrayLike to
a no-op in JSCallReducer if the target is a class constructor, delaying
raising of the exception to the call builtin.
[1] https://crrev.com/c/3229369
[2] https://tc39.es/ecma262/#sec-evaluatecall
Bug: chromium:1262007
Change-Id: I2ef504d4ce6e51d582b5951beb6debb983cefba6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3236348
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77492}
This CL exposes the async stack traces instrumentation on the console
object, behind a --experimental-async-stack-tagging-api flag. It serves
as a prototype that aims to validate whether the debugging experience
can be improved for userland code that uses custom schedulers. The tests
are implemented as Blink web tests in the following CL:
https://chromium-review.googlesource.com/c/chromium/src/+/3226418
Bug: chromium:332624
Change-Id: Ib1ee71de68f7bb9aff5b944812ce681d8711d217
Signed-off-by: Victor Porof <victorporof@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3212506
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77491}
We use a mutex to avoid data race when reading/writing to the
code object registry.
Functions called only by the sweeper happens during safepoints and
do not need to be protected by the mutex.
Bug: v8:12054
Change-Id: Ie85bf0422622eee7f2836ecae132397a6aa4ed59
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3234721
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77490}
Rolling this manually because we have to update paths in sync with
instrumented_libraries due to https://crrev.com/c/3224627.
Rolling v8/third_party/instrumented_libraries:
6527a4e..3c149f5
Bug: chromium:1261909
Change-Id: Ibcb6ebefa287e0125e0cb75be8dc51dea392a502
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3233138
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77489}
This is a reland of 6cd14492aa
Additionally rolls buildtools to include https://crrev.com/c/3045960
Rolling v8/build: f78b0bd..110f470
Rolling v8/buildtools: a9bc3e2..f5750f5
Original change's description:
> [Fuchsia] Remove checkout_fuchsia_for_arm64_host
>
> Also roll /build to a version that contains the cl removing
> checkout_fuchsia_for_arm64_host
>
> Bug: chromium:1137662
> Change-Id: I72851e5ab4e1daabf6ea62fb7935dfd28d8dee25
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3232816
> Auto-Submit: Chong Gu <chonggu@google.com>
> Commit-Queue: Chong Gu <chonggu@google.com>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#77486}
Bug: chromium:1137662
Change-Id: Iaa142fd3e61ce14972381f309a83f45e1a0cb318
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3236347
Reviewed-by: Liviu Rau <liviurau@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77488}
Also roll /build to a version that contains the cl removing
checkout_fuchsia_for_arm64_host
Bug: chromium:1137662
Change-Id: I72851e5ab4e1daabf6ea62fb7935dfd28d8dee25
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3232816
Auto-Submit: Chong Gu <chonggu@google.com>
Commit-Queue: Chong Gu <chonggu@google.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77486}
Port 8bbb44e537
Port 7c08633bf6
Change-Id: Iebc3e223a0a7bc5f31ef0f21d8589e60ccdc0833
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3233695
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#77485}
Relaxed f32x4 and f64x2 min and max.
These instructions only guarantee results when the inputs are non nans,
and when the inputs are not 0s of opposite signs.
Reuse existing float binop testing harnesses and add special checks for
such constants when relaxed operations are being tested.
Drive-by rename of x64 instruction codes to be Minps/Maxps/Minpd/Maxpd
since they map down exactly to a single instruction.
Bug: v8:12284
Change-Id: I1449dbfa87935a96d7d260db22667ab7b9e86601
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3218196
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77484}
--no-stress-flush-bytecode doesn't exist and should be
--no-stress-flush-code. Not supressing it means a tester could pass
--stress-flush-code and --no-flush-bytecode, which are contradictory and
will assert.
Bug: v8:12331
Cq-Include-Trybots: luci.v8.try:v8_numfuzz_dbg_ng,v8_numfuzz_ng
Change-Id: I6490271bcb11f5ea925eb8b65fbe0455c2dafeaf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3233952
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77483}
Port e127f58410
Original Commit Message:
Handling of class constructors was moved from CallFunction to Call
in [1].
When reducing calls with spread we forward varargs directly to
CallFunction, if we are spreading to inlined arguments or arguments of
the outermost function.
In that case we didn't check for class constructors and therefore didn't
raise an exception.
This CL adds checks for class constructors to all JSCall* nodes in
JSCallReducer that missed them before.
[1] https://crrev.com/c/3186434R=pthier@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N
Change-Id: I02cba90369354f064201daa1bf8812e17cb2dc21
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3234040
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#77480}