idiv throws a hardware divide exception if it overflows, so add some
manual overflow checks before it (mostly copied from TurboFan).
Bug: v8:7700
Change-Id: Ic3764ecb03d627e482d75b80e712d5ce4a16e9df
Fixed: chromium:1359864
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876182
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82999}
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.
R=ishell@chromium.org
Bug: v8:12887
Change-Id: I457fd781f13c37ffdaa19e29c8f998ee3eaa55a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3875085
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82996}
If collecting PGO information, keep all modules alive until the process
dies. This allows to run multiple tests / benchmarks and combining the
profile information for all of them. Otherwise the NativeModule might be
garbage-collected between runs, and previous information would be lost.
R=manoskouk@chromium.org
Bug: v8:13209
Change-Id: I96e3cda1a123c7a1f3fbc7f5369d2366acee80e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3875082
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82995}
The check for non-canonical address access must come before the check
for nullptr access as the faultaddr will be 0x0 in the former case.
Bug: v8:12878
Change-Id: I6f141d08862879ec9ccb13c081aa6c75a3707530
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3875904
Auto-Submit: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82994}
- i31s should not be packed in {WasmWrapperGraphBuilder::ToJS}.
- anyref should be able to hold any JS value (except null if non
nullable).
- Restructure TypeCheckJSObject.
Bug: v8:7748
Change-Id: I51ab6b84e89a70e565ce56de7a41f8693aa28e5b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871073
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82992}
Fixed a bug with Smis in the bytecode constant pool when running
with --trace-turbo
Bug: chromium:1356895
Change-Id: Idc8990c250c2c85f4755e45115d4c4bac167bfe3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870413
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Danylo Boiko <danielboyko02@gmail.com>
Cr-Commit-Position: refs/heads/main@{#82991}
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.
R=jgruber@chromium.org
Bug: v8:12887
Change-Id: Id293b260c1d84c2f9bd7f5c3c826f374ac6a68b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3875086
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82990}
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.
R=jgruber@chromium.org
Bug: v8:12887
Change-Id: Ide7272de6a59e8324f19d4f52053737b56a380d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3875083
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82989}
Dynamic maybe-context/maybe-global lookup can fast-path in the case
where there are no context extensions in the parent contexts. Add a
trampoline builtin for maglev which performs this fast path.
This is similar to Sparkplug, which calls a similar builtin (except one
which loads context and FBV from Sparkplug frame slots), and unlike
TurboFan, which creates local control flow to inline this operation
fully. Maglev avoids creating local control flow, so the builtin
approach seems more fitting.
Bug: v8:7700
Change-Id: I2f63694d9c1f907f91b8b7b8982adc9f9ba106ca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871210
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82985}
Contexts are not included into bytecode loop assignment
analysis. We follow TF and create a LoopPhi unconditionally.
Bug: v8:7700
Fixed: chromium:1359662
Change-Id: I1a589a4bae2bbbf14bf637f0c1e0439e66216aae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871209
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82984}
This reverts commit f388f96fdb.
Reason for revert: Crashes in canary (https://crbug.com/1360024)
Original change's description:
> Enable background merging of deserialized scripts
>
> This can save memory in cases where multiple frames in a process use the
> same script, with sufficient time between loads that the script's
> top-level SharedFunctionInfo is no longer present in the compilation
> cache. Merging is relatively fast; it generally takes about one tenth as
> long as deserialization.
>
> Bug: v8:12808
> Change-Id: I7366a51f1d2ca6a9f551cdf2bdbe0441450cf1bb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3868088
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82920}
Bug: v8:12808
Change-Id: If160173afaab351d995ddcf4b60d6efe656cf70b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871208
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82983}
This adds two flags to dump "type feedback" (call targets and
frequencies) to a local file, or load it from there. This is meant for
experimentation only.
Some implications are removed, as (speculative) inlining now does not
require Liftoff any more, but can also use information from PGO.
R=jkummerow@chromium.org
Bug: v8:13209
Change-Id: I2d34233ce4077db61f5c237b1941136ac61d3b73
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870470
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82979}
This CL implements ConcurrentMarking::RunMinor which uses
YoungGenerationConcurrentMarkingVisitor (go/YGCMV).
This CL also implements Teardown and FinishConcurrentMarking, and
schedules minor concurrent marking in
IncrementalMarking::StartMarkingMinor.
Additionally, this CL opts out of ConcurrentMarking::PauseScope in
Heap::MinorMarkCompact if concurrent MinorMC is active because
concurrent marking will be finalized in FinishConcurrentMarking
subsequentially.
Bug: v8:13012
Change-Id: I78fe18416e564565c6421243ff40dec7561fb20a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3850292
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82978}
This CL removes global handle marking barriers for MinorMC because
global handles should only be marked by MajorMC.
Bug: v8:13012
Change-Id: I23737f128c01eee75b2b1a19f47c4bcf6d043976
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872270
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Cr-Commit-Position: refs/heads/main@{#82976}
The test broke in
https://crrev.com/c/3865148
Bug: chromium:1352649
Change-Id: I9857fd359d73a4c1f7d202feba27a3dcf56e23c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872275
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82974}
The stack of an isolate's main thread is kept in the isolate's heap.
This CL sets the stack's start address when the isolate's heap is set
up; it can also be set explicitly from the embedder. The CL also fixes
threaded cctests, where an isolate is shared by many "main" threads.
Bug: v8:13257
Change-Id: Ie30bbbe4130882d94f23de946cbada748f32e22d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870923
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82973}
LdaLookupGlobal/ContextSlot loop over parent contexts to check for
context extensions. If there aren't any, they can do a fast
context/global load, otherwise they have to call a runtime slow path.
The bytecode graph builder didn't build a slow path in the case where no
context extensions are possible, by depth == 0 or static scope info
information that there are no possible context extensions. However, this
information is already known to the interpreter, so that should already
elide the lookup in these cases. So, get rid of the slow path being
optional in TurboFan, and consider such cases bytecode generation bugs.
Change-Id: Ib69f90e51b0f783306824fed56911d039f7e134e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872277
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82972}
This reverts commit d00c040547.
Reason for revert: Failing CI tests on Mac arm64
Original change's description:
> [strings] Support shared external strings
>
> With this CL shared strings can be externalized and external strings can
> be shared.
> The StringForwardingTable is used to delay the real transition to the
> next full GC. On the API side strings marked for externalization will
> look like externalized strings.
>
> Bug: v8:12957
> Change-Id: I53b6509129bc5679c06bdf99421bdb41ea5d9082
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849643
> Reviewed-by: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Patrick Thier <pthier@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82966}
Bug: v8:12957
Change-Id: I13155fcc788d217db56cbfd1c9e4457a81a9dbd7
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870486
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82970}
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.
R=mlippautz@chromium.org
Bug: v8:12887
Change-Id: Id12f9d8270dd9fed651e1b3596c06e45aae9d6d1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3846151
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82969}
With PGO, I am hitting typer errors. Instead of just saying
"UNREACHABLE", do print an error message instead, which would previously
have required passing --trace-wasm-typer.
R=manoskouk@chromium.org
Bug: v8:13209
Change-Id: I75498782712b6adfeb1236f6882c49d015f9ef78
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870920
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82968}
With this CL shared strings can be externalized and external strings can
be shared.
The StringForwardingTable is used to delay the real transition to the
next full GC. On the API side strings marked for externalization will
look like externalized strings.
Bug: v8:12957
Change-Id: I53b6509129bc5679c06bdf99421bdb41ea5d9082
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849643
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82966}
This CL adds PKU support for V8 heap, but we will not enable
PKU by default before adding bots that are able to test the
PKU machinery.
Bug: v8:13023
Change-Id: I0465604d56900536ad63311f119ea0324ebe4f2f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3793944
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Wenqin Yang <wenqin.yang@intel.com>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82965}
Inline DependOnStablePrototypeChain to iterate only those maps which
share a validity cell with the receiver map. This resolves an issue
where maps after the holder object violate the stability invariants, but
doesn't require looking up what the actual holder is.
Bug: v8:7700
Change-Id: Id06f0d13660f547e14dd25085799c0e6223c34b9
Fixed: chromium:1359215
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871298
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82964}
There was a missing write barrier for the saved registers and context
in GeneratorStore. Add (deferred) write barriers for these, with some
careful register reshuffling to minimise moves.
Bug: v8:7700
Change-Id: Icf50e96adf3775785ce9b2c5a7566ecbbd1d63d9
Fixed: chromium:1359163
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870914
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82962}
This ignores one of --assert-types and --stress-concurrent-inlining if
used together. We already filter those from trials, but they also might
get picked from // Flags lines in test cases.
No-Try: true
Bug: chromium:1359829
Change-Id: I7e46afb53bdbb0a871c7443a5a66a339046eb3de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871195
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82961}
Rolling v8/build: 15f3aed..aebd733
Rolling v8/buildtools: 734683a..18d22db
Rolling v8/buildtools/third_party/libc++/trunk: 84f0693..369cbf3
Rolling v8/third_party/depot_tools: 8cdc635..eb16430
Rolling v8/third_party/fuchsia-sdk/sdk: version:9.20220831.2.1..version:9.20220902.0.1
Rolling v8/tools/clang: e0c2881..0a22859R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com
Change-Id: I01a1df8f6fe1db74fad773480edb5801f2851219
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872510
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82957}
This CL makes SelectGarbageCollector choose MinorMC to finalize
minor incremental marking if the allocation space is new space.
Bug: v8:13012
Change-Id: I0125d956842d83683cf3b1c5999de0e10a43dee5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871074
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82956}
This CL exclusively activates ScavengeTaskObserver, used by Scavenger
and atomic MinorMC, or MinorMCTaskObserver, used by concurrent
MinorMC.
Bug: v8:13012
Change-Id: I313b0cbe250828cc76d7d4b25e9abb457315112e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871295
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82955}
When internalizing cached external string that are not in-place
internalizable, there is an optimization that avoids copying the
contents of the string. This optimization doesn't work when the string
table is shared, as it leaves strings in a partly initialized state that
can be accessed in a concurrent environment.
Bug: v8:12007
Change-Id: I49fcbb232893c87d065af114546a6f1a15471016
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870469
Auto-Submit: Patrick Thier <pthier@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82953}
When aborting compaction on a page, slots need to be recorded in the
non-evacuated part. Now that maps might be recorded as well, slots
need to be recorded in the map word as well.
Bug: chromium:1359294, v8:12578
Change-Id: I91e4a98ae2951d814d4b50e527b34d8e54d55434
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871297
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82951}
