This is a reland of commit 5b9401dde4
Now also skip tests that require large amounts of virtual address space
if TSan is enabled, as TSan may cause V8 to create a smaller sandbox
which is then unable to allocate the required amount of memory.
Original change's description:
> [sandbox] Also enable the sandbox outside of Chromium builds
>
> Drive-by: include the right header in sandboxed-pointer-inl.h and fix
> missing sandbox initialization in generate-bytecode-expectations.cc.
>
> Bug: v8:10391
> Change-Id: Ic39ba04b7c98eaa58ea3943189c23b297f581f5a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3630082
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81216}
Bug: v8:10391
Change-Id: I141080fdf61a77ef48b22e353e3cfbc1ff816e5a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716474
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81277}
When picking an arbitrary register for an input, prefer picking a
register that's already used as input. If there's no such register,
block the newly picked register.
Bug: v8:7700
Change-Id: I5926ae33482aa615060fef3500c1d2d6079090a4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716476
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81276}
The spec uses "v128" (not "s128") as the vector type name.
Some conversion instructions have more specific names that we used to
print, e.g. "i32x4.trunc_sat_f32x4_s" instead of "...convert...".
Bug: v8:8460
Change-Id: I4e06f452de6ce8b06670a8c5e53142c36d5e6010
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3704497
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81274}
- block regs that already contained the value
- clear the blocklists (including double) in more places
- check that a ForceAllocated reg isn't blocked yet (when allocated
at start)
Bug: v8:7700
Change-Id: I17b58ff23e0558f962a5d798a39ebb7d9b0ae634
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716470
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81273}
Previously it was implemented in api.cc, therefore requiring an additional
function call when accessing external pointer fields from embedder code with
the sandbox enabled. Now ReadExternalPointerField can be inlined.
Bug: v8:10391
Change-Id: Ia8cb2df148ac96f979fd3e22989b0ff6177abcec
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714245
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Samuel Groß <saelo@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81271}
We factor out the path-state part of branch elimination, to reuse it for
wasm path-based type optimizations. The node state becomes a template
parameter for the {ControlPathState} and
{AdvancedReducerWithControlPathState} classes.
Change-Id: I5e9811ced0b71140ec73ba26fae358ac7d56c982
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714238
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81270}
By maintaining a separate list of registers that can't be freed we can
keep track of decisions already made for a node, and avoid creating
conflicts. This can be used to avoid freeing fixed input/temporary
requirements or other assigned registers.
Bug: v8:7700
Change-Id: I3c24e0502e66714cf5f68374811741bc9f5e8b21
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714242
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81268}
This reverts commit 15f372afaf.
Reason for revert: https://crbug.com/v8/12984
Original change's description:
> [wasm] Fix tier-up budget tracking for recursive calls
>
> In the previous implementation, functions overwrote any budget
> decrements caused by recursive invocations of themselves, which
> could cause tier-up decisions for certain unlucky functions to
> get delayed unreasonably long.
> This patch avoids this by working with the on-instance value
> directly instead of caching it in a stack slot. That generates
> the same amount of Liftoff code as the status quo, but handles
> recursive functions properly.
> The "barista3" benchmark's peak performance improves by almost 20%.
>
> Bug: v8:12281
> Change-Id: I8b487a88da99c2d22e132f2cc72bdf36aa5f6e63
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3693710
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81249}
Bug: v8:12281, v8:12984
Change-Id: Ie254236785628c07ac569de16ea82a67ed5bd221
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714247
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Owners-Override: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#81267}
Maintaining an AST class just for testing constant expressions does not
seem justified. This CL changes constant expressions in mjsunit tests
to be represented with bytes, like regular expressions.
Change-Id: If5ec5f4d863176952442b1a7e2fec8a61e385971
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714237
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81266}
This is a temporary change to get more detailed crash reports for
further investigations.
Bug: chromium:1330861
Change-Id: Ifdd8d61692577dffd54d07fadb65575a5c30dcd3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3707592
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81262}
This CL removes the usage of custom byte reversing functions from
the simulator and uses the one provided by V8 utils under:
```
src/utils/utils.h
```
Change-Id: I9a334a10d659b8a3315c34563eb3e6f84644a9e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714898
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/main@{#81261}
Port commit b84c7dbd7f
Change-Id: I80ac3498e6cd21fffeb3988fa7341668e59593f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716150
Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#81260}
Before we assumed that no exception can be thrown when specifying a
function to be used as an async hook, but that's not the case when e.g.
the object passed to createHook is a proxy trapping on property access
and the trap throws an exception.
Bug: chromium:1337629
Change-Id: I7bd7893cd274afb6e642ed18aacb9e203f7fdd96
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714233
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81258}
PopToModifiableRegister did not check the {pinned} list, so it could
return a register which was already used for another (temporary) value.
This CL fixes that, and adds a little optimization which gives more
freedom to the choice of spilling and has a chance to avoid a register
mode.
R=jkummerow@chromium.org
Bug: chromium:1337221
Change-Id: Ifc02321038713ff03e8f8e7db78dde33f70ec847
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3707287
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81255}
Previously, when embedders attempted to create ArrayBuffers backed by
memory outside the sandbox, V8 would simply crash with a failed CHECK
when converting the raw backing store pointer into a SandboxedPointer.
The new ApiCheck now provides a better error message in that case.
Bug: chromium:1218005
Change-Id: I7a1ad8cbf07fa346b1f09521850df9b18b428427
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3711882
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81254}
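Added example (not V8's code, and not part of the commit above): a containment check of the kind the ApiCheck in this change performs, written as a stand-alone function so that a backing store outside the sandbox is reported with a diagnostic instead of a bare crash. The `SandboxRegion` and `RangeCheck` structs, `CheckInsideSandbox` and the constructed addresses in `main` are assumptions for illustration; the point is that both the sandbox bounds and the backing-store bounds are checked for address-space wraparound before they are compared.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Illustrative model (not V8's code): the sandbox is one reserved virtual
// address range [base, base + size). A backing store [ptr, ptr + len) may only
// be referenced through a sandboxed pointer if it lies entirely inside it.
struct SandboxRegion {
  uintptr_t base;
  size_t size;
};

// Outcome of the check: ok, plus a human-readable reason when it fails.
struct RangeCheck {
  bool ok;
  std::string reason;
};

// Overflow-safe containment check. Both end computations are guarded so that
// a pointer near the top of the address space cannot wrap around and pass.
RangeCheck CheckInsideSandbox(const SandboxRegion& sb, uintptr_t ptr, size_t len) {
  if (sb.size > UINTPTR_MAX - sb.base) {
    return {false, "sandbox region wraps around the address space"};
  }
  if (len > UINTPTR_MAX - ptr) {
    return {false, "backing store [ptr, ptr + len) wraps around the address space"};
  }
  const uintptr_t sb_end = sb.base + sb.size;  // exclusive
  const uintptr_t end = ptr + len;             // exclusive
  if (ptr < sb.base || end > sb_end) {
    return {false, "ArrayBuffer backing store must be allocated inside the sandbox"};
  }
  return {true, ""};
}

int main() {
  // Constructed region and probe pointers for demonstration only.
  const SandboxRegion sb{0x100000, 0x1000};
  const uintptr_t probes[][2] = {
      {0x100000, 0x1000},       // exactly the whole region: ok
      {0x100000, 0x1001},       // one byte past the end: rejected
      {UINTPTR_MAX - 8, 16},    // would wrap around: rejected before comparing
  };
  for (const auto& p : probes) {
    RangeCheck r = CheckInsideSandbox(sb, p[0], static_cast<size_t>(p[1]));
    std::printf("ptr=%#zx len=%zu -> %s\n", static_cast<size_t>(p[0]),
                static_cast<size_t>(p[1]), r.ok ? "ok" : r.reason.c_str());
  }
  return 0;
}
```

The wraparound guards matter more than they look: without them a backing store at the top of the address space with a large length computes an `end` that is numerically small, and a plain `ptr >= base && end <= sb_end` comparison accepts it.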
The original CL used Object::Set to create the result object of
WebAssembly instantiation. However, Object::Set is potentially
observable from JavaScript, and therefore required a MicrotasksScope.
This CL replaces the use of Object::Set with Object::CreateDataProperty.
Original message:
This CL switches resolving and rejecting the wasm result promise from
the V8-internal API to the external API added in
https://chromium-review.googlesource.com/c/v8/v8/+/3695584.
This CL can land once Chrome provided an implementation of the callback.
R=jkummerow@chromium.org
Bug: v8:12953
Change-Id: If1f252736fd3a13024d4b38adebf468530c59c03
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714234
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81253}
* Move fixed temporary allocation before arbitrary input allocation,
so that fixed temporaries don't accidentally clobber the arbitrary
input register. Now the input allocation will pick a different
register.
* For the above, make temporary allocation 'block' the register with a
sentinel value, rather than marking it free, so that the subsequent
input allocation knows not to use those registers (including
spilling into them).
* Similarly, move arbitrary input allocation after phi resolution when
allocating control nodes, since phis may have fixed requirements.
* Allow deopts to spill their inputs if they are not in registers and
not yet loadable. This is done during the equivalent of input
allocation for deopts.
* Allow there to be multiple targets for a single source during gap
move collection / cycle detection. There can still only be a single
source per target, therefore there can only be one cycle for each
connected component -- this is DCHECKed.
* Make register validation more complete -- also walk the entire
graph, and check whether value nodes' result register states match
the current register allocator state.
* Add much more printing to --trace-maglev-regalloc because these bugs
ain't easy to debug.
Bug: v8:7700
Change-Id: Id98259c2920d772ce168bf27497162e78b136f9f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714235
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81252}
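Added example (not Maglev's code, and not part of the commit above): a stand-alone gap-move resolver that follows the shape described in the fifth bullet. The register numbering, the `kTemp` scratch register, the `Move` struct and the checker functions are assumptions for illustration. The example serializes a set of parallel moves, asserts the single-source-per-target invariant, breaks each cycle with one temp, and checks the serialized sequence against the parallel semantics.

```cpp
#include <algorithm>
#include <cassert>
#include <cstdio>
#include <map>
#include <vector>

// Illustrative model (not Maglev's code) of gap-move resolution: a set of
// parallel moves src -> dst that must behave as if executed all at once.
// Registers are small ints; kTemp stands for a scratch register used to break
// cycles. Invariant: a source may feed several targets (fan-out), but every
// target has exactly one source, so each connected component holds at most
// one cycle and one temp per cycle suffices.
using Reg = int;
constexpr Reg kTemp = -1;

struct Move {
  Reg src;
  Reg dst;
};

// True if `dst` is still read by some pending move.
static bool IsPendingSource(const std::vector<Move>& pending, Reg dst) {
  return std::any_of(pending.begin(), pending.end(),
                     [dst](const Move& m) { return m.src == dst; });
}

// Serialize the parallel moves into ordinary sequential moves.
std::vector<Move> ResolveParallelMoves(std::vector<Move> pending) {
  // Single source per target: the equivalent of the DCHECK in the message.
  std::map<Reg, int> sources_per_target;
  for (const Move& m : pending) ++sources_per_target[m.dst];
  for (const auto& entry : sources_per_target) assert(entry.second == 1);

  // Self-moves are no-ops.
  pending.erase(std::remove_if(pending.begin(), pending.end(),
                               [](const Move& m) { return m.src == m.dst; }),
                pending.end());

  std::vector<Move> out;
  while (!pending.empty()) {
    // Emit any move whose target is no longer needed as a source.
    auto free_it = std::find_if(pending.begin(), pending.end(), [&](const Move& m) {
      return !IsPendingSource(pending, m.dst);
    });
    if (free_it != pending.end()) {
      out.push_back(*free_it);
      pending.erase(free_it);
      continue;
    }
    // Every remaining target is also a pending source: a cycle. Park one
    // source in the temp and let every move that reads it read the temp
    // instead; that removes the back edge and the rest drains as a tree.
    Reg victim = pending.front().src;
    out.push_back({victim, kTemp});
    for (Move& m : pending) if (m.src == victim) m.src = kTemp;
  }
  return out;
}

// Apply moves one after another to a register file.
std::map<Reg, int> ApplySequential(std::map<Reg, int> regs, const std::vector<Move>& seq) {
  for (const Move& m : seq) regs[m.dst] = regs[m.src];
  return regs;
}

// Reference semantics: all sources are read before any target is written.
std::map<Reg, int> ApplyParallel(std::map<Reg, int> regs, const std::vector<Move>& moves) {
  std::map<Reg, int> result = regs;
  for (const Move& m : moves) result[m.dst] = regs[m.src];
  return result;
}

// True if the serialized sequence yields the same register file as the
// parallel semantics (ignoring the scratch register).
bool ResolvesCorrectly(const std::map<Reg, int>& regs, const std::vector<Move>& moves) {
  std::map<Reg, int> got = ApplySequential(regs, ResolveParallelMoves(moves));
  got.erase(kTemp);
  return got == ApplyParallel(regs, moves);
}

int main() {
  // Constructed input: a swap cycle r1 <-> r2 plus a fan-out r1 -> r3.
  std::vector<Move> moves = {{1, 2}, {2, 1}, {1, 3}};
  for (const Move& m : ResolveParallelMoves(moves)) {
    std::printf("%d -> %d\n", m.src, m.dst);  // -1 denotes the temp
  }
  std::printf("matches parallel semantics: %s\n",
              ResolvesCorrectly({{1, 10}, {2, 20}, {3, 30}}, moves) ? "yes" : "no");
  return 0;
}
```

The reason a single temp is enough is the invariant: with one source per target the move graph has at most one cycle per connected component, and once the victim's outgoing edges are redirected to the temp the component is acyclic and drains before another cycle has to be broken.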
This bug may lead to gc_stats tracing not stopping as expected after chrome://tracing stops.
Change-Id: Ibc2ece4c0ad536a99c4aece039ef546d152df10a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3709242
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jianxiao Lu <jianxiao.lu@intel.com>
Cr-Commit-Position: refs/heads/main@{#81251}
According to the style guide, the implicit conversion of any number of
registers to a LiftoffRegList should not be there. This CL removes it,
and fixes two subideal call sites to use SpillRegister (receiving a
single register) instead of SpillOneRegister (receiving a register list
to choose from).
Plus some semantics-preserving rewrites.
R=jkummerow@chromium.org
Bug: chromium:1337221
Change-Id: Id22043ac1c185bc794dbde7baa4b1d5ab7cce56e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3707286
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81250}
In the previous implementation, functions overwrote any budget
decrements caused by recursive invocations of themselves, which
could cause tier-up decisions for certain unlucky functions to
get delayed unreasonably long.
This patch avoids this by working with the on-instance value
directly instead of caching it in a stack slot. That generates
the same amount of Liftoff code as the status quo, but handles
recursive functions properly.
The "barista3" benchmark's peak performance improves by almost 20%.
Bug: v8:12281
Change-Id: I8b487a88da99c2d22e132f2cc72bdf36aa5f6e63
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3693710
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81249}
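Added example (not Liftoff's code, and not part of the commit above): a simplified model of the two budget-tracking strategies the message contrasts. The `Instance` struct, the two call functions and the per-invocation cost of one unit are assumptions for illustration; the model shows why caching the budget in a stack slot loses the decrements made by recursive invocations, and how many more top-level calls that costs before the budget is exhausted.

```cpp
#include <cstdint>
#include <cstdio>

// Illustrative model (not Liftoff's code): a per-instance tier-up budget that
// every invocation of the function charges by one unit.
struct Instance {
  int32_t budget;
};

// Strategy 1: load the budget into a stack slot at entry, decrement the copy,
// write it back at exit. While a recursive callee runs, the caller still holds
// its stale copy, and the caller's write-back overwrites the callee's work.
void CallCached(Instance* inst, int depth) {
  int32_t slot = inst->budget;  // stack-slot copy taken at entry
  slot -= 1;                    // charge this invocation
  if (depth > 0) CallCached(inst, depth - 1);
  inst->budget = slot;          // clobbers everything the callee subtracted
}

// Strategy 2: decrement the on-instance value directly. Every invocation,
// recursive or not, is accounted for.
void CallDirect(Instance* inst, int depth) {
  inst->budget -= 1;
  if (depth > 0) CallDirect(inst, depth - 1);
}

// Budget left after one top-level call that recurses `depth` levels
// (depth + 1 invocations in total).
int32_t RemainingAfterOneCall(bool cached, int32_t initial, int depth) {
  Instance inst{initial};
  if (cached) CallCached(&inst, depth); else CallDirect(&inst, depth);
  return inst.budget;
}

// Number of top-level calls (each recursing `depth` levels) until the budget
// reaches zero, i.e. until a tier-up decision would be taken.
int TopLevelCallsUntilExhausted(bool cached, int32_t initial, int depth) {
  Instance inst{initial};
  int calls = 0;
  while (inst.budget > 0) {
    if (cached) CallCached(&inst, depth); else CallDirect(&inst, depth);
    ++calls;
  }
  return calls;
}

int main() {
  const bool modes[] = {true, false};
  for (bool cached : modes) {
    std::printf("%s: %d left after one call of depth 9, %d top-level calls to exhaust 100\n",
                cached ? "cached" : "direct",
                RemainingAfterOneCall(cached, 100, 9),
                TopLevelCallsUntilExhausted(cached, 100, 9));
  }
  return 0;
}
```

With the cached strategy a call that recurses nine levels deep is charged as a single invocation, so a budget of 100 survives 100 top-level calls instead of 10; the deeper the recursion, the longer the tier-up decision is delayed.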
This is a reland of commit 538f2bc9ab
Changes compared to original: None. We think the problem that caused
the revert (https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20no-concurrent-marking/9377/overview) is unrelated.
Original change's description:
> [wasm-gc][cleanup] Remove wasm signature from CallDescriptor
>
> This field is no longer used, as the functionality it supported has been
> subsumed by wasm-gc type-based optimizations.
>
> Bug: v8:7748
> Change-Id: I970514bb29e5f91bb5610cafde60ec3dbcfb07aa
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3705376
> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Maya Lekova <mslekova@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81244}
Bug: v8:7748
Change-Id: I8eacff98d265751fae55f244d40c0df94e35e6fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714231
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81248}
CHECKs were added / DCHECKs turned into CHECKs in
https://crrev.com/c/3707103 to help investigate crash reports.
Revert these changes (besides one CHECK that prevents potential OOB reads
when the hash value is corrupted).
Bug: chromium:1336516
Change-Id: I84dd699b53c2006a1be4059940017c1277efa7ff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3711757
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81247}
Fix underflow in allocation timeout which is used by fuzzers to trigger
garbage collection.
Bug: chromium:1337646
Change-Id: Iffa70497c2945a26242e9e67820197bd5e61f04c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3711758
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81246}
This field is no longer used, as the functionality it supported has been
subsumed by wasm-gc type-based optimizations.
Bug: v8:7748
Change-Id: I970514bb29e5f91bb5610cafde60ec3dbcfb07aa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3705376
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81244}
use_rbe has been deprecated, and logic formerly checking it now checks for use_remoteexec first.
Bug: chromium:1247781
Change-Id: I665e76345d5c1a64c2f5253799cee818a4b39129
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3707092
Reviewed-by: Liviu Rau <liviurau@chromium.org>
Commit-Queue: Richard Wang <richardwa@google.com>
Cr-Commit-Position: refs/heads/main@{#81243}
Mostly in comments, again, not much to be said...
Bug: v8:12425
Change-Id: Id847447ade3100f13c5da8931fbb47d06ff1ce1f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3711883
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81242}
Mostly in comments, again, not much to be said...
One case of UNREACHABLE with return.
Bug: v8:12425
Change-Id: I295db355c4794e4205b9b70ebbf51e019ec14060
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695265
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81240}
... to avoid additional indirection on every access.
Drive-by: given that AccessorInfo class now has a custom body visitor
it's no longer necessary to encode flags field as Smi.
Bug: v8:12949
Change-Id: I30eabee3cbc5ded2bf3f050dfe22208713a764bf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3701590
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81237}
Remove finalization step of incremental marking. The step was
historically used to process embedder/weak work on the main thread
before invoking the atomic pause. Remove the infrastructure as the
step is not needed anymore and actually required a safepoint.
Change-Id: I208767bbac3d9a06a0b3c67aa9779f8a5fa07328
Bug: v8:12775
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3702801
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81234}
... in order to distinguish OOMs caused by code range exhaustion from
other OOMs.
Bug: v8:11880
Change-Id: Ic27242bee7dd7b68673ea478d5972a055ec58943
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3707289
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81232}
f8 (fs0) is callee-saved, so we should not use it to hold the return value in the float_min_max test case.
Change-Id: I7039918cc434462dd956339d4263811543e23a94
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3711284
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#81230}
Rolling v8/build: 7e8d64b..5ee7989
Rolling v8/buildtools: 8b16338..34f9ff8
Rolling v8/buildtools/third_party/libc++/trunk: 1a63708..b126981
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/0eef537..b83d69f
Rolling v8/third_party/depot_tools: c5c4853..9a3c4bc
Rolling v8/tools/clang: aab5788..f68dc6b
Rolling v8/tools/luci-go: git_revision:de014227dd270df7c61bfab740eb4ae4b52ac2a7..git_revision:df39938896c4603fb2a214a2430450a85d9cca81
R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com
Change-Id: I11e049b61608a0f43f04dfa4b88ca569dfc56d6e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3712646
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#81229}