And add a test to ensure we've caught them all and won't
forget any others in the future.
Change-Id: I9bed83ada1c8991eaf08af4b34d4ccda7dc0e600
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3724788
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81388}
The following flag combinations run into a CHECK in d8:
('--assert-types', '--stress-concurrent-inlining')
('--assert-types', '--stress-concurrent-inlining-attach-code')
All flags can be passed as clusterfuzz trials on d8 fuzzers and lead
to poor fuzzing outcomes. This lowers their probability as a
mitigation until a better solution is found.
No-Try: true
Bug: chromium:1336577
Change-Id: I63747bb0a466c01d2789fc76cb9232f7afe720f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3721382
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81387}
- Use the lowered 32-bit signature when linking the inlined and caller
graphs.
- Tolerate non-projection uses of Call nodes when linking the graphs.
These can be left over by Int64Lowering.
- Drive-by: Inline really small functions even if their call count is
low.
Bug: v8:12166
Change-Id: I5b472d3f617f2f23820a5d142102c0a6c5c769dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3720715
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81386}
It is no longer necessary to postpone the allocation of backing stores
to avoid triggering GC. As such, the logic around ArrayBuffer
deserialization can be simplified.
Bug: v8:10391, v8:11111
Change-Id: I7410392a6e658cd4be77e2192483c6d412b63412
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3717982
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81384}
Now you can use 3-letter alias for all modes: rel, opt, dbg
Example: gm.py x64.opt.d8
No-Try: True
Change-Id: I825ebbf4cc1c509599f4fd2ac5aa0ac6fab998c0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3723506
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81382}
The waiter queue node of JS Atomics.Mutex is now stored in the shared
external pointer table.
Bug: v8:12547
Change-Id: I2f4ce1c705d5e710b49872942702f60edf6c4043
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3721696
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81380}
Instead of creating smaller sandboxes when the allocation of the virtual
address space reservation fails, we now create partially-reserved
sandboxes and halve the reservation size until the initialization
succeeds. That way, the unreserved part of the sandbox can still be used
for allocating objects.
Bug: v8:10391
Change-Id: I89a7790ffcda87ab71cc7b7f1101c0a1c3c62829
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714241
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81379}
Previously, only root marking performed during the final pause
was accounted for in the tracing data.
This CL enables tracing of the initial root marking step of MajorMC.
Change-Id: I4aa8a52144d81a12e43a481518acbab118978992
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3724793
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81378}
Utf8Decoder used to use unibrow::Utf8::ValueOfIncremental, which had a
fast path to avoid the decoder for bytes less than 0x80 in the start
state. We had to switch away from ValueOfIncremental but it's probably
a good idea to keep the fast path.
Bug: v8:12868
Change-Id: I7d83d67f2c13a1c4f026dde04ef0a69b7de47dc3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3723498
Commit-Queue: Andy Wingo <wingo@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81377}
Quite embarassingly, the test that the WTF-8 decoder rejects surrogate
pairs was broken: the trailing surrogate was invalid. (The range of the
second byte for leading surrogates is [A0,AF], and for trailing is
[B0,BF]). Of course the actual functionality was broken, because the
code that detected surrogate pairs called IsSurrogatePair with swapped
arguments.
Bug: v8:12868
Change-Id: Icab5e2e4e200afb3d34f478ab4f98b739ada5645
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3723497
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andy Wingo <wingo@igalia.com>
Cr-Commit-Position: refs/heads/main@{#81376}
This CL adds control-path type-tracking for wasm-gc nodes in the
WasmGCOperatorReducer. Nodes now use the types assigned to their
argument nodes, as well as the additional information tracked along
control paths.
Drive-by: Add support for multiple instances of the same node to
appear in control-path-state.
Bug: v8:7748
Change-Id: I73e8f84595609b3a5fb61a2bffeb973182d17676
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3717994
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81373}
Changes for TF instruction selector will be pasted
in the CL comments and will get applied once all
relaxed opcodes have been implemented in codegen/liftoff.
Change-Id: If7250d97398fd99dc2dd59d5d7ce079b99feed43
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3721428
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/main@{#81362}
v8 have not rolled latest perfetto's since January 2021.
At the moment, this roll is blocked on b/236945541
Cq-Include-Trybots: luci.v8.try:v8_linux64_perfetto_dbg_ng
Change-Id: Ife1a56a3b1ded47d806394738943805b7989964e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3721615
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Mohit Saini <mohitms@google.com>
Cr-Commit-Position: refs/heads/main@{#81359}
Unaglined allocations are not fully supported in V8.
- Set USE_ALLOCATION_ALIGNMENT_BOOL to false for documentation
- Verify HeapObject address alignment requirements with --verify-heap
- Move address alignment to right after allocation in the deserializer
- Use object_size in the CheckAlignment helper to get a chance to
figure out which allocation path we took
Bug: chromium:1330861, v8:8875
Change-Id: Iffd02d869923ccec133618250dfefb0480b02741
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3717995
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81358}
The optimization of a trap inside a branch is being removed. Since it
does not speed-up non-trapping programs, and it is quite narrow, it is
not worth the maintenance cost.
Bug: chromium:1338947, chromium:1338950, chromium:1339153
Change-Id: I5b3f52e2b11d4c5113dd44fe23c14d74124a15f6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3721617
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81357}
|exclude_imports| flag is set in some of the perfetto's proto_library
targets to indicate that we don't need to generate the proto-descriptor
for the protos included in those `x.proto` files. In this CL we use that
flag to conditionally pass `--include_imports` argument to protoc.
This is similar to the CL (https://crrev.com/c/2632759)
Bug: b:236945541
Change-Id: I0689003978096798d1e966ec8485cd6af7237804
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3721616
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Mohit Saini <mohitms@google.com>
Cr-Commit-Position: refs/heads/main@{#81356}
This is a reland of commit 543acf345a
Original change's description:
> cppgc: Minor fix in cppgc efficiency calculation
>
> Efficiency calculation (freed bytes over GC duration) assumes that the
> duration of the GC is non zero. However, if the clock resolution is
> not small enough and the entire GC is very short, the timed value
> appears to be zero. This leads to NaN values showing in metrics and
> CHECKs failing. This CL fixes the issue.
>
> Bug: chromium:1338256
> Change-Id: I1dbc52072fcde3411aa38fa0c11da25afd107ca8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714356
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81329}
Bug: chromium:1338256
Bug: chromium:1339180
Change-Id: Ib2b2a6973a6d290adf01568f35a205b606dd99f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3723499
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81354}
There's no need to use the regular Scavenge visitor that would possibly
populate the worklists again as we already know that we merely want to
update the references at this point.
Bug: chromium:1336158
Change-Id: I137d0bc990473cd6bc23f3a8849d83314807f6a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3723500
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81353}
There were multiple bugs and no test coverage for br_on_cast and br_on_cast_fail, specifically for the paths in the decoder where those
checks get optimized away.
Bug: v8:7748
Change-Id: I6e5d6449152df0456b43938174f57055a4c63fdd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3723503
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81349}
When a detached JSDataView is deserialized, it's backing ArrayBuffer
backing store is empty (i.e. the EmptyBackingStoreBuffer() pointer).
Previously, the JSDataView's data_pointer would then be set to
EmptyBackingStoreBuffer() + byte_offset(), which is not a valid backing
store pointer as it points outside of the sandbox. Instead, which this
CL the data_pointer is now simply set to EmptyBackingStoreBuffer().
Bug: v8:10391
Change-Id: Ic7d144f2f20d5ec99438d2b3bf33735fbf8d5fc6
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3717987
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81348}
