* Skip 8 tests that timeout due to the low-performance of current MMTk non-moving GC.
- This will be enabled after TPH performance issues are addressed.
* Skip 2 new tests that creates a second isolate -- TPH does not support it at the moment.
* Skip 1 test that expects concurrent sweeping behavior of cppgc.
Bug: v8:11641
Change-Id: If86cdcc303b01536d278368886bb30d91da5c5c1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2909692
Auto-Submit: Wenyu Zhao <wenyu.zhao@anu.edu.au>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75036}
This CL updates Realm.eval() to also handle reading source code as a
JavaScript function or from a file. To distinguish between different
argument types, an additional options bag needs to be provided. If no
options bag is provided, the behavior defaults to the current one,
which is reading source code from a string.
Bug: v8:11525, v8:11706
Change-Id: I68238335eb91171041dca2c83db211c40dd68359
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2944435
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Vicky Kontoura <vkont@google.com>
Cr-Commit-Position: refs/heads/master@{#75021}
Currently, the serializer and deserializer assume that all top-level
declarations to be serialized will be objects.
This CL removes this assumption.
Bug: v8:11525, v8:11706
Change-Id: I5acf5e7a3b73aba5ffc5b1d5eb9cb51b3804a4af
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2945178
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Vicky Kontoura <vkont@google.com>
Cr-Commit-Position: refs/heads/master@{#75020}
This is needed for JSCallReducer.
Bug: chromium:1217562
Change-Id: I1f06040a74c393598c134301ba0cf04a46380107
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2945184
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75019}
Predictable does not contradict --wasm-tier-up any more, hence unskip
the tests.
R=ahaas@chromium.org
Bug: v8:11319, v8:11848
Change-Id: Iaefcf6c80e65d27c527aa1a45b054ace1d85fe39
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2945171
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75013}
This is a reland of 79d63a5ef3. Some fixes
landed already, and two tests need to be skipped now (one with a tracking
bug).
Original change's description:
> [wasm] Remove all implications from --predictable
>
> In predictable mode, we want to execute the same code as otherwise,
> modulo timing. Hence remove any implications which change behaviour
> (like tier-up or asynchronous compilation).
> Note that --predictable is a debugging flag, so the configurations does
> not need to "make sense" in production.
>
> R=ahaas@chromium.org
>
> Bug: v8:11848
> Change-Id: If74fbacadeb087d977922c41f33fd18738b50ded
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2940898
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74973}
Bug: v8:11848
Change-Id: I3564e4351d6545bb9643d1ae44722eb2606b8961
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2944936
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75009}
Changes:
- Add struct.new_with_rtt as a new WasmInitExpr. Parse it in
consume_init_expr(). Add it to
InstanceBuilder::EvaluateInitExpression().
- Change WasmInitExpr::operand_ to vector operands_.
- In consume_init_expr(), use parsed over hard-coded opcode length.
- Improve WasmStruct::WasmStructPrint slightly.
- Add Factory::NewWasmStruct().
- Add WasmValue::CopyToWithSystemEndianness.
- In wasm-module-builder.js, generalize emit_init_expr for expressions
with operands. Add missing init. expression types.
- Add tests.
Bug: v8:7748
Change-Id: Ica12378d202730aff1b57c7d4240aa00ef124f8e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2940893
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75006}
The flag --trace-ignition-dispatches has been broken for a long time,
since it was not designed to work with bytecode handlers that are
generated ahead of time by mksnapshot. This splits the existing
--trace-ignition-dispatches logic into two separate parts:
1. A gn argument which instructs mksnapshot to include dispatch counting
in the bytecode handlers, and ensures that the Interpreter allocates
the array of counters, and
2. A runtime flag which enables the ignition-statistics extension which
implements the JS-accessible function getIgnitionDispatchCounters().
Change-Id: I89323425697f5641451f67b9ddcc0303b8ca209f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2937564
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#74992}
A spec test (wasm-js/global/value-get-set) requires
WebAssembly.Global.value.set to throw an exception if it is called with
0 arguments. The implementation in V8, however, just checked if the
first parameter is `undefined`. This implementation indeed threw an
exception if 0 arguments were provided, but it also threw an exception
when `undefined` is provided as a parameter. This, however, violates
the spec, because globals can be reset to `undefined`.
With this CL we replace the checking for `undefined` by checking the
length of the arguments that get provided.
R=ecmziegler@chromium.org
Bug: chromium:1211342
Change-Id: Ic87a0b369dea3e49eddb8f71f2c29dc6a8f5f558
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2940901
Reviewed-by: Emanuel Ziegler <ecmziegler@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74982}
When growing a memory without a maximum, we should still check against
the spec'ed limit, to avoid an overflow when computing the new number of
pages.
R=ahaas@chromium.org
Bug: chromium:1215808
Change-Id: I476b954268277e7dce1106a9b8c3c713b0d1a560
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2944433
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74980}
The tests are not compatible with the --stress-background-compile flag.
Bug: v8:11821
Change-Id: Iecef6a2838109fddc9f0ecc145a9f8971bc9bc3c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2918214
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#74959}
Tbr: nicohartmann@chromium.org
Bug: chromium:1198705, chromium:1199345, chromium:1200490
Change-Id: I4a486df636e084279423e6cd3b867137bfe3fd6f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2939984
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74945}
This CL fixes WebSnapshotDeserializer::DeserializeFunctions(), so that
the new Script is created after both the SharedFunctionInfoTable and
SharedFunctionInfo are allocated.
Also, this CL re-enables mjsunit tests for web snapshots (disabled in
https://chromium-review.googlesource.com/c/v8/v8/+/2931806).
Bug: v8:11842, v8:11525, v8:11706
Change-Id: I13503eab3fa70b128ba1faae75eed62b6c5bb636
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2933145
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Vicky Kontoura <vkont@google.com>
Cr-Commit-Position: refs/heads/master@{#74923}
This instruction is a non-standard V8-only experiment for now,
hidden behind the --experimental-wasm-gc-experiments flag.
The motivation is to provide a way to set up non-canonicalized
RTT hierarchies, to enable expressing the type system of Java-like
languages in terms of WasmGC constructs.
Bug: v8:7748
Change-Id: Idf1c18e9944c983f40f1e01b2032ee5fdc2fd81b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2930478
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74920}
Instead of compiling a function with baseline immediately when the
interrupt budget is hit, we compile functions in batches to save some
memory protection flips on code pages.
This CL introduces batch compilation behind --baseline-batch-compilation
(enabled on future) and adds a flag
--baseline-batch-compilation-threshold to control the size of batches.
Bug: v8:11790
Change-Id: I3efc360424a14e4b07c6570e48860509ae59e591
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2891656
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74913}
os.system seems to be flaky on certain bots. Disabling this until we
have a proper fix.
Change-Id: I075542772ba8eb968c96942923f76b87a2f18d47
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2931809
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74910}
This is a reland of ed7e4554db:
- fixing platform names for tickprocessor
- UnixCppEntriesProvider => LinuxCppEntriesProvider
- MacCppEntriesProvider => MacOSCppEntriesProvider
Original change's description:
> [mjsunit][tools][d8] Full roundtrip tickprocessor test
>
> - Add os.d8Path property
> - Add os.name property
> - Change tickprocssor test to use command line arguments for testing
> various configurations
> - Change tickprocessor test to create a temporary v8.log and read it
> back in on linux only
> - Rearrange code in tickprocessor.mjs to allow instantiating the
> CppEntriesProvider directly
> - Drop complete symbol-list for tickprocessor-test-large.log for better
> code searching in V8
>
> Change-Id: Ib56dd0a1ba5377282c84c4de6f17e2fd69ee8123
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2929120
> Reviewed-by: Patrick Thier <pthier@chromium.org>
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74892}
Change-Id: I5e121ba11f407af50108a2712d27c32867a22eb0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2929382
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74902}
These tests are too slow and we get enough coverage by running in
other configurations.
Change-Id: Ib07136b01ae1e5c57589ca97114c283258a958f6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2929385
Auto-Submit: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74898}
This reverts commit ed7e4554db.
Reason for revert: new test fails on Mac: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Mac64/40407/overview
Original change's description:
> [mjsunit][tools][d8] Full roundtrip tickprocessor test
>
> - Add os.d8Path property
> - Add os.name property
> - Change tickprocssor test to use command line arguments for testing
> various configurations
> - Change tickprocessor test to create a temporary v8.log and read it
> back in on linux only
> - Rearrange code in tickprocessor.mjs to allow instantiating the
> CppEntriesProvider directly
> - Drop complete symbol-list for tickprocessor-test-large.log for better
> code searching in V8
>
> Change-Id: Ib56dd0a1ba5377282c84c4de6f17e2fd69ee8123
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2929120
> Reviewed-by: Patrick Thier <pthier@chromium.org>
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74892}
Change-Id: I7d7506b370f96365552a21fa767b1c5c608ebb1c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2929380
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#74894}
- Add os.d8Path property
- Add os.name property
- Change tickprocssor test to use command line arguments for testing
various configurations
- Change tickprocessor test to create a temporary v8.log and read it
back in on linux only
- Rearrange code in tickprocessor.mjs to allow instantiating the
CppEntriesProvider directly
- Drop complete symbol-list for tickprocessor-test-large.log for better
code searching in V8
Change-Id: Ib56dd0a1ba5377282c84c4de6f17e2fd69ee8123
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2929120
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74892}
The upper 32 bits of the 64 bit offset register are not guaranteed to be
cleared, so a zero-extension is needed. We already do the zero-extension
in the case of explicit bounds checking, but this should also be done if
the trap handler is enabled.
R=clemensb@chromium.orgCC=jkummerow@chromium.org
Bug: v8:11809
Change-Id: I21e2535c701041d11fa06c176fa683d82db0a3f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2917612
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74881}
This CL fixes the deserialization of the map for empty objects, so that
the initial empty map is used.
Bug: chromium:1213851, v8:11525, v8:11706
Change-Id: I37de0b147b9c89ead9c96f776e5fbf88da4630cc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2928192
Commit-Queue: Vicky Kontoura <vkont@google.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74880}
This CL adds a v8_allocation_site_tracking flag to control the allocation and
tracking of memento objects.
Disables FLAG_allocation_site_pretenuring if v8_allocation_site_tracking
is disabled.
v8_enable_single_generation implies !v8_allocation_site by default.
Change-Id: Ib07528bd37d91de6bb6ea0bfea1699be4e17fae9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2897326
Commit-Queue: Wenyu Zhao <wenyu.zhao@anu.edu.au>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74879}
Limit tests to release, linux and macos since they are mostly for
checking whether the tools work correctly rather than JS correctness.
Change-Id: I26e49fbda33a4dac8d774b2e03fa07ae1f2f142a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2930156
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74875}
Bug: chromium:1212583
Change-Id: I6cce7e419b108a0d30cf4d9d9bb0ba304fb0803e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2922249
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74864}
This CL refactors mjsunit tests, so that the common core of all tests is
abstracted away.
Bug: v8:11525, v8:11706
Change-Id: I24a1af4298380e21a64e4d17149422c32fbf8a4d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2914882
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Vicky Kontoura <vkont@google.com>
Cr-Commit-Position: refs/heads/master@{#74853}
To support Fast API calls with overloads, implement compile-time
function resolution based on the number of arguments passed to the JS
function.
Bug: v8:11739
Change-Id: I96839dc0b6fc540eff94573ac9e77f678908fc3a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2901249
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#74837}
This CL renames the --d8-web-snapshot-api flag to explicitly mark it as
experimental, so that it is ignored by fuzzers.
Bug: v8:11525, v8:11706
Change-Id: Iff8a9d5697b60d0ade841773d1f0b537fcb19b70
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2922109
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Vicky Kontoura <vkont@google.com>
Cr-Commit-Position: refs/heads/master@{#74820}
This is a reland of 916eb86952
Change compared to original:
Remove ternary operator from lambda, as this triggers a gcc bug.
Original change's description:
> Reland "[wasm][bug] Fix a couple of bugs in validation of unreachable code"
>
> This is a reland of 4a037f871e
>
> Changes compared to original change: None. This seems not to create
> problems after all.
>
> Original change's description:
> > [wasm][bug] Fix a couple of bugs in validation of unreachable code
> >
> > Changes:
> > - SetBlockType now instantiates the block's start merge with values of
> > the correct type in unreachable code.
> > - EnsureStackArguments now keeps the existing stack values and moves
> > them over the new bottom values.
> > - Drop stack size validation in Drop().
> > - Add new tests in unreachable-validation.js.
> >
> > Change-Id: Ie68b3d9abb0a41d1623d4a123fb526e71941c4e7
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2902733
> > Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> > Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#74650}
>
> Change-Id: Id620f7fb6677b772b0dcfd38108256384db44439
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2905598
> Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74677}
Bug: v8:11819
Change-Id: I9b8d915547ec9aee7cb5233937089d431db54c8f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2919833
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74797}
The new functionality is hidden behind the --wasm-gc-js-interop flag.
Bug: v8:11804
Change-Id: I9dd779efe3dbf3c773948b6fd8872e3aea8cd7a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2912784
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74790}
This CL adds support for testing web snapshots through mjsunit tests.
To allow for taking and using web snapshots from JavaScript, two
methods, Realm.takeWebSnapshot() and Realm.useWebSnapshot(), are
introduced in d8.
Both of these methods accept a Realm as a parameter, allowing for
mjsunit tests to create and use the snapshot in different realms.
To return the snapshot data, Realm.takeWebSnapshot() creates and
returns a snapshot object with the snapshot data stored as an embedder
field.
Bug: v8:11525, v8:11706
Change-Id: I6e514e10eabf5bdb96d81e2697d4ddc49d92de73
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2905610
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Vicky Kontoura <vkont@google.com>
Cr-Commit-Position: refs/heads/master@{#74783}
This reverts commit 916eb86952.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20gcc/11805/overview
Original change's description:
> Reland "[wasm][bug] Fix a couple of bugs in validation of unreachable code"
>
> This is a reland of 4a037f871e
>
> Changes compared to original change: None. This seems not to create
> problems after all.
>
> Original change's description:
> > [wasm][bug] Fix a couple of bugs in validation of unreachable code
> >
> > Changes:
> > - SetBlockType now instantiates the block's start merge with values of
> > the correct type in unreachable code.
> > - EnsureStackArguments now keeps the existing stack values and moves
> > them over the new bottom values.
> > - Drop stack size validation in Drop().
> > - Add new tests in unreachable-validation.js.
> >
> > Change-Id: Ie68b3d9abb0a41d1623d4a123fb526e71941c4e7
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2902733
> > Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> > Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#74650}
>
> Change-Id: Id620f7fb6677b772b0dcfd38108256384db44439
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2905598
> Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74677}
Tbr: manoskouk@chromium.org
Change-Id: Ia24aa453735464bdd3aafca4617beabb0cbf8823
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2917601
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74771}
Fixes an issue with tests mjsunit/compiler/call-with-arraylike-or-spread*
that fail when run with the fuzzer.
Bug: v8:11821
Change-Id: I6b75c065397d66062a7f552198ca92d151d89a4b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2917814
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#74764}
There are two different limits for the maximum memory size in
WebAssembly:
1) A 4GB limit which is the same on all platforms, and is observable for
JS programs. It is used to limit the allowed declared maximum size of a
wasm memory.
2) A potentially lower limit (2GB on 32-bit systems, 4GB otherwise)
which can be further limited using a command-line flag. This limit is
used whenever actually allocating or growing a wasm memory. This limit
is not directly observable, but we make sure that no wasm memory will
ever be bigger than this limit.
The second limit is the one we should check against when allocating or
growing memory, while the first limit should be used when validating
a module (or the parameters for WebAssembly.Memory). The compiler can
rely on no memory being bigger than the second limit, which again is
never bigger than the first limit.
This CL adds some more documentation to the two limits, and cleans up
all usages.
This also makes {kPlatformMaxPages} and {kMaxMemoryPagesAtRuntime}
obsolete.
R=jkummerow@chromium.org
Bug: chromium:1207263
Change-Id: I43541aafd3f497d1c368bd9400e9bc667bdfd3d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2910787
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74742}
Trimming is required before the Typer phase to ensure that all nodes
that might be reached via use links have been typed.
Add this phase back on the (background thread) OptimizeGraph
step instead of the (main-thread) CreateGraph phase since there
is no need to do it on the main thread.
BUG=chromium:1212244
Change-Id: I136aadb62d623c8f1898e4e9c0441266d5690be6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2912709
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74733}
CallWithArrayLike was optimized in TF only for 'arguments' in inlined
functions. Here we add logic to optimize also in non inlined functions,
enabling the rewriting of Function.prototype.apply(f, [1, 2, 3])
as f(1, 2, 3).
Bug: v8:9974
Change-Id: Icc9ccfc2276f75d06755176b55e7a02ddfdb04ed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2805623
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74723}
Bug: v8:11805
Change-Id: Ieb366a45ef0bdb69a64b4e3cc7b0715d7617141d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2912592
Auto-Submit: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74716}
This adds a new status file indicator "HEAVY" to mark tests with high
resource demands. There will be other tests running in parallel,
but only a limited number of other heavy tests. The limit is
controlled with a new parameter --max-heavy-tests and defaults to 1.
The change also marks a variety of tests as heavy that recently had
flaky timeouts. Heavy also implies slow, hence heavy tests are
executed at the beginning with a higher timeout like other slow tests.
The implementation is encapsulated in the test-processor chain. A
new processor buffers heavy tests in a queue and adds buffered tests
only if other heavy tests have ended their computation.
Bug: v8:5861
Change-Id: I89648ad0030271a3a5af588ecc9c43285b728d6d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2905767
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Liviu Rau <liviurau@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74712}
The old code was relying on identical alignment of both the source and
the destination of the Relaxed_Memcpy. This is not always given, thus
check for alignment of both.
R=mlippautz@chromium.org
Bug: chromium:1208782, v8:11704
Change-Id: Ic5dca3a5f0ecaea0df6eb123105520bd7785853c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2905611
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74694}
Also make the output more helpful in the error case.
Bug: v8:11724
Change-Id: Ibb8bd328f936f3d4f847ba7e14adf9c30b9460f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2903158
Auto-Submit: Georg Neis <neis@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74691}
This is a reland of 8f39a58586
Changes compared to original:
Change the type of arguments of WASM_I32V from byte to int for MSVC
compatibility.
Original change's description:
> [wasm-gc] Implement br_on_cast_fail
>
> Bug: v8:7748
> Change-Id: I7894ad51ccf8ac41a5081c272a583a4ff25c1835
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2900225
> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74652}
Bug: v8:7748
Change-Id: I39f39ff6979382f5618683a8e7754f56df4ec9e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2905599
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74689}
This is a reland of 4a037f871e
Changes compared to original change: None. This seems not to create
problems after all.
Original change's description:
> [wasm][bug] Fix a couple of bugs in validation of unreachable code
>
> Changes:
> - SetBlockType now instantiates the block's start merge with values of
> the correct type in unreachable code.
> - EnsureStackArguments now keeps the existing stack values and moves
> them over the new bottom values.
> - Drop stack size validation in Drop().
> - Add new tests in unreachable-validation.js.
>
> Change-Id: Ie68b3d9abb0a41d1623d4a123fb526e71941c4e7
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2902733
> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74650}
Change-Id: Id620f7fb6677b772b0dcfd38108256384db44439
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2905598
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74677}
We compile with Sparkplug when we allocate the feedback vector with lazy
feedback vector allocation. --stress-concurrent-inlining implies
--no-lazy-feedback-allocation, so it doesn't make sense to run
baseline tests with this variant.
Change-Id: I7fd4c2b11cf2a9bb29d6f78c5973aed80abab85e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2903118
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Patrick Thier <pthier@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74669}
This reverts commit 4a037f871e.
Reason for revert: Bot failures, including MSVC compilation.
Original change's description:
> [wasm][bug] Fix a couple of bugs in validation of unreachable code
>
> Changes:
> - SetBlockType now instantiates the block's start merge with values of
> the correct type in unreachable code.
> - EnsureStackArguments now keeps the existing stack values and moves
> them over the new bottom values.
> - Drop stack size validation in Drop().
> - Add new tests in unreachable-validation.js.
>
> Change-Id: Ie68b3d9abb0a41d1623d4a123fb526e71941c4e7
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2902733
> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74650}
Change-Id: Icb16af9a8ed16e593fe345ab727b992d9c9b1500
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2905597
Auto-Submit: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#74657}
Changes:
- SetBlockType now instantiates the block's start merge with values of
the correct type in unreachable code.
- EnsureStackArguments now keeps the existing stack values and moves
them over the new bottom values.
- Drop stack size validation in Drop().
- Add new tests in unreachable-validation.js.
Change-Id: Ie68b3d9abb0a41d1623d4a123fb526e71941c4e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2902733
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74650}
This is the second reland of 4683d6fe52
Initial CL: crrev.com/c/2874663
First reland: crrev.com/c/2886861
The first reland fixes Ref construction failures in:
- MapRef::instance_descriptors
- NativeContext reads (see also crrev.com/c/2891575)
The second reland (this CL):
- Adds required infrastructure (e.g. kAssumeMemoryFence) but
without enabling the IsPendingAllocation check. Enabling the check
will be done separately to avoid further revert chains.
Original change's description:
> [compiler] Consider IsPendingAllocation in Ref construction
>
> The logic in JSHeapBroker::TryGetOrCreateData assumes that parts
> of the object are safe to read. In particular, the instance type
> must be readable for the chain of `Is##Name()` type checks.
>
> This is guaranteed if
>
> - a global memory fence happened after object initialization and
> prior to the read by the compiler; or
> - the object was published through a release store and read through
> an acquire read.
>
> The former is protected by the new call to ObjectMayBeUninitialized
> (which internally calls IsPendingAllocation) in TryGetOrCreateData.
>
> The latter must be marked explicitly by calling the new
> MakeRefAssumeMemoryFence variant.
>
> Note that support in this CL is expected to be incomplete and will
> have to be extended in the future as more cases show up in which
> MakeRef calls must be converted to MakeRefAssumeMemoryFence or to
> TryMakeRef.
>
> Bug: v8:7790,v8:11711
> Change-Id: Ic2f7d9fc46e4bfc3f6bbe42816f73fc5ec174337
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2874663
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74474}
Bug: v8:7790,v8:11711,chromium:1207680,chromium:1207679
Change-Id: I123b2962df724a13dd2c7334ae949234bc3bf27a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2902738
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74638}
We compile with Sparkplug when we allocate the feedback vector with lazy
feedback vector allocation.
With --no-lazy-feedback-allocation, it doesn't make sense to run
baseline tests.
Change-Id: Ib71e8624531ba927680e83c2e813c0886c460da4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2903148
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Patrick Thier <pthier@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74637}
This reverts commit 4683d6fe52.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN/36744/overview
Original change's description:
> Reland "[compiler] Consider IsPendingAllocation in Ref construction"
>
> This is a reland of 5f0ac36cc6
>
> Fixes Ref construction failures in:
> - MapRef::instance_descriptors
> - NativeContext reads (see also crrev.com/c/2891575)
>
> Original change's description:
> > [compiler] Consider IsPendingAllocation in Ref construction
> >
> > The logic in JSHeapBroker::TryGetOrCreateData assumes that parts
> > of the object are safe to read. In particular, the instance type
> > must be readable for the chain of `Is##Name()` type checks.
> >
> > This is guaranteed if
> >
> > - a global memory fence happened after object initialization and
> > prior to the read by the compiler; or
> > - the object was published through a release store and read through
> > an acquire read.
> >
> > The former is protected by the new call to ObjectMayBeUninitialized
> > (which internally calls IsPendingAllocation) in TryGetOrCreateData.
> >
> > The latter must be marked explicitly by calling the new
> > MakeRefAssumeMemoryFence variant.
> >
> > Note that support in this CL is expected to be incomplete and will
> > have to be extended in the future as more cases show up in which
> > MakeRef calls must be converted to MakeRefAssumeMemoryFence or to
> > TryMakeRef.
> >
> > Bug: v8:7790,v8:11711
> > Change-Id: Ic2f7d9fc46e4bfc3f6bbe42816f73fc5ec174337
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2874663
> > Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> > Reviewed-by: Georg Neis <neis@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#74474}
>
> Bug: v8:7790,v8:11711,chromium:1207680,chromium:1207679
> Change-Id: Ib3dbf59909e6982a3230dd6a67c9fb7d6ffb9ab4
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2886861
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74587}
Bug: v8:7790
Bug: v8:11711
Bug: chromium:1207680
Bug: chromium:1207679
Change-Id: I8cd45ac006b7b5f3d668d0df272bcba880c75926
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2901990
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74621}
Turns out std::sort() gets angry when various ranges of an array
alias each other in memory. We wouldn't like it when it's angry.
Fixed: chromium:1209152
Change-Id: Ic927b46c59d10f7d3856768628c773b344005979
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2897098
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74598}
This is a reland of 5f0ac36cc6
Fixes Ref construction failures in:
- MapRef::instance_descriptors
- NativeContext reads (see also crrev.com/c/2891575)
Original change's description:
> [compiler] Consider IsPendingAllocation in Ref construction
>
> The logic in JSHeapBroker::TryGetOrCreateData assumes that parts
> of the object are safe to read. In particular, the instance type
> must be readable for the chain of `Is##Name()` type checks.
>
> This is guaranteed if
>
> - a global memory fence happened after object initialization and
> prior to the read by the compiler; or
> - the object was published through a release store and read through
> an acquire read.
>
> The former is protected by the new call to ObjectMayBeUninitialized
> (which internally calls IsPendingAllocation) in TryGetOrCreateData.
>
> The latter must be marked explicitly by calling the new
> MakeRefAssumeMemoryFence variant.
>
> Note that support in this CL is expected to be incomplete and will
> have to be extended in the future as more cases show up in which
> MakeRef calls must be converted to MakeRefAssumeMemoryFence or to
> TryMakeRef.
>
> Bug: v8:7790,v8:11711
> Change-Id: Ic2f7d9fc46e4bfc3f6bbe42816f73fc5ec174337
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2874663
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74474}
Bug: v8:7790,v8:11711,chromium:1207680,chromium:1207679
Change-Id: Ib3dbf59909e6982a3230dd6a67c9fb7d6ffb9ab4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2886861
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74587}
This CL fixes a failed DCHECK due to incorrect heap capacity.
Also skips three new tests that create multiple isolates.
Bug: v8:11641
Change-Id: I1061b3370efbe2b272bd490705fc728d6bb26910
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2896644
Auto-Submit: Wenyu Zhao <wenyu.zhao@anu.edu.au>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74583}
Loop unrolling did not work properly with floating control. Seeing as
very few spots in the wasm compiler introduced floating control, we
decided to disallow it altogether.
Changes:
- When lowering 64-bit rol/ror/clz/ctz in 32-bit platforms, we use a
diamond operator, which used to introduce floating control. This CL
adds a control edge to these operators so that the diamond can be
chained to that control instead.
- During loop analysis, as an additional safety check, we check that the
explored loop does not have floating control. Exceptionally, floating
control pointing directly do start() is allowed.
- Change wasm-compiler so that generated floating projections point to
start() even after stack check patch-in.
Bug: chromium:1184929, v8:11298
Change-Id: I1ee063f5250037ae6c84d2f16b0bd8fff3923117
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2876851
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74527}
As a first step to support Fast API calls with overloads, adds a
new FunctionTemplate constructor that accepts a vector of CFunction*.
Bug: v8:11739
Change-Id: I112b1746768f52df52c893a4f1fb799b6bd90856
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2860838
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#74481}
* Set v8_enable_pointer_compression_shared_cage = false for TPH.
* Skip three more tests that creates multiple isolates (which is not supported by TPH at the moment).
Bug: v8:11641
Change-Id: Iefec0ea3e2ed51e8973546441f5daaa2ac02ab57
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2881510
Auto-Submit: Wenyu Zhao <wenyu.zhao@anu.edu.au>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74460}
It turns out that KeyAccumulator::GetKeys will fail if the object it is
operating on is a Proxy with an ownKeys() or getOwnPropertyDescriptor()
trap that throws. Handle this case in
Isolate::GetImportAssertionsFromArgument by bailing out early.
Bug: v8:11730
Change-Id: I363bf2d218f6ba7eeb2001cd644f5529901fdb3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2875541
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Dan Clark <daniec@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#74417}
When a function is invoked by prototype.apply, it may undergo following transformation in the JSCallReducer:
receiver.apply(this, args) ->
this.receiver(...args) Since the new target (also the receiver of apply()) is not collected to the feedback slot, further speculative optimization on the new target is not available if the new target
is not a heapconstant.
With this CL, the receiver will be collected to the feedback instead of the target if the target is a prototype.apply. It may improve the performance of the following usecase by ~80%.
function reduceArray(func, arr, r) {
for (var i = 0, len = arr.length; i < len; i++) {
r = func.apply(null, r, arr[i]);
}
return r;
}
var a = 0; for (var i = 0; i < 10000000; i++) {
a += reduceArray(Math.imul, [5,6,2,3,7,6,8,3,7,9,2,5,], 1);
}
console.log(a);
This CL also improves the runTime score of JetStream2/richards-wasm by ~45% in default, ~60% with --turbo-inline-js-wasm-calls.
Change-Id: I542eb8d3fcb592f4e0993af93ba1af70e89c3982
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2639813
Commit-Queue: Fanchen Kong <fanchen.kong@intel.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74413}
This also propagates the exception through all the users of
ConvertElementsWithCapacity.
Bug: chromium:1201626
Change-Id: Ie44ba4327a4c3a20f1376477f45d3cd95d0da3b3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2857961
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74412}
The test takes several minutes on slower bots, so speed it up a bit
without removing the ability to hit the data race.
R=ulan@chromium.org
Bug: chromium:1205290, v8:11741
Change-Id: I57e411bfa2ff2a22bef1a916b74f7684b2f0be17
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2876855
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74408}
For copying the SharedArrayBuffer content, we cannot use a simple
{memcpy} because that produces data races with thread concurrently
modifying the content. Instead, use a custom {Relaxed_Memcpy} that uses
proper relaxed atomics. The implementation is slightly optimized to do
word-sized loads and stores where possible. If we still get performance
regressions, we can optimize it further in follow-up CLs.
R=ulan@chromium.orgCC=mlippautz@chromium.org
Bug: v8:11704, chromium:1205290
Change-Id: Ie34afc5c22ec5496c0fe822d55d4788031f06c54
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2874652
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74403}
As per WebAssembly Web API[1], the engine should only consider names
from the name section to synthesize function names in the context of
call stacks. We previously also added support to harvest the exports
table here in an attempt to improve the DevTools debugging experience,
but that needs a separate fix specifically for the inspector (which
should also take into account the imports to harvest names).
[1]: https://webassembly.github.io/spec/web-api/index.html#conventions
Fixed: chromium:1164305
Change-Id: I4bde5c8398a5164f1d8ac9060ad3743ed494c41e
Bug: chromium:1159307, chromium:1164241, chromium:1071432
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2874464
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74382}
We potentially emitted the same gap move multiple times to satisfy slot
constraint of live ranges defined by a constant. Avoid this by keeping
track of already spilled ranges for a given instruction.
This is not expected to cause any regression because this case is rare.
If it does, a better approach to save allocations would be to re-use the
same vector by storing it somewhere that survives the function calls,
e.g. in the ConstraintBuilder.
Drive-by: Remove unused functions.
R=sigurds@chromium.orgCC=nicohartmann@chromium.org
Bug: chromium:1204748
Change-Id: I75a838a8b27775ecdeddb4c60cf72c56d5f1c2a4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2871462
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74375}
Main changes:
- Allow global.get in elements segments with expressions-as-elements.
- Allow element segments with types other than funcref.
Detailed changes:
- Move WasmInitExpr to its own file. Add stream opearator << support.
- Simplify type of PrintCollection.
- Make WasmElemSegment use an array of WasmInitExpr's over the previous
ad-hoc implementation. Move null_index to WasmModuleBuilder.
- Refactor consume_element_segment_header. Make it return a
WasmElemSegment.
- Refactor consume_element_expr. Make it return a WasmInitExpr.
- Refactor DecodeElementSection. Make it invoke
consume_element_segment_header, then populate its element array.
- Update module-instantiate.cc to handle global.get elements.
- Fix bug in wasm-objects.cc where the wrong type index was passed into
module()->has_signature()
- Adapt and add tests.
Change-Id: I5abfbe424dbb750ee2dca59f91c451ffcb79f95f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2857959
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74374}
WasmModules were not removed from the global type judgement cache when
they were deleted. This created problems if another module got allocated
in the same location as a previously deleted module, by creating false
positive cache hits. This CL fixes this issue by removing WasmModule
from the cache as part of its destructor.
Bug: v8:11700
Change-Id: I4948e361dd681040807f35d759b647d1bce585dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2859863
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74370}
Element segments and tables in tests used an ad-hoc mechanism to
describe the different types of initializer expressions, e.g. an number
which could denote either the value of a constant or the index of a
global. This CL tidies up and generalizes the test infrastructure by
directly using WasmInitExpr in those cases.
Additional changes:
- Introduce WasmElemSegment class.
- Remove obsolete --experimental-wasm-bulk-memory flag from tests.
- Rename WasmInitExpr.type -> kind.
- Remove dependency of wasm-module-builder from mjsunit.js (except in
assertTraps).
Change-Id: I716254a04ceea9ceb8ac6b848e12e1637f618f0d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2857638
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74368}
When fast deleting properties generalize all outgoing transitions
to mutable instead of generalizing when property is reconfigured.
Bug: chromium:1201938
Change-Id: I080f2f43de1691a742be2a2bec5cd20d02d78dbc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2859960
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74334}
We have to take the slow path in Promise.all if context promise hooks
are set. The fast-path doesn't create intermediate promises by default.
Bug: chromium:1204132, v8:11025
Change-Id: Ide92de00a4f6df05e0ddbc8814f6673bd667f426
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2866771
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74326}
Replacing a crash with a TypeError.
Bug: chromium:1203692
Change-Id: I6970f980b46f20033f29c1deb9bc5d49ea2014ae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2856842
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74266}
This CL factors out a CodeRange class out of MemoryAllocator.
When V8_COMPRESS_POINTERS_IN_SHARED_CAGE is defined, there is a single
CodeRange shared by all Isolates in the process. This also turns short
builtins back for both configurations of pointer compression. When
sharing a cage, there is a single copy of the re-embedded builtins.
Since a shared pointer cage is still experimental, to avoid API churn
this CodeRange's size is not configurable and is always the maximal size
depending on the underlying platform.
Change-Id: Ie94f52746f2c5450247a999cc6071e3914d4cf0c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2819206
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74261}
The exception concerning type None actually seems avoidable and
can cause issues with incomplete nodes remaining in the graph.
Bug: chromium:1202312, chromium:1202625
Change-Id: I89062715e7f640c66b3f7cdca249db8cde768f29
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2850917
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74250}
Changes:
- Add WasmInitExpr class which knows how to create initializer
expressions as pairs of {type, value}. Also define a default for every
type. Emit such pairs to a byte array with emit_init_expr().
- Add an initializer expression to every global (addGlobal() uses the
default if the argument is absent).
- Introduce wasmI64Const();
- Update tests as needed.
Change-Id: I75ffe96604891506ad78bd3677ce1efe5e0cee07
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2851892
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74231}
The previously added perf-context Promise-hooks take a v8::Function as
arguments. However, the builtin code was only accepting JSFunctions
which causes cast errors.
Drive-by-fix: Directly pass nativeContext in more places.
Bug: chromium:1201465
Change-Id: Ic8bed11253a1f18a84e71eb9ea809b1ec1c3f428
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2850162
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74223}
With --stress-scavenge it is possible that we don't have a memento for
the object we are interested in anymore, making the test useless.
Bug: v8:11701
Change-Id: I05984de33dc0c21d01023ebaa4ceebacfb63cc84
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2851889
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Patrick Thier <pthier@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74218}
* Failed tests that also trigger GCs are not filtered out. They are
expected to be fixed when TPH supports real garbage collection.
Bug: v8:11641
Change-Id: I30b8bcf48d5e3f32439eeffb39d28ee45db2a21c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2849822
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Wenyu Zhao <wenyu.zhao@anu.edu.au>
Cr-Commit-Position: refs/heads/master@{#74212}
We were inconsistent in handling offsets >= 2GB on 32-bit systems. The
code was still relying on this being detected as statically out of
bounds, but with the increase of {kV8MaxWasmMemoryPages} to support 4GB
memories, this is not the case any more.
This CL fixes this by again detecting such situations as statically OOB.
We do not expect to be able to allocate memories of size >2GB on such
systems. If this assumptions turns out to be wrong, we will erroneously
trap. If that happens, we will have to explicitly disallow memories of
such size on 32-bit systems.
R=jkummerow@chromium.org
Bug: v8:7881, chromium:1201340
Change-Id: Ic89a67d38fb860eb8a48a4ff51bc02c53f8a2c2a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2848467
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74175}
On a per-job basis, --turbo-direct-heap-access should be equal to
whether concurrent inlining is enabled. We simplify involved logic by
removing the flag, and replacing all access to
- FLAG_turbo_direct_heap_access, and
- FLAG_concurrent_inlining
inside compiler/ with
OptimizedCompilationInfo::is_concurrent_inlining() (or derived values).
Bug: v8:7790
Change-Id: I64818e0e1004dded08c784ef1c4bdfd2af990a59
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2843345
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74166}
Since WasmToJSWrappers are on-heap Code objects, they should use
the "kCallBuiltinPointer" mechanism to call builtins.
AFAICT this only affected the call_ref instruction.
Bug: v8:9495
Change-Id: I2d55e8f2504787a8a92410868ced8d5ce63a5376
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2846896
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74157}
The ToString intrinsic isn't used anymore, since there is now a ToString
bytecode, so we can remove it.
Change-Id: I5ed121ae4d117660e1ee8a64a2b30e1fb054a886
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2848465
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74151}
This CL applies the following changes:
- JSCallReducer no longer generates a CheckBigInt in front of the
generated BigIntAsUintN.
- This results in a slight change of the semantics of the latter, which
now includes the necessary type check. Typer and Verifier are changed
accordingly.
- The BigIntAsUintN operator is now effectful, since it can now deopt.
- IrOpcode::kBigIntAsUintN is now lowered in SimplifedLowering instead
of EffectControlLinearizer, the necessary type check is introduced
by the RepresentationChanger.
- Adds a small mjsunit test to check the correct deoptimization behavior
of optimized BigInt.asUintN.
==> Remove UseInfo::TruncatingWord64()!
Drive-by: Fix an issue in ChangeUnaryToPureBinaryOp when the new_input
is at index 1.
Drive-by: Introduce an %Is64Bit() intrinsic to allow tests to
distinguish 32 and 64 bit architectures.
Bug: v8:11682
Change-Id: I448f892d3bd2280d731ae5b248c833de8faf1bd5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2843816
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74147}
JS-to-Wasm wrappers embed heap constants (like the undefined value), and
those heap values are being accessed during compilation for tracing.
This is not a data race, since those values are read-only. But if the
isolate dies while we are compiling those wrappers, we might read from
the heap after it has been free'd.
Ideally we would not access the isolate or the heap at all during
compilation, but delaying all tracing until the "finalization" phase is
not feasible, and removing the heap value printing from tracing would
significantly regress quality of this tracing.
Hence this CL only fixes the actual issue: That we keep compiling
wrappers when the isolate is already gone. It does so by introducing an
{OperationsBarrier} per isolate that is being taken by each thread that
executes wrapper compilation, and is used for waiting for background
threads to finish before the isolate shuts down.
Additionally, we actually cancel all compilation if a module dies (or
the isolate shuts down) before it finished baseline compilation. In this
state, the module cannot be shared between isolates yet, so it's safe to
fully cancel all compilation. This cancellation is not strictly
necessary, but it will reduce the time we are blocked while waiting for
wrapper compilation to finish (because no new compilation will start).
R=thibaudm@chromium.orgCC=manoskouk@chromium.org
Bug: v8:11626, chromium:1200231
Change-Id: I5b19141d22bd0cb00ba84ffa53fb07cf001e13cc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2846881
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74142}
Until this CL, the JSHeapBroker::GetPropertyAccessInfo (GPAI) process
was as follows:
1. GPAI is called on the main thread (MT) during the serialization
phase to create and cache PAIs.
2. GPAI is called again from the background thread (BT); only cached
PAIs from step 1 are usable.
As part of concurrent inlining, the goal is to move GPAI fully to the
background thread. This CL takes a major step in that direction by
making GPAI itself callable from the BT without resorting solely to PAIs
that were previously cached on the MT.
There are two main reasons why GPAI previously had to run on the MT:
a) Concurrent access to Maps and other heap objects.
b) Serialization and creation of ObjectRefs for objects discovered
during GPAI.
This CL addresses only reason a) and leaves b) for future work. This
is done by keeping the two-pass approach, s.t. the initial call of
GPAI on the MT discovers and serializes objects. We then clear all
cached PAIs. The second call of GPAI on the BT thus runs full logic in a
concurrent setting.
Once all relevant objects (= maps and prototypes) no longer require
MT-serialization, reason b) is also addressed and the first pass can be
removed.
The new logic is implemented behind the runtime flag
--turbo-concurrent-get-property-access-info (default true), intended
to be removed in the future.
Bug: v8:7790
Change-Id: Idbdbfe091d7316529246a686bb6d71c2a0f06f8b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817793
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74120}
After appending 'unimplemented instruction' we need to increase the data
pointer to avoid an endless loop and to fulfill a later DCHECK.
R=jkummerow@chromium.org
Bug: chromium:1201114
Change-Id: I707809f81a4d9a6b3653b94b4836482c006b76ad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2843819
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74108}
This CL hardens the test function for unwrapping the C++ object to
only do so if the correct API object is passed from JS.
Bug: chromium:1201057
Change-Id: I81eb16efe2711bd788c775e3bcb712720bbe4782
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2843347
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74102}
Changes:
- Remove TypeCheckBranchResult. Change TypeCheckBranch() to return bool.
Refactor call sites to reflect this (decouple current code
reachability check from type check).
- Unify TypeCheckBranch(), TypeCheckFallthrough(), and the type-checking
part of Return() into TypeCheckStackAgainstMerge().
- Make sure all TypeCheck* functions are only called within VALIDATE.
- In graph-builder-interface, rename end_env -> merge_env to reflect
its function for loops.
- Change expected error messages in some tests.
Change-Id: I857edc18db9c2454ad12d539ffe7a10e96367710
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2839560
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74100}
- Add filter to skip baseline handlers
- Make profiler types more readable
- Refactor tickprocessor test to use serialized symbols
- Add large tickprocessor stress test with a complete V8 log
Change-Id: Icc09c2eb8ea63c1805d793d2d47f79b0d5080b5b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2784686
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74094}
This CL disables two more fast API calls tests that shouldn't be run
on stress_snapshot and jitless variants.
Change-Id: I2e3270ba7b93e598219b87195640675cfc4571ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2843362
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74091}
This CL hardens the test facility in d8 for interface types for
the fast C API.
Bug: chromium:1201011
Change-Id: Ibfe1bb242f86b4a5edd0d195e049852430f8a2fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2843344
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74079}
This is a reland of d5457f5fb7
after a speculative revert.
Additionally it fixes an issue with throwing promise hooks.
Original change's description:
> [api] JSFunction PromiseHook for v8::Context
>
> This will enable Node.js to get much better performance from async_hooks
> as currently PromiseHook delegates to C++ for the hook function and then
> Node.js delegates it right back to JavaScript, introducing several
> unnecessary barrier hops in code that gets called very, very frequently
> in modern, promise-heavy applications.
>
> This API mirrors the form of the original C++ function based PromiseHook
> API, however it is intentionally separate to allow it to use JSFunctions
> triggered within generated code to, as much as possible, avoid entering
> runtime functions entirely.
>
> Because PromiseHook has internal use also, beyond just the Node.js use,
> I have opted to leave the existing API intact and keep this separate to
> avoid conflicting with any possible behaviour expectations of other API
> users.
>
> The design ideas for this new API stemmed from discussion with some V8
> team members at a previous Node.js Diagnostics Summit hosted by Google
> in Munich, and the relevant documentation of the discussion can be found
> here: https://docs.google.com/document/d/1g8OrG5lMIUhRn1zbkutgY83MiTSMx-0NHDs8Bf-nXxM/edit#heading=h.w1bavzz80l1e
>
> A summary of the reasons for why this new design is important can be
> found here: https://docs.google.com/document/d/1vtgoT4_kjgOr-Bl605HR2T6_SC-C8uWzYaOPDK5pmRo/edit?usp=sharing
>
> Bug: v8:11025
> Change-Id: I0b403b00c37d3020b5af07b654b860659d3a7697
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2759188
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Anton Bikineev <bikineev@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73858}
Bug: v8:11025
Bug: chromium:1197475
Change-Id: I73a71e97d9c3dff89a2b092c3fe4adff81ede8ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2823917
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74071}
Mistakenly had its set as non-atomic when it was modifying maps the
concurrent compiler could see. Since this accessor is set after map
initialization, but it is not necessary for synchronization we can set
it as relaxed write.
Bug: v8:7790, v8:11668
Change-Id: I605935e96b3da47ed6abfb6676bf14456feeeddd
Fixed: v8:11668
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2839548
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74066}
This is a reland of 6124a534b2
It fixes a UAF issue in the d8 test by moving the test API object
constructor to PerIsolateData. It also fixes a crash in Chromium
caused by current usage of v8::ApiObject, which should be migrated
to v8::Value*.
Original change's description:
> [fastcall] Add support for leaf interface type checks
>
> This CL adds an IsTemplateForApiObject method to FunctionTemplate
> allowing the embedder to check whether a given API object was
> instantiated by this template without including parent templates
> in the search. It also replaces the v8::ApiObject in the fast API
> with a raw v8::Value pointer to allow use of standard C++ casts.
>
> Bug: chromium:1052746
> Change-Id: I0812ec8b4daaa5f5005aabf10b63e1e84e0b8f03
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2595310
> Commit-Queue: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73999}
Bug: chromium:1052746, chromium:1199900
Change-Id: I4b7f0c9e9152919dde4a1d0c48fbf5ac8c5b13d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2835711
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74064}
This is a reland of df52b65dba
Skip test with variant stress-concurrent-allocation.
The test manually triggers pretenuring for allocation sites, but with
--stress-concurrent-allocation these pretenuring decisions are reset
due to low survival rate in old generation.
Original change's description:
> [test] Rework Allocation Site Pretenruing Tests
>
> - Add %PretenureAllocationSite to manually force pretenuring for an
> allocation site during the next GC.
> - Replace cctest test-compiler/DecideToPretenureDuringCompilation, which
> was not triggering the tested behaviour anymore with mjsunit test
> - Add tests for deoptimizations due to pretenuring decision changes
> during OSR.
>
> Bug: chromium:1193094
> Change-Id: I5d6c35e2914b705bf96f27051a4a286413b6fe26
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2825593
> Commit-Queue: Patrick Thier <pthier@chromium.org>
> Reviewed-by: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74032}
Bug: chromium:1193094
Change-Id: I366a4a074435ebffcf2b3af84152067731cd2a5e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2839550
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74062}
This is a reland of c83c9590ba
Changes since revert: nothing, issue was crbug.com/v8/11666
Original change's description:
> [ic] Add a new MegaDOM IC
>
> This patch implements the MegaDOM IC setup and access. A new MegaDOM
> IC state indicates that we've seen only DOM accessors at this access
> site.
>
> This CL only adds support for DOM getters in LoadIC, other kinds of
> access will be added in follow on CLs.
>
> Still remaining TODO before shipping:
> 1. Have a mechanism to invalidate the protector
> 2. Have a mechanism to find the accessors that aren't overloaded
> 3. Use a new builtin to miss to runtime on access check failure
>
> Change-Id: Ie12efe5e9fa284f023043b996d61e7d74e710ee2
> Bug: v8:11321
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2618239
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Dan Elphick <delphick@chromium.org>
> Reviewed-by: Mythri Alle <mythria@chromium.org>
> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73733}
Bug: v8:11321
Change-Id: I2bec54465542b5b40c42adb6eb12b6ce72cce5bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2794439
Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74056}
This reverts commit df52b65dba.
Reason for revert: fails on TSan: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN/36351/overview
Original change's description:
> [test] Rework Allocation Site Pretenruing Tests
>
> - Add %PretenureAllocationSite to manually force pretenuring for an
> allocation site during the next GC.
> - Replace cctest test-compiler/DecideToPretenureDuringCompilation, which
> was not triggering the tested behaviour anymore with mjsunit test
> - Add tests for deoptimizations due to pretenuring decision changes
> during OSR.
>
> Bug: chromium:1193094
> Change-Id: I5d6c35e2914b705bf96f27051a4a286413b6fe26
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2825593
> Commit-Queue: Patrick Thier <pthier@chromium.org>
> Reviewed-by: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74032}
Bug: chromium:1193094
Change-Id: I0cd526984d467c4e1e3637ac642f630e3cffea41
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2835715
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#74039}
- Add %PretenureAllocationSite to manually force pretenuring for an
allocation site during the next GC.
- Replace cctest test-compiler/DecideToPretenureDuringCompilation, which
was not triggering the tested behaviour anymore with mjsunit test
- Add tests for deoptimizations due to pretenuring decision changes
during OSR.
Bug: chromium:1193094
Change-Id: I5d6c35e2914b705bf96f27051a4a286413b6fe26
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2825593
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74032}
This reverts commit 6124a534b2.
Reason for revert: On suspicion of blocking V8 roll: https://ci.chromium.org/ui/p/chromium/builders/try/win10_chromium_x64_rel_ng/839568/overview
Original change's description:
> [fastcall] Add support for leaf interface type checks
>
> This CL adds an IsTemplateForApiObject method to FunctionTemplate
> allowing the embedder to check whether a given API object was
> instantiated by this template without including parent templates
> in the search. It also replaces the v8::ApiObject in the fast API
> with a raw v8::Value pointer to allow use of standard C++ casts.
>
> Bug: chromium:1052746
> Change-Id: I0812ec8b4daaa5f5005aabf10b63e1e84e0b8f03
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2595310
> Commit-Queue: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73999}
Bug: chromium:1052746
Change-Id: Ic99ec616310f0f75800c3dad393b5d2d685b76ab
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2829988
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#74016}
When the enumerability flag is flipped we need to invalidate the
prototype info.
Bug: chromium:1163499
Change-Id: Iceeaa5fc47eebfe7d333c9eb594bf0763e6cef92
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2831871
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74013}
This CL adds an IsTemplateForApiObject method to FunctionTemplate
allowing the embedder to check whether a given API object was
instantiated by this template without including parent templates
in the search. It also replaces the v8::ApiObject in the fast API
with a raw v8::Value pointer to allow use of standard C++ casts.
Bug: chromium:1052746
Change-Id: I0812ec8b4daaa5f5005aabf10b63e1e84e0b8f03
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2595310
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73999}
Instead, bail out of inline literal creation if a deprecated map is
found. This makes it easier to compile on the background thread.
Bug: v8:7790
Change-Id: I87941938d4f13dcf49230cf246c33bf2f49897f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2745134
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73988}
The typing of br_table was relaxed in
https://github.com/WebAssembly/spec/pull/1305. Before, we had to compute
the greatest lower bound of all branch types and make sure that stack
values are subtypes of that type. Now, we have to check that the stack
values are subtypes of each individual branch. This makes a difference
only in polymorphic stacks, but greatly simplifies the code, especially
with the upcoming introduction of a much more complex type system in
wasm-gc.
Change-Id: I6e3b410cfe0e71a97623b3030b3575ef707c4900
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2827897
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73982}
This test relies on non-concurrent optimizations to precisely test
transitions between the different tiers.
Disable flags that invalidate this test:
--no-always-opt to test transiation from Ignition to Sparkplug
--deopt-every-n-times=0 to test transition from Sparkplug to TF
Bug: v8:11656
Change-Id: I85047015d3f7cfdf00bddad59c9742d5d8f5d223
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2827902
Auto-Submit: Patrick Thier <pthier@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73978}
Changes:
- Implement function subtyping in wasm-subtyping.cc.
- Add Signature::Build(), which takes initializer lists for the return
and parameter types.
- Only throw kTrapFuncSigMismatch in call_indirect, change that trap's
message.
- Add a missing "return 0" in function-body-decoder-impl.h
- Fix a faulty check in wasm-objects.cc.
- Improve some comments.
- Write tests. Improve readability of subtyping-unittest.
Bug: v8:7748
Change-Id: I1caba09d5bd01cfd4d6125f300cd9c16af7aba99
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2822633
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73972}
Added a comparison to throw a TypeError when the "enumerable"
field of the new descriptor doesn't match the one of the old descriptor.
Bug: v8:10782
Change-Id: I2f1acf215e597b85be5d29e22c006cbd79afcb47
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2818067
Commit-Queue: Luis Fernando Pardo Sixtos <lpardosixtos@microsoft.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73941}
- Add %BaselineOsr to manually trigger OSR to Baseline.
- Add flags to %GetOptimizationStatus to check if the topmost frame is
an Interpreter/Baseline frame.
- Add mjsunit test.
Bug: v8:11420
Change-Id: Id80421ad97ee719a67ef299cc700da9c44f23bae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814567
Auto-Submit: Patrick Thier <pthier@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73937}
The CanAllocateArray used to be executed during JSCreateLowering,
leading to bailouts when large arrays are passed as arguments to
an async function or a bound function. This meant that
JSCreateAsyncFunctionObject or JSCreateBoundFunction will reach
JSGenericLowering, where they are not lowered. This CL moves
the checks earlier in the pipeline during JSNativeContextSpecialization
and JSCallReducer respectively, so that those operators are not
created at all in such cases and we bail out to the runtime instead.
Bug: v8:11564
Change-Id: I232ce7d9378730ae0cc8690e52fde840a484e069
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2807609
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73928}
The existing code assumes that the number of inputs is fixed to 4.
However, the fuzzer says that at least 5 inputs are also possible.
This CL makes the number of inputs more flexible.
CC=sam.parker@arm.com
Bug: chromium:1197393
Change-Id: I487ac96570b96f04b4d0a47065e7b383ba39016f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821435
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73917}
The pointer compression cage is the virtual memory reservation
that all compressed pointers fall within. This CL splits pointer
compression into two modes: a per-Isolate cage and a shared cage
among multiple Isolates.
When multiple Isolates are sharing a cage, they can decompress
each others' pointers and share the same virtual memory range.
Bug: v8:11460
Change-Id: I7b89b7413b8e7ca6b8b6faafd083dc387542a8b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2783674
Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73916}
We have to respect the TypeCheckKind.
Bug: chromium:1195777
Change-Id: If1eed719fef79b7c61d99c29ba869ddd7985c413
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817791
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73909}
If a loop is removed in dead code elimination, we may have a dead node
in the control chain. This wasn't expected, and endless recursion could
result.
Bug: chromium:1196185
Change-Id: Id6d69d0eaed11b0c6158b5643d3433b11611af59
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817792
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73906}
This CL makes more assumptions in the fast-api-call mjsunit test
explicit and specifies --deopt-every-n-times=0 for it, as it relies
on particular optimization/deoptimization sequences. It also fixes an
inconsistency between the fast/slow path results.
Bug: v8:11620
Change-Id: I385949a04534cd1658236878875efa6622936bc5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817607
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73905}
This CL enables the fast-api-calls mjsunit test again on gc_stress
with a fix for --stress-flush-bytecode.
Change-Id: I3a65f8cb4ec319945319d533ed92241b14f624c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817604
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73895}
This CL temporarily skips the fast-api-calls mjsunit test, as it
fails on GC stress bots for unrelated CLs (see
https://chromium-review.googlesource.com/c/v8/v8/+/2814740).
Change-Id: I884827a0a5fb030d676f9ded738f644cd4086ec6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814564
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73877}
This reverts commit d5457f5fb7.
Reason for revert:
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/32999
Original change's description:
> [api] JSFunction PromiseHook for v8::Context
>
> This will enable Node.js to get much better performance from async_hooks
> as currently PromiseHook delegates to C++ for the hook function and then
> Node.js delegates it right back to JavaScript, introducing several
> unnecessary barrier hops in code that gets called very, very frequently
> in modern, promise-heavy applications.
>
> This API mirrors the form of the original C++ function based PromiseHook
> API, however it is intentionally separate to allow it to use JSFunctions
> triggered within generated code to, as much as possible, avoid entering
> runtime functions entirely.
>
> Because PromiseHook has internal use also, beyond just the Node.js use,
> I have opted to leave the existing API intact and keep this separate to
> avoid conflicting with any possible behaviour expectations of other API
> users.
>
> The design ideas for this new API stemmed from discussion with some V8
> team members at a previous Node.js Diagnostics Summit hosted by Google
> in Munich, and the relevant documentation of the discussion can be found
> here: https://docs.google.com/document/d/1g8OrG5lMIUhRn1zbkutgY83MiTSMx-0NHDs8Bf-nXxM/edit#heading=h.w1bavzz80l1e
>
> A summary of the reasons for why this new design is important can be
> found here: https://docs.google.com/document/d/1vtgoT4_kjgOr-Bl605HR2T6_SC-C8uWzYaOPDK5pmRo/edit?usp=sharing
>
> Bug: v8:11025
> Change-Id: I0b403b00c37d3020b5af07b654b860659d3a7697
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2759188
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Anton Bikineev <bikineev@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73858}
Bug: v8:11025
Change-Id: Ie7345c4505f39c973f9f0dbca745b591cff63f3f
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814740
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#73862}
There are fives bytes total which are expected to be different from
zero. We were only handling one of them when checking random positions
in the array. This was leading to random failures.
R=manoskouk@chromium.org
Bug: v8:11621
Change-Id: Iac231d8b35fcbfbbc837c8e9134401cb8a2519ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2810783
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73860}
This will enable Node.js to get much better performance from async_hooks
as currently PromiseHook delegates to C++ for the hook function and then
Node.js delegates it right back to JavaScript, introducing several
unnecessary barrier hops in code that gets called very, very frequently
in modern, promise-heavy applications.
This API mirrors the form of the original C++ function based PromiseHook
API, however it is intentionally separate to allow it to use JSFunctions
triggered within generated code to, as much as possible, avoid entering
runtime functions entirely.
Because PromiseHook has internal use also, beyond just the Node.js use,
I have opted to leave the existing API intact and keep this separate to
avoid conflicting with any possible behaviour expectations of other API
users.
The design ideas for this new API stemmed from discussion with some V8
team members at a previous Node.js Diagnostics Summit hosted by Google
in Munich, and the relevant documentation of the discussion can be found
here: https://docs.google.com/document/d/1g8OrG5lMIUhRn1zbkutgY83MiTSMx-0NHDs8Bf-nXxM/edit#heading=h.w1bavzz80l1e
A summary of the reasons for why this new design is important can be
found here: https://docs.google.com/document/d/1vtgoT4_kjgOr-Bl605HR2T6_SC-C8uWzYaOPDK5pmRo/edit?usp=sharing
Bug: v8:11025
Change-Id: I0b403b00c37d3020b5af07b654b860659d3a7697
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2759188
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73858}
Lookarounds rewind the position after matching, and thus don't play
well with eats_at_least (EAL). This CL disables EAL propagation from
lookarounds.
In the future we could be a bit smarter by skipping over lookarounds
instead of resetting to 0.
Bug: v8:11290
Change-Id: I935400a7f9cda96d9c5a80e412ba7d04de70a84f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2808944
Reviewed-by: Seth Brenith <seth.brenith@microsoft.com>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73849}
The eats_at_least (EAL) value is applied in forward-directions only.
Two reasons for that which are relevant to this CL:
- EAL's of neighboring nodes are combined additively, irrespective of
their read_backward value.
- EatsAtLeastPropagator::VisitText uses the successor's
eats_at_least_from_not_start value, which doesn't work properly for
read_backwards successors (which may end at the start).
A symptom of this bug was that we applied an incorrect EAL of 255
starting at the initial 'x' of /x(?<=^x{4})/); for subject strings
shorter than 255 chars, this would result in an incorrect failure
result.
Bug: v8:11616
Change-Id: I4b2b1b78f0cea8f59e4beb1037ee46035d83c927
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2807596
Reviewed-by: Seth Brenith <seth.brenith@microsoft.com>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73848}
This CL fixes the behaviour of the d8.test.fast_c_api constructor when
the global object has been modified by not allowing calls to it without
the `new` keyword.
Bug: chromium:1196597
Change-Id: I49b4a412d501f5c9adaa72b63beec1483ab4c449
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2808943
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73831}
This CL skips the fast-api-calls mjsunit test, as it relies
on particular optimization/deoptimization patterns.
Bug: v8:11620
Change-Id: I4c2fd3b1db8aff73935dd6525fd0ad3edc307dd1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2808935
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73819}
Explicitly check for JSFunction or JSBoundFunction and throw if any other
JS type is passed to d8.test.verifySourcePositions.
Bug: chromium:1195717
Change-Id: Id65875526d5d6b3f720850d41d0a8192ec407035
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2807607
Auto-Submit: Patrick Thier <pthier@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73811}
This is a reland of 9eba2d85f4.
The reland fixes a global state variable which was incompatible
with the --isolate flag in d8, which runs the same script in a
different isolate.
Original change's description:
> [fastcall] Add fast API testing facilities to d8
>
> This CL provides the minimum necessary functionality to expose fast API
> for testing in mjsunit, exposing the fast path for fuzzing. It exposes
> a d8.test.fast_c_api with an `add_all` method, which exercises primitive
> types. On x64, all integer and floating point types are supported. On
> other platforms currently only 32-bit integers are included in the test.
>
> Design doc:
> https://docs.google.com/document/d/1KUKPfXkSRZTA2gMwaWbpQKlYfw0C-T6AE3XzC4viHbo/
>
> Bug: chromium:1052746
> Change-Id: Icc824199a26dd2abd2b869f5483a39d38e4dce3e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2749154
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Commit-Queue: Maya Lekova <mslekova@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73670}
Bug: chromium:1052746
Change-Id: I33b265b97bf7c797eee7d4cce5066999358a8c66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2790174
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73801}
We are overwriting rhs when dst == rhs && dst != lhs. This is not a
problem on TurboFan because we specify unique registers and dst == lhs
in the instruction-selector.
The fix is to use the helper EmitSimdCommutativeBinOp, which will check
for dst == rhs (pmuludq is commutative).
Bug: v8:11612
Change-Id: I38c3a2b7f3c7bcf2d7e8faec1a67f0814d44ed20
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2798527
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73780}
This fixes a bug introduced in crrev.com/c/2660995.
String.prototype.indexOf must clamp the `position` argument as per
step:
7. Let start be the result of clamping pos between 0 and len.
Source: tc39.es/ecma262/#sec-string.prototype.indexof
Previously, this was done in the StringIndexOf builtin, but the recent
refactor changed builtin implementations to match the spec more
closely (i.e. to clamp in String.prototype.indexOf, not
StringIndexOf). This means we now have to clamp in
JSCallReducer::ReduceStringPrototypeIndexOf.
Tbr: neis@chromium.org
Bug: chromium:1194869
Change-Id: I5af8d41b50f4905453f03079e3ee6d46186536db
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2799359
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73772}
.. and enable it on fyi bots. Skip one test in this variant due to
incompatible flags.
Bug: v8:7790
Change-Id: I5b8fdd8572435c6f4474c505464ff1a22c830757
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2797287
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73770}
Bug: v8:11604
Change-Id: Ic4aa3ae64aa9c9a60aceade9072a5ead1c894b7d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2799356
Commit-Queue: Georg Neis <neis@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73767}
This is a reland of e70cbb83da
Moved the ConsString comparison logic out-of-line, both to make gcc
happy, and to reduce the size of the fast-path in IsEqualToImpl.
Original change's description:
> [string] Fix non-SeqStrings in IsEqualTo
>
> Bug: chromium:1193903
> Change-Id: I80704dd3cba5754779432356b20bd3ea99630291
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2794426
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Auto-Submit: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73746}
Bug: chromium:1193903
Change-Id: Iae6f078853438427e86d3ac68bcfed0712a85bf7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2797288
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73763}
This CL is part of a series that implements Turbofan support for
property accesses satisfying the following conditions:
1. The holder is a dictionary mode object.
2. The holder is a prototype.
3. The access is a load.
This feature will only be enabled if the build flag
v8_dict_property_const_tracking is set.
This particular CL modifies existing mjsunit tests whose assumptions
don't hold if v8_dict_property_const_tracking is enabled. This is
done by adding special handling for the case that
%IsDictPropertyConstTrackingEnabled() holds.
Bug: v8:11248
Change-Id: Ia36be73e4659a988b2471f0c8151b0442f3a98f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2780292
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73745}
This reverts commit c83c9590ba.
Reason for revert: Speculatively reverting for a failure on Arm GC stress bot - https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Arm%20GC%20Stress/b8851256837192083520/overview
Original change's description:
> [ic] Add a new MegaDOM IC
>
> This patch implements the MegaDOM IC setup and access. A new MegaDOM
> IC state indicates that we've seen only DOM accessors at this access
> site.
>
> This CL only adds support for DOM getters in LoadIC, other kinds of
> access will be added in follow on CLs.
>
> Still remaining TODO before shipping:
> 1. Have a mechanism to invalidate the protector
> 2. Have a mechanism to find the accessors that aren't overloaded
> 3. Use a new builtin to miss to runtime on access check failure
>
> Change-Id: Ie12efe5e9fa284f023043b996d61e7d74e710ee2
> Bug: v8:11321
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2618239
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Dan Elphick <delphick@chromium.org>
> Reviewed-by: Mythri Alle <mythria@chromium.org>
> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73733}
Bug: v8:11321
Change-Id: Ib6a55796f2a3c345d4923f9eaa215a6ff55ed15b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2794437
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#73734}
This patch implements the MegaDOM IC setup and access. A new MegaDOM
IC state indicates that we've seen only DOM accessors at this access
site.
This CL only adds support for DOM getters in LoadIC, other kinds of
access will be added in follow on CLs.
Still remaining TODO before shipping:
1. Have a mechanism to invalidate the protector
2. Have a mechanism to find the accessors that aren't overloaded
3. Use a new builtin to miss to runtime on access check failure
Change-Id: Ie12efe5e9fa284f023043b996d61e7d74e710ee2
Bug: v8:11321
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2618239
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73733}
Bug: v8:9337
Change-Id: Ic9b1072007ed19435b8ea669bee7c07c7eef8e2b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2795274
Auto-Submit: Adam Klein <adamk@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73731}
Changes:
- Wrap eqref and i31ref objects in the temporary wasm object wrapper
(in addition to dataref and anyref). Accept those types in
IsJSCompatibleSignature().
- Handle null correctly in all cases (i.e., do not wrap/unwrap it).
- Improve some error messages.
- Handle kRttWithDepth in one case where it was omitted.
- Some small structure improvements.
- Add an extensive test.
Bug: v8:7748, v8:11606
Change-Id: Ie519f2c87421664dd02cf29fe94f9a9d7510bae2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2794422
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73725}
The disabled regress-9017 test allocates too much memory and started
flakily failing on TSAN. CL that triggered the flake:
https://chromium-review.googlesource.com/c/v8/v8/+/2731528
Bug: v8:9337
Change-Id: Ia039e42a88c3665a9b9b4adc4a4b7c923afd5ba5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2791564
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73718}
Don't switch to the catch state if it is never reached.
Also steal the catch state instead of splitting it since it cannot be
used after a delegate instruction.
R=ahaas@chromium.org
Bug: chromium:1192313
Change-Id: I3967ac81e066d2146c8aa37b26a35a99ba88bdf6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2787488
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73703}
This reverts commit 9eba2d85f4.
Reason for revert: TSAN failures https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20isolates/14265/overview
Original change's description:
> [fastcall] Add fast API testing facilities to d8
>
> This CL provides the minimum necessary functionality to expose fast API
> for testing in mjsunit, exposing the fast path for fuzzing. It exposes
> a d8.test.fast_c_api with an `add_all` method, which exercises primitive
> types. On x64, all integer and floating point types are supported. On
> other platforms currently only 32-bit integers are included in the test.
>
> Design doc:
> https://docs.google.com/document/d/1KUKPfXkSRZTA2gMwaWbpQKlYfw0C-T6AE3XzC4viHbo/
>
> Bug: chromium:1052746
> Change-Id: Icc824199a26dd2abd2b869f5483a39d38e4dce3e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2749154
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Commit-Queue: Maya Lekova <mslekova@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73670}
Bug: chromium:1052746
Change-Id: Iaf5083540ddfe882a747eaa9d1d2a2a8b4ba0ec0
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2787081
Auto-Submit: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#73673}
This CL provides the minimum necessary functionality to expose fast API
for testing in mjsunit, exposing the fast path for fuzzing. It exposes
a d8.test.fast_c_api with an `add_all` method, which exercises primitive
types. On x64, all integer and floating point types are supported. On
other platforms currently only 32-bit integers are included in the test.
Design doc:
https://docs.google.com/document/d/1KUKPfXkSRZTA2gMwaWbpQKlYfw0C-T6AE3XzC4viHbo/
Bug: chromium:1052746
Change-Id: Icc824199a26dd2abd2b869f5483a39d38e4dce3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2749154
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73670}
This is a reland of e3ccb53877
No changes for the reland.
This CL was speculatively reverted, but was not the cause of the problem.
TBR=jgruber@chromium.org
Original change's description:
> Reland "[sparkplug][deoptimizer] Deoptimize to baseline."
>
> This is a reland of bdcd7d79d3
>
> Handle lazy deopts when the current bytecode is JumpLoop.
> Instead of advancing to the next bytecode, re-execute the JumpLoop.
>
> TBR=jgruber@chromium.org, neis@chromium.org
>
> Original change's description:
> > [sparkplug][deoptimizer] Deoptimize to baseline.
> >
> > If we have baseline code, deoptimize to baseline instead of the
> > interpreter. The process is similar to deopting to the interpreter.
> > We just use different builtins
> > (BaselineEnterAtBytecode/BaselineEnterAtNextBytecode) instead of
> > InterpreterEnterBytecodeDispatch/InterpreterEnterBytecodeAdvance, that
> > patch an interpreter frame to a baseline frame and continue execution in
> > baseline code (based on the deopt type, at the current or next
> > bytecode).
> >
> > Bug: v8:11420
> > Change-Id: Iabaefb36c05155a435c7b380906a86d9b9d549fa
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2695591
> > Commit-Queue: Patrick Thier <pthier@chromium.org>
> > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> > Reviewed-by: Georg Neis <neis@chromium.org>
> > Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#73609}
>
> Bug: v8:11420
> Change-Id: Ib8cac028121188ddc23ff29377760ed684eb7392
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2783035
> Reviewed-by: Patrick Thier <pthier@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Patrick Thier <pthier@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73636}
Bug: v8:11420
Change-Id: I7fbbb73a4fdaeab8b294862ee6ae952928c57994
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2784695
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73656}
