During marking, shared objects should not be marked when not
marking the shared heap (i.e. when not doing a shared GC).
Doing so is unsafe, as marking can race with sweeper threads
sweeping the shared heap. This CL adds the missing check on
weak object marking.
Bug: v8:12687
Change-Id: I1e0b8ba6b09bbcf665e5ff0f6242ed88f543c1fa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3583610
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79964}
Computing the length for variable-length TAs is a lot of code and was
regressing microbenchmarks.
Bug: v8:11111
Change-Id: Ia7c3c92bfb43938068aaf539b290f6a30b049c18
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3583898
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79961}
This reduces card granularity from 4096 to 512 bytes with the goal to
improve write barrier filtering.
Bug: chromium:1029379
Change-Id: I22e2a9c61ef4c36c3db65404370213d0a8048e08
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3582393
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79960}
For a while, we shipped a version which writes version 13 data with
JSArrayBufferView flags, and then fixed version 13 to not include the
flags.
This CL adds a compatibility mode for parsing the the version 13
data which includes the flags, since it still occurs in the wild.
Bug: chromium:1314833,chromium:1284506
Change-Id: I96cc432c8574a40b11ec0037394feb1853515760
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3583982
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79959}
Tracer scopes are used in numerous places in src/heap to track time
spent during various phases of the garbage collection. Usually, they
are introduced with the TRACE_GC* family of macros, taking the scope
identifier as a parameter. At most call sites, the scope identifier is
known at compile time.
This CL inlines the constructor and destructor of GCTracer::Scope, in
order to enable the C++ compiler to properly optimize the introduction
of such scopes when the scope identifier is known at compile time,
using constant propagation. This is expected to have a performance
impact for short-lived and frequently used scopes, e.g., in incremental
marking and sweeping steps.
Change-Id: I6f1a2954a437de1fa6dab5e464c20c952d84ffd4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3581774
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79957}
This makes the installation sequence of WebAssembly.Tag slightly
shorter, slightly faster, slightly cleaner in corner-case semantics,
and slightly better documented.
To allow testing this code, Isolate::InstallConditionalFeatures is
exposed as d8.test.installConditionalFeatures().
Fixed: chromium:1314616
Change-Id: I44285e398b8797e0e7d2d8c782cecec3ba68a503
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3582382
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79956}
NewSpace and PagedSpace both inherit from SpaceWithLinearArena and
implement allocation logic on top of it. The parts of the allocation
path that deal specifically with the linear allocation area are
equivalent (only minor syntactic differences between them).
This CL refactors the allocation from a linear allocation area out of
NewSpace and PagedSpace and moves it to SpaceWithLinearArea. This
eliminates code duplication and keeps everything generally still working
the same.
This is done as part of an effort to create a stable NewSpace interface
to allow introducing an alternative paged new space.
Bug: v8:12612
Change-Id: Ie24345a2d51f6e67ebe8a1d67e586038f7aec8de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3578547
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79955}
The code generator accesses the heap even without --code-comments set:
remove the related condition from the UnparkedScopeIfNeeded.
Fixed: v8:12794
Change-Id: I0099f22a9382373c4f75538615fbf431c4d71283
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3582389
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79953}
Unconditional eager deopts from lack of feedback (née soft deopts) mean
that the remainder of the basic block is dead. Avoid emitting this code
by fast forwarding the iterator until the next merge.
The EagerDeopt node becomes a Deopt control node which terminates its
own block (this is to avoid spurious control flow after the EagerDeopt,
or weirdness with liveness). A concept of "merging dead blocks" has to
be introduced so that the successors of the killed block still have the
right number of predecessors.
Bug: v8:7700
Change-Id: Id9c442c3b18d3f394dc2411604d0c8503d6aaae2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3578647
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79952}
Remove the "bad idea" of spilling whenever there's a deopt, and instead
use the deoptimizer's register support.
In addition, allow untagged int32 inputs into deopts -- if tagging these
overflows, then the deoptimizer will automagically create a HeapNumber
for us. Hooray for code reuse!
Drive-bys:
1. Print input locations for deopt checkpoints.
2. Fix ordering of UpdateUse(input)/UpdateUse(deopt) to match the
use marker.
Bug: v8:7700
Change-Id: I8069f5bc1bdcd7746a516c7a5cc7e26a15d4e5cb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3578805
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79950}
Goal is to ensure that the JitLogger for ETW (on Windows) is more inline
with other CodeEventLoggers such as PerfJitLogger.
The new design ensures that initial Builtin and BytecodHandler events
are emitted to and received by the ETWJITInterface::EventHandler.
Bug: v8:11043
Change-Id: I5741053c387b9ac63a42de61c99f4ea4ae4bdb96
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3581769
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Henrik Andreasson <henrika@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79949}
Concurrrent marking for v8::TracedReference requires a single bit in
global handles to be written concurrently. While no other bits require
concurrent access, initialization still needs to properly publish the
bits.
Avoid this problem by just referring to a persistent marking bitmap
that's always present and accessed concurrently, similar to V8's
regular marking bitmap.
Bug: chromium:1315498, v8:12600
Change-Id: I49ba1af0f5a0a8c7fd2865c7178a9a956bbd953e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3582920
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79946}
It currently only checks if the node inputs are expected to be
tagged or untagged.
Bug: v8:7700
Change-Id: Ibf068098dfb08c28b2744cb321fa857572998948
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3578804
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79945}
The constant was updated in https://crrev.com/c/3328783 without updating
the comment, which brought them out of sync.
R=jkummerow@chromium.org
No-Try: true
Change-Id: I68b30aca878b5ed5a37ba39c36480d571c62f563
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3578806
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79944}
Most paths filter out empty reference on cppgc::Visitor or
v8::JSVisitor level. For v8::TracedReference we may end up with empty
reference in case of ephemeron tracing which cannot perfom the null
checks on the outer visitor.
Bug: chromium:1315550, v8:12600
Change-Id: I5ebb466100a6f2cf25a75585fc2267a632497548
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3582124
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79943}
This allows to easily introduce new nodes with untagged represenation.
It also speeds up the is_untagged_value check.
Bug: v8:7700
Change-Id: Ie391d32ae7742dbad481674de262050c0d564ee6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3581773
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79941}
We track untagged values through the InterpreterFrameState, that allows
us to re-use already emitted CheckedSmiUntag and elide CheckedSmiTag
whenever the next node wants the untagged value as input.
It uses LoadRegisterTaggedValue, LoadRegisterSmiUntaggedValue and
accumulator variants as helper in the graph builder.
Spilled values can now be untagged, since we currently do not
support stack slot re-use, we use a ZoneVector to keep track of
the stack slot representation.
We tag (lazily) any value that will be passed as input to a Phi node.
Bug: v8:7700
Change-Id: I34cb69c8f1fbeb6a8158a251a4dd2e114e894ea0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3574559
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79939}
Method GCTracer::UpdateStatistics was responsible for copying
incremental and background scopes to the current event, before
reporting. It was called, however, at the end of the atomic pause and,
as a result, some of these scopes would be prematurely copied to the
current event (e.g., incremental and background sweeping scopes) and
misreported.
This CL fixes this by splitting the update of statistics and the
copying of incremental and background scopes. It introduces the
method GCTracer::FinalizeCurrentEvent which does the latter, which
is called from GCTracer::StopCycle. It also introduces methods for
correctly accessing and updating scopes, before the current event is
finalized, and eliminates the distinction between
GCTracer::AddScopeSample and GCTracer::AddScopeSampleBackground.
Bug: chromium:1154636
Change-Id: I2a6d9abb3daa2c48b2dce12dc2685cfc84130abf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3576792
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79938}
For strict equal boolean literal like "a===true"
or "a===false", we could generate TestReferenceEqual
rather than TestStrictEqual. And in `execution_result()->IsTest()`
case, we could directly emit JumpIfTrue/JumpIfFalse.
E.g.
```
a === true
```
Generated Bytecode From:
```
LdaGlobal
Star1
LdaTrue
TestEqualStrict
```
To:
```
LdaGlobal
Star1
LdaTrue
TestReferenceEqual
```
E.g.
```
if (a === true)
```
Generated Bytecode From:
```
LdaGlobal
Star1
LdaTrue
TestEqualStrict
JumpIfFalse
```
To
```
LdaGlobal
JumpIfTrue
Jump
```
Bug: v8:6403
Change-Id: Ieaca147acd2d523ac0d2466e7861afb2d29a1310
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3568923
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#79935}
This patch makes sure that NearHeapLimitCallback can invoke
operations that trigger garbage collections. In addition
this adds code to make the tracers aware of NearHeapLimitCallback.
Bug: v8:12777
Change-Id: I959a23a3e0224ba536cb18b14933813e56fc5292
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3575468
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#79934}
For stack-switching, we create a callable object from the
WasmResume builtin and pass that as the onFulfilled argument
of Promise#then. We don't need to create this callable object each time
we suspend. Instead, create it when we initialize the Suspender object
and store it there.
R=jkummerow@chromium.orgCC=fgm@chromium.org
Bug: v8:12191
Change-Id: If8495493a71794cddc81b21a17a821fed8f4ede7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3579162
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79930}
Simulator needs a way to check if a fp input is
a signalling NaN and `issignaling` doesn't seem to be
supported on the latest gclient update and causes link errors.
Change-Id: Id2a7200b6cf13bb6174b052728fc5a0d5436321c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3581768
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#79929}
The barrier is published in the atomic pause following the final step.
Bug: v8:12775
Change-Id: Ia77e1d213cc02a086d7a557999481b633e6b4df4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3582039
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79928}
We need to make sure that a node doesn't think it's still allocated in a
register (and doesn't need spilling) when it is freed to make space for
another allocation.
Bug: v8:7700
Change-Id: I6e35cd467bb7f17bb20dc6f4ab0a1df9efe78ffa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3582220
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79926}
We were doing this for synchronous compiles, but not for asynchronous
ones.
Bug: v8:7700
Change-Id: I10173ddc34bd8750051272c0ec065e21bbd20082
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3581767
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79925}
The external code space is required for the sandbox, so enable it on
Android to be able to enable the sandbox there as well in the future.
Bug: v8:11880
Change-Id: Ic7ba29c77affc3e0e83c8a93f2f6f53b3c72b8e8
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3578799
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79924}
1. Added `generateWebDriverValue` flag to `Runtime.evaluate` and `Runtime.callFunctionOn`.
2. Added `webDriverValue` field to `RemoteObject`, and set it in case of the `generateWebDriverValue` flag was set.
3. Added virtual method `bidiSerialize` to allow embedder-implemented serialization (like in https://crrev.com/c/3472491).
4. Implemented V8 serialization in a separate class `V8WebDriverSerializer`.
5. Hardcode `max_depth=1`.
6. Added tests.
Not implemented yet:
1. `objectId`.
2. Test of embedder-implemented serialization.
Tested automatically by:
```
python3 tools/run-tests.py --outdir out/foo inspector/runtime/add-web-driver-value
```
Naming to be discussed. Suggestions are very welcome.
Design doc: http://go/bidi-serialization
Change-Id: Ib35ed8ff58e40b3304423cc2139050136d844e2c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3472077
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Maksim Sadym <sadym@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79922}
This is a reland of commit 1f0d7d2072
The fix merges concurrent marking tasks when marking in the atomic
pause. Without the fix, Oilpan markers would continue running
concurrently, possibly discovering new V8 objects. This violates the
assumption that the final transitive closure runs on a single thread.
Original change's description:
> cppgc-js: Concurrently process v8::TracedReference
>
> Adds concurrent marking for reaching through v8::TracedReference.
> Before this CL, a v8::TracedReference would always be processed on the
> main thread by pushing a callback for each encountered reference.
>
> This CL now wires up concurrent handling for such references. In particular:
> - Global handles are already marked as well and not repurposed during
> the same GC cycle.
> - Since global handles are not repurposed, it is enough to
> double-deref to the V8 object, checking for possible null pointers.
> - The bitmap for global handle flags is mostly non-atomic, with the
> markbit being the exception.
> - Finally, all state is wired up in CppHeap. Concurrent markers keep
> their own local worklist while the mutator marker directly pushes to
> the worklist owned by V8.
>
> Bug: v8:12600
> Change-Id: Ia67dbd18a57dbcccf4dfb9ccfdb9ee438d27fe71
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3516255
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79736}
Bug: v8:12600
Change-Id: I8545041b2c7b3daf7ecea7e3a100e27534e9b8b5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3571887
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79919}
