When running in single-process mode for Webview, the stack limit is
initialized from a point closer to the top of stack limit. This can
cause crashes since the stack limit might be higher than the actual
native stack limit (which is 1MB on Android). As such, use the same
slightly lower stack limit on Arm64 as we do on Arm to give more slack.
BUG=v8:10575
Change-Id: I0cdd0cb4b38aafcb4e158ed639ecf3bba2edb785
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2250241
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68405}
f89ea875..8d3dd2d
8d3dd2d Sync the test w/ changes in intl-datetime-style 43 by Frank Tang · 15 hours ago master
2dcdba9 Simplify tests by Alexey Shvayka · 15 hours ago
23417d9 Test %TypedArray%.prototype.set with primitives by Alexey Shvayka · 15 hours ago
Bug: v8:7834
Change-Id: I39b62aa1f4800349a009035e704bd4a93223174b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2251174
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68404}
Instead of having a loop with one big switch for handling the different
opcodes, split the decoding into one handler per opcode and call them
via an opcode handler table.
The compiler will generate similar code for this new approach (the big
switch is also compiled into a table lookup and an indirect jump). The
main difference is that it's now calls instead of jumps. This has a
slight performance impact, but allows one to look at the decoding logic
of individual opcodes in isolation and see optimization opportunities
much more easily. It also allows one to spot very easily in profilers on
which opcodes most time is spent.
The different opcode handlers are still implemented via the same switch
as before, but since the opcode is a template argument (hence static)
the compiler will eliminate the switch and generate the small handlers
we want.
I plan to actually remove the switch and break up the big generic
{DecodeOp} method into one method per opcode.
R=thibaudm@chromium.org
Bug: v8:10576
Change-Id: Ic2c1e2fe5e98df52a7079ace305cf77340dcbf35
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2249664
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68403}
This subsumes the old behavior of --allow-natives-for-fuzzing under
--fuzzing as well. Both flags are used in a redundant way in fuzz
configs. Only --allow-natives-for-fuzzing wasn't specified as a
required argument, leading to the bug below.
We still need the flag --allow-natives-for-differential-fuzzing
to allow different functions when using differential fuzzing.
Bug: chromium:1094866
Change-Id: I398791779e58ed4d80e896c1cfea343848159212
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2246568
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68401}
The {NextInstruction} method is quite hot, since it's called for every
single Wasm instruction. It currently does several checks to figure out
if
- a breakpoint needs to be emitted,
- extra source positions are needed, or
- tracing is active.
The first two can only happen if we are generating debug code, hence
check for that first. The last can only happen in debug mode, so it's
not an issue in production.
Finally, outline the emission of debug information. This leads to
inlining of the {NextInstruction} method into callers, where it is a
single check followed by a call to {EmitDebuggingInfo} (in release
mode).
R=thibaudm@chromium.org
Bug: v8:10576
Change-Id: I5047406f55cd14c6c639528ef6e3422af27d16b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2249671
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68399}
https://github.com/tc39/ecma262/pull/1776 is a normative change that
reached consensus in the November 2019 TC39. It changes
%AsyncFromSyncIteratorPrototype% methods to forward the absence of
arguments to the underlying sync iterator. This is observable via
`arguments.length` inside the underlying sync iterator.
For example, .next is changed to, roughly:
```
%AsyncFromSyncIteratorPrototype%.next = function(value) {
  let res;
  if (arguments.length < 1) {
    res = [[SyncIteratorRecord]].[[Iterator]].next();
  } else {
    res = [[SyncIteratorRecord]].[[Iterator]].next(value);
  }
  // ...
};
```
Bug: v8:10395
Change-Id: Ib8127d08cd78b8d502e6510241f3f13fbbaba5c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2247041
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68398}
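The observable effect of the change above, as an added example that is not part of the V8 commit: a sync iterator records `arguments.length` on every `next()` call, a small user-land model of `%AsyncFromSyncIteratorPrototype%.next` (hypothetical helper `asyncFromSync`, mirroring the commit's pseudocode, with a switch to reproduce the old behaviour) shows the difference between forwarding the absence of an argument and forwarding an explicit `undefined`, and `for await` over the same sync iterable exercises the engine's own wrapper.

```javascript
// Added example, not code from the V8 commit. A sync iterator that records
// how many arguments each next() call received, so the forwarding of a
// *missing* argument (new behaviour) vs. an explicit undefined (old
// behaviour) becomes visible from user code.
function makeRecordingIterator(values, log) {
  let i = 0;
  return {
    next() {
      log.push(arguments.length);
      return i < values.length
        ? { value: values[i++], done: false }
        : { value: undefined, done: true };
    },
  };
}

// Hypothetical user-land model of %AsyncFromSyncIteratorPrototype%.next.
// forwardAbsence = true follows the commit's pseudocode; false reproduces
// the pre-change behaviour of always passing `value` through.
function asyncFromSync(syncIterator, { forwardAbsence = true } = {}) {
  return {
    next(value) {
      let res;
      if (forwardAbsence && arguments.length < 1) {
        res = syncIterator.next();        // absence of an argument forwarded
      } else {
        res = syncIterator.next(value);   // explicit (possibly undefined) value
      }
      // The spec awaits res.value; Promise.resolve also covers a plain value.
      return Promise.resolve(res.value).then(v => ({ value: v, done: res.done }));
    },
    [Symbol.asyncIterator]() { return this; },
  };
}

// Drive the model with one bare next() and one next(7) and return what the
// sync iterator saw. New behaviour: [0, 1]; old behaviour: [1, 1].
function observeWrapper(forwardAbsence) {
  const log = [];
  const it = asyncFromSync(makeRecordingIterator([1, 2], log), { forwardAbsence });
  it.next();
  it.next(7);
  return log;
}

// `for await` over a sync iterable goes through the engine's real
// async-from-sync wrapper; the loop calls next() with no argument, so an
// engine that implements the change (V8 after this CL, hence recent Node)
// lets the sync iterator see 0 arguments on every call.
async function observeEngineForAwait() {
  const log = [];
  const iterable = { [Symbol.iterator]: () => makeRecordingIterator([1, 2], log) };
  for await (const _ of iterable) { /* two values, then one done result */ }
  return log; // [0, 0, 0] with forwarding, [1, 1, 1] without
}
```

`observeWrapper` is synchronous because the recording happens inside the sync iterator before any promise is created, which makes the two behaviours easy to compare side by side; `observeEngineForAwait` is the same probe run against the engine rather than the model.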
If mksnapshot fails then all that is printed is
"FAILED: gen/v8/embedded.S snapshot_blob.bin"
and the command line. That complicates the investigation. Printing the
error code in run.py can help. The printing code handles large negative
numbers specially so that special Windows failure codes like 0xC0000005
are recognizable.
This code was tested by adding this early-out to main in mksnapshot.cc.
```
if (argc < 1000)
  return 0xc0000005;
```
Bug: Chromium:1095767
Change-Id: I5dc81d368beaa339f0c519ce1c01bd13cdb18d93
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2249518
Auto-Submit: Bruce Dawson <brucedawson@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68395}
The CL addresses two issues with (Weak)Persistent and WeakMember:
1. (Weak)Persistent pointers are cleared on heap teardown. Before this
CL the pointers would contain stale values which could lead to UAF.
2. WeakPersistent and WeakMember are cleared using a combination of
internal clearing methods and mutable fields which avoids the use
of const_cast<>.
Bug: chromium:1056170
Change-Id: Ibf2b0f0856771b4f6906608cde13a6d43ebf81f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2248190
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68394}
Cleanups:
* Encapsulated same code in methods
* Inlined trace prints
* Don't set as queued, we are going to visit it anyway
* Moved the phi check upwards
Bug: v8:10424
Change-Id: I82534399617d97d717c5c0dd1ca4bfef9df91e97
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2218037
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68393}
Inline TransferStackSlot and compare the slots first. This is redundant
if they are different, but in most cases they are the same and doing
this check is beneficial.
Other methods of StackTransferRecipe are not called as often, and
inlining them seems negligible.
R=clemensb@chromium.org
Bug: v8:10576
Change-Id: Ibdaa714e3e40c95a79a0da3ca3170d1da7b62cf3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2249677
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68392}
Since ReadOnlySpace pages will soon not be MemoryChunks, change most
uses of MemoryChunk::FromHeapObject and FromAddress to use the
BasicMemoryChunk variants, which use the new MemoryChunk::cast
function that takes a BasicMemoryChunk and DCHECKs !InReadOnlySpace().
To enable this, it also moves into BasicMemoryChunk several MemoryChunk
functions that just require a BasicMemoryChunk.
Bug: v8:10454
Change-Id: I80875b2c2446937ac2c2bc9287d36e71cc050c38
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2243216
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68390}
The SafeStackFrameIterator, used in the profiler, sometimes uses the
link register instead of a return address stored on the stack, to get
more accurate results. This happens in particular for bytecode handlers
that do not create a stack frame. Authentication of PC for those frames
would fail in the SafeStackFrameIterator, as the "PC address" would not
point to a stack location with a signed return address, but instead to
a member of the SafeStackFrameIterator class where the value of the link
register was stored. We address this by skipping authentication of PCs
in the profiler.
Bug: v8:10026
Change-Id: I331c6c68e703db766be1891efffa69c2f9794e8a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2242954
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Cr-Commit-Position: refs/heads/master@{#68388}
This is a reland of 539f0ed23b
The reland fixes creating TimeDelta from double which requires
saturated_cast<>. Improvements to these constructions are tracked
in v8:10620.
Original change's description:
> cppgc,heap: Implement atomic unified heap GC
>
> Add v8::CppHeap as an implementation of a cppgc heap that
> integrates with V8's existing EmbedderHeapTracer API. The
> current implementation only supports non-incremental marking.
>
> Bug: chromium:1056170
> Change-Id: I4a09eb5ae57f5c7defe35eb3fe346627eb492473
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2245610
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Anton Bikineev <bikineev@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#68374}
Bug: chromium:1056170,v8:10620
Change-Id: I39e15790e5cafe24da2a14d0bae6543391ebb536
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2248191
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68387}
This fixes a check in the code that recompiles Liftoff
if breakpoints were removed on isolate removal.
Change-Id: I969b1b027a393f48e92ef4df37f6e672d16866cc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2247648
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68386}
{std::ostream} was used without including either <ostream> or <iosfwd>.
R=ahaas@chromium.org
Change-Id: I92facf672c81a17e2ff24658bbefd961b4f4d445
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2248196
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68385}
This fixes a bug when an encoded character appears in the difference
string. Python3 doesn't require any encoding.
TBR=tmrts@chromium.org
No-Try: true
Bug: chromium:1095964
Change-Id: I49c66b5b9c105ad64d3a7839d0eb5df97ff5f404
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2249660
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68384}
- rename to ReplaceWithBuiltinCall (stubs are no longer a thing).
- add a convenience override that takes only the node and builtin id.
Bug: v8:8888
Change-Id: I7e19c3676c19c3f1b7c7f9a0cbbc3306fef8fc47
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2247651
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68383}
Bug: v8:8888
Change-Id: I0492385023fe01f1aacbd5eae9bb5930a5484062
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2247649
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68382}
... for nci code, in which several phases of the compiler are not
active:
LowerJSCreateCatchContext
LowerJSCreateEmptyLiteralObject
LowerJSCreateIterResultObject
LowerJSCreateWithContext
LowerJSGetIterator
LowerJSGetTemplateObject
With this change, the nci variant passes the test suite. Tests
relying on turbofan-specific behavior (e.g. deopts) are skipped.
Bug: v8:8888
Change-Id: I709178241e9b25e7480a39b4fb64bdcf576483be
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2245604
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68381}
The Isolate::context field doesn't track the context while JS is
executing. It's updated at boundary sites when entering runtime
through CEntry or returning to runtime in Invoke(). These set_context
calls are unnecessary.
Bug: v8:8888
Change-Id: Ifb9818b47699d2b1b37ebf0c19c2caf59fd17427
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2247772
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68380}
This adds the following things:
- age table for 4K regions;
- generational barrier for mixed 4K regions;
- unmarking for major collections;
- young generation flags.
Bug: chromium:1029379
Change-Id: Ief1229f0dac5f90c5f06d3168c8ffb4b7d1f1b53
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2246566
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68379}
Add v8::CppHeap as an implementation of a cppgc heap that
integrates with V8's existing EmbedderHeapTracer API. The
current implementation only supports non-incremental marking.
Bug: chromium:1056170
Change-Id: I4a09eb5ae57f5c7defe35eb3fe346627eb492473
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2245610
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68374}
- Makes conversion::NonNumberToNumber, NonNumberToNumeric, and
ToNumeric transitioning builtins. Otherwise, these turn into
macro invocations, which made several math.tq builtins much
longer.
Bug: chromium:1094228
Change-Id: Iefb6821ee59f61c11029150c0de4a1bcbd18e721
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2243195
Commit-Queue: Bill Budge <bbudge@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68371}
This is in anticipation of more complex type names coming from the new
proposals.
Change-Id: I1e5b8bd8c5b3edb5b603d36f6c5e9a787ebad504
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2243215
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68370}
As a drive-by, change an if(...) else UNREACHABLE into a CHECK(...).
Change-Id: I6440191c690f36444faa89ac0f7f7dde51ebba3f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2237143
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68369}
Changes:
- Simplify and generalize ToValueTypeString.
- Fix some error messages in msjunit so that they reflect the underlying
error better.
- Change 'exn' -> 'exnref' to match exception-handling proposal.
Bug: v8:7581
Change-Id: I264f6c9aa598a57f39d5a4d01399af64db83a2b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2243214
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68364}
This is in anticipation of more reference types from various proposals
being implemented.
Change-Id: I740ceeb3b6d6fc484a61f9ebee2181dbd6694440
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2243213
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68363}
Avoid spawning low-priority tasks for tier-up, since low-priority tasks
map to the BEST_EFFORT priority in chrome, which will severely delay
execution of the tasks and not execute them even if background threads
are idle (see linked bug).
We should look into reverting this once the gin platform implementation
(or task scheduling) is adjusted to execute low-priority background
tasks more reliably.
R=ahaas@chromium.org
Bug: chromium:1094928
Change-Id: I9e84eeedc7b83bfd17edb1cd09a0084770b20eda
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2247645
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68362}
Rolling v8/build: 908ea81..a980f85
Rolling v8/buildtools: 574cbd5..3200e0f
Rolling v8/buildtools/linux64: git_revision:9a0496a74efd13c1bb2abd866d8a227404615068..git_revision:fbe7aec770944d17c9f3006f6cbb5c19e8cd43ea
Rolling v8/third_party/aemu-linux-x64: VTMne1aEixrBYfQxsfnRBgzudRPhjV-iUQeXgznyNqgC..T98d0T9VlsHV98PPahwzBa8kF94z5dghLKOTUDCTmwYC
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/b919b00..9253b25
Rolling v8/third_party/depot_tools: 03705f6..e364dd8
Rolling v8/tools/clang: 79a0420..0d67b22
TBR=machenbach@chromium.org,tmrts@chromium.org,v8-waterfall-sheriff@grotations.appspotmail.com
Change-Id: Ibe96d7bb6c8b4b359698446a3087e4d9c1668704
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2246735
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#68361}
The C++ code uses the A instruction key for return address signing,
which is the default for Clang and GCC when the -mbranch-protection
option is used (although this can be configured to use the B key).
Using the B key for JS means that it's not possible to use an A key
signing gadget to replace a return address signed with the B key and
vice-versa. This should offer a degree of separation from the C++ side.
Bug: v8:10026
Change-Id: Ia9dcc7ae7096c96b4a271efbe25fc02940f6fc8e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2242953
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Cr-Commit-Position: refs/heads/master@{#68360}
The DCHECK is true in the current V8 / Chrome. However, an embedder
can create a snapshot where the object in question has dictionary
properties (by using the object as a prototype). When reading the
snapshot in, the object already has dictionary properties, and adding a
property to it won't change it.
The erroneous DCHECK was used to assert that adding a property to an
object won't turn it to dictionary mode. But now it's in the wrong
place, since this part of the code is executed after reading the
snapshot in.
The corresponding DCHECKs which are executed when setting up the objects
before snapshot creation are still valid.
Fixing the behavior wrt whether the object should turn dictionary
mode or whether it should turn back is beyond the scope of this CL.
See https://github.com/nodejs/node-v8/issues/160
Bug: v8:10479
Change-Id: Ie62c80495d4f4494eeb3a16b5bfe02305c0cac95
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2246577
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68357}