This CL changes debug breaks that are triggered via interrupts (i.e.
via stack check). One client of this behavior is the `Debugger.pause`
CDP method.
The problem is that when we pause so early, the JSFunction didn't have
time yet to create and push it's context. This requires special
handling in the ScopeIterator and makes an upcoming change unnecessary
complex.
Another (minor) problem is that local debug-evaluate can't change
context-allocated local variables (see changed regression bug). Since
the context is not yet created and pushed, variables are written to
the DebugEvaluateContext that goes away after the evaluation.
The solution is to mirror what `BreakOnNextFunction` does. Instead
of staying paused in the middle of the function entry, we trigger
a "step in" and pause at the first valid breakable position instead.
This ensures that the function context is already created and pushed.
Note that we do this only in case for JSFunctions. In all other cases
we keep the existing behavior and stay paused in the entry.
R=jgruber@chromium.org
Fixed: chromium:1246907
Change-Id: I0cd8ae6e049a3b55bdd44858e769682a1ca47064
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3854501
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82817}
This implementation sticks closely to what Ignition-to-Turbofan (and now
Sparkplug-to-TF) does. OSR is detected in the TieringManager by having
optimized code available, without having entered it. The osr_urgency is
increased to enable OSR for increasing loop depths. When a candidate
JumpLoop backedge is reached, we call into runtime to trigger OSR
compilation.
JumpLoop also detects the availability of cached OSR'd code. When a
matching OSR code object is available, Maglev 1) deoptimizes s.t. the
unoptimized frame layout is reconstructed, and 2) delegates the actual
OSR tierup to the unoptimized tier. For purposes of 1), we add a new
DeoptimizeReason that causes a one-time eager deopt without invalidating
any code.
Drive-by: Annotate OSR for more --trace-opt output.
Todo: Refactor non-Sparkplug-specific bits of the BaselineAssembler
into a generic spot that both SP and ML can use.
Bug: v8:7700
Change-Id: I6ebab2df8b87f9f70ffb78162a3c1226ec545468
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859850
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82816}
...to honor the {pinned} list under all circumstances.
Drive-by: DEBUG-mode helpers to print FunctionSig and LiftoffRegList
objects to stdout.
Fixed: chromium:1356718
Change-Id: I487db12294f687790cec1d658d7a7d754f3c2f99
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859752
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82815}
This class is only used for heap verification and doesn't need to be
public.
Bug: v8:11708
Change-Id: I9d1750a6f701ed0d9a106f8d93ab3ff82bbf4f3b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3862208
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82814}
Only Internalized and Thin strings should be accessed from the
background. My CL "[compiler] Remove map check in StringRef::length"
removed a check, and, while doing so, made it possible to read Cons
strings in the background, which is incorrect because such strings can
be mutated by the main threads.
Fixed: chromium:1357438
Change-Id: I3a5445f91d10e5ceab62ac208a04be5ed71798ff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3862007
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82813}
Adapted from https://crrev.com/c/3862264.
Add a new teardown trampoline for the case where a Sparkplug function is
deoptimized during its function entry stack check. In these cases, the
stack is in an incomplete setup state, so instead of forwarding to
interpreter re-entry, we undo the partial stack setup and forward to
the standard interpreter entry.
R=leszeks@chromium.org
Bug: chromium:1246907, chromium:1357554
Change-Id: I0795b20cdc60d3ba28bc32cd55bdf82d72f83aac
Also-by: leszeks@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865144
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82811}
Methods are now defined in heap-verifier.h in the HeapVerifier class.
Bug: v8:11708
Change-Id: I13e7f1760598f3659ad6aa31082840caf2e44038
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3857558
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82810}
This CL:
- Separates Wasm frame pointer iteration from TypedFrame iteration
- Introduces the frame StubWithContext that correspond to a TF-optimized
code without JS linkage
- Fixes WasmToJsFrame to be a WasmFrame
- Fixes the hack with JsToWasmFrame that calls TypedFrame when not
the right builtin
- Cleans up TypedFrame::Iterate
Change-Id: Ie238df5188f2e2f081f5353b4538b75b6e79f64a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859787
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82809}
... when deserializing.
EphemeronHashTables require valid HeapObject keys, however
EphemeronHashTables are filled with Smi::uninitialized_deserialization_value
when deserializing. We could fill EphemeronHashTable's elements
with "the initial filler" which is undefined value to make sure
the elements are valid.
Bug: v8:13232
Change-Id: I268cdbd4303fbe9afa2f9a5d8aafcace397c8164
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3864185
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82808}
Add a flag for disabling FastForwardSchedule() during incremental
marking.
This CL disables "schedule fast forwarding" by default to experiment
with this setup for a few days and to see whether this causes
performance regressions.
Bug: v8:12775
Change-Id: Id2c0a62f4b67b3a2379816581800cfb62361b40c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865003
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82806}
This CL adjusts a DCHECK that verifies a bytecode offset when looking
for the closest breakpoint given that offset. When we pause on
function entry via interrupt, then the offset is
kFunctionEntryBytecodeOffset (-1), which is still a valid offset.
R=jarin@chromium.org
Fixed: chromium:1357554
Change-Id: I5b25b58f02be0e605191c38e9d1d93e334664c63
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3862265
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82805}
This is a reland of commit 40901824d7
The reason for revert was regressions in `blink_gc:effective_size`
buckets of `system_health.memory_desktop` benchmarks.
See http://crbug/1356329#c51.
Memory Perf Sheriffs: This CL shifts GC times which regresses
`blink_gc:effective_size` but improves `v8:effective_size` bucket by
a similar amount. The `private_footprint_size` metric stays neutral
for the majority of the stories and for certain load stories it even
improves.
Original change's description:
> [ext-code-space] Enable Code-less embedded builtins
>
> Bug: v8:11880, v8:12592
> Change-Id: I8d3d6ad0a4c26eb1fea2a998ffeddd1d96afa690
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3784593
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Jakob Linke <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82642}
Bug: v8:11880, v8:12592, chromium:1356329, chromium:1356763
Change-Id: Ia9150ecb1f16581e249e4e3e566be20ac4591e78
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3862503
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82803}
Subtract timeZone.[[OffsetNanoseconds]] from epochNanoseconds
before calling the IsValidEpochNanoseconds() for the case of
4. If timeZone.[[OffsetNanoseconds]] is not undefined
Bug: v8:11544
Change-Id: Icea2d8390a9db01054956f8c57b47dc5a88446d4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3855980
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82802}
Shared values need to be kept alive while being conveyed across threads (i.e. by
postMessage). Currently they are meant to be conveyed through the
serializer/deserializer by the embedder via API. This both clunky and
the embedder has no good choice for what to do, because the most natural
choice is v8::Global and it is not designed to be threadsafe.
This CL removes the API and transparently handles conveying shared
values by using a wrapper around PersistentHandles called
SharedValueConveyors. Any isolate can own the conveyor provided it
outlives the receipt of the message by the receiving isolate. For
simpler lifetime management, the shared isolate currently owns all
conveyors.
Bug: v8:12547
Change-Id: I8f71b2faa0f8a1973f8b97ffccf4f5ad230f4e16
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3857453
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82795}
Port c2d46fe966
Original Commit Message:
When a call_indirect fails because of a signature mismatch or a null
target, the value stack generated for debug doesn't contain the target
index anymore, which makes it hard for users to understand the error.
Keep the index on the stack, and ensure that the index is not modified
until we generate the debug info. Previously, the index was shifted
in-place to compute various offsets. Instead, use scaled loads to
compute the offset directly in the load instruction.
R=thibaudm@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N
Change-Id: I6ab0b5bfcac991f6e26a97bb2513556aa67dcf94
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858300
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/main@{#82793}
We follow Chromium and only download the image qemu.x64
Change-Id: I13e06c5646e889af2acfac8c8e9cb971a7a36c56
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858299
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82791}
Port 8a56da4459
Original Commit Message:
... so that the offset fits into the maximum offset for load byte
instruction for arm/arm64 (Ldrb) in order to produce smaller code.
Update code generation so that the loading of the flag value is
combined with the comparison operation where possible.
Additionally, this CL moves the Isolate::is_profiling flag to the
IsolateData so that it can be loaded directly via roots register which
removes one indirection.
The fields moved in the IsolateData:
- is_marking_flag and is_minor_marking_flag (checked by write barriers)
- is_profiling (checked on API callbacks/getter calls)
- stack_is_iterable (not super hot, checked during deoptimization).
the field size expectations clear.
R=ishell@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N
Change-Id: Ibafb23e9a035caffe6921a304a3d318b54732167
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3862227
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#82790}
Accidentally tried to print the colour '-1' if there was no line colour
set yet but the current colour had changed.
Bug: v8:7700
Change-Id: Iba3cbe51fd0e31e389e614d0a42e59147a51b902
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859355
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82789}
System images are checked-out via the SDK update script, these fixed
images are outdated and not used anymore.
Change-Id: I4563e04bd252667a01470363f47bbae2ef17d5c0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859354
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Wez <wez@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82785}
This is a reland of commit c060af4db3
Use LoadFullTagged function instead to avoid test failing
with v8_enable_verify_csa=true.
Original change's description:
> Fix CSA_CHECK failure on BE
>
> The load for external reference should be a full pointer load
> instead of tagged size.
>
> Change-Id: I3460a26abea5053ba6daa5c6ed908cb93431654a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3842348
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Junliang Yan <junyan@redhat.com>
> Cr-Commit-Position: refs/heads/main@{#82625}
Change-Id: I85817634ce2de099a9fbd350defb57789cce9678
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3857442
Commit-Queue: Junliang Yan <junyan@redhat.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82782}
When a call_indirect fails because of a signature mismatch or a null
target, the value stack generated for debug doesn't contain the target
index anymore, which makes it hard for users to understand the error.
Keep the index on the stack, and ensure that the index is not modified
until we generate the debug info. Previously, the index was shifted
in-place to compute various offsets. Instead, use scaled loads to
compute the offset directly in the load instruction.
R=clemensb@chromium.org
Bug: chromium:1350384
Change-Id: Iad5359ec80deef25a69ac119119a0b5ca559a336
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3854309
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82780}
Bump the limit to give TF enough time to finish compiling. The
`keep_going` limit is fairly ugly, but it lets us test the real
(=concurrent) pipeline.
Bug: v8:7700
Fixed: v8:13176
Change-Id: Iba97111d752c8a4894e99ab57e8f42abcc8c29bb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3862204
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82778}
This CL adds lightweight checking to the ExternalPointerTable GC
algorithm to detect double initialization of external pointer fields.
These are forbidden as they interfere with the table compaction
algorithm.
Bug: v8:10391
Change-Id: Id69fdcce883aa86f8e2c456a0fe7a1f011719464
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858228
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82777}
For code pointers, the sandbox will require a custom, lightweight CFI
mechanism (likely based on the external pointer table). Simply turning
all code pointers into ExternalPointers is not sufficient.
This CL therefore turns code pointers back into raw pointers for now so
that they don't block the external pointer table rollout.
Bug: v8:10391
Change-Id: Ib2ba246be546bbf19fcd0f4ae20f4e9a2cf2e099
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859348
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82775}
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.
R=jkummerow@chromium.org
Bug: v8:12887
Change-Id: Ieccf35730f69bcefa3740227f15e05686080d122
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3843517
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82774}
This is the normal state on the main branch, let's not emit this warning
on every build.
Bug: v8:10470
Change-Id: I29744ea7f67881570fa12c249b12f00d2313289c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859851
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82773}
... so that the offset fits into the maximum offset for load byte
instruction for arm/arm64 (Ldrb) in order to produce smaller code.
Update code generation so that the loading of the flag value is
combined with the comparison operation where possible.
Additionally, this CL moves the Isolate::is_profiling flag to the
IsolateData so that it can be loaded directly via roots register which
removes one indirection.
The fields moved in the IsolateData:
- is_marking_flag and is_minor_marking_flag (checked by write barriers)
- is_profiling (checked on API callbacks/getter calls)
- stack_is_iterable (not super hot, checked during deoptimization).
Drive-by: this CL defines the bool fields as uint8_t in order to make
the field size expectations clear.
Bug: v8:11880
Change-Id: I80c292c6ec919861684152b6062225aa0fda2d3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856580
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82771}
This limits the number of DECHECK failures in fuzzing builds that have
no side-effects or security implications.
Bug: chromium:1355059
Change-Id: I909934c62711439f1edd95492b93ee0c582a495d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859751
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82770}