Commit Graph

76803 Commits

Author SHA1 Message Date
Carl Smith
b81b8d803e [fuzzilli] Exit with non-zero value on OOM
Exit with a non-zero exit code on OOM crashes such that Fuzzilli can discard
these samples. Otherwise Fuzzilli treats these as valid samples and adds them
to the corpus.

Bug: v8:10571
Change-Id: Ia450a86288d9c2e8ee1cf0eb57bd8808de2f7dd7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816665
Reviewed-by: Samuel Groß <saelo@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Carl Smith <cffsmith@google.com>
Cr-Commit-Position: refs/heads/main@{#82311}
2022-08-09 15:53:06 +00:00
Anton Bikineev
727e808fb2 cppgc: Enable 2GB cage to speed up compression/decompression
With only 2GB reservation we can make sure that the heap allocated in
such a way, that all the pointer to it have the most significant bit
in the low halfword set. This allows us to quickly distinguish between
normal pointers and nullptr/sentinel when performing sign-extension
inside decompression.

Bug: chromium:1325007
Change-Id: Ie3a653796bb9dc875ec50103e05cb9aaf55515cf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3793614
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82310}
2022-08-09 15:43:03 +00:00
Clemens Backes
61637d8240 [liftoff][x64] Remove redundant check for --debug-code
This check is not needed any more after https://crrev.com/c/3805887.

Plus minor drive-by reformatting.

R=tebbi@chromium.org

Change-Id: I4891b297b5c1a79e11338100a269e4682bc64085
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3805888
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82309}
2022-08-09 15:34:43 +00:00
jameslahm
7e95d21172 [message] Improve IteratorSymbolNonCallable error message
Add the receiver to the IteratorSymbolNonCallable error
message.

Bug: v8:12918
Change-Id: Ib863a357474282ec3723cc4e7e012052979ca2d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813069
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#82308}
2022-08-09 15:32:42 +00:00
Qifan Pan
78f8cb235a [TurboFan] Avoid temporary BigInt objects for wasm calls with i64 arguments
Bug: v8:9407
Change-Id: Id7a04bbdd795bd91a62f3984b760a7f42db96a7f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3803225
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#82307}
2022-08-09 15:08:41 +00:00
Michael Lippautz
6953b5550e [handles] Remove precise on-stack representation of global handles
Since https://crrev.com/c/3806439 on-stack traced handles are marked
conservatively when being used in combination with CppHeap.

This change removes the precise on-stack representation of the
internal traced nodes as they nodes would anyways be marked
conservatively. The effects are:
- cheaper representation (just a single node space);
- uniform handling: no checks to distinguish on-stack vs on-heap;
- no brittleness around cleaning on-stack handles when the event loop
 is empty;

Change-Id: Id859623bfed77a66bdd064ea8065536264515eae
Bug: v8:13141
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3812039
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82306}
2022-08-09 15:04:31 +00:00
Georgia Kouveli
d757c72e09 [compiler] Don't copy blocks in EnsureCFGWellFormedness
This is no longer necessary, because `EnsureSplitEdgeForm` no longer
adds new blocks.

Change-Id: I48daaa556ff1be5c9641b054937699ac401613f9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3810464
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Cr-Commit-Position: refs/heads/main@{#82305}
2022-08-09 14:54:01 +00:00
Qifan Pan
25530fd6fb Reland "Reland "[TurboFan] Support BigIntMultiply""
This is a reland of commit 30ee069059

Avoid terminating from another thread in unit tests to make the termination of optimized bigint multiplication deterministic on windows

Original change's description:
> Reland "[TurboFan] Support BigIntMultiply"
>
> This is a reland of commit ccde420538
>
> Added a test case for terminating optimized bigint multiply and attached frame_state to the runtime call to provide deopt information to determine the throw location
>
> Original change's description:
> > [TurboFan] Support BigIntMultiply
> >
> > Bug: v8:9407
> > Change-Id: Iab0a4ca8dd5d83444d1addd6043a5c8e3a8577a7
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3773773
> > Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> > Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> > Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#82140}
>
> Bug: v8:9407
> Change-Id: Ia691d758265148da1de291365d41c7c1d1f98ddd
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3810391
> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82232}

Bug: v8:9407
Change-Id: I7d04897f4e8f260aba31dbad55ce1263406473d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3819621
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82304}
2022-08-09 14:26:01 +00:00
Tobias Tebbi
c902ce585f Revert "[heap] Handle old-to-new slot promotion to shared heap"
This reverts commit 9cca4e60f1.

Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20-%20debug%20-%20single%20generation/6185/overview

Original change's description:
> [heap] Handle old-to-new slot promotion to shared heap
>
> The GC might promote an in-place internalizable string from new space
> directly into the shared heap. This means that the GC might need to
> create OLD_TO_SHARED slots when updating OLD_TO_NEW slots.
>
> This CL implements this both for minor and full GCs.
>
> Bug: v8:11708
> Change-Id: I6102b9024d1dd5dd602d654b006ea5897ab5baa6
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3804604
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82298}

Bug: v8:11708
Change-Id: I4cfdcff22552ff92ec85497d58021e83a6e038b0
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3819647
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Owners-Override: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82303}
2022-08-09 13:57:21 +00:00
Tobias Tebbi
b833afc63a Revert "Reland "[d8] Dump stack trace on d8 tests timeouts on posix systems""
This reverts commit 55c2566c45.

Reason for revert: msan failures: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/45213/overview

Original change's description:
> Reland "[d8] Dump stack trace on d8 tests timeouts on posix systems"
>
> This is a reland of commit 5592bad963
>
> Disable timeout signal handler with --fuzzing
>
> Original change's description:
> > [d8] Dump stack trace on d8 tests timeouts on posix systems
> >
> > - Add a SIGTERM handler in d8 that dupms the stack trace
> > - Send SIGTERM before SIGKILL in the test runner
> >
> > Bug: v8:13115
> > Change-Id: I75285f33caabab61ff6ae83c1fbc6faf45cf595a
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3791906
> > Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> > Reviewed-by: Igor Sheludko <ishell@chromium.org>
> > Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#82173}
>
> Bug: v8:13115
> Change-Id: I8ddbf2a5e601737c2326384d832902b38c371f81
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816670
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82296}

Bug: v8:13115
Change-Id: Iea5a808f1ba3b06f53568e6b4af6c973a5ba5e1b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3819646
Owners-Override: Tobias Tebbi <tebbi@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82302}
2022-08-09 13:27:19 +00:00
Tobias Tebbi
d6c7b272b3 [builtins] update builtins PGO data for x64
Bug: chromium:1350916

Change-Id: I161dc57506e87b997508b07a0b4f4a206439cb02
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816651
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82301}
2022-08-09 12:02:32 +00:00
Tobias Tebbi
666aa19e9d Revert "[wasm] Enable lazy compilation on --future"
This reverts commit b67385d22f.

Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20no-concurrent-marking/10251/overview

Original change's description:
> [wasm] Enable lazy compilation on --future
>
> This should increase test coverage of lazy compilation.
>
> R=​clemensb@chromium.org
>
> Bug: v8:12852
> Change-Id: I205f4b642576add07db5851126370becdad52fb8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3784597
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82291}

Bug: v8:12852
Change-Id: I7cb5a60aa5cf093c12371877b98c72ad754c5ed3
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3819622
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82300}
2022-08-09 11:33:12 +00:00
Teodor Dutu
703b0b31db [ptr-compr-8gb] Align runtime allocations to 8 bytes
In order to support a larger heap cage (8GB, 16GB), the cage offset
will take up more than 32 bits. As a consequence, for 8GB cages, the
least significant bit of the cage offset will overlap with the most
significant bit of the tagged offset. To avoid this, allocations need
to be aligned to 8 bytes to free up one bit from the offset.
All changes are deactivated behind the build flag
`v8_enable_pointer_compression_8gb`.

Bug: v8:13070
Change-Id: Ibb0bd0177f3e88dcd24fc0ee7526335df0faa987
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3791052
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Teo Dutu <teodutu@google.com>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82299}
2022-08-09 10:37:23 +00:00
Dominik Inführ
9cca4e60f1 [heap] Handle old-to-new slot promotion to shared heap
The GC might promote an in-place internalizable string from new space
directly into the shared heap. This means that the GC might need to
create OLD_TO_SHARED slots when updating OLD_TO_NEW slots.

This CL implements this both for minor and full GCs.

Bug: v8:11708
Change-Id: I6102b9024d1dd5dd602d654b006ea5897ab5baa6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3804604
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82298}
2022-08-09 10:20:10 +00:00
Dominik Inführ
251b550166 [heap] Remove unused traced_pending_phantom_callbacks_
Change-Id: I00acbcac8bbd86b502ef5d921bfcc9b2fa0f3860
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816672
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82297}
2022-08-09 10:17:32 +00:00
Camillo
55c2566c45 Reland "[d8] Dump stack trace on d8 tests timeouts on posix systems"
This is a reland of commit 5592bad963

Disable timeout signal handler with --fuzzing

Original change's description:
> [d8] Dump stack trace on d8 tests timeouts on posix systems
>
> - Add a SIGTERM handler in d8 that dupms the stack trace
> - Send SIGTERM before SIGKILL in the test runner
>
> Bug: v8:13115
> Change-Id: I75285f33caabab61ff6ae83c1fbc6faf45cf595a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3791906
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82173}

Bug: v8:13115
Change-Id: I8ddbf2a5e601737c2326384d832902b38c371f81
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816670
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82296}
2022-08-09 10:16:30 +00:00
Michael Lippautz
186baea13a [heap] Refactorings and cleanups around global handles
Splitting off cosmetics and unrelated test refactorings from a larger
CL reworking traced global handles.

Bug: v8:13141
Change-Id: I675cdbd4898346ab55b0db65d53e992f2eb95744
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816671
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82295}
2022-08-09 10:15:28 +00:00
Dominik Inführ
ddbe396686 [heap] Remove CompletionAction and infer action from StepOrigin
StepOrigin is enough to infer the right completion action: Either
finalization by task (for StepOrigin::kTask) or stack guard
(for StepOrigin::kV8).

Only tests with StepOrigin::kV8 were violating this but they also just
pass when enabling the stack guard.

Bug: v8:12775
Change-Id: I5df50198d8e3612ee97142f84bd497820a5cec78
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816664
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82294}
2022-08-09 10:14:26 +00:00
Jakob Linke
ca33c73e7c [masm] Move tiering logic to macro-assembler
.. since these functions will also be used by Maglev codegen.

Bug: v8:7700
Change-Id: I6fdf830976369aa0dc70ca54be2165a1186eab06
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816666
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82293}
2022-08-09 10:13:24 +00:00
Tobias Tebbi
74d4f133d8 Revert "Reland "[shared-struct] Add Atomics.Condition""
This reverts commit b1020a4345.

Reason for revert: Causes timeout for `condition-workers`: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20debug/40516/overview

Original change's description:
> Reland "[shared-struct] Add Atomics.Condition"
>
> This is a reland of commit e2066ff6bf
>
> Changes since revert:
> - Rebased against c991852491, which
>   uses the external pointer table for the WaiterQueueNode stored
>   in the state field when compressing pointers. This relaxes
>   the alignment requirement of the state field to be 4-bytes when
>   compressing pointers.
> - Moved the state field into the JSSynchronizationPrimitive base
>   class, since alignment and padding can now be made simpler.
>
> Original change's description:
> > [shared-struct] Add Atomics.Condition
> >
> > Bug: v8:12547
> > Change-Id: Id439aef9cab3348171a23378cdd47ede5f4d7288
> > Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_rel_ng,v8_linux64_tsan_rel_ng
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3630350
> > Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> > Reviewed-by: Adam Klein <adamk@chromium.org>
> > Commit-Queue: Shu-yu Guo <syg@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#81734}
>
> Bug: v8:12547
> Change-Id: I638304c3d5722c64bd04708ed4cf84863cdebb81
> Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_rel_ng,v8_linux64_tsan_rel_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3763787
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82278}

Bug: v8:12547
Change-Id: I27c2aeb131f1b68c2240323189db88d552aa92f9
Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_rel_ng,v8_linux64_tsan_rel_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3817187
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Owners-Override: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82292}
2022-08-09 10:12:21 +00:00
Andreas Haas
b67385d22f [wasm] Enable lazy compilation on --future
This should increase test coverage of lazy compilation.

R=clemensb@chromium.org

Bug: v8:12852
Change-Id: I205f4b642576add07db5851126370becdad52fb8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3784597
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82291}
2022-08-09 09:22:32 +00:00
Omer Katz
98faaba5da [heap] Introduce explicit grey to MinorMC.
Mark objects as grey when pushing to worklist and mark as black when
objects are visited.

Bug: v8:12612
Change-Id: I5ad28c4481052f41588f43dc39dd44f132a27dfb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3810467
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82290}
2022-08-09 09:21:30 +00:00
Samuel Groß
37869a0745 Allow GC during Deserializer::PostProcessNewJSReceiver
JSArrayBuffer::Setup may trigger GC during PostProcessNewJSReceiver.
This is Ok if we drop the raw_obj parameter and instead always reference
the object through a Handle.

Bug: v8:13121
Change-Id: I70361b16a48599ff83094d11008f6288a1402c7f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3810342
Auto-Submit: Samuel Groß <saelo@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82289}
2022-08-09 09:09:50 +00:00
v8-ci-autoroll-builder
116e84ef7d Update V8 DEPS (trusted-versions)
Rolling v8/buildtools/linux64: git_revision:9ef321772ecc161937db69acb346397e0ccc484d..git_revision:3d773bba0927e67eae8fdaee5e28b0f6203d3bee

Rolling v8/buildtools/third_party/libc++/trunk: 6c8f712..75bbec9

Rolling v8/buildtools/third_party/libunwind/trunk: 012c343..c38cbd4

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/84a7988..4755386

Rolling v8/third_party/depot_tools: 2cd4823..647cfe6

Rolling v8/third_party/fuchsia-sdk/sdk: version:9.20220728.1.1..version:9.20220808.1.1

Rolling v8/buildtools: 56cc5bc..1453422

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: I497e392a7c7690f422550d966d553b1ffa8a8c76
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816766
Owners-Override: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82288}
2022-08-09 09:07:23 +00:00
Lu Yahan
e71be34361 [riscv][ext-code-space] Add InterpreterEntryTrampolineForProfiling
builtin

Port commit 1067c6accc

Change-Id: Ibbe4aa66f988a55ed4201d87019ac9f31bbfa9cc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3819043
Reviewed-by: Philip Pfaffe <pfaffe@chromium.org>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Commit-Queue: Philip Pfaffe <pfaffe@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82287}
2022-08-09 08:54:40 +00:00
Matthias Liedtke
0cb7e2457b [wasm-gc] Use corresponding null type in gc operator reducer
Bug: v8:7748
Change-Id: I511d5016ae5106a1e4aa148038b3ab2f43da1a6d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3810177
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82286}
2022-08-09 08:42:51 +00:00
Nico Hartmann
97d1ab6c59 Reland "[turbofan] Support Phi nodes in SL Verifier"
This reverts commit 82a876b0cd.

Bug: v8:13086, v8:12619
Change-Id: Idcc42f36b642fefb3ed706214e7385cccc89effc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3779687
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82285}
2022-08-09 08:39:30 +00:00
Qifan Pan
c838539447 [test] Terminate from the current thread
Avoid terminating from another thread in some thread termination
unit tests.

Change-Id: I0f66e49f1f4e7e3d6ec4c614c2cc1afc9fdb0a22
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816663
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82284}
2022-08-09 08:28:51 +00:00
Marja Hölttä
e919941b2b [rab/gsab] Permanently stage --harmony-rab-gsab
TF optimizations are still missing, but otherwise the feature is code
complete; further bugs at this point will be unexpected.

Bug: v8:11111
Change-Id: I21f85f29a3753d21baa0f4f76daa6e69ff46097b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3810466
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82283}
2022-08-09 07:38:52 +00:00
jameslahm
15aa8c589c [runtime] Invalidate TypedArraySpeciesLookupChain protector
... when setting the prototype of TypedArray constructor.

Setting the __proto__ of TypedArray constructor could change TypedArray's
@@species, thus we need to invalidate the @@species protector.

Bug: v8:13110
Change-Id: Ib3b2c88d1136965c221492ff81a26ae69533b356
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813063
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82282}
2022-08-09 05:56:41 +00:00
Lu Yahan
ccc3138e04 [riscv] Fix wasm/externref-globals-liftoff failed
Change-Id: I4671a704fc76063a64ed90c337770ec17fe8e393
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3815778
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#82281}
2022-08-09 03:49:23 +00:00
Samuel Groß
f7c20baea0 [sandbox] Atomically load/store ExternalPointerHandles
Since those are accessed from background threads during marking, they
should generally be loaded and stored using atomic operations. Further,
when an external pointer slot is initialized, the handle should be
stored using release semantics to prevent reordering of the store into
the pointer table after the store of the handle to the object.

Bug: v8:10391, v8:13156
Change-Id: I5c33b4e791482f84e2770cd047a11f5762a0aa65
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3812035
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82280}
2022-08-09 02:42:30 +00:00
Lu Yahan
a271ab14af [riscv] Fix asm atomic op test case failed
Change-Id: I406d211bdac02501b1bfefdf6ebb63b97bb02e44
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3815774
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#82279}
2022-08-09 01:24:40 +00:00
Shu-yu Guo
b1020a4345 Reland "[shared-struct] Add Atomics.Condition"
This is a reland of commit e2066ff6bf

Changes since revert:
- Rebased against c991852491, which
  uses the external pointer table for the WaiterQueueNode stored
  in the state field when compressing pointers. This relaxes
  the alignment requirement of the state field to be 4-bytes when
  compressing pointers.
- Moved the state field into the JSSynchronizationPrimitive base
  class, since alignment and padding can now be made simpler.

Original change's description:
> [shared-struct] Add Atomics.Condition
>
> Bug: v8:12547
> Change-Id: Id439aef9cab3348171a23378cdd47ede5f4d7288
> Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_rel_ng,v8_linux64_tsan_rel_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3630350
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81734}

Bug: v8:12547
Change-Id: I638304c3d5722c64bd04708ed4cf84863cdebb81
Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_rel_ng,v8_linux64_tsan_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3763787
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82278}
2022-08-09 00:22:00 +00:00
Ryan Everett
7f62066e42 [compiler][arm64] Fold SXTW, ASR into a single SBFX instruction
Use a single SBFX instruction for Word64Sar(ChangeInt32ToInt64(x), imm)
when possible.

Using PGO, this improves Speedometer2 by 0.4% on a Cortex-A55 machine,
and 0.27% on a Neoverse-N1 machine.

Change-Id: I6fea5e473f0f0869f8f6cebd9a4e61bb2fc6e9ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3807586
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Rodolph Perfetta <rodolph.perfetta@arm.com>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82277}
2022-08-08 23:05:31 +00:00
Matthias Liedtke
3a639c3bb5 [wasm-gc] Introduce extern null type noextern
noextern is the abstract null type for the extern type.

Bug: v8:7748
Change-Id: I03ac0daf3051f479e096f3d05f4fa7cbf03968f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3810191
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82276}
2022-08-08 18:20:20 +00:00
Dominik Inführ
c1874ac332 [heap] Remove unnecessary IncrementalMarking::EnsureBlackAllocated
We now have different mechanisms for black allocation, for regular
sized objects we will set all mark bits for the LAB. For large
objects we will set the mark bit when initializing that large page.

So when we reach this method, the object is already marked black.

Bug: v8:11708
Change-Id: Ie0f82f78eefe06a25103264098cc59a3ee46d20c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3817742
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82275}
2022-08-08 17:32:38 +00:00
Matthias Liedtke
18105c72d1 [wasm-gc] Introduce function null type nofunc
nofunc is the abstract null type, the equivalent of none but for the
function type hierarchy.
none and nofunc (and later on noextern) all can only represent a null
value, however their nulls are distinct (as there isn't any subtype
relationship between them).

Bug: v8:7748
Change-Id: Ic5ae502cc21a581ca2e0f5abc46139435d950af9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3805884
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82274}
2022-08-08 16:18:22 +00:00
Clemens Backes
e5524920a6 [codegen] Change a few DCHECKs to V8_ASSUMEs
This might or might not give clang-tidy a hint that the reported case
(see issue) cannot happen. It might also generate slightly better code
by giving hints to the compiler.
Note that V8_ASSUME is actually a DCHECK in DEBUG builds, so we do not
loose any checks here.

Some DCHECKs were removed because they are redundant
(RegisterBase::code() assumes to be only called on valid registers).

R=jkummerow@chromium.org

Bug: chromium:1349619
Change-Id: I467e7917a87ec86dd692f0edeed6bb72e0393cc4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3804667
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82273}
2022-08-08 16:16:32 +00:00
jameslahm
df251e4496 [web snapshot] Add verification mode
We should verify the consistency of the objects we produced after deserializing successfully.

Bug: v8:11525
Change-Id: Ieec1aa7112ab6eda0c61a1a9ab78e86ad8352942
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813061
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82272}
2022-08-08 15:47:22 +00:00
Andreas Haas
b9e7db851d [wasm] Fix gc test with lazy compilation
The test-gc cctest loads the WasmCode from the NativeModule and then
executes it. With lazy compilation, the WasmCode object first has to get
generated before it can get loaded.

R=jkummerow@chromium.org

Bug: v8:12852
Change-Id: I83a8a2433ac5d11690c82f07e4ae01ddc979821c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3809811
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82271}
2022-08-08 14:55:52 +00:00
Dominik Inführ
3a25d74c7a [heap] Regroup page flags to improve page flag checks
Keep page flags which are used in the write barrier together in order
to help reduce code size and reduce register usage.

Bug: v8:11708
Change-Id: I42efa1eeb431dea338d65aef0318cba479f2f431
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3811158
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82270}
2022-08-08 14:44:22 +00:00
jameslahm
518de889e5 [maglev] Support CallRuntimeForPair
Bug: v8:7700
Change-Id: Ib27a3a818189acb5c1a1f39543762b3f0fcd9d69
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3815485
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#82269}
2022-08-08 14:29:20 +00:00
Joyee Cheung
90a39679fd [string] handle strings sliced from externalized one-byte strings
...in Runtime_StringToArray.

When a string is sliced from an externalized two-byte string that has
only one-byte chars, String::IsFlat() and
should not call ToOneByteVector() on it and instead we should use

String: :IsOneByteRepresentation() can both be true, while
FlatContent: :IsOneByte() returns false. In this case we
String: :Get() to get the individual characters.
Bug: chromium:1350270
Change-Id: I735408602072279f09b32e1997c97b2900942bdd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813070
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#82268}
2022-08-08 14:28:18 +00:00
Matthias Liedtke
5c9c1d7555 [wasm-gc] Make funcref unrelated to anyref
This change removes the subtyping between funcref and anyref.
Currently, nullref (ref null none) is still a subtype of funcref and externref.
This has to be adapted in a follow-up change introducing nullexternref
(ref null noextern) and nullfuncref (ref null nofunc).

Bug: v8:7748
Change-Id: I77a1b3fef387faf710f7bf7bf9d4655fb600ffdc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3804253
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82267}
2022-08-08 14:27:15 +00:00
Pierre Langlois
f1d1b2f9db [baseline] Reduce jump targets behind --no-deopt-to-baseline flag.
Add a --deopt-to-baseline flag, on by default, which allows returning to
sparkplug code when deoptimizing.

However when we turn this off, no longer deoptimizing to baseline code
means we can omit marking most bytecodes as valid jump targets. Leaving
just OSR and exception handling entry points.

This reduces the baseline code size by ~18% on Arm64.

Bug: v8:13082
Change-Id: I5b5a6679465807d7fe812cb977464167efffa7ab
Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_cfi_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3785006
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/main@{#82266}
2022-08-08 14:26:10 +00:00
Andreas Haas
d9dcca6d2f [wasm] Add lazy compilation metrics for 60s and 120s
In https://crrev.com/c/3811502 metrics for lazy compilation were
introduced that get recorded 5 seconds and 20 seconds after
instantiation. With this CL we record these metrics also 60 seconds and
120 seconds after instantiation.

R=clemensb@chromium.org

Bug: v8:12852
Change-Id: If95a3453f6a8510b567d291158d4119b022c1c9b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3810248
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82265}
2022-08-08 14:25:07 +00:00
Darius Mercadier
588f3b3792 Revert "Move some string allocation functions from Factory to FactoryBase"
This reverts commit 5965c90b3c.

Reason for revert: breaks tree

Original change's description:
> Move some string allocation functions from Factory to FactoryBase
>
> In a subsequent CL, I'll need to do String allocations in Turbofan (in
> the background), where only a LocalFactory is available. By moving
> those string allocation functions to FactoryBase, they will also be
> available in the LocalFactory.
>
> Change-Id: I066bbd4b5016645de183633ef237986e0ae50f5d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3811581
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82262}

Change-Id: I27b4dd06286562ec67e5e6e681e6bcebbff08980
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816662
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Owners-Override: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82264}
2022-08-08 13:36:22 +00:00
ishell@chromium.org
1067c6accc [ext-code-space] Add InterpreterEntryTrampolineForProfiling builtin
... - a code range size agnostic version of InterpreterEntryTrampoline
builtin. The new builtin is fully compatible with the default version
and used as a template for creating interpreter entry trampoline
Code objects when --interpreted-frames-native-stack is enabled.

This CL introduces a new assembler option "position_independent_code"
which affects the way builtin calls are generated.
This mode is enabled only for InterpreterEntryTrampolineForProfiling.

Motivation:

* InterpreterEntryTrampoline uses RelocInfo::CODE_TARGET for calling
  other builtins which requires the code range to be small enough to
  allow PC-relative jumps/calls between Code objects. This is the
  reason why --interpreted-frames-native-stack was not supported on
  arm and might not work on arm64 because the code range is bigger
  than the max PC-relative distance for call/jump instructions.
  The new builtin calls other builtins via builtins entry table which
  makes the code fully relocatable and usable for any code range size.

* RelocInfo::CODE_TARGET requires a target code to be materialized
  as a Code object which contradicts the Code-less builtins goal.

* The --interpreted-frames-native-stack is rarely used in the wild but
  we have to pay the price of deserializing InterpreterEntryTrampoline
  builtin as a Code object which consumes address space in the code
  range and thus limits the number of V8 isolates that can be created
  because of code range exhaustion. Now the pointer compression cage
  becomes the limiting factor instead of the code range.

* We can remove complicated logic of Factory::CopyCode() and respective
  support on GC side.

Bug: v8:11880, v8:8713, v8:12592
Change-Id: Ib72e28c03496c43db42f6fe46622def12e102f31
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3811287
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82263}
2022-08-08 12:50:42 +00:00
Darius M
5965c90b3c Move some string allocation functions from Factory to FactoryBase
In a subsequent CL, I'll need to do String allocations in Turbofan (in
the background), where only a LocalFactory is available. By moving
those string allocation functions to FactoryBase, they will also be
available in the LocalFactory.

Change-Id: I066bbd4b5016645de183633ef237986e0ae50f5d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3811581
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82262}
2022-08-08 12:25:02 +00:00