Commit Graph

68441 Commits

Author SHA1 Message Date
Jakob Gruber
b9f1977196 [small-vector] Hard-crash on failed allocation
.. of the backing store, instead of continuing and silently attempting
to deref nullptr.

Bug: chromium:1198657
Change-Id: I82e51abc4d2f9dfe0de596b082a6f78089af7df8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2824438
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73949}
2021-04-14 10:01:44 +00:00
Victor Gomes
885b1ac91f [x64] Fix allocating large stack space on macOS
Similarly to Windows, on macOS we should touch the memory in a page
when allocating stack space that crosses page boundaries.

Change-Id: I8968805c4abe255123a41d0f63f89d4af509b6c8
Bug: v8:11615
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2825588
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73948}
2021-04-14 09:56:24 +00:00
Toon Verwaest
f6d54b7c10 [sparkplug] Reenable write_protect_code_memory for sparkplug
By using RWX memory to write we've likely managed to avoid the largest
part of the cost on Intel CPUs.

Bug: v8:11420
Change-Id: Ibf571abc136fc97b3e6429fe42ebf4cfc423b458
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2824443
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73947}
2021-04-14 08:46:34 +00:00
v8-ci-autoroll-builder
2bbc2eab27 Update V8 DEPS.
Rolling v8/build: 79006be..b30d9d1

Rolling v8/third_party/aemu-linux-x64: dXMWT4elldlEXvj4YHtc9u0W4YEfTP-KZbIKpA75-7MC..81MEiC7zu9wgtKKP_jHorqj5uRmgBSx04zU75G1PX8YC

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/8680ff0..6cb38d7

Rolling v8/third_party/depot_tools: 057831e..f9d141a

Rolling v8/tools/clang: 7168936..633b99a

Rolling v8/tools/luci-go: git_revision:cbabdf2ff62e64e99bfdf57ab5625d3da3eb5db9..git_revision:de0691397dd4daa4ae63d308fe911bb6ee8630d6

Rolling v8/tools/luci-go: git_revision:cbabdf2ff62e64e99bfdf57ab5625d3da3eb5db9..git_revision:de0691397dd4daa4ae63d308fe911bb6ee8630d6

Rolling v8/tools/luci-go: git_revision:cbabdf2ff62e64e99bfdf57ab5625d3da3eb5db9..git_revision:de0691397dd4daa4ae63d308fe911bb6ee8630d6

TBR=v8-waterfall-sheriff@grotations.appspotmail.com

Change-Id: Iffe657ca45beccf7379237650b0cd8574b55b836
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2824104
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#73946}
2021-04-14 03:58:01 +00:00
Yuki Shiino
ceb8e42b87 [fastcall] Support FastApiCallbackOptions::CreateForTesting
https://crrev.com/c/2817958 is going to support artificial
calls of NoAllocDirectCall for a testing purpose, and this
new API will be used there.

Change-Id: If47ba080eede96e91ba60b89ff502dd3d3e34b93
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2822188
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73945}
2021-04-14 03:39:21 +00:00
Ng Zhi An
a9cd53c74d [x64][ia32] Move more AVX_OP into SharedTurboAssembler
We add one more member function template to AvxHelper to allow one new
way of calling:

- Andps(x, y, z) -> vandps(x, y, z), andps(x, z) && x == y

Clean up a bunch of places where we need to pass an int literal as a
byte.

Unfortunately we cannot define Movq using AVX_OP. Because of the way
movq is defined in the assembler, using function templates, there are
versions of movq with 1 argument defined. That is not a valid
instruction (but is valid for `dec`). We end up selecting
vmovq(XMMRegister, Register) and movq(XMMRegister), which is not valid.

Bug: v8:11589
Change-Id: I45e3bc213d93ece7f65da8eb1e3fa185aec4c573
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2815560
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73944}
2021-04-14 00:14:30 +00:00
Ng Zhi An
9d3f354527 [wasm-simd][ia32][x64] Fix swizzle with constant masks
We optimized swizzle with constant mask, but failed to actually swizzle
using the masks...

Bug: v8:10992
Change-Id: If655fdad1e17e92b62e8a2eaabbf1f8d82e4d5e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2822951
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73943}
2021-04-13 22:49:36 +00:00
Ng Zhi An
3844a6bdcc [x64][ia32] Reconcile supported extensions
This is similar in spirit to https://crrev.com/c/2808621, which is to
ensure that no matter what combination of --[no-]enable-{extension} flag
is passed, we end up with a set of supported extensions that make sense.

The 2 rules are:

- If a newer extension is supported (SSE4_2), older extensions are
supported (SSE4_1, SSSE3, SSE3),
- If an older extension is not supported (SSE4_1), new extensions are
not supported (SSE4_2, AVX)

Tests have been added to both ia32 and x64 to check that we follow these
above 2 rules.

We change the ProbeImpl to have a reconciliation step to ensure that we
stick to the 2 rules.

E.g. if --enable-avx --no-enable-sse4-2, we will first set AVX to
supported, then in the second step, fix-up AVX to unsupported. In this
sense, the --no version of the flags take priority. This more accurately
follows the intention of the flags.

Bug: chromium:1195579
Change-Id: I0390f24de9d203fe6bbd4cc02a23771a1f052618
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2818570
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73942}
2021-04-13 22:05:26 +00:00
Luis Fernando Pardo Sixtos
7cc6127b6a Fix for Issue 10782: Bug in semantics of ArraySetLength.
Added a comparison to throw a TypeError when the "enumerable"
field of the new descriptor doesn't match the one of the old descriptor.

Bug: v8:10782
Change-Id: I2f1acf215e597b85be5d29e22c006cbd79afcb47
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2818067
Commit-Queue: Luis Fernando Pardo Sixtos <lpardosixtos@microsoft.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73941}
2021-04-13 16:31:13 +00:00
Jochen Eisinger
1142ac1a44 v8::Object::CreateDataProperty shouldn't execute for regular objects
Bug: chromium:728583
Change-Id: I0d88b7516d053f2024a43bed84843ee47e06cd42
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2823697
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73940}
2021-04-13 16:30:08 +00:00
Victor Vianna
2da4212225 Revert "[wasm] Enable wasm threads by default in V8"
This reverts commit 6ec52d9026.

Reason for revert: Caused failure on Chromium android-asan bot. More info in crbug.com/1198565.

Original change's description:
> [wasm] Enable wasm threads by default in V8
>
> Finer grained control of platforms that support threads are
> enforced by chromium.
>
> Bug: chromium:1167733
> Change-Id: Ic34a4950aebf6ba394053b79df97b703af333636
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2810190
> Reviewed-by: Lutz Vahl <vahl@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73919}

Bug: chromium:1167733
Change-Id: I8a7740c70c227dea42de5a54bb1cfa07fc139098
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821704
Auto-Submit: Victor Vianna <victorvianna@google.com>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#73939}
2021-04-13 16:25:11 +00:00
Camillo Bruni
c0e7d6b6fe [samples] Add cbruni as owner
Change-Id: I5b5024fdcf4806b6e91112448db3c334f9ede48b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821957
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73938}
2021-04-13 15:32:28 +00:00
Patrick Thier
5f49bbdf84 [test][sparkplug] Test Ignition -> Sparkplug OSR
- Add %BaselineOsr to manually trigger OSR to Baseline.
- Add flags to %GetOptimizationStatus to check if the topmost frame is
an Interpreter/Baseline frame.
- Add mjsunit test.

Bug: v8:11420
Change-Id: Id80421ad97ee719a67ef299cc700da9c44f23bae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814567
Auto-Submit: Patrick Thier <pthier@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73937}
2021-04-13 14:51:28 +00:00
Junliang Yan
7de9631d57 s390x: enable liftoff testing
Change-Id: I35c08f9d64210f0ddbedd2c394f59bc3cb5180fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821635
Commit-Queue: Junliang Yan <junyan@redhat.com>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73936}
2021-04-13 14:06:09 +00:00
Santiago Aboy Solanes
53f0698ddd [compiler] Perform accessors atomically only if concurrent marking is on
From the concurrent compiler's perspective, we can perform those
read/writes non-atomically and have wider TSAN coverage. The concurrent
marker, however, needs them to be atomic.

Bug: v8:7790
Change-Id: I96897f4f6237c90da018ec89be838aae894c24bc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817538
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73935}
2021-04-13 14:04:28 +00:00
Liu Yu
db8ef77a4e [mips] Allowing map word to be used for other state in GC header.
Port: 5e0b94c4dc

Bug: v8:11624
Change-Id: I0b462dceaf4b155bf662e4fb9204a237c252b4ec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2822273
Auto-Submit: Liu yu <liuyu@loongson.cn>
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/master@{#73934}
2021-04-13 10:39:18 +00:00
Andreas Haas
9e76247ae8 [wasm][x64] Use the cmov instruction for WebAssembly's Select
R=thibaudm@chromium.org, jgruber@chromium.org

Bug: v8:10740
Change-Id: Iceb20f00f6f8505885856400a0c0228708ff3979
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2807610
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73933}
2021-04-13 10:37:08 +00:00
Thibaud Michaud
6d80e61215 [regalloc] Stop search for intersections earlier
When looking for intersections between the current range and inactive
range, we can stop the search as soon as the inactive range's next start
is past the current range's end position. We know that subsequent
inactive ranges cannot intersect either, because they are ordered by
their next start.

R=sigurds@chromium.org

Bug: chromium:986862
Change-Id: I249a781be281abc7b438f31848f5d6cb3a25303f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821434
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73932}
2021-04-13 10:25:38 +00:00
Sara Tang
41fb9f9724 [diagnostics] Fix macos system instrumentation for ios-sim
Original CL: https://chromium-review.googlesource.com/c/v8/v8/+/2807157

Bug: v8:11043
Change-Id: I49d29323bf3ae6ede7e48e63645f4ee0a750c83e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2818573
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Sara Tang <sartang@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#73931}
2021-04-13 10:23:18 +00:00
Benedikt Meurer
6165fef8cc [api] Remove previously deprecated Function::GetDisplayName().
The method was scheduled for removal in M92, as finaly part of the
fn.displayName support removal.

Fixed: chromium:1177685
Doc: https://bit.ly/devtools-function-displayName-removal
Change-Id: I243dd6c9849a6f39e76dd003300b639bfd8df604
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821954
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73930}
2021-04-13 09:49:48 +00:00
Camillo Bruni
670be6aedc [runtime] Mark more methods const on Isolate and Heap
Bug: v8:11263
Change-Id: I320a75b8819353ab7af5bf7608329e6f0a7a66ca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821544
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73929}
2021-04-13 08:01:17 +00:00
Maya Lekova
930f26549f [turbofan] Move large array allocation bailout earlier
The CanAllocateArray used to be executed during JSCreateLowering,
leading to bailouts when large arrays are passed as arguments to
an async function or a bound function. This meant that
JSCreateAsyncFunctionObject or JSCreateBoundFunction will reach
JSGenericLowering, where they are not lowered. This CL moves
the checks earlier in the pipeline during JSNativeContextSpecialization
and JSCallReducer respectively, so that those operators are not
created at all in such cases and we bail out to the runtime instead.

Bug: v8:11564
Change-Id: I232ce7d9378730ae0cc8690e52fde840a484e069
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2807609
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73928}
2021-04-13 06:48:57 +00:00
Manos Koukoutos
524f41db67 [wasm] Remove multivalue feature flag
Multivalue has been shipped for a while now, so it is time to remove
its experimental feature flag.

Additional change: Set kV8MaxWasmFunctionReturns to the old
kV8MaxWasmFunctionMultiReturns value.

Change-Id: I5c4d33b036e64a7221de17f0e97119bb0a036838
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817790
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73927}
2021-04-13 06:35:34 +00:00
v8-ci-autoroll-builder
3a407f7b2b Update V8 DEPS.
Rolling v8/build: 563f147..79006be

Rolling v8/third_party/aemu-linux-x64: _EJXYI9PIL6jmQi9nGYfsMiQZf2CFqi_hE7uUCqpScAC..dXMWT4elldlEXvj4YHtc9u0W4YEfTP-KZbIKpA75-7MC

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/ab687ea..8680ff0

Rolling v8/tools/clang: 006bc90..7168936

Rolling v8/tools/luci-go: git_revision:f784260b204b2d93c7bd6d1a619f09c6822e5926..git_revision:cbabdf2ff62e64e99bfdf57ab5625d3da3eb5db9

Rolling v8/tools/luci-go: git_revision:f784260b204b2d93c7bd6d1a619f09c6822e5926..git_revision:cbabdf2ff62e64e99bfdf57ab5625d3da3eb5db9

Rolling v8/tools/luci-go: git_revision:f784260b204b2d93c7bd6d1a619f09c6822e5926..git_revision:cbabdf2ff62e64e99bfdf57ab5625d3da3eb5db9

TBR=v8-waterfall-sheriff@grotations.appspotmail.com

Change-Id: I73becb94dcd7fba838472e99d0bb9202146b221f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2822914
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#73926}
2021-04-13 03:56:04 +00:00
Yahan Lu
10f5f9ca75 [riscv64] Clean todo comment
Clean todo comment in constant-riscv64.h about PCRelativeJumpRange.

Change-Id: I9067134e96e4801fbd1f976d0e5d033085d5f133
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817975
Reviewed-by: Brice Dobry <brice.dobry@futurewei.com>
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/master@{#73925}
2021-04-13 01:01:13 +00:00
Shu-yu Guo
153f2cea8b [ptr-cage] Deprecate Symbol::Description() in favor of Symbol::Description(isolate)
With a shared cage, there's no easy way to recover an Isolate from a
heap pointer. Symbol::Description relies on RO symbols' description slot
being uncompressed so a Handle could point to it. This isn't possible
with a shared cage without going through TLS to get an Isolate for
Handle construction, so deprecate the method in favor of one that takes
an Isolate directly.

Bug: v8:11460
Change-Id: I69b2b7d77f4c00d0f58954cd80e22cba5ff222e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2802860
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73924}
2021-04-12 20:23:53 +00:00
Milad Fa
fb533e8dda PPC/s390: Allowing map word to be used for other state in GC header.
Port 5e0b94c4dc

Original Commit Message:

    This CL adds features to pack/unpack map words.

    Currently V8 cannot store extra metadata in object headers -- because V8
    objects do not have a proper header, but only a map pointer at the start
    of the object. To store per-object metadata like marking data, a side
    table is required as the per-object metadata storage.

    This CL enables V8 to use higher unused bits in a 64-bit map word as
    per-object metadata storage. Map pointer stores come with an extra step
    to encode the metadata into the pointer (we call it "map packing").
    Map pointer loads will also remove the metadata bits as well (we call it
    "map packing").

    Since the map word is no longer a valid pointer after packing, we also
    change the tag of the packed map word to make it looks like a Smi. This
    helps various GC and barrier code to correctly skip them instead of
    blindly dereferencing this invalid pointer.

    A ninja flag `v8_enable_map_packing` is provided to turn this
    map-packing feature on and off. It is disabled by default.

    * Only works on x64 platform, with `v8_enable_pointer_compression`
      set to `false`

R=wenyu.zhao@anu.edu.au, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N

Change-Id: I4a13093e7b20bb38990d947c697008a920cfe715
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821649
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73923}
2021-04-12 20:00:03 +00:00
Michael Lippautz
224b7f079c cppgc: Fix trace performance benchmark
Bug: v8:11635
Change-Id: I71c5542a503ca4b94fc3c8746e96fb0bc4e6c1f8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2822628
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73922}
2021-04-12 19:31:33 +00:00
Junliang Yan
3540e4f511 s390x: [liftoff] implement emit_smi_check
Change-Id: Icb0d165c97e4a08d4111dd1ad0e1402f4a28746f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821634
Reviewed-by: Milad Fa <mfarazma@redhat.com>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73921}
2021-04-12 19:05:43 +00:00
Jochen Eisinger
eacdf599c2 Add assertions that Object::SetPrototype doesn't throw
It's used when setting up the context snapshot for blink, so we want to
be sure that it doesn't execute script.

Bug: chromium:728583
Change-Id: I46507e18d178e6473dd10348a9f253016a9178b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2807615
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73920}
2021-04-12 18:22:05 +00:00
Deepti Gandluri
6ec52d9026 [wasm] Enable wasm threads by default in V8
Finer grained control of platforms that support threads are
enforced by chromium.

Bug: chromium:1167733
Change-Id: Ic34a4950aebf6ba394053b79df97b703af333636
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2810190
Reviewed-by: Lutz Vahl <vahl@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73919}
2021-04-12 18:19:13 +00:00
Thibaud Michaud
a04c6680e5 [wasm] Fix interpreter EH stack height bug
R=ahaas@chromium.org

Bug: chromium:1197408
Change-Id: I9a9ede5cf141cd7d19b67438465bcba35e2b87f6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821543
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73918}
2021-04-12 18:00:33 +00:00
Andreas Haas
db0be02d69 [turbofan][arm64] The input count for selects is not fixed
The existing code assumes that the number of inputs is fixed to 4.
However, the fuzzer says that at least 5 inputs are also possible.
This CL makes the number of inputs more flexible.

CC=sam.parker@arm.com

Bug: chromium:1197393
Change-Id: I487ac96570b96f04b4d0a47065e7b383ba39016f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821435
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73917}
2021-04-12 17:55:23 +00:00
Shu-yu Guo
3ada6f2740 [ptr-cage] Introduce PtrComprCage
The pointer compression cage is the virtual memory reservation
that all compressed pointers fall within. This CL splits pointer
compression into two modes: a per-Isolate cage and a shared cage
among multiple Isolates.

When multiple Isolates are sharing a cage, they can decompress
each others' pointers and share the same virtual memory range.

Bug: v8:11460
Change-Id: I7b89b7413b8e7ca6b8b6faafd083dc387542a8b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2783674
Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73916}
2021-04-12 17:49:43 +00:00
Wenyu Zhao
5e0b94c4dc Allowing map word to be used for other state in GC header.
This CL adds features to pack/unpack map words.

Currently V8 cannot store extra metadata in object headers -- because V8
objects do not have a proper header, but only a map pointer at the start
of the object. To store per-object metadata like marking data, a side
table is required as the per-object metadata storage.

This CL enables V8 to use higher unused bits in a 64-bit map word as
per-object metadata storage. Map pointer stores come with an extra step
to encode the metadata into the pointer (we call it "map packing").
Map pointer loads will also remove the metadata bits as well (we call it
"map packing").

Since the map word is no longer a valid pointer after packing, we also
change the tag of the packed map word to make it looks like a Smi. This
helps various GC and barrier code to correctly skip them instead of
blindly dereferencing this invalid pointer.

A ninja flag `v8_enable_map_packing` is provided to turn this
map-packing feature on and off. It is disabled by default.

* Only works on x64 platform, with `v8_enable_pointer_compression`
  set to `false`

Bug: v8:11624
Change-Id: Ia2bdf79553945e5fc0b0874c87803d2cc733e073
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2247561
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73915}
2021-04-12 17:34:13 +00:00
Junliang Yan
71d0a9dde5 s390x: [liftoff] implement AtomicXor
Change-Id: Ic7ed7938527dcf32d856a965da86a33cd713b83d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821630
Reviewed-by: Milad Fa <mfarazma@redhat.com>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73914}
2021-04-12 17:06:43 +00:00
Ross McIlroy
08f4771e6b [TurboProp] Move CHECKS back to DCHECKS in mid-tier-regalloc
BUG=chromium:1180335

Change-Id: Ic6e4d18595b1003a036d247e8b11b03fcdae9b01
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821538
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73913}
2021-04-12 16:48:24 +00:00
QiuJi
ed9fc67e33 [riscv64] Optimize load and store with offset
Refs: https://bugs.chromium.org/p/v8/issues/detail?id=11628
Change-Id: Ia651b14acd6fc3293abddbe5e49277d8dadb19ba
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814563
Reviewed-by: Brice Dobry <brice.dobry@futurewei.com>
Commit-Queue: Brice Dobry <brice.dobry@futurewei.com>
Cr-Commit-Position: refs/heads/master@{#73912}
2021-04-12 16:43:23 +00:00
Santiago Aboy Solanes
f2b4272dae [compiler] Perform Map::bit_field_3 non-release/acquire if possible
We have to have special rules for bit_fields since we multiple accesors
touch the same field. I used:
 * If the accessor is set at map initalization time only and:
   * only the main thread accesses it: non-atomic write/read
   * bg accesses it too: non-atomic write, relaxed read (read has to be
     relaxed due to the whole bit_field being modified concurrently via
     other bit_field3 accessors)
 * If the accessor is set after map initialization:
   * but it is not necessary for synchronization: relaxed write/read
   * If the accessor is needed for synchronization: release/acquire

As a note, Map::NumberOfOwnDescriptors are the bits accessed by the
concurrent marker. For concurrent marker reasons it can be relaxed, but
we would like it to be release/acquire for the compiler since that's
where we synchronize Maps with adding descriptors to the descriptor
array.

Bug: v8:7790, chromium:1150811
Change-Id: I0ba7d2f8cb81d65a487970b4ea0bfa2a4cb3a975
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773286
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73911}
2021-04-12 16:10:33 +00:00
Camillo Bruni
e101c057af [logging] Add runtime-call-stats compile-time flag
Make runtime-call-stats a compile-time flag. Disabling RCS saves roughly
1MB binary size on 64bit systems and yields minor performance
improvements.

Bug: v8:11299
Change-Id: Ia1db75e330a665db5251b685c164b96857e38d2d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2799766
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73910}
2021-04-12 15:53:03 +00:00
Georg Neis
fd29e246f6 [compiler] Fix bug in RepresentationChanger::GetWord32RepresentationFor
We have to respect the TypeCheckKind.

Bug: chromium:1195777
Change-Id: If1eed719fef79b7c61d99c29ba869ddd7985c413
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817791
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73909}
2021-04-12 15:02:33 +00:00
Yahan Lu
f87baad0f8 [riscv64] Add call builtin info in simulator
Skip wasm/simd test for riscv64
    Add buitin info when call a builtin.
    Port 064ca18ca2

Change-Id: I1150de98a95231abf9d5def9e95ad38a8a42bbb3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814128
Reviewed-by: Brice Dobry <brice.dobry@futurewei.com>
Commit-Queue: Brice Dobry <brice.dobry@futurewei.com>
Cr-Commit-Position: refs/heads/master@{#73908}
2021-04-12 14:25:53 +00:00
Junliang Yan
c74e48b0a1 s390x: [liftoff] implement AtomicOr
Change-Id: Ia49c840d5e87554dd28222ba96dcba860a21d051
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821648
Reviewed-by: Milad Fa <mfarazma@redhat.com>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73907}
2021-04-12 14:20:05 +00:00
Mike Stanton
5636d54c15 [compiler] Handle Dead nodes in ShouldUseCallICFeedback
If a loop is removed in dead code elimination, we may have a dead node
in the control chain. This wasn't expected, and endless recursion could
result.

Bug: chromium:1196185
Change-Id: Id6d69d0eaed11b0c6158b5643d3433b11611af59
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817792
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73906}
2021-04-12 12:47:43 +00:00
Maya Lekova
727c648994 [fastcall] Mark test as incompatible with deopt_fuzzer
This CL makes more assumptions in the fast-api-call mjsunit test
explicit and specifies --deopt-every-n-times=0 for it, as it relies
on particular optimization/deoptimization sequences. It also fixes an
inconsistency between the fast/slow path results.

Bug: v8:11620
Change-Id: I385949a04534cd1658236878875efa6622936bc5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817607
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73905}
2021-04-12 12:27:43 +00:00
Andreas Haas
15bf851978 [wasm] Set thread-in-wasm flag correctly after stack unwinding
In Isolate::UnwindAndFindHandler(), the thread-in-wasm flag was set
before the destructor of some objects in that function got executed,
e.g. the destructor of {WasmCodeRefScope}. On Windows-asan, these
destructors could throw exceptions (asan on Windows uses exceptions for
its memory access tracking), which get handled initially by the wasm
trap handler, and would thereby invalidate the thread-in-wasm flag.

With this CL a new scope gets introduced which makes sure that setting
the thread-in-wasm flag is the last thing that happens in
Isolate::UnwindAndFindHandler().


Bug: chromium:1195595
Change-Id: If9f5f486c55b3bc2718a1d5aee3e3bd290d0ff35
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817598
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73904}
2021-04-12 11:24:42 +00:00
Georg Neis
02f84c745f [compiler][x64] Fix bug in InstructionSelector::ChangeInt32ToInt64
Bug: chromium:1196683
Change-Id: Ib4ea738b47b64edc81450583be4c80a41698c3d1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2820971
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73903}
2021-04-12 10:05:42 +00:00
Jakob Gruber
1e4b1c521a [arm] Stricter checks for 24-bit immediates
Several spots in arm codegen require 24-bit integers; since getting
this wrong is usually a security problem, let's change these DCHECKs
into CHECKs.

Bug: chromium:1197363
Change-Id: I277dc8fe4771adae89375adbe19a33d2c9f6783c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2820972
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73902}
2021-04-12 09:25:42 +00:00
Camillo Bruni
854f704e06 [api] Improving ablation API
Bug: chromium:1193459
Change-Id: I6d9dace9341e96f2586a469d7e16bfa38bf68029
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2810845
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73901}
2021-04-12 09:16:52 +00:00
Marja Hölttä
a5ce9ac6b1 [web snapshot] Deduplicate SFIs
The de-duplication happens when
1) we have a JSFunction for an outer function and a JSFunction for its
inner function in the snapshot and
2) we call the outer function again after deserializing

Expectation: the created JSFunction for the inner function uses the
SFI which was created when deserializing.

Bug: v8:11525
Change-Id: I80933514873e857452585317248fa34913d8d8e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2794438
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73900}
2021-04-12 08:50:52 +00:00