The Runtime_WasmCompileLazy function was returning a ptr-sized address,
wrapped in an Object. This worked because no GC is triggered between the
return from the runtime function and the point where we jump to the
returned address.
In a pointer-compressed world though, generated code assumes that all
objects live in the same 4GB heap, so comparisons only compare the lower
32 bits. On a 64-bit system, this can lead to collisions where a
comparison determines that the returned address equals a heap object,
even though the upper 32 bits differ.
This happens occasionally in the wild, where the returned function entry
pointer has the same lower half as the exception sentinel value. This
leads to triggering stack unwinding (by the CEntry stub), which then
fails (with a CHECK) because there is no pending exception.
This CL fixes that by returning a Smi instead, which is the offset in the
jump table where the kWasmCompileLazy builtin should jump to. The
builtin then gets the jump table start address from the instance object,
adds the offset that the runtime function returned, and performs the
jump.
We do not include a regression test because this failure is very
spurious and hard to reproduce.
R=jkummerow@chromium.org
Bug: chromium:1311960
Change-Id: I5a72daf78905904f8ae8ade8630793c42e223984
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3663093
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80729}

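A constructed model of the collision described in the commit message above, added here as an illustration and not V8's own code: the cage base, sentinel address and jump-table addresses are made-up values, and V8's tagging scheme (Smi low bit 0, HeapObject pointer low bit 1) is assumed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the collision described above; illustration code,
 * not V8's own. Cage base, sentinel and jump-table addresses are made up.
 * Assumed V8 tagging: Smi has low bit 0, HeapObject pointer has low bit 1. */
#define CAGE_BASE 0x00007f0000000000ULL
#define EXCEPTION_SENTINEL (CAGE_BASE + 0x12345679ULL) /* HeapObject, low bit 1 */

/* Pointer-compressed equality: generated code compares the lower 32 bits. */
static bool compressed_equal(uint64_t a, uint64_t b) {
  return (uint32_t)a == (uint32_t)b;
}

/* CEntry's check after a runtime call: true means "unwind, exception pending". */
static bool centry_should_unwind(uint64_t result) {
  return compressed_equal(result, EXCEPTION_SENTINEL);
}

/* Old: Runtime_WasmCompileLazy returns the raw entry address. An address outside
 * the 4GB cage whose lower half equals the sentinel's is misread as an exception. */
static bool old_return_triggers_unwind(uint64_t entry_address) {
  return centry_should_unwind(entry_address);
}

/* Fixed: return a Smi holding the jump-table offset (low bit 0, never a HeapObject). */
static uint64_t make_smi(uint32_t value) { return (uint64_t)value << 1; }

static bool new_return_triggers_unwind(uint32_t jump_table_offset) {
  return centry_should_unwind(make_smi(jump_table_offset));
}

/* The builtin adds the Smi's offset to the instance's jump-table start and jumps. */
static uint64_t resolve_jump_target(uint64_t jump_table_start, uint64_t smi) {
  return jump_table_start + (smi >> 1);
}

int main(void) {
  uint64_t colliding = 0x0000560012345679ULL; /* same lower 32 bits as sentinel */
  printf("old: unwind=%d  new: unwind=%d\n",
         old_return_triggers_unwind(colliding),
         new_return_triggers_unwind(0x091A2B3Cu));
  return 0;
}
```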
The Wasm C API currently disables dynamic tiering, in order to have
deterministic behaviour for serialization of Wasm modules.
As dynamic tiering is now shipped, the C API should follow as well.
Serialization of a Wasm module now just serializes the current state, so
embedders are responsible for warming up a module before serializing it.
If requested, we can add an internal API to enforce full tier-up of all
functions, but we will leave that for later.
R=ahaas@chromium.org, jkummerow@chromium.org
Bug: v8:12899
Change-Id: I55df63f0b6c1f285e4983f9f7d5fb66aa41637bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3660261
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80727}

Math between disparate enums is deprecated. Use constexprs instead.
This requires switching some caller code to work with the new non-enum
constants also.
Bug: chromium:1284275
Change-Id: Ifb3c8757ed62e2a0966120f830f0a7e282b53a16
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3661148
Auto-Submit: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Peter Kasting <pkasting@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80722}

We can check map validity cells for Sminess without checking their
value, since their value as a Smi (and not a Cell) should always be
"valid".
Change-Id: Ie73079107144e352c358c0ec42abd0c10bdcf73a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3663090
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80721}

Clean up a couple of the StoreHandler methods returning Builtins to
directly return the Code object, so that it can be used as a handler
straight away without having to go via the MakeCodeHandler helper (which
wasn't making anything anymore).
Change-Id: I4976829d25e2bdad0cf41088b76121ac9b500cd5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3663083
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80720}

Stop the unmapper tasks before running a full GC. This ensures that all
freed memory is actually reusable in the following full GC. We also need
to keep freed pages around until after the GC in order to be able to
perform page flags checks on them when updating pointers. However,
when unmapper tasks are still running pages freed during the GC may be
unmapped too early.
Bug: chromium:1327132
Change-Id: I4fde7853b987975ae6ef304e89c53eb20b004d55
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3660247
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80718}

The phase is generally sub-ms. What's left as a follow up is to remove
the finalization step that schedules a finalization step (including
embedder callbacks) through a stack guard.
Bug: v8:12775
Change-Id: I35f36e5ba07f9acb4e92acf2a414559ccd6ad9bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3663081
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80716}

Print the function, bytecode and feedback vector of any function we
attempt to compile with maglev while any of the printing flags are
enabled.
Bug: v8:7700
Change-Id: I92831fbd6c687e10afee7e0698ef2c42d11c63ee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3663085
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80715}

Due to differences in compiler versions and optimization levels,
std::floor treats snan differently, as do std::ceil and std::trunc.
So the implementation of some instructions is sometimes inconsistent
with the physical machine. We add extra processing to them.
Besides, fix a Loong64Debugger::Debug error in the simulator: IsTrap
returns true only if a break is encountered.
Change-Id: I240d91ed658645a2453162107b6dd172735fbfef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3661259
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Auto-Submit: Liu Yu <liuyu@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#80714}

Instead of invoking both the generational and marking barrier
explicitly, we can just invoke the combined barrier which does both
for us.
Also, we simply use the full write barrier for all writes in the
deserializer. While we could avoid the generational barrier in a few
cases, this only costs us a single predictable untaken branch without
an additional load.
Bug: v8:11708
Change-Id: Iebd0af06efe42a3ac4e5725131362600ab16bc7a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3662900
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80712}

Disable --always-use-string-forwarding-table when --shared-string-table
is set.
With --shared-string-table we can have parallel GCs in multiple client
isolates. With --always-use-string-forwarding-table we can have young
generation strings in the forwarding table, requiring table updates when
the string gets promoted. This is not supported for parallel GCs.
This CL also reverts the incorrect attempt to fix an issue with this flag
combination introduced in https://crrev.com/c/3650719.
Bug: v8:12877, v8:12007
Change-Id: I49a2aa300af36b82007a7d215afe9a70ac1ce39e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3660258
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80710}

Previously the LookupIterator ignored private symbols
(including private names) for the access check. This patch
removes these exceptions so that they are always checked.
Drive-by: removes the unused should_throw parameter in
Runtime::DefineObjectOwnProperty().
Bug: chromium:1321899
Change-Id: I9677b1e377f01d966daa1603eee1ed9535ffab92
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3623419
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#80700}

Fix requesting an Int32 from a tagged value that was already converted
to Float64 (because it was on one side of Number feedback but was itself
a Smi), and DoubleRegister locations in deopts.
Bug: v8:7700
Change-Id: I01615a6c520c9e086f3544c2656aa04bf3fc1eaa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3660254
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80698}

My previous change https://crrev.com/c/3597106 led to some performance
regressions in time spent on parsing and compilation. Those regressions
might be due to increasing the reuse of old top-level
SharedFunctionInfos. If the top-level SFI is old enough that its
bytecode can be flushed, then perhaps other SFIs within the script have
already been flushed. In that case, discarding information from a
background compilation or code cache deserialization could be harmful.
Bug: v8:12808, chromium:1325566, chromium:1325567, chromium:1325601
Change-Id: Ia7651bed86eecdbef8878e6132b894ed10163cdc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657472
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80697}

This was an oversight in https://crrev.com/c/3557234, which led to a
really weird developer experience: once a `window.onerror` handler was
installed, typing into the Console or other side-effect free debug
evaluations triggered this handler.
Fixed: chromium:1328008
Bug: chromium:1295750
Change-Id: I4029ff19ceb7cfe0a8eb6afff19c3ef9a4a82e25
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3660253
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80696}

It sometimes meant just the field and sometimes the computed byte
length. This rename makes it less confusing.
Bug: v8:11111
Change-Id: I64bb8b6b9be2befb57d53ae5456b6ce8f6472456
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657429
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80695}

Add an implementation of BranchIfInt32Compare, which is emitted whenever
a compare op is immediately followed by a branch.
Bug: v8:7700
Change-Id: I2c56d9de199bac8de33b33201f8614aee8e9894e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647693
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80694}

SimulatorBase::ConvertArg should be a protected member so that
CallArgument::CallArgument can access it.
Change-Id: I60b23b45c2247cd28e73808df7b77e604d154932
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3659057
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Yu Liu <liuyu@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#80693}

Deopt InputLocation next_use fields are not initialised, so if a deopt
is the last use of a node we won't release it. Fix this by initialising
the input location array. Also add a DCHECK to verify that register
assignments match what registers a node thinks it's in.
Bug: v8:7700
Change-Id: I4003a027489cf8eeef7c4e60fa64f72cebd2c4e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657438
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80690}

Mostly in comments, again, not much to be said...
Bug: v8:12425
Change-Id: If0890132606b5ae8d5e173907bfdc063b9811ac6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657428
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80689}