REPL 'let' declared variables use VariableLocation::REPL_GLOBAL which
was not handled by a switch in the bytecode generator. The default
case ran into an UNREACHABLE.
This CL fixes this by properly handling VariableLocation::REPL_GLOBAL
for delete.
Drive-by: Replaced the default case with an explicit case for
VariableLocation::MODULE.
Bug: chromium:1052721
Change-Id: I1330ff2f2c6f042a596a8298599a5d58769894f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2060488
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66301}
By replacing usage of the IsNotArrayIndex bit with IsNotIntegerIndex,
we get back one bit that we can use to increase the number of hash bits
stored. The price is that strings that represent array/integer indices
beyond the cacheable range will have to be scanned more often, but these
strings should be rare, and we expect that the additional hash bit is
more worthwhile to have.
Bug: v8:9904
Change-Id: I33f74b0a73f4754aee85805d4b7c409177668439
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2051947
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66299}
Implement the latest spec changes:
- Allow declarative segments to behave like passive & dropped segments.
- Enforce that only declared functions may be returned or used in globals
as funcref.
- Ensure that table fill does not modify any entries if OOB.
Spec tests for select and br_table are still failing due to proposal issue
Bug: v8:10156
R=ahaas@chromium.org
Change-Id: I5b95be36a67bc7482a84b848908cc4cbdf94af03
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2027458
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Emanuel Ziegler <ecmziegler@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66297}
Currently dirty FinalizationGroups are processed by the cleanup task in
LIFO order. This results in starvation when FinalizationGroups are added
to the dirty list faster than the cleanup task is run.
R=ulan@chromium.org
Bug: v8:8179
Change-Id: I6e4a5bbd490396120b07ca6053176beded7cef6e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2051619
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66296}
This is to fix the hang (rarely happen). The potential root cause is
that before initialing recompilation, the recompilation callback is
added and then already cleared out by other running threads from initial
compilation.
Bug: v8:10086, v8:9654
Change-Id: I769bac621cce4611ccde1f0998b0f2bc0e9c04cf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2053248
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66295}
There is a copy of the pointer decompression logic in
TypedArrayBuiltinsAssembler::SetJSTypedArrayOnHeapDataPtr,
which was not updated for the new ("smi-corrupting") pointer
compression scheme: it erroneously used a sign-extending cast
from compressed to full representation. This causes incorrect
values to be computed when the heap size can grow beyond 2GB.
Bug: v8:9706, chromium:1051005
Change-Id: I2220ce759df1147f255ffca93428888858929fd9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2060494
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66293}
This adds 3 flags to the numfuzz fuzzer depending on a probability:
--budget-for-feedback-vector-allocation=0
--interrupt-budget=100
--no-lazy-feedback-allocation
No-Try: true
Bug: v8:10204
Change-Id: I83dabcd0e3ca80bebe596d65d03b3e99d8ecbf03
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2060490
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66291}
This reduces the pointer-compression experiment by 3% as it is in
production since a while.
This also uses turbofan when comparing across architectures as tests
run faster and likely find the same or more relevant bugs.
No-Try: true
Change-Id: I35ec97188a101a7cb43454903f7bf9765e57893c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2059995
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66290}
Pass --no-lazy-feedback-allocation in all second runs depending
on a probability. Also combine with --interrupt-budget=100.
This also allows adding several extra flags behind one probability.
The tests are improved to ensure valid flags and configs.
No-Try: true
Bug: v8:10215
Change-Id: I2766ef5044cd8c7096f6b76f39b60b568f550bde
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2059991
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66289}
This again improves readability and makes the code much shorter. It
might also allow us to generate a scheduled graph directly in the
future, for improved wrapper compile times.
R=jkummerow@chromium.org
Bug: v8:10123
Change-Id: I0225d685a0660adb265eedcd160dfac6b4b23c87
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2060001
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66287}
... instead of first claiming space on the stack and then storing it,
which was sometimes causing the profiler to read the uninitialised frame
type slot right after it was claimed, but before it was written to.
Bug: v8:9907
Change-Id: I33318aec44b6083488317ec5e226a06e59c7560c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2056473
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Cr-Commit-Position: refs/heads/master@{#66285}
The arm/arm64 simulators debugger has a command "mem" that prints
the content of the memory. It also prints a short summary for JS
objects (SMI, Array, JSFunction, ...). That is very handy, but
when trying to print incomplete initialized memory, it could raise
an exception.
It is useful to have a command that prints the content of the memory
for non-initialized or bogus values without the risk of raising
an exception. This CL adds the command "dump".
Change-Id: I682f97afa30a8d9dc572fe5e9dd256eeebf79de9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2056468
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66284}
port 9d3dc6fhttps://crrev.com/c/1914218
Original Commit Message:
FunctionEntry StackChecks is one of the two cases where we generate a
StackCheck bytecode. In these cases, we do stack check against the js
limit (not to be confused with the real js limit). Their purpose is to
be able to interrupt the running code.
We can omit the FunctionEntry StackCheck by embedding its code into
the InterpreterEntryTrampoline builtin. We save one bytecode per
interpreted function.
This change has rippling effects for optimized code, as well as the
deoptimizer.
Change-Id: I2ad985959a3f55dfe80fabeffee3d344c1817c88
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2050055
Auto-Submit: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66281}
This variable significantly slows down indexed-getter.html of blink_perf.bindings on linux-perf
https://pinpoint-dot-chromeperf.appspot.com/job/136cce54620000
V8_STACK_UNINITIALIZED macro is the same as http://crrev.com/c/1974951
Bug: chromium:977230
Change-Id: I3e7e91804e13b856d6b2ba0a5d67f0354636c510
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2046872
Commit-Queue: Vitaly Buka <vitalybuka@chromium.org>
Auto-Submit: Vitaly Buka <vitalybuka@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66278}
Intl.RelativeTimeFormat constructor crash while the locale or
numberingSystem contains an "algorithmic" numberingSystem.
Fix by fallback to the locale without the nu
Bug: chromium:1041319
Change-Id: Ica520e8dec6ace21264504274b92cb2c3d16286f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2055970
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66276}
Use adoptSymbols(NumberingSystem *) API in Intl.NumberFormat to reduce string size
Bug: v8:10207
Change-Id: I3163c524612b61cfdad51743d58ece08b437520a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2055567
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66273}
It was using nullptr to signal that it was empty.
Bug: v8:10155
Change-Id: I0844d6a2bfacb1fd35ba83c24307de86f77f4e40
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2056470
Reviewed-by: Dan Elphick <delphick@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66271}
The method has been non-const since initially introduced in de070ccfa6.
Here's a minor change to make it const, for it may/shall be, for other
similar methods are, and for making it easier for future changes
(accessing this method in another const method, etc.).
Change-Id: I3449214fc086403fc9b24b6f502ca20ac0b1426a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2055123
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66270}
Since the size of the parameters and locals inputs is already stored on
the FrameStateFunctionInfo, this skips the calls to size() and just
reuses the previous values. The stack parameter can only have a size of
0 or 1 depending on whether it's a InterpretedFunction frame or not.
It also extends the verifier to check that the values to match those
returned by StateValueAccess::size and changes a unit test that added
a TypedStateValues of size 2 to the stack input.
Bug: v8:10051
Change-Id: I3693c04b4677812b9f19491c198d0551df20f817
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2047045
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66268}
This skips gay-*.cc cctest files for lint checking. The files
contain 99.9% data not structures. Alternatively, maybe the
data could be moved to non-cc resource files.
This speeds up v8_presubmit without caching locally from 39s to 23s.
This is how it's executed on the continuous CI builder.
No-Try: true
Change-Id: Ide58618a0b1ecd5900b5c9633d584c59b559df32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2056463
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66267}
The previous code was relying on {compilation_unit_builder_} to check if
a section was after or before the code section. This only works for the
first section after code section, since the compilation unit builder is
then reset. Use an additional field to track this instead.
R=clemensb@chromium.org
Bug: chromium:1051912
Change-Id: Id1dfa803ecde2cf77f206ea781c007fc61168942
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2054099
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66265}
LoadTransform cannot efficiently be executed on BE machines as a
single operation since loaded bytes need to be reversed to
match BE ordering before any operations can take place.
This CL divides LoadTransform into separate "load" and "operation"
nodes on BE machines.
Change-Id: Idc3f66d7f17647c189c75593e8906f8645448006
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2050811
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66264}
May override the global symbol_level config. Useful for debugging V8
within a release Chromium, like v8_enable_debugging_features.
Change-Id: Ie081b5110dc93914cbe53fdde3cdec77822b9819
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2051959
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66262}
These tests are likely missing %PrepareFunctionForOptimization
annotation of lambdas. Thus lambdas are no longer inlined and
%DeoptimizeNow does nothing, while the entire point of these tests is
to test deoptimization paths.
Disabling lazy feedback allocation is a quick fix to restore coverage
until we can land a more complete fix (for details see the linked
bug).
Bug: v8:10195
Change-Id: I4038cdc5718230253ffb5bbc57d574342c652377
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2054096
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66261}
Use similar strategy to scavenger when calculating number of parallel
compaction tasks. Do not add task for each page but every fourth page.
Bug: chromium:1051883
Change-Id: Iaba3046de9c9a3ab63c0e7afcc6e4a9c398c5a10
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2054097
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66260}
The fix in b8b6075021 was insufficient.
The bug is that induction variable typing does not take into account
that the value can become NaN through addition or subtraction of
Infinities. The previous fix incorrectly assumed that this can only
happen when the initial value of the loop variable is an Infinity.
Bug: chromium:1051017
Change-Id: I8c9ffb2925288b80c00e18e7bc22a556bf540733
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2051957
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66258}
In the final version of our pointer compression scheme, decompression
uses zero-extension of the compressed value. The API copy of that code
erroneously still used a sign-extending decompression from an earlier
iteration of the scheme.
Bug: v8:9706, v8:10198
Change-Id: I17c3a52d26ce26bc0623627d725f686c379fbd6e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2051954
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66256}
This is a reland of 137bfe47c9
Original change's description:
> [arm64] Protect return addresses stored on stack
>
> This change uses the Arm v8.3 pointer authentication instructions in
> order to protect return addresses stored on the stack. The generated
> code signs the return address before storing on the stack and
> authenticates it after loading it. This also changes the stack frame
> iterator in order to authenticate stored return addresses and re-sign
> them when needed, as well as the deoptimizer in order to sign saved
> return addresses when creating new frames. This offers a level of
> protection against ROP attacks.
>
> This functionality is enabled with the v8_control_flow_integrity flag
> that this CL introduces.
>
> The code size effect of this change is small for Octane (up to 2% in
> some cases but mostly much lower) and negligible for larger benchmarks,
> however code size measurements are rather noisy. The performance impact
> on current cores (where the instructions are NOPs) is single digit,
> around 1-2% for ARES-6 and Octane, and tends to be smaller for big
> cores than for little cores.
>
> Bug: v8:10026
> Change-Id: I0081f3938c56e2f24d8227e4640032749f4f8368
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1373782
> Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#66239}
Bug: v8:10026
Change-Id: Id1adfa2e6c713f6977d69aa467986e48fe67b3c2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2051958
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Cr-Commit-Position: refs/heads/master@{#66254}
