During a frame merge we call ForEachValue that "get"s every
live register, including the virtual accumulator. That currently
fails since we need to check if the register is the virtual
accumulator and set/get the accumulator field in InterpreterFrameState.
The virtual accumulator slot in RegisterFrameArray (the same as the
return address in a live frame) is actually unused.
So we can use this slot for the InterpreterFrameState's accumulator,
instead of a separate field.
Bug: v8:7700
Change-Id: Ife33946a4f9c58ca1f4eadeb587f9880f6fb2afc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3536648
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79553}
This reverts commit 6b690a6b48.
Reason for revert: causes a few regressions here https://chromeperf.appspot.com/group_report?rev=79528
Original change's description:
> Reland [compiler] Simplify "==0" branches in MachineOperatorReducer
>
> This is a reland of 48b443f692.
>
> While fixing the initial CL, we stumbled upon a few bugs that
> we had to fix:
>
> - CommonOperatorReducer and SimplifiedOperatorReducer were applied
> before and after SimplifiedLowering, but always assumed that it
> was before SimplifiedLowering, and thus had the wrong semantics
> for branches in some cases. They now have an added parameter to
> know which semantics of branch they should use.
>
> - The lowering of StaticAssert was wrong and could leave kHeapConstant
> in the assert (instead of machine Booleans).
>
> Original change's description:
> > [compiler] Simplify "==0" branches in MachineOperatorReducer
> >
> > Bug: v8:12484
> > Change-Id: I0667c7464c0dd71338bc199a24a69248a7a0a525
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3497303
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Owners-Override: Tobias Tebbi <tebbi@chromium.org>
> > Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#79379}
>
> Bug: v8:12484
> Change-Id: Ibbf5df96fce5ccb04868dc517539479bf69f5703
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3516869
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79528}
Bug: v8:12484
Change-Id: I457464d793e9c5af8448564aa3b46be863b96fbb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540148
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79552}
Port b2978927d8
Original Commit Message:
This CL removes:
- Dynamic map checks aka minimorphic property loads (TF support,
builtins).
- "Bailout" deopts (= drop to the interpreter once, but don't
throw out optimized code).
- "EagerWithResume" deopts (= part of dynamic map check
functionality, we call a builtin for the deopt check and deopt
or resume based on the result).
R=jgruber@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N
Change-Id: I64476f73810774c2c592231d82c4a2cbfa2bf94e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3537881
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#79551}
Access to the object start bitmap is only safe during marking until
sweeping is started as the concurrent sweeper may clear and rebuild
the bitmap at any time during sweeping.
Adds a DCHECK and an additional test for a previously broken
pre-finalizer scenario.
Bug: chromium:1307471
Change-Id: If67ade43f7cdad6de4720c0efeac11bfe8c22b3c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3535782
Reviewed-by: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79550}
This way Blink will not sanitize error events coming from JavaScript
entered via the DevTools console, and instead forward the original error
event as-is, which is more likely to match the developers' expectations.
Bug: chromium:1295750
Change-Id: Id02c048e4af21d0c232d8e44d11115f6b61c0bf1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540145
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79549}
When cross realm invoke PromiseConstructor and realm not
allowed to CrossRealmAccess, PromiseConstructor will
silently return undefined, which will cause crash in
ConstructJSWithTarget type cast, Change to throw type
error when HasAccessCheck failed.
Bug: v8:12705
Change-Id: I18f697a1897c31163dd60522db12449033419f9a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3521174
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79548}
Originally, 'Promise()' without 'new' will throw "undefined is not a
promise". Now it will throw "Promise constructor cannot be invoked
without 'new'".
Bug: v8:10817
Change-Id: Ic8b72a902ed395e44dbb32ccf96a2130a4a9422f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3459924
Reviewed-by: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79547}
This CL removes:
- Dynamic map checks aka minimorphic property loads (TF support,
builtins).
- "Bailout" deopts (= drop to the interpreter once, but don't
throw out optimized code).
- "EagerWithResume" deopts (= part of dynamic map check
functionality, we call a builtin for the deopt check and deopt
or resume based on the result).
Fixed: v8:12552
Change-Id: I492cf1667e0f54586690b2f72a65ea804224b840
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3401585
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79544}
Reporting messages can trigger termination in case of `inspector-test`,
which we need to be able to deal with gracefully for the fuzzer.
Fixed: chromium:1307449
Change-Id: I88ba2b13d920134a1670b808adc4ace4ca6d1dff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540260
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79543}
- Avoid redrawing property-link tables if the contents don't change
- Don't update timeline legends if the selection doesn't change
- Use shorter class names for the flamechart for faster parsing
- Round positions in flamechart to avoid long strings that would be
created from raw double positions
- Don't redraw the tooltip if the content is the same
Change-Id: I925f1708400286c7c9f8db62f75c3b5fe8a16b12
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3521945
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79540}
This implements the last bits of basic concurrent Maglev compilation.
When jobs have been processed, schedule an interrupt to trigger codegen
and building the Code object on the main thread.
Changed since the initial version:
- Put the include behind V8_ENABLE_MAGLEV.
- Skip 18.js until we have deterministic test helpers for concurrent
tiering.
Bug: v8:7700
Change-Id: Ibc103f097fe00f7df93a33a785939e43901f3734
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3536662
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79539}
Avoid instruction selector to emit sign extension instruction after most
`xxx.w` instructions in RV64I and RV64M, because `xxx.w` instructions
will automatically sign-extend the result
Change-Id: Ia4291242dc3e51f49be1e6dda2d5a3365b5e7bfa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3536845
Reviewed-by: Yahan Lu <yahan@iscas.ac.cn>
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#79537}
Will re-enable once a few issues have been resolved.
Change-Id: Ieed60efcb6d59cc5ca10931913dd4d9ffea8b9f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3532202
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#79533}
This is a reland of 48b443f692.
While fixing the initial CL, we stumbled upon a few bugs that
we had to fix:
- CommonOperatorReducer and SimplifiedOperatorReducer were applied
before and after SimplifiedLowering, but always assumed that it
was before SimplifiedLowering, and thus had the wrong semantics
for branches in some cases. They now have an added parameter to
know which semantics of branch they should use.
- The lowering of StaticAssert was wrong and could leave kHeapConstant
in the assert (instead of machine Booleans).
Original change's description:
> [compiler] Simplify "==0" branches in MachineOperatorReducer
>
> Bug: v8:12484
> Change-Id: I0667c7464c0dd71338bc199a24a69248a7a0a525
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3497303
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Owners-Override: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79379}
Bug: v8:12484
Change-Id: Ibbf5df96fce5ccb04868dc517539479bf69f5703
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3516869
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79528}
This reverts commit cf25b3bc53.
Reason for revert: https://crbug.com/1307471. TraceTrait must only be used during marking.
Original change's description:
> cppgc: Rework prefinalizers
>
> Move the check for whether an object is live or dead out of the
> prefinalizer trampoline. Moving it into the backend allows for
> inlining the check which avoids a call to the trampoline for live
> objects.
>
> On catapult benchmarks (e.g. cnn:2021, nytimes:2020), there's often
> ~2k finalizers registered. In order to avoid memory overhead in the
> range of a few KB, we store the fact whether the object points to the
> base object payload in the LSB of the pointer. For caged builds this
> is replaced with just storing the index into the cage for both object
> and base object payload.
>
> Locally saves around ~10% of atomic sweeping processing time which is
> in the order of .05ms.
>
> Bug: v8:12698
> Change-Id: I198205a6b1d57fc2df821ee4e73e53dc6f825ff5
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3497764
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79442}
Bug: v8:12698, chromium:1307471
Change-Id: I5c4e70d46cb99af66c77f0c013625b6af6c6eb8e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3535781
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79527}
There are problems calling WaitForRunningWorkers when we
call quit().
First, suppose the main thread first calls quit(),
and the worker thread calls quit() after the main
thread calls quit(), then sched_yield to wait for
quit_once_ updated to ONCE_STATE_DONE. However
the main thread is WaitForRunningWorkers to wait
for the worker thread to join, thus causing deadlock.
Second, suppose the worker thread calls quit() and empty
the running_workers_ by WaitForRunningWorkers, then
the main thread calls `onExit(isolate, true)` to dispose
the platform and other global data, which will crash other
running workers.
Bug: v8:12219
Change-Id: I333e5aad431daefb1c163f69e66d8e9d5e9bf754
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3518908
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79525}
This implements the last bits of basic concurrent Maglev compilation.
When jobs have been processed, schedule an interrupt to trigger codegen
and building the Code object on the main thread.
Bug: v8:7700
Change-Id: I348ade4777ddddf7c3a6b0575d9f51e5fa00c9fb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3528494
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79516}
.. into new virtual subclass TurbofanCompilationJob. Update all TF code
to derive from this class. Specifically, the OptimizedCompilationInfo is
TF-specific and now lives in TurbofanCompilationJob.
The motivation behind this is that Maglev now also uses this
infrastructure.
Drive-by: Replace CompilationMode with ConcurrencyMode.
Bug: v8:7700
Change-Id: Iae6d1ffd1c810e2e45cad6c9b4e43d4c82ac54a7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3528493
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79515}
In JSCallReducer::ReduceArrayPrototypeShift, add Unsigned32
TypeGuard for index Node used in fast path, avoid representing
kRepFloat64 (Range(1, inf)) to kRepWord64 when converting
input for kLoadElement.
Bug: v8:12632
Change-Id: I2e4b00840dc5462e4351e13a372c33b6272b9ea1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3528373
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79514}
This started out as a minor code move of early-osr logic, but
became a more general refactor of the tiering decisions.
Early-OSR: the intent here is to trigger OSR as soon as possible
when matching OSR'd code is cached. Move this out of ShouldOptimize
(since it has side effects), and into a dedicated function that's
called early in the decision process.
Note that with this change, we no longer trigger normal TF optimization
along with the OSR request - TF tiering heuristics are already complex
enough, let's not add yet another special case right now.
Other refactors:
- Clarify terminology around OSR. None of the functions in TM actually
perform OSR; instead, they only increase the OSR urgency, effectively
increasing the set of loops that will trigger OSR compilation.
- Clarify the control flow through the tiering decisions. Notably,
we only increment OSR urgency when normal tierup has previously been
requested. Also, there is a bytecode size limit involved. These
conditions were previously hidden inside other functions.
Bug: v8:12161
Change-Id: I8f58b4332bd9851c6b299655ce840555fb7efa92
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3529448
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79512}
- Restructure the runtime function implementation.
- Rename osr_loop_nesting_level to osr_urgency and add helpers.
The motivation for the latter: I've always struggled with the
`osr_loop_nesting_level` term; it neither matches terminology of
what it's compared against (= the loop depth), nor implies what it's
used for (= osr is triggered when `loop depth < osr nesting level`).
In this CL it's renamed to `osr_urgency` to reflect that as urgency
rises, we consider more and more loops as OSR candidates.
Bug: v8:12161
Change-Id: I194ec5a3f1f02526641af1c7796ee0956b6fd3a1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3528735
Reviewed-by: Patrick Thier <pthier@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79509}
