For accessors, instead of storing the descriptor index + holder in the
LoadHandler, store the getter directly (avoiding the
map->descriptor->pair->getter hops). For the non-prototype case, where
there's no LoadHandler, store the AccessorPair directly as a weak
handler instead of the Smi handler. We can't store the getter here
directly, because it could be in new space, and then we can't use it in
the stub cache.
Required some rejiggling of ic.cc method signatures, to allow
ComputeHandler to return a weak ref.
Change-Id: I22c0e64bec9880a3ba23c2d1eeb3a1c23179ca4b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865557
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83059}
assertEquals() compares objects by comparing each property for both
objects. This was done by using Object.keys() which however only returns
enumerable properties.
With this change also non-enumerable properties are compared.
Still, the comparison doesn't require the properties to be equal.
So, if one property is marked enumerable in one object but not the
other, the objects would still be considered equal.
This could be adapted in a follow-up CL if desired.
The prototype is still ignored for the comparison.
Change-Id: I1bb9df055bfb764ac1c02d971ac6f4a50f4a98e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876384
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83058}
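The behaviour change described in this commit, shown as an added example that is not V8's own mjsunit `assertEquals` code: `compareKeys` mirrors the old behaviour (`Object.keys`, enumerable properties only) and `compareOwnNames` mirrors the new one (`Object.getOwnPropertyNames`, non-enumerable properties included). Both helper names and the constructed inputs are this example's own; the two caveats the commit states (enumerability itself is not compared, the prototype is ignored) are reproduced deliberately.

```javascript
"use strict";

// Value comparison used for leaf properties. Object.is treats NaN as equal
// to NaN, which is what a test helper normally wants.
function sameValue(a, b) {
  return Object.is(a, b);
}

// Generic property-by-property comparison parameterised over the function
// that lists an object's property names.
function compareWith(listProps, a, b) {
  const aProps = listProps(a).sort();
  const bProps = listProps(b).sort();
  if (aProps.length !== bProps.length) return false;
  for (let i = 0; i < aProps.length; i++) {
    if (aProps[i] !== bProps[i]) return false;
    if (!sameValue(a[aProps[i]], b[bProps[i]])) return false;
  }
  return true;
}

// Old behaviour: only enumerable own properties are visible to the check.
function compareKeys(a, b) {
  return compareWith(Object.keys, a, b);
}

// New behaviour: non-enumerable own properties are compared as well.
function compareOwnNames(a, b) {
  return compareWith(Object.getOwnPropertyNames, a, b);
}

// Constructed input: an object with one enumerable and one hidden property.
function makeHidden(value) {
  const o = { x: 1 };
  Object.defineProperty(o, "secret", { value, enumerable: false });
  return o;
}

function demoEnumerability() {
  // Case 1: objects differ only in a non-enumerable property.
  const a = makeHidden(42);
  const b = makeHidden(43);
  const oldVerdict = compareKeys(a, b);      // true: the difference is invisible
  const newVerdict = compareOwnNames(a, b);  // false: the difference is now seen

  // Case 2: same name and value, enumerable in one object but not the other.
  // Enumerability itself is still not compared, so these count as equal.
  const c = { x: 1, secret: 42 };
  const d = makeHidden(42);
  const enumerabilityIgnored = compareOwnNames(c, d);  // true

  // Case 3: prototype differences are still ignored.
  const e = Object.create({ inherited: 1 });
  e.x = 1;
  const f = { x: 1 };
  const protoIgnored = compareOwnNames(e, f);  // true

  return { oldVerdict, newVerdict, enumerabilityIgnored, protoIgnored };
}
```

Case 1 is the gap the commit closes: a test asserting two objects equal would previously have passed even when a non-enumerable property held a different value. Cases 2 and 3 are the limitations the commit explicitly leaves for a follow-up.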
This is a reland of commit 24e60017d4
The reland changes %ClearFunctionFeedback to clear *all* feedback
slot kinds including binary/compare/for-in slots. In the tests we
thus no longer have to resort to tricks to restore the function to
its initial state, instead simply call %ClearFunctionFeedback.
Original change's description:
> [maglev] Deopt on overflow in >>>
>
> Re-enable the int32 fast path for ShiftRightLogical, but account for
> Maglev's missing signed/unsigned representation tracking by a)
> removing rhs==0 as the identity value (a shift by 0 is still a
> signed-unsigned conversion) and b) deoptimizing if the result cannot
> be converted to a non-negative smi.
>
> Note this is not a deopt loop, since a non-smi result will change the
> feedback to kSignedSmallInputs (from kSignedSmall).
>
> To fix this properly, we should track signed/unsigned representations
> and convert the result to a heap number if it doesn't fit within smi
> range.
>
> Bug: v8:7700
> Change-Id: Ifd538d227a6f1290eb7f008d9bfad586ff91ea0f
> Fixed: v8:13251
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876366
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Jakob Linke <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83025}
Bug: v8:7700
Change-Id: I2f607a0fb863b80e8589c9c1e86ee31fbac48c25
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879491
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83057}
Attempting to set a FunctionTemplate without a code handler as an
accessor for a property will fail in the runtime, which expects to be
able to call the handler. Add an API check that guards against this.
Change-Id: I270f0ca3d20de507bc9bde2c4c8d23b2614313dd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879490
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83055}
The current abort will crash if the generator is created by the
interpreter and resumed by the maglevved code.
This current workaround is not ideal since it can introduce
a deopt-reopt loop.
Bug: v8:7700, v8:13109
Change-Id: I7db71a896711255d866ace98eddde85538aa2903
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879228
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83054}
At the moment the shared heap is internally implemented as its own
isolate - the shared isolate. This CL prepares to remove the shared
isolate and replace it with shared spaces in the main isolate.
This CL introduces the --shared-space flag to opt-in into this shared
heap approach. Isolate::is_shared_space_isolate() and
Isolate::shared_space_isolate() are added as well to identify the
main isolate (or shared space isolate).
Bug: v8:13267
Change-Id: I1a79c839de3b3b9cc988401e2e6e70ce3b02fa22
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3874928
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83050}
.. to increase bus factor in EU time zones.
Change-Id: I7f1bca0fd765f8f1720ff5534823b4daaa290ea3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879488
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83049}
Set COMPACTION_WAS_ABORTED page flag also when aborting evacuation
due to OOM.
Bug: chromium:1359294, v8:12578
Change-Id: Ia9833dbf9213375698cb7b1595ade7df5e24189d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3877145
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83047}
This CL redesigns the current API, which does not correctly
manage lifetimes of the shared object conveyors.
See design doc at
https://docs.google.com/document/d/1TV6agY9dafVJFvdPrUAGbEvos8wL2WDnsmf84n3OJVU/edit?usp=sharing
This CL also removes the incorrect behavior of serializing all shared
strings by sharing instead of copying. Shared strings may be sent to
another process, which should still work.
Bug: v8:12547
Change-Id: I7413abd2d871fd3d52c9b433445cfa1d03e4a732
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3868713
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83044}
Change-Id: I46763c17f7078a3a5730c5a160ec899663ed990b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879483
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83043}
The src/wasm/stacks.h file became progressively bigger; create a
cc file for it and move some function definitions there.
R=clemensb@chromium.org
Bug: v8:12191
Change-Id: I6880a4e11884856bd2f4d777cb745a3c06c71841
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3874936
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83039}
When stress testing compaction, also abort evacuation for 5% of the
pages somewhere in the middle of the page.
Bug: chromium:1359294, v8:12578
Change-Id: Ie2e9873660ea2c330f175607b443f536f5d3abd2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876369
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83036}
.. which sets the --interrupt-budget-for-maglev to a very low value
s.t. tiering to Maglev happens very early. Note this affects
both normal tierup and OSR.
Also add flag handling to fuzzer.py, both as added globally with
probability 0.1, and added to InterruptBudgetFuzzer (which I also
updated with other tiering-related flags).
Bug: v8:7700
Change-Id: I844cf53a6a2da459565d0ad0ccae02b04853cd26
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878165
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83033}
- Remove the {ValueRepr} parameter from Wasm table and global object
internals. It is now the responsibility of the user to transform
to/from a JS object. This removes duplicate work in some cases (type
checking in the caller, transforming in the callee).
- For the reverse direction in the JS API, introduce
{WasmObjectToJSReturnValue}.
Bug: v8:7748
Change-Id: Ie7625cc0f08d38fe74dbe57e69004de2d93b8a11
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876184
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83031}
This reverts commit 703b0b31db.
Reason for revert: a simpler approach will be used instead.
Original change's description:
> [ptr-compr-8gb] Align runtime allocations to 8 bytes
>
> In order to support a larger heap cage (8GB, 16GB), the cage offset
> will take up more than 32 bits. As a consequence, for 8GB cages, the
> least significant bit of the cage offset will overlap with the most
> significant bit of the tagged offset. To avoid this, allocations need
> to be aligned to 8 bytes to free up one bit from the offset.
> All changes are deactivated behind the build flag
> `v8_enable_pointer_compression_8gb`.
>
> Bug: v8:13070
> Change-Id: Ibb0bd0177f3e88dcd24fc0ee7526335df0faa987
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3791052
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Auto-Submit: Teo Dutu <teodutu@google.com>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82299}
Bug: v8:13070
Change-Id: I5cb60f8e4500c908bdef5d417393edbe89652c9c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3877146
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Teo Dutu <teodutu@google.com>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83030}
This reverts commit 24e60017d4.
Reason for revert: Change breaks maglev GC stress tests.
Original change's description:
> [maglev] Deopt on overflow in >>>
>
> Re-enable the int32 fast path for ShiftRightLogical, but account for
> Maglev's missing signed/unsigned representation tracking by a)
> removing rhs==0 as the identity value (a shift by 0 is still a
> signed-unsigned conversion) and b) deoptimizing if the result cannot
> be converted to a non-negative smi.
>
> Note this is not a deopt loop, since a non-smi result will change the
> feedback to kSignedSmallInputs (from kSignedSmall).
>
> To fix this properly, we should track signed/unsigned representations
> and convert the result to a heap number if it doesn't fit within smi
> range.
>
> Bug: v8:7700
> Change-Id: Ifd538d227a6f1290eb7f008d9bfad586ff91ea0f
> Fixed: v8:13251
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876366
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Jakob Linke <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83025}
Bug: v8:7700
Change-Id: Ibd4c29cc57b999e1cfcd040cee3228ea27a74029
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876374
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83029}
... which works for stale pointers. The default == operator contains
a DCHECK guarding against Code vs. non-Code object comparisons and
thus it can't be used for stale pointers.
Bug: chromium:1360793, v8:11880
Change-Id: Ic5faf9b05e1586a15388cc1cbf3e8dcddbea452f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879222
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83028}
Re-enable the int32 fast path for ShiftRightLogical, but account for
Maglev's missing signed/unsigned representation tracking by a)
removing rhs==0 as the identity value (a shift by 0 is still a
signed-unsigned conversion) and b) deoptimizing if the result cannot
be converted to a non-negative smi.
Note this is not a deopt loop, since a non-smi result will change the
feedback to kSignedSmallInputs (from kSignedSmall).
To fix this properly, we should track signed/unsigned representations
and convert the result to a heap number if it doesn't fit within smi
range.
Bug: v8:7700
Change-Id: Ifd538d227a6f1290eb7f008d9bfad586ff91ea0f
Fixed: v8:13251
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876366
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83025}
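The two points this commit makes (a shift by 0 is not an identity, and the uint32 result may fall outside smi range) illustrated as an added example; this is a model of the decision, not Maglev's code, and is also what the reland at position #83057 earlier on this page re-applies. `kSmiMax`, `fastPathShiftRightLogical` and the sample inputs are this example's own assumptions; the value 2**30 - 1 assumes 31-bit smis (the pointer-compressed configuration), while builds without pointer compression have a wider smi range.

```javascript
"use strict";

// Assumed smi range: 31-bit smis, as in pointer-compressed builds.
const kSmiMax = 2 ** 30 - 1;

// JavaScript's >>> already applies ToInt32 to lhs, masks rhs to 5 bits and
// yields a uint32, which is exactly the operation the int32 fast path models.
function shiftRightLogical(lhs, rhs) {
  return lhs >>> rhs;
}

// Model of the fast-path decision: compute the uint32 result and report
// whether it can be represented as a non-negative smi. When it cannot, the
// commit has Maglev deoptimize instead of reinterpreting the bits as int32.
function fastPathShiftRightLogical(lhs, rhs) {
  const result = shiftRightLogical(lhs, rhs);
  return { result, deopt: result > kSmiMax };
}

function demoShift() {
  return {
    // rhs == 0 is not an identity: -8 becomes 4294967288, which is also
    // outside smi range, so treating it as "return lhs" would be wrong.
    shiftByZero: fastPathShiftRightLogical(-8, 0),
    // Small non-negative inputs stay on the fast path.
    small: fastPathShiftRightLogical(1000, 3),
    // A negative lhs shifted by 1 gives 0x7fffffff, beyond a 31-bit smi.
    large: fastPathShiftRightLogical(-1, 1),
    // A non-negative lhs is unchanged by a shift of 0 and fits.
    identityOk: fastPathShiftRightLogical(7, 0),
  };
}
```

The `shiftByZero` case is why the commit removes `rhs == 0` as an identity value: the sign bit of a negative int32 is reinterpreted as a large positive uint32, so the result differs from the input even though no bits move.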
Abort evacuation for ~10% of evacuation candidates during stress
testing. This should make aborting of evacuation more frequent and
uncover bugs sooner.
Bug: chromium:1359294, v8:12578
Change-Id: I2fb2124b10456ea71da12df71ef92cf2c3d89c03
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878173
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83023}
The laneidx of LoadLaneParameters is taken as a char type in
PrintParameter. Fix operator<< to print laneidx as an integer type.
Change-Id: Ibe9992326014d912f9aa09e785c8c3632ed02c06
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878768
Auto-Submit: Yolanda Chen <yolanda.chen@intel.com>
Commit-Queue: Yolanda Chen <yolanda.chen@intel.com>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83022}
We've previously used JSFunction::GetActiveTier, which looks at
JSFunction::code to determine the active tier. However, that may
diverge from the actually active tier (i.e. the calling frame type),
e.g. when Turbofan code is available but we haven't yet tiered up
because we're stuck in a long-running loop.
With this CL, we determine the caller code_kind by splitting the
BytecodeBudgetInterrupt runtime function up into _Ignition,
_Sparkplug, and _Maglev variants s.t. the tier is passed implicitly
without extra overhead at runtime.
Bug: v8:7700
Change-Id: I46d19c4676e3debb6d608d9fbc53495feef5cadf
Fixed: chromium:1358577
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871196
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83020}
Re-implement the --log-function-events functionality after
refactoring the tiering state bits on the FeedbackVector.
The new version also tries to log first-execution of non-interpreter
code and will handle OSR events.
Not-yet supported:
- First-execution logging when OSR-ing in Sparkplug or Maglev
Bug: v8:13146
Change-Id: I2059c6d8105091f20586eaf157ef19d5e65295aa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3832375
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83019}
This is a reland of commit d00c040547
Changes since revert: Use AsAtomicTagged instead of
base::AsAtomicPointer to store a hash value in the forwarding table.
Original change's description:
> [strings] Support shared external strings
>
> With this CL shared strings can be externalized and external strings can
> be shared.
> The StringForwardingTable is used to delay the real transition to the
> next full GC. On the API side strings marked for externalization will
> look like externalized strings.
>
> Bug: v8:12957
> Change-Id: I53b6509129bc5679c06bdf99421bdb41ea5d9082
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849643
> Reviewed-by: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Patrick Thier <pthier@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82966}
Bug: v8:12957
Change-Id: I17715e927e4339240a6aa12a3c4a3c2ea50eb567
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871211
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83018}
Add an enum in the jump buffer to represent the state of the
stack: active, suspended, or retired. Update the state on stack switch
and check that they are consistent.
The previous method relied on comparing the current stack pointer with
the bounds of the stack, which was not reliable because the upper bound
of the native stack is not known precisely.
R=clemensb@chromium.org
Bug: v8:13236
Change-Id: If1880aa3efd5a9dc03c3c52ac5315d369d886a50
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870925
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83017}
External pointers used in external strings are always stored in the
shared external pointer table.
Prior to this CL we didn't mark external pointer entries for external
strings residing in client heaps.
Bug: v8:13260
Change-Id: Ifc5dc86f4ebe2791bfb8c4c8fe2673886d24e8a8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3875028
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83016}
When migrating code objects, we also need to record typed slots in the
old-to-shared remembered set.
In addition this CL also removes handling of typed slots and code
pointers because both only occur in the old generation.
Bug: v8:11708, v8:13265
Change-Id: I2f05f79f1a24ab0d36dc54c5e450207496a15cfd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876822
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83014}
Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.
R=ishell@chromium.org
Bug: v8:12887
Change-Id: Ic54ad0c1135f6d3ff9f261df40f2138bf511d5be
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876383
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83013}