Commit Graph

78829 Commits

Author SHA1 Message Date
Toon Verwaest
d615000959 [maglev] Fix 2 minor inlining issues
- Support JumpInlined in ComputePostDominatingHoles
- Bail out inlining of uncompiled functions

Bug: v8:7700
Change-Id: I0544a0b62e25cb68f7586da60226877417d967ad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031552
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84337}
2022-11-17 17:40:07 +00:00
Manos Koukoutos
cb5adce1dd [wasm-gc] Type new node in WasmGCOperatorReducer
Bug: v8:7748
Change-Id: I9225a9eccba1f6a7e3aee6622cbca8c6e8089b37
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031181
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84336}
2022-11-17 17:06:27 +00:00
Leszek Swirski
e4077cc01d Revert "[ext-code-space] Change compression scheme for Code pointers"
This reverts commit 70e65f8961.

Reason for revert: Breaks roll (https://chromium-review.googlesource.com/c/chromium/src/+/4030636/6?checksPatchset=6&checksRunsSelected=chromeos-amd64-generic-rel&tab=checks)

Original change's description:
> [ext-code-space] Change compression scheme for Code pointers
>
> Unlike the default scheme the ExternalCodeCompressionScheme allows
> the cage to cross 4GB boundary at a price of making decompression
> slightly more complex. The former outweighs the latter because it
> gives us more flexibility in allocating the code range closer to
> the .text section in the process address space. At the same time
> decompression of the external code field happens relatively rarely
> during GC.
>
> Bug: v8:11880
> Change-Id: Ia62bedd318f88c2147534ff000ab9fad354777f3
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899307
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84269}

Bug: v8:11880
Change-Id: I65607590dd12e92c741ccedf84ac3c6b2fcf075e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031182
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84335}
2022-11-17 17:03:17 +00:00
Tobias Tebbi
76861e3005 [turboshaft] bailout when building huge FrameState
Bug: chromium:1383203
Change-Id: Idd698628890d823587190c45ac5db07b969af13f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4034328
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84334}
2022-11-17 16:26:58 +00:00
pthier
1003348c0e [regexp] Remove useless DCHECK from parser
Remove machinery from regexp parser that keeps track of the type of the
last added token. This is used only in one spot for a DCHECK that
doesn't really provide any benefit for stability or security, but
keeping track of the last added type is tedious and error-prone.

Bug: chromium:1385569
Change-Id: I98e239a03a4c7c9ff22c24fc42e12ae6b643a6d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030583
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84333}
2022-11-17 16:06:37 +00:00
Leszek Swirski
00db0fff8c [maglev] Support call speculation disabling
Add a FeedbackSource to DeoptInfo which allows the caller to specify
that this deopt is part of call speculation, and that call speculation
should be disabled for this call when the speculation fails. This is a
mechanism to prevent deopt loops, also used by TurboFan.

Bug: v8:7700
Change-Id: I59b5db3956e074ec808b218c00ae85796455742e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030438
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84332}
2022-11-17 15:22:18 +00:00
Darius M
1f26a28f0e Reland "[turboshaft] Port BranchElimination to turboshaft"
Original change's description:
> [turboshaft] Port BranchElimination to turboshaft
>
> Bug: v8:12783
> Change-Id: Ib1e7d3cb3ec18bfad57577ae6c830994e6139601
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899298
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84258}

Bug: v8:12783
Change-Id: I48214de33d05b7aa61a488b86bd5539fdb92e1f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030576
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84331}
2022-11-17 15:11:10 +00:00
Manos Koukoutos
3f3e218057 [wasm][liftoff] Relax stack slot compatibility requirements
Since we don't do accurate type tracking in liftoff, we end up in
situations where we mix up ref and (ref null). This is safe and should
be allowed.
We merge {IsAssignable} into {CheckCompatibleStackSlotTypes}, and
rename and simplify it.

Bug: v8:13499
Change-Id: Ifaa2ff1e3f090a5d91219305ce4bb6f08bc5c00f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030512
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84330}
2022-11-17 14:36:27 +00:00
Igor Sheludko
0446de4202 [assembler][tests] Test builtin calls generation
Some of the tests were accidentally disabled (TestCallBuiltinPCRelative
and TestCallBuiltinIndirect).
Also add tests for builtin tail calls.

Bug: v8:11527
Change-Id: I42c7249cde44ff055ff6cb0c908ec1611b24353c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031034
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84329}
2022-11-17 13:52:57 +00:00
Omer Katz
dbbccae19a Reland "[heap] Invoke allocation observers before limiting the LAB"
This is a reland of commit 39d387bb72

Original change's description:
> [heap] Invoke allocation observers before limiting the LAB
>
> Currently whenever we reach a step we get a small LAB the same size as
> the allocated object. This is because the remaining step size is smaller
> than the current allocation.
> Invoking observers before limiting the LAB, and thus updating step
> sizes, should eliminate the small LAB we get whenever we reach a step.
>
> Drive-by: remove redundant method arguments.
>
> Bug: v8:12612
> Change-Id: Ied92a947308368d3b289e246fdb4f40ac5e5981f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4013683
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Omer Katz <omerkatz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84157}

Bug: v8:12612, v8:13465
Change-Id: I40fb930a755cb5decccd932c4d25ed7d5d224da4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4020177
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84328}
2022-11-17 13:51:38 +00:00
Darius M
e5230b85db [turboshaft] SnapshotTable: remove Scope and add predecessors
Scope: In practice, we don't need Scopes, so it'll be simpler to
access the table directly.

Predecessors: Phi inputs are often not mergeable (because they often
aren't defined in all predecessors). As a result, if we want to know
the value of a Phi input through the SnapshotTable, we need to lookup
its value in a predecessor, which is the feature that this CL
introduces.


Bug: v8:12783
Change-Id: I12a9e6abddd88ff1f3de172a387c9a502356f351
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030581
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84327}
2022-11-17 13:47:27 +00:00
JianxiaoLuIntel
76fb582d57 [turbofan] Optimize address calculation of load
Example in builtin GeneratorPrototypeNext
Before:
19  REX.W movq rcx,rbp
1c  REX.W movq rdi,0xfffffff8
23  REX.W movq rdi,[rdi+rcx*1+0x18]

After:
19  REX.W movq rcx,rbp
1c  REX.W movq rdi,[rcx+0x10]

Change-Id: I0068575d808e0ab8e511e7972cc1ad3afbef763e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4015570
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jianxiao Lu <jianxiao.lu@intel.com>
Cr-Commit-Position: refs/heads/main@{#84326}
2022-11-17 13:46:17 +00:00
Leszek Swirski
8fa1da43af [deoptimizer] Remove deoptimized code list
The deoptimized code list is inserted into when walking a native context
to find Code objects marked for deoptimization, and is then only used
for two purposes:

  1. Looking up lazy deoptimizing code objects by PC, and
  2. Counting deoptimizing code that's not marked for deoptimization.

Point 1 is slow, as it is a linked list traversal, and is made slightly
slower by the CodeT refactoring which adds another layer of indirection
to the list. The existing Isolate::FindCodeObject approach is faster,
and is already used in the deoptimizer for Code objects not found in the
list, in particular all eager deopts.

The careful reader will notice that point 2 results in a count that's
always zero, since the count excludes exactly those code objects which
are added to the list (ones marked for deopt). Indeed, all uses (which
were all in tests) were verifying only that it is equal to zero.

So, we can remove this deoptimized code list entirely.

Change-Id: I352e77b1df83260a30464dbac7f268484211b2e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030582
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84325}
2022-11-17 13:32:17 +00:00
Anton Bikineev
7f0edaad07 Reland "unified-young-gen: Trace cross-heap references"
This reverts commit bdf634f851.

The TSAN race was fixed by
- removing unmodified wrapper reclamation with --cppgc-young-generation
- moving Oilpan's final pause after young trace handle marking

Original change's description:
> unified-young-gen: Trace cross-heap references
>
> The CL enables the marking visitor in CppGC to trace
> v8::TracedReferences (by just reusing the unified heap visitor from the
> full GC). In addition, it specifies VisitJSApiObject for
> NewSpaceVisitors to be able to trace wrappers from Minor MC in case
> --cppgc-young-generation is enabled.
>
> Bug: v8:13475
> Change-Id: I04ba1f2a22e05caebf53dc8d64f2488c42ab8579
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4026896
> Commit-Queue: Anton Bikineev <bikineev@chromium.org>
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84313}

Change-Id: I64d5bfabfa1b83337b1f11666495ccbd7e7e46c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030318
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84324}
2022-11-17 13:08:06 +00:00
Mikhail Khokhlov
1c2e2a54d5 Fix cctest build in Chromium with v8_use_perfetto=true
We're migrating Chrome tracing to Perfetto SDK, and the first step is
to make everything build with perfetto library.

Example build errors:
https://ci.chromium.org/ui/p/chromium/builders/try/linux-rel/1202724

Bug: chromium:1006766
Change-Id: If9dbc616e025f77c13bae77be981c3ad7b18ad06
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4032153
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Mikhail Khokhlov <khokhlov@google.com>
Cr-Commit-Position: refs/heads/main@{#84323}
2022-11-17 12:59:57 +00:00
Toon Verwaest
704ea7ab3c [runtime] Always succeed rewriting SameValue to non-config/writable prop
Bug: chromium:1383883
Change-Id: I08d5b6c1c841a0f178d214f34bff0d2e973bbb02
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031193
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84322}
2022-11-17 11:45:11 +00:00
Leszek Swirski
7837b354d3 [maglev] Re-enable maglev inlining
It disappeared in one of the call refactorings.

Bug: v8:7700
Change-Id: Idc40eca44f81bd87984e94af6586da05d01e6d57
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031826
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84321}
2022-11-17 11:44:07 +00:00
Andreas Haas
a9e53d6e44 [wasm] Cache the tiering budget with the code
With dynamic tiering, each WebAssembly function has a tiering budget,
and the function gets optimized once the tiering budget is reached. So
far the tiering budget exists per process, which means that whenever
a web application got loaded, it started with a full tiering budget.
As a result, functions that only get called few times during startup
and never reach the tiering budget would never get optimized.

With this CL the tiering budget gets written to the cache. Given that
caching events are happening, this means that also startup functions get
optimized eventually as long as the web application gets visited often
enough.

R=clemensb@chromium.org
Bug: chromium:1384530

Change-Id: I5066bc8f3daf457159b6eb785d2e17eda43c8c4c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4026769
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84320}
2022-11-17 11:16:26 +00:00
Manos Koukoutos
145853f5c1 [wasm-gc] Fix zero-supertypes validation
Only validate that a supertype is in-bounds if it exists.
Also, fix format parameter for the respective error message.

Bug: v8:7748
Change-Id: I8891562a57e680ed7f6e65f83147cd8db3771607
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031207
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84319}
2022-11-17 10:57:21 +00:00
Lu Yahan
52e0a90dc3 [riscv64] fmv_x_w should use sext32 to extend rd.
Change-Id: I808771e8792c74971be4a92399dddf8e7cd08ac8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4032017
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#84318}
2022-11-17 09:28:28 +00:00
Dominik Inführ
700dfe36c3 [heap] Rework C++ shared marking barrier checks
Simplify the checks in the C++ marking barrier that deal with
shared objects. The checks we now use here are the same we will be
using for the JS barrier in RecordWrite (see
https://crrev.com/c/4020176).

This CL also reworks WriteWithoutHost, the barrier used for traced
handles. It doesn't use MarkValue anymore since the logic is a
bit different to the regular marking barrier on objects.

Bug: v8:13267
Change-Id: If23b65ce5f06af99a5cea864ce28a68f8d5b37de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031028
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84317}
2022-11-17 09:13:56 +00:00
Lu Yahan
e39af94dd1 [riscv64] Fix failed: vector[] index out of
GenPCRelativeJumpAndLink doesn't use BlockTrampolinePoolScope.
It inserts a BlockTrampolinePool which causes this error.

And also alter debug info format.

Change-Id: I160f13f4261fdcf1f7978bfce9b5169d363e6a10
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4032016
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#84316}
2022-11-17 07:09:36 +00:00
Manos Koukoutos
94d26bcfe1 [turbofan] Introduce enum for signalling NaN propagation
We introduce {SignallingNanPropagation} in MachineOperatorReducer to
make the call-sites easier to read.

Change-Id: I61d46fda5f6156a87f8504c38cae6b014e4021ab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4026771
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84315}
2022-11-17 06:49:36 +00:00
Shu-yu Guo
bdf634f851 Revert "unified-young-gen: Trace cross-heap references"
This reverts commit 43f03448d3.

Reason for revert: Data race caught by TSAN:
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20isolates/22640/overview

Original change's description:
> unified-young-gen: Trace cross-heap references
>
> The CL enables the marking visitor in CppGC to trace
> v8::TracedReferences (by just reusing the unified heap visitor from the
> full GC). In addition, it specifies VisitJSApiObject for
> NewSpaceVisitors to be able to trace wrappers from Minor MC in case
> --cppgc-young-generation is enabled.
>
> Bug: v8:13475
> Change-Id: I04ba1f2a22e05caebf53dc8d64f2488c42ab8579
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4026896
> Commit-Queue: Anton Bikineev <bikineev@chromium.org>
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84313}

Bug: v8:13475
Change-Id: I8b8351774a121ca2296efa3c8d3a588fa7380d86
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4032053
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84314}
2022-11-17 00:08:26 +00:00
Anton Bikineev
43f03448d3 unified-young-gen: Trace cross-heap references
The CL enables the marking visitor in CppGC to trace
v8::TracedReferences (by just reusing the unified heap visitor from the
full GC). In addition, it specifies VisitJSApiObject for
NewSpaceVisitors to be able to trace wrappers from Minor MC in case
--cppgc-young-generation is enabled.

Bug: v8:13475
Change-Id: I04ba1f2a22e05caebf53dc8d64f2488c42ab8579
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4026896
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84313}
2022-11-16 21:47:38 +00:00
Marja Hölttä
47aaddc508 [rab/gsab] Now really fix the destination being resizable in TA.p.slice
Cancel the unnecessary fix
https://chromium-review.googlesource.com/c/v8/v8/+/4028559
and fix the problem at its root, TypedArraySpeciesCreateByLength.

This fix also fixes other variants of this bug (see tests).

Drive by: harden by setting length = 0 (not only byte_length) for length
tracking TAs.

Bug: v8:11111,chromium:1384474
Change-Id: I3ba660f7f600c0b946c75e7f13276703394c7df2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030259
Auto-Submit: Marja Hölttä <marja@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84312}
2022-11-16 21:38:50 +00:00
Tom Anderson
3e0c51309f mb_config.pyl: Add instrumented_libraries_release arg to MSAN bots
This mirrors the following Chromium CL:
https://crrev.com/31c75523db83496571386484cc03510cef35038a

`instrumented_libraries_release` will be necessary while the
msan bots are upgraded from Xenial to Focal.

Bug: chromium:1260217
Change-Id: I116a9f516c695797433c7b719f2579c0bda95ec8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4029616
Commit-Queue: Thomas Anderson <thomasanderson@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84311}
2022-11-16 21:07:21 +00:00
Clemens Backes
8de33e292e [wasm] Enable wasm-gc for fuzzers
This will make our generic fuzzers (wasm-fuzzer, wasm-code-fuzzer,
wasm-async-fuzzer, ...) fuzz wasm-gc opcodes.
We were already fuzzing specific instructions in the wasm-compile
fuzzer, but were missing fuzzer coverage for corner cases and
instructions not supported by that fuzzer.

R=jkummerow@chromium.org
CC=manoskouk@chromium.org

Bug: v8:13496
Change-Id: Iccca96e32a64d20c11bc425fb5b1e9a1e3aa7486
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030986
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84310}
2022-11-16 20:41:36 +00:00
Marja Hölttä
0fa99183ef [testing] Flush the output before crashing w/ unreachable in Torque
Bug: chromium:1384479
Change-Id: Iee75837da6cfdb792563f1d2f1c7640f492ced6b
Fixed: chromium:1384479
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030491
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84309}
2022-11-16 19:42:46 +00:00
Frank Tang
2ada52cffb [intl] Enhance Date parser to take Unicode SPACE
This is needed to prepare for the landing of ICU72.
Allow U+202F in the Date String, which the toLocaleString("en-US")
will generate w/ ICU72.

Bug: v8:13494
Change-Id: I41b83c4094ce3d0737a72dcd6310b52c68fdcdca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4027341
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84308}
2022-11-16 18:00:56 +00:00
Toon Verwaest
78bd802348 [maglev] Put verbose deopt printing behind a flag
It's a bit much

Bug: v8:7700
Change-Id: I23fd1c5f6d16e0c97c9f52e503bfd63947a959b0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030988
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84307}
2022-11-16 17:46:06 +00:00
Anton Bikineev
4ac7982861 unified-young-gen: Support Oilpan tracing from minor MC
The CL adds standalone Oilpan tracing to minor MC. No cross-heap
references are currently processed. In addition, the CL removes
wrapper iteration from Oilpan Minor MC.

Bug: v8:13475
Change-Id: I3a0670e1f3431a3aa723217d5361e4e74f9b0c0f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4027209
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84306}
2022-11-16 17:28:45 +00:00
Victor Gomes
2f1b530dbc [maglev] Reduce FunctionPrototypeApply
Bug: v8:7700
Change-Id: Ie8a0ea4adbcc50668f4b5c14f3948c8edfdfadb1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4026122
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84305}
2022-11-16 17:10:45 +00:00
Toon Verwaest
1ffbbe5969 [runtime] Make stores to existing double fields always drop const
Dedeprecation to tagged is otherwise madness.

Bug: chromium:1383976

Change-Id: I4ed16b9cc59ca113c16099895d1721e3eb0288b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030486
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84304}
2022-11-16 17:05:25 +00:00
Nikolaos Papaspyrou
9554743a0b [heap] Refactor the stack object
The stack object is primarily used for conservative stack scanning, both
by the V8 and C++ garbage collectors. This CL introduces the notion of a
"stack context", which comprises the current stack marker (the lowest
address on the stack that may contain interesting pointers) and the
values of the saved registers. It simplifies the way in which iteration
through the stack is invoked: the context must have previously been
saved and iteration always uses the stack marker.

Bug: v8:13257
Bug: v8:13493
Change-Id: Ia99ef702eb6ac67a3bcd006f0edf5e57d9975ab2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4017512
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84303}
2022-11-16 16:21:50 +00:00
Dave Tapuska
8016f5c667 [inspector] Pass the Context into terminateExecution
Adding and removing the MicrotasksCompletedCallback should be
associated with the microtask queue of the Context. We store the
context as WeakPtr and always remove the callback when it completes
regardless of the state of the debugger.

BUG=v8:13450

Change-Id: I40d623b05952575febfb76accc15512a38d14ab9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4004602
Commit-Queue: Dave Tapuska <dtapuska@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84302}
2022-11-16 15:44:55 +00:00
Manos Koukoutos
0861b4b658 [wasm-gc] Disallow array.new_{data, elem} as constant expressions
Additionally:
- Remove the early data-count section from module-decoder and
  wasm-module-builder.js.
- Move a test from gc-nominal.js to array-init-from-segment.js.
- Comment-out relevant tests.

Bug: v8:7748
Change-Id: I5e038e0b6227c28ce79ffe39529ada59c34187eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4028144
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84301}
2022-11-16 14:44:29 +00:00
Clemens Backes
435c5d7a96 [wasm][fuzzer] Use a consistent namespace
Most wasm fuzzers live in the v8::internal::wasm::fuzzer namespace.
Thus also move the wasm-fuzzer there. Additionally
- use the C++20 syntax for declaring the namespace,
- skip unneeded full or partial classifications on types, and
- remove a redundant HandleScope.

R=ahaas@chromium.org

Bug: v8:13496
Change-Id: I31d948af449efd9708aa6b27f35e8f3c9280a3f9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030579
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84300}
2022-11-16 14:38:18 +00:00
Victor Gomes
076e7554da [maglev] Avoid clobbering value register in StoreIntDataViewElement
... if element size > 1.

Bug: v8:7788
Change-Id: I5b6364dae8ec0ce02716e402c3ddff4a2b089af9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030496
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84299}
2022-11-16 14:04:57 +00:00
Thibaud Michaud
cd89980624 [wasm] Compute precise stack segment start
StackMemory::base() returned an approximate value for the root stack.
Ensure that it returns the exact value reported by the OS, so that
conservative stack scanning can use this method to determine the bounds
of each segment in a uniform way.

R=ahaas@chromium.org,nikolaos@chromium.org

Bug: v8:13493
Change-Id: I9f267a568494a7744882d148fd65fe42f7b119af
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030316
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84298}
2022-11-16 13:52:07 +00:00
Clemens Backes
3af74a2e04 [wasm] Disable write protection by default
Now that lazy compilation is shipped, we effectively overwrite the
default (true) via the weak negative implication anyway. Hence switch
the default to false to avoid confusion.

R=ahaas@chromium.org

Bug: v8:12852
Change-Id: Idd662992930db8a5df565b967a6820d662681ec6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030480
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84297}
2022-11-16 13:04:47 +00:00
pthier
50932b5750 [regexp] Decouple handling of text elements from the rest of the parser
Create RegExpTextBuilder as a separate class to handle creation of text
elements in the regular expression parser.
The main motivation is to re-use the text builder for StringDisjunctions
in unicode sets mode (to be implemented).

Bug: v8:11935
Change-Id: Ice5f035f1638bb6d9c58f62ce2a133882da736ae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3967901
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84296}
2022-11-16 12:41:37 +00:00
Clemens Backes
0431a2575c [liftoff] Use root register instead of instance field
The isolate root is stored on the Wasm instance but also available
directly in the root register. Save (at least) one load and use the root
register directly.

R=jkummerow@chromium.org

Bug: v8:13449
Change-Id: I7426c6d2295e443e4971eea097b849ee50bf09c8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4026123
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84295}
2022-11-16 11:47:47 +00:00
Andreas Haas
63fc14c68b [wasm] Add --no-wasm-lazy-compilation to nooptimization
With shipping lazy compilation, we lose the test coverage for eager
compilation. This is bad, because with PGO, eager compilation may have
a comeback. With this CL we enable eager compilation in the
nooptimization test variant. This variant seems to be the best fit, as
there are no conflicts with existing flags. The --liftoff flag is not a
problem, because Liftoff was anyway the default for eager compilation.

R=clemensb@chromium.org

Bug: v8:12852
Change-Id: I002ecb2a31ad2e2335a0469fdf5e3d5bda3b33bc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4027004
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84294}
2022-11-16 11:42:17 +00:00
Clemens Backes
bb717e6f29 [wasm] Refactor native module cache API
Refactor the API to avoid passing in a pointer to a {shared_ptr}. In the
caller it's not always obvious that this can change the object that the
{shared_ptr} points to, which again can lead to UAF bugs.
Passing in a {shared_ptr} and receiving back a potentially updated
{shared_ptr} makes this more obvious.

R=ahaas@chromium.org, thibaudm@chromium.org

Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel
Change-Id: Ib209c3c223df07446f0cd4472bc3f68f3897919f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4020230
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84293}
2022-11-16 11:39:37 +00:00
Andreas Haas
2528312195 [wasm] Unconditionally register the caching callback
So far the callback was not registered when the module got loaded from
the code cache.

R=clemensb@chromium.org

Bug: chromium:1384530
Change-Id: I9477ad50a2642e2268bfacf97a2eacda6610b25d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4027927
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84292}
2022-11-16 11:07:45 +00:00
Leszek Swirski
3a6d0ba8dd [maglev] Make sure constants are tagged in exception handling
Don't re-use the same mechanism for non-tagged constants as we do for
tagged ones, since then we end up with untagged values in exception
phis.

Instead, emit constants along with other non-tagged materialisations --
however, avoid unnecessarily Push/Popping them on the stack, or calling
Builtin::kNewHeapNumber, but embed them directly as tagged values in the
code.

Bug: v8:7700
Change-Id: I8db1314c274104cec292178d37fac58ef45d769f
Fixed: chromium:1385271
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030477
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84291}
2022-11-16 10:57:39 +00:00
Leszek Swirski
5443787221 [maglev] Move use marking to input visit
Allow nodes to be considered dead as soon as they are visited during
input assignment, by updating uses immediately (rather than waiting
until all inputs are assigned). This helps the case of clobbered
registers, which now know whether they need to be saved or not.

Also, disallow using existing blocked registers when assigning clobbered
inputs, so that a clobbering input doesn't accidentally clobber a
non-clobbering one.

Bug: v8:7700
Change-Id: I9b91b66ac159f0dd20c9554a860fdbf2545c400d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4020508
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84290}
2022-11-16 10:56:20 +00:00
Michael Lippautz
c71ace71d3 [handles] Temporarily add CHECKs for node consistency
Adding diagnosing CHECKs. Will be reverted after fixing issue.

Bug: chromium:1380114, v8:13372
Change-Id: I33a7f3886de9440be9a94e542697fc7bc9f649cf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4028644
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84289}
2022-11-16 10:55:08 +00:00
Leszek Swirski
c7c8a5ce4e [maglev] Use tagged_alternative for Float64 EnsureTagged
EnsureTagged for Int32 and Uint32 uses NodeInfo::tagged_alternative, but
Float64 was still using the old "check next node" approach. Update this
to be inline with the others.

Bug: v8:7700
Change-Id: I682c48828753d98b740df0f6ac21ae1c6bda722c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4022708
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84288}
2022-11-16 10:43:58 +00:00