We shouldn't spill weak pointers onto the stack when calling functions
that can trigger GC. DynamicMapChecks operator was using feedback loaded
from the feedback vector across the TryMigrateInstance function call.
The feedback can be a weak pointer to receiver map for monomorphic cases
and TryMigrateInstance can trigger a GC. This cl fixes it by holding
a holding a strong reference to the feedback.
Bug: v8:10774,v8:10582,v8:9684
Change-Id: Ia36f4d8ad46421ae570f41439bc1f0875081deee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2336804
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69338}
This is a reland of 60ee70bb40.
The wasm c-api flakes were fixed in https://crrev.com/c/2349293.
Original change's description:
> [wasm] Ensure that only TurboFan code is serialized
>
> We have the implicit assumption that Liftoff code will never be
> serialized, and we start relying on that when implementing new features
> (debugging, dynamic tiering).
>
> This CL makes the serializer fail if the module contains any Liftoff
> code. Existing tests are changed to ensure that we fully tiered up
> before serializing a module (similar to the logic in Chromium).
> The "wasm-clone-module" test needs to serialize the module before
> enabling the debugger.
>
> Note that chrome currently only serializes a module after it fully
> tiered up, so that should be fine. If other embedders need the ability
> to serialize a module in an arbitrary state, we will have to fix this
> later. With this CL we will be on the safe side though and (gracefully)
> fail serialization instead of accidentally serializing Liftoff code.
>
> R=ahaas@chromium.org
>
> Bug: v8:10777
> Change-Id: I1245e5f7fda3447a544c1e3525e1239cde759174
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2336799
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#69276}
Bug: v8:10777
Change-Id: I2a7c1429812ca46d88a2902b8e0a7b7e3d638b56
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2349290
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69335}
Now that background threads participate in sweeping, this method
races because multiple threads now want to update that counter. We could
either make this counter atomic or remove it entirely. This CL removes
this counter since it isn't strictly necessary, it is only used when
sweeper finds more garbage than markers. This happens e.g. with
right-trimming but should be rare and is eventually fixed in the next
GC.
Bug: v8:10315
Change-Id: Iebae8937860160a3b49bedd03c2e21e41f7dfe76
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2349296
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69334}
This CL checks the version of the log file
by checking the format of Map Objects processed
by the IC processor. The version check requirement
came from the modified IC event logging pipeline
of the V8.
Bug: v8:10644
Change-Id: Ic661a34cfaf15edfde5fa24588275ac055a5bb5e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2343067
Commit-Queue: Zeynep Cankara <zcankara@google.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69333}
We only want to serialize TurboFan code, because Liftoff code could
contain breakpoints, and we start thinking about embedding other
non-relocatable constants.
Thus, wait until top-tier compilation finished before triggering
serialization.
A follow-up CL will make serialization fail if any Liftoff code is
encountered.
R=ahaas@chromium.org
Bug: v8:10777
Change-Id: I73d6c2d868545fcd4069a8cf9850ca7fca375ecb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2349293
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69332}
This removes the {InterpretWasmModuleForTesting} function in favor of
{InterpretWasmModule}, and uses that in {InterpretAndExecuteModule}.
The latter again is reused in {WasmExecutionFuzzer::FuzzWasmModule},
such that all fuzzers execute the same checks now.
R=ahaas@chromium.org
Bug: chromium:1112099, chromium:1113681
Change-Id: Ia8818b93e9274266a81573edd6852e4e4734b150
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2346283
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69331}
This is the first step in refactoring Worklist to allow arbitrary
number of local worklists with private segments:
- Introduce MarkingWorklistImpl<> which will eventually replace
(and will be renamed to) Worklist.
- MarkingWorklistImpl<> owns the global pool of segments but does not
keep track of private segments.
- MarkingWorklistImpl<>::Local owns private segments and can be
constructed dynamically on background threads.
- Rename the existing MarkingWorklistsHolder to MarkingWorklists.
- Rename the existing MarkingWorklists to MarkingWorklists::Local.
- Rename the existing marking_workists_holder to marking_worklists.
- Rename the existing marking_worklists to local_marking_worklists.
Design doc: https://bit.ly/2XMtjLi
Bug: v8:10315
Change-Id: I9da34883ad34f4572fccd40c51e51eaf50c617bc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2343330
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69330}
This change adds support for skipping locations that are in a skipList
on step over. This feature is useful for when we are debugging
C++ applications that have DWARF information we only want to stop on
every breakable location in C++, not non every breakable location
on wasm level.
Bug: chromium:1105765
Change-Id: Ie835b011a00cf31e0c5b2df1ac96ebd89f53d23a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2339458
Reviewed-by: Eric Leese <leese@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69329}
Remove the {ErrorThrower} parameter to {CallWasmFunctionForTesting} (it
was only populated in a subset of failures anyway), and merge it with
{RunWasmModuleForTesting}.
R=ahaas@chromium.org
Bug: chromium:1113681
Change-Id: I5391e2f911928641a907bc5dad5a54677c90acb6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2346279
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69327}
This CL adds more systematic predicates to JSFunction to reason about
available code kinds. Introduced terminology:
- Attached code kinds are accessible directly from the JSFunction
itself.
- Available code kinds are either attached or accessible indirectly.
- The Active code kind is the one that would be executed on the next
function execution.
Bug: v8:8888
Change-Id: I9468884dfe97a6cb73f8329b2b6cb62b622d3e7a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2345966
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69325}
The "wasm fuzzer" and "wasm async fuzzer" use the
{InterpretAndExecuteModule} function, which did not check for possible
nondeterminism in the interpreter yet. This can lead to wrong reports
of mismatches, or in endless loops being executed in compiled code which
was not executed in the interpreter.
This CL adds the check for nondeterminism in that function, and adds a
TODO to merge the two very similar methods.
R=ahaas@chromium.org
Bug: chromium:1112099, chromium:1113681
Change-Id: I80b01d4c53d04f0632807fa852147dc9fb8075ca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2346280
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69324}
The interpreter is used for testing (including fuzzing) only, and in
these cases it's often important to see the exact value of a float. Both
decimal and scientific notation does not show the full value though, and
decimal representation can also be really long for large values, making
it hard to compare values.
This CL switches this debug output to hexadecimal float values, which
always shows the float value in full precision and is also much shorter
than decimal notation in many cases.
R=ahaas@chromium.org
Bug: chromium:1112099
Change-Id: Ia84824227fcd2f1e763ab89280a202ed44930a71
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2346646
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69323}
32-bit MSVC generates a C4018 warning for signed/unsigned mismatch.
Fix this by casting the std::numeric_limits<int32_t>::max() return
value.
Change-Id: Iaff6b81c797a88654a7d2fa6d910da105d824df8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2346934
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69321}
The design included per-location lists, but they were left out in
Version 1 of the implementation.
In addition: drive-by style unification.
Bug: v8:10239
Change-Id: Ia4d69fdf4ce0c3aad2dae8082e00e9fa14c4170a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2339620
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69319}
The hight 32 bits of the result of mulhw are undefined and need
to be cleared manually.
Change-Id: I0e746898aa26a7970ab59b89c374afd1377028ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2347208
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#69318}
This reverts commit 57242a051e.
Reason for revert: regression tests fails:
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20debug/31477
Original change's description:
> [wasm-simd][arm] Use vmov to move all ones to register
>
> vceq(dst, dst, dst) does not seem to always set the register to all
> ones. The right way should be be to use vmov (immediate) anyway. This
> was not supported in the assembler yet, so we need changes to the
> assembler, diassembler, and simulator.
>
> There is an unfortunate fork in logic in the simulator, due to the way
> the switches are set up, vmov (imm) logic is duplicated across two
> different cases, because the switch looks at the top bit of the
> immediate. Refactoring this will be a bigger change that is irrelevant
> for this bug, so I'm putting that off for now. Instead we extract the
> core of vmov (imm) into helpers and call it in the two cases.
>
> Bug: chromium:1112124
> Change-Id: I283dbcd86cb0572e5ee720835f897b51fae96701
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2337503
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#69315}
TBR=bbudge@chromium.org,jkummerow@chromium.org,v8-arm-ports@googlegroups.com,zhin@chromium.org
Change-Id: I5d9d1dcb81771f71001d959ec5a03a43a11c4233
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:1112124
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2347211
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69316}
vceq(dst, dst, dst) does not seem to always set the register to all
ones. The right way should be be to use vmov (immediate) anyway. This
was not supported in the assembler yet, so we need changes to the
assembler, diassembler, and simulator.
There is an unfortunate fork in logic in the simulator, due to the way
the switches are set up, vmov (imm) logic is duplicated across two
different cases, because the switch looks at the top bit of the
immediate. Refactoring this will be a bigger change that is irrelevant
for this bug, so I'm putting that off for now. Instead we extract the
core of vmov (imm) into helpers and call it in the two cases.
Bug: chromium:1112124
Change-Id: I283dbcd86cb0572e5ee720835f897b51fae96701
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2337503
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69315}
Optimize shuffles which only use a single operand (called swizzles),
after canonicalization.
Bug: v8:10696
Change-Id: I2e5ffdb723123dffb0abcb6126345972ddc9f652
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2335735
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69313}
With a displacement of int32_t min (-2^31), and a displacement mode of
kNegativeDisplacement, we will try to negate this constant, but the
result will not fit in an int32_t, leading to a runtime crash.
Check for this special case in CanBeImmediate, and return false.
Bug: chromium:1091892
Change-Id: I7f18153d13805f2836dd5c8e1bc098f1e9600566
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2341095
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69311}
The plain "wasm fuzzer" (which takes the fuzzer input as the wasm wire
bytes) was already running both the interpreter and compiled code, but
it did not compare the results of both.
This CL fixes this by reusing some logic that was already present in the
fuzzers based on the {WasmCompileFuzzer} class.
R=ahaas@chromium.org
Bug: chromium:1113681, chromium:1112099
Change-Id: I9d407f66dfcba0eec90f050630b028edd5fae1d1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2339624
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69310}
Add missing source position for stack check, used by OSR to find the
correct return address.
R=clemensb@chromium.org
Bug: v8:10235
Change-Id: Ie26dd3b2079168e846f84b3a4ffe18b838649be7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2339625
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69309}
We consider some function "test-only" function, e.g. if they have a
"ForTesting" in their name. The src/runtime/runtime-test.cc file should
be allowed to call such functions.
R=tmrts@chromium.orgCC=ahaas@chromium.org
Change-Id: Ib57bba36ba35f29c7673d4cef6d6b1e5ad9c7f65
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2339623
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69308}
The {name} parameter was unused, we always picked the exported "main"
function.
R=ahaas@chromium.org
Bug: chromium:1113681
Change-Id: Iee4b8f72e1137a7e366c3c31b4fa4e4ef81863b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2345964
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69307}
* CopyElementsOnWrite
* CopyFixedArrayElements
* GrowElementsCapacity
There are two versions of CopyFixedArrayElements which still remain to
be TNodified and removed ParameterMode.
Bug: v8:9708, v8:6949
Change-Id: I0d63b51004aefbc55dfc57184ed9a0dda7c9b526
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2339478
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69306}
A new field for signature type was added to WasmExportedFunctionData.
It is set to 0 or 1 depending on the parameter count.
(It's set and being used only in 0 and 1 parameter cases.)
Added new JS tests for 1 parameter wasm functions.
Bug: v8:10701
Change-Id: I349d881a2860f1a50b91e08d0126ca71c5f6483b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2339622
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69302}
New space size needs to be adjusted during global safepoint.
Bug: v8:10315
Change-Id: I670024faa55ce68a4091af6f358f45d20c66fa0b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2239573
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69301}
Previously, all ThisExpression's had kNoSourcePositions leading to
incorrect error messages like this:
➜ d8 -e "function t() { for (const x of this) {} } t();"
unnamed:1: TypeError: undefined is not a function
function t() { for (const x of this) {} } t();
^
TypeError: undefined is not a function
at t (unnamed:1:11)
at unnamed:1:43
This patch allows creation of a ThisExpression with a source position,
leading to a better error message:
➜ d8 -e "function t() { for (const x of this) {} } t();"
unnamed:1: TypeError: this is not iterable
function t() { for (const x of this) {} } t();
^
TypeError: this is not iterable
at t (unnamed:1:32)
at unnamed:1:43
This patch does not remove the existing cached version of
ThisExpression and instead creates a new one when required.
Bug: v8:6513
Change-Id: Idee4fe8946a9b821d06ff4a5e7eaefe54874ec59
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2345226
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69300}
Rolling v8/build: 2943e82..a740400
Rolling v8/buildtools: 1ecfe3c..b00ad0a
Rolling v8/buildtools/linux64: git_revision:3028c6a426a4aaf6da91c4ebafe716ae370225fe..git_revision:e327ffdc503815916db2543ec000226a8df45163
Rolling v8/third_party/aemu-linux-x64: xa2xI0A-kKlMVwMtJRzexwWWPSwHynmUpB0Z6C9Y7wkC..OPyy2ts1trS4QpWQ4KGvoohvI1WfiBoTrjuFjdL-PcsC
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/5cf00e2..c4d3ff4
Rolling v8/third_party/depot_tools: 24289f2..0fa91d0
Rolling v8/tools/clang: e6863f8..95f204aTBR=machenbach@chromium.org,tmrts@chromium.org,v8-waterfall-sheriff@grotations.appspotmail.com
Change-Id: I6b94a2aa7ecec9e2f3e158a54f21cd808720d6a1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2341731
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#69296}
Up until now. we only checked the size of tables defined in a module
at instantiation time. For imported tables we only checked if the
imported table matched the declared import in size. This causes a
problem because we allocate function tables also for imported tabled
before we actually look at the imported table.
With this CL we first check the size of all tables, and only then start
to initialize and load them.
R=jkummerow@chromium.org
Bug: chromium:1114006
Change-Id: Iaf194ed21fb83304fe3a7f0f7ba7b282396e3954
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2339473
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69291}
Forgetting to add a new bytecode into the lists in
serializer-in-background-compiler.cc results in a confusing CHECK
failure.
This moves the failure to a discoverable place.
Change-Id: I3e78b4702bfa724748ec8ed3f7f49e0eedc504fc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2324246
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69290}
The cast from uint32_t to int caused an integer overflow that let a
bounds check succeed that should have failed.
R=jkummerow@chromium.org
Bug: chromium:1114005
Change-Id: Iea1af70af300be54c2a33d7dd10b3faa34d56eaa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2339472
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69289}
