This reverts part of crrev.com/c/2413252 since std::unique_ptr does
not satisfy is_standard_layout; and is_standard_layout is needed
to use offsetof:
error: offset of on non-standard-layout type [-Werror,-Winvalid-offsetof]
Fixed: v8:12721
Change-Id: Ifbb1235fc3b8d1d855d41a226117fed88c506078
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540141
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79597}
Report fine-grain incremental mark/sweep statistics to the Recorder API.
These will be used by Blink to populate UMA histograms such as
V8.GC.Event.MainThread.Full.Incremental.(Mark|Sweep).
Bug: chromium:1154636
Change-Id: I1cbdcb2ffa49bd01d04a2e1d43921cebf956ac84
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545070
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79596}
The debugger maintains a stack of promises used for catch prediction
with promise builtins and async functions. Previously this stack would
hold on to the individual promises strongly, and subtle bugs that lead
to not properly cleaning up the stack in some corner cases would often
lead to significant memory issues (e.g. leaking whole iframes).
This refactors the PromiseOnStack to be
(a) on the V8 heap, rather than allocating C++ structs with global
handles pointing to the promises, and
(b) hold on to the promises only weakly.
While this will not guarantee proper promise stack management, it will
at least ensure that edge cases don't lead to catastrophic (debugger
only) leaks.
Bug: chromium:1292063
Change-Id: I9c293ca2032de3a59e1e9624f132d37187805567
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545176
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79594}
Before productionizing this, we probably want to just ignore the whole
section if it contains invalid data, but for now failing with a decode
error is more consistent with existing checks.
R=ecmziegler@chromium.org
Bug: v8:12537
Change-Id: I7fc5933573a4d6eddd039bf51361c5bee5c5170d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545177
Reviewed-by: Emanuel Ziegler <ecmziegler@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79593}
Accidentally, remembered sets for slots and source objects were passed
by value when visiting.
Bug: chromium:1029379
Change-Id: I1942a13605990c0b13c378d33d3ace602daddf0d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545318
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Auto-Submit: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79591}
This reverts commit 164a040a2a.
Reason for revert: roll failure: https://ci.chromium.org/ui/p/chromium/builders/try/cast_shell_linux/1164753/overview
Original change's description:
> cppgc: Add regression test and check for object start bitmap
>
> Access to the object start bitmap is only safe during marking until
> sweeping is started as the concurrent sweeper may clear and rebuild
> the bitmap at any time during sweeping.
>
> Adds a DCHECK and an additional test for a previously broken
> pre-finalizer scenario.
>
> Bug: chromium:1307471
> Change-Id: If67ade43f7cdad6de4720c0efeac11bfe8c22b3c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3535782
> Reviewed-by: Nikolaos Papaspyrou <nikolaos@chromium.org>
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79550}
Bug: chromium:1307471
Change-Id: I181e63a34eae9369184fb86112bc64e53b8bfad5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545317
Owners-Override: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79590}
Remove deprecated TracedGlobal<>, greatly simplifying handling of
traced references in general.
Also saves a word per v8::TracedReference as there's no need to keep a
possible callback around.
Bug: v8:12603
Change-Id: Ice35d7906775b912d02e97a27a722b3e1cec28d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3532251
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79589}
Currently, we assume:
allocated-object-size = marked-bytes-on-previous-cycle + k,
which is not the case for the sticky bits (with the young generation
enabled). The CL introduces a variable
StatsCollector::marked_bytes_so_far_ that keeps track of marked bytes
across GCs.
Bug: chromium:1029379
Change-Id: I749c8c0174889c10093c75f88c096c68905bf36e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545167
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79588}
This fixes a general race with stack-scoped `TestPlatform` which
may go out of scope while tasks on workers are still running.
Add a barrier for workers, implemented through tasks, to synchronize
destruction of `TestPlatform`.
While this fixes general races, such short-lived platforms still
break if tasks cache the global platform pointer.
Bug: v8:12635
Change-Id: Ifc6ecc29f0e2b7297ca52051eae9bd81013b60ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3536651
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79587}
This reverts commit 9e1db51817.
Reason for revert: https://chromium-review.googlesource.com/c/v8/v8/+/3535782 causes roll failures, this needs to be reverted too because it's based on it
Original change's description:
> cppgc: Add DCHECK that object start bitmap is safe to use
>
> During sweeeping/compaction the bitmap is being reconstructed and
> should not be relied on for finding object start.
> Add a DCHECK that the bitmap is fully populated.
>
> Bug: chromium:1307471
> Change-Id: I4aa414722262bb6fb169123a49fce1510a60d3ef
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540680
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Omer Katz <omerkatz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79575}
Bug: chromium:1307471
Change-Id: I377b8737609fff33199776dce3d997f31074c59b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545316
Auto-Submit: Tobias Tebbi <tebbi@google.com>
Owners-Override: Tobias Tebbi <tebbi@google.com>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#79586}
This reverts commit d9e1f2aee5.
Reason for revert: Linux test failures: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux/45960/overview
Original change's description:
> [wasm][liftoff] Spill regs for multi-value merges
>
> If there is more than one value in the merge region, a stack-to-stack
> move can overwrite the source of a stack-to-register move. To avoid
> this, spill all registers.
>
> R=clemensb@chromium.org
>
> Bug: chromium:1299183
> Change-Id: I10495434d0a18c9072ee3882e00a687edd8c592a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3523044
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79584}
Bug: chromium:1299183
Change-Id: I465129695cfc1c5678923f7eefe5b91e31383798
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3546745
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Owners-Override: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79585}
If there is more than one value in the merge region, a stack-to-stack
move can overwrite the source of a stack-to-register move. To avoid
this, spill all registers.
R=clemensb@chromium.org
Bug: chromium:1299183
Change-Id: I10495434d0a18c9072ee3882e00a687edd8c592a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3523044
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79584}
Since assignments to read-only private references can be skipped due
to short-circuiting in logical assignments, we should not eagerly
emit the error of invalid writes, and should instead load the values
as usual, only emitting an error when the assignment happens,
which can be handled by BytecodeGenerator::BuildAssignment().
Bug: v8:12680, v8:8330, v8:10372
Change-Id: Ia5fea9090bc48b0af8a9c8d6f95174f7aa2d86f8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3509298
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#79583}
ThinStrings always forward to internalized strings that have the same
character contents and thus the same length.
Change-Id: I5929d266f96b23029f4786baf993a431cf4ad38d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3541522
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79582}
CreateInterpreterDataForDeserializedCode checks for bytecode, copies the
InterpreterEntryTrampoline, and installs that and the bytecode on
InterpreterData. However, the bytecode can be flushed when the IET is
copied, which results in a failure to read it afterward.
Add an IsCompiledScope to guard against this.
As a drive-by, guard against baseline code being installed on the
function. This shouldn't happen in normal execution, but could
theoretically happen with some extra support for --always-sparkplug.
Bug: chromium:1308178
Change-Id: Ia5e81b376bff2aaa19e9c6007242629ab8b0d4a8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545171
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79580}
Instead of manually ensuring checkpoints and marking that operations had
side effects, do this in AddNewNode based on OpProperties.
Bug: v8:7700
Change-Id: I1e2699af537056d066e7f919abe5e7479bd3af91
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545174
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79578}
During sweeeping/compaction the bitmap is being reconstructed and
should not be relied on for finding object start.
Add a DCHECK that the bitmap is fully populated.
Bug: chromium:1307471
Change-Id: I4aa414722262bb6fb169123a49fce1510a60d3ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540680
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79575}
The code is dead since migrating to jobs API.
Change-Id: Icdcc3523ffe5830ef5851cf4ea86e579841f543c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540103
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79573}
The lookup is safe during executing pre-finalizers which requires that
the GC is put in the atomic pause.
Bug: chromium:1307471
Change-Id: I4e61573f5cadf2585daab24d73ad798004d54188
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545173
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79572}
Some edges are self looping because of incorrect `horizontalPos`. This is occuring because of an unexpected scenario caused due to incorrect calculation of `inputApproch` and `outputApproach`. And all of this is occuring because of insufficient distance between two nodes.
An example of the problem is shown in the image: https://imgur.com/aAmnzaK.
Change-Id: I056e1fbcc420ce65a3ae9201e187b22ad3fbaaba
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3535791
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79570}
Following up on https://crrev.com/c/3540145, this also changes local
debug evaluate scripts to be marked as shared-cross-origin.
Drive-by-fix: This also updates the test for global debug evaluate to
use the official (debug) API instead of peaking into the V8 internals
unnecessarily.
Bug: chromium:1295750
Change-Id: Ief0bc76a4333671f8db761d1f6a5fb740aae698e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3541780
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79568}
This reverts commit aaedd8b788.
Changes in the reland:
The inital problem was caused by nodes that were removed during SL
because they are no-ops but have an effect on typing (in the repro, this
was e.g. PlainPrimitiveToNumber). The reland introdocues a new operator
SLVerifierHint that is used exclusively in SL to provide hints to the
verifier and that solves this problem. SLVerifierHint also replaces the
previous use of TypeGuard to type constant nodes for the verifier.
Bug: v8:12619, chromium:1302572
Change-Id: I0957645c03d8b7c26cd6d630a1ecbd0a6a8223ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3512574
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79564}
CallProperty IR has inputs 0 (function), 1 (context), and the
remaining are variable according to the register count.
Bug: v8:7700
Change-Id: Ie9d8785bd5c1ae878c664683f8ebcff4ce6c408a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3541924
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79562}
This is a reland of 6b690a6b48.
The previous version of this CL was a bit too aggressive in the
duplication of branch conditions. This caused an increase in
register pressure in some cases, thus reducing performance.
In fact, duplicating branch conditions that require an "== 0" to be
added provides no benefits. We are thus now a bit less aggressive, and
only duplicate comparisons.
Original change's description:
> Reland [compiler] Simplify "==0" branches in MachineOperatorReducer
>
> This is a reland of 48b443f692.
>
> While fixing the initial CL, we stumbled upon a few bugs that
> we had to fix:
>
> - CommonOperatorReducer and SimplifiedOperatorReducer were applied
> before and after SimplifiedLowering, but always assumed that it
> was before SimplifiedLowering, and thus had the wrong semantics
> for branches in some cases. They now have an added parameter to
> know which semantics of branch they should use.
>
> - The lowering of StaticAssert was wrong and could leave kHeapConstant
> in the assert (instead of machine Booleans).
>
> Original change's description:
> > [compiler] Simplify "==0" branches in MachineOperatorReducer
> >
> > Bug: v8:12484
> > Change-Id: I0667c7464c0dd71338bc199a24a69248a7a0a525
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3497303
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Owners-Override: Tobias Tebbi <tebbi@chromium.org>
> > Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#79379}
>
> Bug: v8:12484
> Change-Id: Ibbf5df96fce5ccb04868dc517539479bf69f5703
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3516869
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79528}
Bug: v8:12484
Change-Id: I31f575a59811a83c7c1acb4c14bf5ded63a8f536
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540102
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79560}
Currently getting the following 2 errors:
```
error: reference to 'MarkingType' is ambiguous
error: reference to 'SweepingType' is ambiguous
```
Change-Id: Ia50d1b5ea8af0fcc85acb9c0dc5cfae1956cec62
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540624
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#79556}
This fixes the following compiler warning:
```
src/compiler/backend/register-allocator-verifier.cc:365:19: warning: loop variable 'pair' of type 'const
std::__1::pair<const v8::internal::compiler::InstructionOperand, v8::internal::compiler::Assessment *>' creates a
copy from type 'const std::__1::pair<const v8::internal::compiler::InstructionOperand,
v8::internal::compiler::Assessment *>' [-Wrange-loop-analysis]
for (const auto pair : map()) {
^
src/compiler/backend/register-allocator-verifier.cc:365:8: note: use reference type 'const
std::__1::pair<const v8::internal::compiler::InstructionOperand, v8::internal::compiler::Assessment *> &' to
prevent copying
for (const auto pair : map()) {
^~~~~~~~~~~~~~~~~
&
```
Signed-off-by: Darshan Sen <raisinten@gmail.com>
Change-Id: Ifbaa85345d8dcdf56a68d194bba98d76878c96f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3538286
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79555}
During a frame merge we call ForEachValue that "get"s every
live register, including the virtual accumulator. That currently
fails since we need to check if the register is the virtual
accumulator and set/get the accumulator field in InterpreterFrameState.
The virtual accumulator slot in RegisterFrameArray (the same as the
return address in a live frame) is actually unused.
So we can use this slot for the InterpreterFrameState's accumulator,
instead of a separate field.
Bug: v8:7700
Change-Id: Ife33946a4f9c58ca1f4eadeb587f9880f6fb2afc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3536648
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79553}
This reverts commit 6b690a6b48.
Reason for revert: causes a few regressions here https://chromeperf.appspot.com/group_report?rev=79528
Original change's description:
> Reland [compiler] Simplify "==0" branches in MachineOperatorReducer
>
> This is a reland of 48b443f692.
>
> While fixing the initial CL, we stumbled upon a few bugs that
> we had to fix:
>
> - CommonOperatorReducer and SimplifiedOperatorReducer were applied
> before and after SimplifiedLowering, but always assumed that it
> was before SimplifiedLowering, and thus had the wrong semantics
> for branches in some cases. They now have an added parameter to
> know which semantics of branch they should use.
>
> - The lowering of StaticAssert was wrong and could leave kHeapConstant
> in the assert (instead of machine Booleans).
>
> Original change's description:
> > [compiler] Simplify "==0" branches in MachineOperatorReducer
> >
> > Bug: v8:12484
> > Change-Id: I0667c7464c0dd71338bc199a24a69248a7a0a525
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3497303
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Owners-Override: Tobias Tebbi <tebbi@chromium.org>
> > Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#79379}
>
> Bug: v8:12484
> Change-Id: Ibbf5df96fce5ccb04868dc517539479bf69f5703
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3516869
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#79528}
Bug: v8:12484
Change-Id: I457464d793e9c5af8448564aa3b46be863b96fbb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540148
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79552}
Port b2978927d8
Original Commit Message:
This CL removes:
- Dynamic map checks aka minimorphic property loads (TF support,
builtins).
- "Bailout" deopts (= drop to the interpreter once, but don't
throw out optimized code).
- "EagerWithResume" deopts (= part of dynamic map check
functionality, we call a builtin for the deopt check and deopt
or resume based on the result).
R=jgruber@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N
Change-Id: I64476f73810774c2c592231d82c4a2cbfa2bf94e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3537881
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#79551}
Access to the object start bitmap is only safe during marking until
sweeping is started as the concurrent sweeper may clear and rebuild
the bitmap at any time during sweeping.
Adds a DCHECK and an additional test for a previously broken
pre-finalizer scenario.
Bug: chromium:1307471
Change-Id: If67ade43f7cdad6de4720c0efeac11bfe8c22b3c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3535782
Reviewed-by: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79550}
This way Blink will not sanitize error events coming from JavaScript
entered via the DevTools console, and instead forward the original error
event as-is, which is more likely to match the developers' expectations.
Bug: chromium:1295750
Change-Id: Id02c048e4af21d0c232d8e44d11115f6b61c0bf1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540145
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79549}
When cross realm invoke PromiseConstructor and realm not
allowed to CrossRealmAccess, PromiseConstructor will
silently return undefined, which will cause crash in
ConstructJSWithTarget type cast, Change to throw type
error when HasAccessCheck failed.
Bug: v8:12705
Change-Id: I18f697a1897c31163dd60522db12449033419f9a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3521174
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79548}
