.. that should now be a jump to `no_code_for_osr` since
AttemptOnStackReplacement is now emitted in deferred code and may thus
no longer fall through.
Fixed: chromium:1403135
Bug: v8:7700
Change-Id: I3dcd7696dc5a19a0cd955b2eef1538c07b2d6e00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4124200
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85022}
Mark rhs as clobbered since we may negate it. Negate the lhs in rax.
Bug: v8:7700, chromium:1403470
Change-Id: I9a26de78fcd8d1db90c1d26617001c0c699c350e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110814
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85021}
As a drive-by this also fixes property load from smi. We still need to check that we actually have a smi...
Bug: v8:7700, chromium:1403280, chromium:1403323
Change-Id: I3c4f050b94550b8d7e4e65f733f9c1dad47941d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4120575
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85015}
Even if we have a constant load, if the map is not stable, we cannot
guarantee that the load is preserved across side-effecting calls.
Fixed: chromium:1403324
Bug: v8:7700
Change-Id: Ib900cf7574711115439e6521ed8cfaa866525e78
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4123532
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85014}
It's possible that various branches merged already with a value that's
in a liveness hole, but we only figure out later. If so, drop the merge
as well.
Bug: v8:7700, chromium:1403399
Change-Id: Ifd97e0c1959ffe51017e400fb028041047885a9c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4111932
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85013}
Many locations use the generic GetReadOnlyRoots() function to get access
to read only roots. Prominently this happens in Object::IsUndefined and
friends. The function is quite inefficient on shared read only root
build configurations as it always has to check if the shared read only
heap is already initialized or not. However, the heap is only
uninitialized during bootstrapping.
This CL replaces the branch by a CHECK and deals with the fallout
twofold. First, the SoleReadOnlyHeap is initialized earlier, right
after all heap objects have been created. Second, any location that
calls GetReadOnlyRoots() during initialization is fixed to access
the isolate-local read only roots table instead of the shared one.
Bug: v8:13466
Change-Id: I03e3e68eeefc8651818700629f69ff6163ceb6ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4116776
Commit-Queue: Olivier Flückiger <olivf@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Olivier Flückiger <olivf@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85012}
Drop --future from 25% to 5% for a few days until all currently open
correctness cases associated with --future are fixed.
No-Try: true
Bug: v8:7700
Change-Id: I161a0adbc767c5cec46409443fe58c634531487c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4114292
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85010}
Some TF builtins (*_WithFeedback variants) consume some of the stack
arguments and pass the rest through to ASM builtins.
We need to seperately align the stack arguments consumed by the TF
builtin and the arguments passed to the ASM builtins via TailCall.
Bug: v8:7700
Change-Id: I26de558fd961cb35b5c642430f9e2c8523ecf096
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4118741
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85009}
Source register has to be 32-bit.
Bug: v8:7700
Change-Id: Ica2a51de100d81bc36447988f6508800f87379ae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4118740
Auto-Submit: Patrick Thier <pthier@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85008}
The issue causing this test to fail on the usban bot was fixed with
https://crrev.com/fcda478d890caea6bf04a50e6106682b64cf8d5a
Bug: v8:13611, v8:13612
Change-Id: I1d0a713160cdddf8623e767d43277a988509bce0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110955
Auto-Submit: Patrick Thier <pthier@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85007}
Check strings length before calling to Builtin::StringEqual. If length
is not equal, the strings must also be not equal.
Change-Id: I4f8c2e72720d0919b3fd57013d06dcc8d83f2ab4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4090410
Commit-Queue: Hao A Xu <hao.a.xu@intel.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85005}
Wasm graph builder duplicates a vector of local variables for each block or branch, but it never frees them. So, if a single function has a lot of local variables allocated, the graph builder bloats the memory.
This CL actively frees the locals vector and reuses them within the zone. It's easy to reuse them since the locals vector always have the same size. This saves 95% of memory for the reported wasm binary.
Bug: v8:13543
Change-Id: Ibf5e846b405adc24101ed79dd34d08160ceda2fb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4112638
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Choongwoo Han <choongwoo.han@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#85004}
This CL plugs the hole in the outside<-ShadowRealm direction (i.e.
getting a reference to an object inside of the ShadowRealm from outside
the ShadowRealm).
This is a follow-on CL to
https://chromium-review.googlesource.com/c/v8/v8/+/4108810, which
plugged the getFunction hole in the ShadowRealm<-outside direction (i.e.
getting a reference to an object outside of the ShadowRealm from inside
the ShadowRealm).
Bug: v8:1198
Change-Id: Ic06533ba8b1cc6477ef9d55a23cb8b0b6584d4a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4115657
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85003}
Port e17eee4894
Original Commit Message:
After https://crrev.com/c/3859787 those frames would be printed like
standard Wasm frames, but in the place of the WasmInstanceObject, they
have a WasmApiFunctionRef object instead.
So special-case the {WasmToJsFrame::instance()} to load the instance
properly. Also special-case the {position()} accessor for imported
functions.
R=clemensb@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N
Change-Id: I370bc4f4f84e1262c4542879b9058f6cf1d9f84e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4122830
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84999}
With smi feedback, we use int32 operations for arithmetics.
When negating 0, we have to fallback to float as we can't represent -0
in int32. We can simply deopt in that case without causing a deopt loop, as a non-smi result will change the feedback to kSignedSmallInputs (from kSignedSmall).
Bug: chromium:1403102
Change-Id: Ic27c267349a1de6904639e91b1cade2c4f7d1fe2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4122829
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Auto-Submit: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84998}
We should compare only 32 bits for smi when pointer compression
is enabled.
Bug: v8:7700
Change-Id: I6cbc22e57e873cb8ab3c26a4b655a393e258e697
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4122831
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84997}
This CL introduced four more operators in TurboFan: BigIntLessThan,
BigIntLessThanOrEqual, and the corresponding speculative operators so
that all the BigInt comparisons are supported.
This CL also implemented fast paths for small BigInt inputs.
Bug: v8:9407
Change-Id: Iaa2d4dbebf68656d775a7feb65b97fb5c598ec23
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4111951
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84995}
After https://crrev.com/c/3859787 those frames would be printed like
standard Wasm frames, but in the place of the WasmInstanceObject, they
have a WasmApiFunctionRef object instead.
So special-case the {WasmToJsFrame::instance()} to load the instance
properly. Also special-case the {position()} accessor for imported
functions.
R=victorgomes@chromium.org
Bug: chromium:1402270
Change-Id: I39805805a50e7a73d7d8075c63c46bdf5a373a33
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4116778
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84993}
Pass the {WasmModule} in the {CompilationEnv} argument in
{CompileWasmImportCallWrapper} to {BuildWasmToJSWrapper}, which in
turn passes it to {FromJS}.
Bug: chromium:1401934
Change-Id: I8d689d881e4d8013cd4dcb6cfb54d663d1c4ec38
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4120443
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84992}
In the future we want to be able to return statically known pointers of
read only roots. To be able to do so we must ensure that heap
initialization code does not rely on the fact that the root is not
initialized yet and the accessor returns null. Instead we must
explicitly test if the root is initialized.
Bug: v8:13466
Change-Id: Id2b93388f499a58ff26ca5fb566b4538e00916e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4106452
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Olivier Flückiger <olivf@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84990}
Rolling v8/build: 8b3f134..92221be
Rolling v8/buildtools: 600a615..134af4c
Rolling v8/buildtools/third_party/libc++/trunk: 7b20455..7c5e4b4
Rolling v8/buildtools/third_party/libc++abi/trunk: 123239c..df3cc8e
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/1e43416..1651224
Rolling v8/third_party/depot_tools: 5decb17..cf31045
Rolling v8/third_party/fuchsia-sdk/sdk: version:11.20221219.3.1..version:11.20221221.3.1
Rolling v8/tools/clang: cab032b..3b54a13
Change-Id: Iac0610e49ec38efc0cebb8c1d09ba07941596561
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4121196
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#84985}
This prevents blink leak detection from complaining when there is a
reference from SharedFunctionInfo to a blink object that is a target of
leak detection.
Bug: chromium:1393246
Change-Id: I9381f5e27e90c77e4ed721fcc3d257b5f6edd212
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4114056
Commit-Queue: Kunihiko Sakamoto <ksakamoto@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84984}
It's failing regularly on the ubsan bot, closing the tree.
This CL also adds a 'variant == future' section in the mjsunit.status
file to enable easy disabling of maglev-specific failures.
No-Tree-Checks: true
Bug: v8:13612
Change-Id: I3c0f7725e1fb36577e97c662cd3830c64ba298e0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4120554
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84982}
This will prevent building v8 arm code when all we want is the snapshot
file.
Bug: chromium:1402705
Change-Id: If8137e8ef79ff1943c24d5bd71d8374e59bdf561
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4117695
Commit-Queue: Adam Klein <adamk@chromium.org>
Auto-Submit: Andrew Grieve <agrieve@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84981}
Clearing the exact amount of padding bytes apparently measurably
regresses some string operations. For freshly allocated strings we can
write into the payload area too, since that one is being written later.
This allows us to clear a statically known amount of padding bytes which
greatly speeds up the initialization.
Bug: chromium:1402898
Bug: v8:13466
Change-Id: Ib5fd4877a88c88fbf5247ed0e2c4b2de1775623d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4118772
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Olivier Flückiger <olivf@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84980}
This reverts commit 8623fd473b.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20no-concurrent-marking/12508/overview
Original change's description:
> [maglev] Destroy jobs on BG thread
>
> Maglev job destruction is suprisingly expensive, taking up roughly a
> third of total finalization time. Rather than destroying jobs as part of
> finalization, re-post them to the concurrent dispatcher to be destroyed
> in the background
>
> Bug: v8:7700
> Change-Id: I450d8a7b49737504c2aaebbfa7754e0ae15e7f05
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4111238
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Auto-Submit: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84970}
Bug: v8:7700
Change-Id: I797a34529652c814b11cd13309b2d3a5ff68266e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4115747
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84977}
Replace SafeEquals with normal equals operator in `IsUndefined` and
friends. This will allow us to have more efficient checks with static
roots, since pointers do not need to be decompressed.
After this change calling Is##Type on CodeObjects is no longer possible.
This is ensured by dchecks in operator==. The change might reveal more
callers that need to be fixed.
Bug: v8:13466
Change-Id: I3353d10aebb7a192a77281c44e4159f0da336297
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4106849
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Olivier Flückiger <olivf@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84974}
