With the flag --always-use-string-forwarding-table (only used for
testing), we can have young generation strings in the
StringForwardingTable.
We need to update references to these strings when they are evacuated
during mark compact (previously this was only done after scavenge).
Bug: v8:12877, v8:12007
Change-Id: Ie108add176f71dcdf296bd94bdffa664cb75ae02
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3650719
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80575}
1) In copy/move ctors and operator=() we can just copy raw compressed
value;
2) For null check we don't need to decompress the value;
3) Same for operator==().
4) Hashing can also be optimized in a followup.
Bug: chromium:1325007
Change-Id: Ic1bf2c5049802c078b3e0121dcbe62d9ecea83b3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647359
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80571}
Part of the improve error messages initiative.
Based on a resource of JSON.parse() errors found at
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Errors/JSON_bad_parse
Previously JSON.parse(NaN) would output:
SyntaxError: Unexpected token N in JSON at position 0
Now the output is:
SyntaxError: "NaN" is not valid JSON
Previously JSON.parse("{a:1}") would output:
SyntaxError: Unexpected token a in JSON at position 1
Now the output is:
SyntaxError: Expected property name or '}' in JSON at position 1
Bug: v8:6551
Change-Id: Ic9fad1fdbd295e1302805b81e6603fc526121960
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3513684
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Issack John <issackjohn@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#80567}
The check whether worklists are empty sits after marking the
transitive closure, when it is guaranteed that no concurrent marker is
running anymore.
Bug: chromium:1325628
Change-Id: Ibfa7278df2181a0aa6c7e0f1d53d51e8afaa3352
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647830
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80566}
This adds a new struct "OOMDetails" which is passed to the
OOMErrorCallback. It currently holds the "is_heap_oom" bool that was
also passed before, plus an optional "detail" string.
The struct can later be extended without having to change the signature
of the OOMErrorCallback. Removing fields will have to follow the
standard deprecation rules, but this is also easily possible without the
hassle for this initial change.
We modify the deprecated OOMErrorCallback definition and un-deprecate it,
which can be seen as removing a deprecated API and adding a new one in
one CL.
R=mlippautz@chromium.org, jkummerow@chromium.org
Bug: chromium:1323177
Change-Id: Ic4c2cb5856906ebd664626fe463d8e96cb99b0a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647827
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80565}
Mostly in comments, not much to be said...
Bug: v8:12425
Change-Id: Ib1e4d3913f9b91eeafefbef13330fd1388223c06
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3650597
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80562}
Calls to Flip and ResetLinearAllocationArea of SemiSpaceNewSpace are
(almost) always called together, and always at the start of evacuation.
Introducing NewSpace::EvacuatePrologue, allows removing these methods
from SemiSpaceNewSpace public interface and reduces future branches
between the semi space and paged new space cases.
Bug: v8:12612
Change-Id: Ic589a48c1e7751631603da757f4f5f7edb69e571
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3650599
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80561}
This fixes a flaky crash when running with --turbo-stats or
--turbo-stats-wasm.
With dynamic tiering, it can happen that a compilation job is started
shortly before the program/test/benchmark terminates and the main thread
goes through its teardown sequence. When such a late job finishes, it
still wants to report its statistics, which currently crashes due to
UAF if the CompilationStats object, which is owned by the main thread,
has already been deleted.
Change-Id: Ie25a97299fdf40ece8f286487063feadcfa2eea9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3645410
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80560}
Otherwise opening a HandleScope nested in a SHS also wouldn't allow PHS. This
currently happens in maglev..
Bug: v8:7700
Change-Id: Id279cf7ad8c83f68a3ba0050a0df718892636e9f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3650601
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80559}
This patch adds a side table to the MachineGraph that stores the
previously observed call count for the Call nodes used for Wasm
direct calls. This replaces a more convoluted system that accessed
processed feedback during compilation, keyed on source position.
Bug: v8:12166
Change-Id: I06109918030b8f256c5f170da5853394c1a69cc2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644803
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80558}
Record old-to-shared references in the C++ write barrier. When
an old-to-shared reference is created, this particular slot will be
atomically inserted into the old-to-new remembered set.
We already stopped clearing the old-to-new-remembered set after a
shared GC, so we already need to be able to handle such slots when
invalidating objects and in the sweeper.
Bug: v8:11708
Change-Id: I1b5854d58f6496228f3a3d9eb7acfd9492f09e68
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3557232
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80555}
This uses a SparseBitVector instead of a BitVector for storing sets of
blocks. As we only use the mid-tier register allocator for huge
functions, this should generally be a win in both compile time and
memory usage.
R=mslekova@chromium.org
Bug: chromium:1313379, v8:12780
Change-Id: Icf5b50c62f1c5fd69877cd54833d9dea8d1c37e1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3634781
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80554}
A few of LogTests have been crashing intermittently
after they were moved to unittests in this CL:
https://crrev.com/c/3616424
Will re-enable once issue is investigated.
Change-Id: I53435596274c935c028a625b610c54eadda9d1de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647092
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#80551}
SpaceWithLinearArea will holds a ref to a struct containing
original_top_ and original_limit_ as well the lock used to sync them
for querying IsPendingAllocation.
PagedSpace is split into PagedSpaceBase (that holds all funcitonality)
and PagedSpace. The actual fields are owned by PagedSpace and NewSpace.
This is done in preparation for PagedNewSpace to allow PagedSpaceiBase
and NewSpace to share the same original_top_ and original_limit_ fields.
Bug: v8:12612
Change-Id: Iefbbd5209c5553db4ee16cb261734e6479e0f23f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644795
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80549}
Use the newly introduced FormattedString class
(https://crrev.com/c/3644622) for formatting OOM messages in Wasm.
Those details will soon be put in a special "OOMDetails" struct instead
of in the location (see linked bug), but we will still generate a similar
string.
R=mlippautz@chromium.org
Bug: chromium:1323177
Change-Id: I4012e8816965285ec654f67ac700befbbbbeb9e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644625
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80547}
We currently have a BitVector implementation which is used a lot by the
two (mid-tier and top-tier) register allocators. Their size is the
number of virtual registers or the number of blocks in the function. If
one of those numbers gets huge, the BitVector does not perform well any
more, and it consumes huge amounts of memory (we see up to several GBs
for huge Wasm functions).
This CL introduces a SparseBitVector implementation with a compatible
interface, meant to replace the BitVector implementation. Usages will be
introduced in follow-up CLs, first for the mid-tier allocator, then
top-tier. This will allow us to assess performance changes better, and
revert individual usages.
R=mslekova@chromium.org
Bug: chromium:1313379, v8:12780
Change-Id: I804311e0c188526961f70e88a43dd1ea26497cda
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3634780
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80546}
Bug: v8:12868
This wires up the parser and the decoder interface for stringref. All
of the interfaces throw UNIMPLEMENTED, however.
Change-Id: If8cb131032e425a5672f793c6e4c24ddd188aebc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3645115
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andy Wingo <wingo@igalia.com>
Cr-Commit-Position: refs/heads/main@{#80545}
This CL removes some deprecated sandbox APIs and introduces new ones, in
particular IsSandboxInitialized and GetSandboxReservationSizeInBytes. In
additon, this CL also adds comments to the various public methods of the
Sandbox class.
Bug: v8:10391
Change-Id: If5c3081a0b9f7f192966150a0d2716099357363a
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647362
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80544}
This is a reland of commit 2b79eefed3
A DCHECK was using map[key] and inadvertently inserted into the map
that way.
Original change's description:
> Reland^2: [heap] Store size with invalidated object
>
> This is a reland of commit 23b2d571a7
>
> When updating pointers during a full GC, a page might not be swept
> already. In such cases there might be invalid objects and slots
> recorded in free memory. Updating tagged slots in free memory is fine
> even though not strictly necessary.
>
> However, the GC also needs to calculate the size of potentially dead
> invalid objects in order to be able to check whether a slot is within
> that object. But since that object is dead, its map might be dead as
> well which makes size calculation impossible on such objects. The CL
> changes this to cache the size of invalid objects. A follow-up CL will
> also check the marking bit of invalid objects.
>
> Reason for reverts:
>
> Revert #2: In-object slack tracking on JSObjects doesn't update the
> cached size of invalidated objects. The fix here was to stop
> invalidating recorded slots on JSObjects at all and avoid that problem
> completely (see https://crrev.com/c/3620274).
>
> Revert #1: Not all size changes go through NotifyObjectLayoutChange, so
> https://crrev.com/c/3607992 introduced NotifyObjectSizeChange as a
> bottleneck for object size changes/right-trimming. This method is
> now used to update the size of invalidated objects.
>
> Bug: v8:12578, chromium:1316289
> Change-Id: I0478d04601c0270ddb39419ca6cf98719951eb4d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3623542
> Reviewed-by: Jakob Linke <jgruber@chromium.org>
> Reviewed-by: Patrick Thier <pthier@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80344}
Bug: v8:12578, chromium:1316289
Change-Id: Ibcc04c209213c584860a7c473082526cb4e53c59
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3627635
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80542}
GCC complains about empty format strings, and also clang already
required special-handling for this case.
We could either drop it, since statically empty strings are not that
useful anyway, but for completeness I fix it via "if constexpr" instead.
R=tebbi@chromium.org
Bug: chromium:1323177
Change-Id: I4d59e1b361afd1edcd552e8a9ce395759646e67f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644433
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80540}
This CL adds to the existing experimental implementation of the
object start bitmap, that is evaluated as a mechanism for resolving
inner pointers (behind the flag v8_enable_conservative_stack_scanning).
It fixes method ObjectStartBitmap::FindBasePtr to ensure that the
correct base pointer is returned, even if the bitmap is not fully
populated (e.g., with object evacuation or inline object allocation).
This method now recalculates the part of the bitmap that is
required for returning the correct result, by iterating through
objects of the page. A special constructor has been introduced to the
PagedSpaceObjectIterator for this purpose.
It also moves the existing inline methods of ObjectStartBitmap to a
new -inl.h header file, to avoid circular dependencies.
Bug: v8:12851
Change-Id: Iabd0df020bee3bb63ef9d4888591b25d24d79dd9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3641179
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80538}
This is a reland of commit 8278cb5015
The reland adds the RestartFrameTrampoline to the list of
builtins that the deoptimizer is allowed to return from for
control flow integrity.
Original change's description:
> [inspector] Re-enable Debugger#restartFrame
>
> Doc: https://bit.ly/revive-restart-frame
>
> This CL "undeprecates" Debugger#restartFrame and adds a new optional
> "mode" parameter for back-wards compatibility. Moreover, the return
> values are all deprecated. They were never actually used in the
> DevTools frontend and the same information is available from the
> Debugger#paused event that fires once execution stops at the
> beginning of the restarted function.
>
> The CL also re-baselines all the restart-frame inspector tests that
> now run successfully.
>
> R=bmeurer@chromium.org, kimanh@chromium.org
>
> Bug: chromium:1303521
> Change-Id: I34bddeb1f2f4ff3dee58dd82e779c111495566f3
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3616505
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80491}
Bug: chromium:1303521
Change-Id: I13e2f8b5011795a38e541310622b8333a3d08049
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644624
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80534}
MSVC does not implicitly convert the std::array iterator to a char*,
hence explicitly use the {data()} accessor instead of {begin()}, which
is cleaner anyway.
R=mlippautz@chromium.org
Bug: chromium:1323177
Change-Id: I65c6836889eb57a18b655cb9e6c98008a8fbcaac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644794
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80533}
Read only a single byte of FLAG_trace_osr in assembly builtin code to
make asan happy in the simulator.
Bug: chromium:1324042
Change-Id: I002cea0b4917af3780d6bdedfb0ec55008e146c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644793
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Auto-Submit: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80532}
This test tests the interpreted/baseline and optimized behaviour of cpu
profiler ticks. We should eventually support this for maglev too, but
for now just disable it.
Bug: v8:7700
Change-Id: Iba89ab2c718025ebf90c86a84ed937c2d1d0af7f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647363
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80531}
This is more consistent with similar features, for example
V8_ENABLE_WEBASSEMBLY or V8_ENABLE_MAGLEV.
Drive-by: remove V8_SANDBOX_IS_AVAILABLE as it's no longer needed.
Bug: v8:10391
Change-Id: I8658c5b0c331a4c73892737083b2c2f9b8f84056
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647355
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Samuel Groß <saelo@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80530}
This introduces a class which can be used for formatting dynamic values
into a constant-size, stack-allocated array. You get ostream-style code
but printf-style performance, and in particular no dynamic allocation.
This makes this class also suitable to be used in OOM or other fatal
situations where we cannot rely on dynamic memory allocation to still
work.
Using FormattedString will automatically compute the format string
depending on the types. It also computes the maximum size of the output.
Last but not least, it makes the code a lot more readable than
traditional printf style printing.
R=mlippautz@chromium.org
Bug: chromium:1323177
Change-Id: I47228b3603c694c1fa23516dd3f1c57e39c0ca35
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644622
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80529}
We initialize the JSObject in the payload of a ByteArray, so we know
that no slots were recorded there. This also means we don't need to
remove any recorded slots and thus invalidation isn't required.
With this change only strings use object slot invalidation on
String::MakeExternal.
Bug: v8:12578
Change-Id: I009635c2a61ae8ff2b9e2480cb7d374451a8cc7d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644614
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80528}
