All --stress-* flags are now automatically tested. This also removes
a superfluous option that was never changed. The default value is
now inlined.
No-Try: true
Bug: v8:13113
Change-Id: If7428b383ed01ff36a93f618badababfc448db26
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899259
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83258}
A recent refactoring changed the behavior of dropping/keeping
results after test execution. The numfuzz loop has previously
treated all results as analysis results, as it expected that others
are dropped. After keeping all results, the second round invalidated
the analysis results and the test loop stopped early.
We now add an additional safeguard that ensures the received result
is indeed associated with an analysis run and do not depend anymore
on result presence/absence.
This also adds all analysis-based instances to the test cases.
No-Try: true
Bug: v8:13295
Change-Id: Ic1ede904d279a0c2b318ec997e7c77542dbc75bb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3901812
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83244}
This improves the num-fuzzer system test. Previously, the test
didn't actually start up the main functionality of num-fuzz and
executed 0 tests. Now several of the production fuzzers are used to
run fake test cases. The overall timeout signal, used to
stop numfuzz, is mocked with a counter. The observer signals via the
event method that would have caused the hang fixed in:
https://crrev.com/c/3891373
No-Try: true
Bug: v8:13113
Change-Id: I47d17c1fa2099474079acaad5640228d8c454eb1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893807
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83243}
Since enabling the sandbox is now required for example for mkgrokdump,
add it to the default gn args. Also treat non-sandbox builds as
"non-shipping" in mkgrokdump.cc
Bug: v8:13281
Change-Id: I08042aa53057e25c556e166c059373e2fdb9d2c1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899317
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83231}
Cached template objects only need to be cached for reference identity
comparisons. If there is no strong reference to the cached template
object, then there's nothing to compare it against if it were to be
loaded from the cache, so we can hold it in the cache weakly.
Bug: v8:13190
Change-Id: I4a787eb33eab734fe9df6c424ff915d775fce70f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898692
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83220}
Based on bots and local testing, MinorMC has reached a stable state in
terms of correctness.
Enable fuzzing with MinorMC to flush out additional issues.
Bug: v8:12612
Change-Id: I9cf8c5791d7256ff63c777b295863506436ee165
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872265
Reviewed-by: Almothana Athamneh <almuthanna@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83190}
The numfuzz fuzzer.py has a loop to send a new test after receiving
a result. When all test processors go into stopped state, attempts
of sending new tests return False. That case wasn't handled here
and we kept looping forever.
Bug: v8:13113
Change-Id: Ief2686614d9703fb590400ac3e73b6ac9008c8f6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891373
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83188}
Joining a queue-using process can deadlock if the child process is
about to write to the queue, but the parent process wants to join the
child. To fix this, we now drain elements from a separate thread of
the main process.
Bug: v8:13113
Change-Id: Ic279e66ab84eb89a4034ff1f2c025eb850b65013
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891116
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83177}
callstats.html creates grouped entries on the fly. Thus we can safely
ignore already added group entries from the input file.
Change-Id: I5a17fc895c4d36bfd7b79fcdb6d4644498998f86
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890977
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83135}
A call to cancel_join_thread() is removed as it is suspected to leave
the done_queue with garbled data on process join.
Bug: v8:13113
Change-Id: I85a736cee98d1c2a315efdd468cde216ad848c99
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891251
Reviewed-by: Liviu Rau <liviurau@google.com>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83132}
This is a reland of commit 49c5967830
The non-deterministic snapshot issue has been fixed by using the correct
field size for CodeDataContainers in serializer.cc.
Original change's description:
> [sandbox] Fold V8_SANDBOXED_EXTERNAL_POINTERS into V8_ENABLE_SANDBOX
>
> Now that all external pointers have been sandboxed,
> V8_SANDBOXED_EXTERNAL_POINTERS is no longer needed. This change also
> shrinks external pointer slots to 32 bits when the sandbox is enabled.
>
> Bug: v8:10391
> Change-Id: Iccbef27ac107b988cb23fe9ef66da6fe0bae087a
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869269
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83083}
Bug: v8:10391
Change-Id: I29870404406902d99ba6016c570cc0c4d05c6c85
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3887899
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83130}
On termination of the worker pool in the main process, a SIGTERM is
sent from pool to worker. It was meant to terminate long-running
tests in the worker process. The signal handler on the worker side,
however, was only registered during test execution. During the
remaining logic (<1% of the time probably) the default system
behavior for SIGTERM would be used (which will likely just kill
the process). The ungracefully killed process might be killed while
writing to the results queue, which then remains with corrupted data.
Later when the main process cleans up the queue, it hangs.
We now register a default handler in the worker process that catches
the SIGTERM and also gracefully stops the processing loop. Like
that, the SIGTERM signal will always be handled in workers and never
fall back to SIGKILL.
However, a small time window exists when the SIGTERM was caught
right when starting a test process, but when the test-abort handler
was not registered yet. We keep fixing this as a TODO. Worst case,
the main process will block until the last test run is done.
Bug: v8:13113
Change-Id: Ib60f82c6a1569da042c9f44f7b516e2f40a46f93
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3882972
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83101}
Now that all external pointers have been sandboxed,
V8_SANDBOXED_EXTERNAL_POINTERS is no longer needed. This change also
shrinks external pointer slots to 32 bits when the sandbox is enabled.
Bug: v8:10391
Change-Id: Iccbef27ac107b988cb23fe9ef66da6fe0bae087a
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869269
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83083}
.. which sets the --interrupt-budget-for-maglev to a very low value
s.t. that tiering to Maglev happens very early. Note this affects
both normal tierup and OSR.
Also add flag handling to fuzzer.py, both as added globally with
probability 0.1, and added to InterruptBudgetFuzzer (which I also
updated with other tiering-related flags).
Bug: v8:7700
Change-Id: I844cf53a6a2da459565d0ad0ccae02b04853cd26
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878165
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83033}
This is a reland of commit d00c040547
Changes since revert: Use AsAtomicTagged instead of
base::AsAtomicPointer to store a hash value in the forwarding table.
Original change's description:
> [strings] Support shared external strings>
>
> With this CL shared strings can be externalized and external strings can
> be shared.
> The StringForwardingTable is used to delay the real transition to the
> next full GC. On the API side strings marked for externalization will
> look like externalized strings.
>
> Bug: v8:12957
> Change-Id: I53b6509129bc5679c06bdf99421bdb41ea5d9082
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849643
> Reviewed-by: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Patrick Thier <pthier@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82966}
Bug: v8:12957
Change-Id: I17715e927e4339240a6aa12a3c4a3c2ea50eb567
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871211
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83018}
This adds Python logging to several code locations that previously
used to just print. The locations aren't yet complete. The changed
code locations should help for investigating hanging test runs.
The default level is WARNING for running tests locally, and INFO
when called from bots that pass the --swarming parameter.
Bug: v8:13113
Change-Id: If3a336703e7c346a5c718f2359b1a80e37e1ca6d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876183
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83006}
This reverts commit d00c040547.
Reason for revert: Failing CI tests on Mac arm64
Original change's description:
> [strings] Support shared external strings
>
> With this CL shared strings can be externalized and external strings can
> be shared.
> The StringForwardingTable is used to delay the real transition to the
> next full GC. On the API side strings marked for externalization will
> look like externalized strings.
>
> Bug: v8:12957
> Change-Id: I53b6509129bc5679c06bdf99421bdb41ea5d9082
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849643
> Reviewed-by: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Patrick Thier <pthier@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82966}
Bug: v8:12957
Change-Id: I13155fcc788d217db56cbfd1c9e4457a81a9dbd7
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870486
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82970}
With this CL shared strings can be externalized and external strings can
be shared.
The StringForwardingTable is used to delay the real transition to the
next full GC. On the API side strings marked for externalization will
look like externalized strings.
Bug: v8:12957
Change-Id: I53b6509129bc5679c06bdf99421bdb41ea5d9082
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849643
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82966}
This ignores one of --assert-types and --stress-concurrent-inlining if
used together. We already filter those from trials, but they also might
get picked from // Flags lines in test cases.
No-Try: true
Bug: chromium:1359829
Change-Id: I7e46afb53bdbb0a871c7443a5a66a339046eb3de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871195
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82961}
Add logic to drop cyclic contradictory flags from
correctness-fuzzing command lines. Add the currently known
biggest offenders.
Without this, the correctness fuzzing harness runs into a CHECK
failure during smoke testing, when attempting to pass cyclic flags
to d8. It fails fast, but uselessly burns fuzzing time.
This change drops one of the known cyclic flags instead to make the
test run still useful. The precedence is right to left like in the
V8 test framework.
Additionally on Clusterfuzz, all crashes during smoke testing are
deduped as one crash report. We don't know if there are other
problems before this one is fixed/hidden.
No-Try: true
Bug: chromium:1330303
Change-Id: I06cbb4655cd3cf467f5cce6f84dba653834ca72e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865562
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82939}
.. and update old entries:
- Remove --no-untrusted-code-mitigations (flag no longer exists)
- Make --stress-concurrent-inlining-attach-code less likely since it
mostly overlaps with --stress-concurrent-inlining and there haven't
been many reports in this are lately.
Bug: v8:7700
Change-Id: Ic88ea74ca88a7c14edfc39bc0a55b846bb01e465
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3867506
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82882}
If we see a default ctor, walk up the constructors until we find a non-
default one.
Default ctors can only be skipped if there are no class fields / private
brands.
This CL implements the Ignition parts; Sparkplug, Maglev and TF will
be implemented as follow ups. (This is fine, since this feature is
behind a flag.)
Bug: v8:13091
Change-Id: Ie8ca8aedb01bd4b13adf1063332a5cdf41ab358a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3804601
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82872}
Due to https://crbug.com/1195263, large typed arrays can have an
observable difference on the same architecture, depending on
optimization behavior.
For differential fuzzing comparisons, we previously used a proxy
for typed arrays that capped the maximum size only when comparing
different architectures - there an observable difference is WAI.
We move the capping code and make it arch-independent for now until
the bug above gets fixed, since it caused too many duplicates, which
degrade fuzzing performance.
Bug: chromium:1195263
Change-Id: Ic81c383e547413378cbe037de3c38eb900a9e5dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3866173
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82860}
There are 2 kinds of WasmToJs code: one uses a WasmFrame and the other
a simple TypedFrame TF frame. This CL introduces WasmToJsFunctionFrame
(as a simple TypedFrame) to dfferentiate from the WasmFrame counterpart.
This was not an issue before
https://crrev.com/c9c490891ab3d63fc790770cb1c76f8013ba963f
since we used to use a single master function for pointer iteration.
No-Tree-Checks: true
Bug: v8:13243
Change-Id: I97f7e8c897159ca3cafa65ff6ddf836c5ef7b76e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865969
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82856}
