This reverts commit 1416d5a565.
Reason for revert: blocks roll https://chromium-review.googlesource.com/c/chromium/src/+/1564550
Original change's description:
> [map] Support in-place field representation changes.
>
> This adds a new flag --modify-field-representation-inplace (enabled by
> default), which lets the runtime perform field representation changes
> for Smi to Tagged or for HeapObject to Tagged in-place instead of
> creating new maps and marking the previous map tree as deprecated.
>
> That means we create (a lot) fewer Maps and DescriptorArrays in the
> beginning and also need to self-heal fewer objects later (migrating
> off the deprecated maps). In TurboFan we just take the "field owner
> dependency" whenever we use the field representation, which is very
> similar to what we already do for the field types. That means if we
> change the representation of a field that we used in optimized code,
> we will simply deoptimize that code and have TurboFan potentially
> later optimize it again with the new field representation.
>
> On the Speedometer2/ElmJS-TodoMVC test, this reduces the total execution
> time from around 415ms to around 352ms, which corresponds to a **15%**
> improvement. The overall Speedometer2 score improves from around 74.1
> to around 78.3 (on local runs with content_shell), corresponding to a
> **5.6%** improvement here. 🎉
>
> On the CNN desktop browsing story, it seems that we reduce map space
> utilization/fragmentation by about 4-5%. But since we allocate a lot
> less (fewer Maps and DescriptorArrays) we also significantly change
> the GC timing, which heavily influences the results here. So take this
> with a grain of salt. 🤷‍♂️
>
> Note: For Double fields, this doesn't change anything, meaning they
> still create new maps and deprecate the previous map trees.
>
> Bug: v8:8749, v8:8865, v8:9114
> Change-Id: I694a53f87ae5caeb868fd98a21809b66d4297d35
> Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
> Doc: http://bit.ly/v8-in-place-field-representation-changes
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561132
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60764}
TBR=jarin@chromium.org,neis@chromium.org,ishell@chromium.org,bmeurer@chromium.org,verwaest@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:8749, v8:8865, v8:9114
Change-Id: I666975d08d51bbe7ab4faec9428b9a1f88e9b322
Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564208
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60807}
This reverts commit ffe6940fbc.
Reason for revert: Breaks UBSan bot
Original change's description:
> Reland^2 "[torque] Throw exception instead of aborting if something goes wrong"
>
> This is a reland of 251d1623f3
>
> The reland fixes ASAN component builds by adding RTTI build config to both
> torque executables. Big thanks to sigurds for finding the fix.
>
> Original change's description:
> > Reland "[torque] Throw exception instead of aborting if something goes wrong"
> >
> > This is a reland of 3bd49f9b90
> >
> > The issue on the windows bot is apparently a compiler bug in MSVC related to
> > move construction. The fix seems to be to change the order of the fields in
> > "JsonParseResult" (go figure).
> >
> > Drive-by-change: Fix LS on windows by emitting correct line endings and
> > enabling exceptions for the LS executable as well.
> >
> > Original change's description:
> > > [torque] Throw exception instead of aborting if something goes wrong
> > >
> > > This CL enables exceptions for the Torque compiler and Torque language
> > > server. Instead of aborting when something goes wrong during
> > > compilation, a TorqueError is thrown, containing the error message
> > > and a source position. The compiler executable still prints the error
> > > and aborts, while the language server will pass this information
> > > along to the client (not included in this CL).
> > >
> > > R=danno@chromium.org
> > >
> > > Bug: v8:8880
> > > Change-Id: Iad83c46fb6a91c1babbc0ae7dbd94fbe4e7f1663
> > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1526003
> > > Reviewed-by: Daniel Clifford <danno@chromium.org>
> > > Commit-Queue: Simon Zünd <szuend@chromium.org>
> > > Cr-Commit-Position: refs/heads/master@{#60512}
> >
> > Bug: v8:8880
> > Change-Id: I00e6591bbb4c516dd7540a7e27196853bc637f11
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1545995
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Commit-Queue: Simon Zünd <szuend@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#60736}
>
> Bug: v8:8880
> Change-Id: Iba198d771169283e83e74324f27aa9e90b8d8975
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1563770
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60804}
TBR=sigurds@chromium.org,tebbi@chromium.org,szuend@chromium.org
Change-Id: I30ccec8ac28158c102a4e9a01074432172685f96
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8880
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564207
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60805}
This is a reland of 251d1623f3
The reland fixes ASAN component builds by adding RTTI build config to both
torque executables. Big thanks to sigurds for finding the fix.
Original change's description:
> Reland "[torque] Throw exception instead of aborting if something goes wrong"
>
> This is a reland of 3bd49f9b90
>
> The issue on the windows bot is apparently a compiler bug in MSVC related to
> move construction. The fix seems to be to change the order of the fields in
> "JsonParseResult" (go figure).
>
> Drive-by-change: Fix LS on windows by emitting correct line endings and
> enabling exceptions for the LS executable as well.
>
> Original change's description:
> > [torque] Throw exception instead of aborting if something goes wrong
> >
> > This CL enables exceptions for the Torque compiler and Torque language
> > server. Instead of aborting when something goes wrong during
> > compilation, a TorqueError is thrown, containing the error message
> > and a source position. The compiler executable still prints the error
> > and aborts, while the language server will pass this information
> > along to the client (not included in this CL).
> >
> > R=danno@chromium.org
> >
> > Bug: v8:8880
> > Change-Id: Iad83c46fb6a91c1babbc0ae7dbd94fbe4e7f1663
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1526003
> > Reviewed-by: Daniel Clifford <danno@chromium.org>
> > Commit-Queue: Simon Zünd <szuend@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#60512}
>
> Bug: v8:8880
> Change-Id: I00e6591bbb4c516dd7540a7e27196853bc637f11
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1545995
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60736}
Bug: v8:8880
Change-Id: Iba198d771169283e83e74324f27aa9e90b8d8975
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1563770
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60804}
Adding a 'PrepareFunctionForOptimization' call will prevent the test
case in question from becoming flaky when stress testing bytecode flushing.
R=jarin@chromium.org
Bug: v8:9123
Change-Id: If192ebf571d3cd4f0d1ee31bc3f6313b74d3c866
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564202
Auto-Submit: Simon Zünd <szuend@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60803}
This CL changes the Symbol "stack_trace_symbol" to directly hold a
FrameArray instead of wrapping it with a JSArray first.
Bug: v8:9115
Change-Id: I2ac0b1fb380211568abdc6d9f50431c405349dec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564060
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60801}
See intent to ship here: https://groups.google.com/forum/#!topic/v8-users/zM05lYEBVog
wasm-module-builder.js is also changed to use the new syntax for specifying a table
index in an element segment. In the MVP, the table index was always zero. The
reference types proposal adds support for multiple tables, and originally used this
value to specify a non-zero table index. The bulk memory proposal needed a way to
specify a passive element segment, so it re-purposed the table index as a flags field
and uses a different field for the table index.
Bug: v8:7747
Change-Id: If24f2d04e88a29b714f1a78ed417803bae702c76
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1560215
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60796}
This is particularly useful to fuzzers that seek to provoke
optimization.
Bug: v8:9119
Change-Id: I729f72a0e22686fbd56793875175c230e0230823
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564196
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60794}
It should work when Object.defineProperty is used to set a new value for a sealed object.
Add more tests to cover this case as well.
Bug: chromium:951374
Change-Id: Idbbcc052b627587c71d5b5252340130d0fdfd595
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1562470
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#60786}
The shared engine tests started flaking. They have been broken for some
time, because the shared pointer to the {NativeModule} has temporary
additional users during compilation (in the {BackgroundCompileScope}).
This CL fixes the test by just removing the checks for use counts.
R=mstarzinger@chromium.org
Bug: v8:9117
Change-Id: Ia55ce66426f8d85c0ed8e4185aa6e507a6d327ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564056
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Auto-Submit: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60781}
This adds references to HeapObject fields to Torque.
The syntax is based on Rust (which is essentially C pointer syntax).
The type &T is a reference to T (which must be a scalar type for now).
We can create references from field access expressions, using the
addressof(&) operator:
  &obj.fieldname
To read or assign a reference, we use the dereference(*) operator:
  *someref = *otherref
This CL also uses references internally for normal class field accesses,
but only if there is no overload for field accessor functions.
This allows having overloaded field accessors for a subtype like
FastJSArray. However, there is a change in behavior in that an
operator ".fieldname" will stop reference creation and will therefore
also stop write access to a class field of the same name. That's why
this CL had to add a write overload ".length=" for FastJSArray.
References desugar to a pair of a tagged HeapObject pointer and an
untagged offset into this HeapObject. On the CSA-side, they are
represented by the C++ struct
  struct TorqueReference {
    TNode<HeapObject> object;
    TNode<IntPtrT> offset;
  };
Bug: v8:7793
Change-Id: Ica6468d47847bd68fb6b85f731cf8fbe142fa401
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1557151
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60780}
The {code_table_} in {NativeModule} is protected by the
{allocation_mutex_}. The {code} and {code_table} accessors did not
acquire this lock though.
This CL removes the unsafe {code_table} accessor, renames {code} to
{GetCode} and protects it by a lock.
R=mstarzinger@chromium.org
Bug: v8:9112
Change-Id: Id2df68460b4c10291a49b4016b9574e02744e8b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561315
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60779}
On x64, we allocate one big code region such that we can use near jumps
and near calls. The jump table did not make use of that design yet.
This CL changes that by emitting jump table slots as near jumps. This
also speeds up patching jump table slots significantly, since far jumps
populate the inline constant pool, which is unneeded overhead in this
case.
As a drive-by, this CL cleans up the API of near_call and near_jmp. The
current semantics is broken, and only works because this is only used
for WebAssembly calls which are patched anyway after code generation.
Also, x64 now uses the same path in test-jump-table-assembler.cc as
arm64 to ensure that all targets are within near-call-distance.
R=mstarzinger@chromium.org
Bug: v8:8916
Change-Id: Iffc34e248b72167307ffdab62dd2212c4ae86a32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561313
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60777}
When clearing a DebugInfo, we need to check whether that function is
currently executing and, if so, update the on-stack BytecodeArray
pointer to refer to the original BytecodeArray. Otherwise, the original
BytecodeArray might get flushed, which can cause problems when
attempting to resume execution of the function.
Bug: v8:9067
Change-Id: Ief28a501294f5a34052e13f618fa084311eaa0b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1548573
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#60774}
The current NumberEqual check ignores -0 when it is stored to
a constant unboxed double field containing 0.
Bug: v8:9113
Change-Id: I7eb59ca8af09ab7317da3c6ce9c9cedad81f6cae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561317
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60771}
... and ensure that runtime behaviour is in sync with the IC code.
Bug: chromium:950747, v8:9113
Change-Id: Ied66c9514cbe3a4d75fc71d4fc3b19ea1538f9b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561319
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60768}
Previously we'd need to eagerly compile upon access to function.length for a
lazy function. The preparser already computes function.length, however, so we
can store that information in the already available preparse data.
Change-Id: I19007c9db5839e8038291fb4433866303935f089
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564190
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60767}
MicrotasksScope has accidentally ignored the given MicrotaskQueue instance
when it's scoping out. That confused the embedder to start using the non
default MicrotaskQueue.
Change-Id: Id345605cf6520cd073429b08698de75f7681d93c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1563836
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Taiju Tsuiki <tzik@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60765}
This adds a new flag --modify-field-representation-inplace (enabled by
default), which lets the runtime perform field representation changes
for Smi to Tagged or for HeapObject to Tagged in-place instead of
creating new maps and marking the previous map tree as deprecated.
That means we create (a lot) fewer Maps and DescriptorArrays in the
beginning and also need to self-heal fewer objects later (migrating
off the deprecated maps). In TurboFan we just take the "field owner
dependency" whenever we use the field representation, which is very
similar to what we already do for the field types. That means if we
change the representation of a field that we used in optimized code,
we will simply deoptimize that code and have TurboFan potentially
later optimize it again with the new field representation.
On the Speedometer2/ElmJS-TodoMVC test, this reduces the total execution
time from around 415ms to around 352ms, which corresponds to a **15%**
improvement. The overall Speedometer2 score improves from around 74.1
to around 78.3 (on local runs with content_shell), corresponding to a
**5.6%** improvement here. 🎉
On the CNN desktop browsing story, it seems that we reduce map space
utilization/fragmentation by about 4-5%. But since we allocate a lot
less (fewer Maps and DescriptorArrays) we also significantly change
the GC timing, which heavily influences the results here. So take this
with a grain of salt. 🤷‍♂️
Note: For Double fields, this doesn't change anything, meaning they
still create new maps and deprecate the previous map trees.
Bug: v8:8749, v8:8865, v8:9114
Change-Id: I694a53f87ae5caeb868fd98a21809b66d4297d35
Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Doc: http://bit.ly/v8-in-place-field-representation-changes
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561132
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60764}
When getting the starting address of a data segment, you can't use
`&vector[offset]` if offset is equal to the length of the vector. This
can happen when the length of the segment is 0.
The fix is to use Vector::SubVector instead.
Bug: v8:9106
Change-Id: Icf8968cc246c6d217d8061f76fb2631c2292433c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1560405
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60755}
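The empty-segment case from the commit message above, as an added C++ example that is not V8 source: `Span`, `Segment`, `kBytes` and the two helper functions are hypothetical stand-ins (the real fix uses `Vector::SubVector`), and the byte buffer is constructed sample data. It shows why taking the address of the element at `offset` fails when `offset` equals the length, while a range-based view accepts the empty tail segment and still rejects overruns.

```cpp
// Added illustration, not V8 source. Span is a hypothetical stand-in for a
// bounds-checked vector view; Segment mimics a data segment's (offset, length).
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>

class Span {
 public:
  Span(const uint8_t* data, size_t size) : data_(data), size_(size) {}
  size_t size() const { return size_; }
  const uint8_t* begin() const { return data_; }

  // Element access must name an existing element, so i == size() is rejected.
  const uint8_t& operator[](size_t i) const {
    if (i >= size_) throw std::out_of_range("index past last element");
    return data_[i];
  }

  // Range access: [from, to) may be empty and may begin at size().
  Span SubSpan(size_t from, size_t to) const {
    if (from > to || to > size_) throw std::out_of_range("bad sub-range");
    return Span(data_ + from, to - from);
  }

 private:
  const uint8_t* data_;
  size_t size_;
};

struct Segment {
  size_t offset;
  size_t length;
};

// Constructed sample: 8 "wire bytes" standing in for a module's byte buffer.
static const uint8_t kBytes[8] = {0x10, 0x11, 0x12, 0x13,
                                  0x14, 0x15, 0x16, 0x17};

// Pattern the commit message warns about: address of the element at offset.
// It fails for an empty segment placed at the very end (offset == size) and
// it never looks at the segment length at all.
bool StartViaIndex(const Span& bytes, Segment seg, const uint8_t** out) {
  try {
    *out = &bytes[seg.offset];
    return true;
  } catch (const std::out_of_range&) {
    return false;
  }
}

// Range-based form: validates offset and length together, accepts the empty
// tail segment, and still rejects anything reaching past the buffer.
bool StartViaSubSpan(const Span& bytes, Segment seg, const uint8_t** out) {
  if (seg.length > SIZE_MAX - seg.offset) return false;  // offset+length wraps
  try {
    *out = bytes.SubSpan(seg.offset, seg.offset + seg.length).begin();
    return true;
  } catch (const std::out_of_range&) {
    return false;
  }
}

int main() {
  Span bytes(kBytes, sizeof(kBytes));
  const Segment cases[] = {{2, 3}, {8, 0}, {6, 4}, {9, 0}};
  for (const Segment& s : cases) {
    const uint8_t* p = nullptr;
    bool by_index = StartViaIndex(bytes, s, &p);
    bool by_range = StartViaSubSpan(bytes, s, &p);
    std::printf("offset=%zu length=%zu index:%s range:%s\n", s.offset,
                s.length, by_index ? "ok" : "rejected",
                by_range ? "ok" : "rejected");
  }
  return 0;
}
```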
The wasm engine is the same for all units, thus we should store (or
get) it in the compilation task, and not store it duplicated in each
compilation unit.
R=mstarzinger@chromium.org
Bug: v8:8916, v8:8343
Change-Id: Id4b062b5b8a52228b4d6051a67e025088a61d466
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1559863
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60754}
If the runtime does not transition in keyed store IC miss handler,
avoid generating transitioning handler since this could make
the receiver map non-stable. (The optimizing compiler does not like
non-stable fast prototype maps.)
Bug: chromium:950328
Change-Id: I113880d2033518e3eb8fd11df1599e56a67d7fd0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1559867
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60752}
This is a reland of Ie3ac389e1c082d1671efd4d74abc076ce943301b with a fix
for MSAN failures.
Interrupt budget was stored in bytecode array and used to be shared
across all contexts. With lazy feedback allocation, using context
independent interrupt budget might lead to performance cliffs when
we have closures that do not share the same feedback (for ex: across
contexts). This would be a problem even earlier but it could be
more pronounced with feedback vector allocation, since the budget
for optimization is much higher (144x) than the budget for feedback
allocation.
Bug: chromium:948835, v8:8394
Change-Id: I74f998c30e27caf3bd34510f4d7f57b65e6c7f0d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561072
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60750}
This reverts commit 251d1623f3.
Reason for revert: Breaks ASAN debug builders for ClusterFuzz, see https://ci.chromium.org/p/v8/builders/ci/V8%20Clusterfuzz%20Linux64%20ASAN%20-%20debug%20builder/8115
Original change's description:
> Reland "[torque] Throw exception instead of aborting if something goes wrong"
>
> This is a reland of 3bd49f9b90
>
> The issue on the windows bot is apparently a compiler bug in MSVC related to
> move construction. The fix seems to be to change the order of the fields in
> "JsonParseResult" (go figure).
>
> Drive-by-change: Fix LS on windows by emitting correct line endings and
> enabling exceptions for the LS executable as well.
>
> Original change's description:
> > [torque] Throw exception instead of aborting if something goes wrong
> >
> > This CL enables exceptions for the Torque compiler and Torque language
> > server. Instead of aborting when something goes wrong during
> > compilation, a TorqueError is thrown, containing the error message
> > and a source position. The compiler executable still prints the error
> > and aborts, while the language server will pass this information
> > along to the client (not included in this CL).
> >
> > R=danno@chromium.org
> >
> > Bug: v8:8880
> > Change-Id: Iad83c46fb6a91c1babbc0ae7dbd94fbe4e7f1663
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1526003
> > Reviewed-by: Daniel Clifford <danno@chromium.org>
> > Commit-Queue: Simon Zünd <szuend@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#60512}
>
> Bug: v8:8880
> Change-Id: I00e6591bbb4c516dd7540a7e27196853bc637f11
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1545995
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60736}
TBR=danno@chromium.org,tebbi@chromium.org,szuend@chromium.org
Change-Id: I0b22db1652bd46fbb7167f75b710ed5e408ea8ac
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8880
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561311
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60747}
Instead of having sequential compilation implemented as a separate
path, we can just use the existing parallel compilation path, and
restrict the number of parallel compilations (if deterministic
compilation is required).
R=mstarzinger@chromium.org
Bug: v8:9104
Change-Id: Ia12c6e45455834a131b3d2ed55f5fe9132903d8e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552782
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60740}
This is a reland of 3bd49f9b90
The issue on the windows bot is apparently a compiler bug in MSVC related to
move construction. The fix seems to be to change the order of the fields in
"JsonParseResult" (go figure).
Drive-by-change: Fix LS on windows by emitting correct line endings and
enabling exceptions for the LS executable as well.
Original change's description:
> [torque] Throw exception instead of aborting if something goes wrong
>
> This CL enables exceptions for the Torque compiler and Torque language
> server. Instead of aborting when something goes wrong during
> compilation, a TorqueError is thrown, containing the error message
> and a source position. The compiler executable still prints the error
> and aborts, while the language server will pass this information
> along to the client (not included in this CL).
>
> R=danno@chromium.org
>
> Bug: v8:8880
> Change-Id: Iad83c46fb6a91c1babbc0ae7dbd94fbe4e7f1663
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1526003
> Reviewed-by: Daniel Clifford <danno@chromium.org>
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60512}
Bug: v8:8880
Change-Id: I00e6591bbb4c516dd7540a7e27196853bc637f11
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1545995
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60736}
This reverts commit f39944853f.
Reason for revert:
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/26128
Original change's description:
> [interpreter] Move interrupt budget from BytecodeArray to FeedbackCell
>
> Interrupt budget was stored in bytecode array and used to be shared
> across all contexts. With lazy feedback allocation, using context
> independent interrupt budget might lead to performance cliffs when
> we have closures that do not share the same feedback (for ex: across
> contexts). This would be a problem even earlier but it could be
> more pronounced with feedback vector allocation, since the budget
> for optimization is much higher (144x) than the budget for feedback
> allocation.
>
> Bug: chromium:948835, v8:8394
> Change-Id: Ie3ac389e1c082d1671efd4d74abc076ce943301b
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1558088
> Commit-Queue: Mythri Alle <mythria@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60734}
TBR=jarin@chromium.org,mlippautz@chromium.org,mythria@chromium.org,jgruber@chromium.org,bmeurer@chromium.org
Change-Id: Icbec4d28d6ac258827e222461cff51f2a2f42472
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:948835, v8:8394
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1560990
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60735}
Interrupt budget was stored in bytecode array and used to be shared
across all contexts. With lazy feedback allocation, using context
independent interrupt budget might lead to performance cliffs when
we have closures that do not share the same feedback (for ex: across
contexts). This would be a problem even earlier but it could be
more pronounced with feedback vector allocation, since the budget
for optimization is much higher (144x) than the budget for feedback
allocation.
Bug: chromium:948835, v8:8394
Change-Id: Ie3ac389e1c082d1671efd4d74abc076ce943301b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1558088
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60734}
@@replace should only call ToString(replaceValue) once. Prior to this
CL this was not the case when
1. the given regexp is fast
2. the replacement is not callable
3. and its string representation contains a '$'.
In such a situation we'd call ToString both in the RegExpReplace
builtin, and after bailing out again in the RegExpReplaceRT runtime
function.
The fix is to pass the result of ToString(replaceValue) to the runtime
function. ToString in RegExpReplaceRT will be a no-op since the value
is already guaranteed to be a string.
Bug: chromium:947822
Change-Id: I14b4932a5ee29e49de4c2131dc2e98b50d93da49
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1559739
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60733}
- Add a new ClassScope for block scopes created for classes.
- Add a VariableMap in the class scope for private name resolution,
and a separate UnresolvedList for private names that will be resolved
only using ClassScopes. These are stored in RareData and will only be
allocated when there are private name declaration or access in the
class.
Design: https://docs.google.com/document/d/1l-D70uaHzXU8QVgQZ3ACikb3FLO6LTAfQVdGDXsh5mw/edit?usp=sharing
TBR: hpayer@chromium.org
Bug: v8:8330
Bug: v8:7468
Change-Id: I78191fc075f7f195f6c56c959773c382346cce8a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1488271
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60726}
The test has been working for some time. It was blocked on the jump table,
and patching it correctly when redirecting imported functions to the
interpreter.
R=mstarzinger@chromium.org
Bug: v8:7767
Change-Id: Id3a16de9c6403cab0321958b681ff18f216fe978
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1559852
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60716}
This adds support for passing/returning reference type parameter/return
values when the interpreter is calling extern functions. It expands the
existing test coverage to the interpreter.
R=clemensh@chromium.org
TEST=mjsunit/wasm/anyref-interpreter,mjsunit/wasm/anyfunc-interpreter
BUG=v8:8091,v8:7581
Change-Id: I377e9d28aa36866c0441683ffd6a48160b721ec1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1559853
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60715}
Since wasm optimizations are independent of JS optimizations, we can
just combine the "no_liftoff" variant with the existing "stress"
variant (which has the similar "--always-opt" option for JS), and add
a "Liftoff only" variant as part of "nooptimization".
This gives more coverage to find bugs like https://crrev.com/c/1543354
more easily.
R=mstarzinger@chromium.org, machenbach@chromium.org
Change-Id: I81bb22074c59dcb650a05252da43a4170cd467ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1559740
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60714}
This change aims to simplify RawMachineAssembler::CallCFunction
interface by use of variadic templates.
Change-Id: Ie7081f692f62674f891f09abfd7149e8d95eeb81
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1526015
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60710}
Drive-by fix: In ProcessFeedbackForGlobalAccess, we had forgotten to
return the feedback when it already existed.
Bug: v8:7790, v8:9094
Change-Id: Ie4be6cef5755bbdd9d8ed472caaa2e32d243893d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1554680
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60705}
The {remaining_uncommitted_code_space} method is only used for testing.
This CL removes it, and replaces all uses by {committed_code_space}.
R=mstarzinger@chromium.org
Bug: v8:8217
Change-Id: Icb50471da3564a5cd114b15836c8b346b932a108
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1559735
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60704}
This adds support for loading and storing mutable imported globals
having a reference type in the interpreter. It expands existing test
coverage to the interpreter.
R=clemensh@chromium.org
TEST=mjsunit/wasm/anyref-globals-interpreter
BUG=v8:8091,v8:7581
Change-Id: I78e0c5c73664a183e1d92ec91eadf8b9a93e4787
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1559743
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60701}
When compilation hints are disabled (they are by default) the decoder
failed on custom sections with the name 'compilationHints'. This is
fixed and a test is added.
Bug: v8:9003
Change-Id: I5d25c019a702a722d8baf497d1bcd3a578a2d4bf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1557150
Commit-Queue: Frederik Gossen <frgossen@google.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60696}
This adds support for handling reference types when loading/storing
globals. Support for imported mutable globals is still missing and will
be done in a follow-up change.
R=clemensh@chromium.org
TEST=mjsunit/wasm/exceptions-global-interpreter
BUG=v8:8091,v8:7581
Change-Id: I0d14919b1ce7f49c4a0541e3d6a99ee203cfb311
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1558086
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60695}
This changes the existing cctest/test-field-type-tracking tests to
use actual Code objects and proper code dependencies to test that the
runtime actually does the right thing (aka deoptimizes the Code objects
correctly). Before it was using the CompilationDependencies, which as
of now no longer check whether the runtime actually deoptimized or not.
This is a prerequisite for changing the way we handle field representation
changes, specifically going from Smi or HeapObject to Tagged.
Bug: v8:8749, v8:8865
Change-Id: I260294217550cee2b42f7ba7e9c92bf0d1db0b8c
Doc: http://bit.ly/v8-in-place-field-representation-changes
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1557149
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60686}
This adds preliminary support for reference types as argument or return
values to functions that are redirected to the interpreter. The current
interpreter entry stub remains unchanged, using one buffer area that is
hidden from the GC. The corresponding {Runtime_WasmRunInterpreter} now
correctly boxes/un-boxes reference types into handles. This switch to a
handlified representation happens before any method that potentially
triggers a GC is called.
R=clemensh@chromium.org
TEST=mjsunit/wasm/exceptions-anyref-interpreter
BUG=v8:8091,v8:7581
Change-Id: I41c766ed5ac877042d5964e72f3fd7df390c4e98
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1557147
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60684}
For CheckNonEmptyString we not only need to rule out that the input is
not the empty string, but also make sure that the input is actually a
string, hence we need to do a proper instance type check in the general
case.
Bug: chromium:949996, chromium:947949, v8:8834, v8:8931, v8:8939, v8:8951
Change-Id: Icc260d735d19337bba4bb71570a6c6385e47c310
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1557146
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60681}
The JSInliningHeuristic is now completely heap-access free. JSInliner
still includes Allow* guards and will be brokerized as a follow-up CL.
R=neis@chromium.org
Bug: v8:7790
Change-Id: I6df5d8515bb8bd8d512e8442e4f4dba9ebe9dd2e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1528437
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60680}
This ensures that ApiObjects in V8 are not dropped if they are
currently used as WeakCollection keys. As proxy to determine key
status we use the presence of the identity hash on the object.
R=ulan@chromium.org
Bug: v8:8557, chromium:949244
Change-Id: Ifa0e24be44431a0200fd6a1d9898cd366b940bd5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1557143
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60675}
We would only increment write barrier counters from the MacroAssembler's
RecordWrite method which is only used in limited cases. Instead, we should
increment it inside the RecordWrite stub, this way we catch all uses, including
WASM.
Also, we had a static counter aimed at telling us how many barriers exist in
generated code, as opposed to how many are executed. This counter was not
functional since the compiler isn't aware of counters at the moment. Let's just
remove it to avoid confusion.
Change-Id: I6b173ab858c8984ef03ede225afdc999ba82b5c9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1524483
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/master@{#60673}
Remove unused includes and add includes that were indirect.
Remove UnboundQueue which was not used anywhere.
Change-Id: If47faac45fc9c16a27453ecabed927ea00df3045
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1557136
Auto-Submit: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60672}
The test is so slow that it might have caused the test driver to hang after the
normal hard timeout.
TBR=sergiyb@chromium.org
NOTRY=true
Bug: v8:9098
Change-Id: I28ad1551f66fab989494d7a3b015d661c5ab6efb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1557142
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60671}
This is a reland of 63608968b6
The previous CL failed on Windows, but it was a general bug. The
dropped_elem_segments was not being set on the instance properly in
cctests, so `table.init` instructions would fail by reading uninitialized
data.
I took this opportunity to also add an implementation of
`elem.drop` in the interpreter, and ported the JS tests for those too.
Original change's description:
> [wasm] Implement table.init for interpreter
>
> This also fixes CheckCallViaJS when a trap occurs. In that case, the
> trap callback is called instead of an exception being thrown, so if it
> isn't handled, a bogus result will be returned instead.
>
> Bug: v8:8965
> Change-Id: I560e89f353756df23c062fb8c9484d9971c19253
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1539078
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Commit-Queue: Ben Smith <binji@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60473}
Bug: v8:8965
Change-Id: Ia547d9530b7ca67fde5bd94539f49153b796e82d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1547142
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60664}
This makes sure that the implicit operand stack slot used for passing an
exception from the throw-site to the catch-site is counted against the
maximum stack height.
R=clemensh@chromium.org
TEST=mjsunit/wasm/exceptions-rethrow-interpreter
BUG=v8:8091
Change-Id: I7e8f47ba4662eb273792e7508207f67588264a2f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1554683
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60658}
Typed arrays with elements cannot be frozen, but this function
previously would have falsely reported that they are after
an `Object.freeze()` call. Since the latter bails out when
the object is already frozen, the effect was that when calling
`Object.freeze()` on a typed array more than once, the first call
would throw and subsequent ones would not.
Change-Id: I75e59f51ebb94797cdf39bac4ec4c25c547e70a3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552781
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60652}
This ensures the lifetime of reference values on the simulated operand
stack of the interpreter is coupled to a lifetime of the {ThreadImpl}.
We no longer directly store reference values on the stack, but maintain
a separate "reference stack" on the GC'ed heap. This will ensure the GC
traces such references properly.
The new {StackValue} safety wrapper makes sure all use-sites that access
the operand stack properly convert to/from handles when dealing with
reference values.
R=clemensh@chromium.org
TEST=mjsunit/wasm/exceptions-interpreter
BUG=v8:8091,v8:7581
Change-Id: I8c05f2d945a6def943b89be0cfca538a73df8855
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552791
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60650}
This is the first step towards full huge typed array support in V8.
Before this change, the JSTypedArray::length and the elements backing
store length (FixedTypedArrayBase::length) were used more or less
interchangeably to determine the number of elements in a JSTypedArray.
With this change we disentangle these two lengths, and instead make
JSTypedArray::length authoritative. For on-heap typed arrays, the
FixedTypedArrayBase::length will remain the number of elements in the
backing store, but for the off-heap typed arrays, this length will be
set to 0 (matching the fact that the FixedTypedArrayBase instance does
not contain any elements itself).
This also unifies the JSTypedArray::set_/length() and length_value()
methods to only have JSTypedArray::set_/length() which returns/takes
size_t values. Currently this still requires the values to be in Smi
range, but later we will extend this to allow arbitrary size_t values
(in the safe integer range).
Bug: v8:4153, v8:7881
Change-Id: Iff9089130bb31fa9e08e0cf913e7ab52c3dbf107
Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1543729
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60648}
Locks for compilation state callbacks and for the native module are
again taken one after the other. As a consequence, publishing compiled
Wasm code again happens in parallel. Compile times are now comparable to
before lazy hints were enabled.
Bug: chromium:949050
Change-Id: I45c52254d046de080938bd131fd3ed8116660bef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552787
Commit-Queue: Frederik Gossen <frgossen@google.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60646}
Indexed fields in classes can now be initialized using iterators
and a spread syntax, e.g.:
  class Foo {
    length: Smi;
    elements[length]: Object;
  }

  new Foo{length: 5, elements: ...iter};

where iter implements Torque's iterator protocol. This protocol
requires the definition of a method with the following signature:

  Next(): <type> labels NoMore;

Where <type> is the Torque type of the values to be iterated.
In the case of indexed field initialization, the type must be
the field's type or a subtype thereof.
Field initialization with spread is desugared into a loop that
calls the spread iterator's Next method and assigns each
returned value in order to the corresponding indexed field
element.
The general machinery for the spread syntax has been added to
the ast and parser, however, it can currently only be used in
the specific context of indexed field initialization. Spread
operators used in any other context will cause an error.
Bug: v8:7793
Change-Id: If071e61db8166573c28d13318879c88ba96f6d98
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1550407
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60639}
Context::microtask_context can be null after v8::Context::DetachGlobal
is called, and that should cancel microtasks that are associated to
the detached context.
However, there are several callers left without the null check to the
microtask queue, and that causes crashes.
This CL adds the null check and cancellation as the crash fix.
Bug: chromium:937784
Change-Id: Ie8d107f28f200cee6e75798e3f72c5ed7a2a461c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1545139
Commit-Queue: Taiju Tsuiki <tzik@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60623}
This changes the syntax for constructing structs and classes to explicitly
mention the fieldnames, similar to JavaScript object literals.
The fields still have to be listed in the same order as in the struct/class
declaration.
As in JavaScript, {foo: foo} can be abbreviated as {foo}.
Example:

  macro NewJSArray(implicit context: Context)(
      map: Map, elements: FixedArrayBase): JSArray {
    return new JSArray{
      map,
      properties_or_hash: kEmptyFixedArray,
      elements,
      length: elements.length
    };
  }

Drive-by cleanup: Make struct and class constructors follow the same pattern
in the parser and the AST.
Bug: v8:9018 v8:7793
Change-Id: I22ff7f68270e4f406aa80731a709d41ea52f52bb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1551999
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Daniel Clifford <danno@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60622}
Making 43K of room for landing ICU64.
Size Change (on x64.release)
D8 before 23,683,192
D8 after 23,639,296
Reduce 43,896 bytes
Bugs: v8:8348
Change-Id: I057f7d59e955a2e5e017873e5b3b5daf5b142ae2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1478710
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60616}
These tests make sure the ticks are correct when resolving against a
Promise.
Without the optimization, the result is:
"start,tick 1,tick 2,tick 3,tick 4,done,tick 5"
With the optimization, the result is:
"start,tick 1,tick 2,done,tick 3,tick 4,tick 5"
Bug: v8:8267
Change-Id: I6c6499c7c256927531a99bab4ae1c5bd5069ef7c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1534884
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60615}
When TurboFan optimizes field access, we need to check first that the
runtime already determined the correct field representation properly.
If the field representation is still None, we cannot optimize this in
TurboFan straight away but we have to call the IC to let the runtime
do the magic.
Bug: chromium:944865
Change-Id: I032a48824e83806e1be7670346f518b258a9dd65
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1549167
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60607}
Using the Isolate's allocator when creating the WasmModule can lead to
use-after-free situations when the NativeModule is shared across
Isolates.
R=mstarzinger@chromium.org
Bug: v8:9079
Change-Id: I5a564852179cc5b9d4cbad2a002d3b6e14b01968
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1550404
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60605}
Reading --verify_predictable makes me sad, whereas --verify-predictable
makes me happy. This CL introduces more happiness.
R=machenbach@chromium.org
Bug: v8:8834
Change-Id: Id51a75f32e6d5a2f87aed81e058a8b6dff189758
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1550399
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60599}
This adds preliminary support for handling the "br_on_exn" opcode in the
interpreter. It also makes "catch" and "rethrow" use a proper exception
reference instead of a dummy value.
To that end this also adds {Handle<>} as a new kind of {WasmValue} which
is intended to pass reference values (e.g. "anyref" or "except_ref") to
the runtime system. Therefore lifetime of such a {WasmValue} is directly
coupled to any surrounding {HandleScope}.
For now we just store {Handle<>} directly on the simulated operand stack
of the interpreter. This is of course bogus, since the surrounding scope
does not outlive the interpreter activation. Decoupling the lifetime of
the operand stack from a {HandleScope} will be done in a follow-up CL.
As a drive-by this change also implements support for the "ref_null" and
the "ref_is_null" opcodes as a proof-of-concept that the new {WasmValue}
is also applicable to the "anyref" reference type.
R=clemensh@chromium.org
TEST=cctest/test-run-wasm-interpreter/ReferenceTypeLocals
BUG=v8:8091,v8:7581
Change-Id: I2307e0689a19c4aab1d67f1ba6742cb3cc31aa3c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1550299
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60598}
During instantiation, exceptions can be thrown when looking up the
imports, e.g. because of proxies. If the exception is thrown
internally, before actually calling out to JS code, it won't be
externally caught.
This CL removes the DCHECK that erroneously checked that a pending
exception was externally caught.
R=mstarzinger@chromium.org
Bug: chromium:948228
Change-Id: Idbdb340167c1943f78397cc9b310ef5743755726
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1547855
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60593}
Const-qualified fields are allowed in both classes and structs.
In both cases, const fields can only be set via initialization
during construction.
Drive-by: unitialized -> uninitialized
Bug: v8:7793
Change-Id: Idec08df30f7897c756b7dd6f2b10bb6012fefb6a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1547853
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60592}
The tiers are now consistently referred to as baseline and top tier.
Bug: v8:9003
Change-Id: I74ad1867aca63bee9eb83b7f0f9fbaf2b1523dcb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1547667
Commit-Queue: Frederik Gossen <frgossen@google.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60591}
Adds the notion of a "source type" to CpuProfileNode instances, hinting
at the underlying source of the function or state that resulted in the
generation of the node.
Bug: v8:9001
Change-Id: Ie14c54d41b99eb02f54b423fa5d939e9d7f63785
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1510576
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60590}
Includes both changing from compressed pointers and to compressed pointers.
Also added tests to the representation changer test
B
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng,v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:8977
Change-Id: I8a13f6b7ec2208442aa354949173cc9061bce168
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1533866
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60587}
All standard containers provide a method named {empty} to check whether
the container is empty. On {base::Vector}, that method is named
{is_empty}, while {empty} is an unused factory method for creating an
empty {Vector}.
This CL renames {is_empty} to {empty} and removes the unused factory
method.
R=leszeks@chromium.org
Bug: v8:8834
Change-Id: I686bd07527801fbe783c412bc241221d8ec3660a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1547862
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60584}
This is a reland of 3cda21de77
Original change's description:
> V8 x64 backend doesn't emit ABI compliant stack frames
>
> On 64 bit Windows, the OS stack walking does not work because the V8 x64
> backend doesn't emit unwinding info and also because it doesn't emit ABI
> compliant stack frames. See
> https://docs.google.com/document/d/1-wf50jFlii0c_Pr52lm2ZU-49m220nhYMrHDi3vXnh0/edit
> for more details.
>
> This problem can be fixed by observing that V8 frames usually all have the same
> prolog and epilog:
>
> push rbp,
> mov rbp, rsp
> ...
> pop rbp
> ret N
>
> and that it is possible to define XDATA (UNWIND_CODEs) that specify how Windows
> should walk through V8 frames. Furthermore, since V8 Code objects are all
> allocated in the same code-range for an Isolate, it is possible to register a
> single PDATA/XDATA entry to cover stack walking for all the code generated
> inside that code-range.
>
> This PR contains changes required to enable stack walking on Win64:
>
> EmbeddedFileWriter now adds assembler directives to the builtins
> snapshot source file (embedded.cc) to emit additional entries in the .pdata and
> in the .xdata section of the V8 executable. This takes care of stack walking
> for embedded builtins. (The case of non-embedded builtins is not supported).
> The x64 Assembler has been modified to collect the information required to emit
> this unwind info for builtins.
>
> Stack walking for jitted code is handled in Isolate.cpp, by registering
> dynamically PDATA/XDATA for the whole code-range address space every time a new
> Isolate is initialized, and by unregistering them when the Isolate is
> destroyed.
>
> Stack walking for WASM jitted code is handled in the same way in
> wasm::NativeModule (wasm/wasm-code-manager.cpp).
>
> It is important to note that Crashpad and Breakpad are already registering
> PDATA/XDATA to manage and report unhandled exceptions (but not for embedded
> builtins). Since it is not possible to register multiple PDATA entries for the
> same address range, a new function is added to the V8 API:
> SetUnhandledExceptionCallback() can be used by an embedder to register its own
> unhandled exception handler for exceptions that arise in v8-generated code.
> V8 embedders should be modified accordingly (code for this is in a separate PR
> in the Chromium repository:
> https://chromium-review.googlesource.com/c/chromium/src/+/1474703).
>
> All these changes are experimental, behind:
>
> the 'v8_win64_unwinding_info' build flag, and
> the '--win64-unwinding-info' runtime flag.
>
> Bug: v8:3598
> Change-Id: Iea455ab6d0e2bf1c556aa1cf870841d44ab6e4b1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1469329
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Paolo Severini <paolosev@microsoft.com>
> Cr-Commit-Position: refs/heads/master@{#60330}
Bug: v8:3598
Change-Id: If988baf7d3e4af165b919d6e54c1ad985f8e25e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1534618
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#60581}
This is a reland of 660d828790
Original change's description:
> [debug] Mark toLocaleString and TA#join builtins as side-effect free.
>
> Bug: chromium:940373
> Change-Id: If5f90ff5f873f0687c6a6a4063e0d09d6bbbd556
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1533157
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
> Cr-Commit-Position: refs/heads/master@{#60440}
Bug: chromium:940373
Change-Id: I03fe4c06cad9848db211739170462d52ce3f7acf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1538791
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Cr-Commit-Position: refs/heads/master@{#60575}
This happened because {EphemeronKeyWriteBarrierFromCode} will also be
called if both table and key are in old-space, and key is an evacuation
candidate.
Bug: chromium:948307, v8:8557
Change-Id: Ic1284209584b74cb343163e4beec632a3f1544b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1547858
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60568}
This CL adds all the necessary {WasmCodeRefScope}s in the code base, or
at least a good approximation. A follow-up CL will enable a check that
a {WasmCodeRefScope} exists whenever a pointer to a {WasmCode} object
is returned from the {NativeModule}. This should flush out any missing
scopes.
R=titzer@chromium.org
Bug: v8:8217
Change-Id: I54c7eb39aeb1acde38273c399396e6b1390a4cb2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1533860
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60566}
Don't just DCHECK that intrinsic calls are one-byte, but explicitly
check and return (a failure) when they are not.
Bug: chromium:948248
Change-Id: If2c16f337e9c97e5a585d21a51a985f4abbe1c29
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1547857
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60565}
This is a reland of 09fa63a935
Original change's description:
> [wasm-hints] Enabled Lazy Compilation by Hint
>
> Hints for lazy compilation are now taken into consideration. If the
> custom hints section suggests lazy compilation we do so unless the module
> consists of a single function.
>
> Bug: v8:9003
> Change-Id: Ibdc400453cee20d4d5c814733887b38fb675b220
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1535827
> Commit-Queue: Frederik Gossen <frgossen@google.com>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60557}
Bug: v8:9003
No-Try: true
Change-Id: I8d6f4518aa548c815fba4e6e62d2206129336cc6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1547851
Commit-Queue: Frederik Gossen <frgossen@google.com>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60564}
This reverts commit 09fa63a935.
Reason for revert: Flakes on https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20shared/29942
Original change's description:
> [wasm-hints] Enabled Lazy Compilation by Hint
>
> Hints for lazy compilation are now taken into consideration. If the
> custom hints section suggests lazy compilation we do so unless the module
> consists of a single function.
>
> Bug: v8:9003
> Change-Id: Ibdc400453cee20d4d5c814733887b38fb675b220
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1535827
> Commit-Queue: Frederik Gossen <frgossen@google.com>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60557}
TBR=mstarzinger@chromium.org,clemensh@chromium.org,frgossen@google.com
Change-Id: I18dd424fe8cf05f220f7498bb1ebe4b9fce7d240
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9003
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1547668
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60558}
Hints for lazy compilation are now taken into consideration. If the
custom hints section suggests lazy compilation we do so unless the module
consists of a single function.
Bug: v8:9003
Change-Id: Ibdc400453cee20d4d5c814733887b38fb675b220
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1535827
Commit-Queue: Frederik Gossen <frgossen@google.com>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60557}
- We didn't take stability dependencies on the inferred maps
in case of kUnreliableReceiverMaps.
- We didn't take stability dependencies on the prototype chains.
Bug: v8:9041
Change-Id: I85418dbed219f51e7fb46c59a0cb9cbb9b499bc1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1541107
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60550}
It was missing a control output.
Bug: chromium:946889
Change-Id: I85f203fc6e27a60f0b86e0e2999dd798a5416dfc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1547655
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60549}
The CheckNonEmptyString lowering was the wrong way around and would
deoptimize if it doesn't see the empty string. This leads to the
creation of invalid ConsStrings and also to unnecessary deopt loops
with proper code.
Bug: chromium:947949, v8:8834, v8:8931, v8:8939, v8:8951
Change-Id: Ib2cc4e92cc9ec7e0284d94f74d14f67f8c878dec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1545908
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60542}
That saves some bytes on the frontend side and some cycles when generating and parsing protocol JSON for stacks.
BUG=chromium:946411
Change-Id: I36b3a48b5d8246a05b877bc21f36c08803a1c304
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1542800
Commit-Queue: Alexei Filippov <alph@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60532}
This fixes initialization of reference type global variables (i.e.
anyref and except_ref) based on an index of another global. It extends
the existing support to exception types, fixes the logic, and also fixes
a missing write barrier.
R=ahaas@chromium.org
TEST=mjsunit/wasm/exceptions-global
BUG=v8:8091
Change-Id: Ia91f1ea03be24fadf3023a5acdd073badb8dcd93
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1539581
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60525}
Even though both are allowed in the style guide, it recommends to use
'using', as its syntax is more consistent with the rest of C++.
This CL turns all typedefs in heap code to 'using' declarations.
R=mstarzinger@chromium.org
Bug: v8:8834
Change-Id: I8a9f6e1eebdd0adca4373c866e95ebab0a1e992d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1545892
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60523}
Even though both are allowed in the style guide, it recommends to use
'using', as its syntax is more consistent with the rest of C++.
This CL turns all typedefs in wasm code to 'using' declarations.
R=ahaas@chromium.org
Bug: v8:8834
Change-Id: Ibdce88a5cc31e0785cbc1b34088bd39aa3ec84b3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1545890
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60519}
In reducers, we should avoid reductions of the form
  ReduceWithValue(node, replacement)
  return Replace(node)
because such reduction does not kill the original node, so it may
become subject to resurrection from some side table (in the bug
referenced below it was load elimination's side table). Instead,
we should use
  ReduceWithValue(node, replacement)
  return Replace(replacement)
Bug: chromium:945644
Change-Id: Id210efe0d214a53241392d30b7f0eee8e7515e2a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1545229
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60517}
This reverts commit 3bd49f9b90.
Reason for revert: Build failure on Win Bot
Original change's description:
> [torque] Throw exception instead of aborting if something goes wrong
>
> This CL enables exceptions for the Torque compiler and Torque language
> server. Instead of aborting when something goes wrong during
> compilation, a TorqueError is thrown, containing the error message
> and a source position. The compiler executable still prints the error
> and aborts, while the language server will pass this information
> along to the client (not included in this CL).
>
> R=danno@chromium.org
>
> Bug: v8:8880
> Change-Id: Iad83c46fb6a91c1babbc0ae7dbd94fbe4e7f1663
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1526003
> Reviewed-by: Daniel Clifford <danno@chromium.org>
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60512}
TBR=danno@chromium.org,mvstanton@chromium.org,szuend@chromium.org
Change-Id: Iac253da404eaf6e534267f59a42ca93667c205e4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8880
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1543849
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60513}
This CL enables exceptions for the Torque compiler and Torque language
server. Instead of aborting when something goes wrong during
compilation, a TorqueError is thrown, containing the error message
and a source position. The compiler executable still prints the error
and aborts, while the language server will pass this information
along to the client (not included in this CL).
R=danno@chromium.org
Bug: v8:8880
Change-Id: Iad83c46fb6a91c1babbc0ae7dbd94fbe4e7f1663
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1526003
Reviewed-by: Daniel Clifford <danno@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60512}
This CL splits a specific test out of the bigint.js test suite in order to
be, eventually, ignored by the wasm-bigint proposal 32-bit support CL.
Change-Id: I8ab673abfb53bac95952b11716fe4f29a4a7feaa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1543352
Commit-Queue: Sven Sauleau <ssauleau@igalia.com>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60510}
This is a reland of 93716b9e71
Original change's description:
> [snapshot] Add support for native counters.
>
> Counters in generated code, as enabled with --native-code-counters, do not work
> in the snapshot. This adds a `v8_enable_snapshot_code_counters` build option
> enabled by default in debug mode that allows code from the snapshot to increment
> the current isolate's set of counters.
>
> For this to work, we need to add native code counters in the external reference
> table.
>
> To keep the no snapshot configuration similar, we've also enabled the
> --native-code-counters flag by default for debug builds.
>
> Change-Id: I4478b79858c9b04f57e06e7ec67449e9e3a76f53
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1528998
> Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60495}
Change-Id: Ib6427caf068ca196a032e3f3b97d9f9219e0fe60
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1543349
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/master@{#60507}
When switching from atomicops to std::atomic, I introduced a bug that
makes us miss the actual peak memory consumption, and only report the
second-highest memory usage in each zone.
This CL fixes that.
R=petermarshall@chromium.org
Bug: chromium:939724
Change-Id: I3db8eeb9719eb026cf6b4a9690c702cbc4c11bd9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1541227
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60505}
Previously when lazy source positions were enabled, source positions
were immediately collected whenever an exception was thrown for every
frame in the stack trace.
This change makes source position collection trigger only when the
source positions of a stack frame are actually accessed with the
exception of the top frame which is still eagerly collected for now.
Additionally when stack overflows occur during source position
collection, the bytecode is marked with exception in the
source_position_table field so it can be distinguished from the case
where source position collection has never been attempted (undefined)
or is not desired because the bytecode is for natives
(empty_byte_array).
Bug: v8:8510
Change-Id: If7ee68edbacc9e2adadf00fe5ec822a8dbe1c79a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1520721
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60504}
test/mjsunit/elements-kind.js calls %NeverOptimizeFunction followed by
%OptimizeFunctionOnNextCall later. If NeverOptimize marker is set, the
function would not be optimized even when requested through
%OptimizeFunctionOnNextCall
Change-Id: I37307fee7afd083953699026a82bbf12c85581ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1533865
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60503}
This reverts commit 93716b9e71.
Reason for revert: Breaks asan debug:
https://ci.chromium.org/p/v8/builders/ci/V8%20Clusterfuzz%20Mac64%20ASAN%20-%20debug%20builder/7872
https://ci.chromium.org/p/v8/builders/ci/V8%20Clusterfuzz%20Linux64%20ASAN%20-%20debug%20builder/7874
Original change's description:
> [snapshot] Add support for native counters.
>
> Counters in generated code, as enabled with --native-code-counters, do not work
> in the snapshot. This adds a `v8_enable_snapshot_code_counters` build option
> enabled by default in debug mode that allows code from the snapshot to increment
> the current isolate's set of counters.
>
> For this to work, we need to add native code counters in the external reference
> table.
>
> To keep the no snapshot configuration similar, we've also enabled the
> --native-code-counters flag by default for debug builds.
>
> Change-Id: I4478b79858c9b04f57e06e7ec67449e9e3a76f53
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1528998
> Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60495}
TBR=sigurds@chromium.org,jgruber@chromium.org,petermarshall@chromium.org,pierre.langlois@arm.com
Change-Id: I93f1ed714e3dcd309f3100685e4bd282db471d46
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1543209
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60500}
A microtask requires a non-detached Context to trigger, and the Context
is usually pulled from the primary handler.
In the example below, |on_rejected| is primary, as the attached promise
is rejected and |on_rejected| will be called as the reaction.
  Promise.reject().then(on_fulfilled, on_rejected);
If the primary handler is undefined or invalid, we used to use the
promise's context as the fallback. E.g. the primary handler is undefined
in the example below, and the context of |promise| was used.
  let promise = Promise.reject();
  promise.then(on_fulfilled);
However, that causes non-intuitive behavior around a detached
context:
  let DeadPromise = iframe.contentWindow.Promise;
  iframe.src = "http://example.com"; // navigate away.
  // DeadPromise's Context is in detached state now.
  let p = DeadPromise.reject();
  // |on_rejected| is called, as the context is pulled from |on_rejected|.
  p.then(on_fulfilled, on_rejected);
  // |on_rejected| was NOT called, as a microtask to settle |q| does not
  // run due to the detached context.
  let q = p.then(on_fulfilled);
  q.catch(on_rejected);
After this CL, we use the non-primary handler as a source of fallback context.
In the last example above, the Context is pulled from |on_fulfilled|,
so that |q| is settled using that context.
Bug: chromium:941271
Change-Id: Iff71acf7c3617f3493d100abcd2c5c36bd1bbfd1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1535916
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Taiju Tsuiki <tzik@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60499}
Counters in generated code, as enabled with --native-code-counters, do not work
in the snapshot. This adds a `v8_enable_snapshot_code_counters` build option
enabled by default in debug mode that allows code from the snapshot to increment
the current isolate's set of counters.
For this to work, we need to add native code counters in the external reference
table.
To keep the no snapshot configuration similar, we've also enabled the
--native-code-counters flag by default for debug builds.
Change-Id: I4478b79858c9b04f57e06e7ec67449e9e3a76f53
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1528998
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60495}
The elements of a {WasmInstanceObject} were not visited during GC,
leading to crashes when using them later.
This CL fixes this by visiting the whole {JSObject} header, consisting
of properties and elements.
R=titzer@chromium.org
Bug: chromium:839919, chromium:946350
Change-Id: I070fb3e6a7fd87a7288fc68b284100a2f9c72e9a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1541237
Auto-Submit: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60488}
regress-crbug-178790 test can cause overflow on debug mode
Drive-by: clean up simulator skipped tests
Change-Id: Iec6151518fe1814e8eefcaaf09439782a2d29426
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1539791
Auto-Submit: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#60485}
- Fixes a bug where signaling NaNs are converted to
Infinities rather than quiet NaNs.
Bug: v8:6020,v8:8639
Change-Id: I2601378f06f1987983f2b93e8970f401333073be
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1536911
Commit-Queue: Bill Budge <bbudge@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60480}
If the LHS has a proxy in its prototype chain (or is itself one), then
the LHS's [prototype_or_initial_map] being the hole does not necessarily
imply that the result is false.
This CL also adds support for --force-slow-path, which would have been
useful in finding this bug earlier.
Bug: v8:9036
Change-Id: I6f5134d6ce18f9f14549ced3d33527f54ce9bcb2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1539497
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60476}
This reverts commit 63608968b6.
Reason for revert:
https://ci.chromium.org/p/v8/builders/ci/V8%20Win32%20-%20debug/19535
Original change's description:
> [wasm] Implement table.init for interpreter
>
> This also fixes CheckCallViaJS when a trap occurs. In that case, the
> trap callback is called instead of an exception being thrown, so if it
> isn't handled, a bogus result will be returned instead.
>
> Bug: v8:8965
> Change-Id: I560e89f353756df23c062fb8c9484d9971c19253
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1539078
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Commit-Queue: Ben Smith <binji@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60473}
TBR=binji@chromium.org,mstarzinger@chromium.org
Change-Id: Iee528ac2f16988b25579af3555e6f17974cb0b05
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8965
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1539498
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60474}
This also fixes CheckCallViaJS when a trap occurs. In that case, the
trap callback is called instead of an exception being thrown, so if it
isn't handled, a bogus result will be returned instead.
Bug: v8:8965
Change-Id: I560e89f353756df23c062fb8c9484d9971c19253
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1539078
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60473}
Drive-by: also add support for trivial bytecodes such as LdaFalse.
Bug: v8:7790
Change-Id: I72626500096310899d37d57e3d0dd3bd54fddff4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1532066
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60460}
The bottlenecks to prevent storing signalling NaNs in backing stores
were not perfect. This change makes it harder by ensuring that all
the Torque-side "[]=" operator overloads for FixedDoubleArray stores
have signalling NaNs silenced.
Bug: chromium:944435
Change-Id: I295d9b34f4c896db30989bb9db1a2b452daa03ae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1538517
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60459}
Force to use locale with extension if the created NumberFormat
is not a DecimalFormat.
Check the dynamic class id.
Guard DecimalFormat casting code
Bug: v8:9035
Change-Id: Id32a3f652b93ddfca82f95f30ad2107b364ee7fc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1536571
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60452}
Allocate feedback vectors lazily when the function's interrupt budget has
reached a specified threshold. This cl introduces a new field in the
ClosureFeedbackCellArray to track the interrupt budget for allocating
feedback vectors. Using the interrupt budget on the bytecode array could
cause problems when there are closures across native contexts and we may
delay allocating feedback vectors in one of them causing unexpected
performance cliffs. In the long term we may want to remove interrupt budget
from bytecode array and use context specific budget for tiering up decisions
as well.
Bug: v8:8394
Change-Id: Ia8fbb71f5e8543a92f14c44aa762973da82d445c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1520719
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60450}
This adds OBJECT/SNAPSHOT trace events for Script and SharedFunctionInfo
objects, logging their creation with appropriate information to make
sense of them.
Based on that we introduce five flow events to model the optimized
compilation via tracing in the "disabled-by-default-v8.compile" category:
- "v8.optimizingCompile.start" logs the creation of the
  PipelineCompilationJob (for TurboFan JavaScript optimization)
  with the "function" argument referring to the trace event
  object created for the SharedFunctionInfo.
- "v8.optimizingCompile.prepare" logs the preparation of the
  PipelineCompilationJob on the main thread, also carrying the
  "function" argument. This connects the flow event to the actual
  tracing duration event associated with the preparation phases.
- "v8.optimizingCompile.execute" logs the (usually concurrent)
  optimization of the TurboFan graph (again with "function").
- "v8.optimizingCompile.finalize" logs the main thread phase which
  finalizes the optimized code and eventually installs it (in case
  of success).
- "v8.optimizingCompile.end" signals the end of the
  PipelineCompilationJob, which carries the "compilationInfo",
  that contains the interesting bits of the OptimizedCompilationInfo,
  specifically whether the compile was successful and which functions
  were inlined for example.
This also adds two instant events "V8.AbortOptimization" and
"V8.RetryOptimization" in "disabled-by-default-v8.compile" category
that are emitted when TurboFan cannot optimize a certain function.
In case of "V8.RetryOptimization", TurboFan might be able to optimize
it later, whereas "V8.AbortOptimization" permanently disables the
optimization of a given function. The JSON representation of this is
```js
{
  "pid": 256639,
  "tid": 256639,
  "ts": 6935411377801,
  "tts": 159116,
  "ph": "I",
  "cat": "disabled-by-default-v8.compile",
  "name": "V8.AbortOptimization",
  "dur": 0,
  "tdur": 0,
  "args": {
    "reason": "Function is too big to be optimized",
    "function": {
      "id_ref": "0x600000001",
      "scope": "v8::internal::SharedFunctionInfo"
    }
  }
},
```
where the "function" refers to a previously emitted SNAPSHOT for the
function in question. In the trace viewer it will show up as instant
event under "v8.optimizingCompile.prepare" in case of the relevant
example where optimization is disabled due to reaching the bytecode
limit (as in the JSON above), i.e. it'll look something like this
https://i.paste.pics/aafc2de9df10ea8f5acc1a761d80f07b.png
for the example highlighted in the recent blog post
https://ponyfoo.com/articles/javascript-performance-pitfalls-v8
that describes the optimization limit. The "v8.optimizingCompile.end"
duration event will also carry this information as part of the
"compilationInfo" object, but specifically for CI tools, etc. it might
be a whole lot easier to just look for the "V8.AbortOptimization"
instant event.
Bug: v8:8598, v8:9039
Tbr: ulan@chromium.org
Doc: bit.ly/v8-tracing-signals
Change-Id: Ic87ac336004690c65b6b15ad73bc6fbd4b5f12c4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1511483
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60448}
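
The commit message above suggests that CI tools look for the "V8.AbortOptimization" instant event. The following is an added example of such a check, not code from the V8 project: it scans a list of trace events and resolves each "function" reference to the most recent earlier snapshot. The sample trace is constructed, and the `args.snapshot.name` field, the "hugeFunction" name and the retry reason are assumptions, since the commit message does not show the snapshot's contents.

```javascript
// Added example (not V8 code): report TurboFan optimization failures in a trace.
const CATEGORY = "disabled-by-default-v8.compile";
const FAILURE_EVENTS = new Set(["V8.AbortOptimization", "V8.RetryOptimization"]);

// Index object snapshot events ("ph": "O") by scope and id, oldest first,
// so an "id_ref" can be resolved to the snapshot emitted before the failure.
function indexSnapshots(events) {
  const index = new Map();
  for (const ev of events) {
    if (ev.ph !== "O" || !ev.id) continue;
    const key = `${ev.scope || ""}|${ev.id}`;
    if (!index.has(key)) index.set(key, []);
    index.get(key).push(ev);
  }
  for (const list of index.values()) list.sort((a, b) => a.ts - b.ts);
  return index;
}

// Newest snapshot for this reference with a timestamp not after `ts`, or null.
function resolveRef(index, ref, ts) {
  if (!ref || !ref.id_ref) return null;
  const list = index.get(`${ref.scope || ""}|${ref.id_ref}`) || [];
  let found = null;
  for (const snap of list) {
    if (snap.ts > ts) break;
    found = snap;
  }
  return found;
}

function findOptimizationFailures(events) {
  const index = indexSnapshots(events);
  const failures = [];
  for (const ev of events) {
    // Instant events use phase "I" (as in the commit message) or "i".
    if ((ev.ph !== "I" && ev.ph !== "i") || !FAILURE_EVENTS.has(ev.name)) continue;
    // "cat" may hold several comma-separated categories.
    const cats = String(ev.cat || "").split(",").map((c) => c.trim());
    if (!cats.includes(CATEGORY)) continue;
    const args = ev.args || {};
    const snap = resolveRef(index, args.function, ev.ts);
    failures.push({
      permanent: ev.name === "V8.AbortOptimization", // Retry may succeed later
      reason: args.reason || "(no reason recorded)",
      functionId: args.function ? args.function.id_ref : null,
      functionName: snap?.args?.snapshot?.name ?? null, // assumed field
      ts: ev.ts,
    });
  }
  return failures;
}

// Constructed sample trace; only the abort event mirrors the commit message.
const SFI = "v8::internal::SharedFunctionInfo";
const SAMPLE_TRACE = [
  { ph: "O", ts: 100, id: "0x600000001", scope: SFI, cat: CATEGORY,
    name: "SharedFunctionInfo", args: { snapshot: { name: "hugeFunction" } } },
  { ph: "I", ts: 200, cat: CATEGORY, name: "V8.AbortOptimization",
    args: { reason: "Function is too big to be optimized",
            function: { id_ref: "0x600000001", scope: SFI } } },
  { ph: "I", ts: 300, cat: CATEGORY, name: "V8.RetryOptimization",
    args: { reason: "constructed retry reason" } },
  { ph: "I", ts: 400, cat: "other", name: "V8.AbortOptimization", args: {} },
];

for (const f of findOptimizationFailures(SAMPLE_TRACE)) {
  console.log(f.permanent ? "ABORT" : "RETRY", f.functionName, f.functionId, f.reason);
}
```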