The new Smi handler created to handle StoreIC_Slow and
KeyedStoreIC_Slow can get incorrectly assigned to global Objects.
Added an extra Check to avoid that.
Bug: chromium:1002628
Change-Id: I370e617e791792c98fa7b0cbf89ee7458f4e4c68
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803659
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Suraj Sharma <surshar@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#63813}
This will allow the test infrastructure to bypass isolate scheduling
restrictions.
Bug: chromium:1002582
Change-Id: Ib22a599cf6c826c3d412898520dba6f4045175b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1801995
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Fernando Serboncini <fserb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63811}
This reverts commit 5d8c489000.
Reason for revert: Fails on UBSan bot:
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20UBSan/7946
Original change's description:
> Remove all custom CopyCharsUnsigned implementations
>
> It's unclear whether the custom implementation have any advantage over
> the standard library one's.
> Since we update our toolchain and standard library regularly, it might
> well be the case that the custom implementations are slower by now.
>
> Thus this CL removes all {CopyCharsUnsigned} implementations and
> implements {CopyChars} generically using {std::copy_n}.
>
> Note that this does not touch the {MemMove} and {MemCopy} functions
> yet, as we have seen regressions when trying to remove them before
> (https://crbug.com/v8/8675#c5).
>
> R=leszeks@chromium.org
>
> Bug: v8:9396
> Change-Id: I97a183afebcccd2fbb567bdba02e827331475608
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1800577
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63808}
TBR=leszeks@chromium.org,clemensh@chromium.org
Change-Id: Ia16da942c7c28ba71076d1e3b0b8a6388a4ba359
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9396
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1806103
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63810}
There were two already TNodified methods, but lacking TNodification
on the variables that they were assigning to.
Now only CallRuntimeN and ExitPoint remain in interpreter-generator.
Bug: v8:6949, v8:9396
Change-Id: I66f74306b88c2254ad8ed1cb2c17187afa4fe0ad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1805644
Auto-Submit: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63809}
It's unclear whether the custom implementation have any advantage over
the standard library one's.
Since we update our toolchain and standard library regularly, it might
well be the case that the custom implementations are slower by now.
Thus this CL removes all {CopyCharsUnsigned} implementations and
implements {CopyChars} generically using {std::copy_n}.
Note that this does not touch the {MemMove} and {MemCopy} functions
yet, as we have seen regressions when trying to remove them before
(https://crbug.com/v8/8675#c5).
R=leszeks@chromium.org
Bug: v8:9396
Change-Id: I97a183afebcccd2fbb567bdba02e827331475608
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1800577
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63808}
Split OLD_TO_NEW remembered set and add OLD_TO_NEW_SWEEPING. The
OLD_TO_NEW remembered set is moved to OLD_TO_NEW_SWEEPING during
mark-compact. OLD_TO_NEW_SWEEPING is then modified by the sweeper.
Before using the page again, OLD_TO_NEW and OLD_TO_NEW_SWEEPING are
merged again.
This means only the main thread modifies OLD_TO_NEW, the sweeper only
removes entries from OLD_TO_NEW_SWEEPING. We can use this property
to make accesses non-atomic in a subsequent CL.
Bug: v8:9454
Change-Id: I9057cf85818d647775ae4c7beec4c8ccf73e18f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771783
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63807}
We used to have two special cases for named accesses on the global
proxy, one based on seeing the global proxy constant in the graph and
on based on seeing the global proxy map either in the feedback or in
the graph. A change I made a while ago accidentally disabled the second
one. This CL restores that.
Moreover, given how things are set up now (this might have been
different before), the first optimization is subsumed by the second
one, so this CL also removes the first one.
Finally, this CL records an accumulator hint in the case of a load,
which improves precision of the serializer for concurrent inlining.
Tbr: tebbi@chromium.org
Bug: v8:7790
Change-Id: I255afc6c79e5c5c900b3ccfcd8459d836d21e42b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1801954
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63806}
For the last few months Chrome has been seeing many "impossible" crashes
on Intel Gemini Lake, family 6 model 122 stepping 1 CPUs. These crashes
only happen with 64-bit Chrome and only happen in the prologue of two
functions. The crashes come and go across different Chrome versions.
Analysis of most of the crashes shows that the address of the crashing
instruction follows some patterns:
When crashing in GetFieldIndex() the last byte of the address is always
1c, 5c, 9c, or dc.
When crashing in UpdateCaches (fewer unique samples) the last byte of
the address is always 5d or 9d.
The address of the function is 0xc or 0xd bytes earlier so the crashing
functions always start with an address that ends in 10, 50, 90, or d0.
Those addresses are for the crashes on a load of the __security_cookie.
The crashes also occasionally happen on the two instructions that follow
the __security_cookie load in which case the crashing instruction's
address has been seen to end with 23 or a3. This corresponds to a
function start address of 10 or 90.
Since the crash involves reading incorrect instruction bytes when
crossing a 16-byte boundary and since the crash appears to only happen
with particular 16-byte alignments it seems reasonable to force the
function's alignments to a multiple of 32 to see if this reliably
avoids the crashes. This change uses the gcc/clang __attribute__
directive to force 32-byte alignment. I have tested this change enough to
verify that it triggers the desired alignment (with up to 31 "int 3"
instructions added for padding) but since I have never reproduced this
crash I have no way of testing its efficacy.
Bug: chromium:968683, chromium:964273
Change-Id: Ia6e1c6d1e044b84d274817374b25523303e78b51
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803775
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Bruce Dawson <brucedawson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63804}
The first land did not correctly handle exceptions for already evaluated
modules.
Original description:
Implements AsyncModules in SourceTextModule. However, there is no
support in the parser or D8 for actually creating / resolving
AsyncModules. Also adds a flag '--top-level-await,' but the only
external facing change with the flag enabled is that Module::Evaluate
returns a promise.
Bug: v8:9344
Change-Id: I24725816ee4a6c3616c3c8b08a75a60ca9f27727
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1797658
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63803}
This randomizes new memory allocations and reservations. It's currently
used to test far jump tables in wasm better, but might be helpful
generally for testing arbitrary virtual memory layouts.
R=mstarzinger@chromium.org
Bug: v8:9477
Change-Id: Ie60b7c6dd3c4cd0f3b9eb8e2172912e0851c357d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803340
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63802}
This is a reland of 2869d9de0d
Original change's description:
> [turbofan,arm64] Add float loads poisoning.
>
> Also extend load poisoning testing for arm and arm64.
>
> This is a port of I1ef202296744a39054366f2bc424d6952c3bbe9d,
> originally introduced for arm.
>
> Change-Id: I7d317bba6be633dd1e563daa7231d3c5e930f8e4
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1691032
> Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63519}
Change-Id: I8155456f6ad571897f6274a86e58fec6cd66ee7d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1800583
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/master@{#63800}
This CL adds a flag to reduce the initial code space reservation size
(--wasm-max-initial-code-space-reservation), and adds a test which creates at
least four separate code spaces and calls between them.
R=mstarzinger@chromium.org
Bug: v8:9477
Change-Id: I1b4c430266962eb94dbe4b381f46b03c2ec07fc2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1782999
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63797}
Changes the Array(Includes|IndexOf)(Holey|Packed)Doubles builtins to
first check the input array is not empty before attempting to cast it to
a FixedDoubleArray as an empty array of doubles can be backed by a
FixedArray.
Bug: chromium:1004061
Change-Id: I12f302afa9596fb8a5581849662cd67fcc06f92b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1806676
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63794}
Disable a flaky test.
This is a reland of cbf028e8b8
Bug: v8:9714
Change-Id: Ifc136ad80bd7f2a0ae67a15e688a3d08ceed3c44
Cq-Include-Trybots: luci.v8.try:v8_linux_gc_stress_dbg
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1806915
Auto-Submit: Victor Gomes <victorgomes@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@google.com>
Cr-Commit-Position: refs/heads/master@{#63793}
If a new code space is added after functions have already been
compiled, we need to initialize the new jump tables to contain all
these functions.
R=mstarzinger@chromium.org
Bug: v8:9477
Change-Id: Ie960966ec5ad667e0626f86eceb7c2b4da72e5bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803337
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63792}
Ensure that the "padding" (actually needed for crashpad) is allocated
at the beginning of the new code space.
R=ahaas@chromium.org
Bug: v8:9477
Change-Id: I44b9e9feb559788e286fd5c57df90db7cf7f5340
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803650
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63790}
A local build with g++ 8.3.0 failed with two warnings. This CL fixes
them.
The errors were:
1) error: 'char* strncat(char*, const char*, size_t)' output truncated
before terminating nul copying as many bytes from a string as its
length [-Werror=stringop-truncation]
2) error: 'char* strncpy(char*, const char*, size_t)' specified bound
depends on the length of the source argument
[-Werror=stringop-overflow=]
R=petermarshall@chromium.org
Bug: v8:9396
Change-Id: I175a72435becd694e4151a64e538084ec17d8500
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803636
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63788}
The current JSObject type is too specific as it can also be passed proxy
objects.
BUG=chromium:1003919,v8:6949
Change-Id: I2766868543827fc5ee6f99f3b120c7ffe9cfed39
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803651
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63787}
This reimplements the "--time" option of run-tests.py to print the
20 slowest tests, on top of json_test_results infrastructure just
like the bots do it.
Additionally this CL speeds up a bunch of slow tests.
Bug: v8:9396
Change-Id: I40797d2c8c3bfdd310b72f15cd1a035844b7c6f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803635
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63786}
Removed all references to builds [v8_mips_compile_rel,
V8 Mips - builder, V8 Mips - big endian - nosnap] from
configuration files in master branch. Also removed
dead code and unused artifacts that resulted from the
above mentioned changes.
Bug: v8:8858
Change-Id: If9f8d9db433a50997f35219ef4ea9d8a91a1a495
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1798431
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Commit-Queue: Liviu Rau <liviurau@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63785}
All converted except for two calls to PrepareValueForWriteToTypedArray.
Bug: v8:6949, v8:9396
Change-Id: I3c695b8067487bd8845e38cf760519bef1f37f2b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803351
Auto-Submit: Dan Elphick <delphick@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63782}
Port 0a8ddb134c
Original Commit Message:
If the jump is too large for a near jump, we patch the far jump table
instead, and patch the (near) jump table to jump to the far jump table
slot.
Change-Id: Id9f12dee885b369a4946642301720d110dfe4f31
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803641
Auto-Submit: Mu Tao <pamilty@gmail.com>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63781}
This reverts commit 46f9d4008a.
Reason for revert: as planned
Original change's description:
> Reland "[turbofan] Temporarily disable future=>concurrent_inlining"
>
> This is a reland of ce42112243.
> Speculatively relanding, because the failure seems unrelated.
>
> Original change's description:
> > [turbofan] Temporarily disable future=>concurrent_inlining
> >
> > ... in order to reset the benchmarks now that we are actually running
> > in the background.
> >
> > Bug: v8:7790
> > Change-Id: Ifa811fbcc51eccef790e6215d330f8b45c31a492
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1801836
> > Reviewed-by: Georg Neis <neis@chromium.org>
> > Commit-Queue: Georg Neis <neis@chromium.org>
> > Auto-Submit: Maya Lekova <mslekova@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#63741}
>
> Bug: v8:7790
> Change-Id: I49316516b300e6d2754043848d95ac5511fc6015
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1801849
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Auto-Submit: Maya Lekova <mslekova@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63755}
TBR=neis@chromium.org,mslekova@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:7790
Change-Id: Ic31f1bf47c0b00ec497452fd29d8c09a32e14316
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803642
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63779}
- Get rid of a bunch of unnecessary friend classes. This required making
the constructor public
- Remove log_events_ field which is not used
- Use unique_ptr for owned members
- Use make_unique instead of bare constructors
- Use a scoped vector instead of a unique ptr to array for
the dynamically sized array of WasmModules
Bug: v8:9396
Change-Id: Icdca904e7227d2ce2d75caf092f259d47ff15809
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803339
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63776}
Install intrinsic default prototypes for Intl.ListFormat,
Intl.PluralRules, Intl.RelativeTimeFormat, and Intl.Segmenter.
Observable when attempting to construct cross-realm via a
new.target with a non-Object .prototype property.
Bug: v8:9712
Change-Id: I77ae75e5ea1ee8e9a01cf5788b664a5945aa1f7e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1801252
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63774}
Port 213504b9d7
Original Commit Message:
The code fields in a JSRegExp object now either contain irregexp
compiled code or a trampoline to the interpreter. This way the code
can be executed without explicitly checking if the regexp shall be
interpreted or executed natively.
In case of interpreted regexp the generated bytecode is now stored in
its own fields instead of the code fields for Latin1 and UC16
respectively.
The signatures of the jitted irregexp match and the regexp interpreter
have been equalized.
R=pthier@google.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: Ia2a80ce927afa644441c0749add0fc35111eb720
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803657
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#63773}
Convert all but 4 Node*s to TNode and all Variables to TVariable.
In the process this also deletes several unused functions.
Bug: v8:6949, v8:9396
Change-Id: I83db40eefacf8a4a1b155249c5bb8217e6c7da83
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803347
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63770}
Port 0a8ddb134c
Original Commit Message:
If the jump is too large for a near jump, we patch the far jump table
instead, and patch the (near) jump table to jump to the far jump table
slot.
R=clemensh@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: Ic42dfea83799ba6aae1d6d32607391393353815a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1802742
Reviewed-by: Milad Farazmand <miladfar@ca.ibm.com>
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#63769}
By rolling icu to faee8bc which contains the upstream CLDR fix.
Bug: v8:992694
Change-Id: I073d15396fa0e7c5054aa4e0806e5842228955f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1799424
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63768}
