1. Return null if the transition is out of bound.
2. Remove incorrect MAYBE_RETURN which is handled by the IsNothing check.
Bug: v8:11544
Change-Id: Ia54f68831120bd2460cb813464168b1a2c92da3d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893595
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83171}
Instead of having e.g. `string.new_wtf8` that takes an immediate
specifying the particular UTF-8 flavor to parse, make one instruction
per flavor.
See https://github.com/WebAssembly/stringref/pull/46.
Bug: v8:12868
Change-Id: I2e9f2735c557b2352b6e75314037e473710d87a9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892695
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andy Wingo <wingo@igalia.com>
Cr-Commit-Position: refs/heads/main@{#83170}
This also allows allocation folding to be tested in cctests.
Bug: v8:13070
Change-Id: I7b6991461dd7ad4423539b33f59a05d6b247c3e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891257
Auto-Submit: Teo Dutu <teodutu@google.com>
Commit-Queue: Teo Dutu <teodutu@google.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83169}
Double-representation field loads were DCHECKing that the entry in the
descriptor array for a double-representation IC is also double
representation. With in-place map updates, however, the IC may be out of
date, so weaken this DCHECK to take into account in-place updates, and
rely on compilation dependency commit making this lookup safe.
Bug: v8:7700
Change-Id: Iff3c80d396274d14034e010dbe98f5640c9e4495
Fixed: chromium:1358872
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892692
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83166}
ElementAccessFeedback transition groups can contain multiple maps in a
transition group if feedback is polymorphic on elements kind but not
otherwise the map kind. Maglev should treat this case as polymorphic.
Bug: v8:7700
Change-Id: I779299e4cf9d1c3a30e77f7a953d057ea5a69935
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892691
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83165}
For frame inspection (i.e. not deoptimization), no RegisterValues are
available to TranslatedState and thus any register-allocated value is
unavailable.
Stack trace collection require `function` and `receiver` values to be
available and thus stack-allocated. Both are immutable and have fixed
stack slots so this is not a problem; we just lost track of the receiver
inside Maglev when function parameters were wrapped inside exception Phi
nodes.
We solve this for now by special-casing the `receiver` to reuse the
InitialValue node instead of creating a new Phi.
Bug: v8:7700
Change-Id: I4f4de9a643b98e2fcbc7ee7a53688cc97a8d6f1d
Fixed: chromium:1359428
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893856
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83164}
BE machines use a 4 byte bias to spill/fill 32-bit values on
the stack. This is done so because TF always fills 64-bit values
even if the spilled value was 32-bits. To make sure this holds between
LO and TF we have added a 4 byte bias in this CL:
crrev.com/c/2756712
LoadSpillAddress needs to also take this into account and
add a bias if the spilled value was 4 bytes.
Change-Id: Ibd2b2071ce1fb11a9c5884611ae8edd1f17cb0c9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891196
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83163}
GetIterator on object o consists of two steps:
1) iter = load o[#Symbol.Iterator]
2) call iter
For null / undefined step (1) throws an exception, meaning
step (2) is never reached. Up to this change, turbofan
deopts if for either of the two steps there isn't enough
feedback, meaning that we have a deopt loop for null and
undefined.
Change-Id: Ie0eaf8e231a149313e10af9e95fd80bc77dc0beb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890980
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83159}
FillCurrentPage assumed that everything after top is empty, which
doesn't work with MinorMC and sweeping. Revise FillCurrentPage based
SimulateFullSpace for MinorMC.
I similar implementation is provided both in unittests and cctest.
Migrating affected cctest to unittests is left a future work.
Bug: v8:12612
Change-Id: Ie29be2fc7aaee25e1fd5f66b1c0959c2a45f007f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3885888
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83158}
During ExternalPointerTable::Grow, if we cross one of a handful of
predefined utilization thresholds, we now request a (major) GC to free
up entries that are no longer used in the table.
Bug: v8:10391
Change-Id: Id2d262f0f1d4dc37aec1e4978a8be2d223fb2b2b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890971
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83155}
v8_multi_arch_build toggles v8_enable_pointer_compression, but some
other flags are set depending on v8_enable_pointer_compression.
Previously the v8_multi_arch_build condition was resetting some of these
in its branch, but we can make this simpler by moving the pointer
compression toggle earlier, immediately after the default pointer
compression setting.
Change-Id: Ie5f4e73f947b693d4ba2abe4e1cf30009a2bbb2c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890918
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83154}
The way to determine whether a MaybeObject is a strong or weak
reference to the heap object is to check its lowest two bits.
However, if the MaybeObject is known to not be a smi, that is, the
lowest bit is known to be 1, we can check one bit instead. This
allows Turbofan to select better instructions:
x64:
Before:
movl r9,r11
andl r9,0x3
cmpb r9l,0x1
After:
testb r11,0x2
arm64:
Before:
and w8, w7, #0x3
cmp w8, #0x1 (1)
b.ne #+0x320
After:
tbnz w7, #1, #+0x320
Change-Id: I03623183406ad7d920c96a752651e0116a22832e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3861310
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Hao A Xu <hao.a.xu@intel.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83153}
.. Throw|LazyDeopt. Whether a builtin can Throw|LazyDeopt depends
on the implementation, so to be safe all builtin calls should be
marked as such - UNLESS we know for certain that one or the other
doesn't happen.
Drive-by: For calls with two result registers, properly consider
the second register in a few spots.
Bug: v8:7700
Change-Id: Icbcffb51e9760761a2f4e32d79af33abccb8f1cb
Fixed: chromium:1361245
Fixed: chromium:1360800
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879617
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83152}
.. where we sometimes want to inspect Node contents. With this CL, for
a human-readable print in gdb:
print node->Print()
Note: Since we use an adhoc-created graph labeller, the output can't
properly identify input nodes and instead prints them as 'unregistered
node'.
Bug: v8:7700
Change-Id: Icba458ac1a5c43a09b815e12582443aca4e19380
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890914
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83151}
Add a fast path for keyed loads that are:
1. Monomorphic,
2. Fast elements accesses,
3. Not out-of-bounds (deopt on OOB),
4. Not holey
Bug: v8:7700
Change-Id: I4d46f4d0ce7065c93a9b092833fb16a8c9e9f94e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3882974
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83149}
The normative change in
https://github.com/tc39/proposal-resizablearraybuffer/pull/93 changed
the behavior of TypedArray.prototype.subarray(begin, end) such that if
the receiver is a length-tracking TA and end is undefined, the result
TypedArray is also length-tracking.
This change reached consensus in the March 2022 TC39.
Bug: v8:11111
Change-Id: If1a84cc3134f3ce8046196d6cc36683b6996dec0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3888382
Commit-Queue: Marja Hölttä <marja@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83147}
Loop used value lifetimes extension extends the lifetime of anything
used inside of a loop but defined outside of it, to make sure that it is
considered 'live' for the entire body of the loop (this is so that we
don't e.g. clobber their stack slots with stack slot reuse).
The implementation works on the principle that a) basic blocks are
topologically sorted by forward control flow, and b) loops are
irreducible. This means that basic blocks between a loop header and the
jump to that loop header are inside the loop, and nodes whose id
preceeds the loop header's id must be before the loop.
Generator resumes break this irreducibility by jumping into the middle
of loops. This is principally not a problem for the above lifetime
extension, it just means that the loop's used nodes will overapproximate
and include these generator nodes. However, there was an implicit
additional assumption that the node must be loadable by the loop end, to
extend its lifetime. This fails for the generator resume case, because
it's possible that the node didn't make it into any loop merge state,
e.g. because the resume would immediately deopt or return, e.g.
Start
/ \
/ GeneratorResume
| |
v |
.>Loop header |
| | |
| Branch |
| | | |
| | Suspend |
| | |
| | Resume <-'
| | |
| | Return
| v
`--JumpLoop
Here the Resume will get the accumulator from the generator and the
Return will use it, which will be seen as an out-of-loop use of the
generator, but the generator was never reachable from the "real" loop
body.
At the end of the day, since there are no actual uses of the generator
value in the loop body, the lifetime extension does no harm; all that
fails is a DCHECK that the values loop lifetime extension extends are
actually loadable. So, we can relax this DCHECK for this specific
generator edge case, by checking for whether the JumpLoop is reachable
from the generator resume.
Bug: v8:7700
Change-Id: Iec4db2aee5b8812de61c3afb9004c8be3982baa2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890975
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83144}
Allow distinguishing control nodes that do and don't allow continued
execution.
Bug: v8:7700
Change-Id: Ifa13b64821484584929bd62a0d8585aee160c19e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891255
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83143}
v8::String::MakeExternal is currently incorrectly using the shared
isolate of the shared string, which will race when setting VM state. In
general the shared Isolate shouldn't be used for anything, it's an
implementation detail to hold the shared heap space.
Bug: v8:12007, v8:13276
Fixed: v8:13276
Change-Id: I21ec57645ed4740a4c19c51b8fa1e2928a07a0f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3888384
Reviewed-by: Adam Klein <adamk@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83139}
callstats.html creates grouped entries on the fly. Thus we can safely
ignore already added group entries from the input file.
Change-Id: I5a17fc895c4d36bfd7b79fcdb6d4644498998f86
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890977
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83135}
GetNamedPropertyFromSuper needs both the receiver and the
lookup_start_object (the home object prototype), as it does lookups on
the latter but calls accessors with the former as the receiver.
Bug: v8:7700
Change-Id: Ib8b930d06eb8bed090ad1839a05514f0dffc321f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891253
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83134}
A call to cancel_join_thread() is removed as it is suspected to leave
the done_queue with garbled data on process join.
Bug: v8:13113
Change-Id: I85a736cee98d1c2a315efdd468cde216ad848c99
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891251
Reviewed-by: Liviu Rau <liviurau@google.com>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83132}
Rolling v8/base/trace_event/common: 640fc6d..521ac34
Rolling v8/build: 24bb610..6180903
Rolling v8/buildtools: 46ab4c3..a7f5ad0
Rolling v8/buildtools/linux64: git_revision:00b741b1568d56cf4e117dcb9f70cd42653b4c78..git_revision:b4851eb2062f76a880c07f7fa0d12913beb6d79e
Rolling v8/buildtools/third_party/libc++/trunk: 85a3363..60f9078
Rolling v8/buildtools/third_party/libc++abi/trunk: 6285577..5c3e02e
Rolling v8/buildtools/third_party/libunwind/trunk: 42aa6de..60a480e
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/7ee0711..861067d
Rolling v8/third_party/depot_tools: a089281..2d25dbd
Rolling v8/third_party/fuchsia-sdk/sdk: version:9.20220902.1.1..version:9.20220912.0.1
Rolling v8/third_party/zlib: 9f4113d..05e137d
Rolling v8/tools/clang: 0a22859..2a5ebae
Rolling v8/tools/luci-go: git_revision:3226112a79a7c2de84c3186191e24dd61680a77d..git_revision:c93fd3c5ebdc3999eea86a7623dbd1ed4b40bc78
Rolling v8/tools/luci-go: git_revision:3226112a79a7c2de84c3186191e24dd61680a77d..git_revision:c93fd3c5ebdc3999eea86a7623dbd1ed4b40bc78
R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com
Change-Id: Ife89abccaa2696ade97bb5640010c4f5bdc7009c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891191
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#83131}
This is a reland of commit 49c5967830
The non-deterministic snapshot issue has been fixed by using the correct
field size for CodeDataContainers in serializer.cc.
Original change's description:
> [sandbox] Fold V8_SANDBOXED_EXTERNAL_POINTERS into V8_ENABLE_SANDBOX
>
> Now that all external pointers have been sandboxed,
> V8_SANDBOXED_EXTERNAL_POINTERS is no longer needed. This change also
> shrinks external pointer slots to 32 bits when the sandbox is enabled.
>
> Bug: v8:10391
> Change-Id: Iccbef27ac107b988cb23fe9ef66da6fe0bae087a
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869269
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83083}
Bug: v8:10391
Change-Id: I29870404406902d99ba6016c570cc0c4d05c6c85
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3887899
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83130}
Exception handlers were allowing register state to leak through, which
had knock-on effects of Phi allocation inserting gap moves in an illegal
location (specifically, at the end of the block, thinking that it's
allocating a control node since it's not allocating a body node).
Fix the register leak by clearing register state, and add some invariant
guards in the areas where the failure appeared.
Bug: v8:7700
Change-Id: I15c1fba1a250e295f0147a4e51a6c8c5481e8c7e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890989
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83129}
Make the flush-baseline-code tests use --no-maglev in addition to
--no-turbofan.
Bug: v8:7700
Change-Id: I12145735e7a88f156d30e15621a9fe12e18abecf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890990
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83127}
During verification all LABs are iterable. For PagedNewSpace we can
therefore use the property that all new space pages are iterable.
Bug: v8:12612
Change-Id: I71ec079fde3c0b719ccf91b431b0b29a8a9c5a2e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3888019
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83126}
Not passing null object but passing undefined while calling
ToTemporalDate()
Bug: v8:11544
Change-Id: I9376c32f306b000980d37bf233ffef3e83baf706
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3885352
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83124}
