This reverts commit abd0adf106.
Reason for revert: Test times out on Win64
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Win64%20-%20msvc/23024/overview
Original change's description:
> [compiler] Make ReduceWord32EqualForConstantRhs work for Word64Equal
>
> Adds reduction case in MachineOperatorReducer for when the left-hand side of a
> Word64Equals is based on a 64-bit shift-and-mask operation, as is the case
> when Torque accesses 64-bit bitfields.
>
> This improves Speedometer2 by 0.15% on a Neoverse-N1 machine, with
> React-Redux being improved by 0.4%.
>
> Change-Id: Icd0451c00c1b25f7d370e81bddcfd668a5b2523c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3834027
> Commit-Queue: George Wort <george.wort@arm.com>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82593}
Change-Id: I26515348a3d8de58445ecddc0486d9fcc2711cec
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3839048
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Owners-Override: Shu-yu Guo <syg@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82603}
Currently there is nothing ensuring the internal VM state of shared
objects are in a coherent state and visible to other threads when the
shared object is published.
This CL adds a store-store memory barrier when returning from Factory methods that allocate shared JSObjects that are exposed to user JS code. For primitives, there is an additional store-store memory barrier in the shared value barrier.
Bug: v8:12547
Change-Id: I4833c7ebf02cc352da9b006d2732669d6d043172
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_isolates_rel_ng,v8_linux64_tsan_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3819041
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82596}
Adds reduction case in MachineOperatorReducer for when the left-hand side of a
Word64Equals is based on a 64-bit shift-and-mask operation, as is the case
when Torque accesses 64-bit bitfields.
This improves Speedometer2 by 0.15% on a Neoverse-N1 machine, with
React-Redux being improved by 0.4%.
Change-Id: Icd0451c00c1b25f7d370e81bddcfd668a5b2523c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3834027
Commit-Queue: George Wort <george.wort@arm.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82593}
NormalPageMemoryRegion is a span of 10 pages, all of which must belong
to the same space. This requirement imposes a fragmentation issue for virtual space, which is not ideal for the current 2GB cage
configuration.
The CL fixes this by mixing pages of different spaces inside the same
NormalPageMemoryRegion. With cage it's actually not necessary anymore
to have NormalPageMemoryRegion, but we keep it to allow the code to be
uniform for cage/non-cage configurations.
There is no type confusion across spaces, since pages (even empty) are
never shared between spaces. In addition, the shared cage puts an
additional memory constraint on the GC. So, there is no security benefit
in having NormalPageMemoryRegion assigned to a single space.
Savings in reserved address space:
cnn:2021: 14%
facebook_infinite_scroll:2018: 23%
Bug: chromium:1325007, chromium:1352649
Change-Id: I7b49032d581dd56feb8633734a1f37803e9526c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3840749
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82584}
This CL removes the COMPLETE state from incremental marking. Since
then the only states left were STOPPED and MARKING, we can replace
the state with an is_running_ boolean field.
The state could change back-and-forth between MARKING and COMPLETE.
IsMarking() was already also checking for COMPLETE. So most code
already treated both states the same. IsComplete() now checks whether
marking is running and a transitive closure was reached already.
IncrementalMarking::Step() didn't process the marking queue when in
COMPLETE. This should be relatively rare though since it only
transitioned into COMPLETE when the stack guard was armed and the
allocation observer ran again before reaching a stack guard check.
Bug: v8:12775
Change-Id: Ied48d8c512ad3d1b3d2e29393d43b434b5fda8fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3835689
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82581}
Add a version of BalanceDuration which take two TimeDurationRecord
and add them internally after converting to BigInt as nanoseconds so it will not overflow the double.
Use "std::isinf()" instead of "!std::isfinite()"
Inspired by https://github.com/tc39/proposal-temporal/issues/2380#issuecomment-1219194995
Bug: v8:11544
Change-Id: I29e06fa857ff43f2668e1e4ffd07735ff6efee42
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3837852
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82576}
This is a reland of commit 872b7faa32
Original change's description:
> Fix Context PromiseHook behaviour with debugger enabled
>
> This is a solution for https://github.com/nodejs/node/issues/43148.
>
> Due to differences in behaviour between code with and without the debugger enabled, some promise lifecycle events were being missed and some extra ones were being added. This change resolves this and verifies the event sequence is consistent between code with and without the debugger.
>
> Change-Id: I3dabf1dceb14233226b1752083d659f1c2f97966
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3779922
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82132}
Change-Id: Ifdd407261c793887fbd012d5a04ba36b3744c349
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3805979
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82575}
Reference instruction lowerings are in the corresponding issue:
https://github.com/WebAssembly/relaxed-simd/issues/40
Lowers directly to Pmulhrsw in the macro assembler as we use
DefineSameAsFirst in place of the Movdqa on non-AVX hardware
Bug: v8:12609, v8:12284
Change-Id: I6de45a2d8895637f895d3b0cc68f5dd1f67f77aa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3837853
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82571}
Traced nodes were allocated black, even outside of GCs. Nodes would
always survive one GC, while the objects pointed to could die.
This CL removes black allocation and relies on proper write barriers
(that are anyways in place) to mark the nodes and their objects. This
also means that marked nodes should always point to live objects which
is now verified in the atomic pause.
Bug: v8:13141
Change-Id: Ie5cdc92d8fe5f57865d02b71d3fae9425ae532fa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3820070
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82559}
Also fix eqref/i31ref fromJS() handling to accept unwrapped Smis.
This does not convert HeapNumbers to Smis if they fit.
Bug: v8:7748
Change-Id: Ida70a826f9541b7f3fbe9eecbb2b4fe362b5ef70
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829477
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82558}
Introducing IncrementalMarking::AdvanceForTesting as last bottleneck
for driving incremental marking in addition to AdvanceFromTask
and AdvanceOnAllocation.
Now that we have those 3 bottlenecks, Step() and AdvanceWithDeadline()
can become private methods in IncrementalMarking. We also don't need
the StepResult return value in Step() anymore, which allows us to
remove CombineStepResult.
Bug: v8:12775
Change-Id: I702714439ef7ea4b9abf2156387503d4d00a7a48
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3823131
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82552}
This is a reland of commit ee89a26977
Original change's description:
> [wasm-gc] Add extern.externalize
>
> This adds `extern.externalize(ref null any): ref null extern` to wasm
> which packs wasm objects into JS objects if the js-interop flag is not set.
> This is the counterpart to extern.internalize introduced in
> 50ec8a11f2.
>
> Bug: v8:7748
> Change-Id: I67b8fe6d70b9f526ff6c43b0a4d7861c7ff5dad0
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3825879
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82492}
Bug: v8:7748
Change-Id: Ie13cfd6464006dcadc2a53f2dbf77f76ab185504
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829940
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82551}
When a string is in a local or on the value stack at a breakpoint,
DevTools should be able to show its value.
Bug: v8:12868
Change-Id: I79014d74c8ef7b212469382bdedca85568b3bcc7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3834038
Commit-Queue: Philip Pfaffe <pfaffe@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Philip Pfaffe <pfaffe@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82542}
This is a reland of commit 9cca4e60f1
This CL disables the mjsunit tests as well in single generation mode.
Original change's description:
> [heap] Handle old-to-new slot promotion to shared heap
>
> The GC might promote an in-place internalizable string from new space
> directly into the shared heap. This means that the GC might need to
> create OLD_TO_SHARED slots when updating OLD_TO_NEW slots.
>
> This CL implements this both for minor and full GCs.
>
> Bug: v8:11708
> Change-Id: I6102b9024d1dd5dd602d654b006ea5897ab5baa6
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3804604
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82298}
Bug: v8:11708
Change-Id: I9e96fe7c3f263d4088536d3a15af6d00fa82625e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3828099
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82540}
This allows V8 to be compiled without zlib.
Currently we use zlib for 3 features:
1. Snapshot compression. The cl asserts v8_snapshot_compression
implies v8_use_zlib.
2. Compression of translation arrays (experimental flag). The runtime
flag is only enabled if v8_use_zlib.
3. Snapshot checksums. We fallback to a simple Fletcher algorithm if
v8_use_zlib is false.
Change-Id: If043c3c21bba4d734573d7e1199d3ddf17b84f41
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3833817
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82527}
We should only tier to Sparkplug from Ignition. Previously, the
'!ActiveTierIsSparkplug' condition was correct since only Ignition (and
Sparkplug itself) entered the TieringManager. But now that Maglev is
also present, the condition must be clarified to 'ActiveTierIsIgnition'.
Bug: v8:7700
Change-Id: Ic7ea898facf9ce65407d09cead35e0181e49db31
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3835562
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82519}
- Move InnerPointerToCodeCache to using internal callbacks.
- Refactor internal and external callbacks to use a unified interface.
Bug: v8:13184
Change-Id: If0006d324b0433f5d6bbf00b6d0fc1a2589227bc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3834583
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82515}
Distinguish internalized forwarding indices from external forwarding
indices stored in a strings hash.
Bug: v8:12957
Change-Id: Ic01386a3291ac8d618cf4282aa7112e74e1b9169
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829471
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82513}
Int32MulWithOverflow on arm64 uses a cmp to set flags rather than
the multiply instruction itself, thus we can use a left shift when
the multiplication is by a power of two.
This provides 0.15% for Speedometer2 on a Neoverse-N1 machine,
with React being improved by 0.45%.
Change-Id: Ic8db42ecc7cb14cf1ac7bbbeab0e9d8359104351
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829472
Commit-Queue: George Wort <george.wort@arm.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82499}
This is a reland of commit a19316d9d7
- Revert malloc_usable_size() changes temporarily to land them in
isolation.
- Add cosmetics from https://crrev.com/c/3827876
Original change's description:
> [heap] Rework Worklist base type
>
> Worklist uses a singly-linked list of segments to hold entries.
> Segment size was based on a compile-time constant but already stored
> in the segment itself.
>
> Rework the segments to query `malloc_usable_size()` on allocation and
> adjust the capacity properly. For PartitionAlloc, it turns out that
> there's ~20% more capacity available for the 64-element segments.
>
> This slows down actual allocation of the segments with the upside of
> improving utilization and requiring 20% less segments.
>
> Change-Id: Ib8595c3fb9fb75b02e4022f6c525bb59a2df7ab7
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3826047
> Commit-Queue: Anton Bikineev <bikineev@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Anton Bikineev <bikineev@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82432}
Change-Id: Ic8c5257cfe3c347b11eea5c513ca7f62e09f637f
Bug: v8:13193
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829475
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82493}
This adds `extern.externalize(ref null any): ref null extern` to wasm
which packs wasm objects into JS objects if the js-interop flag is not set.
This is the counterpart to extern.internalize introduced in
50ec8a11f2.
Bug: v8:7748
Change-Id: I67b8fe6d70b9f526ff6c43b0a4d7861c7ff5dad0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3825879
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82492}
This CL fixes a CHECK that checks the wrong thing. Specifically when
we `Advance` the debug::PropertyIterator it can throw an exception.
We have a CHECK that verifies that a corresponding v8::TryCatch catches
the exception when the return value indicates this. Unfortunately, the
CHECK was looking at the wrong v8::TryCatch scope.
R=jarin@chromium.org
Bug: chromium:1353051
Change-Id: Ic52e4efd44b89f8e4d1f6acace234c6065e081cb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829543
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82489}
Consider the function:
function foo() {
debugger;
let y = 1;
}
V8 will elide the hole initialization for 'y'. When we pause at the
debugger statement, then 'y' evaluates to 'undefined'.
This CL fixes this in the ScopeIterator. When we encounter local
variables with an `undefined` value we check the static scope
information if we are stopped *before* the variable's initializer.
If yes, then we are in the variable's TDZ and report
"value unavailable".
Drive-by: Mark `GetSourcePosition()` as `const` to make it available
in the visitor method.
R=bmeurer@chromium.org
Bug: chromium:1328681
Change-Id: I8b966eaa2af64a35a58095a744440851760921a0
Fixed: chromium:1303493
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829539
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82483}
When freezing flags, not only remember this in a global variable, but
also actually memory-protect the memory that holds the flag values.
R=cbruni@chromium.org
CC=sroettger@chromium.org
Bug: v8:12887
Cq-Include-Trybots: luci.v8.try:v8_linux_blink_rel
Change-Id: I2ae638790d1f08f4bcc1b7e6cb5970e4e7463aad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3811286
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82478}
TotalDurationNanoseconds previously return a double to represent the
total duration nanoseconds, but the value could be easily bigger than
the precise value a double can represent. A double can precisely
represent integer to 2^53, which is only about 104 days if that value
is nanoseconds. So we need to change the return type to BigInt.
Refactor BalanceDuration to merge common code.
Change JSTemporalDuration::Compare to use the BigInt version of
TotalDurationNanoseconds
Change the call site of TotalDurationNanoseconds in RoundDuration
Add newly defined BalancePossiblyInfiniteDuration and change
BalanceDuration to call it.
Spec text:
https://tc39.es/proposal-temporal/#sec-temporal-balancepossiblyinfinitedurationhttps://tc39.es/proposal-temporal/#sec-temporal-balancedurationhttps://tc39.es/proposal-temporal/#sec-temporal-totaldurationnanoseconds
Split from changes in cl/3750098
Bug: v8:11544
Change-Id: Ia4ca8f9bdba49c3a5e54edeef0d2a5833b0002a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3824658
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82475}
Make sure there is no background GC when setting flags.
Bug: v8:12612, v8:13185
Change-Id: I0a2d4796abe265defa00d86f826003eb048e5bf1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829482
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82474}
This CL builds upon https://crrev.com/c/3284887 (and partly reverts it).
Class literals are a bit iffy when it comes to source position and
debugging. Mainly the debugger assumes the following invariant:
When we are paused inside a class scope, then we expect the class's
BlockContext to be pushed already. On the other hand, when we are
paused outside a class scope in a function, we don't expect to find
the class's BlockContext.
The problem is that there are cases where we can either pause
"inside" or "outside" the class scope. E.g.:
* `var x = class {};` will break on `class` which is inside
the class scope, so we expect the BlockContext to be pushed
* `new class x {};` will break on `new` which is outside the
class scope, so we expect the BlockContext to not be pushed
yet.
The issue with the fix in https://crrev.com/c/3284887 is that it
adjusted the break position for the bytecode of class literals to
ALWAYS be after the BlockContext is pushed. This breaks the
second example above. We need to tighten the fix a bit and only
defer the break position if the "current source position" is
inside the class's scope. This way we always guarantee that the
BlockContext is pushed or not, depending if the source position
that corresponds to the break position is inside or outside the
class's scope.
Note 1: The CL updates a lot of the bytecode expectations. This
is because the class literals are often the first statement in
the snippet so we don't need to defer the break position.
Note 2: We add a mirrored debugger test to the inspector test so
the fuzzer can have some more fun.
Fixed: chromim:1350842
Change-Id: I9b5a409f77be80db674217a685a3fc9f8a0a71cf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3827871
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82473}
Bug: v8:12781
Change-Id: I759024fb18ee596ecb678e5b70c95235ea91e520
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3827126
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82464}
This is a reland of commit cf765fc348
Original change's description:
> [Temporal] Use double instead of int32_t for input of BalanceTime
>
> To avoid overflow int32_t in the math of balancing time.
>
> Bug: v8:13182, v8:11544
> Change-Id: Ib76cf95bbd4f9b47efd6921a67b09d3024e72b13
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3827310
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Frank Tang <ftang@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82409}
Bug: v8:13182, v8:11544
Change-Id: I7550b3a7186beed0e32e95a41cae87030d0c5a7c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3827671
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82445}
to get rid of the pattern
```
EnsureHash();
uint32_t field = raw_hash_field();
```
which requires an additional load and might be misleading in the
presence of forwarding indices for shared strings, as raw_hash_field()
can return a forwarding index, whereas EnsureRawHash() will always
return a computed hash value.
Bug: v8:12957
Change-Id: I33426fef433f774fb323d4381e784c1037fb6fbb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829469
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82441}
This reverts commit a19316d9d7.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20UBSan/22670/overview
Original change's description:
> [heap] Rework Worklist base type
>
> Worklist uses a singly-linked list of segments to hold entries.
> Segment size was based on a compile-time constant but already stored
> in the segment itself.
>
> Rework the segments to query `malloc_usable_size()` on allocation and
> adjust the capacity properly. For PartitionAlloc, it turns out that
> there's ~20% more capacity available for the 64-element segments.
>
> This slows down actual allocation of the segments with the upside of
> improving utilization and requiring 20% less segments.
>
> Change-Id: Ib8595c3fb9fb75b02e4022f6c525bb59a2df7ab7
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3826047
> Commit-Queue: Anton Bikineev <bikineev@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Anton Bikineev <bikineev@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82432}
Change-Id: I14994e11ff5ffaba70b93d977d40dd2f6e9e5d35
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829474
Owners-Override: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82438}
The existing version for paged spaces simply reset the freelist, which
doesn't work for tests that require actual objects in the space.
The version for new space also doesn't work because it assumes
everything after top is free space.
Fill the space with FixedArray by iterating over the freelist and
creating an object in place of each freelist entry.
This method actually fills the space, so that we can also use it to
force page promotion.
Bug: v8:12612
Change-Id: Ie0d73e846bbf688ea52030be29e0587b2f37ed4e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3823135
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82437}
Worklist uses a singly-linked list of segments to hold entries.
Segment size was based on a compile-time constant but already stored
in the segment itself.
Rework the segments to query `malloc_usable_size()` on allocation and
adjust the capacity properly. For PartitionAlloc, it turns out that
there's ~20% more capacity available for the 64-element segments.
This slows down actual allocation of the segments with the upside of
improving utilization and requiring 20% less segments.
Change-Id: Ib8595c3fb9fb75b02e4022f6c525bb59a2df7ab7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3826047
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82432}
This adds `extern.internalize(ref null extern): ref null any` to wasm
which unpacks the wrapped wasm object if the js-interop flag is not set.
I31 values are still wrapped in object wrappers and don't use SMIs.
Bug: v8:7748
Change-Id: Ie4a4507961d0ad41caf430054a3d341f474b8e66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3819645
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82426}
This has been broken even prior to the any <-> extern split.
The code decided to use the generic wrapper for type any even though
the generic wrapper doesn't support wrapping the return value of functions
and unwrapping arguments passed to it.
Bug: v8:7748
Change-Id: I9dbb893cc4bc4f2bb789b3b3a9addd0208d526ae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3826056
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82424}
Bug: v8:13181
Change-Id: I8eaa84ffc408225ee28dca17607b940fd3f34977
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3826068
Commit-Queue: Adam Klein <adamk@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82414}
This reverts commit cf765fc348.
Reason for revert: fixes more tests than expected in test262:
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20shared/49412/overview
Original change's description:
> [Temporal] Use double instead of int32_t for input of BalanceTime
>
> To avoid overflow int32_t in the math of balancing time.
>
> Bug: v8:13182, v8:11544
> Change-Id: Ib76cf95bbd4f9b47efd6921a67b09d3024e72b13
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3827310
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Frank Tang <ftang@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82409}
Bug: v8:13182, v8:11544
Change-Id: Id7dd491b4485d13b0e2cc6aae8603479c7949ce8
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3827670
Auto-Submit: Adam Klein <adamk@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82413}
To avoid overflow int32_t in the math of balancing time.
Bug: v8:13182, v8:11544
Change-Id: Ib76cf95bbd4f9b47efd6921a67b09d3024e72b13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3827310
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82409}
Remove the unnecessary int64_t version of RoundNumberToIncrement
and remove the unneeded RoundHalfAwayFromZero. Change the type of the
increment to double from int64_t.
split from cl/3750098
Bug: v8:11544
Change-Id: I591486c472e9c1343306ff9a1d0384d06fe01835
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3824194
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82403}
So far, we decoded instructions with the 0xFB prefix as two-byte, i.e.
a single "u8" byte following the prefix.
This patch changes that to 0xFB + LEB, which is how all prefixed
instructions are supposed to do it. Currently this makes a difference
only for the stringref proposal (instructions 0x80 through 0xb3).
It has the unfortunate consequence that all stringref instructions need
three bytes for now. We expect them to go back to a two-byte encoding
scheme (while remaining LEB compliant) when their final encoding is
decided.
Bug: v8:12868
Change-Id: I603f60adae88e9b985cb65288d9eeb7f98da8138
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3825887
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82400}
This is a reland of commit 9d36b2dd0d.
The test case is fixed to actually protect a part of the data section
instead of the stack (which was unintended and could lead to segfaults).
Original change's description:
> [base] Add new API to protect data memory
>
> This adds a new {base::OS::SetDataReadOnly} method, which is similar to
> {SetPermissions(kRead)}, but using another system call on Windows such
> that it works on pages in the data segment.
> {VirtualAlloc} will fail if called on a page of the data section,
> whereas {VirtualProtect} succeeds. For the general {SetPermissions}
> API we still want to use {VirtualAlloc} though, as it also changes the "committed" state of the pages.
>
> Note that we do not add a platform API for this, as the memory was
> never allocated through the platform. We just directly protect it in
> V8.
>
> R=mlippautz@chromium.org
>
> Bug: v8:12887
> Change-Id: If83bf6e5c500cc5cf08c76d04dfac5e2b4d35a2d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3820482
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82349}
Bug: v8:12887
Change-Id: Ib7c24b43b53d568dafb4a56cf8db7479c784e8d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3825889
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82398}
... in compiler and other components.
Bug: v8:11880
Change-Id: I3a51c33499e7c7169f171c4be0600d7822dafc27
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3825883
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82391}
This CL removes the bailout when trying to collect the scope info
for the class member initializer function. While this might not have
worked previously, now we only need to tweak the scope search
slightly to fix this. Class member initializer functions never
have their own context but instead us the class context. That means
that most of the logic in debug-scopes.cc doesn't really matter and we
only need to initialize the ScopeIterator properly with the class
context and the member initializer JSFunction.
Note that this still does not fully fix bug 1350842. That is because
we still run into a DCHECk when paused at a `new class { ... }`
statement. We'll fix that in a separate CL.
R=bmeurer@chromium.org
Bug: chromium:1350842
Change-Id: Id128b10676a5aa8a77309735e755e485f2c14446
Fixed: chromium:1246889
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3825881
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82387}
This function should properly forward any exceptions it encounters,
instead of silently swallowing them. Being an API function, that
means moving them from "pending" to "scheduled" state.
Fixed: v8:13123
Change-Id: I20b0782fd806e456f14dda84100000c857481d09
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3825880
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82386}
This is a reland of commit 532ca59910
Fix interger overflow when result_location is invalid in
MaglevCompiler::InReturnValues.
Original change's description:
> [maglev] Support LdaModuleVariable and StaModuleVariable
>
> Bug: v8:7700
> Change-Id: I036ac71324e0c1c96a4da4aacdb5a6718726db31
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3821203
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Commit-Queue: 王澳 <wangao.james@bytedance.com>
> Cr-Commit-Position: refs/heads/main@{#82347}
Bug: v8:7700
Change-Id: I24f56691eefd1c6cb695fedd3b5c14264bb17943
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3824942
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82379}
We have a bug report from 2018 that no longer reproduces on ToT.
This CL adds a regression bug regardless to make sure we don't
re-introduce the bug that got fixed as a side-effect.
R=kimanh@chromium.org
Fixed: chromium:1246896
Change-Id: I8f9fdcbf7051b23e03cbbfc572771a410f70ad37
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3822668
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82372}
This is a reland of commit b1020a4345
Changes since revert:
- Fixed global safepoint interrupts in
https://chromium-review.googlesource.com/c/v8/v8/+/3820913
Original change's description:
> Reland "[shared-struct] Add Atomics.Condition"
>
> This is a reland of commit e2066ff6bf
>
> Changes since revert:
> - Rebased against c991852491, which
> uses the external pointer table for the WaiterQueueNode stored
> in the state field when compressing pointers. This relaxes
> the alignment requirement of the state field to be 4-bytes when
> compressing pointers.
> - Moved the state field into the JSSynchronizationPrimitive base
> class, since alignment and padding can now be made simpler.
>
> Original change's description:
> > [shared-struct] Add Atomics.Condition
> >
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3630350
> > Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> > Reviewed-by: Adam Klein <adamk@chromium.org>
>
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3763787
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Bug: v8:12547
Change-Id: Ibc6de74c7853e4ea766ff2c70f92339ba69f2675
Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_rel_ng,v8_linux64_tsan_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3820901
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82368}
This reverts commit 9d36b2dd0d.
Reason for revert: Win64 crashes
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Win64%20-%20debug/43496/overview
Original change's description:
> [base] Add new API to protect data memory
>
> This adds a new {base::OS::SetDataReadOnly} method, which is similar to
> {SetPermissions(kRead)}, but using another system call on Windows such
> that it works on pages in the data segment.
> {VirtualAlloc} will fail if called on a page of the data section,
> whereas {VirtualProtect} succeeds. For the general {SetPermissions}
> API we still want to use {VirtualAlloc} though, as it also changes the "committed" state of the pages.
>
> Note that we do not add a platform API for this, as the memory was
> never allocated through the platform. We just directly protect it in
> V8.
>
> R=mlippautz@chromium.org
>
> Bug: v8:12887
> Change-Id: If83bf6e5c500cc5cf08c76d04dfac5e2b4d35a2d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3820482
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82349}
Bug: v8:12887
Change-Id: I86fffa60d6766dcdaf44f57f18266fec22eb9016
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3824409
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82360}
The zone-allocated objects, the destructor is never called. Such
objects must therefore never contain members that themselves have
non-trivial destructors, e.g. std containers.
Fix occurrences of this antipattern in Maglev.
Bug: v8:7700
Change-Id: I6892cf5203bb6e842397fd4292918b18134f97cc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3822672
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82358}
ML-TF tiering remains very similar to Ignition-TF tiering:
- When the interrupt budget is exhausted, enter the TieringManager
which potentially decides to tier up and sets the appropriate
TieringState on the FeedbackVector.
- The prologue on ML function entry recognizes the TieringState (and
also available cached TF code) and starts compilation and/or jumps
into optimized code.
TODOs:
- ML-to-TF OSR is not yet supported.
- ML code is no longer cached on the FeedbackVector.
- Tracing is rudimentary.
- The generated function-entry prologue is fairly large and must be
either minimized or extracted into a builtin.
- Tiering involving Sparkplug is not entirely robust yet (Sparkplug
code may be installed with unexpected timing).
Bug: v8:7700
Change-Id: I86b0692477f51b9967f318a4093bc874344120b3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3629149
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82351}
This adds a new {base::OS::SetDataReadOnly} method, which is similar to
{SetPermissions(kRead)}, but using another system call on Windows such
that it works on pages in the data segment.
{VirtualAlloc} will fail if called on a page of the data section,
whereas {VirtualProtect} succeeds. For the general {SetPermissions}
API we still want to use {VirtualAlloc} though, as it also changes the "committed" state of the pages.
Note that we do not add a platform API for this, as the memory was
never allocated through the platform. We just directly protect it in
V8.
R=mlippautz@chromium.org
Bug: v8:12887
Change-Id: If83bf6e5c500cc5cf08c76d04dfac5e2b4d35a2d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3820482
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82349}
This is a reland of commit 6953b5550e
The reland fixes tests that retrieved the stack start from a
non-inlined frame's fp. This does not work in certain configurations
as the resulting marker is too low to consider the first local
variables in subsequent calls.
The fix uses an inline frame address for the tests to get an upper
bound of stack addresses to consider.
Original change's description:
> [handles] Remove precise on-stack representation of global handles
>
> Since https://crrev.com/c/3806439 on-stack traced handles are marked
> conservatively when being used in combination with CppHeap.
>
> This change removes the precise on-stack representation of the
> internal traced nodes as they nodes would anyways be marked
> conservatively. The effects are:
> - cheaper representation (just a single node space);
> - uniform handling: no checks to distinguish on-stack vs on-heap;
> - no brittleness around cleaning on-stack handles when the event loop
> is empty;
>
> Change-Id: Id859623bfed77a66bdd064ea8065536264515eae
> Bug: v8:13141
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3812039
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82306}
Bug: v8:13141
Change-Id: I53ece36220e99d02be6df18f83c18450e5d5037b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3820585
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82342}
Growing Wasm memory is allowed to fail nondeterministically.
I checked locally that this is indeed what is making this test fail in
--verify-predictable mode.
R=jkummerow@chromium.org
Bug: v8:13167
Change-Id: I91d21c91481ac692a9f6000be45d43d517e76cd4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3822684
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82341}
This CL adds a small inspector test to verify that Runtime.evaluate
with silent on/off can be interleaved while replMode is true for all
evaluations.
This is to check that the interaction between console and live
expressions works as expected when the user enables
"Pause on exceptions".
R=bmeurer@chromium.org
Bug: chromium:1335439
Change-Id: Iebd3f9f207312dc6dcd3d0b9a8483ef09608528f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3822685
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82337}
... which affect how builtin calls are generated.
This CL replaces the following boolean options
- builtin_calls_as_table_load,
- inline_offheap_trampolines,
- short_builtin_calls,
- use_pc_relative_calls_and_jumps,
with an enum BuiltinCallJumpMode and a boolean option
use_pc_relative_calls_and_jumps_for_mksnapshot.
Bug: v8:11880, v8:11527
Change-Id: Ia842b1d126c99dbe83e5b4f6118dcd44082ed168
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3820063
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82330}
This CL includes:
1) Using 1 full GC instead of 2 young GCs to force object promotion.
2) A couple of needed bailouts.
3) Using manual evacuation candidates in old space to ensure an object
is evacuted (moved to a different address) instead of relying on
Scavenger.
And some other minor tweaks
Bug: v8:12612
Change-Id: Idfd925ccdf30215998ab6e7cc632ce750fa2077a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816661
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82327}
{memory-protection-unittest} assumes that code objects exist after
compilation. This is not true with lazy compilation. Therefore this
CL disables lazy compilation in the test.
R=clemensb@chromium.org
Bug: v8:12852
Change-Id: I66039319fdfe4354afb32064e3e9105d334f5b07
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3819643
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82325}
This CL tries to improve readability of TryMarkingComplete() by
splitting it up into multiple smaller methods.
It also removes StepResult::kWaitingForFinalization since this was
only used in one test which could easily be rewritten to not need this
value. This makes CombineStepResult() and Step()s return value simpler
to understand.
Bug: v8:12775
Change-Id: I981bc7b736246ab53058d1e61e3c67db0d1130b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816668
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82319}
This pr refactor all usage of v8_str in unittests/ into NewString
method in test-utils.h
Change-Id: I8ffc456851488e8c050d7a38f5459aebfa3f314f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813064
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#82314}
This reverts commit 6953b5550e.
Reason for revert: Failing on CI: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20full%20debug/22876/overview
Original change's description:
> [handles] Remove precise on-stack representation of global handles
>
> Since https://crrev.com/c/3806439 on-stack traced handles are marked
> conservatively when being used in combination with CppHeap.
>
> This change removes the precise on-stack representation of the
> internal traced nodes as they nodes would anyways be marked
> conservatively. The effects are:
> - cheaper representation (just a single node space);
> - uniform handling: no checks to distinguish on-stack vs on-heap;
> - no brittleness around cleaning on-stack handles when the event loop
> is empty;
>
> Change-Id: Id859623bfed77a66bdd064ea8065536264515eae
> Bug: v8:13141
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3812039
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82306}
Bug: v8:13141
Change-Id: I5ebb2ed9eeec1394c2dd48504e91f6ff789b0711
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3820584
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82313}
Since https://crrev.com/c/3806439 on-stack traced handles are marked
conservatively when being used in combination with CppHeap.
This change removes the precise on-stack representation of the
internal traced nodes as they nodes would anyways be marked
conservatively. The effects are:
- cheaper representation (just a single node space);
- uniform handling: no checks to distinguish on-stack vs on-heap;
- no brittleness around cleaning on-stack handles when the event loop
is empty;
Change-Id: Id859623bfed77a66bdd064ea8065536264515eae
Bug: v8:13141
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3812039
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82306}
This is a reland of commit 30ee069059
Avoid terminating from another thread in unit tests to make the termination of optimized bigint multiplication deterministic on windows
Original change's description:
> Reland "[TurboFan] Support BigIntMultiply"
>
> This is a reland of commit ccde420538
>
> Added a test case for terminating optimized bigint multiply and attached frame_state to the runtime call to provide deopt information to determine the throw location
>
> Original change's description:
> > [TurboFan] Support BigIntMultiply
> >
> > Bug: v8:9407
> > Change-Id: Iab0a4ca8dd5d83444d1addd6043a5c8e3a8577a7
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3773773
> > Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> > Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> > Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#82140}
>
> Bug: v8:9407
> Change-Id: Ia691d758265148da1de291365d41c7c1d1f98ddd
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3810391
> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82232}
Bug: v8:9407
Change-Id: I7d04897f4e8f260aba31dbad55ce1263406473d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3819621
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82304}
This reverts commit 9cca4e60f1.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20-%20debug%20-%20single%20generation/6185/overview
Original change's description:
> [heap] Handle old-to-new slot promotion to shared heap
>
> The GC might promote an in-place internalizable string from new space
> directly into the shared heap. This means that the GC might need to
> create OLD_TO_SHARED slots when updating OLD_TO_NEW slots.
>
> This CL implements this both for minor and full GCs.
>
> Bug: v8:11708
> Change-Id: I6102b9024d1dd5dd602d654b006ea5897ab5baa6
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3804604
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82298}
Bug: v8:11708
Change-Id: I4cfdcff22552ff92ec85497d58021e83a6e038b0
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3819647
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Owners-Override: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82303}
The GC might promote an in-place internalizable string from new space
directly into the shared heap. This means that the GC might need to
create OLD_TO_SHARED slots when updating OLD_TO_NEW slots.
This CL implements this both for minor and full GCs.
Bug: v8:11708
Change-Id: I6102b9024d1dd5dd602d654b006ea5897ab5baa6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3804604
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82298}
Splitting off cosmetics and unrelated test refactorings from a larger
CL reworking traced global handles.
Bug: v8:13141
Change-Id: I675cdbd4898346ab55b0db65d53e992f2eb95744
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816671
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82295}
StepOrigin is enough to infer the right completion action: Either
finalization by task (for StepOrigin::kTask) or stack guard
(for StepOrigin::kV8).
Only tests with StepOrigin::kV8 were violating this but they also just
pass when enabling the stack guard.
Bug: v8:12775
Change-Id: I5df50198d8e3612ee97142f84bd497820a5cec78
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816664
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82294}
This reverts commit b1020a4345.
Reason for revert: Causes timeout for `condition-workers`: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20debug/40516/overview
Original change's description:
> Reland "[shared-struct] Add Atomics.Condition"
>
> This is a reland of commit e2066ff6bf
>
> Changes since revert:
> - Rebased against c991852491, which
> uses the external pointer table for the WaiterQueueNode stored
> in the state field when compressing pointers. This relaxes
> the alignment requirement of the state field to be 4-bytes when
> compressing pointers.
> - Moved the state field into the JSSynchronizationPrimitive base
> class, since alignment and padding can now be made simpler.
>
> Original change's description:
> > [shared-struct] Add Atomics.Condition
> >
> > Bug: v8:12547
> > Change-Id: Id439aef9cab3348171a23378cdd47ede5f4d7288
> > Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_rel_ng,v8_linux64_tsan_rel_ng
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3630350
> > Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> > Reviewed-by: Adam Klein <adamk@chromium.org>
> > Commit-Queue: Shu-yu Guo <syg@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#81734}
>
> Bug: v8:12547
> Change-Id: I638304c3d5722c64bd04708ed4cf84863cdebb81
> Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_rel_ng,v8_linux64_tsan_rel_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3763787
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82278}
Bug: v8:12547
Change-Id: I27c2aeb131f1b68c2240323189db88d552aa92f9
Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_rel_ng,v8_linux64_tsan_rel_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3817187
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Owners-Override: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82292}
Avoid terminating from another thread in some thread termination
unit tests.
Change-Id: I0f66e49f1f4e7e3d6ec4c614c2cc1afc9fdb0a22
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816663
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82284}
... when setting the prototype of TypedArray constructor.
Setting the __proto__ of TypedArray constructor could change TypedArray's
@@species, thus we need to invalidate the @@species protector.
Bug: v8:13110
Change-Id: Ib3b2c88d1136965c221492ff81a26ae69533b356
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813063
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82282}
This is a reland of commit e2066ff6bf
Changes since revert:
- Rebased against c991852491, which
uses the external pointer table for the WaiterQueueNode stored
in the state field when compressing pointers. This relaxes
the alignment requirement of the state field to be 4-bytes when
compressing pointers.
- Moved the state field into the JSSynchronizationPrimitive base
class, since alignment and padding can now be made simpler.
Original change's description:
> [shared-struct] Add Atomics.Condition
>
> Bug: v8:12547
> Change-Id: Id439aef9cab3348171a23378cdd47ede5f4d7288
> Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_rel_ng,v8_linux64_tsan_rel_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3630350
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81734}
Bug: v8:12547
Change-Id: I638304c3d5722c64bd04708ed4cf84863cdebb81
Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_rel_ng,v8_linux64_tsan_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3763787
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82278}
Use a single SBFX instruction for Word64Sar(ChangeInt32ToInt64(x), imm)
when possible.
Using PGO, this improves Speedometer2 by 0.4% on a Cortex-A55 machine,
and 0.27% on a Neoverse-N1 machine.
Change-Id: I6fea5e473f0f0869f8f6cebd9a4e61bb2fc6e9ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3807586
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Rodolph Perfetta <rodolph.perfetta@arm.com>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82277}
noextern is the abstract null type for the extern type.
Bug: v8:7748
Change-Id: I03ac0daf3051f479e096f3d05f4fa7cbf03968f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3810191
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82276}
nofunc is the abstract null type, the equivalent of none but for the
function type hierarchy.
none and nofunc (and later on noextern) all can only represent a null
value, however their nulls are distinct (as there isn't any subtype
relationship between them).
Bug: v8:7748
Change-Id: Ic5ae502cc21a581ca2e0f5abc46139435d950af9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3805884
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82274}
We should verify the consistency of the objects we produced after deserializing successfully.
Bug: v8:11525
Change-Id: Ieec1aa7112ab6eda0c61a1a9ab78e86ad8352942
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813061
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82272}
The test-gc cctest loads the WasmCode from the NativeModule and then
executes it. With lazy compilation, the WasmCode object first has to get
generated before it can get loaded.
R=jkummerow@chromium.org
Bug: v8:12852
Change-Id: I83a8a2433ac5d11690c82f07e4ae01ddc979821c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3809811
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82271}
...in Runtime_StringToArray.
When a string is sliced from an externalized two-byte string that has
only one-byte chars, String::IsFlat() and
should not call ToOneByteVector() on it and instead we should use
String: :IsOneByteRepresentation() can both be true, while
FlatContent: :IsOneByte() returns false. In this case we
String: :Get() to get the individual characters.
Bug: chromium:1350270
Change-Id: I735408602072279f09b32e1997c97b2900942bdd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813070
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#82268}
This change removes the subtyping between funcref and anyref.
Currently, nullref (ref null none) is still a subtype of funcref and externref.
This has to be adapted in a follow-up change introducing nullexternref
(ref null noextern) and nullfuncref (ref null nofunc).
Bug: v8:7748
Change-Id: I77a1b3fef387faf710f7bf7bf9d4655fb600ffdc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3804253
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82267}
Add a --deopt-to-baseline flag, on by default, which allows returning to
sparkplug code when deoptimizing.
However when we turn this off, no longer deoptimizing to baseline code
means we can omit marking most bytecodes as valid jump targets. Leaving
just OSR and exception handling entry points.
This reduces the baseline code size by ~18% on Arm64.
Bug: v8:13082
Change-Id: I5b5a6679465807d7fe812cb977464167efffa7ab
Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_cfi_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3785006
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/main@{#82266}
... - a code range size agnostic version of InterpreterEntryTrampoline
builtin. The new builtin is fully compatible with the default version
and used as a template for creating interpreter entry trampoline
Code objects when --interpreted-frames-native-stack is enabled.
This CL introduces a new assembler option "position_independent_code"
which affects the way builtin calls are generated.
This mode is enabled only for InterpreterEntryTrampolineForProfiling.
Motivation:
* InterpreterEntryTrampoline uses RelocInfo::CODE_TARGET for calling
other builtins which requires the code range to be small enough to
allow PC-relative jumps/calls between Code objects. This is the
reason why --interpreted-frames-native-stack was not supported on
arm and might not work on arm64 because the code range is bigger
than the max PC-relative distance for call/jump instructions.
The new builtin calls other builtins via builtins entry table which
makes the code fully relocatable and usable for any code range size.
* RelocInfo::CODE_TARGET requires a target code to be materialized
as a Code object which contradicts the Code-less builtins goal.
* The --interpreted-frames-native-stack is rarely used in the wild but
we have to pay the price of deserializing InterpreterEntryTrampoline
builtin as a Code object which consumes address space in the code
range and thus limits the number of V8 isolates that can be created
because of code range exhaustion. Now the pointer compression cage
becomes the limiting factor instead of the code range.
* We can remove complicated logic of Factory::CopyCode() and respective
support on GC side.
Bug: v8:11880, v8:8713, v8:12592
Change-Id: Ib72e28c03496c43db42f6fe46622def12e102f31
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3811287
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82263}
So far there was no support for allocating large objects in the
shared heap.
Bug: v8:11708
Change-Id: Ie4ec8244fee2e75fc0e2265847fe5976da2645ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3811579
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82261}
This allows arm64 to produce an extending load from ChangeInt32ToInt64(Load(x)) more frequently.
Reduces embedded code size by 0.66% for arm64.
This change gives 0.3% for Speedometer on an A55 machine.
Change-Id: Ie27a134cea3dfc8a26b87553f27ca01bf9f00f1a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3803227
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: George Wort <george.wort@arm.com>
Cr-Commit-Position: refs/heads/main@{#82258}
Many messages already do not end in a ".", which makes sense for
embedders that format location and message in one line, like Chrome.
Before:
V8 error: Empty MaybeLocal. (v8::ToLocalChecked).
After:
V8 error: Empty MaybeLocal (v8::ToLocalChecked).
R=mlippautz@chromium.org
Change-Id: Ibfb226c50ae8dce4057cdf0012e58fa1f27faa2a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3811586
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82257}
JSTypedArray needs the base_pointer ByteArray immediately
if it's on heap. JSTypedArray's base_pointer was initialized
to Smi::uninitialized_deserialization_value at first when
deserializing, and if base_pointer was deferred, we will
mistakenly check JSTypedArray not on heap.
Bug: v8:13149
Change-Id: I104c83ff9a2017de1c8071a9e116baa602f6977d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813068
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#82254}
This CL enables Myers algorithm introduced with
https://crrev.com/c/3804860.
Note that Myers finds slightly different diffs in some cases compared
to the current approach so this CL has to rebaseline one test.
R=kimanh@chromium.org
Bug: chromium:1205288
Change-Id: Ife4708a9edf543db938024a5e14c34a589d6a22a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3810244
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82247}
This is a reland of commit ccde420538
Added a test case for terminating optimized bigint multiply and attached frame_state to the runtime call to provide deopt information to determine the throw location
Original change's description:
> [TurboFan] Support BigIntMultiply
>
> Bug: v8:9407
> Change-Id: Iab0a4ca8dd5d83444d1addd6043a5c8e3a8577a7
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3773773
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82140}
Bug: v8:9407
Change-Id: Ia691d758265148da1de291365d41c7c1d1f98ddd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3810391
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82232}
The infrastructure runs everything already in Python3, so this is
mostly a clean-up.
For MB, a python2 holdover was removed and new lint errors were
fixed.
The renames were automated with:
git grep -e "/usr/bin/python$" |
cut -d':' -f1 |
xargs
sed -i 's/#!\/usr\/bin\/python$/#!\/usr\/bin\/python3/1'
and
git grep -e "/usr/bin/env python$" |
cut -d':' -f1 |
xargs
sed -i 's/#!\/usr\/bin\/env python$/#!\/usr\/bin\/env python3/1'
Bug: v8:13148
Change-Id: If4f3c7635e72fa134798d55314ac1aa92ddd01bf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3811499
Reviewed-by: Liviu Rau <liviurau@google.com>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82231}
This CL fixes a crash when we build the scope chain after re-parsing
for Debugger.evaluateOnCallFrame.
The following script causes the crash:
class A {
test(){
debugger;
}
f = (x) => {}
}
let a = new A()
a.test()
The current scope search tries to be smart and descends deeper
into the scope tree based on source position. That is not a sound
approach as V8 doesn't guarantee that sibling scopes don't overlap.
In the above case V8 creates an instance initializer scope where
f is assigned (and the initializer scope is the parent scope for
the arrow function). The problem is that the initializer scope
uses the same source range as the class `A` itself, so when we
look for the scope for `test`, we descend wrongly into the
initializer scope and can't recover.
The solution is to not try and be too smart:
- First, find the closure scope with a straight-up DFS.
- Once we have that, descend from there and try to find the
closest fitting scope around the break position.
R=bmeurer@chromium.org, jarin@chromium.org
Bug: chromium:1348186
Change-Id: Ic5e20c4d12b3d768f76a17367dc0f87bcc73763b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3807594
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82216}
This is a reland of commit 491de34bcc
co-authors: Ji Qiu <qiuji@iscas.ac.cn>
Alvise De Faveri Tron <elvisilde@gmail.com>
Usman Zain <uszain@gmail.com>
Zheng Quan <vitalyankh@gmail.com>
Original change's description:
> [riscv32] Add RISCV32 backend
>
> This very large changeset adds support for RISCV32.
>
> Bug: v8:13025
> Change-Id: Ieacc857131e6620f0fcfd7daa88a0f8d77056aa9
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3736732
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
> Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82053}
Bug: v8:13025
Change-Id: I220fae4b8e2679bdc111724e08817b079b373bd5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3807124
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82198}
v8::TracedReference is supposed to be used from objects allocated on
CppHeap. Such objects can be in construction during garbage
collection, meaning that they are unable to invoke
Trace(v8::TraceReference) as they have not been properly set up.
It is thus necessary to use conservative tracing to find
v8::TracedReference (backed by TracedNode in GlobalHandle) in
in-construction objects.
Change-Id: I5b4ac6e7805ff7ded33f63a405db65ea08d809ad
Bug: v8:13141, chromium:1322114
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3806439
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82188}
Implement the WebAssembly.Function-based API.
With the old API, wrapping an import and export with JS Promise
Integration looked like:
WebAssembly.returnPromiseOnSuspend(<wasm_export>);
WebAssembly.suspendOnReturnedPromise(
new WebAssembly.Function(<sig>, <js_import>));
With the new API:
new WebAssembly.Function(<sig>, <wasm_export>, {promising: 'first'})
new WebAssembly.Function(<sig>, <js_import>, {suspending: 'first'})
For details, see
https://github.com/WebAssembly/js-promise-integration/pull/8/filesR=ahaas@chromium.org
Bug: v8:12191
Change-Id: Iaefaac5304a038fc39283db165b637af7e48b009
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3804669
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82183}
With streaming compilation we delay the generation of errors until after
all bytes are received, so that potentially better error messages get
generated. With this CL we also delay the generation of errors in the
combination of lazy compilation and streaming compilation.
In particular, this CL does the following:
* It avoids the creation of a `DecodeFail` task in
`FinishAsyncCompileJobWithError`, which would create an error immediately before a potential name section arrived.
* It calls `CompilationStateImpl::SetError()` so that an error is
created once the stream finishes.
* It removes the return value of `ProcessFunctionBody` so that wire
bytes continue to be received even after a validation error.
* It adds an early exit to `ProcessFunctionBody` if
`CompilationStateImpl::failed()` is true, so that we don't continue
validation after the first detected error.
R=clemensb@chromium.org
Bug: v8:12852
Change-Id: Ie8c6be243a257ef62cbb29fea6b8e0c205060680
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3802691
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82181}
Async compilation with lazy compilation generated an error message that
did not include the function name. With this CL the function name now
gets included.
R=clemensb@chromium.org
Bug: v8:12852
Change-Id: Ia8aed83a2114a2c9da1367045404b20fa8554c8a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3804863
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82172}
The serialized module contains information for each function whether the
serialized code for the function exists, and whether the function has
been executed before serialization. The latter information is used to
decide if the function should get compiled eagerly after deserialization
(in case the function has been executed before serialization), or if the
function should get compiled lazily because it will probably not be
executed anytime soon.
So far this code only worked for eager compilation. When lazy compilation
was enabled, all functions would get compiled lazily after
deserialization. With this CL the behavior described above is extended to
lazy compilation.
R=clemensb@chromium.org
Bug: v8:12926
Change-Id: Ifd6f400396222105feffa472c2e8787e1358220e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3807583
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82171}
This is a reland of commit a1392fa113
The original change was reverted due to v8:13135, which was fixed
separately.
Original change's description:
> Enable background merging when --stress-background-compile
>
> This change adds new functions to BackgroundCompileTask which closely
> match those in BackgroundDeserializeTask. These functions allow a caller
> to manage background merging of newly compiled content into an existing
> Script from the Isolate compilation cache. These functions are not yet
> exposed via the API; instead, StressBackgroundCompileThread uses them to
> increase test coverage of the merging logic.
>
> Bug: v8:12808
> Change-Id: I4d2f429164223785169fe447ce2bdd8beaee00d4
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3793959
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82121}
Bug: v8:12808
Change-Id: I530c6e87bbad11e178ef4abfdc25fa98530f0224
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3806590
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#82165}
Some tests assume that liftoff code is available immediately after
compilation. Add the `--no-wasm-lazy-compilation` flag to these tests
so that they work even after shipping lazy compilation.
R=clemensb@chromium.org
Bug: v8:12926
Change-Id: I839610221390822b90b25e1bef3ae727fa33d1ca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3804862
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82162}
This reverts commit a1392fa113.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/43149/overview
Original change's description:
> Enable background merging when --stress-background-compile
>
> This change adds new functions to BackgroundCompileTask which closely
> match those in BackgroundDeserializeTask. These functions allow a caller
> to manage background merging of newly compiled content into an existing
> Script from the Isolate compilation cache. These functions are not yet
> exposed via the API; instead, StressBackgroundCompileThread uses them to
> increase test coverage of the merging logic.
>
> Bug: v8:12808
> Change-Id: I4d2f429164223785169fe447ce2bdd8beaee00d4
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3793959
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82121}
Bug: v8:12808
Change-Id: Ibb0bc2adb79e4655b39a8a6ac33d8c8ffc5ebdb9
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3804602
Owners-Override: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82137}
This reverts commit 872b7faa32.
Reason for revert: Somewhat speculative revert because of https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/39673/overview (reverting locally resolved the issue for me)
Original change's description:
> Fix Context PromiseHook behaviour with debugger enabled
>
> This is a solution for https://github.com/nodejs/node/issues/43148.
>
> Due to differences in behaviour between code with and without the debugger enabled, some promise lifecycle events were being missed and some extra ones were being added. This change resolves this and verifies the event sequence is consistent between code with and without the debugger.
>
> Change-Id: I3dabf1dceb14233226b1752083d659f1c2f97966
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3779922
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82132}
Change-Id: I3e05adead5d8033906055e0741854da68aade2ac
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3804859
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Owners-Override: Nico Hartmann <nicohartmann@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82136}
This is a solution for https://github.com/nodejs/node/issues/43148.
Due to differences in behaviour between code with and without the debugger enabled, some promise lifecycle events were being missed and some extra ones were being added. This change resolves this and verifies the event sequence is consistent between code with and without the debugger.
Change-Id: I3dabf1dceb14233226b1752083d659f1c2f97966
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3779922
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82132}
This change adds new functions to BackgroundCompileTask which closely
match those in BackgroundDeserializeTask. These functions allow a caller
to manage background merging of newly compiled content into an existing
Script from the Isolate compilation cache. These functions are not yet
exposed via the API; instead, StressBackgroundCompileThread uses them to
increase test coverage of the merging logic.
Bug: v8:12808
Change-Id: I4d2f429164223785169fe447ce2bdd8beaee00d4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3793959
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82121}
struct.new_default may not be called for immutable structs.
Follow-up to d2c75d321e.
Change-Id: I7b682938ca5da00ef6c9bec29856133301beb6b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3802688
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82108}
Introduce RootVisitor and related class hierarchy to just handle
roots. This avoids the awkard definitions for roots visiation in all
the cases they are not needed.
Change-Id: Ib0912e4bf543db2ecf68caead6929c68d6afdda6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3782794
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82107}
Bump the memory size limit of memory64 memories from 4GB to 16GB. Tests
are added for larger sizes (5GB, 16GB).
Drive-by: Improve two decoder errors to properly include the unit,
tested by the new tests.
R=jkummerow@chromium.org
Bug: v8:10949
Change-Id: I99dfc216b9213838784214c0b65ba863831d5884
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3789507
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82105}
It's difficult to say which structs might in the future have deprecated
fields, so this CL adds tests for two more for now.
Once we add deprecated fields, we then need to define copy/move
constructs and assignment operators via
{ALLOW_COPY_AND_MOVE_WITH_DEPRECATED_FIELDS} (same as for other structs
which are not tested yet).
R=mlippautz@chromium.org
Bug: v8:13092
Change-Id: I89a330661a02d86d3d48e216b69cb6f77f02cff2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3789508
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82098}
This is a reland of commit 07e11a64e4.
The original change removed the fill_thehole_and_call_runtime bailout
in StringBuiltinsAssembler::StringToArray() so when the string
is external and cannot be unpacked, the FixedArray won't be filled
with holes before we call into the runtime, thus failing a
heap verification if a GC happens before the array is filled. This
reland adds back the bailout for this case.
Bug: v8:12718, chromium:1330410
Original change's description:
> [heap] pre-populate the single_character_string_cache
>
> This simplifies the code and removes the runtime overhead of
> spontaneously adding strings to the cache.
>
> Bug: v8:12718
> Change-Id: I2ed49bd82e3baf2563eeb8f463be72c0308c52c5
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3616553
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Joyee Cheung <joyee@igalia.com>
> Cr-Commit-Position: refs/heads/main@{#80803}
Change-Id: I25e8724d511a8d0d971fa2a9b6ba8a0eafce4413
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3793525
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82082}
If we grow memory (out-of-place, so only without trap handling and only
if the maximum is >1GB) and the previous size is close to the maximum,
then the minimum growth we calculate can be bigger than the allowed
maximum. In this situation, the {std::clamp} has undefined behaviour,
since the provided lower limit is bigger then the upper limit.
Thus apply {std::min} and {std::max} in an order such that {max_pages}
has precedence over {min_growth}.
R=thibaudm@chromium.org
Bug: chromium:1348335
Change-Id: I4f9e9ce10a0685892248eaf0e06ffd2e84b9a069
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3793396
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82081}
Due to popular demand.
As a necessary byproduct, this drops our former experimental in-progress
support for accessing struct fields from JS as `.field0` etc. If we need
something similar in the future, we'll have to build a new mechanism for
it that scales to >1020 fields.
Bug: v8:7748
Change-Id: I08b2051bd9f76cf7128f3d4c74910ca891c38130
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3793616
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82079}
Call test functions immediately, and make them print their name before
execution.
R=thibaudm@chromium.org
Change-Id: I2057e2b3c2032c342a86705dbda8992aa54493e5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3793612
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82077}
Table<any> is not allowed any more and may therefore not be generated by
the fuzzer. Instead, the new type is table<externref>.
Bug: chromium:1348437
Change-Id: Ibf788222fc777508e59178db48e6497a18b250d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3793610
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82073}
This is required by the MVP spec. In the future, it might be possible
to pass values for any immutable fields.
Bug: v8:7748
Change-Id: Ie7705b48e9d6ebb87d5e1b0a2a10556302395db6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3793383
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82072}
Currently, we canonicalize types for call_indirect by looking in the
current module for a signature of the same shape. This is not enough
as of wasm-gc. Instead, the canonical identifier representing a type
has to be computed via isorecursive canonicalization.
This change is implemented behind a flag for now.
Future work: Also integrate export wrappers with isorecursive
canonical types. We need to store wrappers in instance-independent
storage.
Drive-by:
- Always emit type check for call_indirect. We did not emit a check
only when typed-function-references was enabled, but not gc. This
is not something that will be possible long-term.
- Fix some wasm cctests.
Bug: v8:7748
Change-Id: I7cced187009ac148c833dff5e720a8bb9a717e68
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3784600
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82064}
This very large changeset adds support for RISCV32.
Bug: v8:13025
Change-Id: Ieacc857131e6620f0fcfd7daa88a0f8d77056aa9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3736732
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82053}
It was delegating to GetDerivedMap but not handling the possible
error coming from it.
Bug: v8:11111,chromium:1347722
Change-Id: I348ed721281d8edd324f0e364d8ed45602cb9f54
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3791063
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Marja Hölttä <marja@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82046}
This is a reland of commit e895b7af73
The unit test has been updated to work correctly when
--stress-incremental-marking is enabled.
Original change's description:
> Background merging of deserialized scripts
>
> Recently, https://crrev.com/c/v8/v8/+/3681880 added new API functions
> with which an embedder could request that V8 merge newly deserialized
> script data into an existing Script from the Isolate's compilation
> cache. This change implements those new functions. This functionality is
> still disabled by default due to the flag
> merge_background_deserialized_script_with_compilation_cache.
>
> The goal of this new functionality is to reduce memory usage when
> multiple frames load the same script with a long delay between (long
> enough for the script to have been evicted from Blink's in-memory cache
> and for the top-level SharedFunctionInfo to be flushed). In that case,
> there are two Script objects for the same script: one which was found in
> the Isolate compilation cache (the "old" script), and one which was
> recently deserialized (the "new" script). The new script's object graph
> is essentially standalone: it may point to internalized strings and
> readonly objects such as the empty feedback metadata, but otherwise
> it is unconnected to the rest of the heap. The merging logic takes any
> useful data from the new script's object graph and attaches it into the
> old script's object graph, so that the new Script object and any other
> duplicated objects can be discarded. More specifically:
>
> 1. If the new Script has a SharedFunctionInfo for a particular function
> literal, and the old Script does not, then the old Script is updated
> to refer to the new SharedFunctionInfo.
> 2. If the new Script has a compiled SharedFunctionInfo for a particular
> function literal, and the old Script has an uncompiled
> SharedFunctionInfo, then the old SharedFunctionInfo is updated to
> point to the function_data and feedback_metadata from the new
> SharedFunctionInfo.
> 3. If any used object from the new object graph points to a
> SharedFunctionInfo, where the old object graph contains a matching
> SharedFunctionInfo for the same function literal, then that pointer
> is updated to point to the old SharedFunctionInfo.
>
> The document at [0] includes diagrams showing an example merge on a very
> small script.
>
> Steps 1 and 2 above are pretty simple, but step 3 requires walking a
> possibly large set of objects, so this new API lets the embedder run
> step 3 from a background thread. Steps 1 and 2 are performed later, on
> the main thread.
>
> The next important question is: in what ways can the old script's object
> graph be modified during the background execution of step 3, or during
> the time after step 3 but before steps 1 and 2?
>
> A. SharedFunctionInfos can go from compiled to uncompiled due to
> flushing. This is okay; the worst outcome is that the function would
> need to be compiled again later. Such a risk is already present,
> since V8 doesn't keep IsCompiledScopes for every compiled function in
> a background-deserialized script.
> B. SharedFunctionInfos can go from uncompiled to compiled due to lazy
> compilation. This is also okay; the merge completion logic on the
> main thread will just keep this lazily compiled data rather than
> inserting compiled data from the newly deserialized object graph.
> C. SharedFunctionInfos can be cleared from the Script's weak array if
> they are no longer referenced. This is mostly okay, because any
> SharedFunctionInfo that is needed by the background merge is strongly
> referenced and therefore can't be cleared. The only problem arises if
> the top-level SharedFunctionInfo gets cleared, so the merge task must
> deliberately keep a reference to that one.
> D. SharedFunctionInfos can be created if they are needed due to lazy
> compilation of a parent function. This change is somewhat troublesome
> because it invalidates the background thread's work and requires a
> re-traversal on the main thread to update any pointers that should
> point to this lazily compiled SharedFunctionInfo.
>
> At a high level, this change implements three previously unimplemented
> functions in BackgroundDeserializeTask (in compiler.cc) and updates one:
>
> - BackgroundDeserializeTask::SourceTextAvailable, run on the main
> thread, checks whether there is a matching Script in the Isolate
> compilation cache which doesn't already have a top-level
> SharedFunctionInfo. If so, it saves that Script in a persistent
> handle.
> - BackgroundDeserializeTask::ShouldMergeWithExistingScript checks
> whether the persistent handle from the first step exists (a fast
> operation which can be called from any thread).
> - BackgroundDeserializeTask::MergeWithExistingScript, run on a
> background thread, performs step 3 of the merge described above and
> generates lists of persistent data describing how the main thread can
> complete the merge.
> - BackgroundDeserializeTask::Finish is updated to perform the merge
> steps 1 and 2 listed above, as well as a possible re-traversal of the
> graph if required due to newly created SharedFunctionInfos in the old
> Script.
>
> The merge logic has nothing to do with deserialization, and indeed I
> hope to reuse it for background compilation tasks as well, so it is all
> contained within a new class BackgroundMergeTask (in compiler.h,cc). It
> uses a second class, ForwardPointersVisitor (in compiler.cc) to perform
> the object visitation that updates pointers to SharedFunctionInfos.
>
> [0] https://docs.google.com/document/d/1UksB5Vm7TT1-f3S9W1dK_rP9jKn_ly0WVm_UDPpWuBw/edit
>
> Bug: v8:12808
> Change-Id: Id405869e9d5b106ca7afd9c4b08cb5813e6852c6
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3739232
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Cr-Commit-Position: refs/heads/main@{#81941}
Bug: v8:12808
Change-Id: Id2036dfa4eba8670cac899773d7a906825fa2c50
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3787266
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#82045}
Memory64 currently does not use trap handling, so we should not allocate
a guard region (10GB total reservation).
This is implemented by adding a {WasmMemoryFlag} enum in the backing
store header, which replaces the previous {MemoryIndexType}. The flag is
not stored with the backing store, as the backing store does not care
about the index type, and we might want to share the same backing store
for memory32 and memory64 (if sizes permit this).
Instead, we (still) store the flag with the WasmMemoryObject and pass it
to the backing store methods.
R=jkummerow@chromium.org
Bug: v8:10949
Change-Id: I284b85b98d181ba5e8d454b24bfa48f6ac201be5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3789506
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82038}
This is a reland of commit 8cb027531c
Original change's description:
> [wasm] Materialize suspender in JS-to-wasm wrapper
>
> Instead of creating the Suspender object in JS and passing it to the
> stack-switching js-to-wasm wrapper, the wrapper now automatically
> creates the Suspender object and forwards it as an extra parameter to
> the wasm function. See:
> https://github.com/WebAssembly/js-promise-integration/pull/1/files
>
> R=ahaas@chromium.org
>
> Bug: v8:12191
> Change-Id: I2badee823f4223a293632f93e7e59f24c49d0820
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3779688
> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81890}
Bug: v8:12191
Change-Id: Iea233e30aa269279d2fe17f5230c87285c33e232
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3780817
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82009}
This CL implements MemoryAllocator::LookupChunkContainingAddress, which
will be used for conservative stack scanning. The method determines
whether an address that may be an inner pointer is contained in some
allocated (normal or large) page. To achieve this, the CL introduces a
page database in the memory allocator.
Bug: v8:12851
Change-Id: I8b719a5f1b6e6b374ccf0666c91c2341c5f9856a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3784986
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82004}
The RTT type can not be used directly in WebAssembly any more and is treated
as a compiler-internal type for the GC MVP.
Bug: v8:7748
Change-Id: I97cb241e6c46446149cc6ae2b1d535b93402fa76
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3787877
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82000}
This is a reland of commit 4e935c7ffb
fix a bug on mac for not return correct memory protection key support.
Please see details in comments.
Original change's description:
> [pku][wasm] Refactor PKU usage in Wasm
>
> RwxMemoryWriteScope becomes the bottleneck for both MAP_JIT and PKU
> machinery.
> Wasm and V8 code space will use the same memory protection key.
>
> This is a next step towards adding PKU support for V8 code space.
>
> Bug: v8:13023
> Change-Id: I647f8c09bc41e5ef8a1d74b58a48a43e08454e0d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3702213
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Wenqin Yang <wenqin.yang@intel.com>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81947}
Bug: v8:13023
Change-Id: I5b5cc81e7c1502229ce0d2a5574ca34dc23d19d9
Cq-Include-Trybots: luci.v8.try:v8_mac_arm64_rel_ng,v8_mac_arm64_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3787320
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Wenqin Yang <wenqin.yang@intel.com>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81994}
Drive-by-fix:
- Rename baseline to sparkplug for consistency
- Add request timeouts for the local symbol server
- Add script to start a local symbol server
- Fix -h/--help support for linux-perf-chrome-renderer-cmd.sh
Change-Id: I4c2fc3595d672871f20fc5c4065ba45e801a1111
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3769699
Auto-Submit: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81992}
After some solid bike shedding, we decided to rename one part of the
API.
R=jarin@chromium.org
Bug: chromium:1334585
Change-Id: Ie967f9f4947b2c328433e4c4a9d748ad15ae7175
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3788095
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81987}
Remove the range check of formatRange, formatRangeToParts on
NumberFormat and selectRange on PluralRules
Bug: v8:10776
Change-Id: Ifede7d61db6414d5b338b22bd188406e5f7d98b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3779041
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81984}
Call Intl function which call ICU TimeZone for the calculation
of timezone other than UTC
Bug: v8:11544
Change-Id: Idc355aaeccc0bed026a7117bb366ee914fa29733
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3783074
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81983}
Handle the case where getting a value in the iterable object that
encodes the values throws an exception.
R=ahaas@chromium.org
Bug: chromium:1347073
Change-Id: Ie660ab04148d5fd3508397ae6e08130496f61b74
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3788097
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81974}
The implicit copy constructor triggers a deprecation warning if the
struct contains a deprecated field. We can fix this by explicitly
declaring the copy and move constructors and assignment operators
with the deprecation warning disabled.
This CL also adds a test to check that we can indeed call the
constructors and assignment operators, which did not work before.
R=leszeks@chromium.org
Bug: v8:13092
Change-Id: Ia63ff9375de13fc6e5b5a8d59d827a742c99fb39
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3785145
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81962}
This CL refactors the mechanism for testing the implementation of inner
pointer resolution using the marking bitmap. It allows for more than one
page, where objects can be allocated. It also keeps a list of allocated
objects that are automatically tested.
Bug: v8:12851
Change-Id: I470dc1154aca1ebc3d8526872717747829f83396
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3784605
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81952}
The intial version of the API was replaced with a more ergonomic one
recently.
We can also safely remove the test as the new API guarantees that
tasks are always finished and cancelled.
Bug: chromium:1334585
Change-Id: I9ff8b92fcd73ef821c86de52c40a1d04b15ea918
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3780539
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81950}
This reverts commit 4e935c7ffb.
Reason for revert: Breaking on mac arm64: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Mac%20-%20arm64%20-%20release/10926/overview
Original change's description:
> [pku][wasm] Refactor PKU usage in Wasm
>
> RwxMemoryWriteScope becomes the bottleneck for both MAP_JIT and PKU
> machinery.
> Wasm and V8 code space will use the same memory protection key.
>
> This is a next step towards adding PKU support for V8 code space.
>
> Bug: v8:13023
> Change-Id: I647f8c09bc41e5ef8a1d74b58a48a43e08454e0d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3702213
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Wenqin Yang <wenqin.yang@intel.com>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81947}
Bug: v8:13023
Change-Id: I11c52ac101804ab75b1bb1d4814f083cb1083d5b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3780498
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#81949}
RwxMemoryWriteScope becomes the bottleneck for both MAP_JIT and PKU
machinery.
Wasm and V8 code space will use the same memory protection key.
This is a next step towards adding PKU support for V8 code space.
Bug: v8:13023
Change-Id: I647f8c09bc41e5ef8a1d74b58a48a43e08454e0d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3702213
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Wenqin Yang <wenqin.yang@intel.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81947}
This reverts commit e895b7af73.
Reason for revert: TSAN failures: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20stress-incremental-marking/8468/overview
Original change's description:
> Background merging of deserialized scripts
>
> Recently, https://crrev.com/c/v8/v8/+/3681880 added new API functions
> with which an embedder could request that V8 merge newly deserialized
> script data into an existing Script from the Isolate's compilation
> cache. This change implements those new functions. This functionality is
> still disabled by default due to the flag
> merge_background_deserialized_script_with_compilation_cache.
>
> The goal of this new functionality is to reduce memory usage when
> multiple frames load the same script with a long delay between (long
> enough for the script to have been evicted from Blink's in-memory cache
> and for the top-level SharedFunctionInfo to be flushed). In that case,
> there are two Script objects for the same script: one which was found in
> the Isolate compilation cache (the "old" script), and one which was
> recently deserialized (the "new" script). The new script's object graph
> is essentially standalone: it may point to internalized strings and
> readonly objects such as the empty feedback metadata, but otherwise
> it is unconnected to the rest of the heap. The merging logic takes any
> useful data from the new script's object graph and attaches it into the
> old script's object graph, so that the new Script object and any other
> duplicated objects can be discarded. More specifically:
>
> 1. If the new Script has a SharedFunctionInfo for a particular function
> literal, and the old Script does not, then the old Script is updated
> to refer to the new SharedFunctionInfo.
> 2. If the new Script has a compiled SharedFunctionInfo for a particular
> function literal, and the old Script has an uncompiled
> SharedFunctionInfo, then the old SharedFunctionInfo is updated to
> point to the function_data and feedback_metadata from the new
> SharedFunctionInfo.
> 3. If any used object from the new object graph points to a
> SharedFunctionInfo, where the old object graph contains a matching
> SharedFunctionInfo for the same function literal, then that pointer
> is updated to point to the old SharedFunctionInfo.
>
> The document at [0] includes diagrams showing an example merge on a very
> small script.
>
> Steps 1 and 2 above are pretty simple, but step 3 requires walking a
> possibly large set of objects, so this new API lets the embedder run
> step 3 from a background thread. Steps 1 and 2 are performed later, on
> the main thread.
>
> The next important question is: in what ways can the old script's object
> graph be modified during the background execution of step 3, or during
> the time after step 3 but before steps 1 and 2?
>
> A. SharedFunctionInfos can go from compiled to uncompiled due to
> flushing. This is okay; the worst outcome is that the function would
> need to be compiled again later. Such a risk is already present,
> since V8 doesn't keep IsCompiledScopes for every compiled function in
> a background-deserialized script.
> B. SharedFunctionInfos can go from uncompiled to compiled due to lazy
> compilation. This is also okay; the merge completion logic on the
> main thread will just keep this lazily compiled data rather than
> inserting compiled data from the newly deserialized object graph.
> C. SharedFunctionInfos can be cleared from the Script's weak array if
> they are no longer referenced. This is mostly okay, because any
> SharedFunctionInfo that is needed by the background merge is strongly
> referenced and therefore can't be cleared. The only problem arises if
> the top-level SharedFunctionInfo gets cleared, so the merge task must
> deliberately keep a reference to that one.
> D. SharedFunctionInfos can be created if they are needed due to lazy
> compilation of a parent function. This change is somewhat troublesome
> because it invalidates the background thread's work and requires a
> re-traversal on the main thread to update any pointers that should
> point to this lazily compiled SharedFunctionInfo.
>
> At a high level, this change implements three previously unimplemented
> functions in BackgroundDeserializeTask (in compiler.cc) and updates one:
>
> - BackgroundDeserializeTask::SourceTextAvailable, run on the main
> thread, checks whether there is a matching Script in the Isolate
> compilation cache which doesn't already have a top-level
> SharedFunctionInfo. If so, it saves that Script in a persistent
> handle.
> - BackgroundDeserializeTask::ShouldMergeWithExistingScript checks
> whether the persistent handle from the first step exists (a fast
> operation which can be called from any thread).
> - BackgroundDeserializeTask::MergeWithExistingScript, run on a
> background thread, performs step 3 of the merge described above and
> generates lists of persistent data describing how the main thread can
> complete the merge.
> - BackgroundDeserializeTask::Finish is updated to perform the merge
> steps 1 and 2 listed above, as well as a possible re-traversal of the
> graph if required due to newly created SharedFunctionInfos in the old
> Script.
>
> The merge logic has nothing to do with deserialization, and indeed I
> hope to reuse it for background compilation tasks as well, so it is all
> contained within a new class BackgroundMergeTask (in compiler.h,cc). It
> uses a second class, ForwardPointersVisitor (in compiler.cc) to perform
> the object visitation that updates pointers to SharedFunctionInfos.
>
> [0] https://docs.google.com/document/d/1UksB5Vm7TT1-f3S9W1dK_rP9jKn_ly0WVm_UDPpWuBw/edit
>
> Bug: v8:12808
> Change-Id: Id405869e9d5b106ca7afd9c4b08cb5813e6852c6
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3739232
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Cr-Commit-Position: refs/heads/main@{#81941}
Bug: v8:12808
Change-Id: I82a080e6287828445293cb6b4b94a5e8f15eb8f3
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3787213
Auto-Submit: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Deepti Gandluri <gdeepti@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#81943}
Recently, https://crrev.com/c/v8/v8/+/3681880 added new API functions
with which an embedder could request that V8 merge newly deserialized
script data into an existing Script from the Isolate's compilation
cache. This change implements those new functions. This functionality is
still disabled by default due to the flag
merge_background_deserialized_script_with_compilation_cache.
The goal of this new functionality is to reduce memory usage when
multiple frames load the same script with a long delay between (long
enough for the script to have been evicted from Blink's in-memory cache
and for the top-level SharedFunctionInfo to be flushed). In that case,
there are two Script objects for the same script: one which was found in
the Isolate compilation cache (the "old" script), and one which was
recently deserialized (the "new" script). The new script's object graph
is essentially standalone: it may point to internalized strings and
readonly objects such as the empty feedback metadata, but otherwise
it is unconnected to the rest of the heap. The merging logic takes any
useful data from the new script's object graph and attaches it into the
old script's object graph, so that the new Script object and any other
duplicated objects can be discarded. More specifically:
1. If the new Script has a SharedFunctionInfo for a particular function
literal, and the old Script does not, then the old Script is updated
to refer to the new SharedFunctionInfo.
2. If the new Script has a compiled SharedFunctionInfo for a particular
function literal, and the old Script has an uncompiled
SharedFunctionInfo, then the old SharedFunctionInfo is updated to
point to the function_data and feedback_metadata from the new
SharedFunctionInfo.
3. If any used object from the new object graph points to a
SharedFunctionInfo, where the old object graph contains a matching
SharedFunctionInfo for the same function literal, then that pointer
is updated to point to the old SharedFunctionInfo.
The document at [0] includes diagrams showing an example merge on a very
small script.
Steps 1 and 2 above are pretty simple, but step 3 requires walking a
possibly large set of objects, so this new API lets the embedder run
step 3 from a background thread. Steps 1 and 2 are performed later, on
the main thread.
The next important question is: in what ways can the old script's object
graph be modified during the background execution of step 3, or during
the time after step 3 but before steps 1 and 2?
A. SharedFunctionInfos can go from compiled to uncompiled due to
flushing. This is okay; the worst outcome is that the function would
need to be compiled again later. Such a risk is already present,
since V8 doesn't keep IsCompiledScopes for every compiled function in
a background-deserialized script.
B. SharedFunctionInfos can go from uncompiled to compiled due to lazy
compilation. This is also okay; the merge completion logic on the
main thread will just keep this lazily compiled data rather than
inserting compiled data from the newly deserialized object graph.
C. SharedFunctionInfos can be cleared from the Script's weak array if
they are no longer referenced. This is mostly okay, because any
SharedFunctionInfo that is needed by the background merge is strongly
referenced and therefore can't be cleared. The only problem arises if
the top-level SharedFunctionInfo gets cleared, so the merge task must
deliberately keep a reference to that one.
D. SharedFunctionInfos can be created if they are needed due to lazy
compilation of a parent function. This change is somewhat troublesome
because it invalidates the background thread's work and requires a
re-traversal on the main thread to update any pointers that should
point to this lazily compiled SharedFunctionInfo.
At a high level, this change implements three previously unimplemented
functions in BackgroundDeserializeTask (in compiler.cc) and updates one:
- BackgroundDeserializeTask::SourceTextAvailable, run on the main
thread, checks whether there is a matching Script in the Isolate
compilation cache which doesn't already have a top-level
SharedFunctionInfo. If so, it saves that Script in a persistent
handle.
- BackgroundDeserializeTask::ShouldMergeWithExistingScript checks
whether the persistent handle from the first step exists (a fast
operation which can be called from any thread).
- BackgroundDeserializeTask::MergeWithExistingScript, run on a
background thread, performs step 3 of the merge described above and
generates lists of persistent data describing how the main thread can
complete the merge.
- BackgroundDeserializeTask::Finish is updated to perform the merge
steps 1 and 2 listed above, as well as a possible re-traversal of the
graph if required due to newly created SharedFunctionInfos in the old
Script.
The merge logic has nothing to do with deserialization, and indeed I
hope to reuse it for background compilation tasks as well, so it is all
contained within a new class BackgroundMergeTask (in compiler.h,cc). It
uses a second class, ForwardPointersVisitor (in compiler.cc) to perform
the object visitation that updates pointers to SharedFunctionInfos.
[0] https://docs.google.com/document/d/1UksB5Vm7TT1-f3S9W1dK_rP9jKn_ly0WVm_UDPpWuBw/edit
Bug: v8:12808
Change-Id: Id405869e9d5b106ca7afd9c4b08cb5813e6852c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3739232
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#81941}
The new method is not implemented in Chrome or Node, and the issue has
no activity since 2018, so let's rip out the incomplete new API.
Drive-by: Sprinke a few V8_LIKELY and V8_UNLIKELY.
R=mlippautz@chromium.org
Bug: chromium:634547
Change-Id: I0dabad520d459277d7196fa69c1bbceaf4d53596
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3780528
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81923}
Sometimes the second Wasm instantiation fails because we run out of
memory. This raises a RangeError, which is not recognized by ClusterFuzz
as OOM.
Thus turn it into a proper OOM crash.
R=ahaas@chromium.org
Bug: chromium:1347024
Change-Id: I39f7789cc85a9ba9b4217764fbbcef15c6c6ed76
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3784602
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81920}
Whenever PagedNewSpace allocates a page, the page is added to the free
list. Preallocating pages on space initialization means the pages are
added to the free list before the map for free space is initialized.
Then, when allocating from the free list, a DCHECK fails
(free-list.cc:508).
This CL delays page preallocation until `EnsureCurrentCapacity` is
called. When using PagedNewSpace, we will call this method from
`Heap::CreateHeapObjects` after the maps are allocated and before any
allocations in new space are attempted.
Bug: v8:12612
Change-Id: I33f825ddd831640b12e4c0f7b849262a335df51e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3780541
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81919}
All embedders override this method now, so it can be abstract.
R=mlippautz@chromium.org
Bug: v8:12425
Change-Id: I4db5d74341c9519222592a88d247bc2aa2be03a9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3780538
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81910}
This is a follow up to Iadf73c294904ec20cefe1053a2969aa1dbb91a39.
Bug: v8:7748
Change-Id: I59390b8c82c4ebed58f2d3130cd9b1578bffdd4b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3780535
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Cr-Commit-Position: refs/heads/main@{#81908}
Avoid most of the {is_inline()} checks by having a {data_begin_} pointer
which either points at the inline storage or at the zone-allocated
memory.
This replaces a dynamic branch by a memory indirection, which is
beneficial for big (non-inline) BitVectors. For small BitVectors we will
have to see what the bots say; the hypothesis is that a memory load is
still faster than a dynamic branch.
Apart from better performance, this change allows for simpler code in
many places, including the iterator implementation.
R=jkummerow@chromium.org
Bug: v8:13063
Change-Id: I1e28279d1a438598e0b8403a6a4078c2cd2a4c48
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3776685
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81902}
Drive-by fixes:
* categorize CodeDataContainer objects as kCode,
* when external code space is enabled report CodeDataContainers as
(%s builtin handle),
* replace a sequence of obj.IsXXX() with a respective sequence of
InstanceTypeChecker::IsXXX().
Bug: v8:11880
Change-Id: Ib50b168eb28af5f8388be7f9b9f4feba2ee784af
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3780534
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81898}
Make sure AddAllSequenceSlowCallback works on arrays where some
elements cannot be accessed.
Bug: chromium:1338877
Change-Id: Icdf61a305fb208a91832d03ebc47201d8941e41a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3778410
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81896}
Instead of creating the Suspender object in JS and passing it to the
stack-switching js-to-wasm wrapper, the wrapper now automatically
creates the Suspender object and forwards it as an extra parameter to
the wasm function. See:
https://github.com/WebAssembly/js-promise-integration/pull/1/filesR=ahaas@chromium.org
Bug: v8:12191
Change-Id: I2badee823f4223a293632f93e7e59f24c49d0820
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3779688
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81890}
The DevTools frontend doesn't want the Wasm module's understanding of
function body offsets (i.e. including locals), but the ranges of
offsets where breakpoints can be set (i.e. only where instructions are).
This patch adjusts the reported offsets accordingly.
A consequence is that we have to report full (start,end) pairs for each
function, instead of being able to dedupe end1==start2 etc.
Bug: v8:12917
Change-Id: I0c7d2d96435cdac2c4553647b7bcc8783bc1798b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3780526
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Philip Pfaffe <pfaffe@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81887}
This CL adds Uint8Array as supported arguments for fast API calls.
It introduces a kUint8 variant to CTypeInfo for use with TypedArrays
only.
Bug: v8:13080
Change-Id: Ie65206078a18acabaafa9c95793f400b8e95373d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3767098
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81886}
This CL adds a new method to the `console` that is available
when DevTools is open. In TypeScript notation the API is:
```
namespace console {
// Creates a new `Task` and associates the current async
// stack trace with the created `Task`.
scheduleTask(name: string): Task;
}
interface Task {
// Executes an arbitrary payload and forwards the return value
// back to the caller. Any async stack trace captured during
// 'f' has the site of the corresponding `scheduleTask` as
// its parent.
run<T>(f: () => T): T;
}
```
The API is a saner user-facing API for our async stack trace
mechanism:
* scheduleAsyncTask corresponds to scheduleTask
* startAsyncTask/stopAsyncTask are called implicitly before `f`
is executed.
* cancelAsyncTask is called implicitly when `Task` is GC'ed
The API is behind the flag --experimental-async-stack-tagging-api
Bug: chromium:1334585
Change-Id: Ic6054279a108756caed6b4b5f2d1fe4a1bdbaf78
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3776678
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81881}
Add a second implementation of BalanceDuration which
the nanoseconds could be very large and beyong the precision
could be handled by double and passed in by BigInt, and values
of other time fields are 0.
Bug: v8:11544
Change-Id: Ib794c6c78b81b8338434314fa5033cf1e991d32b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3781117
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81876}
