Code objects are linked in a custom per-native-context weak list of
optimized code (previously there was also a list of deoptimized code,
but this was recently removed).
There used to be reasons for this list, but at this point it is only
used by the debugger to mark code for deoptimization. The debugger can
do this with a heap walk instead, so we can remove this list and indeed
the next_code_links from Code objects themselves.
Change-Id: Iebbed4adacd31b8ddc442ae6355ea45c691cc856
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4061515
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84804}
The "negative" instructions `br_on_non_*` & `br_on_cast_fail` created
the `TypeGuard` node for the successful branch using the effect /
control chain o fthe wrong branch.
As `TypeGuard`s do not generate code, these instructions are for the
Turbofan type system.
Bug: v8:7748
Change-Id: I12de7421a6d16e24d91336457443ab6f646ab309
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4097425
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84802}
We received feedback that the [[Scopes]] property has some legitimate
use-cases not covered by the Scopes View during pause.
We re-enable the feature for now and will remove the flag in a
follow-up.
R=bmeurer@chromium.org
Bug: chromium:1365858
Change-Id: Ibf279ae6c4f5ae492d03e9b4ee7316f6500508d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4099385
Auto-Submit: Simon Zünd <szuend@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84800}
In case a JSArrayBuffer is empty but has an extension installed, the
previous code would not clear the extension prior to serialization. This
would then cause a DCHECK failure right after serialization when
restoring the extension pointer because we only allow changing from
nullptr to a non-null extension pointer.
Bug: chromium:1335043
Change-Id: I9276da0ebb7ecf0d22949c3d1294cfa90bad7a7e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096479
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84798}
This patch moves the stop method from context group to session to enable
stopping each session independently. This is useful for testing that
stopping does not interact badly with other sessions.
Bug: chromium:1354043
Change-Id: I885cf49f2d4cf006fa5228edf2954099e45cfc6b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4100484
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84797}
When loading a 32-bit value from the stack, just load 32 bit and
zero-extend them into the target register, instead of loading the full
64 bits.
As there are things to fix (see https://crbug.com/1356461), we only
enable this optimization for Wasm for now.
R=jkummerow@chromium.org
Bug: chromium:1395604, chromium:1356461, v8:13581
Change-Id: Ibdd2d80704973362906aec9b38faa762d3b43f3f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4097424
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84796}
gcc versions < 9 may produce the following compilation error due
to passing/initializing an empty struct as a parameter:
> '<anonymous>' is used uninitialized in this function
A reproducible code sample can be seen here:
https://godbolt.org/z/PfanPrEGG
This issues seems to have come up in gcc in various ways,
here is a related bug:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86465
A simple workaround here it to add a 0 initialized value to
the empty struct.
More information can be found at the comment section of this CL: crrev.com/c/4057111
Bug: v8:12783
Change-Id: Iee8fec73610fa2525530db431daf5fa285c09a3f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4097624
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#84795}
This CL fixes two bugs:
- The monotonicity violation in the typers of ToBigIntConvertNumber and
Integral32OrMinusZeroToBigInt.
- The missing handling of conversion from Tagged output with the type
DoubleRepresentableInt64OrMinusZero to Word64.
Bug: v8:9407, v8:13580, chromium:1399951, chromium:1400053
Change-Id: I669820b52e5b82bddc9853cfd97a2361c344a2cb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096990
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#84793}
We already exclusively use the WasmEngine's AccountingAllocator for all
decoded Wasm modules. Except for tests, the same allocator will also be
used for validation. Thus do not pass it down explicitly, but get it
from the WasmEngine when needed.
R=ahaas@chromium.org
Bug: v8:13447
Change-Id: Idaa9d6c3e0ab0051bf85bb2667accac89e8b5607
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4092738
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84792}
In synchronous mode, a TF compilation can trigger a lazy
deopt of the Maglev code.
Instead, if in synchronous mode, we eager deopt to Ignition
and OSR from there.
Fixed: chromium:1394279
Bug: v8:7700
Change-Id: I4db2ac561d5626ab5f04b167e50025013490a4a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096878
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84790}
This replaces the dummy values for the crash analysis. We use the
stack parser from ClusterFuzz to extract the crash type and state from
the stderr of the output and we store it in the test results. We also
added some tests to check the functionality with some example stderrs.
Bug: v8:12313
Change-Id: I67994a752a7aa01cacfb7ebfe7e9d3d61820a4dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4067428
Reviewed-by: Liviu Rau <liviurau@google.com>
Commit-Queue: Almothana Athamneh <almuthanna@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84789}
JetStream2:ARES:Basic regresses with the Float64Exponentiate.
It seems that calling the builtin directly is cheaper than
unboxing both inputs and calling the C++ stub.
Bug: v8:7700, v8:1393643
Change-Id: Ib2c1523ed57eea048bb269fc16992349687cbb73
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4084764
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84786}
A new test added in https://crrev.com/c/4092575 times out on ASan
windows builds and is slow.
Superseeds https://crrev.com/c/4096677.
No-Tree-Checks: true
No-Try: true
Bug: v8:13466
Change-Id: I40d61459437434cf739fbff8c223871012a23010
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096817
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Olivier Flückiger <olivf@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84784}
The current reduction of blocks that are branch targets with a known
condition assumes that this is the first time we're seeing the given
condition with the given value. That's no longer the case, so updating
the expectation accordingly.
Bug: chromium:1399627
Change-Id: Id84d80a38801cf6178b476e62160d616b948d8d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096984
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84780}
This is required to be spec-compliant.
The previously implemented behavior was more relaxed allowing one to use
`ref.cast null` on non-nullable inputs and still getting a non-nullable
result on cast success.
Bug: v8:7748
Change-Id: I1297314389b0445a7c8d5a74f37d07a723d7a133
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4091549
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84776}
Since Maglev can OSR to TF, we only need to remove the checks.
Bug: v8:7700
Change-Id: I2d3c5ede4c3611bb1830b0c16a480585c123586d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4084793
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84774}
This is a reland of commit 331c577e1d
Fix DCHECK for single generation builds.
Original change's description:
> [static-roots] Allow creating isolates from existing r/o snapshot
>
> This adds the ability to create an isolate from scratch, except the
> read only roots, which are initialized from a read_only_data snapshot.
> To do this we split the heap setup in a read/only part and the rest.
> The goal of these changes is to later support writing serializer tests,
> even if the read only roots are static and have to be loaded from a
> fixed snapshot.
>
> Bug: v8:13466
> Change-Id: I078695b95710e5281da013ca0c08af0e153b4725
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4037271
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Olivier Flückiger <olivf@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84750}
Bug: v8:13466
Change-Id: Ic680b7620fc3176260c5d550e474412afef5f598
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4092575
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Olivier Flückiger <olivf@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84773}
We check if kReturnRegister is in the live register of the node snapshot,
but this does not include the eager extended deopt registers added
by AddDeoptRegistersToSnapshot.
This CL makes sure we do the proper check.
Fixed: chromium:1399805
Bug: v8:7700
Change-Id: I6eba5d7ec81ce6f4137aaeeda925029484824920
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096558
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84772}
The previous fix was using the wrong getter for accessing the length.
It also threw an error when the created TA was length-tracking but in
bounds.
Bug: v8:11111,chromium:1399799
Change-Id: I5a94b1b49b2e30cf33999be7ff0ee8e4f5323849
Fixed: chromium:1399799
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4090984
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84771}
I originally thought MaxByteLength would only be needed for
v8::ArrayBuffer and v8::SharedArrayBuffer, but it is also needed on
v8::BackingStore.
In particular, blink uses Mojo to serialize ArrayBuffers' contents via
v8::BackingStore when doing cross-process postMessage.
Bug: chromium:1396361, v8:11111
Change-Id: I86d44829175ad760fb43294d386483a16044fc3b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4090708
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84767}
Array.toReversed always creates properties even for holes, but the
optimization paths for HOLEY_* arrays did not respect the spec. This CL
fixes the fast paths to set `undefined` value instead of the hole.
Bug: chromium:1395672
Change-Id: I51584829caf312a1864f93928315782bb120ee14
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4081689
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Choongwoo Han <choongwoo.han@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#84766}
This doesn’t have much practical effect, since the actual
byte contents referred to by `StartupData` are already marked
`const`, but adding the qualifier communicates more clearly
to users that V8 does not perform modifications on the object.
Practically speaking, this also allows for cases in which the
startup data is included as readonly data in the current executable
without requiring a `const_cast`.
Refs: https://github.com/nodejs/node/pull/45786#discussion_r1043489245
Change-Id: I53075ebb493c3617e470decb601b803f5294848d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4089203
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84764}
Make the separation between Operands pointing to Label locations and
standard memory operands more clear.
Also provide a separate method for emitting "label operands", so this
does not get inlined everywhere (label operands are used much less often
than memory operands).
R=jkummerow@chromium.org
Bug: v8:13570
Change-Id: I3482598cbf47eea878e06acc1ce2465325a597e0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4088644
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84763}
My previous change https://crrev.com/c/4071249 reduced the size of
translation arrays, but caused substantial speed regressions for code
that needs to read those arrays. This is because each translation could
use MATCH_PREVIOUS_TRANSLATION instructions to indicate areas where it
was unchanged from the preceding translation, but that preceding
translation might also use MATCH_PREVIOUS_TRANSLATION because it was
similar to its preceding translation, and so forth up to the limit
imposed by kMaxLookback.
This change is a proposal to fix the decoding speed while keeping most
of the size benefit from the previous change, by imposing a rule that
the "previous" translation referred to by a MATCH_PREVIOUS_TRANSLATION
instruction must not also use MATCH_PREVIOUS_TRANSLATION. A simple way
to accomplish this would be to decrease kMaxLookback to 1 and keep the
rest of the encoder unchanged, but we can do somewhat better by letting
several translations in a row refer to the same "basis" translation, as
long as they're successfully finding matching content.
Total size of translation arrays generated in an Octane run:
- Before my previous change: 2.6 MB
- Current code (kMaxLookback=10): 1.1 MB
- This CL: 1.4 MB
- Setting kMaxLookback=1: 1.8 MB
Bug: chromium:1399556, chromium:1396229
Change-Id: I077da8aae93ec667ff587a1db1bff483de76cf34
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4089944
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#84762}
This CL introduces two JS operators JSToBigInt and
JSToBigIntConvertNumber and one simplified operator
Integral32OrMinusZeroToBigInt.
- BigInt constructors are lowered to JSToBigIntConvertNumber in the
inlining phase.
- JSToBigIntConvertNumber is replaced with
Integral32OrMinusZeroToBigInt if the input is typed as Integral32
in typed lowering.
- In simplified lowering, Integral32OrMinusZeroToBigInt is lowered
to conversion to word64 accordingly.
- If the input is not Integral32 or BigInt, JSToBigIntConvertNumber
is lowered to a builtin call in generic lowering.
Bug: v8:9407
Change-Id: I8539d742e82cce515bd9350797f5f9b0876ee6f2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055670
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#84761}
Similar to the `AsyncFunctionReject` builtin, the
`AsyncGeneratorReject` should also mark the promise rejection as a
non-debuggable event.
That is because the initial throw that causes the generator rejection
downstream alreay triggered the debuggable event.
We can re-use one of the existing tests as a regression test here:
If we wait for the Runtime.evaluate promise to resolve after the first
pause, we ensure that we already paused once. The test in its current
form swallowed the second pause implicitly by disabling the debugger.
R=bmeurer@chromium.org
Bug: chromium:1270780
Change-Id: I97ab08934804fefd097e9bd01081469da5379154
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4084925
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84756}
This reverts commit e5dbd05dcf.
Reason for revert: Causes failures with --shared-string-table
https://bugs.chromium.org/p/chromium/issues/detail?id=1399489https://bugs.chromium.org/p/chromium/issues/detail?id=1399491https://bugs.chromium.org/p/chromium/issues/detail?id=1399488https://bugs.chromium.org/p/v8/issues/detail?id=13574
Original change's description:
> [heap] Fix crash in promoted pages iteration
>
> Iterating promoted pages uses a snapshot of the allocated pages to avoid
> using locks (which locally resulted in regressions). Large pages may
> have been freed between taking the snapshot and concurrent sweeping.
> If that page is found by LookupChunkContainingAddress as the closest
> page, we will try to access it and crash.
>
> Fix by refresshing the snapshot after all pages have been freed.
>
> Bug: v8:12612, chromium:1399331, chromium:1399328, chromium:1399330
> Change-Id: I01a1dbcb9efde3a34a99d01260b0529dcf04c37a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4088363
> Commit-Queue: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84740}
Bug: v8:12612, chromium:1399331, chromium:1399328, chromium:1399330
Change-Id: Id7e4c057493478956108e4ae4f28ca91cc20f406
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4092594
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#84755}
