The deadlock can happen when two scavenging tasks process two different
pages for their old->new sets and at the same time try to allocate in
old space which triggers sweeping of the other task's page.
Bug: v8:6754
Change-Id: I6087553631e198d5ecfb8ab37925ac41cd6995bd
Reviewed-on: https://chromium-review.googlesource.com/635843
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47610}
The Uint32(limit) conversion can end up transitioning the regexp
instance to slow mode. In this case we need to bail out to runtime while
ensuring that ToUint32 is not observably called a second time. We do
this by passing the already-converted value to runtime.
This particular path was broken and we ended up passing the original
maybe_limit value to runtime instead.
TBR=yangguo@chromium.org
Bug: chromium:758763
Change-Id: If7f23b452d2e134ad9be3d4ef1d78d1c946fcef0
Reviewed-on: https://chromium-review.googlesource.com/635588
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47609}
Change the signature of `Construct` so that no casting is required on
calling it. The casting would fire control flow integrity check if the
class contains virtual members.
Bug: chromium:758925
Change-Id: Iefc711c634b36efd051e245e2df13b28d5563f45
Reviewed-on: https://chromium-review.googlesource.com/635563
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
Cr-Commit-Position: refs/heads/master@{#47608}
Do not allow recursive inlining when function calls itself. i.e.f() -> f()
This is because we only get some static information for the first level
of inlining and it may not be very beneficial to just duplicate the entire
function. However, we still allow indirect recursion f() -> g() -> f() -> g1().
This helps in cases where f() is a small dispatch function. For example,
in rayTrace class.create -> obj.initialize -> class.create -> obj1.initialize.
Bug: chromium:757798
Change-Id: I0a5d9e62eabd7681849f900997b4df061b5f8ed5
Reviewed-on: https://chromium-review.googlesource.com/632622
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47605}
The allocator for determining the location (reg/stack) for parameters
and return values can be constexpr. This avoids lazy initialization,
saving code size and execution time, and simplifying the implementation
significantly.
R=ahaas@chromium.orgCC=titzer@chromium.org
Change-Id: I295623cb1dad0f1537f7292dcf044f3d509588bb
Reviewed-on: https://chromium-review.googlesource.com/635163
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47602}
Compile the module created in trap-location.js with both synchronous and
asynchronous compilation. Thereby I can reuse the test for streaming
compilation later.
R=clemensh@chromium.org
Change-Id: Id2e0c70886ddd1b11d51f614d02757099541aedd
Reviewed-on: https://chromium-review.googlesource.com/635165
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47600}
For wide bytecodes, save the bytecode offset as the offset of the prefix
bytecode, rather than the bytecode itself. This means that any code that reads
the bytecode can explicitly know the width of the bytecode at the offset
without having to iterate through the complete bytecode array.
Also simplifies some code in the bytecode analysis that had to work around
the previous approach.
BUG=chromium:753705
Change-Id: I8a42e7cfff27791e39f3452e2b9e52c0608d28cb
Reviewed-on: https://chromium-review.googlesource.com/634003
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47599}
This makes sure instantiate of asm.js modules fails gracefully on heap
buffers exceeding the uint32_t range supported by WebAssembly.
R=clemensh@chromium.org
TEST=mjsunit/regress/regress-crbug-754175
BUG=chromium:754175
Change-Id: I4a9c6791beaab6da826b5b6b5a495f97e9d3b4e9
Reviewed-on: https://chromium-review.googlesource.com/632618
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47598}
As a first step towards lazy builtin deserialization, this CL moves
builtins to their own dedicated area in the snapshot blob, physically
located after startup data and before context-specific data.
The startup- and partial serializers now serialize all seen builtins as
references, i.e. they only encode the relevant builtin id (taking care
to preserve special behavior around the interpreter trampoline and
CompileLazy). Builtins are later fully serialized by the
BuiltinSerializer. The separate blobs are finally glued together by
CreateSnapshotBlob.
Deserialization takes the same steps: when we see builtin reference
bytecodes before builtins have been deserialized, we push to a list of
deferred builtin references. After builtin deserialization, this list is
iterated and all builtin references are fixed up.
Bug: v8:6624
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Idee42fa9c92bdbe8d5b8c4b8bf3ca9dd39634004
Reviewed-on: https://chromium-review.googlesource.com/610225
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47596}
Tentative fix for the CF crashes in https://crbug.com/754422.
Bug: chromium:754422
Change-Id: I0dcb6b8860cb0bf20b3566ffba08e6772398ee65
Reviewed-on: https://chromium-review.googlesource.com/632176
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47591}
The CPP builtins execute the same piece of code to prepare context before
jumping into CEntryStub. By creating new ASM builtin to execute that common
piece of code, ~7KB code size (tested on x64) of snapshot_blob.bin can be
reduced without any negative performance impact.
BUG=
Change-Id: I744369e8723dcd902b61dc50645db66bea884441
Reviewed-on: https://chromium-review.googlesource.com/595119
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47590}
Change-Id: Id9f60cdafc486de2b04684de84174f9765637c12
Reviewed-on: https://chromium-review.googlesource.com/601328
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47586}
This also removes the IS_GLOBAL macro from macros.py, which did
not work correctly for Remote objects/contexts.
Bug: v8:6413
Change-Id: I90690bdd0d8e8fed581bc4c9f5c60168d785f096
Reviewed-on: https://chromium-review.googlesource.com/633872
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47585}
This flag allows invalid escape sequences in tagged templates, which is
a stage-4 TC39 proposal shipping in other browsers.
Bug: v8:5546
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I3e7c374c9b547f62d5976f76a7208d05fe9decf8
Reviewed-on: https://chromium-review.googlesource.com/581885
Commit-Queue: Kevin Gibbons <bakkot@gmail.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47584}
U+feff is the UTF BOM but if it occurs inside the text, it's a "zero-width
no-break space". However, the UTF-8 decoder in script streaming still thought
it's a BOM and skipped it. The correct way to handle it would be to create a
U+feff code point instead - the Scanner will then handle it as whitespace.
This is a discrepancy between the Blink UTF-8 decoder and the V8 UTF-8 decoder,
and caused the source positions be off by one. This bug went unnoticed, since
normally off-by-one in this situation doesn't make the code to break.
BUG=chromium:758508,chromium:758236
Change-Id: Ib92a3ee65c402e21b77e42537db2a021cff55379
Reviewed-on: https://chromium-review.googlesource.com/632096
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47583}
This timer imposes a high overhead and does not give us the data we'd
like. Disabling for now until we can develop a better solution.
Bug: v8:6514
Change-Id: I73b15131a71d7b6750556f82907cb2a0e6edd321
Reviewed-on: https://chromium-review.googlesource.com/633703
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47582}
This is useful for the RecordWrite stub that can now specify the set
of allocatable registers in its call descriptor interface.
During register allocation a custom register configuration is used to
ensure that the register are allocated from the given set.
This makes calling RecordWrite stub less expensive as we need to save/restore
only the allocatable registers instead all registers.
Bug: chromium:749486
Change-Id: If4d73f1fd525e480970ea92600fb811e63677eb5
Reviewed-on: https://chromium-review.googlesource.com/624734
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
Cr-Commit-Position: refs/heads/master@{#47577}
* Only pass -t to adb if running with stdout as a tty (prevents weird
tty output processing, .e.g replacing '\n' with '\r\n')
* Allow passing a device directory for d8 (useful for testing multiple
builds against each other)
* Allow specifying additional allowed paths (useful for e.g. running
files from /tmp)
Change-Id: I90b8bba6f3c248105927c800b8b5b601692adf6c
Reviewed-on: https://chromium-review.googlesource.com/629079
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47576}
Several stack traces from crash reports in https://crbug.com/754490 have
wrong magic signatures. Even though we're supposed to be failing in a V8_Fatal
the signature doesn't show up on the stack trace.
Change-Id: I35c8f27e36fd2a0ec474095a6cf5557a76fe7d26
Reviewed-on: https://chromium-review.googlesource.com/631878
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47575}
We can avoid the ToString conversion before doing the HasProperty check.
This avoid a costly Smi to String conversion which is unecessary for the
following lookups.
For very large dictionary elements this is a significant slow down as we
will no longer hit the GetNumberStringCache.
Change-Id: I5a0eb13470ab3d3d8a87ee36d28ce7be5cbc2b2e
Reviewed-on: https://chromium-review.googlesource.com/626056
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47574}
The v8_enable_fast_mksnapshot gn flag reduces time spent in mksnapshot
on x64 debug builds from 19s to 6s by disabling far jump rewrites and
register allocation verification. This flag should only be used locally
for development.
Bug: v8:6688
Change-Id: I02e8546a6a329b9cb377b95ab586d5857a3c6731
Reviewed-on: https://chromium-review.googlesource.com/632258
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47573}
In case of LAP(lazy accessor pair), the function's creation context
must be equal to the accessor holder's creation context, so this CL
changes the current context to the accessor holder's creation context.
Note that this is the second attempt after https://crrev.com/2770003002
The change from the previous attempt is to skip looking for the
object's constructor if the object itself is a function.
Also some of Blink's LAP-context-sensitive tests got updated at
https://crrev.com/c/597990 and the rest of the tests will get
temporarily disabled at https://crrev.com/c/605408 .
TBR=verwaest@chromium.org
Bug: v8:6156
Change-Id: I09709a90995d82a03996d0347e5a1d8425b5db9c
Reviewed-on: https://chromium-review.googlesource.com/563152
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47572}
This further reduces the footprint of the deferred blocks used as part
of our CSA-asserts by marking the {DebugAbort} calls as unreachable.
This allows us to elide (un)spilling because re-entry into the normal
instruction stream is removed.
R=jgruber@chromium.org
BUG=v8:6688
Change-Id: Ib00362fbe34427b3c8f8c8f5fcea0b83028f81b2
Reviewed-on: https://chromium-review.googlesource.com/632056
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47571}
We no longer include hydrogen stubs in the snapshot.
R=jgruber@chromium.org
Change-Id: Id268b416ed839f55d297a1888444ef6323ec9dd9
Reviewed-on: https://chromium-review.googlesource.com/631956
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47570}
This introduces a {DebugAbort} machine-level operator as well as the
corresponding {ArchDebugAbort} backend instruction. The goal of this is
to speed up snapshot generation due to cheaper "CSA-asserts".
R=jgruber@chromium.org
BUG=v8:6688
Bug: v8:6688
Change-Id: If45f7da0652d4bb920c51ab7a7c41f9670434bbb
Also-By: jgruber@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/628560
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47568}
Since the AST graph builder is gone, no variable should be named osr_ast_id.
This CL replaces it with osr_offset. It designates the offset of the bytecode
where the OSRing was triggered.
Bug:
Change-Id: Ia53a83b09f917fcd0174da685a18edd3ee3aa01f
Reviewed-on: https://chromium-review.googlesource.com/621008
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47566}
DEBUG builds pull in all sorts of instrumentation infrastructure that
leads to larger heaps. The check for intial size is only useful for
release builds.
Bug: v8:6746
Change-Id: I5ab220d21167e69d7fb32c9db68045368c4ef178
R: ulan@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/631876
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47565}
This reverts commit 8bbc224243.
Reason for revert: On Canary 3195.
Original change's description:
> [heap] Enable concurrent marking for x86 and x64.
>
> This is an experiment and will be reverted after getting canary
> coverage.
>
> Bug: chromium:694255
> Change-Id: I40388d8c6db0e46e2ce64e88aba04c5ac8822e94
> Reviewed-on: https://chromium-review.googlesource.com/625959
> Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47541}
TBR=ulan@chromium.org,mlippautz@chromium.org
Change-Id: I642c1f778267a795bf1e1a6bba863552394ad1d4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:694255
Reviewed-on: https://chromium-review.googlesource.com/631717
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47564}
The {WireBytesRef} constructor checks that {offset + length} does not
overflow. Hence we need to check for illegal sizes before constructing
the {WireBytesRef}.
The {consume_bytes} function already does that, so remove the
redundant hand-written checking.
R=titzer@chromium.org
Bug: chromium:752781
Change-Id: If3a2946a62fa38cc668695ed7186b9751a1f356f
Reviewed-on: https://chromium-review.googlesource.com/605894
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47563}
API resolves functions to its .prototype property to make possible
queries like queryObjects(Object), queryObjects(HTMLElement), e.t.c.
R=dgozman@chromium.org
Bug: v8:6732
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ie8dc2288fa7e59c69f9b2647a9d5e35f0ac9215f
Reviewed-on: https://chromium-review.googlesource.com/630244
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47561}
