marking_barrier_type_ wasn't initialized in MarkingBarrier's ctor.
With --shared-space and enabling incremental marking in the shared
heap this could lead to the load of an uninitialized value in
`is_minor` in the DescriptorArray write barrier.
The write barrier was also not using the right value for old_marked
when both minor and shared incremental marking were enabled.
Bug: v8:13267, chromium:1400730
Change-Id: Ibd682b9baba333ce16af028e4f66aefb6c8aaea7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4108028
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84855}
The comparison of an external pointer used `kRef` here which is the
ValueKind for Wasm GC references. As those references are only 32 bits
on pointer-compressed builds, a 32-bit-comparison is used.
(This was introduced with change https://crrev.com/c/4016816.)
If the pointer has the 32 least signficant bits zeroed out, it assumes
that the callref target is a WasmJSFunction looking in the code table
for this index for the JS function. As it is a wasm function, it has a
trap handler registered there causing the call to trap instead.
Fix: v8:13534
Change-Id: I35474e1eaeeefff3cbe5bec9c6ede470688a0ce6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4106850
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84853}
MSVC does not have cxxabi.h. Also, MSVC does not need demangling in this case.
Bug: v8:10572
Change-Id: I27f2335ba6cb2bb35132bad23ce95b78b66cd3fa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4103520
Commit-Queue: Choongwoo Han <choongwoo.han@microsoft.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84851}
Add paths to named and keyed loads with empty feedback (distinct from
insufficient feedback), which signals that this is a megamorphic load
(cf. ShouldUseMegamorphicLoadBuiltin in js-generic-lowering.cc).
Bug: v8:7700
Change-Id: Ic32980f9217a7f1a3e44cc40444edf002cf4e6f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4106848
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84849}
... and the necessary IR nodes to test a simple
program: `"abc".charCodeAt(1)`
Bug: v8:7700
Change-Id: Ia670d8a44f39f4a0b8312d69d7d3f64cbc2b6831
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4106748
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84847}
With --shared-space the main isolate has to be disposed last, so we
can't really dispose the main isolate while worker isolates are
still running without violating our invariants.
Solve this by not invoking Isolate::Dispose() for `quit()`.
Bug: v8:13267, chromium:1400810
Change-Id: Id9d6288c62d9c03d5c2f40c52efd0ac6422ac822
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4106751
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84846}
Add gen-static-roots.py to conveniently re-generate the static roots
table when it needs changing.
Additionally, ensure the first read-only page is allocated as first page
during mksnapshot, to move static roots closer to start.
Bug: v8:13466
Change-Id: Ie72b64d0ad0dd3e5fccd3b41e8ed00a4a55a0033
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096481
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Olivier Flückiger <olivf@chromium.org>
Commit-Queue: Olivier Flückiger <olivf@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84844}
Since it (currently) needs to find the JumpLoop bytecode.
See comment in line 645.
Fixed: chromium:1400549
Bug: v8:7700
Change-Id: If73a9c8d2f5a85cceded34cdf1aa7b5895937990
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4103683
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84840}
The CL applies multiple changes:
1) Reverts back to using std::vector<> for young nodes. Distinguishing
between young and remembered nodes is still needed to allow fast
filtering.
2) Adds the has-old-host flag to TracedNode, which is used to remember a
node.
3) Adds bailouts for old objects into UnifiedHeapMarkinState and
ConservativeTracedHandlesMarkingVisitor.
Bug: v8:13475
Change-Id: Ib296ece9df6f783bb3d47ffa0794be16e6c1aea8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4080386
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84839}
If the current active tier is already Turbofan, then
we just return to JumpLoopPrologue codegen to deopt.
Fixed: v8:13585
Bug: v8:7700
Change-Id: Idf8f4990e8dfea9e9fd6e3378e15110ec09b1896
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4104623
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84838}
- Force using the isolate from VMState
- Mark all fields as const to allow for better code
Change-Id: I5538f615e22569dc365dbb0d1482138311932575
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4098629
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84837}
We should not enter V8 if it's marked for termination.
Bug: chromium:1382710
Change-Id: Ic58f7c7b32614431dce04e2429c60dd79040ec43
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030476
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84834}
- Both Call and CallKnownJSFunction are now architecture independent.
- Introduced PushReverse to push arguments.
- Added support for iterators to Push/PushReverse.
- Added RepeatIterator helper to push the same value N times.
Drive-by: Implement load/store from/to stack slot and double registers.
Bug: v8:7700
Change-Id: I4f995ded7e95b79d8c8c3d7b2ffd373f51e631d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4085006
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84833}
This CL adds support for BigIntEqual in turbofan and collects type
feedback for small BigInt equal and strict equal in ignition.
Bug: v8:9407
Change-Id: I29cbc4d3bdfe9fcde8c1717afe83654a84c25c36
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096557
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#84832}
With --shared-space we need the write barrier for incremental
marking.
Bug: v8:13267
Change-Id: I7fb6e6de0f793824f3c27b8ec3c29cba39901188
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4103241
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84831}
This is a reland of commit 303facf5e1
This CL fixes DCHECK failures by using BasicMemoryChunk in
RecordOldToSharedSlot.
Original change's description:
> [heap] Also promote strings in large objects into shared heap
>
> With --shared-string-table all in-place internalizable strings are
> directly promoted from new space into the shared heap. However, this
> wasn't the case with large objects. This CL fixes this and adds test
> to guide fuzzers.
>
> Bug: v8:13267, chromium:1400048
> Change-Id: I6f850d480956c63bfbe1a7060140df850e284933
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096818
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84805}
Bug: v8:13267, chromium:1400048, v8:13588
Change-Id: I221592ec723d2b5e92094ff2598a99576d72a677
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4098831
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84830}
After computing the branch offset but before emitting the actual branch,
we should not emit a constant pool. Otherwise the previously computed
offset would be off.
Instead of handling this indirectly via the Assembler::branch_offset
method, do this directly in the Assembler::b method (and friends), so it
is not missed on other call sites.
R=jkummerow@chromium.org
Bug: chromium:1399424
Change-Id: I0cbb219ced5b671001a296b1cc7c339f395abffe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4102800
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84828}
Currently, any session can resume instrumentation breaks by sending
Debugger.resume command. That can lead to unreliable breakpoint
placement because sessions can resume too early.
The early resumption can happen in two ways:
- When we have two instrumented sessions, the first one to resume
can prevent the other one from setting its breakpoints
before executing the code.
- With one instrumented session and one without instrumentation
breakpoints, the uninstrumented session's Debugger.resume
command can resume the instrumentation pause before the
instrumented session can set its breakpoints.
This patch fixes both of these issues by changing the instrumentation
pause resumption logic to take note of the sessions that were notified
about the instrumentation breakpoints. The debugger will only resume
once all those sessions resume (or disconnect).
Bug: chromium:1354043
Change-Id: I84cf16b57187dbb40645b2f7ec2e08f0078539dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4100466
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84827}
This CL adds v8::ArrayBuffer::NewResizableBackingStore.
This API is needed to support Mojo cross-process serialization of
resizable buffers. See https://chromium-review.googlesource.com/c/chromium/src/+/4086949
Bug: chromium:1396361, v8:11111
Change-Id: I1d3ad367f28015184fd80fd2f05a37a3659d3a66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4093555
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84826}
Asm.js code (translated to Wasm) is valid by design, do not try to
validate it.
This is achieved by fully populating the {validated_functions} bitset
for asm.js modules. To make this safe(r) we do not allow to change the
origin or a WasmModule after initialization, which requires some
refactoring mostly in tests.
R=ahaas@chromium.org
Bug: v8:13447, v8:13565
Change-Id: I174c01f13185ff4117b02882b953c6ba29a3644d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4100686
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84824}
There were compile errors when building v8 with v8_enable_precise_zone_stats = true.
../../src/zone/type-stats.cc:30:24: error: no type named 'Free' in namespace 'v8::base'
if (buffer_) base::Free(buffer_);
../../src/zone/zone.h:255:3: error: use of undeclared identifier 'stdd'; did you mean 'std'?
stdd::atomic<size_t> freed_size_for_tracing_ = {0};
Bug: v8:10572
Change-Id: If1035edc99eff05c418e0bc65de8a8729f75e30f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4098379
Commit-Queue: Choongwoo Han <choongwoo.han@microsoft.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84822}
This is necessary to allow running GC epilogue callbacks after a
GC in the safepoint. Handle dereferences are allowed even if that
particular thread is parked. They may generally also happen from a
different thread than expected by DCHECKs in the case shared GCs
combined with multiple main threads.
This CL solves this issue by adding an additional assertion scope
that can temporarily allow such derefs for running the callbacks.
Unlike other assert scopes the new assert scope is disabled by
default.
Bug: v8:13267, chromium:1399379
Change-Id: Ibc741ad6bebb740cf24ae8be116d770f62ae6481
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4100826
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84821}
According to the style guide, field definitions should be the last thing
in the private section.
R=ahaas@chromium.org
Change-Id: I2b0890b7f5f5c8a9a19213a80c400bd9db080a05
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4097429
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84820}
Build mode for serializing the read only heap as a memory dump in the
startup snapshot. This makes compressed pointers of root objects
statically known at mksnapshot time.
This CL also adds a feature to mksnapshot to dump the static addresses
to a C++ header file. This will allow us to use these addresses in the
future.
The mode is disabled for now since we need some build infrastructure
first to conveniently re-generate the table when the layout changes.
Bug: v8:13466
Change-Id: I975b15bd89fedf713fb7d12b4929935ece78139d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4056181
Commit-Queue: Olivier Flückiger <olivf@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84815}
This reverts commit 303facf5e1.
Reason for revert: Causes failures with fuzzers.
Original change's description:
> [heap] Also promote strings in large objects into shared heap
>
> With --shared-string-table all in-place internalizable strings are
> directly promoted from new space into the shared heap. However, this
> wasn't the case with large objects. This CL fixes this and adds test
> to guide fuzzers.
>
> Bug: v8:13267, chromium:1400048
> Change-Id: I6f850d480956c63bfbe1a7060140df850e284933
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096818
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84805}
Bug: v8:13267, chromium:1400048
Change-Id: If20528bbf804b73ce8ad10f8addc9a1f11b50d96
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4101261
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84813}
This will allow bugs such as crbug.com/1394403 to be found much easier
by fuzzers as it will cause d8 to compile every function twice and to
verify that the resulting bytecode is the same.
In order to not lose fuzzer coverage of e.g. lazy compilation, this CL
also adds --lazy and --no-stress-lazy-source-positions to the fuzzer
configurations to be chosen with a small probability.
Bug: chromium:1394403
Change-Id: I172ac483b45978a669c9787e5f851daa985fd1f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096480
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84811}
The "is there enough data" check has to be done *after* reading
maxByteLength.
Bug: v8:11111, chromium:1400431
Change-Id: I7c2eddaeb998f3cd3919e118c093a5d036fca408
Fixed: chromium:1400431
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4100468
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84809}
The {Assembler::emit_operand} method is basically just copying 1-6 bytes
from {Operand::Data::buf} into the assembler buffer. This showed up with
>5% of Liftoff compilation time in a performance profile.
This CL makes this >2x faster by using an optimized copying routine
(using the same trick that libc's memcpy uses).
R=jkummerow@chromium.org
Bug: v8:13570
Change-Id: I525a94989c271b56ad7c148d21f234d05a25842a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4088606
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84807}
With --shared-string-table all in-place internalizable strings are
directly promoted from new space into the shared heap. However, this
wasn't the case with large objects. This CL fixes this and adds test
to guide fuzzers.
Bug: v8:13267, chromium:1400048
Change-Id: I6f850d480956c63bfbe1a7060140df850e284933
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096818
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84805}
Code objects are linked in a custom per-native-context weak list of
optimized code (previously there was also a list of deoptimized code,
but this was recently removed).
There used to be reasons for this list, but at this point it is only
used by the debugger to mark code for deoptimization. The debugger can
do this with a heap walk instead, so we can remove this list and indeed
the next_code_links from Code objects themselves.
Change-Id: Iebbed4adacd31b8ddc442ae6355ea45c691cc856
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4061515
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84804}
The "negative" instructions `br_on_non_*` & `br_on_cast_fail` created
the `TypeGuard` node for the successful branch using the effect /
control chain o fthe wrong branch.
As `TypeGuard`s do not generate code, these instructions are for the
Turbofan type system.
Bug: v8:7748
Change-Id: I12de7421a6d16e24d91336457443ab6f646ab309
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4097425
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84802}
We received feedback that the [[Scopes]] property has some legitimate
use-cases not covered by the Scopes View during pause.
We re-enable the feature for now and will remove the flag in a
follow-up.
R=bmeurer@chromium.org
Bug: chromium:1365858
Change-Id: Ibf279ae6c4f5ae492d03e9b4ee7316f6500508d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4099385
Auto-Submit: Simon Zünd <szuend@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84800}
In case a JSArrayBuffer is empty but has an extension installed, the
previous code would not clear the extension prior to serialization. This
would then cause a DCHECK failure right after serialization when
restoring the extension pointer because we only allow changing from
nullptr to a non-null extension pointer.
Bug: chromium:1335043
Change-Id: I9276da0ebb7ecf0d22949c3d1294cfa90bad7a7e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096479
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84798}
When loading a 32-bit value from the stack, just load 32 bit and
zero-extend them into the target register, instead of loading the full
64 bits.
As there are things to fix (see https://crbug.com/1356461), we only
enable this optimization for Wasm for now.
R=jkummerow@chromium.org
Bug: chromium:1395604, chromium:1356461, v8:13581
Change-Id: Ibdd2d80704973362906aec9b38faa762d3b43f3f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4097424
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84796}
gcc versions < 9 may produce the following compilation error due
to passing/initializing an empty struct as a parameter:
> '<anonymous>' is used uninitialized in this function
A reproducible code sample can be seen here:
https://godbolt.org/z/PfanPrEGG
This issues seems to have come up in gcc in various ways,
here is a related bug:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86465
A simple workaround here it to add a 0 initialized value to
the empty struct.
More information can be found at the comment section of this CL: crrev.com/c/4057111
Bug: v8:12783
Change-Id: Iee8fec73610fa2525530db431daf5fa285c09a3f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4097624
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#84795}
This CL fixes two bugs:
- The monotonicity violation in the typers of ToBigIntConvertNumber and
Integral32OrMinusZeroToBigInt.
- The missing handling of conversion from Tagged output with the type
DoubleRepresentableInt64OrMinusZero to Word64.
Bug: v8:9407, v8:13580, chromium:1399951, chromium:1400053
Change-Id: I669820b52e5b82bddc9853cfd97a2361c344a2cb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096990
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#84793}
We already exclusively use the WasmEngine's AccountingAllocator for all
decoded Wasm modules. Except for tests, the same allocator will also be
used for validation. Thus do not pass it down explicitly, but get it
from the WasmEngine when needed.
R=ahaas@chromium.org
Bug: v8:13447
Change-Id: Idaa9d6c3e0ab0051bf85bb2667accac89e8b5607
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4092738
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84792}
In synchronous mode, a TF compilation can trigger a lazy
deopt of the Maglev code.
Instead, if in synchronous mode, we eager deopt to Ignition
and OSR from there.
Fixed: chromium:1394279
Bug: v8:7700
Change-Id: I4db2ac561d5626ab5f04b167e50025013490a4a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096878
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84790}
JetStream2:ARES:Basic regresses with the Float64Exponentiate.
It seems that calling the builtin directly is cheaper than
unboxing both inputs and calling the C++ stub.
Bug: v8:7700, v8:1393643
Change-Id: Ib2c1523ed57eea048bb269fc16992349687cbb73
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4084764
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84786}
The current reduction of blocks that are branch targets with a known
condition assumes that this is the first time we're seeing the given
condition with the given value. That's no longer the case, so updating
the expectation accordingly.
Bug: chromium:1399627
Change-Id: Id84d80a38801cf6178b476e62160d616b948d8d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096984
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84780}
This is required to be spec-compliant.
The previously implemented behavior was more relaxed allowing one to use
`ref.cast null` on non-nullable inputs and still getting a non-nullable
result on cast success.
Bug: v8:7748
Change-Id: I1297314389b0445a7c8d5a74f37d07a723d7a133
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4091549
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84776}
Since Maglev can OSR to TF, we only need to remove the checks.
Bug: v8:7700
Change-Id: I2d3c5ede4c3611bb1830b0c16a480585c123586d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4084793
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84774}
This is a reland of commit 331c577e1d
Fix DCHECK for single generation builds.
Original change's description:
> [static-roots] Allow creating isolates from existing r/o snapshot
>
> This adds the ability to create an isolate from scratch, except the
> read only roots, which are initialized from a read_only_data snapshot.
> To do this we split the heap setup in a read/only part and the rest.
> The goal of these changes is to later support writing serializer tests,
> even if the read only roots are static and have to be loaded from a
> fixed snapshot.
>
> Bug: v8:13466
> Change-Id: I078695b95710e5281da013ca0c08af0e153b4725
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4037271
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Olivier Flückiger <olivf@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84750}
Bug: v8:13466
Change-Id: Ic680b7620fc3176260c5d550e474412afef5f598
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4092575
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Olivier Flückiger <olivf@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84773}
We check if kReturnRegister is in the live register of the node snapshot,
but this does not include the eager extended deopt registers added
by AddDeoptRegistersToSnapshot.
This CL makes sure we do the proper check.
Fixed: chromium:1399805
Bug: v8:7700
Change-Id: I6eba5d7ec81ce6f4137aaeeda925029484824920
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096558
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84772}
The previous fix was using the wrong getter for accessing the length.
It also threw an error when the created TA was length-tracking but in
bounds.
Bug: v8:11111,chromium:1399799
Change-Id: I5a94b1b49b2e30cf33999be7ff0ee8e4f5323849
Fixed: chromium:1399799
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4090984
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84771}
I originally thought MaxByteLength would only be needed for
v8::ArrayBuffer and v8::SharedArrayBuffer, but it is also needed on
v8::BackingStore.
In particular, blink uses Mojo to serialize ArrayBuffers' contents via
v8::BackingStore when doing cross-process postMessage.
Bug: chromium:1396361, v8:11111
Change-Id: I86d44829175ad760fb43294d386483a16044fc3b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4090708
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84767}
Array.toReversed always creates properties even for holes, but the
optimization paths for HOLEY_* arrays did not respect the spec. This CL
fixes the fast paths to set `undefined` value instead of the hole.
Bug: chromium:1395672
Change-Id: I51584829caf312a1864f93928315782bb120ee14
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4081689
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Choongwoo Han <choongwoo.han@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#84766}
This doesn’t have much practical effect, since the actual
byte contents referred to by `StartupData` are already marked
`const`, but adding the qualifier communicates more clearly
to users that V8 does not perform modifications on the object.
Practically speaking, this also allows for cases in which the
startup data is included as readonly data in the current executable
without requiring a `const_cast`.
Refs: https://github.com/nodejs/node/pull/45786#discussion_r1043489245
Change-Id: I53075ebb493c3617e470decb601b803f5294848d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4089203
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84764}
Make the separation between Operands pointing to Label locations and
standard memory operands more clear.
Also provide a separate method for emitting "label operands", so this
does not get inlined everywhere (label operands are used much less often
than memory operands).
R=jkummerow@chromium.org
Bug: v8:13570
Change-Id: I3482598cbf47eea878e06acc1ce2465325a597e0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4088644
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84763}
My previous change https://crrev.com/c/4071249 reduced the size of
translation arrays, but caused substantial speed regressions for code
that needs to read those arrays. This is because each translation could
use MATCH_PREVIOUS_TRANSLATION instructions to indicate areas where it
was unchanged from the preceding translation, but that preceding
translation might also use MATCH_PREVIOUS_TRANSLATION because it was
similar to its preceding translation, and so forth up to the limit
imposed by kMaxLookback.
This change is a proposal to fix the decoding speed while keeping most
of the size benefit from the previous change, by imposing a rule that
the "previous" translation referred to by a MATCH_PREVIOUS_TRANSLATION
instruction must not also use MATCH_PREVIOUS_TRANSLATION. A simple way
to accomplish this would be to decrease kMaxLookback to 1 and keep the
rest of the encoder unchanged, but we can do somewhat better by letting
several translations in a row refer to the same "basis" translation, as
long as they're successfully finding matching content.
Total size of translation arrays generated in an Octane run:
- Before my previous change: 2.6 MB
- Current code (kMaxLookback=10): 1.1 MB
- This CL: 1.4 MB
- Setting kMaxLookback=1: 1.8 MB
Bug: chromium:1399556, chromium:1396229
Change-Id: I077da8aae93ec667ff587a1db1bff483de76cf34
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4089944
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#84762}
This CL introduces two JS operators JSToBigInt and
JSToBigIntConvertNumber and one simplified operator
Integral32OrMinusZeroToBigInt.
- BigInt constructors are lowered to JSToBigIntConvertNumber in the
inlining phase.
- JSToBigIntConvertNumber is replaced with
Integral32OrMinusZeroToBigInt if the input is typed as Integral32
in typed lowering.
- In simplified lowering, Integral32OrMinusZeroToBigInt is lowered
to conversion to word64 accordingly.
- If the input is not Integral32 or BigInt, JSToBigIntConvertNumber
is lowered to a builtin call in generic lowering.
Bug: v8:9407
Change-Id: I8539d742e82cce515bd9350797f5f9b0876ee6f2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055670
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#84761}
Similar to the `AsyncFunctionReject` builtin, the
`AsyncGeneratorReject` should also mark the promise rejection as a
non-debuggable event.
That is because the initial throw that causes the generator rejection
downstream alreay triggered the debuggable event.
We can re-use one of the existing tests as a regression test here:
If we wait for the Runtime.evaluate promise to resolve after the first
pause, we ensure that we already paused once. The test in its current
form swallowed the second pause implicitly by disabling the debugger.
R=bmeurer@chromium.org
Bug: chromium:1270780
Change-Id: I97ab08934804fefd097e9bd01081469da5379154
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4084925
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84756}
This reverts commit e5dbd05dcf.
Reason for revert: Causes failures with --shared-string-table
https://bugs.chromium.org/p/chromium/issues/detail?id=1399489https://bugs.chromium.org/p/chromium/issues/detail?id=1399491https://bugs.chromium.org/p/chromium/issues/detail?id=1399488https://bugs.chromium.org/p/v8/issues/detail?id=13574
Original change's description:
> [heap] Fix crash in promoted pages iteration
>
> Iterating promoted pages uses a snapshot of the allocated pages to avoid
> using locks (which locally resulted in regressions). Large pages may
> have been freed between taking the snapshot and concurrent sweeping.
> If that page is found by LookupChunkContainingAddress as the closest
> page, we will try to access it and crash.
>
> Fix by refresshing the snapshot after all pages have been freed.
>
> Bug: v8:12612, chromium:1399331, chromium:1399328, chromium:1399330
> Change-Id: I01a1dbcb9efde3a34a99d01260b0529dcf04c37a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4088363
> Commit-Queue: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84740}
Bug: v8:12612, chromium:1399331, chromium:1399328, chromium:1399330
Change-Id: Id7e4c057493478956108e4ae4f28ca91cc20f406
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4092594
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#84755}
On Mac, we spend around 30% of lazy compile time in {ThreadTicks::Now}.
On Linux it's less severe, but still around 10%.
That's too much overhead for measurements that only show up in UKM, so
remove that.
The unused fields will be removed from the UKM events after the plumbing
on the chromium side has been removed.
R=ahaas@chromium.org, mlippautz@chromium.org
CC=ecmziegler@chromium.org
Bug: v8:13565
Change-Id: I2dad88d899482801888940499d2d1761ff075578
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4078966
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84754}
We introduce V8InspectorSession::stop API to enable safe
detach from the session. In particular, after calling 'stop',
the session will leave any instrumentation pause it might
be in and disarm all its instrumentation breakpoints.
This is useful when the session disconnect request is registered
on V8 interrupt (so it is unsafe to disconnect at that point),
and the execution should first get to the message loop
where the disconnect can be handled safely.
Bug: chromium:1354043
Change-Id: I3caab12a21b123229835e8374efadc1f4c9954c2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4085143
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84753}
This reverts commit 331c577e1d.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20-%20debug%20-%20single%20generation%20-%20builder/9912/overview
Original change's description:
> [static-roots] Allow creating isolates from existing r/o snapshot
>
> This adds the ability to create an isolate from scratch, except the
> read only roots, which are initialized from a read_only_data snapshot.
> To do this we split the heap setup in a read/only part and the rest.
> The goal of these changes is to later support writing serializer tests,
> even if the read only roots are static and have to be loaded from a
> fixed snapshot.
>
> Bug: v8:13466
> Change-Id: I078695b95710e5281da013ca0c08af0e153b4725
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4037271
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Olivier Flückiger <olivf@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84750}
Bug: v8:13466
Change-Id: I91512140abb98993578d27e65e6080e1d3f317e6
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4089967
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84751}
This adds the ability to create an isolate from scratch, except the
read only roots, which are initialized from a read_only_data snapshot.
To do this we split the heap setup in a read/only part and the rest.
The goal of these changes is to later support writing serializer tests,
even if the read only roots are static and have to be loaded from a
fixed snapshot.
Bug: v8:13466
Change-Id: I078695b95710e5281da013ca0c08af0e153b4725
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4037271
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Olivier Flückiger <olivf@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84750}
This reverts commit 36bac1bcae.
Reason for revert: This possibly caused clusterfuzz issues and test flakiness.
Original change's description:
> [heap] Fix conservative stack scanning for client isolates
>
> With this CL, the context of stacks corresponding to all client isolates
> are saved, so that conservative stack scanning can be used correctly
> during a shared garbage collection. This happens:
>
> 1) in Heap::PerformSharedGarbageCollection, for the stacks of the shared
> isolate and the initiator;
> 2) when an isolate's main thread is waiting in a safepoint; and
> 3) when an isolate's main thread is parked.
>
> Bug: v8:13257
> Change-Id: I9ff060f2c0c1ec12977c70d67d65d9c543e2d165
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4027210
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84712}
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:13257
Change-Id: I7eb50b24243084d45b3f1bcc37a559b9f92e0318
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4092363
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Owners-Override: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84749}
Resolve a data race between concurrent sweeping and writing fillers by
the main thread.
Bug: v8:13554, v8:12612
Change-Id: I00bbceca92b4729b2d2bb32be0916a981cfde3e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4084762
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84747}
The last CL created an array with length zero and enough capacity, and let FastCreateDataProperty to append values. But, there are unnecessary checks in FastCreateDataProperty when appending values. Thus, it's more efficient to create an array filled with smi zero, and fill the values.
Bug: chromium:1395728
Change-Id: Ibe52c688c260637993983ab25f069ee80b212895
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4086126
Commit-Queue: Choongwoo Han <choongwoo.han@microsoft.com>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84745}
