The fix is in 630b884f84 not f2223961.
This reverts commit 464ee4b7ad.
Reason for revert: roll to 67.1 after the landing of the fix
Original change's description:
> Revert "Roll ICU from 65.1 to 67.1 (f2223961) & correct tests"
>
> This reverts commit e270b6d615.
>
> Reason for revert: V8 DEPS roll stuck https://crbug.com/v8/10567#c1
>
> Original change's description:
> > Roll ICU from 65.1 to 67.1 (f2223961) & correct tests
> >
> > Rolling to chrome/src is in
> > https://chromium-review.googlesource.com/c/chromium/src/+/2155530
> >
> > Since auto rolling stop after 3/24/2020 and the rolling will cause
> > change of test status, I get this cl ready (but not running trybot due
> > to 1074260) and plan to hand roll after the submission of 2155530.
> >
> > Bug: chromium:1064326, v8:9515, v8:10379, v8:10380, v8:10437
> > Change-Id: I19554f68cfdc5b717dfc7fc4b1222e9dc25b8d69
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2158486
> > Auto-Submit: Frank Tang <ftang@chromium.org>
> > Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> > Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> > Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#67493}
>
> TBR=jkummerow@chromium.org,machenbach@chromium.org,jshin@chromium.org,ftang@chromium.org,syg@chromium.org
>
> # Not skipping CQ checks because original CL landed > 1 day ago.
>
> Bug: chromium:1064326, v8:9515, v8:10379, v8:10380, v8:10437
> Change-Id: I3f4233815ed7414f2cde3d4d996696575b5f6e3a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2219334
> Reviewed-by: Zhi An Ng <zhin@chromium.org>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#68051}
TBR=jkummerow@chromium.org,machenbach@chromium.org,jshin@chromium.org,zhin@chromium.org,ftang@chromium.org,syg@chromium.org
# Not skipping CQ checks because this is a reland.
Bug: chromium:1064326, v8:9515, v8:10379, v8:10380, v8:10437
Change-Id: I1de5eb36eff420482a12205682b153a2493d5249
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2220781
Reviewed-by: Frank Tang <ftang@chromium.org>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68160}
This relands commit 76debfda32.
This fix here is to convert the original mjsunit test into a
cctest, where we check for SIMD support, and skip the test.
We don't have lowering for I64x2 yet, so this is the
workaround.
Original change's description:
> [wasm-simd][liftoff] Fix I64x2Mul
>
> The I64x2Mul overwrote the lhs/rhs if they are the same as dst. So when
> deciding if we need temporaries, we should not only check the
> cache_state, but whether they alias dst or not.
>
> Bug: chromium:1088273
> Change-Id: I82efa9b45e0a3d321a06efde60971ce95b21490f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2225796
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#68114}
Bug: chromium:1088273
Change-Id: Ia3fd251998159d9beb581a6af3414921fe968e40
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2227068
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68159}
vroundps assembly is incorrect:
- the signature was wrong, vroundps takes 2 operands and 1 immediate
- when calling vinstr, should always pass xmm0, this wasn't causing
issues because our test cases were restricted enough that it was always
xmm0 anyway
- the macro assembler should use AVX_OP_SSE4_1, since roundps requires
SSE4_1
- drive-by fix for roundss and roundsd to be AVX_OP_SSE4_1
- add disasm for roundps and vroundps, and test them
Bug: v8:10553
Change-Id: I4046eb81a9f18d5af7137bbd46bfa0478e5a9ab2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2227252
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68157}
All subtyping has been removed from the reference-types proposal. This
CL implements this proposal change now in V8.
R=manoskouk@chromium.org
Bug: v8:10556
Change-Id: I08ef064952278e03ea655461fa9f0c96426157c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2222345
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68152}
This ports HeapStatsCollector (former ThreadHeapStatsCollector) from
Blink. The CL only ports accounting of allocated object size which is
needed for a simple growing strategy in a follow up.
HeapStatsCollector is a global dependency for most sub components as
it provides infrastructure for measuring time (through trace scopes)
and space.
The general idea of HeapStatsCollector is to act as sink where all sub
components push time and space information. This information is then
gathered and made available via an event that is implemented as POD.
Time-dependent info is available through regular getters (pull) and
observers (push).
Change-Id: I40b4d76e1a40c56e5df1a7353622318cde730e26
Bug: chromium:1056170
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2225902
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68150}
Even in unreachable code, the targets of br_table have to have matching
types.
R=thibaudm@chromium.org
Bug: v8:10556
Change-Id: I2e85df3cb92f7910a6bcb5ac03927c424194660d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2218062
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68148}
Add some abstractions to make it easier to define more tests.
Bug: v8:7748
Change-Id: Ia5605aa10963228eb4bfba37e2b412fc5af860d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2224212
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68147}
Added return value display when tracing function calls in wasm.
The new types handled are I32, I64, F32 and F64.
Only single return value is handled.
R=clemensb@chromium.org
Bug: v8:10559
Change-Id: I726d08fcfdc8bf2c3e43a25ec1932412ff74387b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2225024
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Arnaud Robin <arobin@google.com>
Cr-Commit-Position: refs/heads/master@{#68143}
This is a followup of the cl [1] that fixes a bug where bytecode was
getting flushed when allocating feedback vector. The fix added
IsCompiledScope before allocating a new feedback vector. We now pass
IsCompiledScope to JSFunction::EnsureFeedbackVector. This makes it
explicit that EnsureFeedbackVector expects a function that is compiled
and the bytecode shouldn't be flushed during the allocation.Also adds
a test.
[1] https://chromium-review.googlesource.com/c/v8/v8/+/2218066
Bug: v8:10560
Change-Id: I552c449a57555dffa625b2e4efa04c2c276fc0b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2222347
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68142}
With recent changes to the anyref proposal, null refs now have a type
immediate which declares the type of a null ref constant. Likewise,
the RefIsNull instruction is type aware now. This CL addresses these
proposal changes now.
R=jkummerow@chromium.org
Bug: v8:10556
Change-Id: I810dfa3a4ab4389afc9639f897cee5d43e9b62cb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2215172
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68141}
Now ReadOnlySpace is not a Space, it cannot be upcasted to it, so cast
to BaseSpace as well.
Fixes ubsan failure introduced by
https://chromium-review.googlesource.com/c/v8/v8/+/2209060.
Bug: v8:10454
Change-Id: I2936bfd8349377b441be4a6eedf580d91f1c4ee4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2228723
Commit-Queue: Dan Elphick <delphick@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68140}
This changes ReadOnlySpace to no longer be a PagedSpace but instead it
is now a BaseSpace. BasicSpace is a new base class that Space inherits
from and which has no allocation methods and does not dictate how the
pages should be held.
ReadOnlySpace unlike Space holds its pages as a
std::vector<ReadOnlyPage>, where ReadOnlyPage directly subclasses
BasicMemoryChunk, meaning they do not have prev_ and next_ pointers and
cannot be held in a heap::List. This is desirable since with pointer
compression we would like to remap these pages to different memory
addresses which would be impossible with a heap::List.
Since ReadOnlySpace no longer uses most of the code from the other
Spaces it makes sense to simplify its memory allocation to use a simple
bump pointer and always allocate a new page whenever an allocation
exceeds the remaining space on the final page.
Change-Id: Iee6d9f96cfb174b4026ee671ee4f897909b38418
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2209060
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68137}
Fuzzilli is open source fuzzer by Samuel Groß (saelo@google.com)
that can be used to find bugs in v8 javascript engine. As we want
to automate fuzzing for current versions of v8, we want to merge
fuzzilli toolkit into v8 code, so that fuzzer can automatically
update to the newest version.
So far Fuzzilli has been maintained at
https://github.com/googleprojectzero/fuzzilli .
Bug tracker Id: https://bugs.chromium.org/p/v8/issues/detail?id=10571
Change-Id: I83ddc7e8bb31664c19e4044395bb9044a1c12031
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2201760
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68132}
https://crrev.com/c/2072858 rewrote the implementation of non-unicode
ignore-case matches to comply with the JS spec in some corner
cases. It fixed character matches and character class matches.
We missed a similar bug in the implementation of back references. This
CL fixes that bug.
The main change is in regexp-macro-assembler.cc, where
CaseInsensitiveCompareUC16 is split into CaseInsensitiveCompareUnicode
(which has the same semantics as before) and
CaseInsensitiveCompareNonUnicode (which has the semantics described
here: https://tc39.es/ecma262/#sec-runtime-semantics-canonicalize-ch).
Most of the rest of the patch undoes https://crrev.com/c/2081816 to
once again make the unicode flag available to the macroassembler, so
that we can decide which helper function to call.
The testcase is a version of test/intl/regress-10248.js, modified to
test backreferences.
Bug: v8:10573
Change-Id: I70ef7d134d37f99b1f75a5eba17020e82d59f1b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2219284
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68129}
This CL makes the test stricter by requiring specific string shapes;
before it was possible to skip verification if strings were
short-circuited, which I believe is no longer possible due to thin
strings.
I also added a regression test for the linked bug, which requires
a String.p.split call on a two-byte-in-one-byte string with an empty
string separator argument.
Bug: chromium:1088179
Change-Id: Ibb3180afe612a64fcf6a506d18bbc415840526a8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2228609
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68128}
This fixes the gcov build.
Bug: chromium:1056170
Change-Id: I40ac42b6fce77367c6a366544abf89fc21075cdc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2228510
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68125}
Since the interpreter cannot call out to JS any more, there cannot be
more than one activation at a time. Hence remove the concept of
activations.
R=ahaas@chromium.org
Bug: v8:10389
Change-Id: Ifda5624e192464a1aed2943787bc6860d1917719
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2219942
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68118}
This reverts commit 76debfda32.
Reason for revert: Nullptr access in new test: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux/37265
Original change's description:
> [wasm-simd][liftoff] Fix I64x2Mul
>
> The I64x2Mul overwrote the lhs/rhs if they are the same as dst. So when
> deciding if we need temporaries, we should not only check the
> cache_state, but whether they alias dst or not.
>
> Bug: chromium:1088273
> Change-Id: I82efa9b45e0a3d321a06efde60971ce95b21490f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2225796
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#68114}
TBR=clemensb@chromium.org,zhin@chromium.org
Change-Id: I5fd337b71d82d262d36ff410077a11c17b50036b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:1088273
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2226756
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68117}
In production, we will always pass a pointer to the decoded module. The
only reason for the existance of the nullptr checks is that tests
sometimes don't pass a module here. Hence we pay in production code for
a test-only feature.
This CL fixes this by always passing a module pointer from the decoder
tests. This even simplifies the code a lot by removing redundant code.
The {TestModuleBuilder} class was moved before the definitions of the
{FunctionBodyDecoderTest} class in order to be able to reuse it there.
It's unmodified otherwise.
R=ahaas@chromium.org
Bug: v8:10576
Change-Id: I7d876bfc8a27b50fe713afb8848fb4f642287cfa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2226749
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68116}
The I64x2Mul overwrote the lhs/rhs if they are the same as dst. So when
deciding if we need temporaries, we should not only check the
cache_state, but whether they alias dst or not.
Bug: chromium:1088273
Change-Id: I82efa9b45e0a3d321a06efde60971ce95b21490f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2225796
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68114}
The SourcePositionTableBuilder unconditionally allocates heap memory for
every Liftoff compilation. This shows up with 1-2% of compilation time
in profiles. Hence move the vector contained in the
SourcePositionTableBuilder into the compilation zone. Such a zone
already exists for both Liftoff and TurboFan, so we can easily save
allocations this way.
R=thibaudm@chromium.org
Bug: v8:10576
Change-Id: Ia83d05cc8c36c775ebff6ec2064e9c3f8cc4d384
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2224221
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68112}
All tests pass now with --concurrent-allocation and --local-heaps flags
set to true.
Bug: v8:10315
Change-Id: I03a70933aa0db4d9e74933ad2fc4cb81105cb889
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2218061
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68111}
We need to reserve two pages for young objects and objects on
the evacuation candidate page.
Change-Id: I0c4e8f85971676c0b50dfd947678a33dd1b56084
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2224364
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68110}
If --turbo-nci is enabled, use compare op builtins with feedback
collection during generic lowering.
Bug: v8:8888
Change-Id: I886020e2ee280f65388d9987c70958546f99e0f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2215821
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68100}
This adds support for multiple isolates sharing the same module but
setting different breakpoints. This is simulated by having a debugger
test that runs in the "--isolates" variant, i.e. two isolates running
the same test at the same time. Both isolates will set and remove
breakpoints.
The DebugInfo will keep a separate list of breakpoints per isolate, and
when recompiling a function for debugging it will respect all
breakpoints in all isolates.
In order to ensure consistency if multiple isolates are setting or
removing breakpoints simultaneously, we go back to a more coarse-grained
locking scheme, where the DebugInfo lock is held while re-compiling
Liftoff functions.
While recompilation will install the code in the module-global code
table and jump table (and hence all isolates will use it for future
calls), only the stack of the requesting isolate is rewritten to
immediately use new code. This is OK, because other isolates are not
interested in the new breakpoint(s) anyway.
On {SetBreakpoint}, we always need to rewrite the stack of the
requesting isolate though, even if the breakpoint was set before by
another isolate.
Drive-by: Some fixes in SharedFunctionInfo in order to support setting
breakpoints via the Debug mirror.
R=thibaudm@chromium.org
Bug: v8:10359
Change-Id: If659afb273260fc5e8124b4b617fb4322de473c7
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_isolates_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2218059
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68096}
Unreachable code may consume values from an empty stack as needed, known
as stack polymorphism. After consuming the values, the stack height
should still be 0, which was incorrectly handled by multi-value blocks.
R=ahaas@chromium.org
Bug: chromium:1085507
Change-Id: Ibf5f2d05bec0fbe029cfa66ee2d07540a370934a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2218033
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68070}
This is a reland of dfdef88547
Original change's description:
> [wasm-simd] Fix extract lane unsigned extend
>
> The interpreter is missing a static cast when extracting lanes smaller
> than int32_t and doing an unsigned extend. The array in Simd128 is
> signed, so a direct cast to uint32_t will be a signed extension. The fix
> is to, in the unsigned case, cast to unsigned (of the appropriate size)
> first, then cast to uint32_t.
>
> Change-Id: Ifabb5b9690f08ad505ac94b84908db0970581818
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2216721
> Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#68029}
Change-Id: Ica7974a2f1f2a4f07b54cc68f9abcf5e121a9262
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2219414
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68063}
Split platform into a process-global initialization part and per-heap
platform objects.
These platform objects still contain allocators and executors. With
per-heap platforms GetForegroundTaskRunner() returns by definition the
correct runner.
In future, when initialized throuhg V8, an adapter can be used to
translate between the different platforms, avoiding the needed for V8
embedders to provide additional information.
Bug: chromium:1056170
Change-Id: I11bdd15e945687cfbdf38cae4137facb02559e0a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2218030
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68059}
Allocating a new feedback vector happens in two steps: We create an
empty structure and then initialize the array based on the
FeedbackMetadata.When allocating a new feedback array we could trigger
a GC which might flush the bytecode and associated feedback metadata.
This shouldn't happen in normal cases, because we either allocate
feedback vector after compilation or when we reach the expected budget.
In both cases, the age of the feedback vector should be 0 and hence
bytecode shouldn't be flushed. However, with debugger enabled we may
allocate feedback vectors even when the bytecode array is old
for example: when we enable precise invocation counters. This also
causes issues in tests with --stress-flush-bytecode. In the stress mode
we flush bytecode without considering the age. Holding on to the
feedback metadata prevents crashes in such cases.
Bug: v8:10560
Change-Id: Ie806ff4102cb5fcf257c8683d5ca957853e38c05
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2218066
Commit-Queue: Mythri Alle <mythria@chromium.org>
Auto-Submit: Mythri Alle <mythria@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68052}
This reverts commit e270b6d615.
Reason for revert: V8 DEPS roll stuck https://crbug.com/v8/10567#c1
Original change's description:
> Roll ICU from 65.1 to 67.1 (f2223961) & correct tests
>
> Rolling to chrome/src is in
> https://chromium-review.googlesource.com/c/chromium/src/+/2155530
>
> Since auto rolling stop after 3/24/2020 and the rolling will cause
> change of test status, I get this cl ready (but not running trybot due
> to 1074260) and plan to hand roll after the submission of 2155530.
>
> Bug: chromium:1064326, v8:9515, v8:10379, v8:10380, v8:10437
> Change-Id: I19554f68cfdc5b717dfc7fc4b1222e9dc25b8d69
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2158486
> Auto-Submit: Frank Tang <ftang@chromium.org>
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#67493}
TBR=jkummerow@chromium.org,machenbach@chromium.org,jshin@chromium.org,ftang@chromium.org,syg@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: chromium:1064326, v8:9515, v8:10379, v8:10380, v8:10437
Change-Id: I3f4233815ed7414f2cde3d4d996696575b5f6e3a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2219334
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68051}
Temporarily disable stress-bytecode-flush on
mjsunit/regress/regress-786784 while we investigate failures related
to bytecode flushing.
Bug: v8:10560
Change-Id: Ieb5cc7ba87da04133e98c6be25c9a499d79543e0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2218038
Reviewed-by: Marja Hölttä <marja@chromium.org>
Auto-Submit: Mythri Alle <mythria@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68046}
Instead of keeping a single {stepping_frame_} per native module, we now
keep one frame id per isolate. Hence, each isolate can step through a
different frame, independent of other isolates.
The on-stack-replacement of the stepping frame already works on a
per-isolate basis, since we only replace the return address of a single
frame, part of the isolate that requested stepping.
The new test (which also executes in a variant with two concurrent
isolates) revealed some more data races to fix.
R=thibaudm@chromium.org
Bug: v8:10359
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_isolates_rel_ng
Change-Id: I0bb013737162bd09b9f4be9c08990bca7bf736ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2214838
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68045}
Make sure that any GCs required for off-thread heap merging happen
before any off-thread handle transferring (both transferring using
OffThreadTransferHandle, and the handles created for the string slot
fixups). This is to avoid the marker from walking Handle roots that
point into off-thread pages which the sweeper doesn't see (and can't
clear mark bits on)
Now, the merging and handle creation is atomic as far as the GC is
concerned. The merging is done before handle creation to avoid the
incremental marker from entering off-thread pages, but we ensure that
the raw objects pointers that point into the off-thread pages (which
are used for creating the main-thread handles) stay valid until the
handle creation completes.
Since handle transfer now happens in the middle of publishing, this
patch also moves the OffThreadTransferHandleStorage ownership over to
OffThreadHeap. This requires some header juggling to avoid leaking
OffThreadTransferHandleStorage into the off-thread-isolate header.
Bug: chromium:1086478, chromium:1011762
Change-Id: Id5e7622d6b5520400a4872c5f6ad396c74b30ca6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2218058
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68043}
In BinaryOpAssembler::Generate_BinaryOperationWithFeedback, the
feedback is stored only after the respective builtin/runtime call.
If this call throws an exception, the feedback is lost, leading
to a deopt loop in some cases. This CL fixes that issue by writing
the gathered feedback before passing control to the builtin.
Bug: chromium:1077197, v8:9441
Change-Id: I20e4b14815520224e2c6f8af1af6a89f754ccddf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2202904
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68038}
This is a reland of 6204768bab
The original issue exposed the problem that NumberEqual performs
implicit conversion of oddballs to numbers, which is incorrect for
abstract equality comparison (i.e. 0 == null must not be true).
This reland fixes this by applying the following steps:
* Introduced a new kNumberOrBoolean value for CompareOperationFeedback,
CompareOperationHint, TypeCheckKind and CheckedTaggedInputMode.
* In CodeStubAssembler::Equal: Further distinguish between boolean and
non-boolean oddballs and set feedback accoringly.
* In JSTypedLowering: Construct [Speculative]NumberEqual operator with
CompareOperationHint::kNumberOrBoolean, when this feedback is present.
JSOperatorBuilder and operator cache are extended accordingly.
* In SimplifiedLowering: Propagate a UseInfo with new
TypeCheckKind::kNumberOrBoolean.
* This leads to the generation of CheckedTaggedToFloat64 in
RepresentationChanger with new CheckedTaggedInputMode::kNumberOrBoolean.
* In EffectControlLinearizer: Handle this new mode. Accept and convert
number and boolean and deopt for rest.
Original change's description:
> [turbofan] Improve equality on NumberOrOddball
>
> This CL cleans up CompareOperationFeedback by replacing it with a
> composable set of flags. The interpreter is changed to collect
> more specific feedback for abstract equality, especially if oddballs
> are involved.
>
> TurboFan is changed to construct SpeculativeNumberEqual operator
> instead of the generic JSEqual in many more cases. This change has
> shown a local speedup of a factor of 3-10, because the specific
> operator is way faster than calling into the generic builtin, but
> it also enables additional optimizations, further improving
> runtime performance.
>
> Bug: v8:5660
> Change-Id: I856752caa707e9a4f742c6e7a9c75552fb431d28
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2162854
> Reviewed-by: Mythri Alle <mythria@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#67645}
TBR: tebbi@chromium.org
Bug: v8:5660
Change-Id: I12e733149a1d2773cafb781a1d4b10aa1eb242a7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2193713
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68037}
