Since its introduction (behind a compile-time flag), conservative stack
scanning was disabled by default on tests. This CL inverts this logic,
enabling CSS by default for all tests that do not define an explicit
scope to disable it.
Bug: v8:13257
Change-Id: I5ea4249d02f69b0b1e195415c2562daf5d8c0ea9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4100912
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84848}
... and the necessary IR nodes to test a simple
program: `"abc".charCodeAt(1)`
Bug: v8:7700
Change-Id: Ia670d8a44f39f4a0b8312d69d7d3f64cbc2b6831
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4106748
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84847}
With --shared-space the main isolate has to be disposed last, so we
can't really dispose the main isolate while worker isolates are
still running without violating our invariants.
Solve this by not invoking Isolate::Dispose() for `quit()`.
Bug: v8:13267, chromium:1400810
Change-Id: Id9d6288c62d9c03d5c2f40c52efd0ac6422ac822
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4106751
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84846}
Add gen-static-roots.py to conveniently re-generate the static roots
table when it needs changing.
Additionally, ensure the first read-only page is allocated as first page
during mksnapshot, to move static roots closer to start.
Bug: v8:13466
Change-Id: Ie72b64d0ad0dd3e5fccd3b41e8ed00a4a55a0033
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096481
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Olivier Flückiger <olivf@chromium.org>
Commit-Queue: Olivier Flückiger <olivf@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84844}
Since it (currently) needs to find the JumpLoop bytecode.
See comment in line 645.
Fixed: chromium:1400549
Bug: v8:7700
Change-Id: If73a9c8d2f5a85cceded34cdf1aa7b5895937990
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4103683
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84840}
The CL applies multiple changes:
1) Reverts back to using std::vector<> for young nodes. Distinguishing
between young and remembered nodes is still needed to allow fast
filtering.
2) Adds the has-old-host flag to TracedNode, which is used to remember a
node.
3) Adds bailouts for old objects into UnifiedHeapMarkingState and
ConservativeTracedHandlesMarkingVisitor.
Bug: v8:13475
Change-Id: Ib296ece9df6f783bb3d47ffa0794be16e6c1aea8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4080386
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84839}
If the current active tier is already Turbofan, then
we just return to JumpLoopPrologue codegen to deopt.
Fixed: v8:13585
Bug: v8:7700
Change-Id: Idf8f4990e8dfea9e9fd6e3378e15110ec09b1896
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4104623
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84838}
- Force using the isolate from VMState
- Mark all fields as const to allow for better code
Change-Id: I5538f615e22569dc365dbb0d1482138311932575
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4098629
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84837}
We should not enter V8 if it's marked for termination.
Bug: chromium:1382710
Change-Id: Ic58f7c7b32614431dce04e2429c60dd79040ec43
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030476
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84834}
- Both Call and CallKnownJSFunction are now architecture independent.
- Introduced PushReverse to push arguments.
- Added support for iterators to Push/PushReverse.
- Added RepeatIterator helper to push the same value N times.
Drive-by: Implement load/store from/to stack slot and double registers.
Bug: v8:7700
Change-Id: I4f995ded7e95b79d8c8c3d7b2ffd373f51e631d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4085006
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84833}
This CL adds support for BigIntEqual in turbofan and collects type
feedback for small BigInt equal and strict equal in ignition.
Bug: v8:9407
Change-Id: I29cbc4d3bdfe9fcde8c1717afe83654a84c25c36
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096557
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#84832}
With --shared-space we need the write barrier for incremental
marking.
Bug: v8:13267
Change-Id: I7fb6e6de0f793824f3c27b8ec3c29cba39901188
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4103241
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84831}
This is a reland of commit 303facf5e1
This CL fixes DCHECK failures by using BasicMemoryChunk in
RecordOldToSharedSlot.
Original change's description:
> [heap] Also promote strings in large objects into shared heap
>
> With --shared-string-table all in-place internalizable strings are
> directly promoted from new space into the shared heap. However, this
> wasn't the case with large objects. This CL fixes this and adds test
> to guide fuzzers.
>
> Bug: v8:13267, chromium:1400048
> Change-Id: I6f850d480956c63bfbe1a7060140df850e284933
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096818
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84805}
Bug: v8:13267, chromium:1400048, v8:13588
Change-Id: I221592ec723d2b5e92094ff2598a99576d72a677
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4098831
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84830}
Reflect the code attribution (in particular, "attribute non-functions to
JS functions") in the timeline view, which visualises the distribution
of each code kind. This allows easier visualisation of which tiers are
active, ignoring stubs that are shared between tiers (like ICs).
Change-Id: I1f2818ffd4e466ce18c01627865186e6a94e2bed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4105021
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84829}
After computing the branch offset but before emitting the actual branch,
we should not emit a constant pool. Otherwise the previously computed
offset would be off.
Instead of handling this indirectly via the Assembler::branch_offset
method, do this directly in the Assembler::b method (and friends), so it
is not missed on other call sites.
R=jkummerow@chromium.org
Bug: chromium:1399424
Change-Id: I0cbb219ced5b671001a296b1cc7c339f395abffe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4102800
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84828}
Currently, any session can resume instrumentation breaks by sending
Debugger.resume command. That can lead to unreliable breakpoint
placement because sessions can resume too early.
The early resumption can happen in two ways:
- When we have two instrumented sessions, the first one to resume
can prevent the other one from setting its breakpoints
before executing the code.
- With one instrumented session and one without instrumentation
breakpoints, the uninstrumented session's Debugger.resume
command can resume the instrumentation pause before the
instrumented session can set its breakpoints.
This patch fixes both of these issues by changing the instrumentation
pause resumption logic to take note of the sessions that were notified
about the instrumentation breakpoints. The debugger will only resume
once all those sessions resume (or disconnect).
Bug: chromium:1354043
Change-Id: I84cf16b57187dbb40645b2f7ec2e08f0078539dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4100466
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84827}
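The resumption rule described in the message above, as an added illustration that is not V8's inspector code: the pause records which sessions were notified and ends only when every one of them has resumed or disconnected. Session ids as strings and the Begin/Resume/Disconnect names are assumptions; the Legacy class shows the pre-patch behaviour for contrast.

```cpp
#include <cassert>
#include <set>
#include <string>

// Added illustration of the resumption rule; not V8's implementation.
// Assumption: sessions are identified by plain string ids.
class InstrumentationPause {
 public:
  // The debugger hit an instrumentation breakpoint and notified these
  // sessions. Only they (by resuming or disconnecting) can end the pause.
  void Begin(const std::set<std::string>& notified_sessions) {
    paused_ = true;
    pending_ = notified_sessions;
  }

  // Debugger.resume from a session. Returns true if the debugger actually
  // resumes. A session that was never notified (an uninstrumented session)
  // is not in the pending set, so its resume cannot end the pause early.
  bool Resume(const std::string& session) {
    if (!paused_) return false;
    pending_.erase(session);
    return MaybeResume();
  }

  // A disconnected session will never set its breakpoints, so it must not
  // hold the pause forever: treat disconnect like resume.
  bool Disconnect(const std::string& session) { return Resume(session); }

  bool paused() const { return paused_; }
  size_t pending_count() const { return pending_.size(); }

 private:
  bool MaybeResume() {
    if (!pending_.empty()) return false;  // someone still placing breakpoints
    paused_ = false;
    return true;
  }
  bool paused_ = false;
  std::set<std::string> pending_;
};

// Pre-patch behaviour for contrast: any Debugger.resume ends the pause,
// regardless of whether that session was notified at all.
class LegacyInstrumentationPause {
 public:
  void Begin(const std::set<std::string>&) { paused_ = true; }
  bool Resume(const std::string&) { bool was = paused_; paused_ = false; return was; }
  bool paused() const { return paused_; }
 private:
  bool paused_ = false;
};

int main() {
  InstrumentationPause p;
  p.Begin({"A", "B"});
  assert(!p.Resume("C") && p.paused());     // uninstrumented session: no effect
  assert(!p.Resume("A") && p.paused());     // B still has breakpoints to set
  assert(p.Disconnect("B") && !p.paused()); // last notified session gone
  LegacyInstrumentationPause l;
  l.Begin({"A", "B"});
  assert(l.Resume("C") && !l.paused());     // the early-resume bug
  return 0;
}
```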
This CL adds v8::ArrayBuffer::NewResizableBackingStore.
This API is needed to support Mojo cross-process serialization of
resizable buffers. See https://chromium-review.googlesource.com/c/chromium/src/+/4086949
Bug: chromium:1396361, v8:11111
Change-Id: I1d3ad367f28015184fd80fd2f05a37a3659d3a66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4093555
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84826}
Asm.js code (translated to Wasm) is valid by design, do not try to
validate it.
This is achieved by fully populating the {validated_functions} bitset
for asm.js modules. To make this safe(r) we do not allow changing the
origin of a WasmModule after initialization, which requires some
refactoring, mostly in tests.
R=ahaas@chromium.org
Bug: v8:13447, v8:13565
Change-Id: I174c01f13185ff4117b02882b953c6ba29a3644d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4100686
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84824}
There were compile errors when building v8 with v8_enable_precise_zone_stats = true.
../../src/zone/type-stats.cc:30:24: error: no type named 'Free' in namespace 'v8::base'
if (buffer_) base::Free(buffer_);
../../src/zone/zone.h:255:3: error: use of undeclared identifier 'stdd'; did you mean 'std'?
stdd::atomic<size_t> freed_size_for_tracing_ = {0};
Bug: v8:10572
Change-Id: If1035edc99eff05c418e0bc65de8a8729f75e30f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4098379
Commit-Queue: Choongwoo Han <choongwoo.han@microsoft.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84822}
This is necessary to allow running GC epilogue callbacks after a
GC in the safepoint. Handle dereferences are allowed even if that
particular thread is parked. They may generally also happen from a
different thread than expected by DCHECKs in the case of shared GCs
combined with multiple main threads.
This CL solves this issue by adding an additional assertion scope
that can temporarily allow such derefs for running the callbacks.
Unlike other assert scopes the new assert scope is disabled by
default.
Bug: v8:13267, chromium:1399379
Change-Id: Ibc741ad6bebb740cf24ae8be116d770f62ae6481
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4100826
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84821}
According to the style guide, field definitions should be the last thing
in the private section.
R=ahaas@chromium.org
Change-Id: I2b0890b7f5f5c8a9a19213a80c400bd9db080a05
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4097429
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84820}
AffectedFile.LocalPath returns a path with backward slashes in Windows. Update the presubmit script to handle this case properly.
Bug: v8:13582
Change-Id: Iabc46ded5a8448e5d373679162108f94846c06e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4099007
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Choongwoo Han <choongwoo.han@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#84819}
Build mode for serializing the read only heap as a memory dump in the
startup snapshot. This makes compressed pointers of root objects
statically known at mksnapshot time.
This CL also adds a feature to mksnapshot to dump the static addresses
to a C++ header file. This will allow us to use these addresses in the
future.
The mode is disabled for now since we need some build infrastructure
first to conveniently re-generate the table when the layout changes.
Bug: v8:13466
Change-Id: I975b15bd89fedf713fb7d12b4929935ece78139d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4056181
Commit-Queue: Olivier Flückiger <olivf@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84815}
This reverts commit 303facf5e1.
Reason for revert: Causes failures with fuzzers.
Original change's description:
> [heap] Also promote strings in large objects into shared heap
>
> With --shared-string-table all in-place internalizable strings are
> directly promoted from new space into the shared heap. However, this
> wasn't the case with large objects. This CL fixes this and adds test
> to guide fuzzers.
>
> Bug: v8:13267, chromium:1400048
> Change-Id: I6f850d480956c63bfbe1a7060140df850e284933
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096818
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84805}
Bug: v8:13267, chromium:1400048
Change-Id: If20528bbf804b73ce8ad10f8addc9a1f11b50d96
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4101261
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84813}
This will allow bugs such as crbug.com/1394403 to be found much more easily
by fuzzers as it will cause d8 to compile every function twice and to
verify that the resulting bytecode is the same.
In order to not lose fuzzer coverage of e.g. lazy compilation, this CL
also adds --lazy and --no-stress-lazy-source-positions to the fuzzer
configurations to be chosen with a small probability.
Bug: chromium:1394403
Change-Id: I172ac483b45978a669c9787e5f851daa985fd1f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096480
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84811}
The "is there enough data" check has to be done *after* reading
maxByteLength.
Bug: v8:11111, chromium:1400431
Change-Id: I7c2eddaeb998f3cd3919e118c093a5d036fca408
Fixed: chromium:1400431
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4100468
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84809}
The {Assembler::emit_operand} method is basically just copying 1-6 bytes
from {Operand::Data::buf} into the assembler buffer. This showed up with
>5% of Liftoff compilation time in a performance profile.
This CL makes this >2x faster by using an optimized copying routine
(using the same trick that libc's memcpy uses).
R=jkummerow@chromium.org
Bug: v8:13570
Change-Id: I525a94989c271b56ad7c148d21f234d05a25842a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4088606
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84807}
With --shared-string-table all in-place internalizable strings are
directly promoted from new space into the shared heap. However, this
wasn't the case with large objects. This CL fixes this and adds test
to guide fuzzers.
Bug: v8:13267, chromium:1400048
Change-Id: I6f850d480956c63bfbe1a7060140df850e284933
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096818
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84805}
Code objects are linked in a custom per-native-context weak list of
optimized code (previously there was also a list of deoptimized code,
but this was recently removed).
There used to be reasons for this list, but at this point it is only
used by the debugger to mark code for deoptimization. The debugger can
do this with a heap walk instead, so we can remove this list and indeed
the next_code_links from Code objects themselves.
Change-Id: Iebbed4adacd31b8ddc442ae6355ea45c691cc856
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4061515
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84804}
The "negative" instructions `br_on_non_*` & `br_on_cast_fail` created
the `TypeGuard` node for the successful branch using the effect /
control chain of the wrong branch.
As `TypeGuard`s do not generate code, these instructions are for the
Turbofan type system.
Bug: v8:7748
Change-Id: I12de7421a6d16e24d91336457443ab6f646ab309
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4097425
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84802}
We received feedback that the [[Scopes]] property has some legitimate
use-cases not covered by the Scopes View during pause.
We re-enable the feature for now and will remove the flag in a
follow-up.
R=bmeurer@chromium.org
Bug: chromium:1365858
Change-Id: Ibf279ae6c4f5ae492d03e9b4ee7316f6500508d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4099385
Auto-Submit: Simon Zünd <szuend@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84800}