After https://crrev.com/c/2807609 a test has started
failing as parameter_slots was more than 16 bits, hence
we need to load it instead of using it as an immediate value.
Change-Id: I738472634b3e30cbf277959965e72b028f9fb969
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2826231
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73956}
Instead of assigning serial numbers when the template infos are
created, this patch creates serial numbers only when they are added to
cache.
This way only the ones that are first instantiated are allocated the
fast template cache. Previously, various accessors and methods that
would almost never get instantiated got assigned to the fast template
cache.
Bug: v8:11284
Change-Id: I8f7578aa0dae48267bbc6303515114eb6e24c1c4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2621081
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#73655}
TBR: ulan@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2825592
Cr-Commit-Position: refs/heads/master@{#73951}
.. of the backing store, instead of continuing and silently attempting
to deref nullptr.
Bug: chromium:1198657
Change-Id: I82e51abc4d2f9dfe0de596b082a6f78089af7df8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2824438
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73949}
Similarly to Windows, on macOS we should touch the memory in a page
when allocating stack space that crosses page boundaries.
Change-Id: I8968805c4abe255123a41d0f63f89d4af509b6c8
Bug: v8:11615
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2825588
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73948}
By using RWX memory to write we've likely managed to avoid the largest
part of the cost on Intel CPUs.
Bug: v8:11420
Change-Id: Ibf571abc136fc97b3e6429fe42ebf4cfc423b458
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2824443
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73947}
We add one more member function template to AvxHelper to allow one new
way of calling:
- Andps(x, y, z) -> vandps(x, y, z), andps(x, z) && x == y
Clean up a bunch of places where we need to pass an int literal as a
byte.
Unfortunately we cannot define Movq using AVX_OP. Because of the way
movq is defined in the assembler, using function templates, there are
versions of movq with 1 argument defined. That is not a valid
instruction (but is valid for `dec`). We end up selecting
vmovq(XMMRegister, Register) and movq(XMMRegister), which is not valid.
Bug: v8:11589
Change-Id: I45e3bc213d93ece7f65da8eb1e3fa185aec4c573
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2815560
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73944}
We optimized swizzle with constant mask, but failed to actually swizzle
using the masks...
Bug: v8:10992
Change-Id: If655fdad1e17e92b62e8a2eaabbf1f8d82e4d5e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2822951
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73943}
This is similar in spirit to https://crrev.com/c/2808621, which is to
ensure that no matter what combination of --[no-]enable-{extension} flag
is passed, we end up with a set of supported extensions that make sense.
The 2 rules are:
- If a newer extension is supported (SSE4_2), older extensions are
supported (SSE4_1, SSSE3, SSE3),
- If an older extension is not supported (SSE4_1), new extensions are
not supported (SSE4_2, AVX)
Tests have been added to both ia32 and x64 to check that we follow these
above 2 rules.
We change the ProbeImpl to have a reconciliation step to ensure that we
stick to the 2 rules.
E.g. if --enable-avx --no-enable-sse4-2, we will first set AVX to
supported, then in the second step, fix-up AVX to unsupported. In this
sense, the --no version of the flags take priority. This more accurately
follows the intention of the flags.
Bug: chromium:1195579
Change-Id: I0390f24de9d203fe6bbd4cc02a23771a1f052618
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2818570
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73942}
Added a comparison to throw a TypeError when the "enumerable"
field of the new descriptor doesn't match the one of the old descriptor.
Bug: v8:10782
Change-Id: I2f1acf215e597b85be5d29e22c006cbd79afcb47
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2818067
Commit-Queue: Luis Fernando Pardo Sixtos <lpardosixtos@microsoft.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73941}
- Add %BaselineOsr to manually trigger OSR to Baseline.
- Add flags to %GetOptimizationStatus to check if the topmost frame is
an Interpreter/Baseline frame.
- Add mjsunit test.
Bug: v8:11420
Change-Id: Id80421ad97ee719a67ef299cc700da9c44f23bae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814567
Auto-Submit: Patrick Thier <pthier@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73937}
From the concurrent compiler's perspective, we can perform those
read/writes non-atomically and have wider TSAN coverage. The concurrent
marker, however, needs them to be atomic.
Bug: v8:7790
Change-Id: I96897f4f6237c90da018ec89be838aae894c24bc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817538
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73935}
When looking for intersections between the current range and inactive
range, we can stop the search as soon as the inactive range's next start
is past the current range's end position. We know that subsequent
inactive ranges cannot intersect either, because they are ordered by
their next start.
R=sigurds@chromium.org
Bug: chromium:986862
Change-Id: I249a781be281abc7b438f31848f5d6cb3a25303f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821434
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73932}
The method was scheduled for removal in M92, as finaly part of the
fn.displayName support removal.
Fixed: chromium:1177685
Doc: https://bit.ly/devtools-function-displayName-removal
Change-Id: I243dd6c9849a6f39e76dd003300b639bfd8df604
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821954
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73930}
The CanAllocateArray used to be executed during JSCreateLowering,
leading to bailouts when large arrays are passed as arguments to
an async function or a bound function. This meant that
JSCreateAsyncFunctionObject or JSCreateBoundFunction will reach
JSGenericLowering, where they are not lowered. This CL moves
the checks earlier in the pipeline during JSNativeContextSpecialization
and JSCallReducer respectively, so that those operators are not
created at all in such cases and we bail out to the runtime instead.
Bug: v8:11564
Change-Id: I232ce7d9378730ae0cc8690e52fde840a484e069
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2807609
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73928}
Multivalue has been shipped for a while now, so it is time to remove
its experimental feature flag.
Additional change: Set kV8MaxWasmFunctionReturns to the old
kV8MaxWasmFunctionMultiReturns value.
Change-Id: I5c4d33b036e64a7221de17f0e97119bb0a036838
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817790
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73927}
With a shared cage, there's no easy way to recover an Isolate from a
heap pointer. Symbol::Description relies on RO symbols' description slot
being uncompressed so a Handle could point to it. This isn't possible
with a shared cage without going through TLS to get an Isolate for
Handle construction, so deprecate the method in favor of one that takes
an Isolate directly.
Bug: v8:11460
Change-Id: I69b2b7d77f4c00d0f58954cd80e22cba5ff222e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2802860
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73924}
Port 5e0b94c4dc
Original Commit Message:
This CL adds features to pack/unpack map words.
Currently V8 cannot store extra metadata in object headers -- because V8
objects do not have a proper header, but only a map pointer at the start
of the object. To store per-object metadata like marking data, a side
table is required as the per-object metadata storage.
This CL enables V8 to use higher unused bits in a 64-bit map word as
per-object metadata storage. Map pointer stores come with an extra step
to encode the metadata into the pointer (we call it "map packing").
Map pointer loads will also remove the metadata bits as well (we call it
"map packing").
Since the map word is no longer a valid pointer after packing, we also
change the tag of the packed map word to make it looks like a Smi. This
helps various GC and barrier code to correctly skip them instead of
blindly dereferencing this invalid pointer.
A ninja flag `v8_enable_map_packing` is provided to turn this
map-packing feature on and off. It is disabled by default.
* Only works on x64 platform, with `v8_enable_pointer_compression`
set to `false`
R=wenyu.zhao@anu.edu.au, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N
Change-Id: I4a13093e7b20bb38990d947c697008a920cfe715
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821649
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73923}
It's used when setting up the context snapshot for blink, so we want to
be sure that it doesn't execute script.
Bug: chromium:728583
Change-Id: I46507e18d178e6473dd10348a9f253016a9178b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2807615
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73920}
Finer grained control of platforms that support threads are
enforced by chromium.
Bug: chromium:1167733
Change-Id: Ic34a4950aebf6ba394053b79df97b703af333636
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2810190
Reviewed-by: Lutz Vahl <vahl@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73919}
The existing code assumes that the number of inputs is fixed to 4.
However, the fuzzer says that at least 5 inputs are also possible.
This CL makes the number of inputs more flexible.
CC=sam.parker@arm.com
Bug: chromium:1197393
Change-Id: I487ac96570b96f04b4d0a47065e7b383ba39016f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821435
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73917}
The pointer compression cage is the virtual memory reservation
that all compressed pointers fall within. This CL splits pointer
compression into two modes: a per-Isolate cage and a shared cage
among multiple Isolates.
When multiple Isolates are sharing a cage, they can decompress
each others' pointers and share the same virtual memory range.
Bug: v8:11460
Change-Id: I7b89b7413b8e7ca6b8b6faafd083dc387542a8b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2783674
Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73916}
This CL adds features to pack/unpack map words.
Currently V8 cannot store extra metadata in object headers -- because V8
objects do not have a proper header, but only a map pointer at the start
of the object. To store per-object metadata like marking data, a side
table is required as the per-object metadata storage.
This CL enables V8 to use higher unused bits in a 64-bit map word as
per-object metadata storage. Map pointer stores come with an extra step
to encode the metadata into the pointer (we call it "map packing").
Map pointer loads will also remove the metadata bits as well (we call it
"map packing").
Since the map word is no longer a valid pointer after packing, we also
change the tag of the packed map word to make it looks like a Smi. This
helps various GC and barrier code to correctly skip them instead of
blindly dereferencing this invalid pointer.
A ninja flag `v8_enable_map_packing` is provided to turn this
map-packing feature on and off. It is disabled by default.
* Only works on x64 platform, with `v8_enable_pointer_compression`
set to `false`
Bug: v8:11624
Change-Id: Ia2bdf79553945e5fc0b0874c87803d2cc733e073
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2247561
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73915}
We have to have special rules for bit_fields since we multiple accesors
touch the same field. I used:
* If the accessor is set at map initalization time only and:
* only the main thread accesses it: non-atomic write/read
* bg accesses it too: non-atomic write, relaxed read (read has to be
relaxed due to the whole bit_field being modified concurrently via
other bit_field3 accessors)
* If the accessor is set after map initialization:
* but it is not necessary for synchronization: relaxed write/read
* If the accessor is needed for synchronization: release/acquire
As a note, Map::NumberOfOwnDescriptors are the bits accessed by the
concurrent marker. For concurrent marker reasons it can be relaxed, but
we would like it to be release/acquire for the compiler since that's
where we synchronize Maps with adding descriptors to the descriptor
array.
Bug: v8:7790, chromium:1150811
Change-Id: I0ba7d2f8cb81d65a487970b4ea0bfa2a4cb3a975
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773286
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73911}
Make runtime-call-stats a compile-time flag. Disabling RCS saves roughly
1MB binary size on 64bit systems and yields minor performance
improvements.
Bug: v8:11299
Change-Id: Ia1db75e330a665db5251b685c164b96857e38d2d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2799766
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73910}
We have to respect the TypeCheckKind.
Bug: chromium:1195777
Change-Id: If1eed719fef79b7c61d99c29ba869ddd7985c413
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817791
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73909}
Skip wasm/simd test for riscv64
Add buitin info when call a builtin.
Port 064ca18ca2
Change-Id: I1150de98a95231abf9d5def9e95ad38a8a42bbb3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814128
Reviewed-by: Brice Dobry <brice.dobry@futurewei.com>
Commit-Queue: Brice Dobry <brice.dobry@futurewei.com>
Cr-Commit-Position: refs/heads/master@{#73908}
If a loop is removed in dead code elimination, we may have a dead node
in the control chain. This wasn't expected, and endless recursion could
result.
Bug: chromium:1196185
Change-Id: Id6d69d0eaed11b0c6158b5643d3433b11611af59
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817792
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73906}
This CL makes more assumptions in the fast-api-call mjsunit test
explicit and specifies --deopt-every-n-times=0 for it, as it relies
on particular optimization/deoptimization sequences. It also fixes an
inconsistency between the fast/slow path results.
Bug: v8:11620
Change-Id: I385949a04534cd1658236878875efa6622936bc5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817607
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73905}
In Isolate::UnwindAndFindHandler(), the thread-in-wasm flag was set
before the destructor of some objects in that function got executed,
e.g. the destructor of {WasmCodeRefScope}. On Windows-asan, these
destructors could throw exceptions (asan on Windows uses exceptions for
its memory access tracking), which get handled initially by the wasm
trap handler, and would thereby invalidate the thread-in-wasm flag.
With this CL a new scope gets introduced which makes sure that setting
the thread-in-wasm flag is the last thing that happens in
Isolate::UnwindAndFindHandler().
Bug: chromium:1195595
Change-Id: If9f5f486c55b3bc2718a1d5aee3e3bd290d0ff35
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817598
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73904}
Several spots in arm codegen require 24-bit integers; since getting
this wrong is usually a security problem, let's change these DCHECKs
into CHECKs.
Bug: chromium:1197363
Change-Id: I277dc8fe4771adae89375adbe19a33d2c9f6783c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2820972
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73902}
