When a wasm function has a large stack frame, the x64 code generator
performs the stack overflow check before constructing the frame. This
requires using the `address_of_real_stack_limit` external reference, as
well as the `ThrowWasmStackOverflow` runtime function.
`ThrowWasmStackOverflow` is called via a generated trampoline, but it is
not a builtin, so the serializer adds it to the `stub_lookup_` map. This
map is encoded by using a monotonically increasing `stub_id` that starts
at 0.
When the function is serialized, a stub is differentiated from a builtin
by which half of the `i32` bits is used, upper or lower. A stub only
uses the lower 16 bits and a builtin only uses the upper 16 bits.
The deserializer checks whether the lower 16 bits are 0; if so, it is
determined to be a builtin. But if the `stub_id` is 0, then it will be
confused with builtin 0 (`RecordWrite`). Calling the builtin instead of
the stub causes a crash.
This CL starts all `stub_id`s at 1, which prevents the builtin/stub
confusion.
There is an additional bug that is not fixed by this CL:
`ThrowWasmStackOverflow` shouldn't be called at all. Currently it is
called because `address_of_real_stack_limit` is a thread-local value
that is not properly relocated.
Bug: chromium:808848
Change-Id: I06b3e650ea58ad717dcc47a3716443e16582e711
Reviewed-on: https://chromium-review.googlesource.com/981687
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52252}
Also annotate maps with the space, now that this can be RO_SPACE as well
as MAP_SPACE.
Bug: v8:7464
Change-Id: Id597b2195c179b38f93b0e1c6b2ce9ef04e4f0e4
Reviewed-on: https://chromium-review.googlesource.com/980554
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52251}
This reduces time it takes for the compiled module to be reclaimed. It
switches the reference in question from a weak reference with finalizer
to a phantom reference, because the finalizer was only clearing the
reference by now anyways.
R=ahaas@chromium.org
BUG=chromium:824443
Change-Id: I51f0dbd487281184f82fd6c79fcf27514721b819
Reviewed-on: https://chromium-review.googlesource.com/978243
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52247}
This reverts commit 496d05967c.
Reason for revert: https://logs.chromium.org/v/?s=chromium%2Fbb%2Fclient.v8%2FV8_Linux64_-_internal_snapshot%2F14705%2F%2B%2Frecipes%2Fsteps%2FCheck__flakes_%2F0%2Flogs%2FOutOfMemoryIneffectiv..%2F0
Original change's description:
> [heap] Detect ineffective GCs near the heap limit.
>
> Currently V8 can enter CPU thrashing GC loop near the heap limit. In
> such cases it is better to trigger an out-of-memory failure earlier to
> avoid wasting CPU time and to avoid unresponsiveness.
>
> This patch adds a mechanism for tracking consecutive ineffective GCs.
> A GC is considered ineffective if the heap size after the GC is still
> close to the heap limit and if the average mutator utilization dropped
> below a fixed threshold.
>
> V8 execution is aborted after four consecutive ineffective GCs.
>
> Bug: chromium:824214
> Change-Id: I647032707d49e5383e1317c5e7616dd57077ea32
> Reviewed-on: https://chromium-review.googlesource.com/978178
> Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#52244}
TBR=ulan@chromium.org,hpayer@chromium.org
Change-Id: I267d247010a90224be60c27c83eeb37c3878fba5
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:824214
Reviewed-on: https://chromium-review.googlesource.com/982072
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52246}
Since the flags are used for more than just giving hints to the
compiler, the name isn't appropriate anymore.
Change-Id: I4b2f87a117490e7f1e1a693394e46633e751b444
Reviewed-on: https://chromium-review.googlesource.com/982012
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52245}
Currently V8 can enter CPU thrashing GC loop near the heap limit. In
such cases it is better to trigger an out-of-memory failure earlier to
avoid wasting CPU time and to avoid unresponsiveness.
This patch adds a mechanism for tracking consecutive ineffective GCs.
A GC is considered ineffective if the heap size after the GC is still
close to the heap limit and if the average mutator utilization dropped
below a fixed threshold.
V8 execution is aborted after four consecutive ineffective GCs.
Bug: chromium:824214
Change-Id: I647032707d49e5383e1317c5e7616dd57077ea32
Reviewed-on: https://chromium-review.googlesource.com/978178
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52244}
This CL changes the poisoning in the interpreter to use the
infrastructure used in the JIT.
This does not change the original flag semantics:
--branch-load-poisoning enables JIT mitigations as before.
--untrusted-code-mitigation enables the interpreter mitigations
(now realized using the compiler back-end), but does not enable
the back-end based mitigations for the Javascript JIT. So in effect
--untrusted-code-mitigation makes the CSA pipeline for bytecode handlers
use the same mechanics (including changed register allocation) that
--branch-load-poisoning enables for the JIT.
Bug: chromium:798964
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: If7f6852ae44e32e6e0ad508e9237f24dec7e5b27
Reviewed-on: https://chromium-review.googlesource.com/928881
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52243}
- Allow deserializer to add entries to the StringTable without
causing a gc.
This is a reland of 868ed8eecc
Original change's description:
> [runtime] Decrease StringTable shrink limit
>
> Given that we have not seen any regressions yet we're trying a more aggressive
> limit.
>
> Bug: chromium:818642, v8:5443
> Change-Id: Ic45001ed6c042fc31cbba0d417d5060d2de8fb3a
> Reviewed-on: https://chromium-review.googlesource.com/975126
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#52145}
Bug: chromium:818642, v8:5443
Change-Id: I051c6a79e59ec40cf87cab5bf06c4c449f8113d0
Reviewed-on: https://chromium-review.googlesource.com/975643
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52242}
The instruction scheduler is not supported on these platforms.
Bug: v8:7577
Change-Id: If89494153407c6223e30d856dd0f3152eb0c5817
Reviewed-on: https://chromium-review.googlesource.com/973362
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Cr-Commit-Position: refs/heads/master@{#52241}
--cleanup-code-caches-at-gc flag was removed in
b8b25e1c27,
rendering the test obsolete.
Change-Id: I34331d230102924899c89d3330379df51a489029
Reviewed-on: https://chromium-review.googlesource.com/980937
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52239}
The embedder can get notification when V8 heap size approaches the heap limit
and can extend the heap limit if needed using
- v8::Isolate::AddNearHeapLimitCallback
- v8::Isolate::RemoveNearHeapLimitCallback
This generalizes the exiting v8::debug::SetOutOfMemoryCallback API.
Bug: chromium:824214
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ia444cb7efb6fe85c57fa3785e8fd1d8b654a5224
Reviewed-on: https://chromium-review.googlesource.com/979447
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52238}
I replaced usages in Chromium and other embedders. I think we can safely
deprecate and soon remove.
Drive-by fix: Fixed some typos.
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: Ia8e35adb2abebed3966403af61eda1ede319e5c3
Reviewed-on: https://chromium-review.googlesource.com/980452
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52236}
Port d663614591
Original Commit Message:
Part of ongoing work to remove the construct_stub.
For non-constructable functions, don't use the non-constructable stub,
instead handle non-constructables explicitly in ConstructFunction.
R=petermarshall@chromium.org, joransiu@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: I2e81b03b8fbbde025881fd3b65fe2fa0604f6ff5
Reviewed-on: https://chromium-review.googlesource.com/981116
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#52234}
This reverts commit 3d7ad2e7e5.
Reason for revert: too many regressions to handle for now.
Original change's description:
> Reland "[parser] Remove pretenuring of closures assigned to properties"
>
> The memory gains were significant, so despite the bluebird-doxbee
> regression, we think it's better to have this patch than not.
> See the attached Chromium bug for more discussion.
>
> This is a reland of 20e346bd08.
>
> Original change's description:
> > [parser] Remove pretenuring of closures assigned to properties
> >
> > This pretenuring was added in https://codereview.chromium.org/5220007,
> > back when it was necessary in order to allow use of the closure
> > as a "constant function" property. This should no longer be the case,
> > and the pretenuring causes some unfortunate downstream effects.
> >
> > This patch removes the parser's setting of this bit. If it doesn't
> > cause regressions on the perf bots, followup CLs will remove the
> > rest of the support for this feature.
> >
> > Bug: v8:7442
> > Change-Id: I27c43dd4293ce5de921be6c78571e712778d138a
> > Reviewed-on: https://chromium-review.googlesource.com/914610
> > Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> > Commit-Queue: Adam Klein <adamk@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#51254}
>
> Bug: v8:7442, chromium:814182
> Change-Id: I228c59dccef3844803f115749e72ae6c5f286eda
> Reviewed-on: https://chromium-review.googlesource.com/938241
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Commit-Queue: Adam Klein <adamk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51668}
Tbr: gsathya@chromium.org
Bug: v8:7442, v8:7524, chromium:814182, chromium:818627, chromium:818672, chromium:819994, chromium:821788
Change-Id: Ib760d63f879613f3b874889c5cb29ba2a77ba430
Reviewed-on: https://chromium-review.googlesource.com/980795
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52233}
FixedDoubleArray can be left-trimmed and should be treated similar to
FixedArray in concurrent marker.
Bug: v8:7595
Change-Id: I4046209b66d7ed8e649355f62296607234146793
Reviewed-on: https://chromium-review.googlesource.com/980874
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52232}
This is done now while embedders have yet to adapt to the new API before
it becomes hard to migrate.
Also renamed variable/methods to use "worker threads" rather than
"background" nomenclature.
Extracted from https://chromium-review.googlesource.com/c/v8/v8/+/978443/7
while resolving the more contentious bits around using task runners.
TBR=rmcilroy@chromium.org
Bug: chromium:817421
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: Ie3ddf15a708e829c0f718d89bebf3e96d1990c16
Reviewed-on: https://chromium-review.googlesource.com/980953
Commit-Queue: Gabriel Charette <gab@chromium.org>
Reviewed-by: Gabriel Charette <gab@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52231}
This has been made possible when custom builtin constructors were
removed.
R=jgruber@chromium.org
Bug: v8:178, v8:7518
Change-Id: I7ee064c3b899732ebe9381ea004f231fa6c0cef0
Reviewed-on: https://chromium-review.googlesource.com/975541
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52229}
JSRegex does not have custom body descriptor and uses JSObject body
descriptor, so it should just use JSObject visitor id.
Bug: chromium:825828
Change-Id: Iae22315da7ab83bb4ac919586c883120621761c8
Reviewed-on: https://chromium-review.googlesource.com/980752
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52228}
We don't want to run into the situation of breaking inside of
debug-evaluate. That would get even more confusing with throw-on-side-effect.
R=kozyatinskiy@chromium.org
Bug: v8:7592
Change-Id: I93f5de63d8943792ff000dbf7c6311df655d3793
Reviewed-on: https://chromium-review.googlesource.com/978164
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52227}
Fixed register d27 wasn't used in code generation, so remove it and rename the
remaining fixed registers. Also, remove some left over Crankshaft comments.
Change-Id: I971069c668a597900b1a0c4b64736103a78dab14
Reviewed-on: https://chromium-review.googlesource.com/968426
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/master@{#52225}
The mutator utilizaton is computed for each mark-compact GC cycle as
mutator_time / total_time, where
- total_time is the time from the end of the previous GC to the end of
the current GC
- mutator_time = total_time - incremental_steps_duration - gc_time.
Bug: chromium:824214
Change-Id: Ie1814f22f0816a3c9c579107f4950f6fc8c8a72d
Reviewed-on: https://chromium-review.googlesource.com/978215
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52221}
Currently they are using a generic IterateBody(ObjectVisit*), which has
an overhead of virtual table lookup for each visited pointer.
Change-Id: I97268bf7fe63f8c99834d5fc31b4ce18a0fa5655
Reviewed-on: https://chromium-review.googlesource.com/979437
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52220}
Almost all callers of BodyDescriptor already have the map of the object
and should pass it to IterateBody and IsValidSlot functions.
This removes redundant load and makes the function consistent with the
SizeOf function.
Change-Id: Ie47a9bb05af23fbf0576dff99f2ec69625e057fc
Reviewed-on: https://chromium-review.googlesource.com/979436
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52218}
The optimization was replacing
String.fromCharCode(x) == "y"
with x == y instead of (x & 0xFFFF) == y if x was outside
of uint16 range.
Bug: v8:7340, v8:7531
Change-Id: I967306cc2e05c28de82e16cf1b2312fe47396a7d
Reviewed-on: https://chromium-review.googlesource.com/979808
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52214}
This removes one level of indirection from loading external
references, which can now be accesses through the root pointer with a
single load:
[kRootPointer + <offset from root list to desired offset in table>]
Bug: v8:6666
Change-Id: I927634993920828ff48621a0e17e5f3099782917
Reviewed-on: https://chromium-review.googlesource.com/971041
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52211}
Access to the constant pool of off-heap builtins must use
Instruction{Start,Size} instead of the raw instruction_{start,size}
accessors, and we need to copy the constant_pool_offset field when
creating trampolines.
This in turn required access to the embedded blob without an
associated isolate, which is now implemented by global variable set by
each isolate. Both writes and reads are relaxed, as races do not
matter since each isolate will attempt to set the same value of the
blob and its size.
Drive-by: Support off-heap code disassembly.
Bug: v8:6666,v8:7575
Change-Id: I4f203acd4dc128339cf2dd54b3253d9552616649
Reviewed-on: https://chromium-review.googlesource.com/973442
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52209}
This adds runtime dependencies for windows component builds to be
isolated with swarming targets.
Documentation for data dependencies:
https://chromium.googlesource.com/chromium/src/+/master/tools/gn/docs/reference.md#data
Bug: chromium:669910
Change-Id: I4817b707e3fbc4cf664be319c4dac4668e37f14a
Reviewed-on: https://chromium-review.googlesource.com/979794
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52208}
Now that WebAssembly code has moved off the garbage collected heap, it
is no longer subject to relocation and support for updating the base
address for the purposes of trap handling can be removed.
R=eholk@chromium.org
BUG=v8:7549
Change-Id: I7a98f192e0c91274fa2ccdb59cdd106da6217948
Reviewed-on: https://chromium-review.googlesource.com/978248
Reviewed-by: Eric Holk <eholk@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52207}
This param is no longer used to construct the SFI.
Bug: v8:7503
Change-Id: Ic93c91ce0ad9acf84da7f382c9a170c732db7176
Reviewed-on: https://chromium-review.googlesource.com/977926
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52205}
