This CL introduces those codegen changes necessary for JIT-ing using
the WasmCodeManager.
Bug: v8:6876
Change-Id: I6b463b3e278f5e53f8dfa488f76eeaeb5231dbea
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/782261
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49554}
Old instrumentation was designed to collect promise creation stack and
promise scheduled stack together. In DevTools for last 6 months we
show only creation stack for promises. We got strong support from users
for new model. Now we can drop support for scheduled stacks and
simplify implementation.
New promise instrumentation is straightforward:
- we send kDebugPromiseThen when promise is created by .then call,
- we send kDebugPromiseCatch when promise is created by .catch call,
- we send kDebugWillHandle before chained callback and kDebugDidHandle
after chained callback,
- and we send separate kDebugAsyncFunctionPromiseCreated for internal
promise inside async await function.
Advantages:
- we reduce amount of captured stacks (we do not capture stack for
promise that constructed not by .then or .catch),
- we can consider async task related to .then and .catch as one shot
since chained callback is executed once,
- on V8 side we can implement required instrumentation using only
promise hooks,
Disadvantage:
- see await-promise test, sometimes scheduled stack was useful since we
add catch handler in native code,
Implementation details:
- on kInit promise hook we need to figure out why promise was created.
We analyze builtin functions until first user defined function on
current stack. If there is kAsyncFunctionPromiseCreate function then
we send kDebugAsyncFunctionPromiseCreated event. If there is
kPromiseThen or kPromiseCatch then only if this function is bottom
builtin function we send corresponded event to inspector. We need it
because Promise.all internally calls .then and in this case we have
Promise.all and Promise.then on stack at the same time and we do not
need to report this internally created promise to inspector.
Bug: chromium:778796
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I53f47ce8c5c4a9897655c3396c249ea59529ae47
Reviewed-on: https://chromium-review.googlesource.com/765208
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49553}
- Eliminates CommitRegion and UncommitRegion methods, replacing them with
calls to SetPermissions.
- Makes a similar change to the API of VirtualMemory.
- This changes system calls from mmap to mprotect on most POSIX platforms.
Bug: chromium:756050
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ib10f8293c9398c6c1e729cd7d686b7c97e6a5d75
Reviewed-on: https://chromium-review.googlesource.com/769679
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49552}
These functions should only be called in case of a parse error, so speed
of calling them should not be a concern.
In local testing, this saves ~16k of binary size on a release mode build.
Bug: v8:7090
Change-Id: I433df81c2a5811ed922885dbab3ce003427f3d1c
Reviewed-on: https://chromium-review.googlesource.com/780693
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49551}
Reduce the deopt table size by reusing the entry address available in a temp
register to compute the entry id. Saves ~200kB.
Bug:
Change-Id: I3a1baf0e4c8cf19a0aa149da2bea623c1349a9ca
Reviewed-on: https://chromium-review.googlesource.com/774890
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49549}
Both can be used to optionally initialize an object, but with
base::Optional it will be stack-allocated.
R=ahaas@chromium.org
Change-Id: I9977e1b2e0532505f8582cc68e27687aaeebd33d
Reviewed-on: https://chromium-review.googlesource.com/781920
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49548}
Filtering by status file split to four parts:
1. Getting outcomes - reads both variant dependent and
independent outcomes, no more need to do it twice.
2. Checking unused rules - has a switch to check only variant
dependent/independent rules.
3. Reading flags - if outcome starts with '--' it is treated as a flag.
4. Actual filtering.
Outcomes removed from the testcase object, can be accessed
by call to its testsuite.
Bug: v8:6917
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I35762f891010ddda926250452b88656047433daa
Reviewed-on: https://chromium-review.googlesource.com/775160
Commit-Queue: Michał Majewski <majeski@google.com>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49547}
On x64, we optimize out EmbeddedReferences, unless we explicitly
indicate serialization is enabled. We serialize js-to-wasm wrappers,
which include such references.
Bug: v8:7083
Change-Id: I976da4af74bf7ee3245e1465b8e47f2c042ec3b4
Reviewed-on: https://chromium-review.googlesource.com/780207
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Eric Holk <eholk@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49546}
Typically the interpreter returns 0xdeadbeef to indicate an exception.
However, for stack overflows a normal exception is used. The interpreter
requires an activation, however, to deal with normal exceptions. With
this CL we start an activation before we execute the fuzzer input in the
interpreter.
R=clemensh@chromium.org
Bug: chromium:781103
Change-Id: I4fc3a18bfc2076aab9ff7d2324a3311fe222954a
Reviewed-on: https://chromium-review.googlesource.com/776835
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49545}
A few coverage tests depend on a GC run that deterministically frees all
dead objects, but Runtime::kCollectGarbage did not explicitly disable
incremental marking. Incremental marking makes liveness detection
timing-dependent and thus should be disabled here.
NOTRY=true
NOPRESUBMIT=true
TBR=mlippautz@chromium.org
Bug: v8:7108
Change-Id: I8bebe612bbc2126b8ad778af15f08442ccc91a35
Reviewed-on: https://chromium-review.googlesource.com/781865
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49544}
The unused properties fields number is calculatable via used in-object
properties count and we can drop it now.
Bug: chromium:774644
Change-Id: I7388af7772a8e793593fabc46527886cf2e36095
Reviewed-on: https://chromium-review.googlesource.com/781465
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49542}
The wasm context will always be stored on the stack, and will be loaded
from there whenever needed (for accessing globals or the memory). We
can still improve this later by caching the context address or specific
information loaded from it.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: Idd7fb1ccff28a73beaf545997e3dfdb74757b686
Reviewed-on: https://chromium-review.googlesource.com/779145
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49540}
This introduces a JSBitwiseNot operator and lowers it either to a
speculative xor with -1 (when we have Number feedback) or to
a stub call. The stub is also new.
Bug: v8:6791
Change-Id: I362e52de8a741dc5db044c406543878e407eb2ed
Reviewed-on: https://chromium-review.googlesource.com/778839
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49539}
This introduces a JSNegate operator and lowers it either to a
speculative multiplication with -1 (when we have Number feedback)
or to a stub call. The stub is also new.
R=jarin@chromium.org
Bug: v8:6791
Change-Id: I8e20333fe49cc6088d2d10777be982e42eed2412
Reviewed-on: https://chromium-review.googlesource.com/774718
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49538}
This works because we pool regular non-executable pages on a lower level. Executable pages are currently not supported by the pooling mechanism. If this regresses we should fix it.
Change-Id: Ief3484d59f1f1f4bc63f8e718482e4174bedc012
Reviewed-on: https://chromium-review.googlesource.com/778939
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49536}
This introduces {Heap::write_protect_code_memory} as a race-free copy of
the underlying {FLAG_write_protect_code_memory} flag. Since this flag is
checked from the parallel sweeper, subsequent flag implications might be
racing against the read. This ensures race-free reads.
R=hpayer@chromium.org
BUG=v8:6792,chromium:774108,v8:7106
Change-Id: I1a1073f11e91bebd60f8d5da440845452ec67c50
Reviewed-on: https://chromium-review.googlesource.com/781662
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49535}
Currently the SourcePositionTableBuilder requires a Zone because it
holds a ZoneVector<byte> of the encoded entries. Since ZoneVector is a
suboptimal data structure anyway, and for Liftoff we don't even have a
Zone allocated currently, this CL replaces the ZoneVector by
std::vector.
R=mstarzinger@chromium.org
Bug: v8:6600
Change-Id: I8010143e917e2351664e2b53746753b597f4407a
Reviewed-on: https://chromium-review.googlesource.com/779181
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49534}
In the case of a corrupted snapshot we fall back to initializing the isolate
from scratch. Howver, we don't ship the full SetupIsolateDelegate. This causes
spurious failures during later initialization.
This CL mostly turns the DCHECKs in SetupIsolateDelegate into hard CHECKs making
it easier to spot these kind of failures.
Bug: chromium:767846
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ibe8a5beece27433439b1b09412f6110be703ff86
Reviewed-on: https://chromium-review.googlesource.com/779189
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49533}
This makes sure the {CodeSpaceMemoryModificationScope} for the common
allocation path is inside the {Heap} component. This will in turn enable
finer-grained control of the modification scope in the future.
R=hpayer@chromium.org
BUG=v8:6792
Change-Id: I6c3bc457bac641e79b2786cf78557b26aa2027e7
Reviewed-on: https://chromium-review.googlesource.com/779399
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49532}
This is a reland of 712fa67554.
Original change's description:
> [test] Add Liftoff variant
>
> Add a variant for testing the current state of the Liftoff
> implementation.
> This variant will only run on a subset of the bots, just like the
> --future variant.
>
> R=machenbach@chromium.org, hablich@chromium.org
>
> Bug: v8:7088, v8:6600
> Change-Id: If49fad3a8ed579356504b821a787326754f24e78
> Reviewed-on: https://chromium-review.googlesource.com/779420
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49504}
TBR=machenbach@chromium.orgCC=hablich@chromium.org
Bug: v8:7088, v8:6600
Change-Id: Ieb20020f07c70acaa64bb421763a41aa163a261b
Reviewed-on: https://chromium-review.googlesource.com/781499
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49531}
The integer value denoting the number of captures (and thus the size
of the list of captures created in @@replace [0]) can be controlled by
the user. This CL ensures we don't overflow and respect
Code::kMaxArguments, but note that it is still possible to trigger
OOMs through large lists.
Bug: chromium:786573
Change-Id: I19c88908c594487818d083b2ba423764ef91eae0
Reviewed-on: https://chromium-review.googlesource.com/779001
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49530}
The index of a function in the WasmModule data structure is offset by
the number of imported functions in the module. The {DecodeFunctionBody}
function of the module decoder, however, requires the function index
without this offset. The streaming processor mixed up these two ranges
of function indices. This is fixed in this CL.
R=clemensh@chromium.org
Bug: chromium:781507
Change-Id: Ie3e0c4703b06ecb923c98ffb961844915323197c
Reviewed-on: https://chromium-review.googlesource.com/776680
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49523}
V8 passes the command explicitly to each swarming task, hence it's
not necessary to store the command in the isolate.
This drops the Chromium-specific code in MB that creates the
swarming command based on Chromium test features.
This also makes the swarming targets option a no-op to allow
activating it on the infra side without disruption.
Bug: chromium:669910
Change-Id: I6cb03f05d034092a25d879d52b4d64952493f55b
Reviewed-on: https://chromium-review.googlesource.com/779148
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49520}
Currently the size of compaction spaces is not taken into account in
the Heap::CanExpandOldGeneration predicate. This can push the heap size
over the hard limit in some cases.
This patch makes Heap::CanExpandOldGeneration stricter and also fixes
the SelectGarbageCollector to prefer Mark-Compact near the hard limit.
Bug: chromium:784077
Change-Id: I00c7295eba8794a342dd6277a45f995529054b64
Reviewed-on: https://chromium-review.googlesource.com/779265
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49519}
This code was confusing, since "target" declared in one of the subscopes
shadowed a parameter with the same name.
Change-Id: Ibf694c94f0a26ca65609cb80d22c40a8fa98f4f3
Reviewed-on: https://chromium-review.googlesource.com/779261
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49518}
Not resetting the ticks regresses optimization time without substantial
performance benenfits on twitter, facebook, youtube, linkedin and wikipedia.
There was no net positive effect visible otherwise.
Bug: chromium:786908
Change-Id: I98237dee170e7a387f09ccfbad178793361d4a67
Reviewed-on: https://chromium-review.googlesource.com/779435
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49516}
The strex (Store Exclusive) instruction has the form:
strex rd, rt, [rn]
It stores the value in register rt at the address in register rn. If the
store succeeds, then 0 is stored in rd, otherwise 1 is stored. The ARM
manual says that behavior is "unpredictable" if d == n || d == t (i.e.
those registers are aliased).
We were not checking for this behavior in the assembler or simulator,
and as a result were generating output where it occurred. This didn't
always break; the tests we run on ARM hardware run this instruction and
pass.
BUG: chromium:786168
Change-Id: I57fe3a1db406eac96eb04ef2246f6970548d3cf9
Reviewed-on: https://chromium-review.googlesource.com/777777
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49513}
This is a reland of c71fd20cf9
Original change's description:
> [wasm] Data structures for JIT-ing wasm to native memory.
>
> This CL introduces the structures for JIT-ing wasm on the native heap.
> They are described in detail at go/wasm-on-native-heap-stage-1
>
> Briefly:
> - WasmCodeManager manages memory for modules and offers an interior
> pointer lookup (i.e. PC -> WasmCode)
> - WasmCode represents code, including reloc info. It holds wasm
> specific data, like function index, and runtime information, like trap
> handler info.
> - NativeModule manages memory for one module.
>
> Tests cover the allocation and lookup aspects, following that current
> regression tests cover the JITed code. A separate CL will enable
> JITing using the new data structures.
>
> Bug: v8:6876
> Change-Id: I1731238409001fe97c97eafb7a12fd3922da6a42
> Reviewed-on: https://chromium-review.googlesource.com/767581
> Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49501}
Bug: v8:6876
Change-Id: Ifd1a4c23de8150dbdc75f059cd657e9670b15c9b
Reviewed-on: https://chromium-review.googlesource.com/779680
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49512}
This adds a bigint branch to the typed-optimization of the TypeOf
bytecode. The implementation of the TestTypeOf bytecode already supports
bigints, as does the Typeof stub.
R=jarin@chromium.org
Bug: v8:6791
Change-Id: Ib9a21f3fc48d57873b014a01c68a143bfb8ac6c6
Reviewed-on: https://chromium-review.googlesource.com/778880
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49509}
This is a reland of 236298acbf.
Original change's description:
> [wasm] Unify deoptimization data
>
> Add methods to add deoptimization data and use them from all the places
> where we currently add them manually. Also add them to wasm-to-wasm
> wrappers compiled on table set, which was missing before, leading to
> the referenced bug.
>
> R=ahaas@chromium.org
>
> Bug: chromium:779292
> Change-Id: Ib9132d9faeb1092c46e22dd8196d201ce5c0942f
> Reviewed-on: https://chromium-review.googlesource.com/774838
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49452}
Bug: chromium:779292
Change-Id: I8219305fc894c50904db57e51245733f6613dcd3
Reviewed-on: https://chromium-review.googlesource.com/778159
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49508}
This reverts commit 712fa67554.
Reason for revert: Infra side change was reverted. Please reland
after it stays in for a bot cycle...
Original change's description:
> [test] Add Liftoff variant
>
> Add a variant for testing the current state of the Liftoff
> implementation.
> This variant will only run on a subset of the bots, just like the
> --future variant.
>
> R=machenbach@chromium.org, hablich@chromium.org
>
> Bug: v8:7088, v8:6600
> Change-Id: If49fad3a8ed579356504b821a787326754f24e78
> Reviewed-on: https://chromium-review.googlesource.com/779420
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49504}
TBR=machenbach@chromium.org,hablich@chromium.org,clemensh@chromium.org
Change-Id: Ib6b2e79cea5d9f99f8933c72bbb9d9dddbd6ae07
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7088, v8:6600
Reviewed-on: https://chromium-review.googlesource.com/779719
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49507}
Free ArrayBuffer backing stores on a background thread, rather than
blocking the main thread after processing. Could potentially cause
contention with the array buffer allocator once JS execution resumes.
The new ArrayBufferCollector class tracks these dead allocations.
Later, the processing of array buffers can happen in parallel.
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng;master.tryserver.v8:v8_linux64_tsan_rel;master.tryserver.v8:v8_linux64_tsan_concurrent_marking_rel_ng;master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
Bug: v8:6992
Change-Id: I2b74f008f79521414374f607ed510f66508af160
Reviewed-on: https://chromium-review.googlesource.com/779182
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49505}
