- 23 Feb, 2022 1 commit
-
-
Shu-yu Guo authored
This is a reland of 1025bf26 Changes since revert: - TSAN issue fixed by https://crrev.com/c/3475084 - Skip the shared-struct-workers test until shared GC deadlock is fixed, being tracked in v8:12645 Original change's description: > [shared-struct] Prototype JS shared structs > > Unlike the Stage 1 proposal, for simplicity the prototype does not add > any new syntax, instead opting for exposing a SharedStructType > constructor which takes an array of field names. This type constructor > returns constructors for shared structs. > > Shared structs can be shared across Isolates, are fixed layout, have no > prototype, have no .constructor, and can only store primitives and > other shared structs. > > The initial prototype does not have TurboFan support. > > Bug: v8:12547 > Change-Id: I23bdd819940b42139692bcdb53d372099b0d4426 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3390643 > Reviewed-by: Tobias Tebbi <tebbi@chromium.org> > Reviewed-by: Marja Hölttä <marja@chromium.org> > Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> > Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> > Commit-Queue: Shu-yu Guo <syg@chromium.org> > Cr-Commit-Position: refs/heads/main@{#79156} Bug: v8:12547 Change-Id: Ic1f5cf9fa9791ae2d5d5dc7c110614ca10b5d98e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3475078Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#79215}
-
- 18 Feb, 2022 1 commit
-
-
Michael Achenbach authored
This reverts commit 1025bf26. Reason for revert: https://crbug.com/v8/12645 Original change's description: > [shared-struct] Prototype JS shared structs > > Unlike the Stage 1 proposal, for simplicity the prototype does not add > any new syntax, instead opting for exposing a SharedStructType > constructor which takes an array of field names. This type constructor > returns constructors for shared structs. > > Shared structs can be shared across Isolates, are fixed layout, have no > prototype, have no .constructor, and can only store primitives and > other shared structs. > > The initial prototype does not have TurboFan support. > > Bug: v8:12547 > Change-Id: I23bdd819940b42139692bcdb53d372099b0d4426 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3390643 > Reviewed-by: Tobias Tebbi <tebbi@chromium.org> > Reviewed-by: Marja Hölttä <marja@chromium.org> > Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> > Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> > Commit-Queue: Shu-yu Guo <syg@chromium.org> > Cr-Commit-Position: refs/heads/main@{#79156} Bug: v8:12547 Change-Id: I44f2b8bb7487b4d39ba1282585e0b2282501230f No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3474676 Auto-Submit: Michael Achenbach <machenbach@chromium.org> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Owners-Override: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/main@{#79170}
-
- 17 Feb, 2022 1 commit
-
-
Shu-yu Guo authored
Unlike the Stage 1 proposal, for simplicity the prototype does not add any new syntax, instead opting for exposing a SharedStructType constructor which takes an array of field names. This type constructor returns constructors for shared structs. Shared structs can be shared across Isolates, are fixed layout, have no prototype, have no .constructor, and can only store primitives and other shared structs. The initial prototype does not have TurboFan support. Bug: v8:12547 Change-Id: I23bdd819940b42139692bcdb53d372099b0d4426 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3390643Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Marja Hölttä <marja@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#79156}
-
- 07 Feb, 2022 1 commit
-
-
Thibaud Michaud authored
- Suspender.suspendOnReturnedPromise expects a function with type [ti*]->[externref] and returns a function with the same type. - Suspender.returnPromiseOnSuspend expects a function with type [ti*]->[to] and returns a function with type [ti*]->[externref]. Changes: - Check the wrapped function's return types - Skip type checking of return types when importing a wrapper (and assert that the return type is externref) - Add special case for WebAssembly.Function.type of a WasmExportedFunction: it currently returns the signature declared by the module. Change the return type to externref if this is a stack-switching export. Bug: v8:12191 Change-Id: I6619c306e9613825ad1b021cb3400d73cd684656 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3435190Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/main@{#78973}
-
- 25 Jan, 2022 1 commit
-
-
legendecas authored
1. Expose all the functions to empty builtins. 2. Wire up the basic structure of ShadowRealm and internal slots. Bug: v8:11989 Change-Id: If7545fe18a74b2bd4b70a1a25776e41f03aaff89 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3195532Reviewed-by: Shu-yu Guo <syg@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Chengzhong Wu <legendecas@gmail.com> Cr-Commit-Position: refs/heads/main@{#78757}
-
- 27 Dec, 2021 1 commit
-
-
Patrick Thier authored
This CL splits the TF type for JSFunction into CallableFunction and ClassConstructor. This differentiation allows us to lower calls to the CallFunction Builtin only for functions that we can actually call. Class Constructors are special, as they are callable but should raise an exception if called. By not lowering class constructors to calls to CallFunction (but the more generall Call) builtin, we can remove the checks for class constructors from CallFunction (in a follow-up CL). Bug: chromium:1262750 Change-Id: I399967eb03b2f20d2dcb67aef2243b32c9d3174e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3350457Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Patrick Thier <pthier@chromium.org> Cr-Commit-Position: refs/heads/main@{#78445}
-
- 18 Nov, 2021 1 commit
-
-
Patrick Thier authored
Extend BitsetType of TF's type system from 32 to 64 bit. At the moment all 32 bits are used, so we can't add any new types. This CL only adds support for > 32 types to C++. The bitset is also mirrored in Torque. In the Torque definition, we just expose an unstructured uint32 for the higher bits of the bitfield, because Toruqe can't deal with 64 bit types on 32 bit platforms (yet) and we also can't have multiple 1-bit bitfields within a single class (yet). Bug: v8:12392, chromium:1262750 Change-Id: If571491443e86e4e47eb88d3f15eca485344d12d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3281922Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Patrick Thier <pthier@chromium.org> Cr-Commit-Position: refs/heads/main@{#77962}
-
- 02 Nov, 2021 1 commit
-
-
Milad Fa authored
After https://crrev.com/c/3247035 compilation with gcc may fail with the following error: ``` error: comparison between 'enum v8::internal:: compiler::BitsetType::<unnamed>' and 'enum v8::internal:: TurbofanTypeBits::Flag' ``` Change-Id: I5edf28e335483be66ae46e4359e0a4dc83341adf Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3255303Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Milad Fa <mfarazma@redhat.com> Cr-Commit-Position: refs/heads/main@{#77647}
-
- 28 Oct, 2021 1 commit
-
-
Tobias Tebbi authored
This is a reland of 45227ffd Differences: - Handle one more flags conflict in variants.py. - Disallow %VerifyType without --concurrent-recompilation. Original change's description: > [turbofan] extend type asserts to cover all JS types > > Extend type assertions to all types covering JavaScript values. > This is achieved by allocating type representations on the heap using > newly defined HeapObject subclasses. To allocate these in the compiler, > we disable concurrent compilation for the --assert-types flag for now. > > Fix two type errors that came up with the existing tests: > 1. JSCreateKeyValueArray has type Array (i.e., a JSArray) instead of > OtherObject. > 2. OperationTyper::NumberToString(Type) can type the result as the > HeapConstant Factory::zero_string(). However, NumberToString does > not always produce this string. To avoid regressions, the CL keeps > the HeapConstant type and changes the runtime and builtin code to > always produce the canonical "0" string. > > A few tests were failing because they check for truncations to work > and prevent deoptimization. However, AssertType nodes destroy all > truncations (which is by design), so these tests are incompatible > and now disabled for the assert_types variant. > > Drive-by fix: a few minor Torque issues that came up. > > Change-Id: If03b7851f7e6803a2f69edead4fa91231998f764 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3234717 > Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> > Reviewed-by: Omer Katz <omerkatz@chromium.org> > Commit-Queue: Tobias Tebbi <tebbi@chromium.org> > Cr-Commit-Position: refs/heads/main@{#77565} Change-Id: I5b3c6745c6ad349ff8c2b199d9afdf0a9b5a7392 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3247035 Auto-Submit: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org> Reviewed-by: Omer Katz <omerkatz@chromium.org> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Cr-Commit-Position: refs/heads/main@{#77596}
-
- 27 Oct, 2021 2 commits
-
-
Maya Lekova authored
This reverts commit 45227ffd. Reason for revert: Breaks on gc_stress mode, see https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/35988/overview Original change's description: > [turbofan] extend type asserts to cover all JS types > > Extend type assertions to all types covering JavaScript values. > This is achieved by allocating type representations on the heap using > newly defined HeapObject subclasses. To allocate these in the compiler, > we disable concurrent compilation for the --assert-types flag for now. > > Fix two type errors that came up with the existing tests: > 1. JSCreateKeyValueArray has type Array (i.e., a JSArray) instead of > OtherObject. > 2. OperationTyper::NumberToString(Type) can type the result as the > HeapConstant Factory::zero_string(). However, NumberToString does > not always produce this string. To avoid regressions, the CL keeps > the HeapConstant type and changes the runtime and builtin code to > always produce the canonical "0" string. > > A few tests were failing because they check for truncations to work > and prevent deoptimization. However, AssertType nodes destroy all > truncations (which is by design), so these tests are incompatible > and now disabled for the assert_types variant. > > Drive-by fix: a few minor Torque issues that came up. > > Change-Id: If03b7851f7e6803a2f69edead4fa91231998f764 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3234717 > Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> > Reviewed-by: Omer Katz <omerkatz@chromium.org> > Commit-Queue: Tobias Tebbi <tebbi@chromium.org> > Cr-Commit-Position: refs/heads/main@{#77565} Change-Id: Ia779a11fc811846194c7a8d1e40b372b265e7ea4 No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3247034 Auto-Submit: Maya Lekova <mslekova@chromium.org> Owners-Override: Maya Lekova <mslekova@chromium.org> Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Cr-Commit-Position: refs/heads/main@{#77566}
-
Tobias Tebbi authored
Extend type assertions to all types covering JavaScript values. This is achieved by allocating type representations on the heap using newly defined HeapObject subclasses. To allocate these in the compiler, we disable concurrent compilation for the --assert-types flag for now. Fix two type errors that came up with the existing tests: 1. JSCreateKeyValueArray has type Array (i.e., a JSArray) instead of OtherObject. 2. OperationTyper::NumberToString(Type) can type the result as the HeapConstant Factory::zero_string(). However, NumberToString does not always produce this string. To avoid regressions, the CL keeps the HeapConstant type and changes the runtime and builtin code to always produce the canonical "0" string. A few tests were failing because they check for truncations to work and prevent deoptimization. However, AssertType nodes destroy all truncations (which is by design), so these tests are incompatible and now disabled for the assert_types variant. Drive-by fix: a few minor Torque issues that came up. Change-Id: If03b7851f7e6803a2f69edead4fa91231998f764 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3234717Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Reviewed-by: Omer Katz <omerkatz@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/main@{#77565}
-
- 08 Oct, 2021 1 commit
-
-
Frank Tang authored
This is a reland of 0adc1410 1. Fork out test/mjsunit/temporal/function-exist.js test to test/mjsunit/temporal/function-exist-no-i18n.js and mark function-exist FAIL in no_i18n build. Original change's description: > [Temporal] Part 1 - Skeleton > > 1. Expose all the functions to empty buildins. > 2. Wire up basic structure of classes and internal slots. > > Design Doc: https://docs.google.com/document/d/1Huu2OUlmveBh4wjgx0D7ouC9O9vSdiZWaRK3OwkQZU0/ > > This is just a CL to establish a skeleton for Temporal. > The Temporal is very big. The prototype CL is in > https://chromium-review.googlesource.com/c/v8/v8/+/2967755 > but too big to be reviewed so I break up the basic structure here first. > > Cq-Include-Trybots: luci.v8.try:v8_linux64_bazel > Bug: v8:11544 > Change-Id: I10d09e3c2530e5b1a6ba60014a2294e138879ff3 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3092561 > Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> > Reviewed-by: Shu-yu Guo <syg@chromium.org> > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > Commit-Queue: Frank Tang <ftang@chromium.org> > Cr-Commit-Position: refs/heads/main@{#76819} Bug: v8:11544 Change-Id: I60eaface94ba9b3408cb235cd1ae425151a36732 Cq-Include-Trybots: luci.v8.try:v8_linux64_bazel Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3160324Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/main@{#77303}
-
- 29 Sep, 2021 1 commit
-
-
Patrick Thier authored
Class Constructors are special, because they are callable but [[Call]] raises an exception. Instead of checking if a JS function is a class constructor for every JS function call, this CL adds a new instance type for class constructors. This way we can use a fast instance type range check for the common case, and only check for class constructors in the uncommon case were a class constructor is called and when we need to raise an exception. Change-Id: Ic6fdd9829722d05559fdfd01f6100c61873a0872 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3186434Reviewed-by: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Patrick Thier <pthier@chromium.org> Cr-Commit-Position: refs/heads/main@{#77140}
-
- 14 Sep, 2021 2 commits
-
-
Deepti Gandluri authored
This reverts commit 0adc1410. Reason for revert: Reverting due to fail on V8 Linux - noi18n - debug https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket/8836095186331011153/+/u/Check_-_default/function-exist Original change's description: > [Temporal] Part 1 - Skeleton > > 1. Expose all the functions to empty buildins. > 2. Wire up basic structure of classes and internal slots. > > Design Doc: https://docs.google.com/document/d/1Huu2OUlmveBh4wjgx0D7ouC9O9vSdiZWaRK3OwkQZU0/ > > This is just a CL to establish a skeleton for Temporal. > The Temporal is very big. The prototype CL is in > https://chromium-review.googlesource.com/c/v8/v8/+/2967755 > but too big to be reviewed so I break up the basic structure here first. > > Cq-Include-Trybots: luci.v8.try:v8_linux64_bazel > Bug: v8:11544 > Change-Id: I10d09e3c2530e5b1a6ba60014a2294e138879ff3 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3092561 > Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> > Reviewed-by: Shu-yu Guo <syg@chromium.org> > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > Commit-Queue: Frank Tang <ftang@chromium.org> > Cr-Commit-Position: refs/heads/main@{#76819} Bug: v8:11544 Change-Id: I358f671452a986c8e87d1f831ab5eb1550a38441 Cq-Include-Trybots: luci.v8.try:v8_linux64_bazel No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3160467 Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Commit-Queue: Deepti Gandluri <gdeepti@chromium.org> Auto-Submit: Deepti Gandluri <gdeepti@chromium.org> Owners-Override: Deepti Gandluri <gdeepti@chromium.org> Cr-Commit-Position: refs/heads/main@{#76821}
-
Frank Tang authored
1. Expose all the functions to empty buildins. 2. Wire up basic structure of classes and internal slots. Design Doc: https://docs.google.com/document/d/1Huu2OUlmveBh4wjgx0D7ouC9O9vSdiZWaRK3OwkQZU0/ This is just a CL to establish a skeleton for Temporal. The Temporal is very big. The prototype CL is in https://chromium-review.googlesource.com/c/v8/v8/+/2967755 but too big to be reviewed so I break up the basic structure here first. Cq-Include-Trybots: luci.v8.try:v8_linux64_bazel Bug: v8:11544 Change-Id: I10d09e3c2530e5b1a6ba60014a2294e138879ff3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3092561Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Reviewed-by: Shu-yu Guo <syg@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Frank Tang <ftang@chromium.org> Cr-Commit-Position: refs/heads/main@{#76819}
-
- 29 Jul, 2021 1 commit
-
-
Thibaud Michaud authored
The JS API constructor was renamed to "WebAssembly.Tag" to match the spec: https://github.com/WebAssembly/exception-handling/issues/159 Rename "exception" to "tag" throughout the codebase for consistency with the JS API, and to match the spec terminology (e.g. "tag section"). R=clemensb@chromium.org,nicohartmann@chromium.org Bug: v8:11992 Change-Id: I63f9f3101abfeefd49117461bd59c594ca5dab70 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3053583Reviewed-by: Clemens Backes <clemensb@chromium.org> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#75994}
-
- 17 Jun, 2021 1 commit
-
-
Igor Sheludko authored
This CL adds - CodeT type - an alias for CodeDataContainer or Code depending on whether the v8_enable_external_code_space is enabled or not, - a set of conversion functions from CodeT to Code or CodeDataContainer and back (both in C++ and CodeStubAssembler), - masm support for calling/tailcalling via CallDataContainer which contain the code entry point address, - masm support for calling/tailcalling via CodeT. Bug: v8:11880 Change-Id: Ib36f4c6db69ec49aaea29412647e59ada95da19b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2967463 Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#75207}
-
- 19 May, 2021 1 commit
-
-
Jakob Gruber authored
Using kAssumeMemoryFence works around the fact that the graph stores handles (and not refs). The assumption is that any handle inserted into the graph is safe to read; but we don't preserve the reason why it is safe to read. Thus we must over-approximate here and assume the existence of a memory fence. Note this is only valid if all spots that insert handles into the graph ensure that the handle can safely be read. In the future, we should consider having the graph store ObjectRefs or ObjectData pointer instead, which would make new ref construction here unnecessary. Bug: v8:7790,chromium:1209798 Change-Id: Ic22340ea9f34a24be530a3c62c8309d25e108f3f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2902742Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#74653}
-
- 18 May, 2021 1 commit
-
-
Sathya Gunasekaran authored
This reverts commit 59bb4325. Reason for revert: 4683d6fe broke TSAN, reverting all its dependencies first (including this) https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN/36744/overview Original change's description: > [compiler] Remove one ObjectRef constructor > > Remove the handle-taking ObjectRef constructor in favor of > (Try)MakeRef as bottleneck. > > Bug: v8:7790 > Change-Id: I3cc3a1dcef4bac53a91c573d1a532332b88c6eb4 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2883664 > Commit-Queue: Georg Neis <neis@chromium.org> > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > Cr-Commit-Position: refs/heads/master@{#74593} Bug: v8:7790 Change-Id: Ifdecf93a3a8c09a3da7118a269fc66c2ae0f1a09 No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2901988Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#74618}
-
- 17 May, 2021 1 commit
-
-
Georg Neis authored
Remove the handle-taking ObjectRef constructor in favor of (Try)MakeRef as bottleneck. Bug: v8:7790 Change-Id: I3cc3a1dcef4bac53a91c573d1a532332b88c6eb4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2883664 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#74593}
-
- 04 May, 2021 1 commit
-
-
Clemens Backes authored
cpplint rules change over time, and we change the exact rules we enable for v8. This CL removes NOLINT annotations which are not needed according to the currently enabled rules. R=mslekova@chromium.org Bug: v8:11717 Change-Id: Ib7dc2c9dbb1710f4fe47e083df7e373e8b8aef27 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2859956Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#74353}
-
- 04 Mar, 2021 1 commit
-
-
Clemens Backes authored
This removes many wasm-specific code paths from codegen, such that includes from src/wasm can be removed. After src/wasm is fully excluded from no-wasm builds, we can also clean up unused enum values, but for now they are still being referenced. R=mslekova@chromium.org Bug: v8:11238 Change-Id: I526ac931f023a57f70b5248befa2733ad10ce9ce Cq-Include-Trybots: luci.v8.try:v8_linux64_no_wasm_compile_rel Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2732011 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Maya Lekova <mslekova@chromium.org> Cr-Commit-Position: refs/heads/master@{#73189}
-
- 02 Mar, 2021 1 commit
-
-
Clemens Backes authored
This removes all wasm includes from src/debug and src/inspector if webassembly is disabled (v8_enable_webassembly=false). It also removes the definition of {WasmValueObject} and {v8::debug::WasmScript}. This will allow to later fully exclude the src/wasm directory from compilation (once other components are fixed). R=bmeurer@chromium.org, machenbach@chromium.org Bug: v8:11238 Change-Id: I41a1d83d01fbb6c015cdfd6cc063bad90052505d Cq-Include-Trybots: luci.v8.try:v8_linux64_no_wasm_compile_rel Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2726506Reviewed-by: Michael Achenbach <machenbach@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#73138}
-
- 09 Feb, 2021 1 commit
-
-
Benedikt Meurer authored
BREAKING CHANGE: The values of Wasm locals, stack, and globals are now represented as objects instead of holding the (primitive) values directly, and SIMD128 values are no longer represented as Uint8Arrays. The DWARF extension has been prepared for this breaking change. The new `WasmValue` comes with `type` and `value` properties that hold its contents. The motivation here is that this is a more extensible approach. In case of SIMD128, the `value` property holds the canonical string representation, which has the additional advantage that these values can be compared with `===` (and `==`). This partially reverts https://crrev.com/c/2614428, the main difference here being that WasmValue is now a proper JSObject that can be exposed on the DebugEvaluate proxy API. Screenshot: https://imgur.com/rcahNKM.png Bug: chromium:1170282, chromium:1071432, chromium:1159402 Change-Id: Iea304e3680775123c41deb4c3d172ac949da1b98 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2643384Reviewed-by: Philip Pfaffe <pfaffe@chromium.org> Reviewed-by: Zhi An Ng <zhin@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#72570}
-
- 04 Feb, 2021 1 commit
-
-
Jakob Gruber authored
... and mark it as never-serialized wrt turbofan serialization. Until this CL, the JSRegExp type was used as both for plain user-visible regexp objects, and for internal regexp boilerplate descriptions. Boilerplates are special: they are never exposed to the user, they are only referenced from the feedback vector, they are immutable. To clarify this distinction, this CL introduces a dedicated struct type RegExpBoilerplateDescription to hold the regexp boilerplate description. This makes Turbofan serialization simpler: boilerplates can be accessed through direct reads since they are immutable. TF has no special requirements on JSRegExp objects (it never reads into these objects) and thus serializing only the references as a JSObjectRef is fine. Bug: v8:7790 Change-Id: I33b337fcfcf861a02bc6be6d0c6311d07cf05718 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2656257Reviewed-by: Mythri Alle <mythria@chromium.org> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#72522}
-
- 19 Jan, 2021 1 commit
-
-
Sathya Gunasekaran authored
This will allow us optimize the protector cell checks in the fast path from checking against the function object in every context to just doing a range check against the instance type. This patch adds new instance types for constructor functions that require such protector cell checks. Bug: v8:11256 Change-Id: Iea722f9c6326dfa470149dd02e689a23942097f4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2595442Reviewed-by: Mythri Alle <mythria@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#72146}
-
- 15 Jan, 2021 1 commit
-
-
Santiago Aboy Solanes authored
This reverts commit b3d09001. Reason for revert: https://chromium-review.googlesource.com/c/v8/v8/+/2565511 has to be reverted, and this was a follow-up to that Original change's description: > [objects] Remove uncached internal external string type > > We shouldn't be creating those anymore since they are not thread-safe. > > Bug: v8:7790 > Change-Id: I4546d995fa32eb076c8dfe9d95301fad719c9e07 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2615347 > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> > Reviewed-by: Leszek Swirski <leszeks@chromium.org> > Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> > Cr-Commit-Position: refs/heads/master@{#72006} TBR=rmcilroy@chromium.org,leszeks@chromium.org,solanes@chromium.org # Not skipping CQ checks because original CL landed > 1 day ago. Bug: v8:7790 Change-Id: I4eb1a6b8446fa602eeb5bf29fbf1fe57182cdbf3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2627605Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Cr-Commit-Position: refs/heads/master@{#72122}
-
- 11 Jan, 2021 1 commit
-
-
Santiago Aboy Solanes authored
We shouldn't be creating those anymore since they are not thread-safe. Bug: v8:7790 Change-Id: I4546d995fa32eb076c8dfe9d95301fad719c9e07 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2615347Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Cr-Commit-Position: refs/heads/master@{#72006}
-
- 16 Dec, 2020 2 commits
-
-
Sathya Gunasekaran authored
Previously, we were looking up the prototype of the receiver and checking that against %TypedArrayPrototype% before invalidating the protector cell. This is incorrect as it's possible to patch the prototype and then change the constructor property, bypassing this check. This CL adds a new instance type to prototype of all TypedArray constructors and checks the receiver against this instance type. TBR: tebbi@chromium.org Bug: v8:11274, v8:11256 Change-Id: I2ff6280e4cf820b06c5593fe4addd36f7ac656c4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2594776 Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#71799}
-
Sathya Gunasekaran authored
In the future, these instance types will be used for fast range checks rather than the current slow individual map checks. Bug: v8:11256 Change-Id: I4ad7d5259fbd46c3272a80996a5ac45a400d1f5e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2590040 Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#71791}
-
- 20 Nov, 2020 1 commit
-
-
Leszek Swirski authored
Because of LocalHeap safepoints, our existing assert scopes don't necessarily maintain the same guarantees as desired. In particular, DisallowHeapAllocation no longer guarantees that objects don't move. This patch transitions DisallowHeapAllocation to DisallowGarbageCollection, to ensure that code using this scope is also protected against safepoints. Change-Id: I0411425884f6849982611205fb17bb072881c722 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2540547 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#71319}
-
- 10 Nov, 2020 2 commits
-
-
Tobias Tebbi authored
Bug: v8:7793 TBR=hpayer@chromium.org Change-Id: I88644c9476b74f57d3cf7a3056a9b70f1467b96d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2489689 Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Cr-Commit-Position: refs/heads/master@{#71079}
-
Daniel Clark authored
This change plumbs import assertions from SourceTextModuleDescriptor's ModuleRequestMap into SourceTextModuleInfo via a new ModuleRequest type, where previously there had been only the specifier. SourceTextModuleDescriptor::module_map now deduplicates module requests using the specifier and the import assertions. Continuing to use the specifier alone would cause a loss of information in the event that a module imports from the same specifier multiple times using different sets of assertions. Failing to deduplicate at all would result in multiple requests for statements like `import {a,b,c} from "foo.js"`, which would be a potential performance issue. See design doc at https://docs.google.com/document/d/1yuXgNHSbTAPubT1Mg0JXp5uTrfirkvO1g5cHHCe-LmY for more detail on this decision. v8::internal::ModuleRequest holds the assertions as an array of the form [key1, value1, position1, key2, value2, assertion2, ...]. However the parser still needs to use a map, since duplicate assertion keys need to be detected at parse time. A follow-up change will ensure that assertions are sorted using a proper lexicographic sort. Bug: v8:10958 Change-Id: Iff13fb9a37d58fc1622cd3cce78925ad2b7a14bb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2493060 Commit-Queue: Dan Clark <daniec@microsoft.com> Reviewed-by: Adam Klein <adamk@chromium.org> Reviewed-by: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#71066}
-
- 09 Nov, 2020 1 commit
-
-
Tobias Tebbi authored
This is a reland of 26f10ecd Change compared to original CL: The deserializer changes StrongDescriptorArray to DescriptorArray. Since this CL uses separate BodyDescriptors for the two kinds of descriptor arrays, this caused a DCHECK failure when the deserializer changes the map while the object is visited from the concurrent marking thread. Fix this by disabling the corresponding checks. Original change's description: > [torque] allow exported classes with custom C++ class > > Introduce a new annotation @customCppClass that can be used for > non-extern @export classes, that is, generate everything, remove > boilerplate from all the internal lists and switches, but allow > a custom C++ class, which in turn also allows overwriting the generated > print and verify functions. > > Port DescriptorArray and StrongDescriptorArray as an example. > > Bug: v8:7793 > Change-Id: I744e52fb4102ac49c0097f1c95bb17d301975bf0 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2489687 > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> > Reviewed-by: Seth Brenith <seth.brenith@microsoft.com> > Commit-Queue: Tobias Tebbi <tebbi@chromium.org> > Cr-Commit-Position: refs/heads/master@{#70989} Bug: v8:7793 Change-Id: I7505fb111896991d16d7d113704c8c3676669f34 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2526383Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#71048}
-
- 05 Nov, 2020 2 commits
-
-
Michael Achenbach authored
This reverts commit 26f10ecd. Reason for revert: GC stress failures: https://crbug.com/v8/11114 Original change's description: > [torque] allow exported classes with custom C++ class > > Introduce a new annotation @customCppClass that can be used for > non-extern @export classes, that is, generate everything, remove > boilerplate from all the internal lists and switches, but allow > a custom C++ class, which in turn also allows overwriting the generated > print and verify functions. > > Port DescriptorArray and StrongDescriptorArray as an example. > > Bug: v8:7793 > Change-Id: I744e52fb4102ac49c0097f1c95bb17d301975bf0 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2489687 > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> > Reviewed-by: Seth Brenith <seth.brenith@microsoft.com> > Commit-Queue: Tobias Tebbi <tebbi@chromium.org> > Cr-Commit-Position: refs/heads/master@{#70989} TBR=ulan@chromium.org,tebbi@chromium.org,seth.brenith@microsoft.com,nicohartmann@chromium.org Change-Id: I4631db66a76f41cf62b400e8ee64df27e641a320 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:7793,v8:11114 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2521911Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#70994}
-
Tobias Tebbi authored
Introduce a new annotation @customCppClass that can be used for non-extern @export classes, that is, generate everything, remove boilerplate from all the internal lists and switches, but allow a custom C++ class, which in turn also allows overwriting the generated print and verify functions. Port DescriptorArray and StrongDescriptorArray as an example. Bug: v8:7793 Change-Id: I744e52fb4102ac49c0097f1c95bb17d301975bf0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2489687Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Reviewed-by: Seth Brenith <seth.brenith@microsoft.com> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#70989}
-
- 02 Nov, 2020 1 commit
-
-
Tobias Tebbi authored
Drive-by fixes: - Use constexpr types to determine C++ type names. - Fix factory constructors to not skip write barriers in old generation. Change-Id: I0ebbfd56c06ad41d02836fb48531ae7eded166bf Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2400994Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#70921}
-
- 07 Oct, 2020 1 commit
-
-
Leszek Swirski authored
This relands commit 3f4e9bbe. which was a reland of c4a062a9 which was a reland of 28a30c57 which was a reland of 5d7a29c9 The change had an issue that embedders implementing heap tracing (e.g. Unified Heap with Blink) could be passed an uninitialized pointer if marking happened during deserialization of an object containing such a pointer. Because of the 0xdeadbed0 uninitialized filler value, these embedders would then receive the value 0xdeadbed0deadbed0 as the 'pointer', and crash on dereference. There is, however, special handling already for null pointers in heap tracing, also for dealing with not-yet initialized values. So, we can make the uninitialized Smi filler be 0x00000000, and that will make such embedded fields have a nullptr representation, making them follow the normal uninitialized value bailouts. In addition, it relands the following dependent changes, which are relanding unchanged and are followup performance improvements. Relanding them in the same change should allow for cleaner reverts should they be needed. This relands commit 76ad3ab5 [identity-map] Change resize heuristic This relands commit 77cc96aa [identity-map] Cache the calculated Hash This relands commit bee5b996 [serializer] Remove Deserializer::Initialize This relands commit c8f73f22 [serializer] Cache instance type in PostProcessNewObject This relands commit 4e7c99ab [identity-map] Remove double-lookups in IdentityMap Original change's description: > Reland^3 "[serializer] Allocate during deserialization" > > This is a reland of c4a062a9 > which was a reland of 28a30c57 > which was a reland of 5d7a29c9 > > Fixes TSAN errors from non-atomic writes in the deserializer. Now all > writes are (relaxed) atomic. > > Original change's description: > > Reland^2 "[serializer] Allocate during deserialization" > > > > This is a reland of 28a30c57 > > which was a reland of 5d7a29c9 > > > > The crashes were from calling RegisterDeserializerFinished on a null > > Isolate pointer, for a deserializer that was never initialised > > (specifically, ReadOnlyDeserializer when ROHeap is shared). > > > > Original change's description: > > > Reland "[serializer] Allocate during deserialization" > > > > > > This is a reland of 5d7a29c9 > > > > > > This reland shuffles around the order of checks in Heap::AllocateRawWith > > > to not check the new space addresses until it's known that this is a new > > > space allocation. This fixes an UBSan failure during read-only space > > > deserialization, which happens before the new space is initialized. > > > > > > It also fixes some issues discovered by --stress-snapshot, around > > > serializing ThinStrings (which are now elided as part of serialization), > > > handle counts (I bumped the maximum handle count in that check), and > > > clearing map transitions (the map backpointer field needed a Smi > > > uninitialized value check). > > > > > > Original change's description: > > > > [serializer] Allocate during deserialization > > > > > > > > This patch removes the concept of reservations and a specialized > > > > deserializer allocator, and instead makes the deserializer allocate > > > > directly with the Heap's Allocate method. > > > > > > > > The major consequence of this is that the GC can now run during > > > > deserialization, which means that: > > > > > > > > a) Deserialized objects are visible to the GC, and > > > > b) Objects that the deserializer/deserialized objects point to can > > > > move. > > > > > > > > Point a) is mostly not a problem due to previous work in making > > > > deserialized objects "GC valid", i.e. making sure that they have a valid > > > > size before any subsequent allocation/safepoint. We now additionally > > > > have to initialize the allocated space with a valid tagged value -- this > > > > is a magic Smi value to keep "uninitialized" checks simple. > > > > > > > > Point b) is solved by Handlifying the deserializer. This involves > > > > changing any vectors of objects into vectors of Handles, and any object > > > > keyed map into an IdentityMap (we can't use Handles as keys because > > > > the object's address is no longer a stable hash). > > > > > > > > Back-references can no longer be direct chunk offsets, so instead the > > > > deserializer stores a Handle to each deserialized object, and the > > > > backreference is an index into this handle array. This encoding could > > > > be optimized in the future with e.g. a second pass over the serialized > > > > array which emits a different bytecode for objects that are and aren't > > > > back-referenced. > > > > > > > > Additionally, the slot-walk over objects to initialize them can no > > > > longer use absolute slot offsets, as again an object may move and its > > > > slot address would become invalid. Now, slots are walked as relative > > > > offsets to a Handle to the object, or as absolute slots for the case of > > > > root pointers. A concept of "slot accessor" is introduced to share the > > > > code between these two modes, and writing the slot (including write > > > > barriers) is abstracted into this accessor. > > > > > > > > Finally, the Code body walk is modified to deserialize all objects > > > > referred to by RelocInfos before doing the RelocInfo walk itself. This > > > > is because RelocInfoIterator uses raw pointers, so we cannot allocate > > > > during a RelocInfo walk. > > > > > > > > As a drive-by, the VariableRawData bytecode is tweaked to use tagged > > > > size rather than byte size -- the size is expected to be tagged-aligned > > > > anyway, so now we get an extra few bits in the size encoding. > > > > > > > > Bug: chromium:1075999 > > > > Change-Id: I672c42f553f2669888cc5e35d692c1b8ece1845e > > > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2404451 > > > > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > > > > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > > > > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > > > > Cr-Commit-Position: refs/heads/master@{#70229} Bug: chromium:1075999 Change-Id: Ib514a4ef16bd02bfb60d046ecbf8fae1ead64a98 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2452689 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#70366}
-
- 05 Oct, 2020 1 commit
-
-
Adam Klein authored
This reverts commit 3f4e9bbe, along with the following dependent changes (reverted to make this a clean revert): 76ad3ab5 [identity-map] Change resize heuristic 77cc96aa [identity-map] Cache the calculated Hash bee5b996 [serializer] Remove Deserializer::Initialize c8f73f22 [serializer] Cache instance type in PostProcessNewObject 4e7c99ab [identity-map] Remove double-lookups in IdentityMap Reason for revert: major crash spike on Canary (https://crbug.com/1135027) Original change's description: > Reland^3 "[serializer] Allocate during deserialization" > > This is a reland of c4a062a9 > which was a reland of 28a30c57 > which was a reland of 5d7a29c9 > > Fixes TSAN errors from non-atomic writes in the deserializer. Now all > writes are (relaxed) atomic. > > Original change's description: > > Reland^2 "[serializer] Allocate during deserialization" > > > > This is a reland of 28a30c57 > > which was a reland of 5d7a29c9 > > > > The crashes were from calling RegisterDeserializerFinished on a null > > Isolate pointer, for a deserializer that was never initialised > > (specifically, ReadOnlyDeserializer when ROHeap is shared). > > > > Original change's description: > > > Reland "[serializer] Allocate during deserialization" > > > > > > This is a reland of 5d7a29c9 > > > > > > This reland shuffles around the order of checks in Heap::AllocateRawWith > > > to not check the new space addresses until it's known that this is a new > > > space allocation. This fixes an UBSan failure during read-only space > > > deserialization, which happens before the new space is initialized. > > > > > > It also fixes some issues discovered by --stress-snapshot, around > > > serializing ThinStrings (which are now elided as part of serialization), > > > handle counts (I bumped the maximum handle count in that check), and > > > clearing map transitions (the map backpointer field needed a Smi > > > uninitialized value check). > > > > > > Original change's description: > > > > [serializer] Allocate during deserialization > > > > > > > > This patch removes the concept of reservations and a specialized > > > > deserializer allocator, and instead makes the deserializer allocate > > > > directly with the Heap's Allocate method. > > > > > > > > The major consequence of this is that the GC can now run during > > > > deserialization, which means that: > > > > > > > > a) Deserialized objects are visible to the GC, and > > > > b) Objects that the deserializer/deserialized objects point to can > > > > move. > > > > > > > > Point a) is mostly not a problem due to previous work in making > > > > deserialized objects "GC valid", i.e. making sure that they have a valid > > > > size before any subsequent allocation/safepoint. We now additionally > > > > have to initialize the allocated space with a valid tagged value -- this > > > > is a magic Smi value to keep "uninitialized" checks simple. > > > > > > > > Point b) is solved by Handlifying the deserializer. This involves > > > > changing any vectors of objects into vectors of Handles, and any object > > > > keyed map into an IdentityMap (we can't use Handles as keys because > > > > the object's address is no longer a stable hash). > > > > > > > > Back-references can no longer be direct chunk offsets, so instead the > > > > deserializer stores a Handle to each deserialized object, and the > > > > backreference is an index into this handle array. This encoding could > > > > be optimized in the future with e.g. a second pass over the serialized > > > > array which emits a different bytecode for objects that are and aren't > > > > back-referenced. > > > > > > > > Additionally, the slot-walk over objects to initialize them can no > > > > longer use absolute slot offsets, as again an object may move and its > > > > slot address would become invalid. Now, slots are walked as relative > > > > offsets to a Handle to the object, or as absolute slots for the case of > > > > root pointers. A concept of "slot accessor" is introduced to share the > > > > code between these two modes, and writing the slot (including write > > > > barriers) is abstracted into this accessor. > > > > > > > > Finally, the Code body walk is modified to deserialize all objects > > > > referred to by RelocInfos before doing the RelocInfo walk itself. This > > > > is because RelocInfoIterator uses raw pointers, so we cannot allocate > > > > during a RelocInfo walk. > > > > > > > > As a drive-by, the VariableRawData bytecode is tweaked to use tagged > > > > size rather than byte size -- the size is expected to be tagged-aligned > > > > anyway, so now we get an extra few bits in the size encoding. > > > > > > > > Bug: chromium:1075999 > > > > Change-Id: I672c42f553f2669888cc5e35d692c1b8ece1845e > > > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2404451 > > > > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > > > > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > > > > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > > > > Cr-Commit-Position: refs/heads/master@{#70229} > > > > > > Bug: chromium:1075999 > > > Change-Id: Ibc77cc48b3440b4a28b09746cfc47e50c340ce54 > > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2440828 > > > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > > > Auto-Submit: Leszek Swirski <leszeks@chromium.org> > > > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > > > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > > > Cr-Commit-Position: refs/heads/master@{#70267} > > > > Tbr: jgruber@chromium.org,ulan@chromium.org > > Bug: chromium:1075999 > > Change-Id: Iaa8dc54895866ada0e34a7c9e8fff9ae1cb13f2d > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2444991 > > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#70279} > > Tbr: jgruber@chromium.org,ulan@chromium.org > Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel_ng,v8_linux64_tsan_no_cm_rel_ng,v8_linux64_tsan_isolates_rel_ng > Bug: chromium:1075999 > Change-Id: I0b9b11644aebc4cc8b07c62a0f765b24e4d73d89 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2445872 > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > Auto-Submit: Leszek Swirski <leszeks@chromium.org> > Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> > Cr-Commit-Position: refs/heads/master@{#70288} TBR=ulan@chromium.org,jgruber@chromium.org,leszeks@chromium.org,dinfuehr@chromium.org Bug: chromium:1075999, chromium:1135027 Change-Id: I5d0d9e49c0302d94ff7291834f5f18e7a0839eb7 Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel_ng,v8_linux64_tsan_no_cm_rel_ng,v8_linux64_tsan_isolates_rel_ng Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2451030Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Adam Klein <adamk@chromium.org> Cr-Commit-Position: refs/heads/master@{#70328}
-
- 02 Oct, 2020 1 commit
-
-
Leszek Swirski authored
This is a reland of c4a062a9 which was a reland of 28a30c57 which was a reland of 5d7a29c9 Fixes TSAN errors from non-atomic writes in the deserializer. Now all writes are (relaxed) atomic. Original change's description: > Reland^2 "[serializer] Allocate during deserialization" > > This is a reland of 28a30c57 > which was a reland of 5d7a29c9 > > The crashes were from calling RegisterDeserializerFinished on a null > Isolate pointer, for a deserializer that was never initialised > (specifically, ReadOnlyDeserializer when ROHeap is shared). > > Original change's description: > > Reland "[serializer] Allocate during deserialization" > > > > This is a reland of 5d7a29c9 > > > > This reland shuffles around the order of checks in Heap::AllocateRawWith > > to not check the new space addresses until it's known that this is a new > > space allocation. This fixes an UBSan failure during read-only space > > deserialization, which happens before the new space is initialized. > > > > It also fixes some issues discovered by --stress-snapshot, around > > serializing ThinStrings (which are now elided as part of serialization), > > handle counts (I bumped the maximum handle count in that check), and > > clearing map transitions (the map backpointer field needed a Smi > > uninitialized value check). > > > > Original change's description: > > > [serializer] Allocate during deserialization > > > > > > This patch removes the concept of reservations and a specialized > > > deserializer allocator, and instead makes the deserializer allocate > > > directly with the Heap's Allocate method. > > > > > > The major consequence of this is that the GC can now run during > > > deserialization, which means that: > > > > > > a) Deserialized objects are visible to the GC, and > > > b) Objects that the deserializer/deserialized objects point to can > > > move. > > > > > > Point a) is mostly not a problem due to previous work in making > > > deserialized objects "GC valid", i.e. making sure that they have a valid > > > size before any subsequent allocation/safepoint. We now additionally > > > have to initialize the allocated space with a valid tagged value -- this > > > is a magic Smi value to keep "uninitialized" checks simple. > > > > > > Point b) is solved by Handlifying the deserializer. This involves > > > changing any vectors of objects into vectors of Handles, and any object > > > keyed map into an IdentityMap (we can't use Handles as keys because > > > the object's address is no longer a stable hash). > > > > > > Back-references can no longer be direct chunk offsets, so instead the > > > deserializer stores a Handle to each deserialized object, and the > > > backreference is an index into this handle array. This encoding could > > > be optimized in the future with e.g. a second pass over the serialized > > > array which emits a different bytecode for objects that are and aren't > > > back-referenced. > > > > > > Additionally, the slot-walk over objects to initialize them can no > > > longer use absolute slot offsets, as again an object may move and its > > > slot address would become invalid. Now, slots are walked as relative > > > offsets to a Handle to the object, or as absolute slots for the case of > > > root pointers. A concept of "slot accessor" is introduced to share the > > > code between these two modes, and writing the slot (including write > > > barriers) is abstracted into this accessor. > > > > > > Finally, the Code body walk is modified to deserialize all objects > > > referred to by RelocInfos before doing the RelocInfo walk itself. This > > > is because RelocInfoIterator uses raw pointers, so we cannot allocate > > > during a RelocInfo walk. > > > > > > As a drive-by, the VariableRawData bytecode is tweaked to use tagged > > > size rather than byte size -- the size is expected to be tagged-aligned > > > anyway, so now we get an extra few bits in the size encoding. > > > > > > Bug: chromium:1075999 > > > Change-Id: I672c42f553f2669888cc5e35d692c1b8ece1845e > > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2404451 > > > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > > > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > > > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > > > Cr-Commit-Position: refs/heads/master@{#70229} > > > > Bug: chromium:1075999 > > Change-Id: Ibc77cc48b3440b4a28b09746cfc47e50c340ce54 > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2440828 > > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > > Auto-Submit: Leszek Swirski <leszeks@chromium.org> > > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#70267} > > Tbr: jgruber@chromium.org,ulan@chromium.org > Bug: chromium:1075999 > Change-Id: Iaa8dc54895866ada0e34a7c9e8fff9ae1cb13f2d > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2444991 > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > Cr-Commit-Position: refs/heads/master@{#70279} Tbr: jgruber@chromium.org,ulan@chromium.org Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel_ng,v8_linux64_tsan_no_cm_rel_ng,v8_linux64_tsan_isolates_rel_ng Bug: chromium:1075999 Change-Id: I0b9b11644aebc4cc8b07c62a0f765b24e4d73d89 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2445872 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/master@{#70288}
-