1. 30 Mar, 2022 1 commit
    • Refactor OptimizationMarker and ConcurrencyMode enums · 57d985a5
      Jakob Gruber authored
      .. with readability and simplicity in mind.
      
      - Rename OptimizationMarker to the (shorter) TieringState. 'Tiering'
        also matches 'TieringManager' terminology.
      - Rename the values:
        kNone -> kNone
        kInOptimizationQueue -> kInProgress
        kCompileFoo_NotConcurrent -> kRequestFoo_Synchronous
        kCompileFoo_Concurrent -> kRequestFoo_Concurrent
      - Likewise rename ConcurrencyMode::kNotConcurrent to kSynchronous.
      - Add predicates to test enum values.
      - Consistent lower case names for accessors on JSFunction and
        FeedbackVector.
      - Instead of having to call HasOptimizationMarker() before using any
        other accessor, simply have optimization_marker() return kNone if
        no feedback vector exists.
      - Drive-by: Enable the Unreachable() in MaybeOptimizeCode()
        unconditionally - this should never happen, there's no reason not
        to protect against this in release builds as well.
      
      Bug: v8:12161
      Change-Id: I67c03e2b7bd0a6b86d0c64f504ad8cb47e9e26ae
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3555774
      Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      Reviewed-by: Leszek Swirski <leszeks@chromium.org>
      Commit-Queue: Jakob Linke <jgruber@chromium.org>
      Auto-Submit: Jakob Linke <jgruber@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#79669}
  2. 14 Feb, 2022 1 commit
    • Reland "[runtime] Refactor TransitionsAccessor" · 24ff6e28
      Victor Gomes authored
      This is a reland of c927ada7
      
      Fix: Recalculate encoding after an allocation (that can potentially
      trigger GC) in EnsureHasFullTransitionArray.
      
      Original change's description:
      > [runtime] Refactor TransitionsAccessor
      >
      > Problems:
      > - The class uses a bare Map field, but some methods can trigger GC
      > causing it to have a potential dangling pointer in case of map
      > compaction.
      > - Some methods invalidate the object state and should not be used again.
      > - Complicated logic with a no_gc and a gc-aware constructor. Some
      > methods can only be called if the object is constructed with a
      > particular constructor (e.g., Insert and PutPrototypeTransition).
      >
      > Note: Most usages of this class are done by constructing an object and
      > calling a single method:
      > `TransitionAccessor(...).Method(...)`
      > So we can easily change them to a static method.
      >
      > This CL:
      > 1. Adds DISALLOW_GARBAGE_COLLECTION to the class.
      > 2. Makes methods that can trigger GC static.
      > 3. Creates static helper functions that wrap the class in a different
      > scope, since TransitionsAccessor now forces the scope to disallow gc.
      > 4. Removes now unnecessary "Reload" logic.
      >
      > Bug: chromium:1295133, v8:12578
      > Change-Id: I85484e7235fbd5e69894e26f5e1c491c6f69635e
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450416
      > Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
      > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      > Commit-Queue: Victor Gomes <victorgomes@chromium.org>
      > Cr-Commit-Position: refs/heads/main@{#79051}
      
      Bug: chromium:1295133, v8:12578
      Change-Id: If3880c2480433b78567870c8d14508d6ad9eccbd
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3460405
      Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
      Auto-Submit: Victor Gomes <victorgomes@chromium.org>
      Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      Commit-Queue: Toon Verwaest <verwaest@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#79069}
  3. 11 Feb, 2022 2 commits
    • Revert "[runtime] Refactor TransitionsAccessor" · 7c602011
      Deepti Gandluri authored
      This reverts commit c927ada7.
      
      Reason for revert: GC stress failures: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/37276/overview
      
      Original change's description:
      > [runtime] Refactor TransitionsAccessor
      >
      > Problems:
      > - The class uses a bare Map field, but some methods can trigger GC
      > causing it to have a potential dangling pointer in case of map
      > compaction.
      > - Some methods invalidate the object state and should not be used again.
      > - Complicated logic with a no_gc and a gc-aware constructor. Some
      > methods can only be called if the object is constructed with a
      > particular constructor (e.g., Insert and PutPrototypeTransition).
      >
      > Note: Most usages of this class are done by constructing an object and
      > calling a single method:
      > `TransitionAccessor(...).Method(...)`
      > So we can easily change them to a static method.
      >
      > This CL:
      > 1. Adds DISALLOW_GARBAGE_COLLECTION to the class.
      > 2. Makes methods that can trigger GC static.
      > 3. Creates static helper functions that wrap the class in a different
      > scope, since TransitionsAccessor now forces the scope to disallow gc.
      > 4. Removes now unnecessary "Reload" logic.
      >
      > Bug: chromium:1295133, v8:12578
      > Change-Id: I85484e7235fbd5e69894e26f5e1c491c6f69635e
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450416
      > Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
      > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      > Commit-Queue: Victor Gomes <victorgomes@chromium.org>
      > Cr-Commit-Position: refs/heads/main@{#79051}
      
      Bug: chromium:1295133, v8:12578
      Change-Id: Ia567cdcae73bc7fdfaf08b62eeeb899d6a933e21
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3456682
      Auto-Submit: Deepti Gandluri <gdeepti@chromium.org>
      Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
      Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
      Owners-Override: Deepti Gandluri <gdeepti@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#79052}
    • [runtime] Refactor TransitionsAccessor · c927ada7
      Victor Gomes authored
      Problems:
      - The class uses a bare Map field, but some methods can trigger GC
      causing it to have a potential dangling pointer in case of map
      compaction.
      - Some methods invalidate the object state and should not be used again.
      - Complicated logic with a no_gc and a gc-aware constructor. Some
      methods can only be called if the object is constructed with a
      particular constructor (e.g., Insert and PutPrototypeTransition).
      
      Note: Most usages of this class are done by constructing an object and
      calling a single method:
      `TransitionAccessor(...).Method(...)`
      So we can easily change them to a static method.
      
      This CL:
      1. Adds DISALLOW_GARBAGE_COLLECTION to the class.
      2. Makes methods that can trigger GC static.
      3. Creates static helper functions that wrap the class in a different
      scope, since TransitionsAccessor now forces the scope to disallow gc.
      4. Removes now unnecessary "Reload" logic.
      
      Bug: chromium:1295133, v8:12578
      Change-Id: I85484e7235fbd5e69894e26f5e1c491c6f69635e
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450416
      Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
      Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      Commit-Queue: Victor Gomes <victorgomes@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#79051}
  4. 13 Jan, 2022 1 commit
    • [maps] Lock map_updater_access in CompleteInobjectSlackTracking · 4b8d0489
      Jakob Gruber authored
      CompleteInobjectSlackTracking potentially shrinks multiple maps, and
      the relation between these maps should be preserved in a concurrent
      environment. Thus it is not enough to make each modification
      atomically, but all related map modifications must be within a
      critical section.
      
      We do this by locking the map_updater_access mutex in
      CompleteInobjectSlackTracking, and hence moving the function to the
      MapUpdater class.
      
      Bug: chromium:1274445,v8:7990
      Change-Id: If99bb8b55e03180128ee397d845fa4c269c4241e
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3379819
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Commit-Queue: Jakob Gruber <jgruber@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#78597}
  5. 18 Nov, 2021 1 commit
  6. 15 Nov, 2021 1 commit
  7. 09 Nov, 2021 1 commit
  8. 28 Sep, 2021 1 commit
  9. 12 Aug, 2021 1 commit
    • [compiler] Fix multiple races in Map::FindElementsKindTransitionedMap · 1b22e6fb
      Jakob Gruber authored
      The concurrent version was added recently in crrev.com/c/3085262.
      
      - UnusedPropertyFields requires the MapUpdater lock.
      - instance_descriptors must be read atomically on the bg thread.
      
      Finally, there appears to be a false positive report for the pattern:
      
       x = is_concurrent ? foo(kAcquireLoad) : foo();
      
      Here, clang emits code that executes both the atomic and nonatomic
      reads when is_concurrent is true. Needs more investigation.
      
      Bug: v8:7790, chromium:1239009
      Change-Id: I07d442e72cf0278f79f202a267e8d246f8abca1b
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3090341
      Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
      Auto-Submit: Jakob Gruber <jgruber@chromium.org>
      Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#76261}
  10. 11 Aug, 2021 1 commit
  11. 17 May, 2021 1 commit
  12. 03 May, 2021 1 commit
  13. 08 Apr, 2021 1 commit
  14. 06 Apr, 2021 1 commit
  15. 01 Apr, 2021 1 commit
    • [compiler] Add the MapUpdater lock · 605f9875
      Jakob Gruber authored
      It's locked exclusively in the MapUpdater API methods, and locked
      shared in ComputePropertyAccessInfo (CPAI).
      
      This lock is a step towards running CPAI on background threads. The
      simple lock portion is landed separately in this CL to get an early
      signal on potential lock overhead perf impact.
      
      The lock is implemented and used very conservatively at the moment:
      
      - it's a single global lock (and not e.g. per-map).
      - it's locked for the entire method call duration (instead of only in
        relevant parts).
      
      Both points can potentially be improved in the future.
      
      Bug: v8:7790
      Change-Id: I073423497e01b4901101973387a19962f953a576
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2797286
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Commit-Queue: Jakob Gruber <jgruber@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#73773}
  16. 08 Mar, 2021 2 commits
  17. 05 Mar, 2021 1 commit
  18. 23 Feb, 2021 1 commit
  19. 11 Feb, 2021 1 commit
  20. 20 Nov, 2020 1 commit
  21. 12 Nov, 2020 1 commit
  22. 30 Oct, 2020 1 commit
  23. 29 Oct, 2020 1 commit
  24. 05 Oct, 2020 1 commit
  25. 19 Jun, 2020 1 commit
  26. 11 Oct, 2019 1 commit
  27. 28 Aug, 2019 1 commit
    • Add new nonextensible element kinds · 1f4bec27
      Z Nguyen-Huu authored
      Currently the backing store and elements kind might not be aligned, aka
      backing store can be dictionary where elements kind is frozen/sealed
      element kinds or the other way around. The reason is that
      Object.preventExtensions changes elements kind to DICTIONARY while
      Object.seal/freeze change elements kind to SEALED/FROZEN element kind.
      Applying both these operations can lead to that problem as in
      chromium:992914
      
      To solve this issue, we avoid having Object.preventExtensions change backing
      store to dictionary by introducing new nonextensible elements kinds.
      These new nonextensible elements kinds are handled similarly to frozen,
      sealed element kinds. This change not only fixes the problem but also
      optimizes the performance of nonextensible objects.
      
      Change-Id: Iffc7f14eb48223c11abf3c577f305d2d072eb65b
      Bug: chromium:992914, v8:6831
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1760976
      Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
      Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63432}
  28. 19 Jun, 2019 1 commit
  29. 28 May, 2019 1 commit
  30. 27 May, 2019 3 commits
    • Reland "[typedarray] Move external/data pointer to JSTypedArray." · 70bd7cf0
      Benedikt Meurer authored
      This is a reland of 4b86fea5 with
      copy&paste typo in CodeStubAssembler::AllocateByteArray() fixed
      (bug led to holes in new space, which was crashing reproducibly
      on the ia32 bot).
      
      Original change's description:
      > [typedarray] Move external/data pointer to JSTypedArray.
      >
      > As the next step in supporting huge typed arrays in V8, this moves the
      > external/data pointer from the FixedTypedArrayBase backing store to the
      > JSTypedArray instance itself, and replaces the special backing stores
      > with a plain ByteArray (removing all the code for the FixedTypedArrayBase
      > class hierarchy). By doing so, we can drastically simplify the system
      > around typed arrays.
      >
      > Note: Several places in the code base used to check the instance type
      > of the elements backing store of a JSTypedArray instead of checking the
      > elements kind on the JSTypedArray map directly. Those had to be fixed,
      > since the backing store is now always a ByteArray.
      >
      > Drive-by-fix: Move all the typed elements access related code into the
      > elements.cc file to properly encapsulate the accesses.
      >
      > Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
      > Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
      > Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646
      > Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535
      > Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > Reviewed-by: Simon Zünd <szuend@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#61855}
      
      Tbr: petermarshall@chromium.org
      Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
      Change-Id: I87fcdb28532c5f08cc227332a4d59546cb423810
      Cq-Include-Trybots: luci.chromium.try:linux-rel, win7-rel
      Cq-Include-Trybots: luci.v8.try:v8_linux_shared_compile_rel
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631592
      Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#61864}
    • Revert "[typedarray] Move external/data pointer to JSTypedArray." · e4db146a
      Clemens Hammacher authored
      This reverts commit 4b86fea5.
      
      Reason for revert: Fails on linux shared: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20shared/31045
      
      Original change's description:
      > [typedarray] Move external/data pointer to JSTypedArray.
      > 
      > As the next step in supporting huge typed arrays in V8, this moves the
      > external/data pointer from the FixedTypedArrayBase backing store to the
      > JSTypedArray instance itself, and replaces the special backing stores
      > with a plain ByteArray (removing all the code for the FixedTypedArrayBase
      > class hierarchy). By doing so, we can drastically simplify the system
      > around typed arrays.
      > 
      > Note: Several places in the code base used to check the instance type
      > of the elements backing store of a JSTypedArray instead of checking the
      > elements kind on the JSTypedArray map directly. Those had to be fixed,
      > since the backing store is now always a ByteArray.
      > 
      > Drive-by-fix: Move all the typed elements access related code into the
      > elements.cc file to properly encapsulate the accesses.
      > 
      > Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
      > Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
      > Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646
      > Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535
      > Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > Reviewed-by: Simon Zünd <szuend@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#61855}
      
      TBR=ulan@chromium.org,yangguo@chromium.org,titzer@chromium.org,sigurds@chromium.org,petermarshall@chromium.org,bmeurer@chromium.org,szuend@chromium.org
      
      Change-Id: I0bc1f935de6063acf75a0f4bb8c0ba67428603fd
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
      Cq-Include-Trybots: luci.chromium.try:linux-rel, win7-rel
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631427
      Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
      Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#61856}
    • [typedarray] Move external/data pointer to JSTypedArray. · 4b86fea5
      Benedikt Meurer authored
      As the next step in supporting huge typed arrays in V8, this moves the
      external/data pointer from the FixedTypedArrayBase backing store to the
      JSTypedArray instance itself, and replaces the special backing stores
      with a plain ByteArray (removing all the code for the FixedTypedArrayBase
      class hierarchy). By doing so, we can drastically simplify the system
      around typed arrays.
      
      Note: Several places in the code base used to check the instance type
      of the elements backing store of a JSTypedArray instead of checking the
      elements kind on the JSTypedArray map directly. Those had to be fixed,
      since the backing store is now always a ByteArray.
      
      Drive-by-fix: Move all the typed elements access related code into the
      elements.cc file to properly encapsulate the accesses.
      
      Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
      Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
      Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646
      Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      Reviewed-by: Simon Zünd <szuend@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#61855}
  31. 23 May, 2019 3 commits
  32. 22 May, 2019 1 commit
  33. 21 May, 2019 1 commit
  34. 20 May, 2019 1 commit