Skip to content

V
V8
Switch branch/tag
  1. 13 Oct, 2020 1 commit
  3. 12 Oct, 2020 1 commit
    • Anna Henningsen's avatar
      [heap-profiler] Fix crash when a snapshot deleted while taking one · 3176bfd4
      Anna Henningsen authored 
      Fix a crash/hang that occurred when deleting a snapshot during the
GC that is part of taking another one.

Specifically, when deleting the only other snapshot in such
a situation, the `v8::HeapSnapshot::Delete()` method sees that there
is only one (complete) snapshot at that point, and decides that it is
okay to perform “delete all snapshots” instead of just deleting
the requested one. That resets the internal string lookup table
of the heap profiler, but the new snapshot that is currently in
progress still holds references to the old string lookup table,
leading to a use-after-free segfault or infinite loop.

Fix this by guarding against resetting the string table while
another heap snapshot is being taken, and add a test that would
crash before this fix.

This can be triggered in Node.js by repeatedly calling
`v8.getHeapSnapshot()`, which provides heap snapshots as weakly
held host objects.

Change-Id: If9ac3728bf79114000982f1e7bb05e8034299e3c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2464823Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70445}
      3176bfd4
  5. 09 Oct, 2020 1 commit
  7. 07 Oct, 2020 2 commits
  9. 05 Oct, 2020 1 commit
  11. 30 Sep, 2020 2 commits
  13. 29 Sep, 2020 1 commit
  15. 22 Sep, 2020 1 commit
  17. 14 Sep, 2020 1 commit
  19. 08 Sep, 2020 1 commit
  21. 03 Sep, 2020 1 commit
  23. 02 Sep, 2020 1 commit
  25. 01 Sep, 2020 2 commits
  27. 24 Aug, 2020 1 commit
  29. 18 Aug, 2020 1 commit
  31. 17 Aug, 2020 1 commit
    • Emanuel Ziegler's avatar
      [ukm] Some fixes to the metrics recording framework · 189dc5ac
      Emanuel Ziegler authored 
      Some fixes that were required to make the metric recording framework run
better:
  - Set the foreground task runner later so it can still be modified in
    test cases
  - Add Start and Stop methods to TimedScope for more control
  - Clear map of contexts explicitly to avoid it being triggered at the
    end of the destructor when counters are already destroyed and a
    SEGFAULT may occur due to histogram updates during destruction of
    the weak persistent handles.

R=rmcilroy@chromium.org

Bug: chromium:1101749
Change-Id: Ib41c7aeb1aac96f0fa102f0fceadbf7ec2dd78dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2351668Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
Commit-Queue: Emanuel Ziegler <ecmziegler@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69422}
      189dc5ac
  33. 12 Aug, 2020 1 commit
  35. 10 Aug, 2020 1 commit
  37. 06 Aug, 2020 3 commits
    • Santiago Aboy Solanes's avatar
      [heap] Remove DeferredHandles instrumentation · d855a6aa
      Santiago Aboy Solanes authored 
      Now that we are using PersistentHandles, we don't need it anymore.

Bug: v8:7790
Change-Id: Id0b9d555191c00fb08dc2bb9099746076c5ad1b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2332161
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: 's avatarDominik Inführ <dinfuehr@chromium.org>
Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69278}
      d855a6aa
    • Leszek Swirski's avatar
      [runtime] Move string table off-heap · 1546be9c
      Leszek Swirski authored 
      Changes the isolate's string table into an off-heap structure. This
allows the string table to be resized without allocating on the V8 heap,
and potentially triggering a GC. This allows existing strings to be
inserted into the string table without requiring allocation.

This has two important benefits:

  1) It allows the deserializer to insert strings directly into the
     string table, rather than having to defer string insertion until
     deserialization completes.

  2) It simplifies the concurrent string table lookup to allow resizing
     the table inside the write lock, therefore eliminating the race
     where two concurrent lookups could both resize the table.

The off-heap string table has the following properties:

  1) The general hashmap behaviour matches the HashTable, i.e. open
     addressing, power-of-two sized, quadratic probing. This could, of
     course, now be changed.

  2) The empty and deleted sentinels are changed to Smi 0 and 1,
     respectively, to make those comparisons a bit cheaper and not
     require roots access.

  3) When the HashTable is resized, the old elements array is kept
     alive in a linked list of previous arrays, so that concurrent
     lookups don't lose the data they're accessing. This linked list
     is cleared by the GC, as then we know that all threads are in
     a safepoint.

  4) The GC treats the hash table entries as weak roots, and only walks
     them for non-live reference clearing and for evacuation.

  5) Since there is no longer a FixedArray to serialize for the startup
     snapshot, there is now a custom serialization of the string table,
     and the string table root is considered unserializable during weak
     root iteration. As a bonus, the custom serialization is more
     efficient, as it skips non-string entries.

As a drive-by, rename LookupStringExists_NoAllocate to
TryStringToIndexOrLookupExisting, to make it clearer that it returns
a non-string for the case when the string is an array index. As another
drive-by, extract StringSet into a separate header.

Bug: v8:10729
Change-Id: I9c990fb2d74d1fe222920408670974a70e969bca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2339104
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69270}
      1546be9c
    • Anna Henningsen's avatar
      [api] Fix empty Maybe crash in GetRealNamedPropertyAttributes · e06ace6b
      Anna Henningsen authored 
      `Object::GetRealNamedPropertyAttributes()` can crash if an empty
`Maybe` is returned by `JSReceiver::GetPropertyAttributes()` because
it was not checking for that. Fix that.

Refs: https://github.com/nodejs/node/issues/34606
Change-Id: Ic83f904ba7134786bcd8f786eb2ce98adb4fea1e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2335057
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: 's avatarLeszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69258}
      e06ace6b
  39. 05 Aug, 2020 1 commit
  41. 01 Aug, 2020 1 commit
    • Ulan Degenbaev's avatar
      [ukm] Rename v8::Context::Token to v8::metrics::Recorder::ContextId · 260ec995
      Ulan Degenbaev authored 
      Chrome is currently adding a 128-bit V8ContextToken to keep track of
V8 contexts across multiple isolates and processes. Having per-isolate
token exposed by V8 leads to confusion of these two tokens.

This moves v8::Context::Token to v8::metrics::Recorder and changes
the corresponding functions:
- v8::Context::GetToken => v8::metrics::Recorder::GetContextId
- v8::Context::GetByToken => v8::metrics::Recorder::GetContext

This CL is purely mechanical and does not change the behaviour.

Bug: chromium:1101749
Tbr: clemensb@chromium.org
Change-Id: I31bbfa02ebab1c0d91b00f0d08c1b236392d14d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2330023
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: 's avatarEmanuel Ziegler <ecmziegler@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69188}
      260ec995
  43. 31 Jul, 2020 1 commit
    • Dan Elphick's avatar
      [heap] Share RO_SPACE pages with pointer compression · c7d22c49
      Dan Elphick authored 
      This allows the configuration v8_enable_shared_ro_heap and
v8_enable_pointer_compression on Linux and Android, although it still
defaults to off.

When pointer compression and read-only heap sharing are enabled, sharing
is achieved by allocating ReadOnlyPages in shared memory that are
retained in the shared ReadOnlyArtifacts object. These ReadOnlyPages are
then remapped into the address space of the Isolate ultimately using
mremap.

To simplify the creation process the ReadOnlySpace memory for the first
Isolate is created as before without any sharing. It is only when the
ReadOnlySpace memory has been finalized that the shared memory is
allocated and has its contents copied into it. The original memory is
then released (with PC this means it's just released back to the
BoundedPageAllocator) and immediately re-allocated as a shared mapping.

Because we would like to make v8_enable_shared_ro_heap default to true
at some point but can't make this conditional on the value returned by
a method in the code we are yet to compile, the code required for
sharing has been mostly changed to use ifs with
ReadOnlyHeap::IsReadOnlySpaceShared() instead of #ifdefs except where
a compile error would result due to the absence of a class members
without sharing. IsReadOnlySpaceShared() will evaluate
CanAllocateSharedPages in the platform PageAllocator (with pointer
compression and sharing enabled) once and cache that value so sharing
cannot be toggled during the lifetime of the process.

Bug: v8:10454
Change-Id: I0236d752047ecce71bd64c159430517a712bc1e2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2267300
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69174}
      c7d22c49
  45. 30 Jul, 2020 1 commit
    • Dominik Inführ's avatar
      [handles] Add PersistentHandlesScope · 3c6d9aac
      Dominik Inführ authored 
      PersistentHandlesScope works similar to the DeferredHandleScope, but
returns PersistentHandles instead of DeferredHandles on Detach().

Since PersistentHandlesScope takes over filled blocks from the
main thread local handle, remove the block_size_ field and use
kHandleBlockSize instead. This way all blocks have exactly the same size.

Bug: v8:10315
Change-Id: I295cad6f84852f87c55d95572905069443f5698c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2324254
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69138}
      3c6d9aac
  47. 29 Jul, 2020 1 commit
  49. 28 Jul, 2020 1 commit
  51. 24 Jul, 2020 1 commit
  53. 23 Jul, 2020 1 commit
  55. 22 Jul, 2020 2 commits
  57. 20 Jul, 2020 1 commit
  59. 14 Jul, 2020 1 commit
    • Daniel Bevenius's avatar
      [snapshot] enable mksnapshot usage to be displayed · c8679386
      Daniel Bevenius authored 
      Currently, when specifying '--help' with mksnapshot it will only
print the v8/d8 help message and options and then exit the process.
This means that the usage message from mksnapshot will never be
displayed.

This commit suggests adding an option to SetFlagsFromCommandLine that
can disable this printing and exiting. This allows mksnapshot to display
the usage and print the options after that.

While this works, it does seems a little strange that
SetFlagsFromCommandLine prints the help message and exits the process
but I'm probably missing some background details around this.

Change-Id: I28932adf3478b88b05eed4db70bf74946f8abf2d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2290852Reviewed-by: 's avatarDan Elphick <delphick@chromium.org>
Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68851}
      c8679386
  61. 10 Jul, 2020 1 commit
  63. 29 Jun, 2020 1 commit
  65. 23 Jun, 2020 1 commit
  67. 19 Jun, 2020 1 commit