Revert "deps: V8: cherry-pick 9ebca66a5740"
Reason for revert: broke test-snapshot-reproducible.js in
dynamically linked builds in the CI.

This reverts commit 4c730ae.

PR-URL: #53582
Refs: #53579
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Moshe Atlow <[email protected]>
Reviewed-By: Jiawen Geng <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Stewart X Addison <[email protected]>
joyeecheung authored Jun 25, 2024
1 parent d7d9278 commit 8e33f20
Showing 58 changed files with 204 additions and 71 deletions.
2 changes: 1 addition & 1 deletion common.gypi
Expand Up @@ -36,7 +36,7 @@

# Reset this number to 0 on major V8 upgrades.
# Increment by one for each non-official patch applied to deps/v8.
'v8_embedder_string': '-node.16',
'v8_embedder_string': '-node.15',

##### V8 defaults for Node.js #####

3 changes: 3 additions & 0 deletions deps/v8/src/api/api.cc
Expand Up @@ -8953,6 +8953,9 @@ std::unique_ptr<v8::BackingStore> v8::ArrayBuffer::NewBackingStore(
// static
std::unique_ptr<BackingStore> v8::ArrayBuffer::NewResizableBackingStore(
size_t byte_length, size_t max_byte_length) {
Utils::ApiCheck(i::v8_flags.harmony_rab_gsab,
"v8::ArrayBuffer::NewResizableBackingStore",
"Constructing resizable ArrayBuffers is not supported");
Utils::ApiCheck(byte_length <= max_byte_length,
"v8::ArrayBuffer::NewResizableBackingStore",
"Cannot construct resizable ArrayBuffer, byte_length must be "
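Review bot: The result of the new `Utils::ApiCheck(i::v8_flags.harmony_rab_gsab, ...)` at the top of `NewResizableBackingStore` is discarded, so the gate only holds if a failed ApiCheck never returns. If an embedder-installed fatal-error handler can return control (not visible in this hunk), execution would fall through and still allocate a resizable backing store with the flag off. The neighbouring `byte_length <= max_byte_length` check is written the same way, so this may be the accepted convention, but for a feature gate an explicit bail-out is cheap: `if (!i::v8_flags.harmony_rab_gsab) return {};` after the check. The function body continues past the end of the visible lines.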
20 changes: 11 additions & 9 deletions deps/v8/src/builtins/builtins-arraybuffer.cc
Expand Up @@ -134,16 +134,18 @@ BUILTIN(ArrayBufferConstructor) {
}

Handle<Object> number_max_length;
Handle<Object> max_length;
Handle<Object> options = args.atOrUndefined(isolate, 2);
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, max_length,
JSObject::ReadFromOptionsBag(
options, isolate->factory()->max_byte_length_string(), isolate));
if (v8_flags.harmony_rab_gsab) {
Handle<Object> max_length;
Handle<Object> options = args.atOrUndefined(isolate, 2);
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, max_length,
JSObject::ReadFromOptionsBag(
options, isolate->factory()->max_byte_length_string(), isolate));

if (!IsUndefined(*max_length, isolate)) {
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, number_max_length,
Object::ToInteger(isolate, max_length));
if (!IsUndefined(*max_length, isolate)) {
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, number_max_length, Object::ToInteger(isolate, max_length));
}
}
return ConstructBuffer(isolate, target, new_target, number_length,
number_max_length, InitializedFlag::kZeroInitialized);
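Review bot: The new `if (v8_flags.harmony_rab_gsab)` block in `ArrayBufferConstructor` has no comment saying what happens when the flag is off: the options argument is never read and `number_max_length` is passed to `ConstructBuffer` as a default-constructed handle. That is presumably how a fixed-length buffer is requested, but `ConstructBuffer` is outside this hunk, so the contract should be stated where the handle is declared, e.g. `// Stays null when --harmony-rab-gsab is off or maxByteLength is undefined; ConstructBuffer then builds a fixed-length buffer.` It also makes clear to a reader that a caller-supplied `maxByteLength` is dropped silently rather than rejected in that configuration.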
2 changes: 1 addition & 1 deletion deps/v8/src/compiler/heap-refs.cc
Expand Up @@ -1127,7 +1127,7 @@ bool MapRef::CanInlineElementAccess() const {
(Is64() || (kind != BIGINT64_ELEMENTS && kind != BIGUINT64_ELEMENTS))) {
return true;
}
if (IsRabGsabTypedArrayElementsKind(kind) &&
if (v8_flags.turbo_rab_gsab && IsRabGsabTypedArrayElementsKind(kind) &&
kind != RAB_GSAB_BIGUINT64_ELEMENTS &&
kind != RAB_GSAB_BIGINT64_ELEMENTS) {
return true;
8 changes: 6 additions & 2 deletions deps/v8/src/compiler/js-call-reducer.cc
Expand Up @@ -7552,7 +7552,7 @@ Reduction JSCallReducer::ReduceArrayBufferViewByteLengthAccessor(
}
}

if (!maybe_rab_gsab) {
if (!v8_flags.harmony_rab_gsab || !maybe_rab_gsab) {
// We do not perform any change depending on this inference.
Reduction unused_reduction = inference.NoChange();
USE(unused_reduction);
Expand All @@ -7561,6 +7561,8 @@ Reduction JSCallReducer::ReduceArrayBufferViewByteLengthAccessor(
node, JS_TYPED_ARRAY_TYPE,
AccessBuilder::ForJSArrayBufferViewByteLength(),
Builtin::kTypedArrayPrototypeByteLength);
} else if (!v8_flags.turbo_rab_gsab) {
return inference.NoChange();
}

const CallParameters& p = CallParametersOf(node->op());
Expand Down Expand Up @@ -7611,14 +7613,16 @@ Reduction JSCallReducer::ReduceTypedArrayPrototypeLength(Node* node) {
if (IsRabGsabTypedArrayElementsKind(kind)) maybe_rab_gsab = true;
}

if (!maybe_rab_gsab) {
if (!v8_flags.harmony_rab_gsab || !maybe_rab_gsab) {
// We do not perform any change depending on this inference.
Reduction unused_reduction = inference.NoChange();
USE(unused_reduction);
// Call default implementation for non-rab/gsab TAs.
return ReduceArrayBufferViewAccessor(node, JS_TYPED_ARRAY_TYPE,
AccessBuilder::ForJSTypedArrayLength(),
Builtin::kTypedArrayPrototypeLength);
} else if (!v8_flags.turbo_rab_gsab) {
return inference.NoChange();
}

if (!inference.RelyOnMapsViaStability(dependencies())) {
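Review bot: With `if (!v8_flags.harmony_rab_gsab || !maybe_rab_gsab)`, both `ReduceArrayBufferViewByteLengthAccessor` and `ReduceTypedArrayPrototypeLength` now take the fixed-length fast path even when `maybe_rab_gsab` is true, as long as the language flag is off. That is only sound if no map with a RAB/GSAB elements kind can exist in that configuration, and the existing comment ("non-rab/gsab TAs") no longer describes the branch. Stating the assumption would catch a violation before a fixed-length load is inlined for a resizable view: `DCHECK_IMPLIES(maybe_rab_gsab, v8_flags.harmony_rab_gsab);` ahead of each `if`. As a style point, the `else if (!v8_flags.turbo_rab_gsab)` follows a branch that always returns, so a plain `if` reads more clearly.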
4 changes: 4 additions & 0 deletions deps/v8/src/compiler/js-native-context-specialization.cc
Expand Up @@ -3199,6 +3199,8 @@ JSNativeContextSpecialization::BuildElementAccess(
// TODO(bmeurer): We currently specialize based on elements kind. We should
// also be able to properly support strings and other JSObjects here.
ElementsKind elements_kind = access_info.elements_kind();
DCHECK_IMPLIES(IsRabGsabTypedArrayElementsKind(elements_kind),
v8_flags.turbo_rab_gsab);
ZoneVector<MapRef> const& receiver_maps =
access_info.lookup_start_object_maps();

Expand Down Expand Up @@ -3584,6 +3586,8 @@ JSNativeContextSpecialization::
KeyedAccessMode const& keyed_mode) {
DCHECK(IsTypedArrayElementsKind(elements_kind) ||
IsRabGsabTypedArrayElementsKind(elements_kind));
DCHECK_IMPLIES(IsRabGsabTypedArrayElementsKind(elements_kind),
v8_flags.turbo_rab_gsab);
// AccessMode::kDefine is not handled here. Optimization should be skipped by
// caller.
DCHECK(keyed_mode.access_mode() != AccessMode::kDefine);
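Review bot: The two new `DCHECK_IMPLIES(IsRabGsabTypedArrayElementsKind(elements_kind), v8_flags.turbo_rab_gsab)` lines, in `BuildElementAccess` and in the typed-array helper in the second hunk, assert an invariant without saying where it is established, and they are compiled out of release builds. From this commit the filtering appears to happen in `MapRef::CanInlineElementAccess()` in heap-refs.cc, which now tests the same flag. A short comment next to each DCHECK would make that dependency reviewable, e.g. `// RAB/GSAB kinds are rejected by MapRef::CanInlineElementAccess() when --turbo-rab-gsab is off.` Both functions begin and end outside the visible lines, so whether other callers can reach them with such a kind cannot be confirmed here.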
8 changes: 8 additions & 0 deletions deps/v8/src/flags/flag-definitions.h
Expand Up @@ -280,6 +280,8 @@ DEFINE_BOOL(js_shipping, true, "enable all shipped JavaScript features")
V(js_regexp_modifiers, "RegExp modifiers") \
V(js_regexp_duplicate_named_groups, "RegExp duplicate named groups")

DEFINE_WEAK_IMPLICATION(harmony_rab_gsab_transfer, harmony_rab_gsab)

#ifdef V8_INTL_SUPPORT
#define HARMONY_STAGED(V) HARMONY_STAGED_BASE(V)
#define JAVASCRIPT_STAGED_FEATURES(V) JAVASCRIPT_STAGED_FEATURES_BASE(V)
Expand All @@ -291,8 +293,11 @@ DEFINE_BOOL(js_shipping, true, "enable all shipped JavaScript features")
// Features that are shipping (turned on by default, but internal flag remains).
#define HARMONY_SHIPPING_BASE(V) \
V(harmony_import_assertions, "harmony import assertions") \
V(harmony_rab_gsab, \
"harmony ResizableArrayBuffer / GrowableSharedArrayBuffer") \
V(harmony_regexp_unicode_sets, "harmony RegExp Unicode Sets") \
V(harmony_json_parse_with_source, "harmony json parse with source") \
V(harmony_rab_gsab_transfer, "harmony ArrayBuffer.transfer") \
V(harmony_array_grouping, "harmony array grouping") \
V(harmony_array_from_async, "harmony Array.fromAsync") \
V(harmony_iterator_helpers, "JavaScript iterator helpers") \
Expand Down Expand Up @@ -1273,6 +1278,9 @@ DEFINE_BOOL_READONLY(turbo_rewrite_far_jumps, false,
"rewrite far to near jumps (ia32,x64)")
#endif

DEFINE_BOOL(
turbo_rab_gsab, true,
"optimize ResizableArrayBuffer / GrowableSharedArrayBuffer in TurboFan")
DEFINE_BOOL(
stress_gc_during_compilation, false,
"simulate GC/compiler thread race related to https://crbug.com/v8/8520")
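Review bot: `turbo_rab_gsab` is defined with default `true` and no declared relation to `harmony_rab_gsab`, and the definition does not document how the two interact. In js-call-reducer.cc the language flag is tested first, while `MapRef::CanInlineElementAccess()` tests only `turbo_rab_gsab`, so the compiler flag is meaningful only under the assumption that no RAB/GSAB elements kinds exist when the language flag is off. A comment above the definition would record that, e.g. `// Only meaningful together with --harmony-rab-gsab; without it no RAB/GSAB maps are expected to exist.` The `DEFINE_WEAK_IMPLICATION(harmony_rab_gsab_transfer, harmony_rab_gsab)` line would likewise benefit from a note that an explicit `--no-harmony-rab-gsab` overrides it.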
6 changes: 5 additions & 1 deletion deps/v8/src/heap/factory.cc
Expand Up @@ -3220,7 +3220,7 @@ Handle<JSArrayBuffer> Factory::NewJSArrayBuffer(
isolate()->native_context()->array_buffer_fun()->initial_map(),
isolate());
ResizableFlag resizable_by_js = ResizableFlag::kNotResizable;
if (backing_store->is_resizable_by_js()) {
if (v8_flags.harmony_rab_gsab && backing_store->is_resizable_by_js()) {
resizable_by_js = ResizableFlag::kResizable;
}
auto result =
Expand Down Expand Up @@ -3276,6 +3276,8 @@ MaybeHandle<JSArrayBuffer> Factory::NewJSArrayBufferAndBackingStore(

Handle<JSArrayBuffer> Factory::NewJSSharedArrayBuffer(
std::shared_ptr<BackingStore> backing_store) {
DCHECK_IMPLIES(backing_store->is_resizable_by_js(),
v8_flags.harmony_rab_gsab);
Handle<Map> map(
isolate()->native_context()->shared_array_buffer_fun()->initial_map(),
isolate());
Expand Down Expand Up @@ -3381,6 +3383,7 @@ Handle<JSTypedArray> Factory::NewJSTypedArray(
ElementsKind elements_kind;
JSTypedArray::ForFixedTypedArray(type, &element_size, &elements_kind);

CHECK_IMPLIES(is_length_tracking, v8_flags.harmony_rab_gsab);
const bool is_backed_by_rab =
buffer->is_resizable_by_js() && !buffer->is_shared();

Expand Down Expand Up @@ -3422,6 +3425,7 @@ Handle<JSTypedArray> Factory::NewJSTypedArray(
Handle<JSDataViewOrRabGsabDataView> Factory::NewJSDataViewOrRabGsabDataView(
DirectHandle<JSArrayBuffer> buffer, size_t byte_offset, size_t byte_length,
bool is_length_tracking) {
CHECK_IMPLIES(is_length_tracking, v8_flags.harmony_rab_gsab);
if (is_length_tracking) {
// Security: enforce the invariant that length-tracking DataViews have their
// byte_length set to 0.
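Review bot: The flag is enforced with three different strengths across these factory functions, and the shared-buffer path is the weakest. `NewJSArrayBuffer` silently downgrades to `kNotResizable`, `NewJSTypedArray` and `NewJSDataViewOrRabGsabDataView` use `CHECK_IMPLIES`, but `NewJSSharedArrayBuffer` uses `DCHECK_IMPLIES`, which disappears in release builds. If a growable shared backing store can reach `NewJSSharedArrayBuffer` with the flag off (its callers are not visible here), a release build would create a growable buffer that the rest of the code assumes cannot exist. Matching the other checks is a one-line change: `CHECK_IMPLIES(backing_store->is_resizable_by_js(), v8_flags.harmony_rab_gsab);`. The silent downgrade in `NewJSArrayBuffer` also deserves a comment, since the JSArrayBuffer's resizable flag then disagrees with `backing_store->is_resizable_by_js()`.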
73 changes: 41 additions & 32 deletions deps/v8/src/init/bootstrapper.cc
Expand Up @@ -4054,25 +4054,6 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
"arrayBufferConstructor_DoNotInitialize"),
Builtin::kArrayBufferConstructor_DoNotInitialize, 1, false);
native_context()->set_array_buffer_noinit_fun(*array_buffer_noinit_fun);

Handle<JSObject> array_buffer_prototype(
JSObject::cast(array_buffer_fun->instance_prototype()), isolate_);
SimpleInstallGetter(isolate_, array_buffer_prototype,
factory->max_byte_length_string(),
Builtin::kArrayBufferPrototypeGetMaxByteLength, false);
SimpleInstallGetter(isolate_, array_buffer_prototype,
factory->resizable_string(),
Builtin::kArrayBufferPrototypeGetResizable, false);
SimpleInstallFunction(isolate_, array_buffer_prototype, "resize",
Builtin::kArrayBufferPrototypeResize, 1, true);
SimpleInstallFunction(isolate_, array_buffer_prototype, "transfer",
Builtin::kArrayBufferPrototypeTransfer, 0, false);
SimpleInstallFunction(
isolate_, array_buffer_prototype, "transferToFixedLength",
Builtin::kArrayBufferPrototypeTransferToFixedLength, 0, false);
SimpleInstallGetter(isolate_, array_buffer_prototype,
factory->detached_string(),
Builtin::kArrayBufferPrototypeGetDetached, false);
}

{ // -- S h a r e d A r r a y B u f f e r
Expand All @@ -4082,19 +4063,6 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
InstallWithIntrinsicDefaultProto(isolate_, shared_array_buffer_fun,
Context::SHARED_ARRAY_BUFFER_FUN_INDEX);
InstallSpeciesGetter(isolate_, shared_array_buffer_fun);

Handle<JSObject> shared_array_buffer_prototype(
JSObject::cast(shared_array_buffer_fun->instance_prototype()),
isolate_);
SimpleInstallGetter(isolate_, shared_array_buffer_prototype,
factory->max_byte_length_string(),
Builtin::kSharedArrayBufferPrototypeGetMaxByteLength,
false);
SimpleInstallGetter(isolate_, shared_array_buffer_prototype,
factory->growable_string(),
Builtin::kSharedArrayBufferPrototypeGetGrowable, false);
SimpleInstallFunction(isolate_, shared_array_buffer_prototype, "grow",
Builtin::kSharedArrayBufferPrototypeGrow, 1, true);
}

{ // -- A t o m i c s
Expand Down Expand Up @@ -5332,6 +5300,7 @@ void Genesis::InitializeConsole(Handle<JSObject> extras_binding) {

EMPTY_INITIALIZE_GLOBAL_FOR_FEATURE(harmony_import_assertions)
EMPTY_INITIALIZE_GLOBAL_FOR_FEATURE(harmony_import_attributes)
EMPTY_INITIALIZE_GLOBAL_FOR_FEATURE(harmony_rab_gsab_transfer)
EMPTY_INITIALIZE_GLOBAL_FOR_FEATURE(js_regexp_modifiers)
EMPTY_INITIALIZE_GLOBAL_FOR_FEATURE(js_regexp_duplicate_named_groups)

Expand Down Expand Up @@ -5799,6 +5768,46 @@ void Genesis::InitializeGlobal_regexp_linear_flag() {
native_context()->set_regexp_prototype_map(regexp_prototype->map());
}

void Genesis::InitializeGlobal_harmony_rab_gsab() {
if (!v8_flags.harmony_rab_gsab) return;
Handle<JSObject> array_buffer_prototype(
JSObject::cast(
native_context()->array_buffer_fun()->instance_prototype()),
isolate());
SimpleInstallGetter(isolate(), array_buffer_prototype,
factory()->max_byte_length_string(),
Builtin::kArrayBufferPrototypeGetMaxByteLength, false);
SimpleInstallGetter(isolate(), array_buffer_prototype,
factory()->resizable_string(),
Builtin::kArrayBufferPrototypeGetResizable, false);
SimpleInstallFunction(isolate(), array_buffer_prototype, "resize",
Builtin::kArrayBufferPrototypeResize, 1, true);
if (v8_flags.harmony_rab_gsab_transfer) {
SimpleInstallFunction(isolate(), array_buffer_prototype, "transfer",
Builtin::kArrayBufferPrototypeTransfer, 0, false);
SimpleInstallFunction(
isolate(), array_buffer_prototype, "transferToFixedLength",
Builtin::kArrayBufferPrototypeTransferToFixedLength, 0, false);
SimpleInstallGetter(isolate(), array_buffer_prototype,
factory()->detached_string(),
Builtin::kArrayBufferPrototypeGetDetached, false);
}

Handle<JSObject> shared_array_buffer_prototype(
JSObject::cast(
native_context()->shared_array_buffer_fun()->instance_prototype()),
isolate());
SimpleInstallGetter(isolate(), shared_array_buffer_prototype,
factory()->max_byte_length_string(),
Builtin::kSharedArrayBufferPrototypeGetMaxByteLength,
false);
SimpleInstallGetter(isolate(), shared_array_buffer_prototype,
factory()->growable_string(),
Builtin::kSharedArrayBufferPrototypeGetGrowable, false);
SimpleInstallFunction(isolate(), shared_array_buffer_prototype, "grow",
Builtin::kSharedArrayBufferPrototypeGrow, 1, true);
}

void Genesis::InitializeGlobal_harmony_temporal() {
if (!v8_flags.harmony_temporal) return;

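Review bot: `Genesis::InitializeGlobal_harmony_rab_gsab` installs `transfer`, `transferToFixedLength` and the `detached` getter inside a nested `if (v8_flags.harmony_rab_gsab_transfer)`, but nothing explains why a separate feature is initialised here. Together with the new `EMPTY_INITIALIZE_GLOBAL_FOR_FEATURE(harmony_rab_gsab_transfer)`, this means the transfer flag has no effect unless `harmony_rab_gsab` is also on, which is easy to miss when toggling flags to reduce exposed API surface. A comment above the nested `if` would make it explicit: `// transfer(), transferToFixedLength() and detached require both flags; harmony_rab_gsab_transfer has no initializer of its own.` The function would also read better with the SharedArrayBuffer half introduced by its own one-line comment, as the removed inline code had through its surrounding section headers.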
2 changes: 2 additions & 0 deletions deps/v8/src/objects/js-array-buffer.cc
Expand Up @@ -177,6 +177,7 @@ size_t JSArrayBuffer::GsabByteLength(Isolate* isolate,
Address raw_array_buffer) {
// TODO(v8:11111): Cache the last seen length in JSArrayBuffer and use it
// in bounds checks to minimize the need for calling this function.
DCHECK(v8_flags.harmony_rab_gsab);
DisallowGarbageCollection no_gc;
DisallowJavascriptExecution no_js(isolate);
Tagged<JSArrayBuffer> buffer =
Expand Down Expand Up @@ -404,6 +405,7 @@ size_t JSTypedArray::LengthTrackingGsabBackedTypedArrayLength(
Isolate* isolate, Address raw_array) {
// TODO(v8:11111): Cache the last seen length in JSArrayBuffer and use it
// in bounds checks to minimize the need for calling this function.
DCHECK(v8_flags.harmony_rab_gsab);
DisallowGarbageCollection no_gc;
DisallowJavascriptExecution no_js(isolate);
Tagged<JSTypedArray> array = JSTypedArray::cast(Tagged<Object>(raw_array));
19 changes: 19 additions & 0 deletions deps/v8/src/objects/value-serializer.cc
Expand Up @@ -1009,6 +1009,7 @@ Maybe<bool> ValueSerializer::WriteJSArrayBufferView(
ArrayBufferViewTag tag = ArrayBufferViewTag::kInt8Array;
if (IsJSTypedArray(view)) {
if (JSTypedArray::cast(view)->IsOutOfBounds()) {
DCHECK(v8_flags.harmony_rab_gsab);
return ThrowDataCloneError(MessageTemplate::kDataCloneError,
handle(view, isolate_));
}
Expand All @@ -1024,6 +1025,7 @@ Maybe<bool> ValueSerializer::WriteJSArrayBufferView(
DCHECK(IsJSDataViewOrRabGsabDataView(view));
if (IsJSRabGsabDataView(view) &&
JSRabGsabDataView::cast(view)->IsOutOfBounds()) {
DCHECK(v8_flags.harmony_rab_gsab);
return ThrowDataCloneError(MessageTemplate::kDataCloneError,
handle(view, isolate_));
}
Expand Down Expand Up @@ -2103,6 +2105,13 @@ MaybeHandle<JSArrayBuffer> ValueDeserializer::ReadJSArrayBuffer(
if (byte_length > max_byte_length) {
return MaybeHandle<JSArrayBuffer>();
}
if (!v8_flags.harmony_rab_gsab) {
// Disable resizability. This ensures that no resizable buffers are
// created in a version which has the harmony_rab_gsab turned off, even if
// such a version is reading data containing resizable buffers from disk.
is_resizable = false;
max_byte_length = byte_length;
}
}
if (byte_length > static_cast<size_t>(end_ - position_)) {
return MaybeHandle<JSArrayBuffer>();
Expand Down Expand Up @@ -2224,6 +2233,16 @@ bool ValueDeserializer::ValidateJSArrayBufferViewFlags(
// TODO(marja): When the version number is bumped the next time, check that
// serialized_flags doesn't contain spurious 1-bits.

if (!v8_flags.harmony_rab_gsab) {
// Disable resizability. This ensures that no resizable buffers are
// created in a version which has the harmony_rab_gsab turned off, even if
// such a version is reading data containing resizable buffers from disk.
is_length_tracking = false;
is_backed_by_rab = false;
// The resizability of the buffer was already disabled.
CHECK(!buffer->is_resizable_by_js());
}

if (is_backed_by_rab || is_length_tracking) {
if (!buffer->is_resizable_by_js()) {
return false;
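Review bot: `CHECK(!buffer->is_resizable_by_js())` in `ValidateJSArrayBufferViewFlags` aborts the process on a path that is driven by serialized input, although the function already has a `return false` failure path a few lines further down. The CHECK holds only if every buffer that can reach a view had its resizability cleared. `ReadJSArrayBuffer` does that in this commit, but buffers that arrive by another route (shared or transferred ones, for example) are not visible in these hunks. Failing the read is the safer behaviour for a deserializer: `if (buffer->is_resizable_by_js()) return false;`. The comment in both blocks could also say that a length-tracking view read with the flag off appears to come back as a fixed-length view without any error, since that changes what the reader observes.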
6 changes: 6 additions & 0 deletions deps/v8/test/cctest/test-api-array-buffer.cc
Expand Up @@ -455,6 +455,8 @@ THREADED_TEST(ArrayBuffer_NewBackingStore) {
}

THREADED_TEST(ArrayBuffer_NewResizableBackingStore) {
FLAG_SCOPE(harmony_rab_gsab);

LocalContext env;
v8::Isolate* isolate = env->GetIsolate();
v8::HandleScope handle_scope(isolate);
Expand Down Expand Up @@ -829,6 +831,8 @@ TEST(BackingStore_ReallocateShared) {
}

TEST(ArrayBuffer_Resizable) {
FLAG_SCOPE(harmony_rab_gsab);

LocalContext env;
v8::Isolate* isolate = env->GetIsolate();
v8::HandleScope handle_scope(isolate);
Expand All @@ -850,6 +854,8 @@ TEST(ArrayBuffer_Resizable) {
}

TEST(ArrayBuffer_FixedLength) {
FLAG_SCOPE(harmony_rab_gsab);

LocalContext env;
v8::Isolate* isolate = env->GetIsolate();
v8::HandleScope handle_scope(isolate);
Expand Up @@ -2,7 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --turbofan --no-always-turbofan
// Flags: --harmony-rab-gsab --allow-natives-syntax --turbofan
// Flags: --no-always-turbofan --turbo-rab-gsab
// Flags: --js-float16array

"use strict";
3 changes: 2 additions & 1 deletion deps/v8/test/mjsunit/dataview-growablesharedarraybuffer.js
Expand Up @@ -2,7 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --js-float16array
// Flags: --harmony-rab-gsab --allow-natives-syntax
// Flags: --js-float16array

"use strict";

3 changes: 2 additions & 1 deletion deps/v8/test/mjsunit/dataview-resizablearraybuffer-detach.js
Expand Up @@ -2,7 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --js-float16array
// Flags: --harmony-rab-gsab --allow-natives-syntax
// Flags: --js-float16array

"use strict";
