Revert "deps: V8: cherry-pick 9ebca66a5740" #53582

Merged
merged 1 commit into from
Jun 25, 2024
2 changes: 1 addition & 1 deletion common.gypi
Expand Up @@ -36,7 +36,7 @@

# Reset this number to 0 on major V8 upgrades.
# Increment by one for each non-official patch applied to deps/v8.
'v8_embedder_string': '-node.16',
'v8_embedder_string': '-node.15',

##### V8 defaults for Node.js #####

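--- a/deps/v8/src/api/api.cc
+++ b/deps/v8/src/api/api.cc
@@ -8953,6 +8953,9 @@ std::unique_ptr<v8::BackingStore> v8::ArrayBuffer::NewBackingStore(
 // static
 std::unique_ptr<BackingStore> v8::ArrayBuffer::NewResizableBackingStore(
 size_t byte_length, size_t max_byte_length) {
+Utils::ApiCheck(i::v8_flags.harmony_rab_gsab,
+"v8::ArrayBuffer::NewResizableBackingStore",
+"Constructing resizable ArrayBuffers is not supported");
 Utils::ApiCheck(byte_length <= max_byte_length,
 "v8::ArrayBuffer::NewResizableBackingStore",
 "Cannot construct resizable ArrayBuffer, byte_length must be "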
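Review bot: The restored flag check in `NewResizableBackingStore` discards the result of `Utils::ApiCheck`, as the `byte_length <= max_byte_length` check below it already does. If ApiCheck reports through the embedder's fatal-error callback and returns false rather than aborting unconditionally (its definition is not in this hunk), an embedder whose callback returns would still receive a resizable backing store with `harmony_rab_gsab` off. Returning early would keep the gate effective in that case, e.g. `if (!Utils::ApiCheck(i::v8_flags.harmony_rab_gsab, ...)) return {};`, or the header comment should say the check is advisory. The function body continues outside the hunk.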
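--- a/deps/v8/src/builtins/builtins-arraybuffer.cc
+++ b/deps/v8/src/builtins/builtins-arraybuffer.cc
@@ -134,16 +134,18 @@ BUILTIN(ArrayBufferConstructor) {
 }
 
 Handle<Object> number_max_length;
-Handle<Object> max_length;
-Handle<Object> options = args.atOrUndefined(isolate, 2);
-ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
-isolate, max_length,
-JSObject::ReadFromOptionsBag(
-options, isolate->factory()->max_byte_length_string(), isolate));
+if (v8_flags.harmony_rab_gsab) {
+Handle<Object> max_length;
+Handle<Object> options = args.atOrUndefined(isolate, 2);
+ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+isolate, max_length,
+JSObject::ReadFromOptionsBag(
+options, isolate->factory()->max_byte_length_string(), isolate));
 
-if (!IsUndefined(*max_length, isolate)) {
-ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, number_max_length,
-Object::ToInteger(isolate, max_length));
+if (!IsUndefined(*max_length, isolate)) {
+ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+isolate, number_max_length, Object::ToInteger(isolate, max_length));
+}
 }
 return ConstructBuffer(isolate, target, new_target, number_length,
 number_max_length, InitializedFlag::kZeroInitialized);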
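Review bot: The new `if (v8_flags.harmony_rab_gsab)` branch carries no comment explaining that, with the flag off, the options bag is never read: `ReadFromOptionsBag` is skipped and `number_max_length` reaches `ConstructBuffer` as an empty handle, the same state as when `maxByteLength` is undefined. A caller-supplied `maxByteLength` is therefore ignored silently rather than rejected, which a reader cannot tell from the branch alone. A comment above the `if` would record that this is intended, e.g. `// Flag off: the options bag is not read and number_max_length stays empty.` The builtin's body starts outside the hunk.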
2 changes: 1 addition & 1 deletion deps/v8/src/compiler/heap-refs.cc
Expand Up @@ -1127,7 +1127,7 @@ bool MapRef::CanInlineElementAccess() const {
(Is64() || (kind != BIGINT64_ELEMENTS && kind != BIGUINT64_ELEMENTS))) {
return true;
}
if (IsRabGsabTypedArrayElementsKind(kind) &&
if (v8_flags.turbo_rab_gsab && IsRabGsabTypedArrayElementsKind(kind) &&
kind != RAB_GSAB_BIGUINT64_ELEMENTS &&
kind != RAB_GSAB_BIGINT64_ELEMENTS) {
return true;
8 changes: 6 additions & 2 deletions deps/v8/src/compiler/js-call-reducer.cc
Expand Up @@ -7552,7 +7552,7 @@ Reduction JSCallReducer::ReduceArrayBufferViewByteLengthAccessor(
}
}

if (!maybe_rab_gsab) {
if (!v8_flags.harmony_rab_gsab || !maybe_rab_gsab) {
// We do not perform any change depending on this inference.
Reduction unused_reduction = inference.NoChange();
USE(unused_reduction);
Expand All @@ -7561,6 +7561,8 @@ Reduction JSCallReducer::ReduceArrayBufferViewByteLengthAccessor(
node, JS_TYPED_ARRAY_TYPE,
AccessBuilder::ForJSArrayBufferViewByteLength(),
Builtin::kTypedArrayPrototypeByteLength);
} else if (!v8_flags.turbo_rab_gsab) {
return inference.NoChange();
}

const CallParameters& p = CallParametersOf(node->op());
Expand Down Expand Up @@ -7611,14 +7613,16 @@ Reduction JSCallReducer::ReduceTypedArrayPrototypeLength(Node* node) {
if (IsRabGsabTypedArrayElementsKind(kind)) maybe_rab_gsab = true;
}

if (!maybe_rab_gsab) {
if (!v8_flags.harmony_rab_gsab || !maybe_rab_gsab) {
// We do not perform any change depending on this inference.
Reduction unused_reduction = inference.NoChange();
USE(unused_reduction);
// Call default implementation for non-rab/gsab TAs.
return ReduceArrayBufferViewAccessor(node, JS_TYPED_ARRAY_TYPE,
AccessBuilder::ForJSTypedArrayLength(),
Builtin::kTypedArrayPrototypeLength);
} else if (!v8_flags.turbo_rab_gsab) {
return inference.NoChange();
}

if (!inference.RelyOnMapsViaStability(dependencies())) {
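Review bot: In both restored conditions (`ReduceArrayBufferViewByteLengthAccessor` and `ReduceTypedArrayPrototypeLength`), `!v8_flags.harmony_rab_gsab || !maybe_rab_gsab` sends a receiver whose maps include a RAB/GSAB elements kind down the plain field-load reduction whenever the harmony flag is off. That is sound only if such maps cannot exist with the flag off, which these hunks do not establish; other files in this commit assert the matching invariant with `DCHECK_IMPLIES`. Stating it here too, `DCHECK_IMPLIES(maybe_rab_gsab, v8_flags.harmony_rab_gsab);` before each `if`, would surface a violation in debug builds instead of emitting a length read that ignores resizing. Both functions start and end outside their hunks.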
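--- a/deps/v8/src/compiler/js-native-context-specialization.cc
+++ b/deps/v8/src/compiler/js-native-context-specialization.cc
@@ -3199,6 +3199,8 @@ JSNativeContextSpecialization::BuildElementAccess(
 // TODO(bmeurer): We currently specialize based on elements kind. We should
 // also be able to properly support strings and other JSObjects here.
 ElementsKind elements_kind = access_info.elements_kind();
+DCHECK_IMPLIES(IsRabGsabTypedArrayElementsKind(elements_kind),
+v8_flags.turbo_rab_gsab);
 ZoneVector<MapRef> const& receiver_maps =
 access_info.lookup_start_object_maps();
 
@@ -3584,6 +3586,8 @@ JSNativeContextSpecialization::
 KeyedAccessMode const& keyed_mode) {
 DCHECK(IsTypedArrayElementsKind(elements_kind) ||
 IsRabGsabTypedArrayElementsKind(elements_kind));
+DCHECK_IMPLIES(IsRabGsabTypedArrayElementsKind(elements_kind),
+v8_flags.turbo_rab_gsab);
 // AccessMode::kDefine is not handled here. Optimization should be skipped by
 // caller.
 DCHECK(keyed_mode.access_mode() != AccessMode::kDefine);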
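--- a/deps/v8/src/flags/flag-definitions.h
+++ b/deps/v8/src/flags/flag-definitions.h
@@ -280,6 +280,8 @@ DEFINE_BOOL(js_shipping, true, "enable all shipped JavaScript features")
 V(js_regexp_modifiers, "RegExp modifiers") \
 V(js_regexp_duplicate_named_groups, "RegExp duplicate named groups")
 
+DEFINE_WEAK_IMPLICATION(harmony_rab_gsab_transfer, harmony_rab_gsab)
+
 #ifdef V8_INTL_SUPPORT
 #define HARMONY_STAGED(V) HARMONY_STAGED_BASE(V)
 #define JAVASCRIPT_STAGED_FEATURES(V) JAVASCRIPT_STAGED_FEATURES_BASE(V)
@@ -291,8 +293,11 @@ DEFINE_BOOL(js_shipping, true, "enable all shipped JavaScript features")
 // Features that are shipping (turned on by default, but internal flag remains).
 #define HARMONY_SHIPPING_BASE(V) \
 V(harmony_import_assertions, "harmony import assertions") \
+V(harmony_rab_gsab, \
+"harmony ResizableArrayBuffer / GrowableSharedArrayBuffer") \
 V(harmony_regexp_unicode_sets, "harmony RegExp Unicode Sets") \
 V(harmony_json_parse_with_source, "harmony json parse with source") \
+V(harmony_rab_gsab_transfer, "harmony ArrayBuffer.transfer") \
 V(harmony_array_grouping, "harmony array grouping") \
 V(harmony_array_from_async, "harmony Array.fromAsync") \
 V(harmony_iterator_helpers, "JavaScript iterator helpers") \
@@ -1273,6 +1278,9 @@ DEFINE_BOOL_READONLY(turbo_rewrite_far_jumps, false,
 "rewrite far to near jumps (ia32,x64)")
 #endif
 
+DEFINE_BOOL(
+turbo_rab_gsab, true,
+"optimize ResizableArrayBuffer / GrowableSharedArrayBuffer in TurboFan")
 DEFINE_BOOL(
 stress_gc_during_compilation, false,
 "simulate GC/compiler thread race related to https://crbug.com/v8/8520")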
6 changes: 5 additions & 1 deletion deps/v8/src/heap/factory.cc
Expand Up @@ -3220,7 +3220,7 @@ Handle<JSArrayBuffer> Factory::NewJSArrayBuffer(
isolate()->native_context()->array_buffer_fun()->initial_map(),
isolate());
ResizableFlag resizable_by_js = ResizableFlag::kNotResizable;
if (backing_store->is_resizable_by_js()) {
if (v8_flags.harmony_rab_gsab && backing_store->is_resizable_by_js()) {
resizable_by_js = ResizableFlag::kResizable;
}
auto result =
Expand Down Expand Up @@ -3276,6 +3276,8 @@ MaybeHandle<JSArrayBuffer> Factory::NewJSArrayBufferAndBackingStore(

Handle<JSArrayBuffer> Factory::NewJSSharedArrayBuffer(
std::shared_ptr<BackingStore> backing_store) {
DCHECK_IMPLIES(backing_store->is_resizable_by_js(),
v8_flags.harmony_rab_gsab);
Handle<Map> map(
isolate()->native_context()->shared_array_buffer_fun()->initial_map(),
isolate());
Expand Down Expand Up @@ -3381,6 +3383,7 @@ Handle<JSTypedArray> Factory::NewJSTypedArray(
ElementsKind elements_kind;
JSTypedArray::ForFixedTypedArray(type, &element_size, &elements_kind);

CHECK_IMPLIES(is_length_tracking, v8_flags.harmony_rab_gsab);
const bool is_backed_by_rab =
buffer->is_resizable_by_js() && !buffer->is_shared();

Expand Down Expand Up @@ -3422,6 +3425,7 @@ Handle<JSTypedArray> Factory::NewJSTypedArray(
Handle<JSDataViewOrRabGsabDataView> Factory::NewJSDataViewOrRabGsabDataView(
DirectHandle<JSArrayBuffer> buffer, size_t byte_offset, size_t byte_length,
bool is_length_tracking) {
CHECK_IMPLIES(is_length_tracking, v8_flags.harmony_rab_gsab);
if (is_length_tracking) {
// Security: enforce the invariant that length-tracking DataViews have their
// byte_length set to 0.
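Review bot: `NewJSSharedArrayBuffer` guards the flag with `DCHECK_IMPLIES`, which is compiled out of release builds, while the neighbouring hunks enforce the same invariant at runtime: `NewJSArrayBuffer` falls back to `kNotResizable`, and `NewJSTypedArray` and `NewJSDataViewOrRabGsabDataView` use `CHECK_IMPLIES`. A growable shared backing store handed in with `harmony_rab_gsab` off would therefore pass unnoticed in release, assuming the rest of the function (outside the hunk) derives resizability from the backing store. Using `CHECK_IMPLIES(backing_store->is_resizable_by_js(), v8_flags.harmony_rab_gsab);`, or the same downgrade as `NewJSArrayBuffer`, would make the four factory paths consistent.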
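--- a/deps/v8/src/init/bootstrapper.cc
+++ b/deps/v8/src/init/bootstrapper.cc
@@ -4054,25 +4054,6 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
 "arrayBufferConstructor_DoNotInitialize"),
 Builtin::kArrayBufferConstructor_DoNotInitialize, 1, false);
 native_context()->set_array_buffer_noinit_fun(*array_buffer_noinit_fun);
-
-Handle<JSObject> array_buffer_prototype(
-JSObject::cast(array_buffer_fun->instance_prototype()), isolate_);
-SimpleInstallGetter(isolate_, array_buffer_prototype,
-factory->max_byte_length_string(),
-Builtin::kArrayBufferPrototypeGetMaxByteLength, false);
-SimpleInstallGetter(isolate_, array_buffer_prototype,
-factory->resizable_string(),
-Builtin::kArrayBufferPrototypeGetResizable, false);
-SimpleInstallFunction(isolate_, array_buffer_prototype, "resize",
-Builtin::kArrayBufferPrototypeResize, 1, true);
-SimpleInstallFunction(isolate_, array_buffer_prototype, "transfer",
-Builtin::kArrayBufferPrototypeTransfer, 0, false);
-SimpleInstallFunction(
-isolate_, array_buffer_prototype, "transferToFixedLength",
-Builtin::kArrayBufferPrototypeTransferToFixedLength, 0, false);
-SimpleInstallGetter(isolate_, array_buffer_prototype,
-factory->detached_string(),
-Builtin::kArrayBufferPrototypeGetDetached, false);
 }
 
 { // -- S h a r e d A r r a y B u f f e r
@@ -4082,19 +4063,6 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
 InstallWithIntrinsicDefaultProto(isolate_, shared_array_buffer_fun,
 Context::SHARED_ARRAY_BUFFER_FUN_INDEX);
 InstallSpeciesGetter(isolate_, shared_array_buffer_fun);
-
-Handle<JSObject> shared_array_buffer_prototype(
-JSObject::cast(shared_array_buffer_fun->instance_prototype()),
-isolate_);
-SimpleInstallGetter(isolate_, shared_array_buffer_prototype,
-factory->max_byte_length_string(),
-Builtin::kSharedArrayBufferPrototypeGetMaxByteLength,
-false);
-SimpleInstallGetter(isolate_, shared_array_buffer_prototype,
-factory->growable_string(),
-Builtin::kSharedArrayBufferPrototypeGetGrowable, false);
-SimpleInstallFunction(isolate_, shared_array_buffer_prototype, "grow",
-Builtin::kSharedArrayBufferPrototypeGrow, 1, true);
 }
 
 { // -- A t o m i c s
@@ -5332,6 +5300,7 @@ void Genesis::InitializeConsole(Handle<JSObject> extras_binding) {
 
 EMPTY_INITIALIZE_GLOBAL_FOR_FEATURE(harmony_import_assertions)
 EMPTY_INITIALIZE_GLOBAL_FOR_FEATURE(harmony_import_attributes)
+EMPTY_INITIALIZE_GLOBAL_FOR_FEATURE(harmony_rab_gsab_transfer)
 EMPTY_INITIALIZE_GLOBAL_FOR_FEATURE(js_regexp_modifiers)
 EMPTY_INITIALIZE_GLOBAL_FOR_FEATURE(js_regexp_duplicate_named_groups)
 
@@ -5799,6 +5768,46 @@ void Genesis::InitializeGlobal_regexp_linear_flag() {
 native_context()->set_regexp_prototype_map(regexp_prototype->map());
 }
 
+void Genesis::InitializeGlobal_harmony_rab_gsab() {
+if (!v8_flags.harmony_rab_gsab) return;
+Handle<JSObject> array_buffer_prototype(
+JSObject::cast(
+native_context()->array_buffer_fun()->instance_prototype()),
+isolate());
+SimpleInstallGetter(isolate(), array_buffer_prototype,
+factory()->max_byte_length_string(),
+Builtin::kArrayBufferPrototypeGetMaxByteLength, false);
+SimpleInstallGetter(isolate(), array_buffer_prototype,
+factory()->resizable_string(),
+Builtin::kArrayBufferPrototypeGetResizable, false);
+SimpleInstallFunction(isolate(), array_buffer_prototype, "resize",
+Builtin::kArrayBufferPrototypeResize, 1, true);
+if (v8_flags.harmony_rab_gsab_transfer) {
+SimpleInstallFunction(isolate(), array_buffer_prototype, "transfer",
+Builtin::kArrayBufferPrototypeTransfer, 0, false);
+SimpleInstallFunction(
+isolate(), array_buffer_prototype, "transferToFixedLength",
+Builtin::kArrayBufferPrototypeTransferToFixedLength, 0, false);
+SimpleInstallGetter(isolate(), array_buffer_prototype,
+factory()->detached_string(),
+Builtin::kArrayBufferPrototypeGetDetached, false);
+}
+
+Handle<JSObject> shared_array_buffer_prototype(
+JSObject::cast(
+native_context()->shared_array_buffer_fun()->instance_prototype()),
+isolate());
+SimpleInstallGetter(isolate(), shared_array_buffer_prototype,
+factory()->max_byte_length_string(),
+Builtin::kSharedArrayBufferPrototypeGetMaxByteLength,
+false);
+SimpleInstallGetter(isolate(), shared_array_buffer_prototype,
+factory()->growable_string(),
+Builtin::kSharedArrayBufferPrototypeGetGrowable, false);
+SimpleInstallFunction(isolate(), shared_array_buffer_prototype, "grow",
+Builtin::kSharedArrayBufferPrototypeGrow, 1, true);
+}
+
 void Genesis::InitializeGlobal_harmony_temporal() {
 if (!v8_flags.harmony_temporal) return;
 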
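Review bot: `InitializeGlobal_harmony_rab_gsab` does not document that `transfer`, `transferToFixedLength` and the `detached` getter are installed only when both `harmony_rab_gsab` and `harmony_rab_gsab_transfer` are set. Because the hunk above registers `EMPTY_INITIALIZE_GLOBAL_FOR_FEATURE(harmony_rab_gsab_transfer)`, the transfer flag installs nothing by itself, so turning `harmony_rab_gsab` off also removes those three properties. A one-line comment above the inner `if` would keep a later edit from separating the two flags by accident, e.g. `// harmony_rab_gsab_transfer has no initializer of its own; its builtins are installed here.`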
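--- a/deps/v8/src/objects/js-array-buffer.cc
+++ b/deps/v8/src/objects/js-array-buffer.cc
@@ -177,6 +177,7 @@ size_t JSArrayBuffer::GsabByteLength(Isolate* isolate,
 Address raw_array_buffer) {
 // TODO(v8:11111): Cache the last seen length in JSArrayBuffer and use it
 // in bounds checks to minimize the need for calling this function.
+DCHECK(v8_flags.harmony_rab_gsab);
 DisallowGarbageCollection no_gc;
 DisallowJavascriptExecution no_js(isolate);
 Tagged<JSArrayBuffer> buffer =
@@ -404,6 +405,7 @@ size_t JSTypedArray::LengthTrackingGsabBackedTypedArrayLength(
 Isolate* isolate, Address raw_array) {
 // TODO(v8:11111): Cache the last seen length in JSArrayBuffer and use it
 // in bounds checks to minimize the need for calling this function.
+DCHECK(v8_flags.harmony_rab_gsab);
 DisallowGarbageCollection no_gc;
 DisallowJavascriptExecution no_js(isolate);
 Tagged<JSTypedArray> array = JSTypedArray::cast(Tagged<Object>(raw_array));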
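--- a/deps/v8/src/objects/value-serializer.cc
+++ b/deps/v8/src/objects/value-serializer.cc
@@ -1009,6 +1009,7 @@ Maybe<bool> ValueSerializer::WriteJSArrayBufferView(
 ArrayBufferViewTag tag = ArrayBufferViewTag::kInt8Array;
 if (IsJSTypedArray(view)) {
 if (JSTypedArray::cast(view)->IsOutOfBounds()) {
+DCHECK(v8_flags.harmony_rab_gsab);
 return ThrowDataCloneError(MessageTemplate::kDataCloneError,
 handle(view, isolate_));
 }
@@ -1024,6 +1025,7 @@ Maybe<bool> ValueSerializer::WriteJSArrayBufferView(
 DCHECK(IsJSDataViewOrRabGsabDataView(view));
 if (IsJSRabGsabDataView(view) &&
 JSRabGsabDataView::cast(view)->IsOutOfBounds()) {
+DCHECK(v8_flags.harmony_rab_gsab);
 return ThrowDataCloneError(MessageTemplate::kDataCloneError,
 handle(view, isolate_));
 }
@@ -2103,6 +2105,13 @@ MaybeHandle<JSArrayBuffer> ValueDeserializer::ReadJSArrayBuffer(
 if (byte_length > max_byte_length) {
 return MaybeHandle<JSArrayBuffer>();
 }
+if (!v8_flags.harmony_rab_gsab) {
+// Disable resizability. This ensures that no resizable buffers are
+// created in a version which has the harmony_rab_gsab turned off, even if
+// such a version is reading data containing resizable buffers from disk.
+is_resizable = false;
+max_byte_length = byte_length;
+}
 }
 if (byte_length > static_cast<size_t>(end_ - position_)) {
 return MaybeHandle<JSArrayBuffer>();
@@ -2224,6 +2233,16 @@ bool ValueDeserializer::ValidateJSArrayBufferViewFlags(
 // TODO(marja): When the version number is bumped the next time, check that
 // serialized_flags doesn't contain spurious 1-bits.
 
+if (!v8_flags.harmony_rab_gsab) {
+// Disable resizability. This ensures that no resizable buffers are
+// created in a version which has the harmony_rab_gsab turned off, even if
+// such a version is reading data containing resizable buffers from disk.
+is_length_tracking = false;
+is_backed_by_rab = false;
+// The resizability of the buffer was already disabled.
+CHECK(!buffer->is_resizable_by_js());
+}
+
 if (is_backed_by_rab || is_length_tracking) {
 if (!buffer->is_resizable_by_js()) {
 return false;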
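Review bot: The `CHECK(!buffer->is_resizable_by_js())` added to `ValidateJSArrayBufferViewFlags` runs while deserializing input, and a failed CHECK terminates the process, whereas the rejection visible just below it is `return false`. The comment says resizability was already disabled, but the hunks show that only for buffers built in `ReadJSArrayBuffer`; whether a buffer obtained another way (a transferred or shared one, for instance) can reach this point with the flag off is not visible here. Failing the read instead keeps malformed or mismatched data from becoming a crash: `if (buffer->is_resizable_by_js()) return false;`. The function body continues outside the hunk.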
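--- a/deps/v8/test/cctest/test-api-array-buffer.cc
+++ b/deps/v8/test/cctest/test-api-array-buffer.cc
@@ -455,6 +455,8 @@ THREADED_TEST(ArrayBuffer_NewBackingStore) {
 }
 
 THREADED_TEST(ArrayBuffer_NewResizableBackingStore) {
+FLAG_SCOPE(harmony_rab_gsab);
+
 LocalContext env;
 v8::Isolate* isolate = env->GetIsolate();
 v8::HandleScope handle_scope(isolate);
@@ -829,6 +831,8 @@ TEST(BackingStore_ReallocateShared) {
 }
 
 TEST(ArrayBuffer_Resizable) {
+FLAG_SCOPE(harmony_rab_gsab);
+
 LocalContext env;
 v8::Isolate* isolate = env->GetIsolate();
 v8::HandleScope handle_scope(isolate);
@@ -850,6 +854,8 @@ TEST(ArrayBuffer_Resizable) {
 }
 
 TEST(ArrayBuffer_FixedLength) {
+FLAG_SCOPE(harmony_rab_gsab);
+
 LocalContext env;
 v8::Isolate* isolate = env->GetIsolate();
 v8::HandleScope handle_scope(isolate);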
Expand Up @@ -2,7 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --turbofan --no-always-turbofan
// Flags: --harmony-rab-gsab --allow-natives-syntax --turbofan
// Flags: --no-always-turbofan --turbo-rab-gsab
// Flags: --js-float16array

"use strict";
3 changes: 2 additions & 1 deletion deps/v8/test/mjsunit/dataview-growablesharedarraybuffer.js
Expand Up @@ -2,7 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --js-float16array
// Flags: --harmony-rab-gsab --allow-natives-syntax
// Flags: --js-float16array

"use strict";

3 changes: 2 additions & 1 deletion deps/v8/test/mjsunit/dataview-resizablearraybuffer-detach.js
Expand Up @@ -2,7 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --js-float16array
// Flags: --harmony-rab-gsab --allow-natives-syntax
// Flags: --js-float16array

"use strict";
