This is a reland of 1f504c36da
Changes since revert:
- Removed disabling of RO heap sharing when --stress-snapshot is passed;
was fixed by f4a6c628c9
- Fixed crashing tests that caused revert separately in
a61aa4919f
Original change's description:
> > [ptr-cage] Turn on shared pointer cage by default for arm64 and x64
> >
> > Reviewed-on:
> https://chromium-review.googlesource.com/c/v8/v8/+/2873226
> > Reviewed-by: Igor Sheludko <ishell@chromium.org>
> > Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#74422}
>
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2878855
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Dan Elphick <delphick@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74448}
Bug: v8:11460
Change-Id: I4e491574437f4c832e24b29815de6bdfd8975511
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2891460
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74546}
This is a reland of 3356078ae1.
The fix is in PS2:
- fix the DCHECK to be triggered only if dst != src, the dcheck
is meant to prevent rep from being overwritten, which happens only
if dst != src
- fix instruction selector for f64x2.replace_lane, require SameAsFirst
only for non-AVX, which makes dst == src, saving a move
- on x64 we also require all registers, since the macro-assembler
helper only handles registers
Original change's description:
> [wasm-simd][x64][ia32] Factor f64x2.replace_lane into shared code
>
> This pblendw/movlhps combination has lower latency and requires less
> unop than pinsrq (1 v.s. 2).
>
> Bug: v8:11589
> Change-Id: I770b0c20a286774afefbac5ef0adffe463318f21
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2828871
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74049}
Bug: v8:11589
Change-Id: I51cba0539d5241242dc4d7d971ede1940b9ac1fd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2842264
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74545}
Replaces Payload* terminiology with Object* terminology.
HoH::ObjectSize = just the object, without the header.
HoH::AllocatedSize = both the object and the header.
Payload terminology is retained only for pages.
Bug: chromium:1056170
Change-Id: I568a324ae8728f098be642b024493c375ec873cb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2892079
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74538}
We would use a payload size of 0 and end up walking up the stack till
we crash.
Bug: chromium:1056170
Change-Id: I12a69ada24697faaf05e2f4ab210045d54cf34e5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2891657
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74537}
As mentioned in this CL https://crrev.com/c/2510070,
PPC_OWNERS file is the only necessary file applied
to all *-ppc* files.
Change-Id: I2052186660c6d186e3ead3e8e127a9129814377f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2892602
Reviewed-by: Junliang Yan <junyan@redhat.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#74536}
If a shared CodeRange is already allocated when creating an Isolate in
jitless mode, the CodeRange will be used. This is to better support the
following use pattern:
```
FLAG_jitless = false;
v8::Isolate::New();
FLAG_jitless = true;
v8::Isolate::New();
```
Note that the other direction of toggling jitless from true to false is
unsupported and may have undefined behavior.
Bug: v8:11460
Change-Id: I1c451c53bc160be4122056d8b309323a94d4b8b6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2890591
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74535}
The previous fix resolved the register conflict in favor of moving
kInterpreterBytecodeArrayRegister instead of kSpeculationPoisonRegister,
which regressed interpreter performance. This CL resolves the conflict
in favor of moving kSpeculationPoisonRegister.
Bug: v8:11726
Change-Id: I1975c386c758144d6ade12101957ab03ce7aa4c3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2886660
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74534}
I found no way to speed up the (relaxed) atomic accesses, so the only
way to get back the original performance is having a separate path for
the non-shared case.
R=ulan@chromium.org
Bug: v8:11704, chromium:1206552, chromium:1207351
Change-Id: I2ea0ecf07583dfe24f4085533491a1d5709c9ffb
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2878750
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74533}
Reporting to V8 may trigger GCs and thus also synchronously invoke
callbacks. Since such callbacks may allocate they can add to
allocated bytes. If the counter is reset after the call to the GC,
then those bytes are not properly recorded anywhere and can trigger an
underflow in case they are explicitly freed later on.
Bug: chromium:1056170
Change-Id: Id384eaeffa129e5b75f6ca16d43eb1c89e0fffec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2891838
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74532}
This can be reverted once TryMakeRef checks the heap predicate.
I'm not reverting the previous CL because newer changes already depend
on it.
Tbr: jgruber@chromium.org
Bug: v8:11765, v8:7790
Change-Id: Iacc6a78a70fe6f40c9421258889c2175fb400b04
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2891579
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74531}
Rel/acq is needed to guarantee the memcpy for re-embedding builtins
should be visible to all threads once embedded_blob_code_copy_ is
observed to have the address of the copy.
Bug: v8:11460
Change-Id: I68d0c532b7c7bba3d2cafeb0ff83533a67a1447d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2890590
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74529}
Loop unrolling did not work properly with floating control. Seeing as
very few spots in the wasm compiler introduced floating control, we
decided to disallow it altogether.
Changes:
- When lowering 64-bit rol/ror/clz/ctz in 32-bit platforms, we use a
diamond operator, which used to introduce floating control. This CL
adds a control edge to these operators so that the diamond can be
chained to that control instead.
- During loop analysis, as an additional safety check, we check that the
explored loop does not have floating control. Exceptionally, floating
control pointing directly do start() is allowed.
- Change wasm-compiler so that generated floating projections point to
start() even after stack check patch-in.
Bug: chromium:1184929, v8:11298
Change-Id: I1ee063f5250037ae6c84d2f16b0bd8fff3923117
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2876851
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74527}
The callback IsolateData::ModuleResolveCallback, used by the fuzzer,
can return an empty MaybeLocal.
In this case v8::internal::SourceTextModule::PrepareInstantiate expects
it to have thrown an exception, and DCHECKs.
The fuzzer can hit this case because it doesn't load the entire module
graph before starting to tell V8 to instantiate modules. So if a module
fails to compile or load, another module trying to import it will hit
this DCHECK because we didn't bail out prior to module instantiation
like we should have.
This doesn't happen in Chromium because Blink loads the entire module
graph before trying to instantiate/link modules, ensuring that the
'real' ModuleRecord::ResolveModuleCallback never fails; indeed this is
mandated by the spec (see
https://html.spec.whatwg.org/#fetch-the-descendants-of-and-link-a-module-script).
To satisfy the fuzzer, this change makes
IsolateData::ModuleResolveCallback throw if it can't find the module.
Note, the bug's testcase doesn't involve import assertions. I don't
think this issue is new with my change
9d72d08a8c
but maybe that changed the crash stack or something in a way that
caused the issue to be reported.
Bug: chromium:1207078
Change-Id: I1fbc80faa099e040cdc489c965a5f2f5daafb38e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2890589
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Dan Clark <daniec@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#74526}
Reads from the compiler thread require either 1. the last write to
happen before the compiler thread starts, or 2. acquire-release
semantics. For simplicity, this CL converts all NativeContext field
writes to be acq-rel. With the usual exception of writes from
generated code (these are limited for NativeContexts though).
The situation of context sets/gets is still somewhat complex:
- Context::get/set are relaxed (but don't use the corresponding tag)
- Context::get(.., kAcquireLoad) and Context::set(.., kReleaseStore)
are acquire-release.
- Context::set_foo (defined for all native context fields) uses
kReleaseStore underneath.
- Context::get_foo (defined for all native context fields) uses
the default relaxed getter. The get_foo(kAcquireLoad) variant uses
the acquire getter.
- NativeContext hides the default relaxed setter since all
NativeContext sets should be acq-rel.
Ideally (future work), this should be simplified and made more explicit.
For example, get/set_foo could move to the NativeContext class, and we
could reevaluate whether we really need both relaxed and acq-rel
semantics (the pairing non-atomic/acq-rel feels more natural lets
tsan find concurrency issues).
Bug: v8:7790
Change-Id: I25efd37ece758da5a11dc11c6ae913e4975f4d20
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2891575
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74524}
The HeapProfiler.startSampling method accepts a samplingInterval
parameter, which is assumed to be a positive (non-zero) number,
but doesn't validate the input (the renderer process just crashes
hard on a CHECK instead).
Fixed: chromium:1197392
Change-Id: Ib8e34f4b9881cd195214791ca0a3892e7b49bf55
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2891573
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Kim-Anh Tran <kimanh@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74523}
Also delete undefined ContextRef methods and make
Context::set_previous private (it is only used when
creating a new context).
Bug: v8:7790
Change-Id: I25a701f317f0f4e82432f7537eec1d63c5ef63f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2886860
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74521}
Marking on allocation was missing the top level scope.
Also adding a dedicated scope for on allocation to more clearly
distinguish it in traces.
Bug: chromium:1056170
Change-Id: I1b7d80c9f171f81988826de0174ef5b00d6f1d34
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2891572
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74520}
This CL enhances the fast C API in a way to allow passing the receiver
to the fast callback as Local<Object> instead of Local<Value>. It also
fixes documentation comments.
Bug: chromium:1052746
Change-Id: I424aa83023c2e6633b9df08ee040bf170db32b3d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2887510
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74519}
We just asked if saves_fp was different than 0 two lines above.
Change-Id: I8cca5206041d3436ac7b2d619ab82f5955e99aaf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2888285
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74518}
The WebAssembly specification requires the "name" property of (exported)
function wrappers to hold the index of the function within the module,
and the default ToString algorithm for Function instances thus generates
something along the lines of `function 42() { [native code] }`, which is
technically correct, but not very useful to developers to diagnose
(humans don't think of functions in a module in terms of their indices).
With this CL, we change the description returned for Wasm (exported)
functions to use the debug name of the Wasm function instead.
Screenshot: https://imgur.com/a/FVPeXDU.png
Doc: http://bit.ly/devtools-wasm-entities
Fixed: chromium:1206620
Bug: chromium:1164241
Change-Id: I096abc287ea077556c13c71f8d71f64452ab4831
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2891570
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74517}
Drive-by-fix: Remove command line API fn.toString() override, which was
still in place from the early days when much of the inspector was
implemented in JavaScript.
Fixed: chromium:1207867
Bug: chromium:1206620
Change-Id: I8429f109da5f021f729f184fd824160a24e60897
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2887508
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74516}
This reverts commit 0ce36e7d0e.
Reason for revert: Speculative revert for a Chromium build breakage causing a blocked roll - https://bugs.chromium.org/p/v8/issues/detail?id=11761
Original change's description:
> [ic] Fix handling of API properties with side effects
>
> DebugEvaluate can evaluate expressions in side-effect-free mode, where
> any operation that would cause observable side effects throws an
> exception. Currently, when accessors are backed by callbacks, it's
> possible that ICs call those accessors directly, bypassing the
> side-effect checks. This CL introduces a bailouts to runtime in those
> cases.
>
> Fixed: chromium:1201781
> Also-By: ishell@chromium.org, pfaffe@chromium.org
> Change-Id: Ie53bfb2bff7b3420f2b27091e8df6723382cf53c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2857634
> Commit-Queue: Philip Pfaffe <pfaffe@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74507}
Change-Id: Ifb5c24682af29572591d436ab92b0304058e99af
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2891650
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#74515}
Rolling v8/build: 52ccb29..4e27ee8
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/1fbada9..302ca09
Rolling v8/third_party/depot_tools: c499142..b65bbfe
Rolling v8/third_party/google_benchmark/src: 3b508fa..7d0d906
Rolling v8/tools/clang: e76c8f1..53a9334
Rolling v8/tools/luci-go: git_revision:1b50bbe2f93441dd227ad6e6684fa9be4ab0dec2..git_revision:37e5f238829f911f85b62d66670d2fbd88354ef1
Rolling v8/tools/luci-go: git_revision:1b50bbe2f93441dd227ad6e6684fa9be4ab0dec2..git_revision:37e5f238829f911f85b62d66670d2fbd88354ef1
Rolling v8/tools/luci-go: git_revision:1b50bbe2f93441dd227ad6e6684fa9be4ab0dec2..git_revision:37e5f238829f911f85b62d66670d2fbd88354ef1
TBR=v8-waterfall-sheriff@grotations.appspotmail.com
Change-Id: If03b514240069b576a774c574225d84a387b8b7b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2888363
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#74514}
The following bit casting method using reinterpret_cast
has undefined behaviour:
```
int a = 1;
float b = *reinterpret_cast<float*>(&a);
```
Above breaks the strict aliasing rule which indicates:
> dereferencing pointers to objects of different types will
never refer to the same memory location.
More information can be found under src/base/macros.h.
`bit_cast` here is implemented with `memcpy` behind the scenes.
C++20 will have this feature included by default.
Change-Id: I69ffdbeba6db64e24b268d838ea1d863fcd9121d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2889331
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#74513}
On x64 we can emit more compact instructions for mov(reg, imm). However
currently this only happens when using the Set method explicitly.
This CL renames Set to Move to avoid confusion and yield better code
by default.
Also use the new Move helper for Smis as well.
Change-Id: I06558e88d1142098f77fb98870f09742d494f3dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2874450
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74512}
Allow GC of the shared heap without any attached clients. This
CL also disables incremental marking for shared heaps for now.
Bug: v8:11708
Change-Id: I1eb47a42fe3ced0f23f679ecaae0c32e09eab461
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2886878
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74511}
This change adds support for `const` redeclaration on REPL mode with
the semantincs recommended in the design doc:
1) REPL scripts should not be able to reassign bindings to `const`
variables.
2) Re-declaring `const` variables of page scripts is not allowed in
REPL scripts.
3) Re-declearing `const` variables is not allowed in the same REPL
script.
4) `const` re-declaration is allowed across separate REPL scripts.
5) Old references to previously declared variables get updated with the
new value, even those references from within optimized functions.
Design doc: https://goo.gle/devtools-const-repl
Bug: chromium:1076427
Change-Id: Ic73d2ae7fcfbfc1f5b58f61e0c3c69e9c4d85d77
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2865721
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Luis Fernando Pardo Sixtos <lpardosixtos@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#74510}
DebugEvaluate can evaluate expressions in side-effect-free mode, where
any operation that would cause observable side effects throws an
exception. Currently, when accessors are backed by callbacks, it's
possible that ICs call those accessors directly, bypassing the
side-effect checks. This CL introduces a bailouts to runtime in those
cases.
Fixed: chromium:1201781
Also-By: ishell@chromium.org, pfaffe@chromium.org
Change-Id: Ie53bfb2bff7b3420f2b27091e8df6723382cf53c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2857634
Commit-Queue: Philip Pfaffe <pfaffe@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74507}
The deoptimization table needs to be continuously, so we need to block
trampoline pool emission during the whole process.
bug: v8:11759
Change-Id: Ie5e0ffe27dc8e6cdb18985dc2cf26bdadeff318f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2881918
Commit-Queue: Junliang Yan <junyan@redhat.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74506}
Argc and Slot are usually small and fit within a single 32bit word.
This reduces most property calls by 5 bytes.
This results in roughly 1% code reduction for sparkplug and no
measurable regression on x64.
Bug: v8:11420
Change-Id: I272c26c40b99f2dc5817f18bec113662a5bfebce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2872828
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74505}
This is the second CL in a line of two to implement PKU-based
WebAssembly code space write protection. The first CL added two
low-level PKU functions; this CL uses them to grant/withdraw writable
permissions, local to each thread that wants to modify the code space.
In particular, when {--wasm-memory-protection-keys} is enabled, we first
associate a memory protection key with all code pages, which by
default does not allow any write access. Then, before each location that
needs to modify the code space, we open
{NativeModuleModificationScope}s (which are already present for
mprotect-based write protection). When the PKU flag is given, this then
first tries to set permissions of a memory protection key (which is
fast), and otherwise when {--wasm-write-protect-code-memory} is enabled,
falls back to mprotect-based write protection (which is much more
expensive and also not thread-local, but for the whole process).
R=clemensb@chromium.org
Bug: v8:11714
Change-Id: I3527906a8d9f776ed44c8d5db52539e78e1c52fd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2882800
Commit-Queue: Daniel Lehmann <dlehmann@google.com>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74501}
This is the first CL in a line of two to finish PKU-based WebAssembly
code space write protection. This CL adds two low-level PKU functions,
which are essentially wrapping the functionality in glibc's
{pkey_mprotect()} and {pkey_set()}).
The added functionality is in
(1) {SetPermissionsAndMemoryProtectionKey()}: Associate a memory
protection key with a page (simultaneously with setting the page's
regular permssions). This is as costly as a regular {mprotect()}.
This call itself does not restrict permissions besides the regular page
permissions.
(2) {SetPermissionsForMemoryProtectionKey()}: Set permissions for the
key itself (now associated with a page). This can be either "all data
access disabled" (i.e., no read or write, but execution is allowed) or
"write access disabled" (which we use for code space write protection).
The permissions are added on top of the page's regular permissions. This
operation is cheap (in the order of 20 cycles) since it is roughly a
thread-local register read, some bit-masking, and register write.
See the second CL (based on this one) for how those two functions will
be used.
A note on compatability and security implications: Because the functions
which we use here were only added in glibc 2.27, and since glibc is
dynamically linked, we check at runtime (with {dlsym()}) whether
{pkey_*()} functions are available. However, calling functions via a
pointer coming from {dlsym()} is not supported by CFI so far, which is
why we disable indirect call checking for the added functions.
Potentially, the functions could hence be used as an indirect call
gadget in a ROP attack. On the other hand, they are only compiled in
currently only on Linux on x64, and disabling CFI indirect call checking
is also done in other places already.
R=clemensb@chromium.org
Bug: v8:11714
Change-Id: I0da00818f28cf1da195a5149bf11fccf87c5f8ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2882797
Commit-Queue: Daniel Lehmann <dlehmann@google.com>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74498}
