The `src/sanitizer` folder is empty after
I212becf205e03b155c188ffd13cf5629df6f2cb8 and
If75674785ca776dac06ed821f0032f865793dd77 changes landed.
Change-Id: I39b880f7a952f481ebae5e6277ffbdd11efb2500
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4057831
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Juan José <soyjuanarbol@gmail.com>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84521}
The debug_helper library is intended to be used from a debugger process
which is attached to the debuggee process that includes V8 content. When
reading memory from the debuggee process, debug_helper should use the
MemoryAccessor function which reads remote memory rather than
dereferencing pointers into the debugger's memory space and potentially
crashing. I recently noticed that v8windbg crashes on external strings
because the sandbox has been enabled, and the debug_helper code for
external strings was incorrectly reading memory from the debugger
process rather than the debuggee.
You might ask: why wasn't this caught in automated tests? There is a
test, cctest/test-debug-helper, which exercises this exact code, but it
does so with the debugger and debuggee in the same process. Setting up a
proper cross-process test would be much more complex and
platform-specific, and this class of bug has never turned up before, so
I think the existing test coverage is adequate.
Change-Id: Ib8730dd47a925f4229962d27b576a759c5a9a9ad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4043821
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84520}
1) Parameter conversions resizing the underlying buffer but *not* in a way that would make a length-tracking TA go OOB.
2) Special case of the former: resize to 0.
Bug: v8:11111, chromium:1392577, chromium:1393375
Change-Id: Ia0f54fc4530618fa2313737d6c643abdb24b9a36
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055630
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84519}
This reverts commit d164f933b8.
Reason for revert: Failure on YoungUnifiedHeapTest: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Mac%20-%20arm64%20-%20no%20pointer%20compression%20debug/1954/overview (Mac arm64)
Failure on Linux: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20shared/51267/overview
Original change's description:
> unified-young-gen: Implement generational barrier for TracedHandles
>
> If unified young generation is enabled, we don't record all young nodes,
> but only ones that have old host. The same std::vector<TracedHandle*> is
> reused for the remembered set implementation.
>
> The barrier is added to TracedHandle creation, i.e.
> - v8::TracedReference::Reset(),
> - v8::TracedReference::operator=(const TracedReference&),
> and to moving between TracedHandles, i.e.
> - v8::TracedReference::operator=(TracedReference&&).
>
> Bug: v8:13475
> Change-Id: I2dc236e21c05f797687344c5745896f0bb8b0a0a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4057070
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Anton Bikineev <bikineev@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#84513}
Bug: v8:13475
Change-Id: I0d97f8cdd0b2e95c7a21b78dacd25c38d08f5a16
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4062087
Owners-Override: Matthias Liedtke <mliedtke@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84516}
After fixing all known bugs found by fuzzers for
--shared-string-table we can enable this flag on all fuzzers again.
Bug: v8:13267
Change-Id: Ie2c361bbd2cf349d2c5d517fb6c71f88a3381626
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4061310
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84514}
If unified young generation is enabled, we don't record all young nodes,
but only ones that have old host. The same std::vector<TracedHandle*> is
reused for the remembered set implementation.
The barrier is added to TracedHandle creation, i.e.
- v8::TracedReference::Reset(),
- v8::TracedReference::operator=(const TracedReference&),
and to moving between TracedHandles, i.e.
- v8::TracedReference::operator=(TracedReference&&).
Bug: v8:13475
Change-Id: I2dc236e21c05f797687344c5745896f0bb8b0a0a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4057070
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84513}
This CL moves the architecture-dependent IsFloat64RoundXXXSupported()
checks from C++ code to CSA graph in order to ensure that the builtins
control flow structure is architecture-independent.
Since the constant value is known at compile-time TurboFan will remove
the check and delete the dead code so in the end the generated code
will be the same and when the check was on C++ side.
However, having these checks in the CSA graph keeps the initial state
of graph structure the same for all architectures of the same bitness.
This allows reusing the x64/x86 builtins PGO profiles on arm64/arm
builds respectively.
Bug: v8:10470
Change-Id: Ib3ddf2bf2bb7001b28d4477cc490495f3be79d98
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055924
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84512}
Adding the crash status and type to the test result with dummy values,
with the intention of populating these values with data from
ClusterFuzz analyzer or our own logic.
Bug: v8:12313
Change-Id: I8a537734a9c48393b77d582516ae45638986aa55
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4047486
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Almothana Athamneh <almuthanna@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84511}
Keep NodeT verification code closer to the reset of the NodeT
implementation by making input verification a function on NodeT rather
than being implemented in a separate verifier.
This function has a default implementation for fixed-input nodes, which
just looks up a static input types array (with CRTP) on the derive
node.
As a drive-by, change the fixed-size node base classes to share a mixin
base class, to avoid duplicating the verification logic.
Bug: v8:7700
Change-Id: Ib9dd7dba540f16fa359b170d513f20aa0e110e24
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4026343
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84510}
Currently V8 recompiles all functions of a WebAssembly module with
TurboFan when a debugging session ends. This is outdated behavior and
causes OOMs for developers. With this CL all debugging code gets removed
when a debugging session ends, and functions get re-compiled lazily.
This behavior may lead to slightly worse performance for some time after
debugging finishes, but it avoids OOMs, and developers are used to
debugging code being not as performant as production code.
R=clemensb@chromium.org
Bug: chromium:1372621, v8:13224
Change-Id: I9fc97408ef92ad5564f2a9743213762226c2b25e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055923
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84509}
This simplifies some call sites as they do not need to worry about
stores to external pointer fields (especially lazily initialized ones)
triggering GCs. This also keeps the sandbox and non-sandbox mode more
consistent, as these stores will never trigger GC in non-sandbox builds.
Since there must be millions of objects that own the external pointer
table entries, the chances are quite high that GCs will anyway be
scheduled. If not, we should instead see if we can introduce an API
to only schedule incremental marking but not perform GC finalization.
Bug: v8:13535
Change-Id: Ie3c82b51194746107d4b0ed61d47abf87d28ba63
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4061688
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84508}
With shared strings we can't get the isolate/heap from the heap object
itself, so we need to pass this as additional argument instead.
Luckily enough all callers already know the current isolate.
Bug: v8:13267, chromium:1392755
Change-Id: I7c40f7a38da8ad57fcdaa575451b8f5ac2272b1b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4059026
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84507}
Performing actions such as changing page permissions can fail under
memory pressure, as such, these DCHECKs can sometimes trigger and should
be removed. Instead, this CL adds V8_WARN_UNUSED_RESULT to these APIs to
ensure that callers check the return value.
Bug: chromium:1382075
Change-Id: I678d3fb41ee465feda7d677678d3462dbc4c5940
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031633
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84506}
One of the kMips64MulOvf should be kMips64DMulOvf.
Change-Id: Ie333da46b443513c58d78bc092a3245ce612efbf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4061106
Auto-Submit: Liu Yu <liuyu@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#84505}
Rolling v8/build: abd061c..3542a5d
Rolling v8/buildtools: 8641823..4a1666e
Rolling v8/buildtools/third_party/libc++/trunk: 8a91ae4..0488dfb
Rolling v8/buildtools/third_party/libc++abi/trunk: 83cce21..7362046
Rolling v8/third_party/depot_tools: 73a2624..0115386
Rolling v8/third_party/fuchsia-sdk/sdk: version:10.20221123.1.1..version:10.20221126.2.1
Change-Id: Ib645e3757a280b9ffbd542b428560f7734a05520
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4058468
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#84503}
This CL moves the architecture-dependent Word32ShiftIsSafe() check
from C++ code to CSA graph in order to ensure that the builtins control
flow structure is architecture-independent.
Since the constant value is known at compile-time TurboFan will remove
the check and delete the dead code so in the end the generated code
will be the same and when the check was on C++ side.
However, having these checks in the CSA graph keeps the initial state
of graph structure the same for all architectures of the same bitness.
This allows reusing the x64/x86 builtins PGO profiles on arm64/arm
builds respectively.
Bug: v8:10470
Change-Id: I5a7a10dfbf905e542d14f05193ff3b3990288b87
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055606
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84497}
Now that 1618cb9f99
has landed, BranchElimination should work again.
Bug: v8:12783
Change-Id: I6c1f148d1ce97a45107bfed2da41b387ad9bf1ba
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055113
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84496}
As this is by now equivalent to v8_enable_sandbox.
Bug: v8:10391
Change-Id: I1eef40a86b984a1867de3513a108ece0d43ec394
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055273
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84494}
PPC has a smaller wasm code space compared to other platforms and
as a result can't execute modules with large number of functions.
More details are available under the comment section of
crrev.com/c/4027963
Change-Id: I0531ec855ee9ffa5542bf0527287a3e49e1cdb0b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4053377
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/main@{#84491}
This test had to be updated for --shared-space because the main isolate
is always parked when the client isolate requests a GC. In such cases
the GC isn't performed and therefore the weak handle not reset.
The CL moves the client isolate into a proper thread which allows the
main isolate to remain in the running state.
In addition this CL adds the BasicMemoryChunk::ComputeMarkBit
methods. These methods make it easy during debugging to compute
the MarkBit (cell + mask) for an object.
Bug: v8:13267
Change-Id: I6680d8d1d8b36d86b22c43399abbd4325f64ccb2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4054622
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84488}
This is consistent with the bottom value type.
Bug: v8:13525
Change-Id: Ib413c67a3b79b27280e2ea6b8ba3d48d3786cdf8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4053553
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84485}
If a value is used after a try-block finishes, we need to make sure that
the catch-block can restore its value. Otherwise we'd accidentally drop
the value on register merge thinking we're in a liveness hole on the
merge after the catch (since the catch cleared all the registers). This
then breaks JumpLoops that need to restore the value in a specific
register.
Bug: v8:7700, chromium:1392061
Change-Id: I7255ccf9b36bf36583ad612882137b251c48caed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055111
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84483}
The flag --harmony-struct changes the global object which is
observable when doing differential fuzzing. The flag will now be
ignored to close ongoing false positives. It could be enabled in
the future if the global object stays equal in all compared
configurations, which could be faked behind the flag:
--correctness-fuzzer-suppressions.
No-Try: true
Bug: chromium:1393020
Change-Id: Ib5f3325a742dd32cac34febca58bf99e0184ac97
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055627
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84478}
This uses arch-specific config keys for gcmole prepared by:
https://crrev.com/c/4055685
In a follow up, we can move the runs to bots with the respective
architecture.
Bug: v8:9287
Change-Id: Iedbb44490195b49d560658451263a1abdc2d3258
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055320
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84477}
HeapTest.GrowAndShrinkNewSpace emulates a GC cycle for shrinking new
space. Starting a new MinorMC cycle should first finalize sweeping from
the previous GC cycle.
Bug: v8:12612
Change-Id: Iea35b54ba0f7be3b7870c557c92042a8d9896045
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055625
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84475}
There are still tests that use EmbedderHeapTracer, which would crash
with --minor-gc enabled. Bail out from PerformWrapperTracing() if
there is no cpp marking worklist to MarkingWorklists (i.e. Publish()
returns false).
Bug: v8:13475
Change-Id: I04708ffe8ebaf18f94f1a3fc60d9f6afeef13e03
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055505
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84473}
This DCHECK doesn't hold anymore since we are comparing the old
and the new target objects.
Bug: v8:13267
Change-Id: I7fe1ec58f165555eab003bf021b856a5095e8daf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4056256
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84472}
