Commit Graph

63997 Commits

Author SHA1 Message Date
Lutz Vahl
2afdb4ab0b Changed version number to 8.7
TBR=vahl@chromium.org

Change-Id: Ie869b55eccd0bd0d23cc62c7ec7884dbaa8e7c4d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2366701
Reviewed-by: Lutz Vahl <vahl@chromium.org>
Commit-Queue: Lutz Vahl <vahl@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69505}
2020-08-20 13:54:00 +00:00
Victor Gomes
7a4148005e [wasm] Fix access first parameter in GenericJSToWasmWrapper
Adapt GenericJSToWasmWrapper to support reversed arguments stack.

Change-Id: I46f6492cd8a933a7670eb2ad436a1ac84b055e60
Bug: v8:10201
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2366702
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69504}
2020-08-20 13:29:50 +00:00
Ulan Degenbaev
94453a6264 Add ulan@ to owners of src/libplatform
Change-Id: I328dde4ef8265fa15e2dfc7ac689e175465edebd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2366700
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69503}
2020-08-20 13:24:40 +00:00
Milad Farazmand
0589a2a209 AIX: Fix DeclareSymbolGlobal on AIX
Port 929dd3748e

Original Commit Message:

    When CFI is enabled this adds a check against this list whenever a new
    return address must be set in a deoptimized frame, as a mitigation for
    ROP attacks.
    The list is known at linking time so that its content and the pointer
    to it can be stored in a read-only memory section.
    The check is performed in the signing function, which is no longer
    generic, as well as when setting the current pc of the frame.
    Since the pc is now only signed when setting the caller's pc, there
    is no need for ReplaceContext anymore.

R=salome.thirot@arm.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: I5005096811c289707e2d080477c60ae2ed4bf38b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2365372
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#69502}
2020-08-20 12:55:50 +00:00
Jakob Gruber
faed29869f [nci] Change testing mode to --turbo-nci-as-midtier
To properly test tier-up in the V8 test suite, change the test variant
previously called --turbo-nci-as-highest-tier to
--turbo-nci-as-midtier.  As a midtier (between ignition and turbofan),
all major parts of the NCI pipeline (codegen, caching inside the same
native context, tier-up) are exercised by the test suite.

Bug: v8:8888
Change-Id: Ic8ee2f3e3d72768c3869f5e0b25800dd0a5f25b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2361462
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69501}
2020-08-20 12:54:40 +00:00
Andreas Haas
1e6d2cb319 [wasm][fuzzer] Enable trap handlers
On x64, trap handlers are enabled as part of the default configuration.
However, each embedder has to enable trap handlers explicitly, and in
the wasm fuzzers, trap handlers were not enabled. This CL enables trap
handlers now in all wasm fuzzers.

Drive-by change: enable all staged wasm features in the wasm-async
fuzzer.

R=clemensb@chromium.org

Change-Id: Ib7c2addb092551b5554a2b74830e5b67db077909
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362957
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69500}
2020-08-20 12:24:40 +00:00
Dominik Inführ
cf929eba0f [heap] Make Heap::UnregisterStrongRoots work in constant time
Heap::UnregisterStrongRoots needs to iterate the list of all strong
roots to delete the given slot. This CL changes
Heap::RegisterStrongRoots to return the pointer to the linked list node.
Heap::UnregisterStrongRoots gets the node as argument and can directly
delete it in constant time.

The CL also introduces Heap::UpdateStrongRoots which can update a
node without locking the mutex.

Bug: v8:10315
Change-Id: I2c021517c010a659821f8c10de758bb49b28449f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2364511
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69499}
2020-08-20 12:15:20 +00:00
Zeynep Cankara
2afb2dcd90 [tools][system-analyzer] Add stats table to timeline-tracks
This CL adds a table to the right side of each
timeline-track to display statistics about the log
events. Double clicking on an event type notifies other
panels about the selected log events with the selected type.

Bug: v8:10644

Change-Id: Iae523d46da4f0b6a007b02a2beac23d9c48aca02
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2353457
Commit-Queue: Zeynep Cankara <zcankara@google.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69498}
2020-08-20 09:42:40 +00:00
Victor Gomes
db15c5e3a4 [builtin] Fix CallOrConstructForwardVarargs to handle reversed JS stack
Change-Id: Idc204cffce49b564d134a93114a03939c3e75f20
Bug: v8:10201
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2307313
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69497}
2020-08-20 09:35:00 +00:00
Santiago Aboy Solanes
5665d835a6 Reland "[compiler] Remove unused holder parameter from IF_ACCESS_FROM_HEAP(_C)"
This is a reland of ad68de6f5b

Reason for reland: Reverted since another CL got reverted. This cleanup
is independent though and can be relanded.

Original changes description:
> [compiler] Remove unused holder parameter from IF_ACCESS_FROM_HEAP(_C)
>
> Bug: v8:7790
> Change-Id: I44849f45d1049b8a3c794dd0558b734c1e7061fd
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362919
> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#69482}

Bug: v8:7790
Change-Id: Ib650ef1701168be7a910ff51e30a90e239d5f5c8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2366774
Auto-Submit: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69496}
2020-08-20 09:17:50 +00:00
Dominik Inführ
41d2e5c9c0 [logging] Make Log::IsEnabled() atomic
With concurrent allocation, background threads invoke Log::IsEnabled()
as well. Fix the data race here by making is_enabled_ atomic, such that
IsEnabled() remains cheap.

After locking the mutex in MessageBuilder, IsEnabled() needs to be
checked again in case an old value was read. Otherwise we might log
even though logging was already disabled on another thread.

The other direction where a log message isn't logged is deemed
acceptable.

Bug: v8:10315
Change-Id: I32c9dd2e9879fbdb4ca94e080a16ddd875de7c30
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362948
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69495}
2020-08-20 07:24:31 +00:00
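The double-checked pattern the commit message describes (lock-free read of an atomic flag, then a second read after the mutex is held) as an added, self-contained example. This is not V8's Log or MessageBuilder code; the class, the `recheck` switch and the `between` hook are assumptions made here so that the race can be replayed deterministically on one thread.

```cpp
#include <atomic>
#include <cassert>
#include <cstdio>
#include <functional>
#include <mutex>
#include <string>
#include <vector>

// Modelled logger (added example, not V8's Log class). The enabled flag is
// an atomic so that background threads can query it without locking; any
// path that actually appends must re-check it under the mutex.
class Log {
 public:
  // Cheap, lock-free query. Relaxed ordering suffices because every writer
  // re-validates the flag under mutex_ before touching lines_.
  bool IsEnabled() const {
    return is_enabled_.load(std::memory_order_relaxed);
  }

  void Enable() {
    std::lock_guard<std::mutex> guard(mutex_);
    is_enabled_.store(true, std::memory_order_relaxed);
  }

  // Disable takes the lock, so once it returns no writer that holds the
  // lock can still be acting on a stale 'true'.
  void Disable() {
    std::lock_guard<std::mutex> guard(mutex_);
    is_enabled_.store(false, std::memory_order_relaxed);
  }

  // Appends msg and returns true, or returns false if logging is off.
  // 'recheck' selects the fixed behaviour (re-validate under the lock)
  // versus the racy one. 'between' stands in for another thread running
  // between the unlocked check and the lock acquisition; it exists only to
  // make the race deterministic in this single-threaded demo.
  bool Append(const std::string& msg, bool recheck,
              const std::function<void()>& between = [] {}) {
    if (!IsEnabled()) return false;  // fast path: no lock when logging is off
    between();
    std::lock_guard<std::mutex> guard(mutex_);
    if (recheck && !IsEnabled()) return false;  // flag may have changed
    lines_.push_back(msg);
    return true;
  }

  size_t Size() const {
    std::lock_guard<std::mutex> guard(mutex_);
    return lines_.size();
  }

 private:
  std::atomic<bool> is_enabled_{false};
  mutable std::mutex mutex_;
  std::vector<std::string> lines_;
};

// Scenario from the commit message: logging is disabled on another thread
// after this thread has read is_enabled_ but before it holds the lock.
// Returns how many lines ended up in the log: 1 with the re-check, 2 without.
size_t LinesLoggedAfterConcurrentDisable(bool recheck) {
  Log log;
  log.Enable();
  log.Append("written while enabled", recheck);
  log.Append("written after Disable()", recheck, [&log] { log.Disable(); });
  return log.Size();
}

int main() {
  std::printf("with re-check: %zu line(s), without: %zu line(s)\n",
              LinesLoggedAfterConcurrentDisable(true),
              LinesLoggedAfterConcurrentDisable(false));
  return 0;
}
```

The opposite race (a writer reads a stale 'false' and skips a message that was just enabled) is left alone, matching the trade-off the commit message calls acceptable: the re-check only has to stop writes after a disable.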
Clemens Backes
10a434f37e Revert "[test] Disable asm-wasm regression test"
This reverts commit f0bade979d.

Reason for revert: Culprit CL reverted: https://crrev.com/c/2364504

Original change's description:
> [test] Disable asm-wasm regression test
> 
> Bug: v8:10813
> Change-Id: Ib7b3949147706552a6d569ad5fcd22f2f63d7977
> No-Try: True
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2364496
> Auto-Submit: Maya Lekova <mslekova@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#69479}

TBR=clemensb@chromium.org,mslekova@chromium.org

Change-Id: I8047db66eba1e2221654d7018c661551950f2194
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:10813
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2366712
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69494}
2020-08-20 06:27:42 +00:00
v8-ci-autoroll-builder
5f21d72a27 Update V8 DEPS.
Rolling v8/build: 04505d9..183d29c

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/abfdfbb..c244e33

Rolling v8/tools/clang: 299e8a2..a4bb1c6

TBR=machenbach@chromium.org,tmrts@chromium.org,v8-waterfall-sheriff@grotations.appspotmail.com

Change-Id: Ifb0321f65a8d3e2e96bb216f24641aeb1e11d49a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2366273
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#69493}
2020-08-20 03:48:50 +00:00
v8-ci-autoroll-builder
710214529b Update V8 DEPS.
Rolling v8/build: 78b2991..04505d9

Rolling v8/third_party/depot_tools: 5cff4e3..25f1303

NOTREECHECKS=true
NOPRESUBMIT=true
TBR=machenbach@chromium.org,tmrts@chromium.org,v8-waterfall-sheriff@grotations.appspotmail.com

Change-Id: I76a41e93419494919d8ed64a300e2ee4d530c615
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2364933
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#69492}
2020-08-19 22:10:06 +00:00
Liviu Rau
cde4b2c75f Revert "Whitespace to trigger builders"
This reverts commit dc36a31e32.

Reason for revert: to trigger builders

Original change's description:
> Whitespace to trigger builders
> 
> The plan for V8 switch to Starlark: https://docs.google.com/document/d/10zEulEuM9UWMkaU8ZMGT5Nvyg1-fJ6fnGAW5jn4wyVY/edit#heading=h.ux9y8574985
> 
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug: v8:10661
> Change-Id: I56edc347ae3adc9eba306e20268745687d7c21b8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2364500
> Reviewed-by: Maya Lekova <mslekova@chromium.org>
> Commit-Queue: Liviu Rau <liviurau@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#69490}

TBR=clemensb@chromium.org,mslekova@chromium.org,liviurau@chromium.org

Change-Id: I458560eaefacece3faab0c075e749417be1a814d
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:10661
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2365113
Reviewed-by: Liviu Rau <liviurau@chromium.org>
Commit-Queue: Liviu Rau <liviurau@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69491}
2020-08-19 22:00:39 +00:00
Liviu Rau
dc36a31e32 Whitespace to trigger builders
The plan for V8 switch to Starlark: https://docs.google.com/document/d/10zEulEuM9UWMkaU8ZMGT5Nvyg1-fJ6fnGAW5jn4wyVY/edit#heading=h.ux9y8574985

No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:10661
Change-Id: I56edc347ae3adc9eba306e20268745687d7c21b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2364500
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Liviu Rau <liviurau@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69490}
2020-08-19 20:58:30 +00:00
Ng Zhi An
a85b5a63f6 [wasm-simd] Fix bounds check for load extends
Load extends always load 8 bytes, so the access size does not depend on
MachineType of the load. The MachineType is used for classifying the
lane shape of the 8-byte load.

Also add cctest to load splats and load extends to test OOB. (Note that
load splats access size depends on MachineType).

Add regression test from clusterfuzz, minimized by ahaas@. Remove the
`--no-wasm-trap-handler` flag since we have a no_wasm_traps variant that
should test this flag.

Bug: chromium:1116019
Change-Id: I27ba051d0536ca0f6fd75dd641ca9b78132dafed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2363291
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69489}
2020-08-19 18:26:17 +00:00
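An added example (not V8 code) of the bounds-check mistake described above: a load-extend reads 8 bytes regardless of the lane type, so deriving the access size from the lane's MachineType under-checks the access. The lane-type enum, the `InBounds` helper and the 16-byte memory below are constructed for this illustration; the "buggy" size derivation is the stand-in for the pre-fix behaviour the commit message describes, not a copy of the original code.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <vector>

// Lane shape of a load-extend, e.g. i16x8.load8x8_s widens 8 bytes to
// 8 x i16. The compiler tags the load with a MachineType for the lane,
// which is what the bounds check mistakenly used for the access size.
enum class LaneType { kInt8, kInt16, kInt32 };

size_t ElementSize(LaneType t) {
  switch (t) {
    case LaneType::kInt8: return 1;
    case LaneType::kInt16: return 2;
    case LaneType::kInt32: return 4;
  }
  return 0;
}

// Before the fix: access size derived from the lane's MachineType.
size_t BuggyAccessSize(LaneType t) { return ElementSize(t); }

// After the fix: every load-extend reads exactly 8 bytes, whatever the lane.
constexpr size_t kLoadExtendAccessSize = 8;

// Overflow-safe bounds check for an access to
// [offset + index, offset + index + access_size). offset and index are
// 32-bit in the Wasm encoding, so the 64-bit sum cannot wrap.
bool InBounds(uint64_t mem_size, uint32_t offset, uint32_t index,
              size_t access_size) {
  return uint64_t{offset} + index + access_size <= mem_size;
}

struct Load8x8Result {
  bool ok;            // false means the access trapped (out of bounds)
  int16_t lanes[8];
};

// i16x8.load8x8_s over a byte vector standing in for Wasm linear memory:
// bounds check with the correct 8-byte size, then sign-extend each byte.
Load8x8Result Load8x8S(const std::vector<uint8_t>& memory, uint32_t offset,
                       uint32_t index) {
  Load8x8Result r{};
  if (!InBounds(memory.size(), offset, index, kLoadExtendAccessSize)) return r;
  const uint8_t* p = memory.data() + offset + index;
  for (int i = 0; i < 8; ++i) r.lanes[i] = static_cast<int8_t>(p[i]);
  r.ok = true;
  return r;
}

// Constructed 16-byte memory; the first 8 bytes exercise sign extension.
std::vector<uint8_t> ConstructedMemory() {
  return {0x00, 0x7F, 0x80, 0xFF, 0x01, 0x02, 0x03, 0x04,
          0, 0, 0, 0, 0, 0, 0, 0};
}

int main() {
  const uint64_t mem_size = ConstructedMemory().size();  // 16
  const uint32_t index = 12;  // an 8-byte read would end at byte 20
  std::printf("index %u on %llu-byte memory: buggy check %s, fixed check %s\n",
              index, static_cast<unsigned long long>(mem_size),
              InBounds(mem_size, 0, index, BuggyAccessSize(LaneType::kInt8))
                  ? "passes" : "traps",
              InBounds(mem_size, 0, index, kLoadExtendAccessSize)
                  ? "passes" : "traps");
  Load8x8Result r = Load8x8S(ConstructedMemory(), 0, 0);
  std::printf("load8x8_s ok=%d lanes[1..3] = %d %d %d\n", r.ok, r.lanes[1],
              r.lanes[2], r.lanes[3]);
  return 0;
}
```

With the lane-derived size, index 12 on a 16-byte memory passes the check although the instruction reads bytes 12 through 19; with the fixed constant it traps. The same index-plus-size shape applies to load splats, whose access size does depend on the lane type, which is why the commit adds out-of-bounds tests for both.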
Dominik Inführ
a61393a332 [heap] Make RegisterStrongRoots thread-safe
CanonicalHandleScope is now also used on background threads. Therefore
Heap::RegisterStrongRoots and Heap::UnregisterStrongRoots are not
exclusively used on the main thread anymore. Simply protect this list
with a mutex.

Bug: v8:10315, v8:10814
Change-Id: Id08269c9f7fecae8c570ab711c522d111b06b005
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2364503
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69488}
2020-08-19 17:16:25 +00:00
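An added example, not V8's Heap code, that models the strong-roots list as described in this entry and in the later "Make Heap::UnregisterStrongRoots work in constant time" entry above: registration is mutex-protected, returns the list node as a handle, unregistration unlinks that node in O(1), and an update of the slot range does not take the lock. The class and struct names, the visitor template and the scenario at the end are assumptions made for the illustration.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <mutex>

using Address = std::uintptr_t;  // stand-in for a tagged heap pointer

// One registered range of root slots. The pointer handed back by
// RegisterStrongRoots is the node itself, so unregistering needs no search.
struct StrongRootsEntry {
  Address* start;
  Address* end;  // one past the last slot
  StrongRootsEntry* prev;
  StrongRootsEntry* next;
};

class Heap {
 public:
  ~Heap() {
    while (head_) UnregisterStrongRoots(head_);
  }

  // Thread-safe: background threads (e.g. a CanonicalHandleScope) may
  // register concurrently with the main thread. O(1): push at the head.
  StrongRootsEntry* RegisterStrongRoots(Address* start, Address* end) {
    std::lock_guard<std::mutex> guard(mutex_);
    auto* entry = new StrongRootsEntry{start, end, nullptr, head_};
    if (head_) head_->prev = entry;
    head_ = entry;
    ++count_;
    return entry;
  }

  // O(1): unlink the node directly instead of scanning the list for it.
  void UnregisterStrongRoots(StrongRootsEntry* entry) {
    std::lock_guard<std::mutex> guard(mutex_);
    if (entry->prev) entry->prev->next = entry->next; else head_ = entry->next;
    if (entry->next) entry->next->prev = entry->prev;
    delete entry;
    --count_;
  }

  // Changes only the slot range, not the list links, so no lock is taken.
  // Assumption in this model: the collector walks the list only while the
  // thread that owns 'entry' is paused, so the unlocked write cannot race
  // with IterateStrongRoots.
  void UpdateStrongRoots(StrongRootsEntry* entry, Address* start,
                         Address* end) {
    entry->start = start;
    entry->end = end;
  }

  // Visit every registered slot (what a GC root visitor does); returns the
  // number of slots visited.
  template <typename Visitor>
  size_t IterateStrongRoots(Visitor&& visit) {
    std::lock_guard<std::mutex> guard(mutex_);
    size_t visited = 0;
    for (StrongRootsEntry* e = head_; e; e = e->next)
      for (Address* p = e->start; p < e->end; ++p, ++visited) visit(p);
    return visited;
  }

  size_t RegisteredRanges() const {
    std::lock_guard<std::mutex> guard(mutex_);
    return count_;
  }

 private:
  mutable std::mutex mutex_;
  StrongRootsEntry* head_ = nullptr;
  size_t count_ = 0;
};

struct ScenarioResult {
  size_t ranges;  // registered ranges after the scenario
  size_t slots;   // root slots a visitor sees
};

// Constructed scenario: three handle blocks register, the middle one goes
// away, the last one grows in place.
ScenarioResult RunScenario() {
  Address block_a[2] = {}, block_b[3] = {}, block_c[4] = {};
  Heap heap;  // declared after the blocks, so it is destroyed before them
  StrongRootsEntry* a = heap.RegisterStrongRoots(block_a, block_a + 2);
  StrongRootsEntry* b = heap.RegisterStrongRoots(block_b, block_b + 3);
  StrongRootsEntry* c = heap.RegisterStrongRoots(block_c, block_c + 1);
  heap.UnregisterStrongRoots(b);                    // O(1), no scan
  heap.UpdateStrongRoots(c, block_c, block_c + 4);  // block grew, no lock
  ScenarioResult r;
  r.ranges = heap.RegisteredRanges();
  r.slots = heap.IterateStrongRoots([](Address* slot) { *slot = 0; });
  heap.UnregisterStrongRoots(a);
  heap.UnregisterStrongRoots(c);
  return r;  // ranges = 2, slots = 2 + 4 = 6
}

int main() {
  ScenarioResult r = RunScenario();
  std::printf("ranges=%zu slots=%zu\n", r.ranges, r.slots);
  return 0;
}
```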
Clemens Backes
536092f779 Revert "[compiler] Replace ScopeInfoData with direct reads"
This reverts commit 7b9a0c20f3.

Reason for revert: Different tests start flaking, e.g. https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/29532

Original change's description:
> [compiler] Replace ScopeInfoData with direct reads
> 
> As part of this, introduce a new ObjectData kind for objects that we
> want to read directly from the background thread rather than serialize.
> ScopeInfoRef is the first user of that.
> 
> For details, see:
> https://docs.google.com/document/d/1U6x6Q2bpylfxS55nxSe17yyBW0bQG-ycoBhVA82VmS0/edit?usp=sharing
> 
> Bug: v8:7790
> Change-Id: Ia3cda4f67d3922367afa4a5da2aeaae7160cf1f2
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2346405
> Auto-Submit: Georg Neis <neis@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#69473}

TBR=neis@chromium.org,solanes@chromium.org,nicohartmann@chromium.org

Change-Id: Ide5a4a583547b63cc9accfb93fcadb97b8100e8a
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7790
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2364504
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69487}
2020-08-19 16:25:27 +00:00
Clemens Backes
45f296f7f9 Revert "[compiler] Remove unused holder parameter from IF_ACCESS_FROM_HEAP(_C)"
This reverts commit ad68de6f5b.

Reason for revert: Previous CL needs to be reverted (https://crrev.com/c/2364504)

Original change's description:
> [compiler] Remove unused holder parameter from IF_ACCESS_FROM_HEAP(_C)
> 
> Bug: v8:7790
> Change-Id: I44849f45d1049b8a3c794dd0558b734c1e7061fd
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362919
> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#69482}

TBR=solanes@chromium.org,nicohartmann@chromium.org

Change-Id: Iffc7a44faec8a03583aa968271a5d0e6317317a7
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7790
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2364506
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69486}
2020-08-19 16:23:36 +00:00
Clemens Backes
1a911e6cbe [liftoff] Materialize constants before conditional branches
The number of constants stored in locals and the merge region can be
arbitrarily big, thus generating arbitrarily long code for a single
`br_if`. This happened in particular for unoptimized code.

This CL solves this by materializing all constants (in registers or on
the stack) before doing a conditional branch. This ensures that in a
series of `br_if`s, each constant is only spilled once instead of on
each single branch.

For the linked bug, this reduces the total generated code size by ~36%.

R=thibaudm@chromium.org

Bug: chromium:1117033
Change-Id: I84ea2ea9ba4d3de9b042ceb223af15c3d73dc5b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2364498
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69485}
2020-08-19 15:31:51 +00:00
Jakob Gruber
1096e03159 [nci] Implement tier-up, part 2 (marking)
This is part two of the implementation (part 1: heuristics in NCI code
to call the runtime profiler, part 2: heuristics in the runtime
profiler to mark the function for optimization, part 3: the final
part, recognizing and acting upon the marked function).

The runtime profiler heuristics added here remain very similar to what
we have for ignition, except that we now inspect optimized frames with
NCI code, and that we (currently) do not OSR from NCI to TF.

Bug: v8:8888
Change-Id: Ie88b0a0dcee16334cea585c771a4b505035f2291
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2358748
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69484}
2020-08-19 15:22:02 +00:00
Santiago Aboy Solanes
8f87753f14 [csa][cleanup] Remove ParameterMode/TNodify FillFixedArrayWithValue
Bug: v8:9708, v8:6949
Change-Id: I1e06f7c87ea05ccb8c73571e9148ff0cb9f574a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362951
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69483}
2020-08-19 14:28:51 +00:00
Santiago Aboy Solanes
ad68de6f5b [compiler] Remove unused holder parameter from IF_ACCESS_FROM_HEAP(_C)
Bug: v8:7790
Change-Id: I44849f45d1049b8a3c794dd0558b734c1e7061fd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362919
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69482}
2020-08-19 14:12:21 +00:00
Santiago Aboy Solanes
33e80ccd5d [csa][cleanup] Remove ParameterMode/TNodify UnsafeStoreFixedArrayElement
Drive-by: Remove a parameter that had to be SKIP_WRITE_BARRIER.

Bug: v8:9708, v8:6949
Change-Id: Ib5d0521f255a92749440a5001dab8b59eb078bf9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362950
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69481}
2020-08-19 14:08:21 +00:00
Omer Katz
132727fd46 cppgc: Initial incremental marking implementation.
This CL adds a basic implementation of incremental marking for standalone GC.
Followup CLs include:
* Use bytes instead of time as deadline
* Port incremental marking schedule from blink
* Mark on allocation
* Guarantees for progress/termination for standalone GC
* etc...

Calling StartIncrementalGarbageCollection triggers StartMarking which
schedules incremental marking as non-nestable tasks.
For unified heap, marking will continue running until it runs out of
work but it won't finalize independently.
For standalone, when incremental runs out of work it will schedule a new
task in which it will finalize marking and trigger the rest of the GC.
Users of standalone can also force finalization before incremental
marking has finished using FinalizeIncrementalGarbageCollectionIfRunning.
Calling CollectGarbage would also finalize an on-going incremental GC
if one exists. Otherwise it will trigger an atomic GC.

See the following doc for explanation of the various methods:
https://docs.google.com/document/d/1ZhJY2fOoD8sH53ZxMh2927Zl8sXqA7azJgcQTWx-YKs/edit?usp=sharing

Bug: chromium:1056170
Change-Id: I75ead414eb9da9f8b7f71c4638b9830fce7708ca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2298009
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69480}
2020-08-19 13:50:16 +00:00
Maya Lekova
f0bade979d [test] Disable asm-wasm regression test
Bug: v8:10813
Change-Id: Ib7b3949147706552a6d569ad5fcd22f2f63d7977
No-Try: True
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2364496
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69479}
2020-08-19 13:49:11 +00:00
Salome Thirot
929dd3748e [arm64] Implement list of allowed return addresses in the deoptimizer
When CFI is enabled this adds a check against this list whenever a new
return address must be set in a deoptimized frame, as a mitigation for
ROP attacks.
The list is known at linking time so that its content and the pointer
to it can be stored in a read-only memory section.
The check is performed in the signing function, which is no longer
generic, as well as when setting the current pc of the frame.
Since the pc is now only signed when setting the caller's pc, there
is no need for ReplaceContext anymore.

Bug: v8:10026
Change-Id: I5e85a62b94722051716fdeba476db383c702a318
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2287490
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Rodolph Perfetta <rodolph.perfetta@arm.com>
Cr-Commit-Position: refs/heads/master@{#69478}
2020-08-19 13:32:46 +00:00
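An added model (not V8 code, and not arm64 PAC) of the mitigation this entry describes, which the AIX port entry further up quotes verbatim: a fixed list of permitted return addresses, a signing function that refuses anything outside it, and authentication on return. The list contents, the frame struct and the 16-bit tag function are constructed for the illustration; the tag is a non-cryptographic placeholder for the hardware's pointer authentication and provides no real protection, it only makes the control flow of the check runnable.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>

// Constructed stand-ins for the code addresses a deoptimized frame may
// return to. In V8 the real list is fixed at link time and lives in a
// read-only section, so a heap write primitive cannot extend it.
const uint64_t kAllowedReturnAddresses[] = {0x4000, 0x4100, 0x4200};

bool IsAllowedReturnAddress(uint64_t pc) {
  for (uint64_t allowed : kAllowedReturnAddresses)
    if (pc == allowed) return true;
  return false;
}

// Placeholder for pointer authentication (arm64 PACIB/AUTIB with the stack
// pointer as modifier): a 16-bit tag derived from pc, sp and a key is put in
// the top bits of the pointer. The XOR fold below is NOT a MAC; it is only
// here so the sign/authenticate flow can run. Key and shift are constructed.
constexpr uint64_t kPacKey = 0x123456789ABCDEF0ull;
constexpr int kPacShift = 48;

uint64_t ComputePac(uint64_t pc, uint64_t sp) {
  uint64_t v = pc ^ sp ^ kPacKey;
  return (v ^ (v >> 16) ^ (v >> 32) ^ (v >> 48)) & 0xFFFF;
}

// Assumes pc uses only the low 48 bits, as user-space code addresses do.
uint64_t SignPc(uint64_t pc, uint64_t sp) {
  return pc | (ComputePac(pc, sp) << kPacShift);
}

// Returns true and the stripped pc if the tag matches; false otherwise. On
// hardware a failed AUTIB yields a non-canonical address that faults on
// return; here the caller decides what to do.
bool AuthenticatePc(uint64_t signed_pc, uint64_t sp, uint64_t* pc) {
  uint64_t stripped = signed_pc & ((1ull << kPacShift) - 1);
  if ((signed_pc >> kPacShift) != ComputePac(stripped, sp)) return false;
  *pc = stripped;
  return true;
}

struct DeoptFrame {
  uint64_t sp;
  uint64_t signed_caller_pc;
};

// The signing function is no longer generic: it refuses to sign anything
// that is not in the allow list, so the only signed return addresses a
// deoptimized frame can hold are the ones the list permits.
bool SetCallerPc(DeoptFrame* frame, uint64_t pc) {
  if (!IsAllowedReturnAddress(pc)) return false;
  frame->signed_caller_pc = SignPc(pc, frame->sp);
  return true;
}

// What the epilogue does: authenticate, then (if valid) return to pc.
bool ResolveReturn(const DeoptFrame& frame, uint64_t* pc) {
  return AuthenticatePc(frame.signed_caller_pc, frame.sp, pc);
}

struct ScenarioResult {
  bool legitimate_return;     // allowed pc, signed then authenticated
  bool gadget_signed;         // pc outside the list accepted by SetCallerPc
  bool planted_pc_accepted;   // raw pc written straight into the frame
  bool replayed_pc_accepted;  // signed pc copied from a frame with another sp
};

// Constructed attempts against the modelled frame. Only the first succeeds.
ScenarioResult RunScenario() {
  ScenarioResult r{};
  uint64_t pc = 0;
  DeoptFrame frame{0x7FFF0000, 0};
  r.legitimate_return =
      SetCallerPc(&frame, 0x4100) && ResolveReturn(frame, &pc) && pc == 0x4100;
  DeoptFrame gadget{0x7FFF0000, 0};
  r.gadget_signed = SetCallerPc(&gadget, 0x6666);
  DeoptFrame planted{0x7FFF0000, 0x6666};  // write primitive, no signing
  r.planted_pc_accepted = ResolveReturn(planted, &pc);
  DeoptFrame other{0x7FFE0000, 0};
  SetCallerPc(&other, 0x4100);
  DeoptFrame replay{0x7FFF0000, other.signed_caller_pc};  // wrong sp
  r.replayed_pc_accepted = ResolveReturn(replay, &pc);
  return r;
}

int main() {
  ScenarioResult r = RunScenario();
  std::printf("legitimate=%d gadget=%d planted=%d replayed=%d\n",
              r.legitimate_return, r.gadget_signed, r.planted_pc_accepted,
              r.replayed_pc_accepted);
  return 0;
}
```

The point of putting the list check inside the signing function rather than beside it is that there is then no code path that can produce a validly signed return address outside the list; the read-only placement of the list closes the remaining path of editing the list itself.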
Jakob Kummerow
ad8f2f6fd7 [test] Object verification should not recurse
When running with --verify-heap, ObjectVerify() is invoked for every
live object anyway, so there is no need for individual FooVerify()
implementations to recursively request verification of their
sub-objects. If they do, (a) it is duplicated work of O(n²) complexity,
and (b) it can cause fuzzer-generated tests to crash because they run
out of stack space when they trigger heap verification with very little
stack space left.

Fixed: chromium:1106426
Change-Id: Ib9bd444806b148fffc23d635f931dfe73fe7e4ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2358746
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69477}
2020-08-19 13:13:29 +00:00
Anton Bikineev
7c9d30f55e [base] Don't destroy pthread_attr if it failed to be created
The issue popped up while implementing conservative stack scanning in
V8.

Bug: v8:10614
Change-Id: I7edc6ca1f248f45b10be0fa45e28a98fd2b03840
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362651
Auto-Submit: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69476}
2020-08-19 12:34:39 +00:00
Maya Lekova
f7a4c31172 Revert "[compiler] Replace HeapNumberData with direct reads"
This reverts commit 7964ac8698.

Reason for revert: Introduces a data race - https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20TSAN/32870

Original change's description:
> [compiler] Replace HeapNumberData with direct reads
> 
> Bug: v8:7790
> Change-Id: I3fbbbd36900146111f83596fd6615a2e4a4f5d33
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362952
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#69474}

TBR=neis@chromium.org,solanes@chromium.org,nicohartmann@chromium.org

Change-Id: Idd17677b2083acf452195a88cb5c363034b43c5f
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7790
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2364493
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69475}
2020-08-19 12:12:33 +00:00
Georg Neis
7964ac8698 [compiler] Replace HeapNumberData with direct reads
Bug: v8:7790
Change-Id: I3fbbbd36900146111f83596fd6615a2e4a4f5d33
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362952
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69474}
2020-08-19 11:50:39 +00:00
Georg Neis
7b9a0c20f3 [compiler] Replace ScopeInfoData with direct reads
As part of this, introduce a new ObjectData kind for objects that we
want to read directly from the background thread rather than serialize.
ScopeInfoRef is the first user of that.

For details, see:
https://docs.google.com/document/d/1U6x6Q2bpylfxS55nxSe17yyBW0bQG-ycoBhVA82VmS0/edit?usp=sharing

Bug: v8:7790
Change-Id: Ia3cda4f67d3922367afa4a5da2aeaae7160cf1f2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2346405
Auto-Submit: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69473}
2020-08-19 11:26:29 +00:00
Emanuel Ziegler
a626bc0362 [ukm][wasm] Add event WasmModuleInstantiated
Add an event for recording metrics related to instantiating Wasm modules.

R=clemensb@chromium.org

Bug: chromium:1092417
Change-Id: I5c87aba7d2cdb012951249b336684580595844cd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2351675
Commit-Queue: Emanuel Ziegler <ecmziegler@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69472}
2020-08-19 10:31:49 +00:00
Santiago Aboy Solanes
f16d3abf06 [compiler] Access the heap for BytecodeArray int/Register members
We can create a new macro to skip the xxxData classes and read directly
from the heap.

Bug: v8:7790
Change-Id: I8de9ba0aee78c74d4c3113eb6bc4870a314de552
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362687
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69471}
2020-08-19 09:07:24 +00:00
Emanuel Ziegler
1d3e274da9 [ukm][wasm] Add event WasmModuleCompiled & WasmModuleTieredUp
Add an event for recording metrics related to compiling Wasm modules.
This provides different events for both baseline compilation and
tier-up.

R=clemensb@chromium.org

Bug: chromium:1092417
Change-Id: Ib5ea7f5ba9e91e2c34473e666eea1c6dc6a97037
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2351674
Commit-Queue: Emanuel Ziegler <ecmziegler@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69470}
2020-08-19 09:02:19 +00:00
Jakob Gruber
25596e8086 Define a constant for the return address stack slot count
... to avoid the repeated pattern of calculating it.

Bug: v8:8888
Change-Id: I4af5264aae6cfb8b6232b5aaf9ceb2cb568c29d0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362692
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69469}
2020-08-19 07:12:38 +00:00
v8-ci-autoroll-builder
817c75e588 Update V8 DEPS.
Rolling v8/build: 13765d6..78b2991

Rolling v8/third_party/aemu-linux-x64: p5IjOVYEoaWHNJ28H6OKk3LlpDPCUruvOahozwiZAIgC..cG1zzefbD24rFmPDujqP0rrEG0uXUhH8axBOrD619hoC

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/03f5451..abfdfbb

Rolling v8/third_party/depot_tools: 5664586..5cff4e3

Rolling v8/tools/clang: 7c75562..299e8a2

TBR=machenbach@chromium.org,tmrts@chromium.org,v8-waterfall-sheriff@grotations.appspotmail.com

Change-Id: I8e126fab0c47d9cd9b9112fd93929d91b0f53f00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2363898
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#69468}
2020-08-19 03:48:24 +00:00
Andreas Haas
74b907aeff [wasm] Add some simd opcodes to the wasm-module-builder
The V8 wasm fuzzer can create regression tests for failing fuzzer cases.
These regression tests use the wasm-module-builder.js. With the addition
of simd to the wasm-compile-fuzzer, the fuzzer can now create test cases
that use simd instructions, but the wasm-module-builder.js did not know
yet about the new instructions. This CL adds some instructions to
wasm-module-builder.js.

R=zhin@chromium.org

Bug: chromium:1116019
Change-Id: I198e4f11c2225a65d6b438f95e351fc14ee66218
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362694
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69467}
2020-08-18 21:02:43 +00:00
Shu-yu Guo
985a9ddaa1 Fix "name" property of %ThrowTypeError% to be spec-conformant
This is a normative PR that reached consensus at the June 2019 TC39:
https://github.com/tc39/test262/pull/2299

Bug: v8:9646
Change-Id: Idbeea703fe264da43825729e7b37a08a1bb10001
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2360907
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69466}
2020-08-18 19:36:53 +00:00
Milad Farazmand
65dde24353 PPC/s390: [wasm] Fix tier down after deserialization
Port 2547e1cece

Original Commit Message:

    Since the compilation progress was never initialized on deserialization,
    tier down was always skipped on such modules.
    By initializing to the expected state after deserialization (i.e. all
    code as TurboFan code), we make sure that later recompilation works as
    expected.

R=clemensb@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: Iab66ca0d1bfb36cfee56ccd85720d4c5552eb9c5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2363270
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#69465}
2020-08-18 19:27:14 +00:00
Clemens Backes
677a22fb37 [wasm] Improve error messages on OOM
Instead of returning a boolean value on {WasmCodeManager::Commit}, and
always failing on {false}, just remove the return value and fail within
{WasmCodeManager::Commit} directly. This allows us to generate better
error messages if running OOM.

R=thibaudm@chromium.org

Bug: chromium:1107649, chromium:1117033
Change-Id: Ic8089e4385ddf92c164b9a0c770c210e1caddcbe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362962
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69464}
2020-08-18 18:53:48 +00:00
Dirk Pranke
7c182bd65f Fix visibility rules for configs enforced by the latest GN version.
Prior versions of GN had a bug (gn:22) where visibility rules
for configs weren't being enforced properly.

This CL tweaks the visibility settings of some configs to
conform to the latest version.

Change-Id: Ic5d827a1f2774278d3894f67fe52bfca836c0409
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2360909
Commit-Queue: Dirk Pranke <dpranke@google.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69463}
2020-08-18 18:52:43 +00:00
Z Nguyen-Huu
e3bbf2bf24 [turbofan] Reduce consecutive machine multiplication with constants
There exists such an optimization for additions but not for multiplications.

This adds optimizations that apply the reductions
  ((x * Int32Constant(a)) * Int32Constant(b)) => x * Int32Constant(a * b)
  ((x * Int64Constant(a)) * Int64Constant(b)) => x * Int64Constant(a * b)
to the TurboFan graph.

Bug: v8:10305
Change-Id: I28f72c2b7d8ff0f758a0a08b69fb3763557a6241
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2360327
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69462}
2020-08-18 17:44:13 +00:00
Milad Farazmand
9b317d2dc5 PPC/s390: [wasm-simd] Support returning Simd128 on caller's stack
Port 360c9294a8

Original Commit Message:

    In Liftoff, we were missing kS128 cases to load to/from stack.

    For the x64 and ARM64 instruction selector, the calculation of
    reverse_slot is incorrect for 128-bit values:

    - reverse_slot += 2 (size of 128-bit values, 2 pointers)
    - this copies from slot -2 into register
    - but the value starts at slot -1, it occupies slots -1 and -2
    - we end up copying slot -2 (most significant half) of the register, and
    also slot -3, which is where rsi was stored (Wasm instance addr)
    - the test ends up with a different result every time

    The calculation of reverse_slot is changed to follow how ia32 and ARM
    do it, which is to start with

    - reverse_slot = 0
    - in the code-generator, add 1 to the slot
    - then after emitting Peek operation, reverse_slot += 2

    The fixes for x64 and ARM64 are in both instruction-selector and
    code-generator.

    ia32 and ARM didn't support writing kSimd128 values yet, it was only a
    missing check in code-generator, so add that in.

    For ARM, the codegen is more involved, vld1 does not support addressing
    with an offset, so we have to do the addition into a scratch register.

    Also adding a test for returning multiple v128. V128 is not exposed to
    JavaScript, so we use a Wasm function call, and then an involved chain
    of extract lanes, returning 6 i32 which we verify the values of. It
    extracts the first and last lane of the i32x4 value in order to catch
    bugs where we write or read to a wrong stack slot (off by 1).

    The simd-scalar-lowering for kCall was only handling single s128 return,
    we adopt the way i64-lowering handles kCall, so that it can now handle
    any kinds of calls with s128 in the descriptor.

R=zhin@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: I1ad9595d7820f04687c9d79941ad04c6eb207897
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2363118
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#69461}
2020-08-18 17:08:23 +00:00
Shu-yu Guo
048761aa0f Install "name" property on anonymous classes
This is a normative PR that reached consensus at the June 2019 TC39:
https://github.com/tc39/test262/pull/2299

Bug: v8:9646
Change-Id: I8cb927b9e9231dfb71ebf47171205a096350e38b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2360905
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69460}
2020-08-18 16:41:23 +00:00
Thibaud Michaud
65d28a7fe4 [wasm][mv] Enable wasm multi-value
R=ahaas@chromium.org

Bug: chromium:1097717
Change-Id: I6c5a0a32191c9a06fd894c8fe7d9367e9403de8c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362956
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69459}
2020-08-18 16:21:43 +00:00
Clemens Backes
2547e1cece [wasm] Fix tier down after deserialization
Since the compilation progress was never initialized on deserialization,
tier down was always skipped on such modules.
By initializing to the expected state after deserialization (i.e. all
code as TurboFan code), we make sure that later recompilation works as
expected.

Drive-by: Fix an unnecessary copy of a {shared_ptr} in deserialization.

R=thibaudm@chromium.org

Bug: chromium:1110258
Change-Id: Ia12af888e4b11aabfb8cd4e1201e9fa3cd2ceb47
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2323355
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69458}
2020-08-18 15:15:53 +00:00
Seth Brenith
0f4b9cefc0 [torque] Allow indexed field access in length expressions
In some objects, the length field for an indexed field might itself be
conditionally included depending on some previous field's value. The
module-related stuff at the end of ScopeInfo is a good example. Torque
can represent that case, with a minor change allowing indexed field
access from within the length expression for another indexed field.

Bug: v8:7793
Change-Id: I9ff5c9cea2b9423f28004beba05a9a24b22c8e3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2360328
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#69457}
2020-08-18 15:05:33 +00:00
Milad Farazmand
2638328dc9 PPC/s390: [wasm][arm][arm64][liftoff] Allow loads from negative indices
Port 4765c70fa6

Original Commit Message:

    On arm, the root register points into the middle of the roots array to
    allow to use the full int12_t offset range. Therefore some offsets into
    the root array are negative. This CL changes the liftoff assembler for
    arm to allow loads from negative offsets.

    On arm64, offsets can also be negative when pointer compression is
    disabled.

    Additionally this CL changes the signature of
    LiftoffAssembler::LoadTaggedPointer from uint32_t to int32_t to allow
    the LiftoffCompiler to provide negative indices.

    This CL does not come with a separate test yet. However, this change is
    needed for https://crrev.com/c/2352784, where there will also be a test.

R=ahaas@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: Ie286b0169a5f7a1de90e0ec7002bfac83383ea6c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2363127
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#69456}
2020-08-18 14:37:53 +00:00