A value of type OtherSeqString can change its type to OtherNonSeqString
via inplace internalization (and redirection via a ThinString). This can
lead to out of bounds memory accesses and generally correctness bugs, as
seen with crbug.com/822284.
This change might affect performance in some cases, and we'll need to
evaluate whether it's worth spending cycles on adding another mechanism
that leverages the sequential string information in a safe way on a case
by case basis.
Bug: chromium:822284
Change-Id: I0de77ec089a774236555f38c365f7548f454edfe
Reviewed-on: https://chromium-review.googlesource.com/966021
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51975}
This introduces a new JSCreateTypedArray operator, backed by a dedicated
CreateTypedArray builtin, and adds support to lowering new TypedArray
calls to this operator. This way we avoid the overhead of going through
the generic construct stub machinery for hot code. This not only
recovers the performance regression on the typed array constructor
benchmarks, but even improves slightly beyond what we had in 6.6.
We might in the future try to fully inline the TypedArray constructor
into optimized code for certain cases.
Bug: chromium:820726, v8:7503, v8:7518
Change-Id: Ied465924d5695db576d533792f1db68456b9b5ea
Reviewed-on: https://chromium-review.googlesource.com/959010
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51973}
Prevent d8 from exiting while wasm background compilation is still
going on. This prevents the need to use the testRunner to execute
webassembly tests in d8.
R=yangguo@chromium.orgCC=ahaas@chromium.org
Change-Id: I86fb7ce260fc56ee87040742f77b0ff86b8fbd53
Reviewed-on: https://chromium-review.googlesource.com/964221
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51972}
TurboFan assumed that the output of NumberToString is always a
sequential string, since that's what we put into the number to
string table. However we might eventually morph these strings
into ThinStrings when we need to internalize them, in which case
the type in TurboFan will be wrong, and we read out of bounds.
Also-By: tebbi@chromium.org
Bug: chromium:822284
Change-Id: I5aebe73028b95849fff72bba262c517677112353
Reviewed-on: https://chromium-review.googlesource.com/964523
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51970}
Adds a flag onto InterceptorInfo to mark an interceptor's getter,
query, and enumerator callbacks as side-effect-free.
Bug: v8:7515
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: Iafc5d2fa554d6d9a38604e179ea5b884c3b77af0
Reviewed-on: https://chromium-review.googlesource.com/957870
Commit-Queue: Erik Luo <luoe@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51969}
These checks are critical even in release mode. They won't impact
runtime performance since this happens at snapshot-time.
TBR=yangguo@chromium.org
Bug: v8:6666
Change-Id: I342d9f80c6b882363da00630385686ac6a02cf5d
Reviewed-on: https://chromium-review.googlesource.com/964524
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51966}
Given the following input,
const config = {
min: Math.min(1, 2),
func: myfunc(),
}
Previously, the error was,
➜ ./out.gn/x64.release/d8 _test.js
_test.js:3: ReferenceError: myfunc is not defined
min: Math.min(1, 2),
^
ReferenceError: myfunc is not defined
at _test.js:3:13
Now, the error is,
➜ ./out.gn/x64.release/d8 _test.js
_test.js:4: ReferenceError: myfunc is not defined
func: myfunc(),
^
ReferenceError: myfunc is not defined
at _test.js:4:9
Bug: v8:7507
Change-Id: Ia65b445fdbc1369ecce80f4fc2040e500c807d40
Reviewed-on: https://chromium-review.googlesource.com/964182
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51964}
This makes the moves from constants to the poisoning register
explicit so that the register allocator does not have to burn
a register on it.
Bug: chromium:798964, chromium:820726, v8:7503, v8:7518
Change-Id: Ifc8f9a2f685405dd38fec583bb0e20c3f0320903
Reviewed-on: https://chromium-review.googlesource.com/964202
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51963}
This reverts commit f1b1ec70a6.
Reason for revert: Tentative revert for https://logs.chromium.org/v/?s=chromium%2Fbb%2Fclient.v8.fyi%2FV8-Blink_Mac%2F13696%2F%2B%2Frecipes%2Fsteps%2Fwebkit_unit_tests%2F0%2Fstdout
Original change's description:
> [builtins] Remove off-heap builtins from the snapshot
>
> This CL is the final major step towards shipping off-heap-safe builtins
> embedded into the binary.
>
> Prior to snapshot serialization, we now:
> * create the embedded blob containing off-heap instruction streams,
> * use that to generate embedded.cc (containing embedded binary data),
> * replace off-heap-safe builtins with trampolines,
> * and serialize those into the final snapshot.
>
> The new RelocInfo::OFF_HEAP_TARGET kind is used to fix up trampoline
> targets on deserialization.
>
> Bug: v8:6666
> Change-Id: Ib07aea9e3bd7ecdec42291c1388b3a7453ea96ce
> Reviewed-on: https://chromium-review.googlesource.com/950775
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51960}
TBR=yangguo@chromium.org,mstarzinger@chromium.org,jgruber@chromium.org
Change-Id: I58dd4bf9a99d37416855b48807150e1dd9ecd9e8
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6666
Reviewed-on: https://chromium-review.googlesource.com/964363
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51962}
This CL is the final major step towards shipping off-heap-safe builtins
embedded into the binary.
Prior to snapshot serialization, we now:
* create the embedded blob containing off-heap instruction streams,
* use that to generate embedded.cc (containing embedded binary data),
* replace off-heap-safe builtins with trampolines,
* and serialize those into the final snapshot.
The new RelocInfo::OFF_HEAP_TARGET kind is used to fix up trampoline
targets on deserialization.
Bug: v8:6666
Change-Id: Ib07aea9e3bd7ecdec42291c1388b3a7453ea96ce
Reviewed-on: https://chromium-review.googlesource.com/950775
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51960}
- Rename WasmCode::owner() to WasmCode::native_module() and
- Make {shared} field of WasmCompiledModule no-longer const, since
it had a setter masquerading under the
{OnWasmModuleDeserialization()}.
- Refactor and simplify the flow of "owner" in module-compiler.cc
R=mstarzinger@chromium.org
Change-Id: If9ee371124678fbbc845fc4e93279bf14f8f7ce8
Reviewed-on: https://chromium-review.googlesource.com/964263
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51959}
This function re-uses the implementation of InitializeICUDefaultLocation.
Removal of the API breaks embedders' code without providing any benefit.
Bug: v8:7561
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I006cd307887ac132f574af26ca9cd1d5e5317644
Reviewed-on: https://chromium-review.googlesource.com/963024
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51956}
After processing the string loaded from a file, don't process message
queues. Otherwise, stack traces generated in any processed task will
contain the stack trace of the load. This also introduces
nondeterminism, since it depends on the timing whether something will
be processed inside the load or outside.
Drive-by: Introduce enums for the different bools, to make their
meaning more obvious at call sites.
R=yangguo@chromium.orgCC=herhut@chromium.org
Change-Id: Ib48ee01be8c443a2a408ecb1c9e34bb9ba5a8fe7
Reviewed-on: https://chromium-review.googlesource.com/964141
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51952}
This also undeprecates Message::GetStartColumn API.
The simple versions are easier to use for the embedders and have the
same implementation as the complex versions.
Bug: v8:7560
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I656161b04c5d9de6d1de9435b7825009f96572a5
Reviewed-on: https://chromium-review.googlesource.com/963322
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51951}
Pointing to the exact spot of the incorrect numeric separator seems
clearer both in terms of the error itself, and the resulting code in
scanner because we don't have to keep track of the start position.
Previously, the error was:
➜ ./out.gn/x64.release/d8 --harmony-numeric-separator -e '0x1__1'
unnamed:1: SyntaxError: Only one underscore is allowed as numeric separator
0x1__1
^^^^
SyntaxError: Only one underscore is allowed as numeric separator
Now, the error is:
➜ ./out.gn/x64.release/d8 --harmony-numeric-separator -e '0x1__1'
unnamed:1: SyntaxError: Only one underscore is allowed as numeric separator
0x1__1
^
SyntaxError: Only one underscore is allowed as numeric separator
Bug: v8:7317
Change-Id: I7df1b39816e51a97234da6ed0fca1bf8c0223c3e
Reviewed-on: https://chromium-review.googlesource.com/962241
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51950}
On x64, the upper 32 bit of a register holding a 32-bit value are
always zero. Add several assertions to check that. This is particularly
important for memory accesses, where the whole 64-bit register is used
as offset for the memory access.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: Ifd3c6e90bb0056dbc2b8c66de919f35c7787965b
Reviewed-on: https://chromium-review.googlesource.com/963321
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51947}
This test creates a BigInt object with size more then 250 MB. On certain
test systems, this large memory consumption will cause the test failing.
Therefore, this test will be skipped for MIPS32 architecture.
TEST=mjsunit/harmony/bigint/regressions
BUG=
Change-Id: I21bf86c3e6058818c6db3ed8970c0f1e3873e0a6
Reviewed-on: https://chromium-review.googlesource.com/962381
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Cr-Commit-Position: refs/heads/master@{#51940}
Previously install-sysroot.py relied on gyp. This should be fixed now.
This way, tools/node/fetch_deps.py can also be used to fetch
dependencies when building V8 to run V8 tests from a Node.js checkout.
R=machenbach@chromium.org
Change-Id: Ic4ee425d6ae744c32f604d14fbfdb0554a00c486
Reviewed-on: https://chromium-review.googlesource.com/962421
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51939}
Now, 'queryObjects' takes an optional 'objectGroup' argument,
allowing the frontend to release the response value.
This is important because each call produces a new Array, which
could not be released before.
Bug: chromium:815263
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I18c9a68c4ba45020fce9eea63cb263396a18d498
Reviewed-on: https://chromium-review.googlesource.com/935153
Commit-Queue: Erik Luo <luoe@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51938}
- Update CodeSpecialization::RelocateDirectCalls and ApplyToWholeInstance to take a native module instead
- Use CodeSpecialization on NativeModule::LinkAll
Bug: v8:7539
Change-Id: I71ceb3114e8a0fca71dfa32f0721ef5fb4485eb4
Reviewed-on: https://chromium-review.googlesource.com/959592
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51937}
Annotate global handle with label to identify the context held alive for
debugging in DevTools
Bug: chromium:811842
Change-Id: I24f08b4d01939421ba1b7ec7b03982f00ebbdd1a
Reviewed-on: https://chromium-review.googlesource.com/962788
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51936}
- Add a new bytecode for the ToString operation, replacing the old
intrinsic call (currently does not collect type feedback).
- Add a new AST node to represent TemplateLiterals, and avoid
generating unnecessary ToString operations in some simple cases.
- Use a single feedback slot for each string addition, because the
type feedback should always be the same for each addition
This seems to produce a very slight improvement on JSTests benchmarks
and bench-ruben.js from v8:7415, and it's possible that type feedback
for the ToString bytecode could provide more opportunities to eliminate
the runtime call in TurboFan.
Doesn't touch tagged templates
[esnext] fix OOB read in ASTPrinter::VisistTemplateLiteral
Fixes an error where TemplateLiteral printing in --print-ast
would try to read an element beyond the length of a vector.
BUG=v8:7415, chromium:820596
R=adamk@chromium.org, gsathya@chromum.org, rmcilroy@chromium.org, ishell@chromium.org, bmeurer@chromium.org
Change-Id: Ie56894f73a6445550a5f95f42160c4e29ab1da42
Reviewed-on: https://chromium-review.googlesource.com/958408
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#51933}
This CL is preparation for moving the contents of the WasmContext
directly into the WasmInstanceObject. The moved fields are all untagged
pointers to C++ memory or untagged sizes which will be used in
generated machine code for WASM. They are not currently used, but
they are all set to kHeapObjectTag to make sure they are not
interpreted as tagged by the GC, using a custom object descriptor.
R=mstarzinger@chromium.orgCC=clemensh@chromium.org
Bug: v8:7424
Change-Id: Ie5d5161df32564dcac74c6ff659f1a38ddca3cb0
Reviewed-on: https://chromium-review.googlesource.com/961065
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51932}
This adds support for i32.wrap/i64, i64.extend_s/i32, and
i64.extend_u/i32.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: Iaeac1d24a53d044151cb244fffe3eab04314d908
Reviewed-on: https://chromium-review.googlesource.com/962281
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51930}
Now that Array.from() always calls the runtime to set the length if it's
not equal to the current length, don't actually set it on the fast path
since it's unobservable and doesn't change anything.
Also remove check for the array being writable since it's no longer
needed.
Change-Id: I0928d80b445807912fd925f7957c9a76385fc6bc
Reviewed-on: https://chromium-review.googlesource.com/961403
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51929}
