Shared references can also be stored in WeakMaps and during marking we
need to be able to deal with such references. In a client GC shared
objects are treated as live, so we don't need to update or check mark
bits for such objects.
Bug: v8:11708
Change-Id: I0dbf797472c4779f462750dab63cc9b012aad091
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3447365
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79153}
Guard pages are 4k areas at the beginning and end of each oilpan page
(128kiB) which are meant to be inaccessible. However, on ARM64 macOS, the
OS page size is 16kiB, meaning that these are not inaccessible. But we
do pay for these, as they are part of the first and last OS
page, meaning that we effectively waste 2 * 4kiB = 6.25% of each Oilpan
page.
Since these are not serving their purpose, disable them on this
platform. Another fix could be to make the guard page 16kiB, but given
that the entire oilpan page is 128kiB, this may have adverse effects on
e.g. fragmentation.
Note that this doesn't regress security, as the regions were never
protected to begin with on this platform.
Bug: chromium:1298417
Change-Id: Iad5d05670962780e6d1eeab2bb8a331deb7aa1f3
Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3471558
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Benoit Lize <lizeb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79151}
Use the existing generic js-to-wasm wrapper to handle arguments in
the stack-switching export wrapper, by combining them into a single
helper function parameterized by a boolean.
If the stack_switch parameter is false, the generated js-to-wasm wrapper
is the same as before.
If the stack_switch parameter is true, we allocate and switch to the new
stack before starting to process the parameters. To load the parameters,
we also keep a pointer to the old stack.
After the call, we convert the return value according to the return type
as usual, and then switch back to the parent stack (which may be
different from the original stack, but has a compatible stack frame
layout).
If the stack suspends during the call, control-flow jumps right before
we deconstruct and leave the frame, and returns the Promise as an
externref in the return register.
R=ahaas@chromium.org,jkummerow@chromium.org
CC=fgm@chromium.org
Bug: v8:12191
Change-Id: If3f8eaba8edebe6e98d4738f79f895fdb5322adc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3460410
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79148}
Using shm_open with a constant name can lead to race conditions with
other V8 instances using (and unlinking) the same shared memory object.
Bug: v8:12636
Change-Id: Ic2d2317f99c1df7aedec2dc52b187c64eea11d2c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3468899
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79146}
For large modules, the current limit of 100k bytes creates a large number
of batches to be processed by the concurrent tasks. Choosing a larger
batch size removes communication overhead.
R=ahaas@chromium.org
Bug: v8:11974, chromium:1297999
Change-Id: Ia03f42895cb0e6bab8fdc52b82ff2ed59869b749
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3468904
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79144}
There's only a single callsite that performs retries after allocations
which already can determine the proper GC to invoke without requiring
threading the space backwards.
Bug: v8:12615
Change-Id: I5d5d886162b3eca33eb2fe7bde1e113cd08a094c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3468905
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79143}
Avoiding handles in tight loops and setup code improves performance
and reduces code size.
This CL also makes the non-allocating mode more explicit by adding
more DisallowGarbageCollection scopes.
Change-Id: I95b5b1a29204c27a23c42ccd67fff150b3fa4a3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3460740
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79142}
Outside of unittests, if someone tried to delete a GCed object manually
they would get a silent crash without a stacktrace or any error
messages. This CL replaces the silent crash with an informative message.
Change-Id: Ied8895dab43ce7e3a9bf778b13e77d377d269fce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3468346
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79141}
In order to create fewer tasks that each need to swap permissions for
writing to the code space, merge the two {CopyAndRelocTask} and
{PublishTask} into a single {DeserializeCodeTask}.
This also makes the code a lot shorter, and removes stress from the
scheduler.
R=ahaas@chromium.org
Bug: v8:11974, chromium:1297999
Change-Id: I8866bf7225b0bc2dd4caef79e64cacca9de15519
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3468902
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79139}
Avoid the lookup via heap()->incremental_marking() and instead cache
the marking state on GlobalHandles itself.
Change-Id: I2665681ad38983bf16d22e0a82dd10743877e520
Bug: chromium:1294661
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3468903
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79138}
Publishing Wasm code often happens in a loop (in particular for
deserialization), so hold the {CodeSpaceWriteScope} outside that loop to
avoid repeated switching between writable and executable.
R=ahaas@chromium.org
Bug: v8:11974, chromium:1297999
Change-Id: Ic4bf859685e66c4ba297fed968d0df6ae7d24cba
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3468896
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79135}
Historically the tool only combined files where the run number was
separated by a hash: domain#1.txt, domain#2.txt, ...
Fix this to allow for underscores and/or arbitrary number suffixes.
Change-Id: I85253a1b871eb75fce60fef9a61b7d50afe72abd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3468900
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Auto-Submit: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79134}
Rolling v8/build: 62a6377..996f747
Rolling v8/buildtools: 169eef5..f413334
Rolling v8/buildtools/third_party/libunwind/trunk: b323ac8..1e0047c
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/6fbe580..7504934
Rolling v8/third_party/depot_tools: d6a3040..e293d3d
Rolling v8/third_party/zlib: 9538f41..901a5d9
Rolling v8/tools/clang: 62e2cd9..0a9dd77
Rolling v8/tools/luci-go: git_revision:c4791d15e395b201e6a85336f7d8a21cce973dfa..git_revision:b32c149b6abb5e4e9aead1651c7a65562a956858
R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com
Change-Id: Icd4bf05c19d156a1266ce51b4b8ab9af0d4782ca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3468735
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#79133}
The new shared memory API should only be used on macOS, but
platform-macos.cc was also included on iOS, causing build failures. This
CL splits platform-macos.cc into platform-xnu.cc (common code for macOS
and iOS) and platform-macos.cc (the macOS-specific parts).
Bug: chromium:1218005
Change-Id: Iab332865ffd8990ddd246bb9c08802909464d7e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3468895
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79131}
This is a reland of 9ae463bc43
- Don't run the heap stats during bootstrapping
Original change's description:
> [heap-stats] Fix heap-stats with ptr-cage
>
> - Heap-stats was trying to load the map without explicitly passing in
> the PtrComprBase causing failures with Code objects in external code
> space
> - Extend the debugPrint.js tests to run with some more debugging and
> testing flags to prevent future regressions
>
> Change-Id: I1f0d03cb31480f316fe533b507ff98fe3befbe8e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3432386
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Auto-Submit: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#78919}
Bug: chromium:1297436
Change-Id: Ib42ae7b8c5f4a427abbce633a1b3ac36ad32994b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3437046
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79127}
The flag is required to allow passing in more debug information when
necessary.
Change-Id: I34e407ba57786c242aac8b6f6af258969de43efd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3468894
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79126}
Allow Wasm to generate calls directly to Fast API C functions.
Also fixes a problem when calling a Fast Api C function with no
FastApiCallbackOptions from JS.
This is a rebase of
https://chromium-review.googlesource.com/c/v8/v8/+/3364356,
which was a rebase of the work originally done by devsnek in:
https://chromium-review.googlesource.com/c/v8/v8/+/2718666.
Bug: chromium:1052746, chromium:1292333
Change-Id: Ic56268e7723f80f7ea9e6799e777786d3a50222f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3440694
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#79125}
This API allows allocating shared memory mappings inside a virtual
address space from a platform-specific handle to a shared memory object.
This will make it possible to allocate shared memory inside the sandbox,
for example as backing memory for ArrayBuffers.
Bug: chromium:1218005
Change-Id: I4f1f50baec50734e846496cff78046e4fffe75c5
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3383777
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79123}
The information was previously kept heap-global but is really only
used by spaces when refilling their LABs.
Bug: v8:12615
Change-Id: Iee256d35ffa0112c93ec721bc3afdc2881c4743b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3465898
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79122}
These should not be allowed inside the sandbox as they could be
corrupted by an attacker, thus posing a security risk. Furthermore,
executable pages require MAP_JIT on macOS, which causes fork() to become
excessively slow, in turn causing tests to time out.
Due to this, the sandbox now requires the external code space.
In addition, this CL adds a max_page_permissions member to the
VirtualAddressSpace API to make it possible to verify the maximum
permissions of a subspace.
Bug: v8:10391
Change-Id: Ib9562ecff6f018696bfa25143113d8583d1ec6cd
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3460406
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79119}
Now that different tiers use dedicated interrupt_budgets (which
determine how often the runtime profiler (now tiering manager) is
called), I don't see a meaningful way to use results from this counter.
Bug: v8:7700
Change-Id: I2ec2242d3c7f6c2b9deab075a6f0500cc1350e96
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3467595
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79117}
TierUpCheck and UpdateInterruptBudget were only used by Turboprop
(likewise feedback_cell_node).
Bug: v8:12552
Change-Id: Ic73d44a5734e183bc1a2eda58cdf85163220e4d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3463954
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79116}
This predicate is just confusing - it's a renamed version of
HasBytecodeArray; but HasBytecodeArray also returns true if the SFI
has attached Sparkplug code - and is thus not interpreted.
Simply replace it by HasBytecodeArray.
Bug: v8:7700
Change-Id: Id4be2048a625142ade1096044133d9cd2896b51d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3461935
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79115}
Rolling v8/build: d5f9249..62a6377
Rolling v8/buildtools/third_party/libc++abi/trunk: 01efcb5..738dc10
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/7bede42..6fbe580
Rolling v8/third_party/depot_tools: 4e4a2b8..d6a3040
Rolling v8/third_party/zlib: 03f3212..9538f41
Rolling v8/tools/clang: ad74e59..62e2cd9
Rolling v8/tools/luci-go: git_revision:fbbb5b9748a05dd16fe621f7ea48a4ece1913874..git_revision:c4791d15e395b201e6a85336f7d8a21cce973dfa
R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com
Change-Id: I7ac51800087314d5c0bf5e6a186c63b059305f3f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3465720
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#79110}
Even though this is not a perfect protection, it will make it harder to
write to the wasm code space because it's not permanently RWX.
After optimizations (see https://crbug.com/v8/11974) the performance is
good enough that it's worth just enabling it.
R=ahaas@chromium.org
Bug: v8:11974
Change-Id: I82786e932387732863c3c5e3aa743f7836cc45e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3464035
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79109}
This was mostly unused. We should simply be able to use CodeKind plus
related predicates instead.
Replace FeedbackVector::optimization_tier with
maybe_has_optimized_code, which states whether the optimized code
cache is filled. The value is updated lazily and may lag behind the
actual code cache state. We only use this field for quick cache-empty?
checks from generated code.
Bug: v8:7700,v8:12552
Change-Id: Ibfc5c0128eac56167a68ecba5690eab2e9369640
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3460741
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79107}
Data segments were missing in the output of --wasm-fuzzer-gen-test.
R=manoskouk@chromium.org
Bug: v8:11863
Change-Id: I40e60ef8626125ca9df6bead688607215d9e5b58
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3461932
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79106}