Changes to the trap-handler directory need special security review. Add
a WATCHLIST to make it less likely that security review is ignored.
The watch list has ahaas and clemensb as V8-side owners and mark and
mseaborn as security reviewers.
R=ahaas@chromium.org, mark@chromium.org, mseaborn@chromium.org
Change-Id: I3af3eee5797d20353c39a33de009f39df85e98a9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4165617
Reviewed-by: Mark Seaborn <mseaborn@chromium.org>
Reviewed-by: Mark Mentovai <mark@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85355}
This completes the big Code/CodeDataContainer name shuffle.
Bug: v8:13654
Change-Id: If033e9153e751ab0d2a38572da2ce2f7029bc359
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4173569
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85354}
The runtime function took two parameters, the instance and the function
index. The function index, however, seems to be unnatural information,
as the function index is a value that only has meaning with the binary
format of a wasm module, and not for the embedder of a wasm module.
This CL changes the signature of the runtime function to a single
parameter, the wasm function that should be optimized.
R=manoskouk@chromium.org
Bug: v8:12926
Change-Id: I6802cb6c8ffc586f4997a4a069735785ce59583d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4171625
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85352}
functions from the TurboAssembler class
JumpTableAssembler inherits from TurboAssembler class instead of
MacroAssembler class, so its function cannot directly use
JumpToOffHeapInstructionStream.
Change-Id: Id87901157202443440cc8ff658b098d1db1a6865
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4173347
Auto-Submit: Liu Yu <liuyu@loongson.cn>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85351}
Rolling v8/build: 8eddf35..e831815
Rolling v8/buildtools: a1adda9..d843e69
Rolling v8/buildtools/clang_format/script: 8b525d2..f97059d
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/a4c8178..7a311fe
Rolling v8/third_party/depot_tools: 1757677..86cfa62
Rolling v8/third_party/fuchsia-sdk/sdk: version:11.20230112.1.1..version:11.20230114.0.1
Rolling v8/third_party/ninja: version:2@1.8.2.chromium.3..version:2@1.11.1.chromium.6
Change-Id: I0f3f07dadc4a8d82737e147bd0ff7b1836f5e0d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4174855
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#85350}
Liftoff will only be called on valid functions, but does not validate
itself. So we should not set the function to "validated" after executing
Liftoff compilation. Instead, we can DCHECK that the function was
validated before.
This requires a few changes to tests and fuzzers to correctly set the
{function_was_validated} bit.
R=ahaas@chromium.org
Change-Id: I669fca77724189c83d78bdfda9f08df9f7fd63f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4168411
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85349}
This is a followup to crrev.com/c/4165084.
Using relaxed atomic is not sufficient since the tasks are still running
and thus are not synced with the main thread.
This CL switches to using acquire-release semantics instead.
Bug: v8:13668
Change-Id: I613e56d423926d990aa22b3bd762a51af34737b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4174078
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85348}
We used to optimize the pattern of a {WasmTypeCast} followed by an
{AssertNotNull} in the wasm typer, by moving the latter before the
former. This has caused multiple bugs in the past.
Now that we have null-trapping casts, we can simplify the optimization
by changing the return type of the type cast to non-nullable, thus
making it trap on null, and removing the explicit null assertion. We
also move it to the WasmGCOperatorReducer, which is more appropriate.
Bug: v8:7748
Change-Id: I756543090145c71e998042607437a5bad3fd19da
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4172731
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85346}
Tests with shared memory are non-deterministic and shall not be
run with --predictable.
Bug: v8:13267, v8:13669
Change-Id: I65c9e1b273ff96ea73acd817a297c08f83ba615f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4174076
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85345}
SmallVectors are assumed to be small most of the time. Hence the {Grow}
method and others will most of the time not be called. So mark them
{V8_PRESERVE_MOST} to make caller code slimmer and faster.
R=dlehmann@chromium.org
Bug: v8:13565
Change-Id: Ia2bdcdff7e415b1d8a2717849c74604677a9dade
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4168413
Reviewed-by: Daniel Lehmann <dlehmann@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85344}
We sometimes validate functions in the background, e.g. when inlining in
TurboFan. This had a slight chance of triggering a DCHECK when we were
validating the same function explicitly in another thread.
This would only happen in non-default configurations, if some functions
get eagerly compiled with TurboFan and other functions get lazily
compiled, and therefore validated explicitly.
Since listing all such conditions is tricky, we just return early if we
detect that a function was already validated.
R=ahaas@chromium.org
Bug: v8:13659
Change-Id: Ie75b2638e86e263406edfbc41cc4f404b3b98e68
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4171623
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85343}
This does:
- Move gcmole runs to bots with matching arch.
- Update mb_configs to enable gcmole on the bots that run it.
- Add a GN target that extracts some compiler flags from a
ninja file of one of V8's other targets.
- Use the extracted flags in the gcmole script and remove other
hard-coded arch-specific flags.
This is done for DEFINES and includes for now. Other compiler flags
are still a TODO.
Bug: v8:9287
Change-Id: Icba9ce59e0bfffd138d9207b1c2ad64d42bf6a91
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055629
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85341}
KindField seems to be a 2 byte value (rather than 4).
Loading 32 bits would read an incorrect value on BE and fail
runtime assertions.
Behaviour does not change on little endian as only the low-order
4 bits are used.
Change-Id: I0933a00e6fb5259785f894a838933791d411edba
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4168418
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#85339}
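Added illustration of the load-width bug described in the commit above (example code, not V8's own; the field offset, the 4-bit kind decoding and the neighbouring-field bytes are constructed assumptions). It lays out a 2-byte field in both byte orders and decodes it with a 16-bit and a 32-bit load, so the little-endian "happens to work" case and the big-endian failure can both be seen on any host.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed offset of the 2-byte field inside an 8-byte object (constructed). */
enum { kFieldOffset = 4 };

/* Store a 16-bit value at `off` in the requested byte order. */
static void put_u16(uint8_t *obj, size_t off, uint16_t v, int big_endian) {
    if (big_endian) { obj[off] = (uint8_t)(v >> 8); obj[off + 1] = (uint8_t)v; }
    else            { obj[off] = (uint8_t)v;        obj[off + 1] = (uint8_t)(v >> 8); }
}

/* Correct load: 16 bits, interpreted in the object's byte order. */
static uint16_t load_u16(const uint8_t *obj, size_t off, int big_endian) {
    return big_endian ? (uint16_t)((obj[off] << 8) | obj[off + 1])
                      : (uint16_t)(obj[off] | (obj[off + 1] << 8));
}

/* Buggy load: 32 bits, as the pre-fix code did. The extra two bytes belong
 * to whatever field follows in the object. */
static uint32_t load_u32(const uint8_t *obj, size_t off, int big_endian) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v = big_endian ? (v << 8) | obj[off + i]
                       : v | ((uint32_t)obj[off + i] << (8 * i));
    return v;
}

/* Decode a "kind" that lives in the low-order 4 bits (assumed encoding). */
static unsigned kind_from(uint32_t raw) { return raw & 0xFu; }

/* Build an object whose 2-byte field holds `field`, with non-zero bytes in
 * the neighbouring field (constructed), and decode the kind via a 16-bit load. */
static unsigned kind_via_u16(uint16_t field, int big_endian) {
    uint8_t obj[8];
    memset(obj, 0xAB, sizeof obj);
    put_u16(obj, kFieldOffset, field, big_endian);
    return kind_from(load_u16(obj, kFieldOffset, big_endian));
}

/* Same object, decoded via the too-wide 32-bit load. On little-endian the low
 * 4 bits are still the field's own; on big-endian they come from the
 * neighbouring field and the kind is wrong. */
static unsigned kind_via_u32(uint16_t field, int big_endian) {
    uint8_t obj[8];
    memset(obj, 0xAB, sizeof obj);
    put_u16(obj, kFieldOffset, field, big_endian);
    return kind_from(load_u32(obj, kFieldOffset, big_endian));
}
```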
SeqStrings are now zero padded. This allows us to check equality in
chunks of 32, or 64 bytes. Makes StringEqual about 2x as fast for
strings larger than 4-8 bytes.
Bug: v8:13664
Change-Id: Ic5e21bbef97b401a6d28a76bcb164a88739a68a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4156058
Auto-Submit: Olivier Flückiger <olivf@chromium.org>
Commit-Queue: Olivier Flückiger <olivf@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85338}
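Added model of the zero-padded chunked comparison the commit above describes (example code, not V8's StringEqual; the string layout, the 8-byte chunk width and all names are assumptions). It shows why comparing in whole chunks is safe only because the tail of the character storage is zero-filled, and includes the failure mode when that invariant is broken.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { kChunk = 8 };  /* chunk width in bytes; the commit uses 32 or 64 */

/* Sequential one-byte string with capacity rounded up to kChunk; the bytes
 * past `length` are kept zero (assumed layout). */
typedef struct {
    size_t   length;
    uint8_t *chars;
} SeqOneByteString;

static size_t padded_capacity(size_t length) {
    return (length + kChunk - 1) / kChunk * kChunk;
}

/* calloc zero-fills the padding; that tail is what makes the overread safe. */
static SeqOneByteString make_string(const char *src) {
    SeqOneByteString s;
    s.length = strlen(src);
    size_t cap = padded_capacity(s.length);
    s.chars = calloc(cap ? cap : kChunk, 1);
    memcpy(s.chars, src, s.length);
    return s;
}

static void free_string(SeqOneByteString *s) { free(s->chars); s->chars = NULL; }

/* Compare whole chunks. Both tails are zero, so the last partial chunk is
 * equal exactly when the characters inside it are equal. */
static int seq_string_equal(const SeqOneByteString *a, const SeqOneByteString *b) {
    if (a->length != b->length) return 0;
    size_t cap = padded_capacity(a->length);
    for (size_t off = 0; off < cap; off += kChunk) {
        uint64_t wa, wb;  /* memcpy sidesteps alignment and aliasing rules */
        memcpy(&wa, a->chars + off, kChunk);
        memcpy(&wb, b->chars + off, kChunk);
        if (wa != wb) return 0;
    }
    return 1;
}

static int strings_equal(const char *x, const char *y) {
    SeqOneByteString a = make_string(x), b = make_string(y);
    int eq = seq_string_equal(&a, &b);
    free_string(&a); free_string(&b);
    return eq;
}

/* Caveat: if the padding invariant is violated (a stale byte left in the
 * tail), equal strings compare unequal. Constructed deliberately here. */
static int strings_equal_dirty_tail(const char *x, const char *y) {
    SeqOneByteString a = make_string(x), b = make_string(y);
    if (a.length < padded_capacity(a.length)) a.chars[a.length] = 0xFF;
    int eq = seq_string_equal(&a, &b);
    free_string(&a); free_string(&b);
    return eq;
}
```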
.. as part of the big Code/CodeDataContainer name shuffle. In the
next step, CodeDataContainer will be renamed to Code.
Bug: v8:13654
Change-Id: Ia80ac984d46dd6c2a108098055a5cd60e22a837c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4171628
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85337}
Add a map check for the RHS of instanceof checks (i.e. the class) when
loading its hasInstance method. We were previously confirming the value
of the RHS, to make sure that it's a constant, but not considering the
case that the map of that class could change (e.g. because of a
prototype change or field definition).
Bug: v8:7700
Change-Id: Ia2923b99dd0524670bebcc57e4c0c209f8835d04
Fixed: chromium:1407959
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4173568
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85336}
Matches were transmitted in a JSArray, although a FixedArray is
enough.
Change-Id: I71145c6b55d57a15e330a3865f00d038e613dde3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4171631
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85332}
The RegisterInput (NewTarget) was not correctly visited by the GC.
This:
- Creates a sentinel safepoint to indicate that the stack is not
fully created (we are in the stack guard call).
- Generalises RegisterInputs (we assumed only NewTarget before) and
save them in the graph.
- Pass the register input count via tagged_register_indexes in
this case.
Fixed: chromium:1407606
Bug: v8:7700
Change-Id: I8f599f8c1a992ee6fd886eec1e289454649dfec8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4171626
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85331}
Actual worklist segment capacity may vary depending on allocator
internals. Varying capacity can result in different push/pop order
even in single-threaded execution which is incompatible with
--predictable.
As a fix, rely on minimum capacity for --predictable.
Bug: v8:13614
Change-Id: Icbf093b31c32f4eb20476954572b3731f5c8ef88
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4171641
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85330}
Split tagged and double element loads (LoadTagged/DoubleElement) into
loads of the elements array, and a load from the Fixed[Double]Array.
This will allow us to potentially re-use elements array loads, as well
as use the more generic FixedArray load for other FixedArrays.
Bug: v8:7700
Change-Id: I382132585a709ab1351666fd820156148b35bc42
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4168414
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85328}
.. now that it unconditionally refers to CodeDataContainer. All
previous references to 'CodeT' (the type and as part of names) are
now updated to 'CodeDataContainer', including 'codet', 'CODET', etc.
Bug: v8:13654
Change-Id: I7abbba040091eddf3ef09028a891aed460363929
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4165619
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85325}
Use the static root pointers to generate better code for C++ builtins.
First, comparisons like `IsUndefined` should only consider the
compressed pointer. The change ensures that comparisons compile to:
```
; IsUndefined
cmp DWORD PTR [rbx+r14*1],0x22e1
```
Further, storing into a tagged field should be just one instruction as
well. To avoid complicating stores we opt for ensuring clang can
optimize `compress(decompress(cage_base, 0x42)) -> 0x42`. To that end
`DecompressTaggedPointer` has to be slightly rewritten, as
using the base as `Address` makes clang ignore the specified alignment
(see https://godbolt.org/z/f1ajneW1P).
With this optimization also stores are compiled to one instruction:
```
; map.set_prototype(roots.null()):
DWORD PTR [rax+0x13],0x22c5
```
Bug: v8:13466
Change-Id: I5355dc21cf7cb459f5dc3718f8facefc1d04e229
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4130075
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Olivier Flückiger <olivf@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85323}
In some cases, a declaration of a function may be covered by
variables with the same name and thus bound to one parameter. This
CL records variables which should not be bound to the parameter;
these are skipped when inserting shadowing variable binding initializers.
Bug: v8:13459
Change-Id: Id7d147392450b177d219bfd04245b47d9e58c20e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4130416
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85321}
Use the bottleneck for right-trimming of objects also for BigInts.
Change-Id: I82fcb38143f939fdd3d7763c9c60d2e9003196eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4165614
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85319}
V8 uses memcpy and memmove for implementing Heap::CopyRange and
Heap::MoveRange respectively, but only when concurrent marking is off.
When concurrent marking is on, atomic stores are used to avoid data
races.
Since iteration of promoted pages also iterates objects concurrently,
memcpy and memmove should be avoided while it is active as well.
A dedicated bailout for promoted page iteration is added rather than
checking when sweeping is active. Sweeping will likely be active
until the next GC, which means relying on it here would prevent us
from ever using memcpy and memmove.
Bug: chromium:1407041
Change-Id: Idde80b456df843f91ef7ef05c0694c5930711ae4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4165084
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85318}
After the latest fix (https://crrev.com/c/4118547), it could happen that
we stop execution even though the stored "max steps" counter did not
reach zero. This was previously not possible because we did always
subtract 1, and only terminated once we reached zero. Now we sometimes
subtract bigger numbers, and terminate if the counter is smaller than
the number we want to subtract.
This CL fixes this by first subtracting, and then checking if the
counter ran negative.
R=thibaudm@chromium.org
Bug: chromium:1405322
Change-Id: I19d7be263b000eb0a6319aaeb8838d11b8c5a3b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4165602
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85317}
kScratchRegister is not safe to use in arm64 code.
Bug: v8:7700
Change-Id: Ied242e103d4947cd17770a440ed1475729472d40
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4165610
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85313}
With https://crrev.com/c/4111524 the jump table of a newly created
NativeModule gets initialized with CompileLazy stubs. This CL optimizes
the initialization by hoisting function-index independent code out of
the iteration over all functions.
R=clemensb@chromium.org
Bug: chromium:1402732
Change-Id: I531335e2a5e36a939a63ec3d2f8822beea4f315b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4128098
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85312}
This is a reland of commit 48fee7d232.
We now use the "COMPONENT_BUILD" macro to disable preserve_all, which
covers more uses (like building libbase or libplatform, where we would
otherwise have to check for BUILDING_V8_BASE_SHARED or
BUILDING_V8_PLATFORM_SHARED).
Original change's description:
> Use preserve_most calling conventions for Zone::NewExpand
>
> The zone uses bump allocation in the fast-path, and falls back to
> allocating a new segment if there is not enough space.
> Since this is rarely executed and zone allocations happen a lot, we
> should mark `Zone::NewExpand` as "preserve_most" to make
> `Zone::Allocate` as fast and slim as possible.
>
> R=bikineev@chromium.org, leszeks@chromium.org
>
> Change-Id: I0d592a35440bc3d61ca04425fc2f98c8a8bbbaae
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4146436
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Anton Bikineev <bikineev@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#85258}
Change-Id: I1413d47d84f384a724850a6f5b60adf75bba84f8
Cq-Include-Trybots: luci.v8.try:v8_win64_dbg
Cq-Include-Trybots: luci.v8.try:v8_win_compile_rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4162931
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85310}
With --shared-space we weren't marking the main isolate's entry in
the EPT for the WaiterQueueNode.
Bug: v8:13267, chromium:1406729
Change-Id: I833b0a9f93d6b129529dcda71084c3bff5417bad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4162927
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85309}
The tests deal with recording OLD_TO_SHARED slots during page promotion
(in MinorMC) on a client heap, and retaining the corresponding shared
objects.
These tests cover issues fixed by crrev.com/c/4152485 and
crrev.com/c/4094755 (in the reland, compared to the previously submitted
version).
Bug: v8:12612
Change-Id: I7ba399d56ad75646092e6955f347a210c3dcac6e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4156473
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85308}
The callback can be used to enable / disable Wasm GC from Chrome or
other users. For more simplicity and as many users of Wasm GC also use
stringrefs, enabling it via the callback will also enable stringrefs.
Bug: v8:7748
Change-Id: I474034eabe438f0ce9759c1d34dda12a99aa491e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4165090
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85306}