TSAN may cause the sandbox to fail to obtain enough virtual address
space during initialization, thereby causing it to fall back to a
smaller backing reservation. This may then in turn cause future
WebAssembly.Memory allocations to fail.
Bug: v8:12980
Change-Id: I812ee02c5421153f1ea3b6bc371c72bc1da406a8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757897
Commit-Queue: Samuel Groß <saelo@chromium.org>
Auto-Submit: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81686}
This adds a new type 'none' as part of the WASM GC MVP.
The type can only be used in combination with a nullable reference, e.g.
'ref.null none'.
A 'nullref' is implicitly convertible to any nullable reference type.
Bug: v8:7748
Change-Id: Ic5ab6cc27094b3c9103ce3584452daa34633612f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3755136
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81670}
If we detect out-of-order sections, we should not enter the individual
decoding functions, because they might make assumptions that are not
true in the error case.
In this case, a DCHECK was firing if we call {DecodeFunctionSection}
twice.
R=ahaas@chromium.org
Bug: chromium:1342274
Change-Id: I3d9d8c8c604aeeb92b9766f07d4b5464f4c8d72c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3755112
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81662}
With the flag --always-use-forwarding-table we could end up turning a
String into a ThinString that had a forwarding index set.
This could happen when a String with a forwarding index is externalized.
Bug: chromium:1337469
Change-Id: Iea05586f61e2b78d83d04d5d2e94c4dca2892c1f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3735164
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81660}
Previously SnapshotCreator demanded a blob to be created before
it can be destructed in debug build, this patch removes the
DCHECK so that the embedder can choose not to create the blob
when e.g. the snapshot building isn't successful due to errors.
Change-Id: I72939be1e0d79b257b9761f48a72e45325a1f6d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716682
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#81644}
Suspender.{returnPromiseOnSuspend,suspendOnReturnedPromise}
are not tied to a specific suspender anymore, so move them to
WebAssembly.{returnPRomiseOnSuspend,suspendOnReturnedPromise}.
With this change, the suspender property is not needed anymore on the
function data. Convert it to a boolean flag that just indicates whether
a function uses the JS Promise Integration API.
R=ahaas@chromium.org
Bug: v8:12191
Change-Id: I1b6d8e3190ebf5049dbc7eedee448999cf077509
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3748660
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81639}
This CL is the first step towards the 'static API':
https://github.com/WebAssembly/js-promise-integration/pull/1/files
The limitation of the previous API is that the stack-switching wrappers
are tied to a particular suspender. Since a suspender cannot be
re-entered until the corresponding computation has completed, this
prevents creating multiple concurrent instances of the same export.
Multiple APIs have been proposed and are still under discussion to
solve that, but the core idea is the same: the suspender should become a
runtime argument of the export and the import. This CL implements that.
For now, the suspender is still explicit everywhere: it is created in JS
and passed to the export, and forwarded to the JS import. Eventually,
the suspender may be completely hidden from JS: it would be materialized
by the export wrapper, and "swallowed" by the import wrapper, as
proposed in the PR above.
R=ahaas@chromium.org
Bug: v8:12191
Change-Id: Ic425a3fd920c7ad03874c636cd835d31c0e04994
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3748655
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81633}
Duplicate subsections in the name section are disallowed by the spec.
Since the whole name section is optional, we shouldn't fail validation
because of it, but we'll ignore duplicate subsections.
Drive-by cleanup: reduce code duplication by reusing DecodeNameMap from
DecodeIndirectNameMap.
Fixed: chromium:1342338
Change-Id: Icae14c27a0255c6107517354f07ec8eb78d2a7b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3751211
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81608}
The stack-switching variant of the wasm-to-js wrapper was only generated
for js functions with matching arity. Also suspend for js functions with
mismatching arity and unknown callables.
R=ahaas@chromium.org
Bug: v8:12191
Change-Id: Iab3e2d85210c86a814ae1defab9cd57bf74d80d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3749578
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81605}
Limit the allowed module size in the streaming decoder to 256kiB to
avoid OOMs on systems that are very memory constained (32-bit ASan
builds).
Drive-by: Skip linting wasm fuzzer input files, as those are binary
files.
R=ahaas@chromium.org
Bug: chromium:1334577, chromium:1337558
Change-Id: Ie5599088fd25c0bc7c8f9f1a953d31fe61a21844
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3700073
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81602}
The test mjsunit/wasm/shared-memory-worker-gc is too slow on the gcov
bot.
No-Try: true
Bug: v8:13005
Change-Id: Idac2a6df836c981195d61f9c2737c06d548edb28
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3751204
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81587}
This field points to the start of an ArrayBuffer backing store, which
is guaranteed to be located inside the sandbox if it is enabled. As
such, this simply turns the field into a sandboxed pointer field.
Bug: chromium:1342548
Change-Id: I5a76e23cfc83b2a04cd461def1cd04337ccf5cf7
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3749190
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81579}
Page allocation in a partially-reserved sandbox is generally best-effort
once the reserved part is fully allocated, which happens in this test.
As such, there is no guarantee that this test succeeds, and it does seem
to fail in practice on some bots with memory sanitizers enabled. The
same logic is essentially tested by the
VirtualAddressSpaceTest.TestEmulatedSubspace test so simply deleting
this test should be fine.
Bug: v8:13040
Change-Id: I1469bd9d2e330a6e834bb565ce4e7f5985be28a9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3749180
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81578}
When the failed access callback is configured but it doesn't throw,
we should return instead of expecting an exception, otherwise
it would crash because there isn't one.
This patch also adds --throw-on-failed-access-check and
--noop-on-failed-access-check in d8 to mimic the behavior
of the failed access check callback in chromium.
Bug: chromium:1339722
Change-Id: Ie1db9d2fb364c6f8259eb9b8d81a21071c280a80
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3737305
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81557}
