Instead, bail out of inline literal creation if a deprecated map is
found. This makes it easier to compile on the background thread.
Bug: v8:7790
Change-Id: I87941938d4f13dcf49230cf246c33bf2f49897f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2745134
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73988}
- represent smis as fake heap numbers
- numbers nodes (both smi and heap numbers) reference a child node whose
name is "value" and whose entry is the string representation of that
number
That feature is disabled by default, and can be enabled by passing
captureNumericValue: true when calling HeapProfiler.takeHeapSnapshot
This patch slightly refactors some functions that operate on "essential
objects". We now check that the object is essential before trying to
create the entry. Otherwise, we would end up with smi objects created,
but not referenced anywhere.
Design doc:
https://docs.google.com/document/d/1Qh1zxyn0SS5wzJzitD6ecBJTdFbQkJogSMwxDRsn44o/edit
Change-Id: Ibbe6e79a54c4f9eace72bc0a0ccb622a97698e00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2806747
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Arnaud Renevier <arenevier@fb.com>
Cr-Commit-Position: refs/heads/master@{#73985}
Port 06a2c2e0c0
Original Commit Message:
We currently allow OSR (On-Stack Replacement) of arbitrarily deep return
addresses. This is in direct violation of Intel CET's shadow stack,
which we plan to enable eventually.
This change works around this by postponing OSR until after we return to
the old code. The main changes are:
- Reserve a slot in Liftoff frames to store the OSR target,
- Skip the return address modification, and instead store the new code
pointer in the dedicated slot,
- Upon returning to the old code, check the slot and do an indirect jump
to the new code if needed.
CET also prevents indirect jumps to arbitrary locations, so the last
point is also a CET violation. Valid indirect jump targets must be
marked with the ENDBRANCH instruction, which I will do in a follow-up
CL.
R=thibaudm@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N
Change-Id: Id972de1ba7556474cb00b377ea3a38eb4332eae3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2828870
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73984}
The typing of br_table was relaxed in
https://github.com/WebAssembly/spec/pull/1305. Before, we had to compute
the greatest lower bound of all branch types and make sure that stack
values are subtypes of that type. Now, we have to check that the stack
values are subtypes of each individual branch. This makes a difference
only in polymorphic stacks, but greatly simplifies the code, especially
with the upcoming introduction of a much more complex type system in
wasm-gc.
Change-Id: I6e3b410cfe0e71a97623b3030b3575ef707c4900
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2827897
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73982}
This is a reland of 6ec52d9026. The failing
tests have been adapted at the blink side.
Original change's description:
> [wasm] Enable wasm threads by default in V8
>
> Finer grained control of platforms that support threads are
> enforced by chromium.
>
> Bug: chromium:1167733
> Change-Id: Ic34a4950aebf6ba394053b79df97b703af333636
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2810190
> Reviewed-by: Lutz Vahl <vahl@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73919}
Bug: chromium:1167733
Cq-Include-Trybots: luci.v8.try:v8_linux_blink_rel
Change-Id: I56a00a24f17fef8a8050ee6f4b28fc13c7d3fb30
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2826540
Reviewed-by: Lutz Vahl <vahl@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73981}
This test relies on non-concurrent optimizations to precisely test
transitions between the different tiers.
Disable flags that invalidate this test:
--no-always-opt to test transiation from Ignition to Sparkplug
--deopt-every-n-times=0 to test transition from Sparkplug to TF
Bug: v8:11656
Change-Id: I85047015d3f7cfdf00bddad59c9742d5d8f5d223
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2827902
Auto-Submit: Patrick Thier <pthier@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73978}
We currently allow OSR (On-Stack Replacement) of arbitrarily deep return
addresses. This is in direct violation of Intel CET's shadow stack,
which we plan to enable eventually.
This change works around this by postponing OSR until after we return to
the old code. The main changes are:
- Reserve a slot in Liftoff frames to store the OSR target,
- Skip the return address modification, and instead store the new code
pointer in the dedicated slot,
- Upon returning to the old code, check the slot and do an indirect jump
to the new code if needed.
CET also prevents indirect jumps to arbitrary locations, so the last
point is also a CET violation. Valid indirect jump targets must be
marked with the ENDBRANCH instruction, which I will do in a follow-up
CL.
Bug: v8:11654
Change-Id: I6925005211aa95d60803b9409e3c07c7c226b25c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2826127
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73977}
An exploitation technique that abuses `pop` and `shift` to create a JS
array with a negative length was publicly disclosed some time ago.
Add extra checks to break the technique.
Bug: chromium:1198696
Change-Id: Ie008e9ae60bbdc3b25ca3a986d3cdc5e3cc00431
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2823707
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sergei Glazunov <glazunov@google.com>
Cr-Commit-Position: refs/heads/master@{#73973}
Changes:
- Implement function subtyping in wasm-subtyping.cc.
- Add Signature::Build(), which takes initializer lists for the return
and parameter types.
- Only throw kTrapFuncSigMismatch in call_indirect, change that trap's
message.
- Add a missing "return 0" in function-body-decoder-impl.h
- Fix a faulty check in wasm-objects.cc.
- Improve some comments.
- Write tests. Improve readability of subtyping-unittest.
Bug: v8:7748
Change-Id: I1caba09d5bd01cfd4d6125f300cd9c16af7aba99
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2822633
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73972}
- FLAG_turbo_inline_js_wasm_calls data race
- Map::instance_descriptors non-atomic concurrent loads
- Skip one more cctest incompatible with stress_concurrent_inlining
Bug: v8:7790,v8:11648,v8:11651
Change-Id: Ie4833373a1da34497f4cfe129254071d8a5772dd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2827891
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73970}
building the unittests target for example fails when cppgc_is_standalone
is set to true due to conflicting implementations of trace-event.h. It
is not clear from the output for these failures that V8 targets cannot
be built with cppgc_is_standalone.
We could disable all non-cppgc targets that depend on cppgc when
cppgc_is_standalone is set, but that would be fragile and dirty.
Since all V8 targets need to include cppgc-js headers, adding a static
assert in cpp-heap.h would cover all V8 targets. The static assert
doesn't hide the current output, butadds a clear and expllicit message
stating that it cannot be done.
Bug: chromium:1056170
Change-Id: I8bd1b1a5ada18d9688e6b78de4693386539d78bf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2826535
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73968}
.. to increase coverage of concurrent inlining, at least in this stress
mode. The common pattern in mjsunit tests is to call
`%OptimizeFunctionOnNextCall(f)` for interesting function `f`. This
explicitly triggers non-concurrent compilation, significantly decreasing
relevant coverage of concurrent inlining.
This CL recovers coverage by spawning an additional concurrent compile
job when 1. --stress-concurrent-inlining is enabled, and 2. the
requested compile mode is non-concurrent. The result of these
additional jobs is discarded.
Drive-by: Fix two simple uncovered issues.
Bug: v8:7790,v8:11513,v8:11648
Change-Id: If1e8ca5ba737e3cecdec9e15e4a86b28fe9fb2de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2824440
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73967}
Rolling v8/build: b30d9d1..e966858
Rolling v8/third_party/aemu-linux-x64: 81MEiC7zu9wgtKKP_jHorqj5uRmgBSx04zU75G1PX8YC..V4pHBauOtd8S1jDOxP65uQ5t1vxtzWpESymTE3h7ZMMC
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/6cb38d7..3898886
Rolling v8/third_party/depot_tools: f9d141a..b1cc5ed
Rolling v8/tools/clang: 633b99a..eefe475
Rolling v8/tools/luci-go: git_revision:de0691397dd4daa4ae63d308fe911bb6ee8630d6..git_revision:4b61ac9cadfb8d19a09262c6e6f5342d9324acd0
Rolling v8/tools/luci-go: git_revision:de0691397dd4daa4ae63d308fe911bb6ee8630d6..git_revision:4b61ac9cadfb8d19a09262c6e6f5342d9324acd0
Rolling v8/tools/luci-go: git_revision:de0691397dd4daa4ae63d308fe911bb6ee8630d6..git_revision:4b61ac9cadfb8d19a09262c6e6f5342d9324acd0
TBR=v8-waterfall-sheriff@grotations.appspotmail.com
Change-Id: I193cd09e604cf60f4a3243c7512de1d27a745149
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2826915
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#73966}
This is a partial port of :
2c38a47752
Some of the opcodes were added back in later CLs.
Change-Id: Iba33b0930f5b7ec95cdbe6febaa38766a9a6344f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2826238
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73964}
Migrating unittests from Blink that were not already covered by cppgc.
Bug: chromium:1056170
Change-Id: If31591c3f1e99562028087c2b818f5ceb8122ec9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821542
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73960}
The flag is useful for disabling tests that are not supported in
the third_party_heap build configuration.
Example usage in the status files:
['third_party_heap', {
'testname': [SKIP],
}], # third_party_heap
Bug: v8:11155
Change-Id: I991532bf7cdf89d8c505e4d6cbd7cf9e4d70dd63
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821960
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73957}
After https://crrev.com/c/2807609 a test has started
failing as parameter_slots was more than 16 bits, hence
we need to load it instead of using it as an immediate value.
Change-Id: I738472634b3e30cbf277959965e72b028f9fb969
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2826231
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73956}
Instead of assigning serial numbers when the template infos are
created, this patch creates serial numbers only when they are added to
cache.
This way only the ones that are first instantiated are allocated the
fast template cache. Previously, various accessors and methods that
would almost never get instantiated got assigned to the fast template
cache.
Bug: v8:11284
Change-Id: I8f7578aa0dae48267bbc6303515114eb6e24c1c4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2621081
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#73655}
TBR: ulan@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2825592
Cr-Commit-Position: refs/heads/master@{#73951}
.. of the backing store, instead of continuing and silently attempting
to deref nullptr.
Bug: chromium:1198657
Change-Id: I82e51abc4d2f9dfe0de596b082a6f78089af7df8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2824438
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73949}
Similarly to Windows, on macOS we should touch the memory in a page
when allocating stack space that crosses page boundaries.
Change-Id: I8968805c4abe255123a41d0f63f89d4af509b6c8
Bug: v8:11615
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2825588
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73948}
By using RWX memory to write we've likely managed to avoid the largest
part of the cost on Intel CPUs.
Bug: v8:11420
Change-Id: Ibf571abc136fc97b3e6429fe42ebf4cfc423b458
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2824443
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73947}
Rolling v8/build: 79006be..b30d9d1
Rolling v8/third_party/aemu-linux-x64: dXMWT4elldlEXvj4YHtc9u0W4YEfTP-KZbIKpA75-7MC..81MEiC7zu9wgtKKP_jHorqj5uRmgBSx04zU75G1PX8YC
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/8680ff0..6cb38d7
Rolling v8/third_party/depot_tools: 057831e..f9d141a
Rolling v8/tools/clang: 7168936..633b99a
Rolling v8/tools/luci-go: git_revision:cbabdf2ff62e64e99bfdf57ab5625d3da3eb5db9..git_revision:de0691397dd4daa4ae63d308fe911bb6ee8630d6
Rolling v8/tools/luci-go: git_revision:cbabdf2ff62e64e99bfdf57ab5625d3da3eb5db9..git_revision:de0691397dd4daa4ae63d308fe911bb6ee8630d6
Rolling v8/tools/luci-go: git_revision:cbabdf2ff62e64e99bfdf57ab5625d3da3eb5db9..git_revision:de0691397dd4daa4ae63d308fe911bb6ee8630d6
TBR=v8-waterfall-sheriff@grotations.appspotmail.com
Change-Id: Iffe657ca45beccf7379237650b0cd8574b55b836
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2824104
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#73946}
https://crrev.com/c/2817958 is going to support artificial
calls of NoAllocDirectCall for a testing purpose, and this
new API will be used there.
Change-Id: If47ba080eede96e91ba60b89ff502dd3d3e34b93
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2822188
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73945}
We add one more member function template to AvxHelper to allow one new
way of calling:
- Andps(x, y, z) -> vandps(x, y, z), andps(x, z) && x == y
Clean up a bunch of places where we need to pass an int literal as a
byte.
Unfortunately we cannot define Movq using AVX_OP. Because of the way
movq is defined in the assembler, using function templates, there are
versions of movq with 1 argument defined. That is not a valid
instruction (but is valid for `dec`). We end up selecting
vmovq(XMMRegister, Register) and movq(XMMRegister), which is not valid.
Bug: v8:11589
Change-Id: I45e3bc213d93ece7f65da8eb1e3fa185aec4c573
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2815560
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73944}
We optimized swizzle with constant mask, but failed to actually swizzle
using the masks...
Bug: v8:10992
Change-Id: If655fdad1e17e92b62e8a2eaabbf1f8d82e4d5e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2822951
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73943}
This is similar in spirit to https://crrev.com/c/2808621, which is to
ensure that no matter what combination of --[no-]enable-{extension} flag
is passed, we end up with a set of supported extensions that make sense.
The 2 rules are:
- If a newer extension is supported (SSE4_2), older extensions are
supported (SSE4_1, SSSE3, SSE3),
- If an older extension is not supported (SSE4_1), new extensions are
not supported (SSE4_2, AVX)
Tests have been added to both ia32 and x64 to check that we follow these
above 2 rules.
We change the ProbeImpl to have a reconciliation step to ensure that we
stick to the 2 rules.
E.g. if --enable-avx --no-enable-sse4-2, we will first set AVX to
supported, then in the second step, fix-up AVX to unsupported. In this
sense, the --no version of the flags take priority. This more accurately
follows the intention of the flags.
Bug: chromium:1195579
Change-Id: I0390f24de9d203fe6bbd4cc02a23771a1f052618
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2818570
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73942}
Added a comparison to throw a TypeError when the "enumerable"
field of the new descriptor doesn't match the one of the old descriptor.
Bug: v8:10782
Change-Id: I2f1acf215e597b85be5d29e22c006cbd79afcb47
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2818067
Commit-Queue: Luis Fernando Pardo Sixtos <lpardosixtos@microsoft.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73941}
