When using correctness fuzzing, this makes sure all non-object
arguments to typed array constructors are bound by 1MiB when
interpreted as numbers.
NOTRY=true
Bug: chromium:910962
Change-Id: I66e87ece27aae7c5fa88429c5d1f1f478de702ae
Reviewed-on: https://chromium-review.googlesource.com/c/1369959
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58144}
The class declaration regexp in cpplint did not catch classes decorated
by V8_EXPORT, V8_EXPORT_PRIVATE or any other decorator containing
digits.
This will be fixed in https://github.com/google/styleguide/pull/422.
This CL already prepares the code base by fixing all errors that will
be found after that change.
Some follow-up changes were needed to fix implicit conversion that are
not taken any more now.
R=mstarzinger@chromium.org
Bug: v8:8562
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I03713bd04dbc3f54b89a6c857a93463139aa5efd
Reviewed-on: https://chromium-review.googlesource.com/c/1367751
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58143}
This callback is not being used by now, so we can just change it
without the deprecation dance.
Instead of the WasmModuleObject, it now receives the new
CompiledWasmModule wrapper which contains a shared pointer to the
NativeModule. This is all that's needed for serialization.
Some classes are pulled out of WasmModuleObject to allow reuse.
R=adamk@chromium.org, mstarzinger@chromium.org
CC=bbudge@chromium.org
Bug: chromium:912031
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: Icedb64efa92e66bec45cf8742942a07ae22f59c8
Reviewed-on: https://chromium-review.googlesource.com/c/1363140
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58142}
This was deleted source side in https://crrev.com/c/1308912 with
seemingly no ill effects.
Bug: chromium:718157
Change-Id: Ic2516b391b76a8fb72df97f6f090af3c24f35766
Reviewed-on: https://chromium-review.googlesource.com/c/1371035
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58141}
We no longer implement part of the debugger in JS. Therefore we can
remove the infrastructure to support this in the bootstrapper.
Also includes some drive-by cleanups.
Bug: v8:5530
R=petermarshall@chromium.org
Change-Id: I06628a559c17f99c70029fcc94848b0c78f1d3e9
Reviewed-on: https://chromium-review.googlesource.com/c/1369945
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58140}
Fix and re-enable tests for WebAssembly's memory/constructor and
table/constructor js-api.
It introduces the '[EnforceRange] unsigned long' algorithm used
to validate initial and maximum properties.
The initial property is now required, by the switch to the Web IDL
specification. Most of the input validations errors are now considered
TypeError instead of RangeError.
The WasmTableObject and WasmMemoryObject APIs use more consistently uint32_t
to ensure integer range and remove the need for bounds checks.
Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Bug: v8:8319
Change-Id: Iedd3ee6484ef688a5e96f93006eb6ca66d805a48
Reviewed-on: https://chromium-review.googlesource.com/c/1354043
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58138}
This implementation currently only supports the optimized tier.
Bug: v8:7747
Change-Id: Ia1af29b11a5d3e8a48b122f6cf3240c9f5948bfb
Reviewed-on: https://chromium-review.googlesource.com/c/1364710
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58137}
because RelocInfo does not need host Code object for updating pointers to heap
objects embedded into code.
This CL also simplifies typed slot iteration callback signature.
Bug: v8:8518, v8:8262
Change-Id: I59fe9e3b4e9b69e3d87b5449c80bed14e311516f
Reviewed-on: https://chromium-review.googlesource.com/c/1370037
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58136}
Just pass a pointer to the current stack. This makes it easier to reuse
the {DoReturn} method for breaks to the outermost block.
R=titzer@chromium.org
Bug: v8:8423
Change-Id: Ide8533b154daa227e044820bb9c181f836ba654a
Reviewed-on: https://chromium-review.googlesource.com/c/1370028
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58132}
This loop is redundant in {GetNodes}.
R=titzer@chromium.org
Bug: v8:8423
Change-Id: Ia624fbe145ae2cd77ea099c3f109899ea6fac9c0
Reviewed-on: https://chromium-review.googlesource.com/c/1370031
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58131}
and a bit of drive-by cleanup.
Bug: v8:8518
Change-Id: I46873f0a5e56509d75f2d169dc7a4372cc94efbc
Reviewed-on: https://chromium-review.googlesource.com/c/1370027
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58130}
Instead of branching to the end merge of the outermost block, we should
return directly. This often generates shorter and faster code, since
the merge is omitted.
R=titzer@chromium.org
Bug: v8:6600, v8:8423
Change-Id: Id5e92b05d3fbbcdb69e4a8bf48629d6031d85291
Reviewed-on: https://chromium-review.googlesource.com/c/1358411
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58129}
Names of external references are statically known, so there is no need
to store them in the dynamically generated ExternalReferenceTable.
This saves 7.4kB per Isolate, plus ~46.4kB binary size.
R=mstarzinger@chromium.org
Bug: v8:8562
Change-Id: Ia494de38474e0a7308563ab6d1797ff488b0a072
Reviewed-on: https://chromium-review.googlesource.com/c/1369947
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58128}
When the --debug-code flag is turned on, we create code now which checks
if the thread-in-wasm flag has the expected value. If not, we abort
execution.
R=clemensh@chromium.org
Bug: v8:5277, v8:8554
Change-Id: I74c4e6a60b874b48f13ded9b5cee81f602e4c9fd
Reviewed-on: https://chromium-review.googlesource.com/c/1370025
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58127}
MIPS32 doesn't have instructions to properly handle 64-bit atomic
instructions.
Skipping those test on MIPS64 simulator because they have flaky
TIMEOUT on buildbots.
Change-Id: I31511dfce70a933b9326a7c270509c5f31af743a
Reviewed-on: https://chromium-review.googlesource.com/c/1367450
Reviewed-by: Stephan Herhut <herhut@chromium.org>
Commit-Queue: Predrag Rudic <prudic@wavecomp.com>
Cr-Commit-Position: refs/heads/master@{#58125}
which used to treat off-heap slots as on-heap ones and implement embedded objects
visitation in derived visitor classes.
Bug: v8:8518
Change-Id: Ia40d8135078379cca990e9167d3f1bebb3b5be0a
Reviewed-on: https://chromium-review.googlesource.com/c/1367747
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58123}
This is a reland of 9c2c8f15f8
Original change's description:
> [wasm] Support encoding s128 simd types in exceptions.
>
> This adds support for having simd type values (i.e. s128) stored in an
> exception. It is the natural combination of the simd propsal and the
> exception handling proposal.
>
> R=clemensh@chromium.org
> TEST=mjsunit/wasm/exceptions-simd
> BUG=v8:8390
>
> Change-Id: I01079f82a6ba4d9152de4dae63e3db1584ca7cd8
> Reviewed-on: https://chromium-review.googlesource.com/c/1363141
> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#58098}
Bug: v8:8390
Change-Id: I333c50cd766055f74b023df626d0fd90fdef3bac
Reviewed-on: https://chromium-review.googlesource.com/c/1370024
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58122}
which used to treat off-heap slots as on-heap ones and implement code target
visitation in derived visitor classes.
Bug: v8:8518
Change-Id: I477bf3a4a8a3de0c67bc15e2e20d8ecee6493da8
Reviewed-on: https://chromium-review.googlesource.com/c/1367745
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58121}
CompileJsToWasmWrappers only needs a WasmModule, so we should not pass
in a NativeModule.
R=clemensh@chromium.org
Bug: v8:8562
Change-Id: Ic38f1bee2eab3a06921c27f56fd175b51688ad5f
Reviewed-on: https://chromium-review.googlesource.com/c/1367748
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58120}
Right now, this is the limit implicitly imposed for spread/apply calls
as to actually do a spread/apply call through CallVarargs, you need to
pass a FixedArray with the args to be pushed.
Likewise, turbofan can only materialize an arguments object with a
backing store of length FixedArray::kMaxLength.
The practical limit that users will actually hit is the stack - this
change doesn't change that, it just documents what the actual limit is.
This would actually allow an embedder/custom fork to increase stack
size and still be able to make spread/apply calls with a large number
of args.
Change-Id: If5e66a61ed3f9df36031eb098646d48fc2ca2507
Reviewed-on: https://chromium-review.googlesource.com/c/1367451
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58119}
This patch changes the output from:
function fn() {
^
SyntaxError: Unexpected end of input
to:
function fn() {
^
SyntaxError: missing '}' after function body
Bug: v8:6513, v8:7321
Change-Id: I4ca8a40fa0be246da2a3ff776b3fb3c87b4ba4e0
Also-By: gsathya@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/c/1367448
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58116}
That should prevent leak of objects when page is reloaded.
BUG=chromium:906847
Change-Id: I90928a5c4979c0ddc01c201bf60a693e2b03863a
Reviewed-on: https://chromium-review.googlesource.com/c/1366449
Commit-Queue: Alexei Filippov <alph@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58110}
If we create a second foreground task, only the second one will be
registered with the AsyncCompileJob, so the first one will not be
cancelled, which can lead to use-after-free of the AsyncCompileJob.
In a debug build, a DCHECK will fail when creating the second
foreground task.
R=ahaas@chromium.org
Bug: chromium:907937, chromium:910920
Change-Id: Iefefc4a85e7b35b32051cfe8cd5cbbfc4e95b843
Reviewed-on: https://chromium-review.googlesource.com/c/1367684
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58108}
Updates the following bytecode handlers to handle cases when feedback
vector is not allocated:
StaDataPropertyLiteral
CreateRegExpLiteral
CreateArrayLiteral
EmptyArrayLiteral
CreateObjectLiteral
GetTemplateObject
ForInPrepare
ForInNext
Bug: v8:8394
Change-Id: I854cca8dd69539f7e8a17dd8eddb0f9f6d42f762
Reviewed-on: https://chromium-review.googlesource.com/c/1362992
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58107}
Moving Frame-inspection functionality to Torque is a prerequisite
for porting the CSA-based arguments code, which is a great candidate
to simplify/cleanup with Torque.
Change-Id: I1f4cb94cb357aae5864c2e84f3bf5a07549b27f8
Reviewed-on: https://chromium-review.googlesource.com/c/1357050
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58106}
in order to make it also work with optional registers.
Bug: v8:8562
Change-Id: Iaea905913cc9fd1637026b83e9356c740965e128
Reviewed-on: https://chromium-review.googlesource.com/c/1367807
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58105}
This reverts commit 9c2c8f15f8.
Reason for revert: New test crashes: https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux/28948
Original change's description:
> [wasm] Support encoding s128 simd types in exceptions.
>
> This adds support for having simd type values (i.e. s128) stored in an
> exception. It is the natural combination of the simd propsal and the
> exception handling proposal.
>
> R=clemensh@chromium.org
> TEST=mjsunit/wasm/exceptions-simd
> BUG=v8:8390
>
> Change-Id: I01079f82a6ba4d9152de4dae63e3db1584ca7cd8
> Reviewed-on: https://chromium-review.googlesource.com/c/1363141
> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#58098}
TBR=mstarzinger@chromium.org,gdeepti@chromium.org,clemensh@chromium.org
Change-Id: Iedcfba36af925249131a2b0e9aebd92321ae72f5
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8390
Reviewed-on: https://chromium-review.googlesource.com/c/1367808
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58102}
This is a reland of f849396c3a
Original change's description:
> [nojit] Remove code stubs
>
> All stubs have been migrated to builtins. This CL removes most related
> code.
>
> Bug: v8:7777, v8:5784
> Change-Id: I4470cfef34788e6c8e0fd5fd09e40e250d088dad
> Reviewed-on: https://chromium-review.googlesource.com/c/1365284
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#58093}
Tbr: mstarzinger@chromium.org,yangguo@chromium.org,jkummerow@chromium.org,bmeurer@chromium.org
Bug: v8:7777, v8:5784
Change-Id: I005ee2a820d49a75a90481d262a310e4ccfd1391
Reviewed-on: https://chromium-review.googlesource.com/c/1367746
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58101}
This makes the roll branch diffs smaller again.
TBR=hablich@chromium.org
NOTRY=true
Bug: v8:8546
Change-Id: Ic5223593dfe086c61119bd82bfd51075160aab85
Reviewed-on: https://chromium-review.googlesource.com/c/1367749
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58100}
We need to be able to serialize a NativeModule, which is not bound to
any Isolate. Hence we should not want to pass any Isolate to the
serializer. This CL removes the dependence by not using the
ExternalReferenceTable from the Isolate, but instead using its own
ExternalReferenceList for serialization and deserialization. This
ExternalReferenceList only contains isolate-independent external
references.
R=mstarzinger@chromium.org
Bug: chromium:912043, chromium:912031
Change-Id: Iea5abd95dce9c54e618255cc577b6b43f002ac5d
Reviewed-on: https://chromium-review.googlesource.com/c/1363135
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58099}
This adds support for having simd type values (i.e. s128) stored in an
exception. It is the natural combination of the simd propsal and the
exception handling proposal.
R=clemensh@chromium.org
TEST=mjsunit/wasm/exceptions-simd
BUG=v8:8390
Change-Id: I01079f82a6ba4d9152de4dae63e3db1584ca7cd8
Reviewed-on: https://chromium-review.googlesource.com/c/1363141
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58098}
https://crrev.com/c/1343709 fixed GetIncumbentContext to work
with ASan, however, GetIncumbentContext didn't work well with
MSan because MSan uses a simulator which supports yet another
separate stack frame.
This patch fixes GetIncumbentContext so that it works well
with not only ASan but also MSan simply following the same way
as v8::TryCatch does.
i::GetCurrentStackPosition() solves the issue of ASan and
SafeStack (native but separate stack frame), and
i::SimulatorStack solves the issue of MSan (simulator stack
frame).
Bug: chromium:888867, chromium:866610
Change-Id: Id803cbfd17fb1b1d9b8ee34c4802768f3a2f8e79
Reviewed-on: https://chromium-review.googlesource.com/c/1356691
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58096}
