Add an implementation of BranchIfInt32Compare, which is emitted whenever
a compare op is immediately followed by a branch.
Bug: v8:7700
Change-Id: I2c56d9de199bac8de33b33201f8614aee8e9894e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647693
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80694}
SimulatorBase::ConvertArg should be a protect member so that
CallArgument::CallArgument can access it.
Change-Id: I60b23b45c2247cd28e73808df7b77e604d154932
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3659057
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Yu Liu <liuyu@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#80693}
Deopt InputLocation next_use fields are not initialised, so if a deopt
is the last use of a node we won't release it. Fix this by initialising
the input location array. Also add a DCHECK to verify that register
assignments match what registers a node thinks it's in.
Bug: v8:7700
Change-Id: I4003a027489cf8eeef7c4e60fa64f72cebd2c4e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657438
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80690}
Mostly in comments, again, not much to be said...
Bug: v8:12425
Change-Id: If0890132606b5ae8d5e173907bfdc063b9811ac6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657428
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80689}
TSAN intercepts atomic accesses and uses locking. Since YIELD_PROCESSOR
is used in spinlock loops in conjunction with atomic accesses, such
spinlock loops can exhibit starvation in TSAN. To work around the
problem, have YIELD_PROCESSOR sleep the process for 1ms.
Change-Id: I042368cfc6b55abdba5c897a8f23cc633a70ba13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3651514
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80679}
Bug: v8:12868
Also adds wtf8.cc, wtf8.h to src/wasm, to implement WTF-8 validation and
possibly other utilities. Also fixes a bug when parsing the string
literals section; I had misunderstood the way the unordered/ordered
sections mechanism worked.
Change-Id: I3c4205e0872379a69575f84ba33e0090a9d8d656
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652789
Commit-Queue: Andy Wingo <wingo@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80674}
Before: when cet is disabled v8_shell is marked with the
cetcompat bit, which breaks the chromium build on cet
machines.
With this CL: v8_shell is not marked as cetcompat unless
v8_enable_cet_shadow_stacks is true.
Bug: chromium:1289318
Change-Id: If8a79ac5288a9a3385bf6b692db566508cca248f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3656146
Commit-Queue: Alex Gough <ajgo@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80673}
Add Int32/Float64 nodes for:
* Subtract
* Multiply
* Divide
and additionally Int32 nodes for
* BitwiseOr/And/Xor
* ShiftLeft/Right/RightLogical
The latter ones don't have Float64 equivalents since they're implicitly
Int32 operations. In the future we'll add support for Number feedback by
adding Float64-to-Int32 conversions and using the Int32 nodes.
The divide node does an Int32 division and deopts if there's a remainder
to the division -- we may want to make it output a Float64 instead if we
think that's more likely in real-world code. There's also no peephole
optimisations for constant operations, which would generate much better
code, especially for shifts.
Bug: v8:7700
Change-Id: Ief1d24b46557cf4d2b7929ed50956df7b0d25992
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652301
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80670}
Original CL got reverted, this time the failing test should be fixed.
Bug: v8:12578
Change-Id: Id2d8801f07742e8b00884fefec8200e4270f4250
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657434
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80668}
Unfortunately heap setup happens before setting up flags in practice.
This means that flags such as `--single-threaded-gc` were not respected
properly for Oilpan. Delay the setup until the GC is actually triggered.
Bug: chromium:1326723
Change-Id: Icabe7ecf27e879bd44bba5e09ca176beb012c58a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657430
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80667}
Enforce the parent context has a smaller id, this time more forcefully.
Bug: v8:11525,v8:12820
Change-Id: I05bf675545b81b818eebfcaa40ee6bb93f5bcf9e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652792
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80666}
These bots should run sandbox tests in the future, for which the memory
corruption API will be required.
Bug: v8:12878
Change-Id: Ib64bfb0ae080016db6d1629f375d2a71a20d70b4
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657427
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Auto-Submit: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80665}
This is a reland of commit e8cac3776e
The proxy resolver issue is fixed in a separate CL.
Original change's description:
> [rwx][mac] Enable fast W^X on Apple Silicon (M1)
>
> Bug: v8:12797
> Change-Id: I53bb803dd77db5bdd42b1a1b4b568e63857adf31
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3598861
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80396}
Bug: v8:12797
Change-Id: Icd897d3f3ff1f1bcfdb9e874e13f6a654c985fc8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3650925
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80662}
When enabled, this API exposes a new global 'Sandbox' object which
contains a number of functions and objects that in effect emulate
typical memory corruption primitives constructed by exploits. In
particular, the 'MemoryView' constructor can construct ArrayBuffers
instances that can corrupt arbitrary memory inside the sandbox. Further,
the getAddressOf(obj) and getSizeInBytesOf(obj) functions can be used
respectively to obtain the address (relative to the base of the sandbox)
and size of any HeapObject that can be accessed from JavaScript.
This API is useful for testing the sandbox, for example to
facilitate developing PoC sandbox escapes or writing regression tests.
In the future, it may also be used by custom V8 sandbox fuzzers.
Bug: v8:12878
Change-Id: I4e420b2ff28bd834b0693f1546942e51c71bfdda
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3650718
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80659}
LLd and Scd should be used for StoreType::kI64Store* types.
Change-Id: Ic645c9149c7ade95e0a36acadb48d246ee817469
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3655179
Auto-Submit: Yu Liu <liuyu@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#80657}
Adding the shared heap write barrier caused regressions on some
benchmarks. Presumably this is because the compiler can't merge the
fast paths of the generational and shared heap write barrier.
This CL therefore introduces a CombinedHeapBarrier that manually
unifies the fast path for the marking, generational and shared heap
write barrier. This should make the barrier easier to optimize for
the compiler. In particular it should help to ensure that page flags
don't need to be loaded multiple times in a single full write barrier.
Bug: chromium:1326446, v8:11708
Change-Id: Iacd487f1263491cf4c05f25e004233a52b7c45a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644964
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80656}
Bug: v8:12868
A slight modification to the existing DFA-based UTF-8 allocator to allow
decoding surrogates, for use in decoding WTF-8. We'll need to
additionally constrain the decoder to disallow surrogate pairs.
Change-Id: Ifddbf08d4eeeff8f270df52a68f01769ea790eec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652787
Commit-Queue: Andy Wingo <wingo@igalia.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80654}
With crrev.com/c/3641564, Chromium now uses PartitionAlloc for
ArrayBuffer allocations even if one of the sanizier tools (e.g. ASan) is
enabled. As such, sanitizer builds are now compatible with the sandbox.
Bug: chromium:1218005
Change-Id: I100bf3ef442c556652fb00dd6c09d06b167e6577
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652785
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80653}
All user of osr_code_cache_state had been removed.
Change-Id: I08a4783e47c900617b53ba789d267fb9a0bd1e92
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652276
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Tao Pan <tao.pan@intel.com>
Cr-Commit-Position: refs/heads/main@{#80651}
Rolling v8/build: 62419bc..399520d
Rolling v8/buildtools: 7208edd..a5fa465
Rolling v8/buildtools/third_party/libc++abi/trunk: 75a3853..3e4d383
Rolling v8/buildtools/third_party/libunwind/trunk: 837a94e..c9b2288
Rolling v8/third_party/depot_tools: ab4d2e3..bd80a1b
Rolling v8/third_party/fuchsia-sdk/sdk: version:8.20220518.3.1..version:8.20220519.0.1
Rolling v8/tools/clang: 6e492e7..bec960d
Rolling v8/tools/luci-go: git_revision:d3db74920e35147955be43f62b5f4ed0cf84c614..git_revision:0ef9351a5b73943d547fb27d463d5f4a1572727f
Rolling v8/tools/luci-go: git_revision:d3db74920e35147955be43f62b5f4ed0cf84c614..git_revision:0ef9351a5b73943d547fb27d463d5f4a1572727f
R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com
Change-Id: I0eb24c3dcae59d3d9f7a1049fd42c984f8d0440c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3654637
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#80650}
Avoid a run-time dispatch for tables that don't contain subtypes of
funcref.
Change-Id: I27a55c378b0a4fcd98e77f8ff45ae9972c9d095a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644961
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andy Wingo <wingo@igalia.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80648}
... when com.apple.security.cs.allow-jit entitlement is not enabled.
Bug: v8:12797, chromium:1324829
Change-Id: I660008e1f8abbac3436dd78ea90937971599b5d0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644960
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80646}
This is a reland of commit a76072217a
The bug exposed by landing this change the first time has been fixed
separately in https://crrev.com/c/3654413 .
Original change's description:
> Disable recompilation of existing Scripts from Isolate compilation cache
>
> My previous change https://crrev.com/c/3597106 led to some performance
> regressions in time spent on parsing and compilation. This change
> disables the ability to recompile an existing uncompiled Script, as an
> attempt to both fix the regressions and isolate which part of the
> previous change was the cause of those problems.
>
> Bug: v8:12808, chromium:1325566, chromium:1325567, chromium:1325601
> Change-Id: Ifa086bf27070da8f4b3c0e4415af5ca7b6706b0a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652252
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Cr-Commit-Position: refs/heads/main@{#80616}
Bug: v8:12808, chromium:1325566, chromium:1325567, chromium:1325601
Change-Id: Ib31864bef90ff3340d1dfd4e25e21bef121f2d49
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3655011
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#80645}