In Liftoff, the result of table.grow was smi-untagged and sign-extended
to a ptr-sized value. However the result is typed as i32, so the upper
32 bits should be cleared on 64-bit platforms. In particular this is
observable when the value is used as an index for a memory operand,
which leads to the repro in the attached issue.
Match the TF behavior by untagging the value as a 32-bit int.
R=clemensb@chromium.org
CC=ahaas@chromium.org
Bug: chromium:1251465
Change-Id: Ia57fd8a69ecb2787b42bbf8217e448976aa1dbd9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3173680
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77044}

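
The width mismatch this commit fixes, as an added C illustration that is not V8's own code: the Smi layout and the helper names are assumptions chosen for the example. It contrasts untagging with a full-width arithmetic shift (sign-extending) against untagging as an i32 (zero-extending), and checks which result still satisfies the range a 32-bit index in a memory operand is assumed to have.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed Smi layout (hypothetical, chosen for this example): a 64-bit
 * tagged word holds a signed 31-bit integer shifted left by 32, tag bit 0
 * clear. The helpers below are illustrative, not V8's own. */
#define SMI_SHIFT 32

static int64_t smi_tag(int32_t v) {
    return (int64_t)((uint64_t)(int64_t)v << SMI_SHIFT);
}

/* Buggy untag: arithmetic right shift over the whole pointer-sized word, so
 * a negative i32 result (e.g. -1, which table.grow returns on failure) is
 * sign-extended into the upper 32 bits of the register. */
static uint64_t untag_sign_extended(int64_t tagged) {
    return (uint64_t)(tagged >> SMI_SHIFT);
}

/* Fixed untag: produce the i32 and zero-extend it, matching what a 32-bit
 * register write does on x64/arm64 and what the i32 result type requires. */
static uint64_t untag_as_i32(int64_t tagged) {
    uint32_t v = (uint32_t)(tagged >> SMI_SHIFT);  /* truncate to 32 bits */
    return (uint64_t)v;                            /* upper 32 bits are zero */
}

/* A wasm memory operand [base + index] relies on the index being
 * zero-extended: every i32 index then lands in [base, base + 2^32), the
 * range covered by the memory plus its guard region. Returns 1 when that
 * invariant holds for the given pointer-sized index. */
static int index_within_i32_range(uint64_t index) {
    return index <= (uint64_t)UINT32_MAX;
}

int main(void) {
    int64_t failed_grow = smi_tag(-1);  /* constructed sample: grow failed */
    uint64_t buggy = untag_sign_extended(failed_grow);
    uint64_t fixed = untag_as_i32(failed_grow);
    printf("sign-extended index: 0x%016llx in range: %d\n",
           (unsigned long long)buggy, index_within_i32_range(buggy));
    printf("zero-extended index: 0x%016llx in range: %d\n",
           (unsigned long long)fixed, index_within_i32_range(fixed));
    return 0;
}
```
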
Attempts to allocate memory pages inside the virtual memory cage are
currently allowed to fall back to allocating them outside of the cage if
necessary. When this is forbidden in the future, these cases will
turn into allocation failures. To estimate the frequency of such events,
we now record the outcome of allocation attempts for memory inside the
cage into UMA.
Bug: chromium:1218005
Change-Id: I788fdd968eea10c887eaba1585cd7951823246e0
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3178520
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77041}

Introduce IDENTIFIER_WITH_LINE() that can be similarly used in other
scope-based macros throughout the codebase.
Bug: v8:12244,v8:12245
Change-Id: If9d45b7065d7eb3df0297f35eb9be777b497ea95
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3181524
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77038}

Because these instructions can trap, we don't want them to be reordered
as freely as unprotected accesses.
As part of this, make explicit which opcodes support a MemoryAccessMode.
Bug: v8:12018
Change-Id: I9db3053d7d62ffce6d3c95d62adce71ae40dae62
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3172770
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77031}

The tests won't be very interesting, but we should still have basic
smoke tests.
Bug: v8:11111
Change-Id: I57eadfc090883bc9b84e5b2fb5984b5ed588a69b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3177223
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77029}

Bug: v8:12244
Change-Id: I5a85e109316b349545d2699a59200c167d261842
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3180244
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77026}

Change-Id: Iba7d3f528262b3979d3bfe83784c3cfe050cd6e6
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3180241
Auto-Submit: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77025}

Port: bba7c09aad
Original Commit Message:
.. by reusing the regexp stack from potentially multiple nested
irregexp activations.
To do this, we now maintain a stack pointer in RegExpStack. This stack
pointer is synchronized at all boundaries between generated irregexp
code and the outside world, i.e. when entering or returning from
irregexp code, and when calling into C functions such as GrowStack.
Fixed: v8:11382
Change-Id: I0f97363a069c65f4fbe081b2f9fa796f9d950f43
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3179030
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#77023}

Scalar lowering pass is removed, so if hardware does not support SIMD,
compilation should fail.
Bug: chromium:1202671,v8:11613
Change-Id: I4cafd244d066121dc716ea880529603d9013a05d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3179762
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77022}

- create a helper class to set up Disassembler for testing
- add a helper macro to only compare disassembled instruction (ignore
the hex bytes), this is useful for comparing SSE instructions, whose
opcodes are defined in sse-instr.h, and use uppercase letters, but the
disassembly always uses lowercase
- emit and compare SSE instructions using macro list
Bug: v8:12207
Change-Id: I3580f5d756736cada4f7260efc4d90e2c894f43c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3173906
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77021}

'#x in expr' currently parses incorrectly and associates #x as an
operand of an existing binary expression continuation if the previous
operator was of higher precedence. For example, 0 << #x in foo gets
incorrectly parsed as (0 << #x) in foo.
Bug: v8:12259, v8:12086
Change-Id: Ie37ff49ff6e63b3ea91fd0fba6bc73ec839c580b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3176506
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77020}

Similar optimization to the one for x64 at https://crrev.com/c/3154347.
There is a change to VisitLoad, which should call
GetEffectiveAddressMemoryOperand on the value node. This allows us to
match the input operands to the value (S128Load64Zero node), while
emitting instructions for the node (F64x2PromoteLowF32x4 node).
Bug: v8:12189
Change-Id: I30ca09b567c12a43f7f3bbb4811bae53006bedaf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3171979
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77019}

emitted comparison differs depending on the input type (signed
or unsigned).
This patch is needed to fix test failures after this CL:
https://crrev.com/c/3172765.
Change-Id: If709920d609c94dd3fa5abf14e509978bd7b40ff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3178970
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#77018}

The argument is no longer in use.
Bug: v8:11382
Change-Id: I7febc7fe7ef17ae462c700f0dba3ca1beade3021
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3173681
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77017}

The proposal has changed and we'll start on the new implementation
from scratch.
Bug: v8:11935, v8:7467
Change-Id: I29e39a414027d80fd91764ce02a05d7c032a41f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3178964
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77016}

.. by reusing the regexp stack from potentially multiple nested
irregexp activations.
To do this, we now maintain a stack pointer in RegExpStack. This stack
pointer is synchronized at all boundaries between generated irregexp
code and the outside world, i.e. when entering or returning from
irregexp code, and when calling into C functions such as GrowStack.
Fixed: v8:11382
Change-Id: I5ed27630c1a64ebf3afb9ddf80fb60ea067c0c40
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3162604
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77013}

The CL provides a way for the embedder to hook in a special malloc-like
allocator that will be used for zone allocations.
An alternative approach would be to use weak functions with branches,
checking whether the functions were available at link-time. Those
branches could be optimized away with LTOs, so they would essentially
be free. However, the weak function approach is not portable (e.g.
there is no easy way to emulate it with msvc). The approach can be
revisited if the indirect call turns out to be expensive (e.g. on hardware
with weak branch target predictors).
The CL is a prerequisite for running PCScan in the renderer process.
Bug: chromium:1249550
Change-Id: I221dcb2486c13e8e6e6761839ba391978319bde4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3172760
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77012}

Port aa259e30c3
Original Commit Message:
When kDontAdaptArgumentsSentinel is 0 (the receiver is included in the
argument count), we don't need a dedicated check against the sentinel
before comparing the formal parameter count to the actual argument count
when calling a JS function.
R=pthier@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N
Change-Id: I055ce6d72da8140aa81acd41f917e1e9a7751f72
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3175663
Reviewed-by: Junliang Yan <junyan@redhat.com>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#77011}

Generate arbitrary struct and array types based on
the fuzzer random input stream.
They replace the hard-coded types.
Generated types include nested reference types and recursive types.
Bug: v8:11954
Change-Id: I2e40697f2ace3eb818360213e8a4dd40037e580e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3173683
Commit-Queue: Maria Tîmbur <mtimbur@google.com>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77010}

i32 comparisons often compare against constants, in order to implement
conditional branches. This CL optimizes such code by not loading the
constant into a register first, but directly emitting the comparison.
The code is shared for implementing {if} and {br_if} (and thereby makes
those two methods more readable).
R=thibaudm@chromium.org
Change-Id: I3f2f071a1c9e4b02c7368a2757bf4aae2920bd69
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3172765
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77008}

This bailout applies only when young generation is disabled.
Otherwise, getting the caged heap is required and the global load
bailout becomes redundant.
Bug: chromium:1056170, chromium:1239030
Change-Id: I826b355f4356a5c20812d9c8bf6ebc7ea0997b8a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3173685
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77006}

This fast path check protects the IsRegExp() path (which checks
RegExp.prototype[Symbol.match]) and thus we must use the appropriate
ForMatch check instead of the default check.
Fixed: chromium:1238033
Change-Id: I0b7ce280f1fa9bfacf20381d80c84f9513f45163
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3177222
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77004}

Bug: chromium:1203071
Change-Id: Iab81add0c71c4a37b7aa8d9d6f1272781a6bae3d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3152217
Auto-Submit: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76999}

Long term, ideally, these would be fixed and this flag can be removed.
For now, this is an expedient way to allow enabling -Wshadow in
Chromium.
Bug: chromium:794619
Change-Id: I038e5fc758fbb8284bb28cb4f7f8a4c44da0db66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3173891
Commit-Queue: Peter Kasting <pkasting@chromium.org>
Auto-Submit: Peter Kasting <pkasting@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76996}