Control Flow Integrity [1] indirect call checking is a compiler-
instrumentation that verifies that function pointers are only used to
call functions whose type signatures matches the type of the function
pointer. The once implementation casts function pointers to different
types--refactor it to pass around a std::function that calls the
provided function pointer with its original type instead.
[1] https://www.chromium.org/developers/testing/control-flow-integrity
Bug=chromium:776905,v8:7164
Change-Id: I26b63973fdcebbc11b1cd7b023a6a6d0724c360c
Reviewed-on: https://chromium-review.googlesource.com/806262
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49906}
This saves us 14.2kB binary size in libv8.so (in release mode), and
probably also improves performance a little bit.
R=titzer@chromium.org
Bug: v8:7109
Change-Id: I345a48369aaf054572a4fd4368bf5cd526ed146a
Reviewed-on: https://chromium-review.googlesource.com/797270
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49905}
The value is passed as int in most places anyway, so better also store
it as int, and make sure that it's in the range [0..kMaxInt].
Also, our style guide only allows {int} out of the standard integer types.
R=mstarzinger@chromium.org
Bug: v8:6600
Change-Id: Ia425a8a6f64c9e617de02bb1d4f07413e9da4fc6
Reviewed-on: https://chromium-review.googlesource.com/810645
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49904}
- When a global object changes, invalidate its validity cell.
- The global object prototypes don't need to be gathered into an array in InitPrototypeChecks.
Bug: v8:7159
Change-Id: I3621c914d08b83e49e8a391800a92eb53ba19feb
Reviewed-on: https://chromium-review.googlesource.com/808588
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49901}
This reverts commit 0c2faa0633.
Reason for revert: seems to make win asan flaky:
https://build.chromium.org/p/client.v8/builders/V8%20Win32%20ASAN/builds/1094https://build.chromium.org/p/client.v8/builders/V8%20Win32%20ASAN/builds/1095
Original change's description:
> [D8] Clean up ArrayBuffer Allocators in shell.
>
> - Reworks the class hierarchy in d8.cc to conform to the allocator API.
> In particular, allocators should malloc/free or equivalent unless
> v8::ArrayBuffer::Allocator::Reserve is called.
> - Modifies ExternalizedContents to remember the allocation mode.
> - ArrayAllocatorBase now tracks its allocations to make sure it doesn't
> call Free on externalized array buffers it didn't allocate.
>
> Bug: chromium:756050
> Change-Id: Ic2d07d36358f1b4fa542bea27f93d1d51a1757e1
> Reviewed-on: https://chromium-review.googlesource.com/807355
> Commit-Queue: Bill Budge <bbudge@chromium.org>
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Eric Holk <eholk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49893}
TBR=bbudge@chromium.org,titzer@chromium.org,eholk@chromium.org
Change-Id: I0f3ecc10de843102e7681285f0300cf98704c92c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:756050
Reviewed-on: https://chromium-review.googlesource.com/810904
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49895}
When implementing Liftoff I realized that these are not tested at all
in our cctests.
R=ahaas@chromium.org
Bug: v8:6600
Change-Id: I9f4da9bb93580f556bc67ebe8b79427373e656ba
Reviewed-on: https://chromium-review.googlesource.com/808385
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49894}
- Reworks the class hierarchy in d8.cc to conform to the allocator API.
In particular, allocators should malloc/free or equivalent unless
v8::ArrayBuffer::Allocator::Reserve is called.
- Modifies ExternalizedContents to remember the allocation mode.
- ArrayAllocatorBase now tracks its allocations to make sure it doesn't
call Free on externalized array buffers it didn't allocate.
Bug: chromium:756050
Change-Id: Ic2d07d36358f1b4fa542bea27f93d1d51a1757e1
Reviewed-on: https://chromium-review.googlesource.com/807355
Commit-Queue: Bill Budge <bbudge@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49893}
This reverts commit 8dd405e39a.
Reason for revert: MSAN errors: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/18598
Original change's description:
> [heap] introduce SpaceWithLinearArea class
>
> NewSpace and OldSpace have linear allocation areas, but presently the
> implementation doesn't share any code and there are subtle differences.
> This CL introduces a superclass 'SpaceWithLinearArea' that will be used
> to refactor and share code.
>
> Change-Id: I741e6a6ebb9e75c111287214fd1f555fba62c452
> Reviewed-on: https://chromium-review.googlesource.com/809504
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
> Cr-Commit-Position: refs/heads/master@{#49890}
TBR=ulan@chromium.org,ofrobots@google.com
Change-Id: Ibd325c2965b7b8dea36b34a8c4a3ee06ea24e515
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/810664
Reviewed-by: Ali Ijaz Sheikh <ofrobots@google.com>
Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
Cr-Commit-Position: refs/heads/master@{#49892}
NewSpace and OldSpace have linear allocation areas, but presently the
implementation doesn't share any code and there are subtle differences.
This CL introduces a superclass 'SpaceWithLinearArea' that will be used
to refactor and share code.
Change-Id: I741e6a6ebb9e75c111287214fd1f555fba62c452
Reviewed-on: https://chromium-review.googlesource.com/809504
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
Cr-Commit-Position: refs/heads/master@{#49890}
Similar to the Scavenger, the Minor MC updates typed pointers into the
young generation and thus requires priviliges to write to code space.
Bug: chromium:651354
Change-Id: If5ce600f651ccb04b6ac3d82e6c2e311bfd7dc4d
Reviewed-on: https://chromium-review.googlesource.com/809013
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49884}
This removes a condition that seems to have become always true in the
cases we care about.
R=jarin@chromium.org
Bug:
Change-Id: I3684db93ab7e498b7b7ac0b42945625c30fd1afa
Reviewed-on: https://chromium-review.googlesource.com/806225
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49883}
We cannot remove a speculative operation when it's type relies on it to deopt.
Fix this by only relying on the lowering to remove operations.
Bug: chromium:786521
Change-Id: I2cf45e8d45b76cfeb06e6329f323cade74719124
Reviewed-on: https://chromium-review.googlesource.com/793043
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49882}
The space does not have a FreeList and the cast to PagedSpace is UB.
Bug: chromium:792105
Change-Id: If566374ab87374302a209a9ba4a15ce7c198a4e0
Reviewed-on: https://chromium-review.googlesource.com/809145
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49878}
For "top digit" (of the result) comparison to be applicable, we must
also check that there are no further digits in the source.
The included regression test flushes out another bug in "TruncateToNBits",
so that gets fixed here too (in contrast to the first landing attempt).
This reverts commit cb9e7af4e5.
Bug: v8:7150
Change-Id: Id631b1ae79e60b8e85ed4667e246a64c46765f2b
Reviewed-on: https://chromium-review.googlesource.com/807348
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49877}
Rename to better capture what the files contain.
Removed includes of wasm-code-manager.h from .h files to improve
build time.
Bug:
Change-Id: I0f0108cfb00b061c4433b6ff9670e9c4cae9c699
Reviewed-on: https://chromium-review.googlesource.com/807368
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49875}
The proper fix would be to make TruncatingUseInfoFromRepresentation
respect tagged signed use representation, but requires extra work
to refine typing for all values that are stored into Smi fields.
Bug: chromium:791245
Change-Id: I83965bcc18a836d2c758a6a8b1477a4aa2c6133d
Reviewed-on: https://chromium-review.googlesource.com/808866
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49870}
Fix cctests to maintain an aligned stack pointer, and delete a couple
that don't make sense if only an aligned stack pointer is allowed.
Bug: v8:6644
Change-Id: Ib825df0f93515ec408169018eb97ab587f1f14b6
Reviewed-on: https://chromium-review.googlesource.com/808386
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/master@{#49866}
We were returning too early. Don't double-log the script, but log all
source-code-infos within it.
Bug: v8:7018
Change-Id: Icd29905ee1ae3444e30760cae0b0a18b55440335
Reviewed-on: https://chromium-review.googlesource.com/808165
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49861}
Also remove preparser_scope_analysis from future implications since it
is already enabled by default.
BUG=v8:5203
Change-Id: I70eb392d6ec1ff904eae8b5ddb238774b75005f3
Reviewed-on: https://chromium-review.googlesource.com/806164
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49860}
Use Neon for floating point number insertion and extraction in
TurboFan code generator.
Bug:
Change-Id: Ic955ff0bc5ddaadfe560ea9cfdd82f6b40815be3
Reviewed-on: https://chromium-review.googlesource.com/806172
Reviewed-by: Bill Budge <bbudge@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/master@{#49859}
9 additional bots has been added to the LUCI pool, which should be sufficient to
handle the additional load from this builder.
R=machenbach@chromium.org
No-Try: true
Bug: chromium:748124
Change-Id: I1aba2be502298ce9e3d76adb25addfe7cfe2ff9f
Reviewed-on: https://chromium-review.googlesource.com/806163
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49858}
- When a dictionary mode prototype changes, invalidate the validity cell.
- The dictionary mode prototypes don't need to be gathered into an array in InitPrototypeChecks.
Bug: v8:7159
Change-Id: I1c7bbaf4b20556f44df18be1463d38fa4fbabe05
Reviewed-on: https://chromium-review.googlesource.com/793732
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49857}
