SL's VisitSpeculativeIntegerAdditiveOp was setting Signed32 as
restriction type even when relying on a Word32 truncation in order to
skip the overflow check. This is not sound.
Bug: chromium:1150649
Change-Id: I3113a2102c62d6ecef342c98d25daf31431c01ed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2557498
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71364}
Make compileAndRunWithOrigin accept the same six arguments as
inspector-test. This makes inspector tests more useful as seed for the
inspector fuzzer, and allows running more inspector fuzzer outputs
directly in the inspector-test binary.
R=szuend@chromium.org
Bug: chromium:1142437
Change-Id: Ib9e9768c834204ff17a641e9d462400a139bf6b0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2557507
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71363}
For pages that are already swept, it can happen that one thread
iterates old-to-new-slots while another thread promotes an object onto
the same page.
Accessing the slot_set in Scavenger::ScavengePage therefore needs to be
atomic.
Bug: v8:11077
Change-Id: I086db612ed4e861aa9bd1c18fdf5c0e17c519a4b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2555009
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71360}
The Code object returned by CompileOptimized runtime functions is
tail-called to continue execution. This Code object should not be the
CompileLazy builtin.
We ran into this case when the requested code kind was available, but
not attached - here we returned early from Compiler::CompileOptimized
without doing anything.
To satisfy the postcondition, this CL removes the early exit and lets
GetOptimizedCode handle the cached cases (both the FeedbackVector's
optimized code cache, and the isolate cache).
Bug: v8:8888
Change-Id: Ie60e6cf27b697ea6685441184b65f28f3583f75a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2557500
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71358}
Also add a test to ensure it won't crash. The crash is caused by int32_t overflow inside ICU68-1.
Real fix in 3bf08c6a50
Bug: chromium:1150371
Change-Id: I71c7bb3c50453fe3fa40226cab83bee0d865b0f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2551212
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71357}
The CPPGC_BUILD_IN_V8 define (used for tracing) isn't propagated from
v8_base_without_compiler to cppgc_base, which breaks build with
perfetto. Instead use a gn arg to specify standalone builds (defaulted
to false) and use that to choose the right tracing implementation.
Bug: chromium:1056170
Change-Id: I70bce819d45fb133b6f932a50a5d027e39f3e5b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2555007
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71356}
Prototype 2 prefetch instructions (temporal and non-temporal) on arm64
and interpreter.
Add prfm to assembler, and use MiscField to encode the two versions.
Small tweak to simulator to handle these new instructions (no-op).
The implementation in the interpreter just pops the memory index and
does nothing.
Simple test cases added for these 2 new instructions, as well as a
prefetch with OOB index, which should not trap.
Bug: v8:11168
Change-Id: Ieced8081615d07f950d6d4c1128d1bc6a75839fd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2543167
Reviewed-by: Bill Budge <bbudge@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71353}
Now the ModS opcode and MacroAssembler::EmitFPUTruncate function
are useless, and should be removed.
Change-Id: I5ba7c2cd01084b322046c8267b7581ab9d1755c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2554382
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/master@{#71352}
Drive-by cleanup for other bitmask instructions to
UseScratchRegisterScope instead of using temporary registers in
instruction-selector.
Bug: v8:10997
Change-Id: Id46d249fd20ceaeab8e867babec8b34d7995c17f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2548081
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71351}
Currently we only correctly disassemble encoding A4, with a list of 4
regs.
Also added tests for these encodings.
Change-Id: I38066186d19deb8c180129d7a92b49bc589315cd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2554258
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71350}
In our codegen, we are mixing SSE and AVX. This can potentially cause
transition delays. Ideally we should stick to one. We add some new AVX
versions of movss and movsd, then use the macro-assembler methods to
generate AVX instructions if supported.
Bug: v8:11190
Change-Id: Iff7c0fb892cea85731f880ac2895480621b3092f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2554257
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71349}
This reverts commit 5557a63beb.
Reason for revert: Sheriff's mistake, failing test was previously flaking.
Original change's description:
> Revert "stack-trace-api: implement getEnclosingLine/Column"
>
> This reverts commit c48ae2d96c.
>
> Reason for revert: Breaks a profiling test:
> https://ci.chromium.org/p/v8/builders/ci/V8%20Win32/30010
>
> Original change's description:
> > stack-trace-api: implement getEnclosingLine/Column
> >
> > Introduces getEnclosingColumn and getEnclosingLine on CallSite
> > so that the position can be used to look up the original symbol
> > for a function when source maps are used.
> >
> > BUG=v8:11157
> >
> > Change-Id: I06c4c374d172d206579abb170c7b7a2bd3bb159f
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2547218
> > Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> > Commit-Queue: Benjamin Coe <bencoe@google.com>
> > Cr-Commit-Position: refs/heads/master@{#71343}
>
> TBR=jkummerow@chromium.org,yangguo@chromium.org,bencoe@google.com
>
> Change-Id: Iab5c250c1c4fbdab86971f4a7e40abc8f87cf79c
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug: v8:11157
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2555384
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Commit-Queue: Bill Budge <bbudge@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#71345}
TBR=bbudge@chromium.org,jkummerow@chromium.org,yangguo@chromium.org,bencoe@google.com
# Not skipping CQ checks because this is a reland.
Bug: v8:11157
Change-Id: I8dba19ceb29a24594469d2cf79626f741dc4cad3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2555499
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71348}
This reverts commit c48ae2d96c.
Reason for revert: Breaks a profiling test:
https://ci.chromium.org/p/v8/builders/ci/V8%20Win32/30010
Original change's description:
> stack-trace-api: implement getEnclosingLine/Column
>
> Introduces getEnclosingColumn and getEnclosingLine on CallSite
> so that the position can be used to look up the original symbol
> for a function when source maps are used.
>
> BUG=v8:11157
>
> Change-Id: I06c4c374d172d206579abb170c7b7a2bd3bb159f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2547218
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Benjamin Coe <bencoe@google.com>
> Cr-Commit-Position: refs/heads/master@{#71343}
TBR=jkummerow@chromium.org,yangguo@chromium.org,bencoe@google.com
Change-Id: Iab5c250c1c4fbdab86971f4a7e40abc8f87cf79c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:11157
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2555384
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71345}
Introduces getEnclosingColumn and getEnclosingLine on CallSite
so that the position can be used to look up the original symbol
for a function when source maps are used.
BUG=v8:11157
Change-Id: I06c4c374d172d206579abb170c7b7a2bd3bb159f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2547218
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Benjamin Coe <bencoe@google.com>
Cr-Commit-Position: refs/heads/master@{#71343}
If we have a regular isolate (or none at all), we can skip acquiring
the lock check and DCHECK that we are calling from the main thread.
If we have a LocalIsolate, we acquire the string lock if needed.
Bug: v8:7790
Change-Id: Ie3562e8172a3e3eca8d194e8652cb881f765cdb8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2551102
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71340}
We use the same temporary mechanism as with eqref, in anticipation of
standardization of the wasm-gc JS API.
Bug: v8:7748
Change-Id: I224a043e5450ce489fc7f3b2f07f277a0444b8e0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2546695
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71339}
This changes a '<' to a '<=' and adds a comment to explain why it is
safe to use a jump table where the maximum distance is exactly
{kMaxCodeSpaceSize}.
R=jkummerow@chromium.org
Bug: chromium:1151364
Change-Id: Id4971a2e9095fa99df48367ab09af4adbfadffaf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2552906
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71337}
For a very particular special case (long "chains" of bound
functions with an undefined @@hasInstance handler), evaluating
the `instanceof` operator could lead to a very deep recursion.
This patch adds a stack check to make sure we throw rather than
crash on stack overflow.
Bug: v8:11115
Change-Id: I6bf941b9e75e9fe3a52112ade27388ac4fbbda2f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2545624
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71335}
Bug: v8:7790
Change-Id: Idee149b3d59064941473d5e17e2c56a253a5f49d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2546691
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71334}
Don't pass the correctness-fuzzing suppressions to normal fuzzing as
they turn stack overflows and invalid string length checks into
crashes.
This first became a problem after the flag was passed in an mjsunit
test case.
No-Try: true
Bug: chromium:1151600,chromium:1151599
Change-Id: I5d29900a4b155762cae447fc102055eab1916309
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2551112
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71333}
I'm working for Loongson Technology, and I have contributed 120+
patches to maintain v8 on mips platform. I request to be an owner
of MIPS files, so that we can maintain mips ports more conveniently.
Change-Id: Ib01dadfb879fefe7c095398930573e8df0f7c8dd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2525542
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71332}
When comparing two-byte strings, the correct number of characters to
compare is length(), not byte_length().
The bug was introduced in
https://chromium-review.googlesource.com/c/v8/v8/+/2533038
There's no regression test, since going beyond the AstRawString
boundary generally doesn't crash.
Bug: chromium:1151602
Change-Id: I32c297c2751835dd7574ff928d2d5b8346b4381a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2551110
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71330}
Rolling v8/build: ee1c001..030a312
Rolling v8/third_party/aemu-linux-x64: 4f-YWuHlGrqS9jy308GUs0eo8DxU3h6PwgpHfNYq290C..gt2DKWmtJU6vqOju1UcBB-_Nthud81s3cnZkERzzSEUC
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/2ed6fc0..11b4013
Rolling v8/third_party/depot_tools: 2f8e0fa..9c0dc30
Rolling v8/third_party/zlib: e84c9a3..9893e50
Rolling v8/tools/luci-go: git_revision:1a022d3a4c50be4207ee93451255d71896416596..git_revision:6cbe3f56e9f00b8f65eae21f01838a8b58191a47
TBR=machenbach@chromium.org,tmrts@chromium.org,v8-waterfall-sheriff@grotations.appspotmail.com
Change-Id: Ia6309934987cdc0f0da95a83875041761673ec3d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2553156
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#71326}
Without the cast, gcc might throw the following error
during compilation:
error: enumeral mismatch in conditional expression:
'cppgc::internal::StatsCollector::ScopeId' vs
'cppgc::internal::StatsCollector::ConcurrentScopeId'
Change-Id: I95e230310a0cbdc775d63657b8c407a8392a57e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2551104
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#71325}
Drive-by: Add alias for lzer on Assembler
Change-Id: Id0d705ef864899241f77d92c2cf8a144f753ef15
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2552928
Reviewed-by: Milad Fa <mfarazma@redhat.com>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/master@{#71324}
With pointer compression, the size of a reference depends on whether it
is stored on the stack or on the heap. The size provided by
ValueType::element_size_bytes() is the size of a reference on the heap.
LiftoffAssembler::SlotSizeForType(...) however should return the size
on the stack. This CL fixes this inconsistency.
This issue would have been found by an existing test, but this test is
disabled at the moment because of missing safepoint maps for stack
checks.
R=thibaudm@chromium.org
Bug: v8:7581
Change-Id: Ia45944b265fa4ce0d560ff00a24b023d6c1ae10a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2552515
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71320}
Because of LocalHeap safepoints, our existing assert scopes don't
necessarily maintain the same guarantees as desired. In particular,
DisallowHeapAllocation no longer guarantees that objects don't move.
This patch transitions DisallowHeapAllocation to
DisallowGarbageCollection, to ensure that code using this scope is
also protected against safepoints.
Change-Id: I0411425884f6849982611205fb17bb072881c722
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2540547
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71319}
This retrieves script name directly from StackFrameBase, bypassing
building of StackFrameInfo if one hasn't already been initialized,
thus avoiding computation of expensive properties that are not required.
This matches current behavior of GetScriptNameOrSourceURL() and is a
workaround until a dedicated API is available.
This is necessary to switch AdTagging over from using
GetScriptNameOrSourceURL() to GetScriptName(), to ensure that scripts
with source urls are tagged appropriately. (See crrev.com/c/2551259.)
Bug: chromium:1127391
Change-Id: I6eb145b88c26deb1a088f038b0f8b377bc8fe3ab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2550504
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Alex Turner <alexmt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71318}
Port 1da429fb8a
Original Commit Message:
This is a reland of 800307f6a5, with a
minimal fix for arm64 (uint64_t -> uintptr_t).
Original change's description:
> [wasm][memory64] Prepare Liftoff for ptrsize offsets
>
> This CL prepares the LiftoffAssembler interface for uintptr_t offsets.
> Many places can still only handle 32-bit values, but after this CL we can
> start storing the offsets as uintptr_t in the memory access immediates.
> Some TODOs are placed to extend code generation for 64-bit additions, if
> memory64 is enabled.
> All of this will be addressed in follow-up CLs.
>
> R=manoskouk@chromium.org
>
> Bug: v8:10949
> Change-Id: Id3b9b8aa555ab41f082ba012f4f8d80586c35b89
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2529452
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#71236}
R=clemensb@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N
Change-Id: I87a421ab1fe6e4d0f2098c24ff34a3888631722e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2552166
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#71317}