Commit Graph

75351 Commits

Author SHA1 Message Date
Samuel Groß
4a12cb1022 [sandbox] Add new Memory Corruption API
When enabled, this API exposes a new global 'Sandbox' object which
contains a number of functions and objects that in effect emulate
typical memory corruption primitives constructed by exploits. In
particular, the 'MemoryView' constructor can construct ArrayBuffers
instances that can corrupt arbitrary memory inside the sandbox. Further,
the getAddressOf(obj) and getSizeInBytesOf(obj) functions can be used
respectively to obtain the address (relative to the base of the sandbox)
and size of any HeapObject that can be accessed from JavaScript.

This API is useful for testing the sandbox, for example to
facilitate developing PoC sandbox escapes or writing regression tests.
In the future, it may also be used by custom V8 sandbox fuzzers.

Bug: v8:12878
Change-Id: I4e420b2ff28bd834b0693f1546942e51c71bfdda
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3650718
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80659}
2022-05-20 11:09:25 +00:00
Leszek Swirski
58d19ed76a [compiler-dispatcher] Fix double ShouldYield call
Fixed: v8:12886
Change-Id: I729f6f11be3befa573ac6a201dc91e3d5f2eebc1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652791
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80658}
2022-05-20 10:14:58 +00:00
Liu Yu
207f489fc5 [mips][liftoff] Fix atomic ops implementation error
LLd and Scd should be used for StoreType::kI64Store* types.

Change-Id: Ic645c9149c7ade95e0a36acadb48d246ee817469
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3655179
Auto-Submit: Yu Liu <liuyu@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#80657}
2022-05-20 09:33:54 +00:00
Dominik Inführ
407218d60a [heap] Combine write barrier flag checks
Adding the shared heap write barrier caused regressions on some
benchmarks. Presumably this is because the compiler can't merge the
fast paths of the generational and shared heap write barrier.

This CL therefore introduces a CombinedHeapBarrier that manually
unifies the fast path for the marking, generational and shared heap
write barrier. This should make the barrier easier to optimize for
the compiler. In particular it should help to ensure that page flags
don't need to be loaded multiple times in a single full write barrier.

Bug: chromium:1326446, v8:11708
Change-Id: Iacd487f1263491cf4c05f25e004233a52b7c45a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644964
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80656}
2022-05-20 08:54:34 +00:00
Jakob Kummerow
ac3c8f8ff2 [wasm-gc] Bump array.init limit to 10,000
By popular demand.

Bug: v8:7748
Change-Id: I6892d5cb92066ecc56574b5f27a09088c692e071
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3650927
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80655}
2022-05-20 08:51:47 +00:00
Andy Wingo
b48262d719 [stringrefs] Add generalized UTF-8 decoder / validator
Bug: v8:12868

A slight modification to the existing DFA-based UTF-8 allocator to allow
decoding surrogates, for use in decoding WTF-8.  We'll need to
additionally constrain the decoder to disallow surrogate pairs.

Change-Id: Ifddbf08d4eeeff8f270df52a68f01769ea790eec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652787
Commit-Queue: Andy Wingo <wingo@igalia.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80654}
2022-05-20 08:05:04 +00:00
Samuel Groß
0440123e30 [sandbox] Enable sandboxed pointers on sanitizer builds
With crrev.com/c/3641564, Chromium now uses PartitionAlloc for
ArrayBuffer allocations even if one of the sanizier tools (e.g. ASan) is
enabled. As such, sanitizer builds are now compatible with the sandbox.

Bug: chromium:1218005
Change-Id: I100bf3ef442c556652fb00dd6c09d06b167e6577
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652785
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80653}
2022-05-20 06:18:23 +00:00
v8-ci-autoroll-builder
a0bbd00112 Update ICU
Rolling v8/third_party/icu: 585942f..1c67b4e

CP PR2090 to remove ATOMIC_VAR_INIT (Frank Tang)
https://chromium.googlesource.com/chromium/deps/icu/+/1c67b4e

Disable -Wambiguous-reversed-operator in ICU. (Peter Kasting)
https://chromium.googlesource.com/chromium/deps/icu/+/3272ffe

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com,ftang@chromium.org

Change-Id: I1a35eadab7a580b6f447af17fc75981723e89d22
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3656643
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#80652}
2022-05-20 05:55:26 +00:00
Pan, Tao
54191d0887 [cleanup] Remove abandoned osr_code_cache_state from SFI
All user of osr_code_cache_state had been removed.

Change-Id: I08a4783e47c900617b53ba789d267fb9a0bd1e92
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652276
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Tao Pan <tao.pan@intel.com>
Cr-Commit-Position: refs/heads/main@{#80651}
2022-05-20 03:54:06 +00:00
v8-ci-autoroll-builder
599b415bd3 Update V8 DEPS.
Rolling v8/build: 62419bc..399520d

Rolling v8/buildtools: 7208edd..a5fa465

Rolling v8/buildtools/third_party/libc++abi/trunk: 75a3853..3e4d383

Rolling v8/buildtools/third_party/libunwind/trunk: 837a94e..c9b2288

Rolling v8/third_party/depot_tools: ab4d2e3..bd80a1b

Rolling v8/third_party/fuchsia-sdk/sdk: version:8.20220518.3.1..version:8.20220519.0.1

Rolling v8/tools/clang: 6e492e7..bec960d

Rolling v8/tools/luci-go: git_revision:d3db74920e35147955be43f62b5f4ed0cf84c614..git_revision:0ef9351a5b73943d547fb27d463d5f4a1572727f

Rolling v8/tools/luci-go: git_revision:d3db74920e35147955be43f62b5f4ed0cf84c614..git_revision:0ef9351a5b73943d547fb27d463d5f4a1572727f

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: I0eb24c3dcae59d3d9f7a1049fd42c984f8d0440c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3654637
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#80650}
2022-05-20 03:53:04 +00:00
Shu-yu Guo
658286989f [Error.cause] Remove --harmony-error-cause
Error.cause has shipped since M93.

Bug: chromium:1192162
Change-Id: Ib6019f5796cc41447af70c325c90136bcbd774ab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3624981
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80649}
2022-05-20 00:21:19 +00:00
Andy Wingo
e43a2540ab [wasm] table.get, set only calls out to C++ for function tables
Avoid a run-time dispatch for tables that don't contain subtypes of
funcref.

Change-Id: I27a55c378b0a4fcd98e77f8ff45ae9972c9d095a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644961
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andy Wingo <wingo@igalia.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80648}
2022-05-19 19:40:14 +00:00
Milad Fa
59cd199d51 PPC/s390: [wasm-relaxed-simd] Add liftoff min/max operations on Arm and Arm64
Port 0236d7b5b4

Original Commit Message:

    Instruction lowering on ARM uses pmin/pmax as there is no hardware support.
    More details here: https://github.com/WebAssembly/relaxed-simd/issues/33

R=gdeepti@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N

Change-Id: Ifbee1c0485ae47939fc070121ed6e0abd01c3547
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3654562
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#80647}
2022-05-19 17:09:24 +00:00
Igor Sheludko
86656444a2 [rwx][mac] Fix jitless mode, pt.2
... when com.apple.security.cs.allow-jit entitlement is not enabled.

Bug: v8:12797, chromium:1324829
Change-Id: I660008e1f8abbac3436dd78ea90937971599b5d0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644960
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80646}
2022-05-19 17:05:14 +00:00
Seth Brenith
16a7150bae Reland "Disable recompilation of existing Scripts from Isolate compilation cache"
This is a reland of commit a76072217a

The bug exposed by landing this change the first time has been fixed
separately in https://crrev.com/c/3654413 .

Original change's description:
> Disable recompilation of existing Scripts from Isolate compilation cache
>
> My previous change https://crrev.com/c/3597106 led to some performance
> regressions in time spent on parsing and compilation. This change
> disables the ability to recompile an existing uncompiled Script, as an
> attempt to both fix the regressions and isolate which part of the
> previous change was the cause of those problems.
>
> Bug: v8:12808, chromium:1325566, chromium:1325567, chromium:1325601
> Change-Id: Ifa086bf27070da8f4b3c0e4415af5ca7b6706b0a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652252
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Cr-Commit-Position: refs/heads/main@{#80616}

Bug: v8:12808, chromium:1325566, chromium:1325567, chromium:1325601
Change-Id: Ib31864bef90ff3340d1dfd4e25e21bef121f2d49
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3655011
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#80645}
2022-05-19 16:50:14 +00:00
Clemens Backes
4a6e65bf56 [wasm] Avoid HandleScope when triggering tier-up
Triggering tier-up can happen very often, so the runtime function should
be as slim as possible.

This CL adds two DisallowGarbageCollection scopes and removes a
HandleScope which was unnecessarily created.

R=jkummerow@chromium.org

Bug: v8:12281
Change-Id: I43e7f2b449630856ac8dfb36d294fbd29191d0eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652300
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80644}
2022-05-19 16:43:05 +00:00
Toon Verwaest
6e79970f17 [maglev] Convert smi->int32 constant
Bug: v8:7700
Change-Id: I4a772e0b2b821376ba75afd587694e130f059089
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647831
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80643}
2022-05-19 15:09:14 +00:00
Issack John
a679edbb6e JSON.parse errors made user-friendly part 2
Part of the improve error messages initiative.

Based on a resource of JSON.parse() errors found at
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Errors/JSON_bad_parse

added support for:
- 'Bad control character in string literal'
- 'Bad Unicode escape'

Previously JSON.parse('"a\bz"') would output:
SyntaxError: Unexpected token  in JSON at position 2
Now the output is:
SyntaxError: Bad control character in string literal in
JSON at position 2

Previously JSON.parse("[\"\\t\\u") would output:
SyntaxError: Unexpected end of JSON input
Now the output is:
SyntaxError: Bad Unicode escape in JSON at position 6

Bug: v8:6551
Change-Id: I3ba5450c41b8a388643a15bc58e4e3fc75855d13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652254
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Issack John <issackjohn@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#80642}
2022-05-19 15:07:03 +00:00
Stephen Roettger
1da4b373a7 Replace more args.set_at usages with ChangeValueScope
args.set_at lead to a vulnerability in the past where the caller
(ignition) didn't expect the callee to overwrite the arguments.

The current usage doesn't look like an issue, but let's preemptively
remove these usages so that they don't lead to issues in the future.

Change-Id: I64e1f84ad1833b2b2f96cd7503bdde00f344404c
Bug: chromium:1268738
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644965
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Stephen Röttger <sroettger@google.com>
Cr-Commit-Position: refs/heads/main@{#80641}
2022-05-19 14:59:44 +00:00
Liu Yu
44e1d129e2 [loong64][mips] Remove a useless declaration of Operand
Change-Id: Ib4039ede294fe3c108cd49c45a7a5e36a6f51780
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3653714
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Auto-Submit: Yu Liu <liuyu@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#80640}
2022-05-19 14:20:44 +00:00
Stephen Roettger
4d6ddf1b5f Remove deprecated AccessorSignatures
Bug: chromium:1310790
Change-Id: I739161f47fc1fc32d832f106d5ef6b7df4aed213
Fixed: chromium:1310790
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3654096
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Stephen Röttger <sroettger@google.com>
Cr-Commit-Position: refs/heads/main@{#80639}
2022-05-19 14:15:54 +00:00
Manos Koukoutos
3904606c1a [wasm] Move and add functionality to WasmGraphAssembler
Specifically, move numeric conversions from WasmGraphBuilder, and add
functionality for traps.
These will be used in wasm-gc lowering phases.

Change-Id: I73f0dab28d87db8f1c4c339ea3d871f262e270ab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3654101
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80638}
2022-05-19 14:13:23 +00:00
Seth Brenith
2df4d58a9e Fix rehashing of script compilation cache
The script compilation cache contains weak pointers to Script objects as
its keys. When doing a rehashing operation, any hash table needs the
ability to get the hash code for every entry in the table. However, if
the weak pointer was cleared from a key, there is no longer any way to
get the hash code for that entry.

In https://crrev.com/c/3597106 , I attempted to solve this problem by
deleting all entries whose keys contain cleared weak pointers prior to
rehashing, but the implementation has a bug: when resizing, the new
table is allocated after deleting the entries with cleared keys, so if
that allocation triggers a GC, the table can once again have entries
with cleared keys.

This could be solved in a variety of ways, such as:

1. Iterate the entries again and delete those with cleared keys, after
   allocating the new table but before calling Rehash() to copy data
   into that new table. This means we can't directly use
   HashTable::EnsureCapacity, which normally does both the allocation
   and the rehashing.
2. Return a bogus hash code for entries whose keys contain cleared weak
   pointers. This is simple but risks poor distribution of data after
   rehashing.
3. Implement custom rehashing which can avoid copying entries with
   cleared keys, rather than reusing the rehashing implementation from
   HashTable.
4. Include the hash value in every key, so a consistent hash value is
   available even after the weak Script pointer has been cleared.

The fourth option sounds like the lowest risk to me, so this change
implements that option.

Bug: v8:12808
Change-Id: I6b19b9c8af67dcfc31b74842ba581dd141e18845
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3654413
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#80637}
2022-05-19 12:58:54 +00:00
Samuel Groß
d812c9a977 [sandbox] Shrink sandbox on Android to 128GB
The majority of 64-bit Android devices appear to be using a 40-bit
address space, i.e. 512GB for userspace. Allocating a 256GB sandbox
(plus 2x 32GB guard regions) may take too much of the address space and
cause the creation of other address space reservations (e.g. the cppgc
caged heap), which are created per worker, to fail later on.

In general, we should try to limit the sandbox size to less than 1/4 of
the address space, so this CL shinks the sandbox on Android to 128GB.

Bug: chromium:1327131
Change-Id: Ib48b45506ad6a7a5e15b95115c7642bf62a68fa1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652783
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80636}
2022-05-19 11:35:23 +00:00
Clemens Backes
16fb5ccfa5 [wasm] Add comment about WasmOpcode encoding
As a follow-up to https://crrev.com/c/3625835, document how we
internally encode Wasm opcodes in the WasmOpcode enum. In particular,
it's important for the mapping to be bijective.

R=thibaudm@chromium.org
CC=gdeepti@chromium.org

Bug: v8:12284
Change-Id: Ic4bcd70211e83b1eabb45204bdcce3209a4432b3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647360
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80635}
2022-05-19 10:40:05 +00:00
Clemens Backes
63f42852cc [wasm] Minor fixes to priority compilation units
This fixes a few minor issues in the handling of priority top-tier
compilation units, and adds some comment.

1) We document the current design around priority top-tier units.
2) We simplify the code to increase the priority a bit, and make sure to
   avoid integer overflows.
3) We reorder two statements to first increase the
   outstanding_top_tier_functions_ counter before adding a new unit, in
   order to avoid starting to execute a top-tier unit when the counter
   is 0, which would be an inconsistent state.

R=ahaas@chromium.org

Bug: v8:12880
Change-Id: I67bd71135f34b793ea5cf064108668fb72c7e345
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3654097
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80634}
2022-05-19 10:34:43 +00:00
Clemens Backes
6a977bd1fd [wasm] Deprecate "dynamic tiering enabled" callback
Dynamic tiering is now enabled by default, and the origin trial is
expired, so the callback can be removed.
The callback was already never called, because the flag value is always
checked first.

R=ahaas@chromium.org, mlippautz@chromium.org

Bug: v8:12281
Change-Id: I58eaa210c86024128328a13ba07bb8fc1b437841
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644951
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80633}
2022-05-19 09:59:43 +00:00
Manos Koukoutos
15d83bff30 [wasm-gc] Enable decompression optimization
This gives a small speedup for wasm-gc programs.

Bug: v8:7748
Change-Id: I4a172251ab85e2a5e030ee5cae97db9e3655f5cd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3654095
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80632}
2022-05-19 09:05:13 +00:00
Peter Kasting
e80779d299 Fixes for C++20 mode.
* "volatile" on by-value params is deprecated.  Remove.
* ICU has decided not to fix a warning about rewritten comparison
  operators.  Work around.  This is ugly, but the alternative is
  disabling the warning entirely for this file or all of v8, which seem
  worse.

Bug: chromium:1284275
Change-Id: Ia90ae439fc56c3970da539d4ae3a64927ec4357b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652575
Auto-Submit: Peter Kasting <pkasting@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80631}
2022-05-19 08:53:03 +00:00
Marja Hölttä
8dcc6f8135 [web snap] More consistently allow frozen / sealed elements
The frozenness / sealednes is not yet serialized & deserialized, but
this allows prototyping web snap in contexts where frozen / sealed
elements occur.

Bug: v8:11525, v8:12820
Change-Id: I8fb788bd3d1a1ec3e6b47610c69230cc900033b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652779
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80630}
2022-05-19 08:41:53 +00:00
Tobias Tebbi
bc00836ef0 [turbofan] fold repeated essentially-pure operations
This improves a pattern that appears in the SunSpider
base64 benchmark.

Change-Id: I1b5f4535d24d8a39cc480508d1e11c8e92e0135c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3654098
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80629}
2022-05-19 08:16:03 +00:00
Liu Yu
b5d6997af4 [loong64][mips][wasm-relaxed-simd] Add liftoff min/max operations on Arm and Arm64
Port commit 0236d7b5b4

Bug: v8:12284
Change-Id: I8ce66d3e4d61e8cc446364fbc1b1ba7d6036fca7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3653715
Auto-Submit: Yu Liu <liuyu@loongson.cn>
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#80628}
2022-05-19 06:42:25 +00:00
Frank Tang
5354d8a1c6 [Temporal] Add PlainYearMonth.prototype.toJSON
Also add AOs: TemporalYearMonthToString

Spec Text:
https://tc39.es/proposal-temporal/#sec-temporal.plainyearmonth.prototype.tojson
https://tc39.es/proposal-temporal/#sec-temporal-temporalyearmonthtostring

Bug: v8:11544
Change-Id: Ibe8bd20ae5eb5b7721e50cf5386c20d8d23e18e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3437894
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80627}
2022-05-19 05:06:23 +00:00
v8-ci-autoroll-builder
04359996f4 Update V8 DEPS.
Rolling v8/build: 5b615fa..62419bc

Rolling v8/buildtools/linux64: git_revision:bf4e17dc67b2a2007475415e3f9e1d1cf32f6e35..git_revision:c547ca1497e3ff0dcbc0b2cb036b3d40380cbeeb

Rolling v8/buildtools/third_party/libc++abi/trunk: b682786..75a3853

Rolling v8/buildtools/third_party/libunwind/trunk: 44c86bb..837a94e

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/ecd2da3..8111049

Rolling v8/third_party/depot_tools: 8fb649c..ab4d2e3

Rolling v8/third_party/fuchsia-sdk/sdk: version:8.20220516.3.1..version:8.20220518.3.1

Rolling v8/third_party/zlib: 7085d03..2fe249a

Rolling v8/tools/clang: 56af55b..6e492e7

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: Ie312502b162d4244148f4345649c3a7f1d0a7f65
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3654580
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#80626}
2022-05-19 03:54:43 +00:00
Lu Yahan
e868f793e1 [riscv64][wasm-relaxed-simd] Add liftoff min/max operations on RISCV64
Port commit 0236d7b5b4

Bug: v8:12284
Change-Id: I5a1c7b7a50c45e0d768ee3e200a2c25dbfcc8b36
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3654978
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#80625}
2022-05-19 03:10:13 +00:00
Frank Tang
0b44a86009 [Temporal] Add PlainMonthDay.prototype.toJSON
Also add AO: TemporalMonthDayToString

Spec Text:
https://tc39.es/proposal-temporal/#sec-temporal.plainmonthday.prototype.tojson
https://tc39.es/proposal-temporal/#sec-temporal-temporalmonthdaytostring

Bug: v8:11544
Change-Id: Ibbc5b28a9c73474f7edc1b67c9beabf5bca54dbc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3437891
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80624}
2022-05-19 02:44:13 +00:00
jiepan
852e075639 [wasm-simd][x64] Optimize I8x16Shuffle if one input is S128Zero
If b is S128Zero, Shuffle(a,b,s) can be optimized to
Swizzle(a,s). By setting s[i] to 0x80, we can avoid access b.
If a is S128Zero, we can swap a and b first.

If one input of I8x16Shuffle is S128Zero, this patch can save
~60% instructions(7 of 12), and more than 30% improvement is
observed in local microbenchmarks.

Change-Id: I5953fa9064e01203cd4cf423c55dd5ed33cad57e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3544992
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Jie Pan <jie.pan@intel.com>
Cr-Commit-Position: refs/heads/main@{#80623}
2022-05-19 01:26:03 +00:00
Frank Tang
a5697616eb [Temporal] Add PlainDate.prototype.toJSON
Also add AOs: PadISOYear, FormatCalendarAnnotation, TemporalDateToString
Spec Text:
https://tc39.es/proposal-temporal/#sec-temporal.plaindate.prototype.tojson
https://tc39.es/proposal-temporal/#sec-temporal-padisoyear
https://tc39.es/proposal-temporal/#sec-temporal-formatcalendarannotation
https://tc39.es/proposal-temporal/#sec-temporal-temporaldatetostring

Change the ISODateTimeWithinLimits from
-8.64 × 10^21 - 8.64 × 10^16, 8.64 × 10^21 + 8.64 × 10^16
to
-8.64 × 10^21 - 8.64 × 10^13, 8.64 × 10^21 + 8.64 × 10^13
per https://github.com/tc39/proposal-temporal/pull/1723

Change to use AppendCStringLiteral instead of AppendCharacter when
appropriate.

Bug: v8:11544
Change-Id: I01f22657b2c3e5aacbea790593d7e9f60076ec74
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3438379
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80622}
2022-05-19 01:22:23 +00:00
Deepti Gandluri
0236d7b5b4 [wasm-relaxed-simd] Add liftoff min/max operations on Arm and Arm64
Instruction lowering on ARM uses pmin/pmax as there is no hardware support.
More details here: https://github.com/WebAssembly/relaxed-simd/issues/33

Bug: v8:12284
Change-Id: I075d4a6660afc4418fcc91c5d48e8e9096536dc9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3646075
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80621}
2022-05-18 23:22:03 +00:00
Milad Fa
e49f00d4bd Fix compilation error with gcc
Fix for the following minor issue:
```
error: variable 'first_output_index' set but not used
```

Change-Id: Iccc5e15db62a5768ba6f3742f3c4d7123f493c65
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652093
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80620}
2022-05-18 20:29:10 +00:00
Adam Klein
09c1012b21 Skip shared-memory tests under tsan/stress_incremental_marking
Goal is to keep the tree green while the issue is investigated.
No impact on shipped product since shared-memory is flag-guarded off.

Bug: v8:12883
Change-Id: I9a434bdebc781023fa6693eef47db6dbe81cd4bb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3653320
Auto-Submit: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#80619}
2022-05-18 18:48:01 +00:00
Tobias Tebbi
ecc0bc8f35 [turboshaft] add basic optimization phase: liveness analysis
Bug: v8:12783
Change-Id: I15cf16bd66a97c33170ca4f1f5e3acc6ff9bf956
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3576129
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80618}
2022-05-18 17:17:07 +00:00
Adam Klein
de877f7497 Revert "Disable recompilation of existing Scripts from Isolate compilation cache"
This reverts commit a76072217a.

Reason for revert: fails on GC Stress bot:
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/38512/overview

Original change's description:
> Disable recompilation of existing Scripts from Isolate compilation cache
>
> My previous change https://crrev.com/c/3597106 led to some performance
> regressions in time spent on parsing and compilation. This change
> disables the ability to recompile an existing uncompiled Script, as an
> attempt to both fix the regressions and isolate which part of the
> previous change was the cause of those problems.
>
> Bug: v8:12808, chromium:1325566, chromium:1325567, chromium:1325601
> Change-Id: Ifa086bf27070da8f4b3c0e4415af5ca7b6706b0a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652252
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Cr-Commit-Position: refs/heads/main@{#80616}

Bug: v8:12808, chromium:1325566, chromium:1325567, chromium:1325601
Change-Id: I0f56163856d04ff49da96b0fb344fb59b5501a40
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3653273
Auto-Submit: Adam Klein <adamk@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#80617}
2022-05-18 16:45:11 +00:00
Seth Brenith
a76072217a Disable recompilation of existing Scripts from Isolate compilation cache
My previous change https://crrev.com/c/3597106 led to some performance
regressions in time spent on parsing and compilation. This change
disables the ability to recompile an existing uncompiled Script, as an
attempt to both fix the regressions and isolate which part of the
previous change was the cause of those problems.

Bug: v8:12808, chromium:1325566, chromium:1325567, chromium:1325601
Change-Id: Ifa086bf27070da8f4b3c0e4415af5ca7b6706b0a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652252
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#80616}
2022-05-18 15:47:59 +00:00
Seth Brenith
3a558456a9 [v8windbg] Skip undefined types in Torque structs
The test cctest/test-v8windbg recently started failing because the
v8windbg debugger extension is unable to read the "flags" field on a
SharedFunctionInfo instance. This occurs because one of the bitfields
within "flags" has type OSRCodeCacheStateOfSFI, which is only declared
using an "opaque enum declaration":

  enum OSRCodeCacheStateOfSFI : uint8_t;

When WinDbg fails in its attempt to look up that type, v8windbg responds
by failing to construct anything at all for "flags". However, the other
17 bitfields in "flags" can be represented successfully, so a more
useful behavior is to just skip the one failed entry.

Change-Id: I40630548d21499e49f0214da28260318a38d9360
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3653096
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#80615}
2022-05-18 15:24:09 +00:00
gengjiawen
0f4731c825 [build] fix MSVC build issues
on latest MSVC, build will fail due to error C1017

log: https://github.com/bnoordhuis/v8-cmake/runs/6473602404
Change-Id: Ida6a4f1cbace68cbfc5aa7d4df2e7829fc755a55
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3653496
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80614}
2022-05-18 13:34:55 +00:00
Nikolaos Papaspyrou
d75d524c90 [heap][cleanup] Fix tracking two background scope symbols
BACKGROUND_UNPARK and BACKGROUND_SAFEPOINT were introduced in
crrev.com/c/2704075 but the LAST_GENERAL_BACKGROUND_SCOPE was
not updated, so they were not tracked properly by GCTracer.

Bug: v8:12425
Change-Id: Ibbd7f5410088c45454b6e22af4e038e8ef0dd7fa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3650598
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80613}
2022-05-18 13:25:15 +00:00
Clemens Backes
7e14a41ca6 [wasm] Use new OOM API for passing details
In particular use the same "location" in any call site to make grouping
OOMs easier. Move the detail information into the new OOMDetails struct.

Since we cannot construct OOMDetails via "{.detail = ...}" yet (C++20),
we add another variants of FatalProcessOutOfMemory which receives the
detail string and internally stores it in an OOMDetails struct.

R=jkummerow@chromium.org
CC=mlippautz@chromium.org

Bug: chromium:1323177
Change-Id: Ie10cde8dd060867515fab4c61c15030f9c3ccff9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652298
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80612}
2022-05-18 10:40:48 +00:00
Clemens Backes
7eacc4d552 [API] Enforce that ShouldYield == true is respected
There is a DCHECK in the gin platform that {ShouldYield} is not called
again after it already returned {true}.
This CL adds a similar DCHECK to the default platform to catch bugs
earlier (in d8).

R=ahaas@chromium.org, mlippautz@chromium.org

Bug: chromium:1277962
Change-Id: I4dc9d880cf6d36e3e497c5324aaf44889fe7fcee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644801
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80611}
2022-05-18 10:33:28 +00:00
Almothana Athamneh
c3107f0692 Revert "Change linux_chromium_chromeos_msan_rel_ng to blocking on auto roll"
This reverts commit e412e6435b.

Reason for revert: builder takes too long on CQ

Original change's description:
> Change linux_chromium_chromeos_msan_rel_ng to blocking on auto roll
>
> Bug: v8:12755
> Change-Id: I7c693c07640fd5952047666063f23b4be77692bd
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644954
> Commit-Queue: Almothana Athamneh <almuthanna@chromium.org>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Auto-Submit: Almothana Athamneh <almuthanna@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80590}

Bug: v8:12755
Change-Id: I371c4ebbfc9dc9a0e806653c6c819b0eb29e5228
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644962
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Almothana Athamneh <almuthanna@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#80610}
2022-05-18 09:20:08 +00:00