Now that the cage is shared, we can remove the thread-local base and
instead use a simple global.
Bug: chromium:1325007
Change-Id: I05019de83868f823c66003740e277578f2a1d439
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688051
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81037}
This CL handles weakcallbacks for resetting WeakMember smart pointers in parallel.
Tracing data for browsing nytimes.com:
CppGC.AtomicWeak
4.628 ms
CppGC.ConcurrentWeakCallback
0.157 ms
Bug: v8:12796
Change-Id: I1e7aa9d27e22985072a8fc332376ac3bd84a3720
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3692433
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Jianxiao Lu <jianxiao.lu@intel.com>
Commit-Queue: Jianxiao Lu <jianxiao.lu@intel.com>
Cr-Commit-Position: refs/heads/main@{#81036}
This configuration allows testing the V8 sandbox by exposing the memory
corruption API (which emulates typical V8 exploit primitives) and
(through a d8 command line flag) enabling the sandbox crash filter which
filters out "harmless" crashes (those that don't break the sandbox's
security guarantees).
Bug: v8:12878
Change-Id: Iad3ee2a8c20b9056766c5c654018b41920fe8703
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695581
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81034}
The flag is causing build failures in some environments (when it is not
defined) and it is not actually needed since the behaviour of these FDs
across fork/exec isn't defined and this code is only used for testing.
Bug: chromium:1218005
Change-Id: If2bf6835705318079af56d920017accedaf769dd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695583
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81032}
This CL introduces a new `status` enum returned by setScriptSource.
We'll use the information in the DevTools frontend to show more
meaningful error messages as well as disambiguate compilation errors
from failed live edits.
Drive-by: Deprecate the sync and async stack traces in the result.
Currently `setScriptSource` is guaranteed to stay paused so there
is no need to send along the same information from the
preceeding `Debugger.paused` event.
In the future we will restart the top-most frame once we allow
the top-most frame to be edited. In that case the inspector
fires Debugger.resumed + Debugger.paused events following the
live edit also making the info returned here superfluous.
R=jarin@chromium.org
Bug: chromium:1334484
Change-Id: I4226491caed72013a00927273c523213d797a766
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3691850
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81031}
After flags are frozen, this will not work any more. It's also not
required, as flags cannot be accessed after teardown anyway.
This CL changes that to only release the memory of dynamically allocated
string flags, which is something we still need to do after
write-protecting the flags anyway.
R=tebbi@chromium.org
Bug: v8:12887
Change-Id: Iff0e3845cbd91fb59878b2ed36a44d6df00572f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695379
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81030}
The getters and setters were not using the correct types for the casts
of {valptr_} and {defptr_}. It was mostly fine though, because
{FlagValue<T>} just wraps a {T}, so accessing a {FlagValue<T>*} as a
{T*} just works.
This CL fixes the casts of {valptr_} to use proper {FlagValue<T>*}, and
changes the definition of the default values to use plain {T} instead of
{FlagValue<T>}.
R=tebbi@chromium.org
Bug: v8:12887
Change-Id: I3a38ba466df95a4c7b45e83fbd5d37c9a4785a13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695558
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81029}
The CL does the following:
1) Globalizes CagedHeap for all HeapBases;
2) Adds the global variable representing the cage base;
3) Changes all write-barriers to use this global variable for value/slot
checks;
4) Removes no longer needed functionality introduced in previous CLs.
Bug: v8:12231
Change-Id: I281a7b0bf67e349c988486fc2d43ec6d703fd292
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688050
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81027}
... which required unnecessarily big alignment for the base on Windows.
Drive-by: adapt hint usage in VirtualMemoryCage::InitReservation() for
non-zero kReservedCodeRangePages and hint values provided by
CodeRangeAddressHint::GetAddressHint() which might be the start address
of the previously reserved region which in turn already includes the
kReservedCodeRangePages pages.
Bug: v8:11880, v8:12942
Change-Id: Ieee44ed2bdfc77aa8efaef449221caaae1f0f08f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695382
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81026}
This reverts commit 7787ed2007.
Reason for revert: Seems to break the archive bot (https://ci.chromium.org/ui/p/chromium/builders/ci/linux-archive-dbg/b8811978830853167601/overview)
Original change's description:
> Build cctest while building V8
>
> I noticed in a recent build that C++ files from cctest didn't start
> compiling until after several slow non-parallel tasks such as running
> mksnapshot and linking v8_for_testing. I don't see any reason that
> cctest sources should wait for those tasks, so in this change I propose
> adjusting the build dependencies for more parallelism.
>
> Change-Id: I2472117c8555ac397fa1232954c8b699d6429d38
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3690170
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Cr-Commit-Position: refs/heads/main@{#80976}
Change-Id: I1d22362080962b424c21232f63e8896a2cbe2bb4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695357
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81025}
We will not be able to modify flags after initializing V8 (soon).
The {SingleThreadedDefaultPlatformTest} was resetting flags during
teardown for no reason, as we do not support running multiple tests in a
row anyway. Thus remove that use of {SaveFlags} and just set the
--single-threaded flag before initializing V8.
R=ahaas@chromium.org
Bug: v8:12887
Change-Id: Ia89d442cf4b2fe2e12e258da5c0c9f1f871ded12
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695378
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81024}
Some temp register slots are only used in a short range at the begining
of a statement or expression. They can be released earlier to save a
slot for later use. After the change, we can see frame size reduced in
the switch, class literal and ForOf tests.
Bug: v8:12940
Change-Id: I17b412d89353206fc01248cb3eefd2c678bc4ebb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688565
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Yolanda Chen <yolanda.chen@intel.com>
Cr-Commit-Position: refs/heads/main@{#81021}
The error message held in {CompilationResult} was not null-terminated,
leading to ASan complaints. Just store it in a {std::string} and use
{c_str()} to get a properly null-terminated C-string.
Drive-by: Enable execution of the fuzzer tests.
R=ahaas@chromium.org
Bug: chromium:1334548, v8:12922
Change-Id: Iafcfd5ce77e49e2aa1ff0910d8718bcd51f83662
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695356
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81020}
Rolling v8/build: a568526..a789781
Rolling v8/buildtools/linux64: git_revision:37baefb026b199605affa7bcb24810d1724ce373..git_revision:fd6cae41bd7d5d255dc2fb96004a8bf74ac9d972
Rolling v8/buildtools/third_party/libc++abi/trunk: c30c515..11395e5
Rolling v8/buildtools/third_party/libunwind/trunk: 86ab9dd..1644d07
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/3a2e446..8a8c0b9
Rolling v8/third_party/depot_tools: 13c50b4..b3579d4
Rolling v8/third_party/fuchsia-sdk/sdk: version:8.20220531.3.1..version:8.20220608.4.1
Rolling v8/tools/clang: 4e79fda..2f657cfR=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com
Change-Id: I39b7245d9f2abc5c603049674f6599158eed159d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695962
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#81017}
Port commit e50d19cb11
Original Commit Message:
https://crrev.com/c/3471854 already disabled the RecordWrite builtin
specifically for incremental marking. Since this didn't regress performance as expected, we can now remove those versions of the
builtin.
This will simplify the barrier implementation a bit, but is also
required for the shared heap write barrier. Unlike the generational barrier, the shared heap barrier can't be elided for map values.
Change-Id: Ie84c77c0d633a5835580a976b3f11736a68cde62
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3696492
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#81016}
Add a simple, linear-time scheduler to check whether two nodes can be
scheduled to a same basic block without actually building basic blocks.
Bug: v8:12716
Change-Id: I20506f28a9126f881b7e4748f54b12551967ba76
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3388910
Reviewed-by: Almothana Athamneh <almuthanna@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Hao A Xu <hao.a.xu@intel.com>
Cr-Commit-Position: refs/heads/main@{#81015}
Currently the Isolate is gotten off of the object that the operation is
being performed on. Shared objects return the shared Isolate, which is
incorrect as it shouldn't be used to run JS, nor does it have
HandleScopes open. Plumb the executing Isolate through.
Bug: v8:12547
Change-Id: Ib7542c8cf63563d29f23fb03f86974c319ed88c4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3697456
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Luis Fernando Pardo Sixtos <lpardosixtos@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#81014}
The test should now be self-skipping without extra work
Bug: v8:12547
Change-Id: I0adf5d8745e19b17d2644587e416eb16063b210d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3694455
Reviewed-by: Milad Farazmand <mfarazma@redhat.com>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81013}
This saves one indirection when fetching the supertype array for
type checks.
Bug: v8:7748
Change-Id: I41ec5a190c1ccdd9112869c7cdf1748bef4b359a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688405
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81012}
Earlier, we had to introduce some temporary workarounds in Turbofan to
enable optimizations for common wasm-gc patterns. These are now not
required, since these optimizations are applied in WasmTyper and WasmGCOperatorReducer.
Bug: v8:7748
Change-Id: I3a7bc4bd2a8023a438ee4620934ff3fcb8bcfc6a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3693999
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81011}
This wraps CagedHeap in #if defined(CPPGC_CAGED_HEAP)
Bug: v8:12231
Change-Id: I8407abdd88c6a96b6c79c08e7039b5eb6f8175f9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695384
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Auto-Submit: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81010}
This is a reland of commit abcb6bb8b4.
The data race is fixed by using atomic operations.
Original change's description:
> [heap] Avoid dynamic updates of FLAG_gc_interval
>
> Flags will be protected from updates after V8 initialization (in the
> future). This CL avoids any updates of the --gc-interval flag during
> runtime, and instead updates a static field on the HeapAllocator
> directly.
>
> R=mlippautz@chromium.org
>
> Bug: v8:12887
> Change-Id: I17a495cae50a46d59a8159c6ece1558d4d61b949
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3687691
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80998}
Bug: v8:12887
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel_ng
Change-Id: Ib5b537500413a627d9b2509354d20906e0474d8e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695380
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81008}
This is a reland of commit c443858fa9
The original version included an operation which could left-shift
signed values, which is undefined behavior; the updated version masks
the value first to avoid the problem.
Original change's description:
> Allow lookup of matching scripts in Isolate compilation cache
>
> Currently, if the same script text is compiled multiple times with
> differing details (such as name, line number, or host-defined options),
> then multiple copies of that script are added to the Isolate's
> compilation cache. However, any attempt to look up those scripts can
> find only the first instance. This change makes the script compilation
> cache behave more consistently by checking the details while searching
> the hash table for a match, rather than after a potential match has been
> found.
>
> Bug: v8:12808
> Change-Id: Ic9da0bf74f359d4f1c88af89d585404f173056ee
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3671615
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Cr-Commit-Position: refs/heads/main@{#80919}
Bug: v8:12808
Change-Id: I494c3c9cc520b79f34247aab6618c40c854b9edc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3687070
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#81007}
The CL is a prerequisite for the shared cage. Instead of storing
state variables (is_incremental_marking_in_progress,
is_young_generation_enabled) in the cage metadata, the CL moves them to
HeapHandle. The HeapHandle pointer is now retrieved from page-headers.
To make sure that the write-barrier code is better optimized, the
HeapHandle definition is moved to internal/ headers. The part of
BasePage that contains HeapBase (i.e. HeapHandle) pointer is also
extracted and moved to the headers.
Bug: v8:12231
Change-Id: I44bf65d99a621d9548e4250386cf87476ca186ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3689730
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81005}
We previously missed out on turning ConsString objects into ThinStrings
due to the flattening step in StringTable::LookupString.
// Example input string:
string = cons("A", cons"B", "C"))
// After flatten:
string == cons("ABC", "")
// OLD: After internalising and thinning:
string == cons(#"ABC", "")
The new behaviour yields a thin string after internalising:
// NEW: After internalising and thinning:
string == thin(#"ABC")
Change-Id: I99bbebd52fa02ecfeb2289cb85b69f3e01175cdd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3667080
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81004}
Current method is passing no_reg as scratch and causes failure.
This CL copies the necessary parts from under ASSEMBLE_STORE_INTEGER
and passes r0 as scratch.
Change-Id: Iaa8477bed6ee73ad85514a390ceff4847d2c8c27
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695957
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#81003}
This reverts commit abcb6bb8b4.
Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20isolates/20029/overview
Original change's description:
> [heap] Avoid dynamic updates of FLAG_gc_interval
>
> Flags will be protected from updates after V8 initialization (in the
> future). This CL avoids any updates of the --gc-interval flag during
> runtime, and instead updates a static field on the HeapAllocator
> directly.
>
> R=mlippautz@chromium.org
>
> Bug: v8:12887
> Change-Id: I17a495cae50a46d59a8159c6ece1558d4d61b949
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3687691
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80998}
Bug: v8:12887
Change-Id: I18310a3f515506d617f42be7a208013957625eaf
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695559
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Owners-Override: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81002}
Anyone using CopyablePersistentTraits should be using v8::Global, so
deprecate it and fix the uses in V8.
Bug: v8:12915
Change-Id: I25e6f2a03e070db9e9af9bbd9ea8cbc0f838c5ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3669254
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81001}
If enabled, a signal handler is installed which intercepts memory access
violations (e.g. SIGSEGV) and checks whether they occurred inside the
sandbox address space, in which case the process is terminated cleanly
as this does not represent a (security) issue with the sandbox. However,
if the access violation occurred outside the sandbox, the access
violation is forwarded to the original signal handler.
The filter can be enabled in d8 by specifying
--enable-sandbox-crash-filter.
Bug: v8:12878
Change-Id: If9d76267e90ee79ee81ab793d7774afed6226b7c
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688408
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80999}
Flags will be protected from updates after V8 initialization (in the
future). This CL avoids any updates of the --gc-interval flag during
runtime, and instead updates a static field on the HeapAllocator
directly.
R=mlippautz@chromium.org
Bug: v8:12887
Change-Id: I17a495cae50a46d59a8159c6ece1558d4d61b949
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3687691
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80998}
... by default when fast W^X is enabled.
Bug: v8:12054
Change-Id: I242567a07aa323127e5f7cdcbf3a1a7d5708b923
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688518
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80995}
