Commit Graph

134 Commits

Author SHA1 Message Date
Ben Smith
fae1ab03a9 [wasm] Fix crash serializing modules w/ big frames
When a wasm function has a large stack frame, the x64 code generator
performs the stack overflow check before constructing the frame. This
requires using the `address_of_real_stack_limit` external reference, as
well as the `ThrowWasmStackOverflow` runtime function.

`ThrowWasmStackOverflow` is called via a generated trampoline, but it is
not a builtin, so the serializer adds it to the `stub_lookup_` map. This
map is encoded by using a monotonically increasing `stub_id` that starts
at 0.

When the function is serialized, a stub is differentiated from a builtin
by which half of the `i32` bits is used, upper or lower. A stub only
uses the lower 16 bits and a builtin only uses the upper 16 bits.

The deserializer checks whether the lower 16 bits are 0; if so, it is
determined to be a builtin. But if the `stub_id` is 0, then it will be
confused with builtin 0 (`RecordWrite`). Calling the builtin instead of
the stub causes a crash.

This CL starts all `stub_id`s at 1, which prevents the builtin/stub
confusion.

There is an additional bug that is not fixed by this CL:
`ThrowWasmStackOverflow` shouldn't be called at all. Currently it is
called because `address_of_real_stack_limit` is a thread-local value
that is not properly relocated.

Bug: chromium:808848
Change-Id: I06b3e650ea58ad717dcc47a3716443e16582e711
Reviewed-on: https://chromium-review.googlesource.com/981687
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52252}
2018-03-27 18:34:06 +00:00
Eric Holk
ff43bbe613 [wasm] clear is_wasm_memory flag when neutering ArrayBuffers
Bug: chromium:825087
Change-Id: I2eb163e5399e98da75cd1e4ad6f0a62d6da4ae2c
Reviewed-on: https://chromium-review.googlesource.com/978840
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52198}
2018-03-24 00:30:23 +00:00
Eric Holk
d31dff841e [wasm] always allocate memory when guard regions are needed
When using trap handlers, memory references do not get any checks inserted. This
means there is no check for a null memory as happens when the memory size is
0. Normally this would be correctly caught as an out of bounds access, since the
low memory addresses are not normally mapped. However, if they were mapped for
some reason, we would not catch the out of bounds access.

The fix is to ensure WebAssembly instances always have a guard region even if
the memory is size 0.

This is a rewrite of 5e76ff5a4a

Note that this can lead to a large amount of unnecessary address space usage,
so we share a single reservation for empty array buffers.

Bug: chromium:769637

Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: Ia8e84be6d595e347d3d342959f2c374db1a3f683
Reviewed-on: https://chromium-review.googlesource.com/702657
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52163}
2018-03-22 19:44:17 +00:00
Clemens Hammacher
2589ea08e3 [Liftoff] Fix conditional spilling
On float comparisons, we need a scratch byte register for the setcc
instruction, and if none is available, we spill. But this spilling code
is skipped if one of the operands is NaN. The cache state is updated
however, so following code assumes that the spill happened.
This CL fixes this by spilling before checking for NaN, such that the
spilling code is always executed.

R=titzer@chromium.org

Bug: v8:7582, v8:6600
Change-Id: I768d8de14e494d3ebea181c1f9f3129a4b005396
Reviewed-on: https://chromium-review.googlesource.com/973961
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52162}
2018-03-22 18:45:17 +00:00
Clemens Hammacher
be1b2d66c0 [wasm] Fix deadlock on async compilation
See referenced bug: Async compilation can deadlock if a background task
queues the last compilation unit to be finished while the finisher
is already exiting because there was no more work.
This CL fixes this by making the finisher task check for new work after
setting the finisher_is_running_ flag to false.

R=ahaas@chromium.org
CC=kimanh@google.com

Bug: chromium:824681
Change-Id: If1f5700a9fdd5d150b36e37a5d14b692c2b0f3fb
Reviewed-on: https://chromium-review.googlesource.com/975301
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52139}
2018-03-22 11:57:21 +00:00
Clemens Hammacher
8bb41e8d94 [Liftoff] Fix stack slot overwrite
On ia32, the upper "half stack slot" must be located above the lower
half stack slot (in absolute address), hence the index is
"2 * index - 1" instead of "2 * index + 1". Note that the index
describes the negative offset from the stack pointer.

R=titzer@chromium.org

Bug: v8:7579
Change-Id: If207af405b126ab30043432d7934273e6e2a5330
Reviewed-on: https://chromium-review.googlesource.com/973301
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52116}
2018-03-21 15:38:39 +00:00
Clemens Hammacher
27e36250f7 [Liftoff][x64] Fix and optimize spilling i64 constants
There was a bug in spilling i64 constants, in that the half stack slot
*above* should have been filled with the high word instead of the one *below*.

Instead of just fixing this, this CL optimizes spilling x64 constants to the
stack by emitting shorter and faster code, especially if the constant fits in
31 bits (which is the majority of cases).

R=titzer@chromium.org

Bug: v8:7565,v8:6600
Change-Id: Id75ddafe82615930a84333a0c49bd515ccbcc093
Reviewed-on: https://chromium-review.googlesource.com/965062
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51985}
2018-03-16 11:05:11 +00:00
Clemens Hammacher
cc862e69c9 [Liftoff] Fix stack pointer corruption
During a C call, a previous value of the stack pointer is stored in a
platform specific callee saved register. Loading the out argument of the
C call might overwrite the value in that register, if the destination
register collides with the platform specific register. Hence, do first
use that register to restore the previous stack pointer, and only then
load the out argument.
Similarly, when pushing arguments to the stack, do first push all
values and then set the platform specific register in order to avoid
overwriting an argument value held in that register.

Drive-by: Fix offset computations for parameters pushed to the stack
for c calls.

R=titzer@chromium.org

Bug: chromium:820802,chromium:820896,chromium:820807,v8:6600
Change-Id: If4567467b7912454f0bd2cad5927233c98894b03
Reviewed-on: https://chromium-review.googlesource.com/959064
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51916}
2018-03-14 08:13:12 +00:00
Clemens Hammacher
a71e5f9a7b [wasm] Avoid integer overflow on function locals check
On 32-bit systems, the computation {count + type_list->size()} can
overflow, leading to memory corruption later on.

R=titzer@chromium.org

Bug: chromium:819869
Change-Id: Ic81d201e58211e3989b4e945cd52e98dc951fbda
Reviewed-on: https://chromium-review.googlesource.com/955025
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51817}
2018-03-08 17:00:55 +00:00
Clemens Hammacher
6195ebe160 [wasm] Fix DCHECK for lazy compilation
Table inits can contain imported functions, hence their code will be a
wasm-to-wasm wrapper.
Fix a DCHECK and add a regression test.

R=ahaas@chromium.org

Bug: chromium:817380
Change-Id: I836be589e1ae66839ccd470154c8dea488e6bc1f
Reviewed-on: https://chromium-review.googlesource.com/943107
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51685}
2018-03-02 09:48:11 +00:00
Clemens Hammacher
08a9e3eb20 [Liftoff] Fix get_use_count for register pairs
R=ahaas@chromium.org

Bug: v8:7508, v8:6600
Change-Id: I9eb04171eb489383bb746e2d04c6ffff304b7918
Reviewed-on: https://chromium-review.googlesource.com/942821
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51652}
2018-03-01 13:06:17 +00:00
Eric Holk
c137eb509d [typed arrays] GetBuffer returns old buffer for guarded buffers
This also adds a DCHECK that the buffer does not have guard pages in
MaterializeArrayBuffer because the code there does not know how correctly set up
a buffer with guard pages.

Bug: chromium:801849
Change-Id: Ic761fcdfbd16a2d6e87f4eb135f5d03b7aa2d71d
Reviewed-on: https://chromium-review.googlesource.com/938968
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51616}
2018-02-27 20:36:54 +00:00
Clemens Hammacher
a0e66bca78 [Liftoff][ia32] Handle overflow in memory offset
When generating a 64bit memory operation on ia32, we need to emit two
operations, one at {offset+4}, one at {offset}. The computation
{offset+4} can overflow, which is ok because
1) it won't be used for code generation later, and
2) the generated code will not be reached because the memory access is
   always out of bounds anyway.

R=ahaas@chromium.org

Bug: v8:7499, v8:6600
Change-Id: Ia4660688c3291700c48efc201d15fc370b4dd854
Reviewed-on: https://chromium-review.googlesource.com/939389
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51604}
2018-02-27 15:06:24 +00:00
Clemens Hammacher
6ac2579f23 [Liftoff] Fix result type of f64 binops
The result of an f64 binop was marked as f32 on Liftoffs value stack.
This lead to errors and is fixed in this CL.
I plan to clean up all binop implementions in a follow-up CL.

R=titzer@chromium.org

Bug: chromium:812005, v8:6600
Change-Id: I5bcd5c2e7d2b6170ef60f5e83cf2876b3475c38a
Reviewed-on: https://chromium-review.googlesource.com/924025
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51375}
2018-02-19 16:12:30 +00:00
Ben L. Titzer
73d6072166 [asm.js] Enforce maximum number of parameters for asm.js.
R=bradnelson@chromium.org

Bug: chromium:810973
Change-Id: I818c17ef03b27df72976048b1873fc3f3a368900
Reviewed-on: https://chromium-review.googlesource.com/914330
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51252}
2018-02-12 19:42:12 +00:00
Andreas Haas
384ac3cde9 [wasm] Reexported wasm functions should be identical to imports
According to the spec, if an imported function gets exported, the
exported function has to be identical to to imported function.

With this CL we initialize the list of potential js_wrappers_ with all
wasm function we imported. Therefore no new wrappers are generated for
these functions.

R=clemensh@chromium.org

Bug: v8:7364
Change-Id: Ibcd47d8fcc4c2fb5740d57ea547fbd01c2a4e80a
Reviewed-on: https://chromium-review.googlesource.com/901626
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51244}
2018-02-12 14:27:18 +00:00
Clemens Hammacher
3c47499881 [Liftoff] Fix caller frame slots generated from stack values
Because of missing parentheses, the computation of the "half index" was
wrong, and always produced 0 or 1.
Also, for non-pairs, we were still passing kHighWord for the
RegPairHalf.

R=ahaas@chromium.org

Bug: v8:7422, v8:6600
Change-Id: If056aa8005d4b44e667b7d76b9be49ec0191d0eb
Reviewed-on: https://chromium-review.googlesource.com/908554
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51175}
2018-02-08 13:47:20 +00:00
Michael Starzinger
61391f366b [wasm] Ensure WasmCode always has protected instructions.
R=clemensh@chromium.org
TEST=mjsunit/regress/wasm/regress-808012
BUG=chromium:808012

Change-Id: Ia1e4527c6c845ffd01ecf5c7fa13b8b484d6ef6e
Reviewed-on: https://chromium-review.googlesource.com/899122
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51103}
2018-02-05 22:01:56 +00:00
Choongwoo Han
34a8204a1e [wasm] Set wasm_compiled_module for script of deserialized module
Bug: chromium:808980
Change-Id: I7a89c6e30f473821f676fd5771365103072c78f1
Reviewed-on: https://chromium-review.googlesource.com/901306
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51099}
2018-02-05 16:48:00 +00:00
Clemens Hammacher
ad98ba7773 [Liftoff] Fix register spilling on stack transfer
When moving arguments for calls into the right registers and stack
slots, we were sometimes overwriting stack slots which would still be
used later to load arguments from. This is because we popped the (wasm)
value stack before executing the register moves, hence the stack
transfer would think the values are not being used any more and reuse
the stack slots.
With this CL, we only pop the arguments from the stack after executing
the stack transfer.

R=ahaas@chromium.org

Bug: v8:7366, v8:6600
Change-Id: I3aa5126c82634fd281959075e91e73465c39abaa
Reviewed-on: https://chromium-review.googlesource.com/883802
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50853}
2018-01-24 19:42:48 +00:00
Clemens Hammacher
ecb3afcaed [Liftoff] Fill registers as the right type
When spilling a value to the stack, make sure to fill it as the same
type later. Otherwise, we might load garbage from the stack and violate
the assumption that the upper 32 bits of a 64 bit register are zero if
it currently holds a 32 bit value.

R=titzer@chromium.org

Bug: v8:7353, v8:6600
Change-Id: I7f2b1b31b7f3c13aa152c682cb59400fb5a3ebf0
Reviewed-on: https://chromium-review.googlesource.com/880682
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50797}
2018-01-23 11:45:15 +00:00
Michael Starzinger
e11c57fe9e [wasm] Remove {NativeModule::lazy_builtin} field.
This removes the field in question to make it simpler to serialize and
deserialize modules without having to worry about the state of lazy
compilation. It is always possible to clone a non-anonymous builtin,
even without having this module-wide field.

R=clemensh@chromium.org
TEST=mjsunit/regress/wasm/regress-803427
BUG=chromium:803427

Change-Id: I72041e314eb6ee92859d45f1db0ed8500003edc4
Reviewed-on: https://chromium-review.googlesource.com/878581
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50771}
2018-01-22 17:27:15 +00:00
Clemens Hammacher
d414d80d25 [wasm] Fix printing of reloc info on the native heap
Tag RelocInfo which belongs to native wasm code, and fix printing to
not try to access the Code object for CODE_TARGET, but rather just
print "(wasm trampoline)".

Bug: chromium:801785

R=mstarzinger@chromium.org

Change-Id: I84a37f0c48ed7397cccf677b4d0f0352e5aceb9d
Reviewed-on: https://chromium-review.googlesource.com/875271
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50758}
2018-01-22 13:49:21 +00:00
Michael Starzinger
f30a86c8d3 [wasm] Fix lazy compilation with native-heap code.
This fixes a corner-case with lazy compilation in WebAssembly where
native-heap code did not expect to see WASM-to-JS wrappers in tables.

R=clemensh@chromium.org
TEST=mjsunit/regress/wasm/regress-803788
BUG=chromium:803788

Change-Id: Ie44b5c9efe2b171e1915295bb95d6cb61dfab3dc
Reviewed-on: https://chromium-review.googlesource.com/878262
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50755}
2018-01-22 13:11:11 +00:00
Clemens Hammacher
cb903d803e [Liftoff] Fix registers spilling
The method {SpillAllRegisters} should really just spill registers, and
not also constants. Also, since more code is inlined into that method
now, we can optimize it to update register use counters only once in
the end, since no used register should be left after executing this
method.

R=titzer@chromium.org

Bug: v8:6600, chromium:802244
Change-Id: I737a1a87f8e912151062224952c4f5dffd43f802
Reviewed-on: https://chromium-review.googlesource.com/868022
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50644}
2018-01-17 09:41:04 +00:00
Michael Starzinger
0465c7607a [wasm] Fix serialization of empty modules.
This fixes a corner-case in the {NativeModuleSerializer} with modules
that do not contain any functions in the code table.

R=ahaas@chromium.org
TEST=mjsunit/regress/wasm/regress-801850
BUG=chromium:801850

Change-Id: I30cc3a26f30d8653fba2d7b99715830d12300ac2
Reviewed-on: https://chromium-review.googlesource.com/866773
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50581}
2018-01-15 14:25:18 +00:00
Clemens Hammacher
29e4696ade [Liftoff] Fix i32.eqz on ia32
Ensure that for setcc, we only use a byte register as destination
register.

R=titzer@chromium.org

Bug: v8:6600, chromium:800756
Change-Id: Ie33f3faf602e7eda845205ba0ed2d9966460fd54
Reviewed-on: https://chromium-review.googlesource.com/860640
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50508}
2018-01-11 14:55:24 +00:00
Andreas Haas
1016e6257d [d8] Run the message loop in the same RealmScope as the script
In d8 a script is executed in a RealmScope. However, all micro task
which are created by the script are not executed within the RealmScope
at the moment. With this CL I move the execution of the micro task into
the RealmScope.

I thought about creating a new RealmScope for the micro tasks, but
(1) It did not fix the crashing repro;
(2) It seems wrong that the micro tasks are executed in a different
    realm than the script;

Therefore I just moved the execution of the micro tasks into the
RealmScope of the script.

Thereby I moved the execution tasks also into the Context::Scope of the
script. The problem is that the Context::Scope surrounds the RealmScope,
and when I to open the RealmScope before the Context::Scope, not even
the execution of the script works anymore.

R=yangguo@chromium.org

Bug: chromium:797846
Change-Id: If152af282beec8f0b0564dcc9682fee8588e142c
Reviewed-on: https://chromium-review.googlesource.com/856497
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50442}
2018-01-09 13:51:41 +00:00
Clemens Hammacher
9678c5320d [Liftoff] Fix redundant register moves
Moving a register to itself is not only unnecessary overhead, it also
breaks invariants in the StackTransferRecipe.

R=ahaas@chromium.org

Bug: v8:6600, chromium:793551
Change-Id: I659fd66b4f2d4564c437ed9fb048322af4299d97
Reviewed-on: https://chromium-review.googlesource.com/819231
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49992}
2017-12-11 13:47:02 +00:00
Clemens Hammacher
9a91669f40 [Liftoff] Fix cache state initialization
Ensure that the type is always stored correctly.

R=titzer@chromium.org

Bug: v8:6600, chromium:791810
Change-Id: Id3a3c20b14f8730b9550c548dec49ac47121e691
Reviewed-on: https://chromium-review.googlesource.com/811188
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49924}
2017-12-07 10:51:46 +00:00
Ben L. Titzer
b6ca58e57e Reland "[wasm] Gracefully handle malformed custom sections in WebAssembly.Module.customSections()."
This is a reland of 163c1c8262
Original change's description:
> [wasm] Gracefully handle malformed custom sections in WebAssembly.Module.customSections().
> 
> R=clemensh@chromium.org
> BUG=chromium:789952
> 
> Change-Id: Ida627fa6cdeacff01a0ec4d20e58281f17528010
> Reviewed-on: https://chromium-review.googlesource.com/800941
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49767}

Bug: chromium:789952
Change-Id: Ie17629b3fcbf2d5f78c83be2aa2a6b904a61f3ab
Reviewed-on: https://chromium-review.googlesource.com/803575
Commit-Queue: Ben L. Titzer <titzer@google.com>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49796}
2017-12-01 14:39:57 +00:00
Clemens Hammacher
b9a649c1ce Revert "[wasm] Gracefully handle malformed custom sections in WebAssembly.Module.customSections()."
This reverts commit 163c1c8262.

Reason for revert: Throws std::bad_alloc on linux: https://build.chromium.org/p/client.v8/builders/V8%20Linux/builds/21927; needs investigation.

Original change's description:
> [wasm] Gracefully handle malformed custom sections in WebAssembly.Module.customSections().
> 
> R=​clemensh@chromium.org
> BUG=chromium:789952
> 
> Change-Id: Ida627fa6cdeacff01a0ec4d20e58281f17528010
> Reviewed-on: https://chromium-review.googlesource.com/800941
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49767}

TBR=titzer@chromium.org,clemensh@chromium.org

Change-Id: I63fbd8f55025f53c453e91d0f7a181c21ae53a39
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:789952
Reviewed-on: https://chromium-review.googlesource.com/801554
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49768}
2017-11-30 19:07:55 +00:00
Ben L. Titzer
163c1c8262 [wasm] Gracefully handle malformed custom sections in WebAssembly.Module.customSections().
R=clemensh@chromium.org
BUG=chromium:789952

Change-Id: Ida627fa6cdeacff01a0ec4d20e58281f17528010
Reviewed-on: https://chromium-review.googlesource.com/800941
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49767}
2017-11-30 18:25:09 +00:00
Clemens Hammacher
1cec66d31b [Liftoff] Don't force unrelated stack slots into registers
When initializing the stack state at a merge point, don't force all
stack slots into registers. Allow constants to stay constants as long
as they are not part of the merge. Otherwise we might break assumptions
of outer blocks which then try to merge a register into a constant and
fail.
Also, add some documentation to {InitMergeStackSlot} to document the
intent of the implementation.

R=titzer@chromium.org

Bug: v8:784050, v8:6600
Change-Id: I3a4c83b446909027be075d3207cb7c748a6b1aad
Reviewed-on: https://chromium-review.googlesource.com/766353
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49423}
2017-11-16 17:34:17 +00:00
Clemens Hammacher
359e69e183 Reland "[Liftoff] Implement parallel register moves"
This is a reland of 6c6132880a
Original change's description:
> [Liftoff] Implement parallel register moves
> 
> This was not implemented so far, leading to lots of clusterfuzz issues.
> Testing this feature would require complicating the interface a lot and
> exposing more implementation details in the header file, hence we just
> go with regression tests for now.
> 
> R=ahaas@chromium.org, titzer@chromium.org
> 
> Bug: v8:6600, chromium:782280
> Change-Id: I12863f3eb59a8dffdcc7d3bfb8e1f0ae0eec15ee
> Reviewed-on: https://chromium-review.googlesource.com/758772
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49286}

Bug: v8:6600, chromium:782280
Change-Id: I82a75bfeaf83dc63a2917da3ccdc4721c5d689e7
Reviewed-on: https://chromium-review.googlesource.com/763387
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49292}
2017-11-10 12:18:08 +00:00
Clemens Hammacher
5a6cc315f8 Revert "[Liftoff] Implement parallel register moves"
This reverts commit 6c6132880a.

Reason for revert: breaks compilation on win64 bot: https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20msvc/builds/69

Original change's description:
> [Liftoff] Implement parallel register moves
> 
> This was not implemented so far, leading to lots of clusterfuzz issues.
> Testing this feature would require complicating the interface a lot and
> exposing more implementation details in the header file, hence we just
> go with regression tests for now.
> 
> R=​ahaas@chromium.org, titzer@chromium.org
> 
> Bug: v8:6600, chromium:782280
> Change-Id: I12863f3eb59a8dffdcc7d3bfb8e1f0ae0eec15ee
> Reviewed-on: https://chromium-review.googlesource.com/758772
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49286}

TBR=titzer@chromium.org,ahaas@chromium.org,clemensh@chromium.org

Change-Id: I386983da7f9f03d54cef2190b01fd2cc5785966e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6600, chromium:782280
Reviewed-on: https://chromium-review.googlesource.com/763367
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49289}
2017-11-10 10:04:35 +00:00
Clemens Hammacher
6c6132880a [Liftoff] Implement parallel register moves
This was not implemented so far, leading to lots of clusterfuzz issues.
Testing this feature would require complicating the interface a lot and
exposing more implementation details in the header file, hence we just
go with regression tests for now.

R=ahaas@chromium.org, titzer@chromium.org

Bug: v8:6600, chromium:782280
Change-Id: I12863f3eb59a8dffdcc7d3bfb8e1f0ae0eec15ee
Reviewed-on: https://chromium-review.googlesource.com/758772
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49286}
2017-11-10 09:47:32 +00:00
Clemens Hammacher
3c483de7df [wasm] Mark C_WASM_ENTRY as no tagged_params
The C_WASM_ENTRY only calls wasm code, so (outgoing) parameters of this
code are always untagged.

R=ahaas@chromium.org

Bug: v8:7049
Change-Id: I989908eea668bd56aa88f3f1744105d218584ef1
Reviewed-on: https://chromium-review.googlesource.com/758245
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49221}
2017-11-08 12:55:17 +00:00
Clemens Hammacher
c7ad5652d3 [Liftoff] Fix register reuse in merge init
When initializing the cache state for a merge, we should never use
registers multiple times. Other code paths leading to the same merge
point might provide different values for the different slots there.

R=ahaas@chromium.org

Bug: v8:7035, v8:6600
Change-Id: I8e409b494af0fdc1a5045ec04571611b97fcaf86
Reviewed-on: https://chromium-review.googlesource.com/754816
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49150}
2017-11-06 17:35:07 +00:00
Clemens Hammacher
407cfc02eb [Liftoff] Fix binop code generation bug
If the destination register of a binop is the same register as the
right hand side, we would first move the left hand side into that
register (overwriting the value of the rhs), and then use the rhs.
This CL fixes this issue and adds a regression test.

R=ahaas@chromium.org

Bug: v8:6600, v8:7033
Change-Id: Ief90b5bcffc65823037bc57fb00741b2448e6375
Reviewed-on: https://chromium-review.googlesource.com/753462
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49137}
2017-11-06 11:45:44 +00:00
Andreas Haas
793c52ed26 [wasm] Improve stack check in the interpreter
The existing stack check only checked the number of stack frames on the
stack, not the actual size of the stack frames. In the test case, each
stack frame is huge, and the interpreter runs out of memory before the
stack check stops the execution. With this change we take the size of
the value stack and the size of the control stack and compare their sum
to the stack limit of V8. Note that this stack limit is kind of
arbitrary, because the stack space of the interpreter is not on the
actual runtime stack but allocated in zone memory, and the stack check
exists to simulate stack overflows in compiled code, not to prevent
actual stack overflows.

R=clemensh@chromium.org
TEST=mjsunit/regress/wasm/regress-778917

Bug: chromium:778917
Change-Id: Ife47631fcb1a178a68facab1e42c0069b12c0155
Reviewed-on: https://chromium-review.googlesource.com/744003
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49071}
2017-11-02 10:10:27 +00:00
Andreas Haas
a99423c389 Revert "[test] Refactor assertPromiseResult"
This reverts commit 361bb1a047.

Reason for revert: See https://crbug.com/v8/6981

BUG=v8:6981

Original change's description:
> [test] Refactor assertPromiseResult
>
> This patch introduces assertPromiseFulfills and assertPromiseFulfills as
> a replacement for assertPromiseResult because it’s more JavaScript-y.
>
> BUG=v8:6921
> R=ahaas@chromium.org
>
> Also-By: ahaas@chromium.org
> Change-Id: I2f865dba3992ddf3b58987bf0b376d143edb5c31
> Reviewed-on: https://chromium-review.googlesource.com/718746
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48578}

Change-Id: Ie760d2422451f16acc616aae001fe9fd18bf5cd4
Reviewed-on: https://chromium-review.googlesource.com/738249
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48936}
2017-10-25 14:42:25 +00:00
Clemens Hammacher
bb56b7ecad [asm.js] Limit number of local variables
We have an internal limit of 50000 local variables per wasm function.
This limit is checked when decoding the function body. For asm.js, we
skip function body validation, since by construction the code we
generate is correct. This makes us fail unexpectedly when trying to
(lazily) compile an asm.js function with more than 50000 locals.
Hence, check this limit in the asm parser and bail out if it is
exceeded.

R=mstarzinger@chromium.org

Bug: chromium:775710
Change-Id: I89d2069e133fb0f84947d477ae1ac5eda85571aa
Reviewed-on: https://chromium-review.googlesource.com/732660
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48929}
2017-10-25 12:45:36 +00:00
Deepti Gandluri
5f960dfc06 [wasm] Fix Memory.grow when shared with asm.js modules
If the buffer associated with WebAssembly.Memory is used as memory
for asm.js modules, throw a range error on Memory.Grow.

Bug: chromium:776677
Change-Id: Iebcd7797fa7724002dd8073d1dbaeb98f080d316
Reviewed-on: https://chromium-review.googlesource.com/731844
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48837}
2017-10-23 15:49:03 +00:00
Ben L. Titzer
b2199faf52 g# Enter a description of the change.
[wasm] Fix signature canonicalization for error case.

The decoder should not attempt to insert null signatures into the SignatureMap.

R=ahaas@chromium.org

Bug: chromium:775366
Change-Id: I0fbc0547dbf00fd25d37271a03b6756481a4c6a1
Reviewed-on: https://chromium-review.googlesource.com/730752
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48793}
2017-10-20 14:00:34 +00:00
Eric Holk
ef2036a4e7 [wasm] add a test for accidental sign extension
The bug reference has been fixed, probably due to the new WasmContext
changes. We should keep a regression test for this anyway though.

Bug: v8:6931
Change-Id: Ie9d94690e764498d2153691d96414d0d26258794
Reviewed-on: https://chromium-review.googlesource.com/727022
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48712}
2017-10-19 04:09:21 +00:00
Ben L. Titzer
bff42d3594 [wasm] Add regression tests for some recently fixed WasmInterpreter issues.
R=clemensh@chromium.org

Bug: chromium:766003,chromium:772332,chromium:771243
Change-Id: I1e2df014f31a87fd94154277d1a415ec359d42df
Reviewed-on: https://chromium-review.googlesource.com/721666
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48635}
2017-10-17 12:04:40 +00:00
Ben L. Titzer
9fe36eca64 [test] Shorten regression-*.js filenames to regress-*.js
R=rossberg@chromium.org

Bug: 
Change-Id: Icac33dc87dd660173e5a45d02b31be46f7d1cb2d
Reviewed-on: https://chromium-review.googlesource.com/721550
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Andreas Rossberg <rossberg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48632}
2017-10-17 11:13:26 +00:00
Mathias Bynens
361bb1a047 [test] Refactor assertPromiseResult
This patch introduces assertPromiseFulfills and assertPromiseFulfills as
a replacement for assertPromiseResult because it’s more JavaScript-y.

BUG=v8:6921
R=ahaas@chromium.org

Also-By: ahaas@chromium.org
Change-Id: I2f865dba3992ddf3b58987bf0b376d143edb5c31
Reviewed-on: https://chromium-review.googlesource.com/718746
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48578}
2017-10-16 08:39:15 +00:00
Clemens Hammacher
ab0266e21e [wasm] Fix regression test
Repeatedly allocating >1GB fails on stress bots, hence run a GC
in-between to free the array buffer.

R=titzer@chromium.org
CC=​mlippautz@chromium.org, ulan@chromium.org

Bug: v8:6924
Change-Id: I44761e83f62b8225148eecbc569748cd3be21d6a
Reviewed-on: https://chromium-review.googlesource.com/718109
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48541}
2017-10-13 12:36:47 +00:00