1. 14 Mar, 2022 1 commit
  2. 08 Mar, 2022 1 commit
  3. 03 Mar, 2022 2 commits
  4. 18 Feb, 2022 1 commit
    • [compiler] Always use full version of RecordWrite builtin · 1b437aa8
      Dominik Inführ authored
      When we know that the value in a write barrier is a map, we know that
      we are not going to have an old-to-new reference (maps are always in
      old generation). Therefore we also don't really need the generational
      barrier in RecordWrite. While this is technically correct, we don't
      gain much from this optimization. The inline and out-of-line generated
      code for the barrier is still the same as in all other cases, which
      means that outside marking we don't even reach the RecordWrite builtin.
      Most write barrier executions happen outside incremental marking, hence
      performance of the incremental marking barrier isn't critical. This CL
      always uses the full RecordWrite builtin using a flag in order to
      allow for an easy revert.
      
      This CL is motivated by the shared heap work, which needs an additional
      always-on barrier in the future (similar to OLD_TO_NEW) to keep an
      OLD_TO_SHARED remembered set up-to-date. While maps are always in the
      old generation, they may be located in the shared heap.
      
      Bug: v8:11708
      Change-Id: I71a6ded2547a0b2bbb9bbbd796dbcae0987b2232
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3471854
      Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
      Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
      Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#79160}
      1b437aa8
  5. 17 Jan, 2022 1 commit
  6. 16 Dec, 2021 1 commit
    • Revert "Shorten generated code for binary-search switches" · c84bcd74
      Seth Brenith authored
      This reverts commit 00a757fa.
      
      Reason for revert: Caused perf regressions, https://crbug.com/1280236
      
      Original change's description:
      > Shorten generated code for binary-search switches
      >
      > On some branches of the search tree for a binary-search switch, the
      > input value is sufficiently constrained that we could unconditionally
      > jump to the last possible case rather than checking for value equality.
      > This shortens some builtins by a few instructions and might speed things
      > up, though I expect the effect to be small.
      >
      > Change-Id: I2313f26976e6d3c182f03bd927b338c8175b3af3
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3335437
      > Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
      > Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
      > Cr-Commit-Position: refs/heads/main@{#78376}
      
      Bug: chromium:1280236
      Change-Id: I88d9ff64641b85d48198b7012df2eeb9441913b5
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3343234
      Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
      Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
      Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
      Cr-Commit-Position: refs/heads/main@{#78397}
      c84bcd74
  7. 15 Dec, 2021 1 commit
    • V8 Sandbox rebranding · 277fdd1d
      Samuel Groß authored
      This CL renames a number of things related to the V8 sandbox.
      Mainly, what used to be under V8_HEAP_SANDBOX is now under
      V8_SANDBOXED_EXTERNAL_POINTERS, while the previous V8 VirtualMemoryCage
      is now simply the V8 Sandbox:
      
      V8_VIRTUAL_MEMORY_CAGE => V8_SANDBOX
      V8_HEAP_SANDBOX => V8_SANDBOXED_EXTERNAL_POINTERS
      V8_CAGED_POINTERS => V8_SANDBOXED_POINTERS
      V8VirtualMemoryCage => Sandbox
      CagedPointer => SandboxedPointer
      fake cage => partially reserved sandbox
      src/security => src/sandbox
      
      This naming scheme should simplify things: the sandbox is now the large
      region of virtual address space inside which V8 mainly operates and
      which should be considered untrusted. Mechanisms like sandboxed pointers
      are then used to attempt to prevent escapes from the sandbox (i.e.
      corruption of memory outside of it). Furthermore, the new naming scheme
      avoids the confusion with the various other "cages" in V8, in
      particular, the VirtualMemoryCage class, by dropping that name entirely.
      
      Future sandbox features are developed under their own V8_SANDBOX_X flag,
      and will, once final, be merged into V8_SANDBOX. Current future features
      are sandboxed external pointers (using the external pointer table), and
      sandboxed pointers (pointers guaranteed to point into the sandbox, e.g.
      because they are encoded as offsets). This CL then also introduces a new
      build flag, v8_enable_sandbox_future, which enables all future features.
      
      Bug: v8:10391
      Change-Id: I5174ea8f5ab40fb96a04af10853da735ad775c96
      Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3322981
      Reviewed-by: Hannes Payer <hpayer@chromium.org>
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Reviewed-by: Michael Achenbach <machenbach@chromium.org>
      Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      Commit-Queue: Samuel Groß <saelo@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#78384}
      277fdd1d
  8. 14 Dec, 2021 2 commits
    • Shorten generated code for binary-search switches · 00a757fa
      Seth Brenith authored
      On some branches of the search tree for a binary-search switch, the
      input value is sufficiently constrained that we could unconditionally
      jump to the last possible case rather than checking for value equality.
      This shortens some builtins by a few instructions and might speed things
      up, though I expect the effect to be small.
      
      Change-Id: I2313f26976e6d3c182f03bd927b338c8175b3af3
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3335437
      Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
      Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
      Cr-Commit-Position: refs/heads/main@{#78376}
      00a757fa
    • Always emit unconditional jump in binary-search switch · dd9d4c96
      Seth Brenith authored
      We probably expect a binary-search switch to take log(n) time in all
      cases, but there is currently a possibility of that expectation being
      broken. I'm not aware of any place where this actually happens, but if
      the default handler immediately follows the switch dispatch block in
      assembly order, then unconditional jump instructions for that handler
      would be omitted. This omission could cause linear execution time, where
      every case is checked before falling through to the default handler.
      
      This change introduces a new function to emit an unconditional jump
      instruction regardless of whether the target is the following block, and
      uses that new function when generating a binary-search switch to ensure
      consistently log(n) behavior.
      
      Change-Id: I5cab86fd66386762519035410e3b532dc6fd764c
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3335222
      Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
      Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
      Cr-Commit-Position: refs/heads/main@{#78370}
      dd9d4c96
  9. 02 Nov, 2021 1 commit
    • [wasm] Simplify 'ref' field for API-defined functions · 48b2b891
      Manos Koukoutos authored
      Design doc: https://bit.ly/3jEVgzz
      
      Summary:
      We change the context for WasmJSFunction and WasmCapiFunction from a
      tuple containing the instance to a triple WasmAPIFunctionRef =
      {isolate root, context, callable}. This way we do not have to maintain
      the correct instance at runtime. Also, a few places in the code get
      simplified.
      
      Changes:
      - In WasmGraphBuilder, support having a WasmAPIFunctionRef at parameter
        0.
      - Remove unpacking of (instance, callable) tuple from code generators.
      - Remove the part in WasmGraphBuilder and LiftoffCompiler that used to
        set the instance field of the function reference.
      - Modify code that handles the 'ref' field in wasm-objects.*, factory.*
        and c-api.cc.
      - Fix the recorded safepoint address for arm when calling a C function
        from wasm.
      - (Drive-by) Remove WasmAllocatePair.
      
      Bug: v8:11510
      Change-Id: I2a4ef3abaf9da36c4a2d85b434965a40a289b9ec
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3236719
      Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
      Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
      Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
      Reviewed-by: Maya Lekova <mslekova@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#77639}
      48b2b891
  10. 29 Oct, 2021 1 commit
    • Introduce CagedPointer · afd15549
      Samuel Groß authored
      A CagedPointer is guaranteed to point into the Virtual Memory Cage and
      will for example be used for ArrayBuffer backing stores when the heap
      sandbox is enabled. In the current implementation, CagedPointers are
      stored as offsets from the cage base, shifted to the left. Because the
      cage base address is usually available in a register, accessing a
      CagedPointer is very efficient, requiring only an additional shift and
      add operation.
      
      Bug: chromium:1218005
      Change-Id: Ifc8c088e3862400672051a8c52840514dee2911f
      Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3123417
      Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Reviewed-by: Jakob Gruber <jgruber@chromium.org>
      Commit-Queue: Samuel Groß <saelo@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#77614}
      afd15549
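The offset encoding described in the CagedPointer commit, as an added example that is not V8's own code: it models a caged pointer with a constructed 40-bit (1 TiB) cage, so stored values are offsets shifted left by 24, and shows why a corrupted field still decodes to an address inside the cage. The cage size, shift and base address are assumptions chosen for illustration.

```cpp
// Added example, not V8 code. Models the CagedPointer scheme: the field holds
// (address - cage_base) << shift, and decoding is one shift plus one add.
#include <cstdint>
#include <cstdio>

constexpr unsigned kCageBits = 40;                       // assumption: 1 TiB cage
constexpr unsigned kCagedPointerShift = 64 - kCageBits;  // 24 for a 40-bit cage
constexpr uint64_t kCageSize = uint64_t{1} << kCageBits;

bool IsInsideCage(uint64_t cage_base, uint64_t address) {
  return address >= cage_base && address - cage_base < kCageSize;
}

// Encode a raw address as a caged pointer. Returns false if the address is
// not inside the cage, since only in-cage addresses are representable.
bool EncodeCagedPointer(uint64_t cage_base, uint64_t address, uint64_t* out) {
  if (!IsInsideCage(cage_base, address)) return false;
  *out = (address - cage_base) << kCagedPointerShift;
  return true;
}

// Decode: the right shift leaves at most kCageBits of offset, so the result
// is in [cage_base, cage_base + kCageSize) no matter what the field held.
uint64_t DecodeCagedPointer(uint64_t cage_base, uint64_t stored) {
  return cage_base + (stored >> kCagedPointerShift);
}

// Round-trip helper: returns the decoded address, or 0 if encoding failed.
uint64_t RoundTrip(uint64_t cage_base, uint64_t address) {
  uint64_t stored = 0;
  if (!EncodeCagedPointer(cage_base, address, &stored)) return 0;
  return DecodeCagedPointer(cage_base, stored);
}

// Property check over constructed "corrupted" field contents: every value
// decodes to an in-cage address, which is what limits an out-of-bounds write
// to the field to the untrusted region.
bool CorruptedValuesStayInCage(uint64_t cage_base) {
  const uint64_t samples[] = {0, 1, 0xdeadbeefcafebabeULL, 0x7fffffffffffffffULL,
                              ~uint64_t{0}, uint64_t{1} << 63};
  for (uint64_t s : samples) {
    if (!IsInsideCage(cage_base, DecodeCagedPointer(cage_base, s))) return false;
  }
  return true;
}

int main() {
  const uint64_t base = 0x100000000000ULL;  // assumption: cage base at 2^44
  std::printf("round trip: 0x%llx\n", (unsigned long long)RoundTrip(base, base + 0x1234));
  std::printf("corrupted values stay in cage: %d\n", CorruptedValuesStayInCage(base));
}
```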
  11. 18 Oct, 2021 1 commit
  12. 01 Oct, 2021 1 commit
  13. 30 Sep, 2021 1 commit
  14. 24 Sep, 2021 2 commits
  15. 07 Sep, 2021 1 commit
  16. 20 Aug, 2021 1 commit
  17. 19 Aug, 2021 3 commits
  18. 13 Aug, 2021 1 commit
  19. 12 Aug, 2021 1 commit
  20. 04 Aug, 2021 1 commit
  21. 02 Aug, 2021 1 commit
  22. 28 Jun, 2021 1 commit
  23. 24 Jun, 2021 3 commits
  24. 14 Jun, 2021 1 commit
  25. 10 Jun, 2021 1 commit
  26. 07 Jun, 2021 1 commit
  27. 01 Jun, 2021 1 commit
  28. 19 May, 2021 1 commit
  29. 11 May, 2021 1 commit
  30. 10 May, 2021 2 commits
  31. 04 May, 2021 1 commit
  32. 21 Apr, 2021 1 commit