- 27 Apr, 2022 40 commits
-
Adam Klein authored
This reverts commit 9d31f866.

Reason for revert: crashes on Mac/arm64 bots: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Mac%20-%20arm64%20-%20debug/5923/overview

Original change's description:
> [rwx][mac] Support fast W^X permission switching on Apple Silicon (M1)
>
> ... for V8 code space. The feature is currently disabled.
>
> In order to use fast W^X permission switching we must allocate
> executable pages with readable writable executable permissions (RWX).
> However, MacOS on ARM64 ("Apple M1"/Apple Silicon) prohibits further
> permission changing of RWX memory pages. This means that the code page
> headers must be allocated with RWX permissions too because otherwise
> it wouldn't be possible to allocate a large code page over the freed
> regular code page and vice versa.
>
> When enabled, the new machinery works as follows:
>
> 1) when memory region is reserved for allocating executable pages, the
> whole region is committed with RWX permissions and then decommitted,
> 2) since reconfiguration of RWX page permissions is not allowed on
> MacOS on ARM64 ("Apple M1"/Apple Silicon), there must be no attempts
> to change them,
> 3) the request to set RWX permissions in the executable page region
> just recommits the pages without changing permissions (see (1), they
> were already allocated as RWX and then discarded),
> 4) in order to make executable pages inaccessible one must use
> OS::DiscardSystemPages() instead of OS::DecommitPages() or
> setting permissions to kNoAccess because the latter two are not
> allowed by the MacOS (see (2)).
> 5) since code space page headers are allocated as RWX pages it's also
> necessary to switch between W^X modes when updating the data in the
> page headers (i.e. when marking, updating stats, wiring pages in
> lists, etc.). The new CodePageHeaderModificationScope class is used
> in the respective places. On unrelated configurations it's a no-op.
>
> The fast permission switching can't be used for V8 configuration with
> enabled pointer compression and disabled external code space because
> a) the pointer compression cage has to be reserved with MAP_JIT flag
> which is too expensive,
> b) in case of shared pointer compression cage if the code range will
> be deleted while the cage is still alive then attempt to configure
> permissions of pages that were previously set to RWX will fail.
>
> This CL also extends the unmapper unit tests with permissions tracking
> for discarded pages.
>
> Bug: v8:12797
> Change-Id: Idb28cbc481306477589eee9962d2e75167d87c61
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3579303
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80238}

Bug: v8:12797
Change-Id: Ic07948e036db36326d464a2a901d052aa060a406
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3611665
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80239}
-
Igor Sheludko authored
... for V8 code space. The feature is currently disabled.

In order to use fast W^X permission switching we must allocate executable pages with readable writable executable permissions (RWX). However, MacOS on ARM64 ("Apple M1"/Apple Silicon) prohibits further permission changing of RWX memory pages. This means that the code page headers must be allocated with RWX permissions too because otherwise it wouldn't be possible to allocate a large code page over the freed regular code page and vice versa.

When enabled, the new machinery works as follows:

1) when memory region is reserved for allocating executable pages, the whole region is committed with RWX permissions and then decommitted,
2) since reconfiguration of RWX page permissions is not allowed on MacOS on ARM64 ("Apple M1"/Apple Silicon), there must be no attempts to change them,
3) the request to set RWX permissions in the executable page region just recommits the pages without changing permissions (see (1), they were already allocated as RWX and then discarded),
4) in order to make executable pages inaccessible one must use OS::DiscardSystemPages() instead of OS::DecommitPages() or setting permissions to kNoAccess because the latter two are not allowed by the MacOS (see (2)).
5) since code space page headers are allocated as RWX pages it's also necessary to switch between W^X modes when updating the data in the page headers (i.e. when marking, updating stats, wiring pages in lists, etc.). The new CodePageHeaderModificationScope class is used in the respective places. On unrelated configurations it's a no-op.

The fast permission switching can't be used for V8 configuration with enabled pointer compression and disabled external code space because
a) the pointer compression cage has to be reserved with MAP_JIT flag which is too expensive,
b) in case of shared pointer compression cage if the code range will be deleted while the cage is still alive then attempt to configure permissions of pages that were previously set to RWX will fail.

This CL also extends the unmapper unit tests with permissions tracking for discarded pages.

Bug: v8:12797
Change-Id: Idb28cbc481306477589eee9962d2e75167d87c61
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3579303
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80238}
-
Camillo Bruni authored
Runtime and Builtin functions should always return the exception object as a marker if there is a pending_exception on the current isolate.

Change-Id: I7c255aa501800384c288664a9ca6578afbe0a103
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3610449
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80237}
-
Camillo Bruni authored
Change-Id: Iec93e286c8067453cc1f9a978fa09b8734999f83
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3596159
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80236}
-
Clemens Backes authored
If the debug handler (called via {OnDebugBreak}) requests termination of the isolate, this would only get considered on the next stack check, where it is turned into a proper termination exception. Handling this correctly is further complicated by the {DebugScope} blocking any handling of interrupts via the included {PostponeInterruptsScope}.

Hence this CL refactors the code to call any debug handlers in a second function which has the {DebugScope}, and to check for interrupts after leaving that scope.

R=thibaudm@chromium.org
CC=bmeurer@chromium.org

Bug: chromium:1319343
Change-Id: Ia2df0f2610d50eedc6437841c4bf1d2ad3ac9125
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3605228
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80235}
-
Milad Fa authored
Tests run out of code space on ppc as the size exceeds 32MB. More details can be found under the comment section of this CL: https://crrev.com/c/3605814.

Bug: v8:11577
Change-Id: Iadfbc3b9618a0873f5f08a030b799d5761946671
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3610628
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80234}
-
Frank Tang authored
Bug: v8:7834
Change-Id: Iedd97d665df91ccbdceaaeb68d936b210c31b662
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3611662
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80233}
-
Frank Tang authored
https://chromium.googlesource.com/external/github.com/tc39/test262/+log/33a5433d..8f5c7aed093

Bug: v8:7834
Change-Id: I0b1419127becef463044a5c1b62fb45a2a9569ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3606546
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80232}
-
Nikolaos Papaspyrou authored
This is a follow-up to https://crrev.com/c/3581774. It inlines method GCTracer::Scope::Name so that the calculation of the name of the trace event can be performed at compile time and optimized away, at most call sites.

This is a reland of 370cae1d which was reviewed here: https://crrev.com/c/3602511

Bug: chromium:1318062
Change-Id: I617fcad07448ebbd63790600a071e51964baf85c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3605811
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80231}
-
Camillo Bruni authored
Check that we don't accidentally end up entering a microtask if we have a pending terminating exception.

Bug: chromium:1319267
Change-Id: Id1ec7e3deb39aa18f08c363e17bb8df599379d66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3610624
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80230}
-
Jakob Linke authored
This reverts commit b36c87e3.

Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20noi18n%20-%20debug/42210/overview

Original change's description:
> [test] Move cctest/test-regexp to unittests
>
> ... /regexp/regexp-unittest.
>
> Bug: v8:12781
> Change-Id: I3c3ba4c519ff503b242c39d0e3b2350f25d7e84c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3607370
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: 王澳 <wangao.james@bytedance.com>
> Cr-Commit-Position: refs/heads/main@{#80217}

Bug: v8:12781
Change-Id: I0c5fae4b156df0a305b83acfa639bb0ff6eeb87f
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3610626
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80229}
-
Omer Katz authored
ToSpaceContainsSlow is only called from Heap::InSpaceSlow, which is never used for new space. FromSpaceContains is never called. ToSpaceContains is called from unittests and from Heap::Contains, and replacing it with NewSpace::Contains should keep things fast as that one relies on a page flag.

Bug: v8:12612
Change-Id: I58d63a85fd66aa27f9c4a7794e21838a59aab3d0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3610447
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80228}
-
Milad Fa authored
Tests were moved from cctest to unittests under this CL: https://crrev.com/c/3607370

Bug: v8:12781
Change-Id: If625e0dda51034e731c5e7fe87d591dce9804888
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3611182
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#80227}
-
George Wort authored
Allow live ranges to be displayed beside the instruction sequence in turbolizer.

Bug: v8:7327
Change-Id: Idec5130655ccc9365dd32ec6927d8615a3e5c570
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3585960
Commit-Queue: George Wort <george.wort@arm.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80226}
-
Leszek Swirski authored
Bug: v8:7700
Change-Id: I44b5fd2172522034bfe9566ab314dc93e05b2e80
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3610425
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80225}
-
Sergey Ulanov authored
Previously the POSIX version of TimeTicks::Now() was used on Fuchsia. It's more efficient to call zx_clock_get_monotonic() directly.

Bug: chromium:1317914
Change-Id: I56da954a2567bcb866100c157878176bcb7cf319
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3595601
Auto-Submit: Sergey Ulanov <sergeyu@chromium.org>
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80224}
-
Camillo Bruni authored
Change-Id: Ib94979f4cf7f52a1544f2b3c0d51c0266a4fa14c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3586985
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80223}
-
Camillo Bruni authored
Bug: v8:12795, chromium:1316443
Change-Id: I0ecaf8ebbf1a83d0d5b305fd014bc5a765c0d2f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3610446
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80222}
-
Leszek Swirski authored
Add an unboxing double field load node, and fix a couple of locations where it might be used enough to pass tests.

Bug: v8:7700
Change-Id: Ic134484e87a4fa363cbd8a3de667ac8e8116d502
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3610623
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80221}
-
Nico Hartmann authored
This reverts commit f196c878.

Reason for revert: https://crbug.com/v8/12838

Original change's description:
> [test] Move cctest/test-log to unittests/logging/log-unittest
>
> Bug: v8:12781
> Change-Id: If94de50440b15f000ff2f961f2dd77abd9c90ca4
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3607389
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: 王澳 <wangao.james@bytedance.com>
> Cr-Commit-Position: refs/heads/main@{#80209}

Bug: v8:12781
Change-Id: I9e2d9496f16581ebbb851fb207191d6b77b51c0d
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3610448
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#80220}
-
Al Muthanna Athamina authored
Bug: v8:12023
Change-Id: I6feed0560daa89c363b37f735510d5c3aac4567a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3610443
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Almothana Athamneh <almuthanna@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80219}
-
Leszek Swirski authored
This fixes the ordering of DCHECKs which expect the value to not be in the free list yet when it is dropped.

Bug: v8:7700
Change-Id: Ifb85d0e20cfe5c083d1f2bc971817143265fdc7f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3610444
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80218}
-
jameslahm authored
... /regexp/regexp-unittest.

Bug: v8:12781
Change-Id: I3c3ba4c519ff503b242c39d0e3b2350f25d7e84c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3607370
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#80217}
-
Liu Yu authored
Port commit 91453880

Bug: v8:12161
Change-Id: If2a465a80387d08df885e72e07b16962b6bc5d8b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3609227
Auto-Submit: Yu Liu <liuyu@loongson.cn>
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#80216}
-
jameslahm authored
... /objects/object-unittest.

Bug: v8:12781
Change-Id: I48156098cf2ce216b8231a05dd68cfa96e04911d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3607388
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#80215}
-
Victor Gomes authored
CheckedFloat64Unbox mutates the input value, but the register allocator does not expect this behaviour and propagates a wrong value in the register. In particular, we deopt with the wrong value if the second Float64Unbox in a Float64Add needs to deopt.

This fixes the input value after we convert to double.

Bug: v8:7700
Change-Id: Ib89573e9f728dc3a34b817fc84f1afcb96f14d18
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3610422
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80214}
-
Thibaud Michaud authored
The JS import returns a tagged value, not a value of the machine representation that corresponds to the signature's return type, since it hasn't been converted yet.

R=ahaas@chromium.org

Bug: v8:12191
Change-Id: I0783af85eed9c5d25347200540e3e4eee48edfd4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3464036
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80213}
-
Jakob Gruber authored
This logic was confused in the presence of inlined frames; the deopt exit offset would point inside the innermost inlined frame while we incorrectly assumed it points at the outermost frame. Fix this by always referring to the bytecode offset of the outermost frame.

Bug: v8:12161
Fixed: chromium:1320094
Change-Id: I2eb28498639432c5344859f64a9388d93ee23bde
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3608630
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80212}
-
Victor Gomes authored
This hopefully makes it easier to add new operations and fixes the current bug where we add new nodes (box/unbox/smitag/smiuntag) that are not being used since the operation does not support a fast path.

Bug: v8:7700
Change-Id: I7ce33e44a4f8e63f42541a615fa72aa6e1b5cccc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3605819
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80211}
-
Clemens Backes authored
The AssemblerBufferCache was so far only used for Liftoff compilation. Hence all TurboFan compilation was using unprotected assembler buffers.

This CL passes the AssemblerBufferCache from the function compiler down to the TurboFan PipelineData. From there it is used when instantiating the CodeGenerator to generate the AssemblerBuffer for the TurboAssembler. This will protect the assembler buffers used for TurboFan Wasm compilation via PKU, if available.

Since PipelineData has a single constructor for all Wasm compilation, we have a single choke point to ensure that an AssemblerBufferCache is passed down. For Wasm stub compilation (import wrappers etc.) we currently explicitly pass a nullptr; this will be fixed in a follow-up CL.

R=thibaudm@chromium.org, tebbi@chromium.org

Bug: v8:12809
Change-Id: I268bd21047adbd7f0aab78e8b0a4b4df1d1f8ddf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3596172
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80210}
-
jameslahm authored
Bug: v8:12781
Change-Id: If94de50440b15f000ff2f961f2dd77abd9c90ca4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3607389
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#80209}
-
Al Muthanna Athamina authored
Bug: v8:12802
Change-Id: I4e12edc71ce110f603026f2b9a446af8965f9510
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3598887
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Almothana Athamneh <almuthanna@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80208}
-
Anton Bikineev authored
params.start was not set when a marker was present; however, the barrier relies on params.start.

Bug: chromium:1029379
Change-Id: I12cfbdbdec63518cfc0d0d174085ea8aefb3a375
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3605822
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80207}
-
Patrick Thier authored
Add flag --always-use-string-forwarding-table to always use the forwarding table (usually only used for shared strings) instead of ThinString migrations initially (during GC strings will be migrated to normal ThinStrings).

The goal is to get more coverage of this code that is designed for shared strings.

Bug: v8:12007
Change-Id: I7eb2e5ccf0018c4ac349611aebe337d8288de5c8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3536650
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80206}
-
Lu Yahan authored
Port commit 4ae5a813

Change-Id: I2b4fccff6bf5266cd4cf9df45cabe3a19f29ab41
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3609751
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#80205}
-
Leszek Swirski authored
Add a simple unwinder for gdb which, on x64, walks frame pointers whenever there is no source information available. Ideally we would only do this for V8 PCs but this appears hard to do in an Unwinder without messing with gdb's internal assumptions.

Change-Id: Iba1e62a3768340ee912e81d691237c1920a8ae91
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3608628
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80204}
-
Victor Gomes authored
Bug: v8:7700
Change-Id: I766b523cfaf30eda9c33d9f2c580bc72a2eaa9ca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3605815
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80203}
-
Anton Bikineev authored
If the following conditions hold:
1) value is kSentinel,
2) slot is on stack,
3) stack is allocated below 4GB,
then the generational barrier would be erroneously triggered for the stack object. This CL fixes it. At the same time, it aims to simplify the code and potentially optimizes it (by having 'and' instead of 'sub').

Bug: chromium:1029379
Change-Id: Iafd91d50b0a1c3d97647f7bf3643dfcc7e9fb48f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3608629
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80202}
-
Samuel Groß authored
These can be tricked into corrupting memory when an attacker can leak the "hole" value due to a bug. This CL simply adds CHECKs to prevent this.

A longer-term solution might be to introduce "special-purpose holes" so that a leaked "hole" value can no longer be used to confuse unrelated code like the JSMap implementation because that would then use a different "hole" value.

Bug: chromium:1315901
Change-Id: Id6c432d39fb97002fa67efe90d34014fc5408ba3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3593783
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80201}
-
Dominik Inführ authored
Introduce a bottleneck for right-trimming an object. In a subsequent CL we will use this method to update the cached size of invalidated objects.

This CL also tries to clean up the various CreateFillerObjectAt methods. CreateFillerObjectAtRaw is now the internal method for all these methods. After moving right-trimming to NotifyObjectSizeChange, both CreateFillerObjectAt and CreateFillerObjectAtBackground don't need those arguments for clearing slots or memory anymore.

Bug: v8:12578, chromium:1316289
Change-Id: I6ff0bfaced3e0a1765152700e68a4ad33a155723
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3607992
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80200}