Skip to content

V
V8
Switch branch/tag
  1. 14 Apr, 2018 1 commit
    • Jakob Kummerow's avatar
      [ubsan] Change Address typedef to uintptr_t · 2459046c
      Jakob Kummerow authored 
      The "Address" type is V8's general-purpose type for manipulating memory
addresses. Per the C++ spec, pointer arithmetic and pointer comparisons
are undefined behavior except within the same array; since we generally
don't operate within a C++ array, our general-purpose type shouldn't be
a pointer type.

Bug: v8:3770
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ib96016c24a0f18bcdba916dabd83e3f24a1b5779
Reviewed-on: https://chromium-review.googlesource.com/988657
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: 's avatarLeszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52601}
      2459046c
  3. 10 Apr, 2018 1 commit
  5. 05 Apr, 2018 1 commit
    • jgruber's avatar
      Rename Code::instruction_{start,end,size} functions · 7b29fe43
      jgruber authored 
      In order to clarify the difference between, e.g., InstructionStart and
instruction_start, rename as follows:

Code::instruction_start -> raw_instruction_start
Code::instruction_end   -> raw_instruction_end
Code::instruction_size  -> raw_instruction_size

The difference between the camel-case and raw_* function families is
in how they handle off-heap-trampoline Code objects. For example, when
called on an off-heap-trampoline: raw_instruction_start returns the
trampoline's entry point, while InstructionStart returns the off-heap
code's entry point (located in the .text section of the binary).

Some callsites were updated to call the camel-case function family as
appropriate.

Bug: v8:6666
Change-Id: I4a572f47c2d161a853599d7c17879e263b0d1a87
Reviewed-on: https://chromium-review.googlesource.com/997532
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52387}
      7b29fe43
  7. 04 Apr, 2018 3 commits
    • Ross McIlroy's avatar
      [Compiler] Split up Unoptimized/Optimized CompilationInfo and CompilationJobs · 3a0419a6
      Ross McIlroy authored 
      With the Ignition + Turbofan pipeline there is very little overlap between the data
needed for unoptimized compilation and optimized compilation. As a result, it is
cleaner to split up the CompilationInfo into UnoptimizedCompilationInfo and
OptimizedCompilationInfo.

Doing so also necessitate splitting up CompilationJob into UnoptimizedCompilationJob
and OptimizedCompilationJob - again there is not much overlap so this seems cleaner.

Change-Id: I1056ad520937b7f8582e4fc3ca8f4910742de30a
Reviewed-on: https://chromium-review.googlesource.com/995895
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: 's avatarLeszek Swirski <leszeks@chromium.org>
Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52369}
      3a0419a6
    • Eric Holk's avatar
      [wasm] enable StoreMem_offset_oob_i64 test with trap handlers · f56e2a02
      Eric Holk authored 
      The first part of this change updates StoreMem_offset_oob_i64 to use one page of
Wasm memory, rather than just a few bytes. Using less than a page was out of
spec for Wasm anyway, so this is better.

This required a small change in the test runner to set and clear the
thread_in_wasm flag around Wasm calls. This was accomplished by a
ThreadInWasmScope convenience class.

The majority of the changes are because the cctest environment does not support
runtime exceptions. In the code generator, where we used to throw a
WasmMemOutOfBounds exception, we now need to call out to the test hook instead
if runtime exceptions are not supported. This involved plumbing the
runtime_exception_support flag down to the code generator. Rather than adding
and shuffling around extra parameters everywhere, this CL packages the previous
protected instruction list in a new WasmCompilationData object that now includes
the runtime_exception_support flag as well.

Bug: v8:5277
Change-Id: Ic9c9e5a53a07a7773b58c0aee7c26bbd2ddf82f3
Reviewed-on: https://chromium-review.googlesource.com/989017
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: 's avatarClemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52368}
      f56e2a02
    • Sigurd Schneider's avatar
      [promises/deoptimizer] Support "catching" builtin continuations · 1cee0196
      Sigurd Schneider authored 
      This CL allows builtin continuations to handle pending exceptions.
This implements exception handling for the promise constructor in
case of deoptimization.

Bug: v8:7584


Change-Id: Ib5df5eb6606abb3f9690f294397981858dbdbf25
Reviewed-on: https://chromium-review.googlesource.com/983912
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52340}
      1cee0196
  9. 27 Mar, 2018 1 commit
    • Tobias Tebbi's avatar
      [turbofan] unify interpreter and JIT speculation poisoning · 1ef6c437
      Tobias Tebbi authored 
      This CL changes the poisoning in the interpreter to use the
infrastructure used in the JIT.

This does not change the original flag semantics:

--branch-load-poisoning enables JIT mitigations as before.

--untrusted-code-mitigation enables the interpreter mitigations
  (now realized using the compiler back-end), but does not enable
  the back-end based mitigations for the Javascript JIT. So in effect
  --untrusted-code-mitigation makes the CSA pipeline for bytecode handlers
  use the same mechanics (including changed register allocation) that
  --branch-load-poisoning enables for the JIT.

Bug: chromium:798964
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: If7f6852ae44e32e6e0ad508e9237f24dec7e5b27
Reviewed-on: https://chromium-review.googlesource.com/928881Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52243}
      1ef6c437
  11. 08 Mar, 2018 1 commit
    • Jaroslav Sevcik's avatar
      [turbofan] IA32 port of branch load poisoning. · 383ec7b5
      Jaroslav Sevcik authored 
      The tricky part here is to take away one register from register
allocation for the mask. The only problem is with calls that need
an input operand to be passed in the poison register. For such calls,
we change the register constraint in the instruction selector
to pass the value in whatever place the register allocator sees fit.
During code generation, we then copy the value from that place
to the poison register. By that time, the mask is not necessary
(once we bake the mask into the target, it should be done before
this move).

For the branches, the mask update does not use cmov (unlike x64)
because cmov does not take an immediate and we do not have
a scratch register. Instead we use bit-twiddling tricks
(suggested by @tebbi). For example, here is the code for masking
register update after a bailout on non-zero:

  jnz deopt_bailout    ;; Bailout branch
  setnz bl             ;; These three instructions update the mask
  add  ebx, 255
  sar  ebx, 31

(On x64, the sequence is:

  jnz deopt_bailout
  mov r10, 0      ;; We have a scratch register for zero
  cmovnz r9, r10  ;; Set to zero if we execute this branch
                  ;; in branch mis-speculation
)


This CL also fixes a bug in register configuration, where we used
to wrongly restrict the array of register name.

Change-Id: I5fceff2faf8bdc527d9934afc284b749574ab69e
Bug: chromium:798964
Reviewed-on: https://chromium-review.googlesource.com/946251
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51798}
      383ec7b5
  13. 27 Feb, 2018 1 commit
  15. 26 Feb, 2018 1 commit
  17. 14 Feb, 2018 1 commit
  19. 13 Feb, 2018 2 commits
    • Mike Stanton's avatar
      [turbofan] Masking/poisoning in codegen (optimized code, x64) · 8f489e73
      Mike Stanton authored 
      This introduces masking of loads with speculation bit during code generation.
At the moment, this is done only for x64 optimized code, under the
--branch-load-poisoning flag.

Overview of changes:
- new register configuration configuration with one register reserved for
  the speculation poison/mask (kSpeculationPoisonRegister).
- in codegen, we introduce an update to the poison register at the starts
  of all successors of branches (and deopts) that are marked as safety
  branches (deopts).
- in memory optimizer, we lower all field and element loads to PoisonedLoads.
- poisoned loads are then masked in codegen with the poison register.
  * only integer loads are masked at the moment.

Bug: chromium:798964
Change-Id: Ie51fdbde578fc289dff029794f3cfe8eaf33e1ef
Reviewed-on: https://chromium-review.googlesource.com/901625
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51272}
      8f489e73
    • Michael Starzinger's avatar
      [turbofan] Better checking of code start register. · 5586ecfc
      Michael Starzinger authored 
      This decouples the checking of the {kJavaScriptCallCodeStartRegister}
from the deoptimization checks. We now rely more heavily on the above
register and should check its validity more broadly. Note that there
also is a bug fix for the ARM port contained in this change.

R=mvstanton@chromium.org

Change-Id: I27d8b72cb2b36a85dae4bbbf35e4dbcf150eac01
Reviewed-on: https://chromium-review.googlesource.com/916242
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: 's avatarMichael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51270}
      5586ecfc
  21. 12 Feb, 2018 1 commit
    • Ross McIlroy's avatar
      [Ignition] [TurboFan] Generate speculation poison in code generator. · a021b6c4
      Ross McIlroy authored 
      Moves generation of speculation poison to be based on the PC target vs the
actual PC being executed. The speculation poison is generated in the prologue
of the generated code if CompilationInfo::kGenerateSpeculationPoison is set.
The result is stored in a known register, which can then be read using the
SpeculationPoison machine node.

Currently we need to ensure the SpeculationPoison node is scheduled right after
the code prologue so that the poison register doesn't get clobbered. This is
currently not verified, however it's only use is in RawMachineAssembler where
it is manually scheduled early.

The Ignition bytecode handlers are updated to use this speculation poison
rather than one generated by comparing the target bytecode.

BUG=chromium:798964

Change-Id: I2a3d0cfc694e88d7a8fe893282bd5082f693d5e2
Reviewed-on: https://chromium-review.googlesource.com/893160
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51229}
      a021b6c4
  23. 30 Jan, 2018 1 commit
    • Pierre Langlois's avatar
      [turbofan] Refactor AssembleMove and AssembleSwap · 16f2bcdb
      Pierre Langlois authored 
      The way the code generator's AssembleMove and AssembleSwap methods are written
makes it easy to forget which sort of move is being implemented when looking at
a sequence of instructions. This patch is an attempt to address this by
rewriting those methods using switch/case instead of a string of if/else.

To do this, introduce new utility functions to detect what type of move to
perform given a pair of InstructionOperands.

Bug: 
Change-Id: I32b146c86409e595b7b59a66bf43220899024fdd
Reviewed-on: https://chromium-review.googlesource.com/749201
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Reviewed-by: 's avatarSigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50966}
      16f2bcdb
  25. 12 Jan, 2018 1 commit
  27. 13 Dec, 2017 1 commit
  29. 05 Dec, 2017 1 commit
    • Michael Achenbach's avatar
      Revert "[compiler] Remove dead code in CodeGenerator::BuildTranslation." · b501bf93
      Michael Achenbach authored 
      This reverts commit 8d9de7ff.

Reason for revert: Breaks roll:
https://chromium-review.googlesource.com/c/chromium/src/+/806714

  # Fatal error in ../../v8/src/compiler/code-generator.cc, line 1032
  # unreachable code

  #3 v8::internal::compiler::CodeGenerator::AddTranslationForOperand()
  #4 v8::internal::compiler::CodeGenerator::TranslateFrameStateDescriptorOperands()
  #5 v8::internal::compiler::CodeGenerator::BuildTranslation()
  #6 v8::internal::compiler::CodeGenerator::AssembleInstruction()
  #7 v8::internal::compiler::CodeGenerator::AssembleCode()
  #8 v8::internal::compiler::PipelineImpl::AssembleCode()

Original change's description:
> [compiler] Remove dead code in CodeGenerator::BuildTranslation.
> 
> R=​jarin@chromium.org
> 
> Bug: 
> Change-Id: Id219fb91c4c4f40677edea6f9c04763284e14373
> Reviewed-on: https://chromium-review.googlesource.com/800934
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49831}

TBR=jarin@chromium.org,neis@chromium.org

Change-Id: I6f5e13e70dc816a4e0c4a362bd3a30091c14c637
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/807944Reviewed-by: 's avatarMichael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49852}
      b501bf93
  31. 04 Dec, 2017 1 commit
  33. 30 Nov, 2017 1 commit
  35. 28 Nov, 2017 3 commits
    • Mircea Trofin's avatar
      Revert "Revert "[wasm] JIT using WasmCodeManager"" · b03b1bd9
      Mircea Trofin authored 
      This reverts commit b301203e.

Reason for revert: Fixed issues on arm.

Original change's description:
> Revert "[wasm] JIT using WasmCodeManager"
> 
> This reverts commit d4c8393c.
> 
> Reason for revert: Breaks ARM hardware:
> https://build.chromium.org/p/client.v8.ports/builders/V8%20Arm%20-%20debug/builds/5268
> 
> Original change's description:
> > [wasm] JIT using WasmCodeManager
> > 
> > This is the first step towards wasm code sharing. This CL moves wasm
> > code generation outside the JavaScript GC heap using the previously -
> > introduced WasmCodeManager (all this, behind the --wasm-jit-to-native
> > flag).
> > 
> > See design document: go/wasm-on-native-heap-stage-1
> > 
> > This CL doesn't change other wasm architectural invariants. We still
> > have per-Isolate wasm code generation, and per-wasm module instance
> > code specialization.
> > 
> > Bug:v8:6876
> > 
> > Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> > Change-Id: I1e08cecad75f93fb081545c31228a4568be276d3
> > Reviewed-on: https://chromium-review.googlesource.com/674086
> > Reviewed-by: Ben Titzer <titzer@chromium.org>
> > Reviewed-by: Eric Holk <eholk@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#49689}
> 
> TBR=bradnelson@chromium.org,titzer@chromium.org,mtrofin@chromium.org,eholk@chromium.org
> 
> Change-Id: I89af1ea5decd841bc12cd2ceaf74d32bc4433885
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug: v8:6876
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Reviewed-on: https://chromium-review.googlesource.com/794690
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49691}

TBR=bradnelson@chromium.org,machenbach@chromium.org,titzer@chromium.org,mtrofin@chromium.org,eholk@chromium.org

Change-Id: I1b07638d1bb2ba0664305b4b2dcfc1342dc8444f
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6876
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/794434
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: 's avatarMircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49692}
      b03b1bd9
    • Michael Achenbach's avatar
      Revert "[wasm] JIT using WasmCodeManager" · b301203e
      Michael Achenbach authored 
      This reverts commit d4c8393c.

Reason for revert: Breaks ARM hardware:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Arm%20-%20debug/builds/5268

Original change's description:
> [wasm] JIT using WasmCodeManager
> 
> This is the first step towards wasm code sharing. This CL moves wasm
> code generation outside the JavaScript GC heap using the previously -
> introduced WasmCodeManager (all this, behind the --wasm-jit-to-native
> flag).
> 
> See design document: go/wasm-on-native-heap-stage-1
> 
> This CL doesn't change other wasm architectural invariants. We still
> have per-Isolate wasm code generation, and per-wasm module instance
> code specialization.
> 
> Bug:v8:6876
> 
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Change-Id: I1e08cecad75f93fb081545c31228a4568be276d3
> Reviewed-on: https://chromium-review.googlesource.com/674086
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Eric Holk <eholk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49689}

TBR=bradnelson@chromium.org,titzer@chromium.org,mtrofin@chromium.org,eholk@chromium.org

Change-Id: I89af1ea5decd841bc12cd2ceaf74d32bc4433885
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6876
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/794690Reviewed-by: 's avatarMichael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49691}
      b301203e
    • Mircea Trofin's avatar
      [wasm] JIT using WasmCodeManager · d4c8393c
      Mircea Trofin authored 
      This is the first step towards wasm code sharing. This CL moves wasm
code generation outside the JavaScript GC heap using the previously -
introduced WasmCodeManager (all this, behind the --wasm-jit-to-native
flag).

See design document: go/wasm-on-native-heap-stage-1

This CL doesn't change other wasm architectural invariants. We still
have per-Isolate wasm code generation, and per-wasm module instance
code specialization.

Bug:v8:6876

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I1e08cecad75f93fb081545c31228a4568be276d3
Reviewed-on: https://chromium-review.googlesource.com/674086Reviewed-by: 's avatarBen Titzer <titzer@chromium.org>
Reviewed-by: 's avatarEric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49689}
      d4c8393c
  37. 22 Nov, 2017 1 commit
  39. 21 Nov, 2017 2 commits
  41. 16 Nov, 2017 1 commit
  43. 15 Nov, 2017 2 commits
  45. 07 Nov, 2017 1 commit
  47. 06 Nov, 2017 1 commit
    • Toon Verwaest's avatar
      Drop custom accessor deoptimization support · c82cd313
      Toon Verwaest authored 
      Previously StaNamedProperty and StaKeyedProperty were in a weird state where
they claimed to not touch the accumulator, but actually did in case they were
deopted in the middle. A frame was added in the middle to overwrite the 
accumulator again with the right value before returning from the setter, using
a lot of complexity in the deoptimizer.

This changes those instructions to be marked as writing to the accumulator
(e.g., the result of the setter), and uses to manually store and reload into
the accumulator the value being stored.

If we want to avoid the additional bytecodes, we could make sure that bytecodes
that claim to leave the accumulator alone don't deopt back to Advance/Dispatch
but LoadAccumulatorWithValue/Advance/Dispatch. That's in a way similar to what
happened before this CL, but I believe could be implemented much simpler.


Bug: 
Change-Id: I4850a690ef5a30976701d0e050951faa46fd1c18
Reviewed-on: https://chromium-review.googlesource.com/753487Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
Reviewed-by: 's avatarLeszek Swirski <leszeks@chromium.org>
Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49159}
      c82cd313
  49. 26 Oct, 2017 1 commit
  51. 25 Oct, 2017 2 commits
  53. 20 Oct, 2017 1 commit
  55. 19 Oct, 2017 1 commit
  57. 18 Oct, 2017 2 commits
  59. 17 Oct, 2017 1 commit
  61. 09 Oct, 2017 1 commit