1. 05 May, 2022 1 commit
  2. 23 Mar, 2022 1 commit
    • Reland "[turbofan] Enable --verify-simplified-lowering in debug" · 87d73a3a
      Nico Hartmann authored
      This reverts commit aaedd8b7.
      
      Changes in the reland:
      The initial problem was caused by nodes that were removed during SL
      because they are no-ops but have an effect on typing (in the repro, this
      was e.g. PlainPrimitiveToNumber). The reland introduces a new operator
      SLVerifierHint that is used exclusively in SL to provide hints to the
      verifier and that solves this problem. SLVerifierHint also replaces the
      previous use of TypeGuard to type constant nodes for the verifier.
      
      Bug: v8:12619, chromium:1302572
      Change-Id: I0957645c03d8b7c26cd6d630a1ecbd0a6a8223ce
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3512574
      Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
      Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#79564}
  3. 24 Feb, 2022 1 commit
  4. 15 Dec, 2021 1 commit
    • V8 Sandbox rebranding · 277fdd1d
      Samuel Groß authored
      This CL renames a number of things related to the V8 sandbox.
      Mainly, what used to be under V8_HEAP_SANDBOX is now under
      V8_SANDBOXED_EXTERNAL_POINTERS, while the previous V8 VirtualMemoryCage
      is now simply the V8 Sandbox:
      
      V8_VIRTUAL_MEMORY_CAGE => V8_SANDBOX
      V8_HEAP_SANDBOX => V8_SANDBOXED_EXTERNAL_POINTERS
      V8_CAGED_POINTERS => V8_SANDBOXED_POINTERS
      V8VirtualMemoryCage => Sandbox
      CagedPointer => SandboxedPointer
      fake cage => partially reserved sandbox
      src/security => src/sandbox
      
      This naming scheme should simplify things: the sandbox is now the large
      region of virtual address space inside which V8 mainly operates and
      which should be considered untrusted. Mechanisms like sandboxed pointers
      are then used to attempt to prevent escapes from the sandbox (i.e.
      corruption of memory outside of it). Furthermore, the new naming scheme
      avoids the confusion with the various other "cages" in V8, in
      particular, the VirtualMemoryCage class, by dropping that name entirely.
      
      Future sandbox features are developed under their own V8_SANDBOX_X flag,
      and will, once final, be merged into V8_SANDBOX. Current future features
      are sandboxed external pointers (using the external pointer table), and
      sandboxed pointers (pointers guaranteed to point into the sandbox, e.g.
      because they are encoded as offsets). This CL then also introduces a new
      build flag, v8_enable_sandbox_future, which enables all future features.
      
      Bug: v8:10391
      Change-Id: I5174ea8f5ab40fb96a04af10853da735ad775c96
      Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3322981
      Reviewed-by: Hannes Payer <hpayer@chromium.org>
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Reviewed-by: Michael Achenbach <machenbach@chromium.org>
      Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      Commit-Queue: Samuel Groß <saelo@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#78384}
  5. 29 Oct, 2021 1 commit
    • Introduce CagedPointer · afd15549
      Samuel Groß authored
      A CagedPointer is guaranteed to point into the Virtual Memory Cage and
      will for example be used for ArrayBuffer backing stores when the heap
      sandbox is enabled. In the current implementation, CagedPointers are
      stored as offsets from the cage base, shifted to the left. Because the
      cage base address is usually available in a register, accessing a
      CagedPointer is very efficient, requiring only an additional shift and
      add operation.
      
      Bug: chromium:1218005
      Change-Id: Ifc8c088e3862400672051a8c52840514dee2911f
      Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3123417
      Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Reviewed-by: Jakob Gruber <jgruber@chromium.org>
      Commit-Queue: Samuel Groß <saelo@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#77614}
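The offset-shifted encoding described in the CagedPointer commit above, as an added example that is not V8's code: the cage size (2^40 bytes) and the shift (64 - 40 = 24 bits) are assumptions chosen for illustration, not V8's actual constants. The point it demonstrates is the confinement property: whatever 64-bit value ends up in a caged slot, the decoded address still lies inside the cage, whereas a raw pointer in the same slot does not carry that bound.

```c
#include <stdint.h>
#include <stdio.h>

/* Cage geometry: assumed for this example, not V8's real constants.
 * A 2^40-byte cage and a shift of 64 - 40 = 24 bits, so the 40-bit
 * offset occupies the top bits of the 64-bit slot. */
#define CAGE_SIZE_BITS   40
#define CAGE_SIZE        ((uint64_t)1 << CAGE_SIZE_BITS)
#define CAGED_PTR_SHIFT  (64 - CAGE_SIZE_BITS)

/* Encode a raw address inside the cage as a caged pointer:
 * the offset from the cage base, shifted to the left. */
static uint64_t caged_encode(uint64_t cage_base, uint64_t addr) {
    return (addr - cage_base) << CAGED_PTR_SHIFT;
}

/* Decode: one shift and one add, which is why the access stays cheap
 * when the cage base already lives in a register. */
static uint64_t caged_decode(uint64_t cage_base, uint64_t slot) {
    return cage_base + (slot >> CAGED_PTR_SHIFT);
}

/* The offset a slot value decodes to. The shift discards the low bits,
 * so the result is always below CAGE_SIZE, even for a corrupted slot. */
static uint64_t caged_offset(uint64_t slot) {
    return slot >> CAGED_PTR_SHIFT;
}

/* True when addr lies in [cage_base, cage_base + CAGE_SIZE).
 * The unsigned subtraction also rejects addresses below the base. */
static int inside_cage(uint64_t cage_base, uint64_t addr) {
    return (addr - cage_base) < CAGE_SIZE;
}

/* Contrast: the same slot holding a raw pointer has no such bound. */
static int raw_slot_inside_cage(uint64_t cage_base, uint64_t slot) {
    return inside_cage(cage_base, slot);
}

int main(void) {
    uint64_t base = 0x100000000000ULL;          /* assumed cage base */
    uint64_t store = base + 0x1234000ULL;       /* constructed backing store */
    uint64_t slot = caged_encode(base, store);
    uint64_t corrupted = 0xDEADBEEFCAFEF00DULL; /* constructed garbage value */
    printf("roundtrip ok: %d\n", caged_decode(base, slot) == store);
    printf("corrupted caged slot stays in cage: %d\n",
           inside_cage(base, caged_decode(base, corrupted)));
    printf("corrupted raw slot stays in cage:   %d\n",
           raw_slot_inside_cage(base, corrupted));
    return 0;
}
```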
  6. 19 Oct, 2021 1 commit
  7. 06 Jul, 2021 1 commit
    • Use type feedback to improve exponentiation. · ae95f46d
      Z Nguyen-Huu authored
      With this change, we use Float64Pow for both Smi and Float inputs, also
      introduce new speculative operator.
      
      For this PoC
      ==========================================================
      let result = [NaN]; // Avoid HeapNumber-boxing the results.
      
      function slow(){
        for(let i = 0; i < 100000000; i++) {
          result[0] = i ** 2;
        }
      }
      
      start = Date.now();
      slow();
      console.log(Date.now() - start);
      ==========================================================
      Before: 1313
      After: 112
      
      Bug: v8:11731
      Change-Id: I07a1bde068bef8184b9f556be9d1fe2d6a288705
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2960064
      Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
      Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
      Reviewed-by: Georg Neis <neis@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#75590}
  8. 01 Jul, 2021 1 commit
  9. 29 Jun, 2021 1 commit
  10. 28 Jun, 2021 2 commits
  11. 31 May, 2021 1 commit
  12. 03 May, 2021 1 commit
  13. 27 Apr, 2021 1 commit
  14. 20 Apr, 2021 1 commit
  15. 19 Apr, 2021 2 commits
  16. 12 Apr, 2021 2 commits
  17. 27 Jan, 2021 1 commit
  18. 28 Oct, 2020 1 commit
  19. 24 Jun, 2020 1 commit
  20. 04 Jun, 2020 1 commit
  21. 28 May, 2020 1 commit
    • Reland "[turbofan] Improve equality on NumberOrOddball" · 120d4333
      Nico Hartmann authored
      This is a reland of 6204768b
      
      The original issue exposed the problem that NumberEqual performs
      implicit conversion of oddballs to numbers, which is incorrect for
      abstract equality comparison (i.e. 0 == null must not be true).
      
      This reland fixes this by applying the following steps:
      * Introduced a new kNumberOrBoolean value for CompareOperationFeedback,
        CompareOperationHint, TypeCheckKind and CheckedTaggedInputMode.
      * In CodeStubAssembler::Equal: Further distinguish between boolean and
        non-boolean oddballs and set feedback accordingly.
      * In JSTypedLowering: Construct [Speculative]NumberEqual operator with
        CompareOperationHint::kNumberOrBoolean, when this feedback is present.
        JSOperatorBuilder and operator cache are extended accordingly.
      * In SimplifiedLowering: Propagate a UseInfo with new
        TypeCheckKind::kNumberOrBoolean.
      * This leads to the generation of CheckedTaggedToFloat64 in
        RepresentationChanger with new CheckedTaggedInputMode::kNumberOrBoolean.
      * In EffectControlLinearizer: Handle this new mode. Accept and convert
        number and boolean and deopt for rest.
      
      Original change's description:
      > [turbofan] Improve equality on NumberOrOddball
      >
      > This CL cleans up CompareOperationFeedback by replacing it with a
      > composable set of flags. The interpreter is changed to collect
      > more specific feedback for abstract equality, especially if oddballs
      > are involved.
      >
      > TurboFan is changed to construct SpeculativeNumberEqual operator
      > instead of the generic JSEqual in many more cases. This change has
      > shown a local speedup of a factor of 3-10, because the specific
      > operator is way faster than calling into the generic builtin, but
      > it also enables additional optimizations, further improving
      > runtime performance.
      >
      > Bug: v8:5660
      > Change-Id: I856752caa707e9a4f742c6e7a9c75552fb431d28
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2162854
      > Reviewed-by: Mythri Alle <mythria@chromium.org>
      > Reviewed-by: Georg Neis <neis@chromium.org>
      > Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#67645}
      
      TBR: tebbi@chromium.org
      Bug: v8:5660
      Change-Id: I12e733149a1d2773cafb781a1d4b10aa1eb242a7
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2193713
      Commit-Queue: Georg Neis <neis@chromium.org>
      Reviewed-by: Mythri Alle <mythria@chromium.org>
      Reviewed-by: Georg Neis <neis@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#68037}
  22. 06 May, 2020 1 commit
  23. 21 Feb, 2020 1 commit
  24. 19 Feb, 2020 2 commits
  25. 18 Feb, 2020 2 commits
  26. 08 Jan, 2020 1 commit
  27. 12 Dec, 2019 1 commit
  28. 29 Nov, 2019 1 commit
  29. 26 Nov, 2019 1 commit
  30. 20 Nov, 2019 1 commit
  31. 11 Nov, 2019 2 commits
  32. 16 Oct, 2019 1 commit
  33. 04 Oct, 2019 1 commit
  34. 01 Oct, 2019 1 commit