1. 27 Jun, 2022 1 commit
    • [sandbox] Turn ExternalPointerTag into a template parameter · 8ca93205
      Samuel Groß authored
      The ExternalPointerTags are assumed to be compile-time constants in most
      cases, so turning them into template parameters enforces that. As
      decisions such as whether to use the per-isolate or the shared external
      pointer table are encoded into the tag values, forcing those to be
      compile-time constants guarantees that the compiler will be able to
      inline the correct logic when accessing an external pointer.
      
      With this, there are now two (high-level) ways of accessing external pointer fields from C++: the Read/WriteExternalPointerField methods
      which require the ExternalPointerTag to be a template parameter, and the
      ExternalPointerSlot class which takes the tag as an argument. The latter
      is for example used for snapshot deserialization and by the garbage
      collector (more generally, by the ObjectVisitor::VisitExternalPointer
      method), where the tag is not a compile-time constant.
      
      Finally, this CL also introduces a new ExternalPointerHandle type which
      represents the (opaque) on-heap representation of a reference to an
      entry in an ExternalPointerTable when sandboxing is enabled. Making this
      its own type makes the code a bit more readable.
      
      Bug: v8:10391
      Change-Id: I867b8ce41d15d485f1dc66786f233c710c56afcb
      Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3720641
      Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
      Reviewed-by: Leszek Swirski <leszeks@chromium.org>
      Commit-Queue: Samuel Groß <saelo@chromium.org>
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#81402}
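The tag-as-template-parameter design this commit describes, as an added C++ sketch that is not V8's code: the 16-bit tag in the top bits of each table entry, bit 63 marking tags whose entries live in the shared table, the `ptr | tag` write and `entry & ~tag` read, the canonical-address check and every tag and address value are assumptions made for the example; V8's real table, tag values and handle format differ. The point it shows is that `ReadExternalPointerField<tag>` resolves the per-isolate/shared choice with `if constexpr`, while `ExternalPointerSlot::load(tag)` must branch at runtime, and that reading an entry with the wrong tag yields an unusable pointer rather than a confused object.

```cpp
// Added example, not V8 code: encoding "which table" into the tag and
// making the tag a template parameter lets the compiler pick the
// per-isolate or the shared external pointer table at compile time.
#include <cstdint>
#include <cstdio>
#include <vector>

using ExternalPointerTag = uint64_t;
using ExternalPointerHandle = uint32_t;  // opaque on-heap index into a table

// Assumed tag layout: 16 tag bits at the top of the entry; bit 63 marks
// tags whose entries live in the process-wide shared table.
constexpr ExternalPointerTag kSharedTableBit = uint64_t{1} << 63;
constexpr ExternalPointerTag kFooTag = uint64_t{0x1001} << 48;
constexpr ExternalPointerTag kBarTag = uint64_t{0x2002} << 48;
constexpr ExternalPointerTag kSharedBazTag = (uint64_t{0x3003} << 48) | kSharedTableBit;

constexpr bool IsSharedTag(ExternalPointerTag tag) { return (tag & kSharedTableBit) != 0; }
// x86-64 user-space addresses have their top 17 bits clear; a leftover tag
// bit therefore turns the value into a non-canonical, unusable pointer.
constexpr bool IsCanonicalUserPointer(uint64_t p) { return (p >> 47) == 0; }

struct ExternalPointerTable {
  std::vector<uint64_t> entries{0};  // slot 0 is the null handle
  ExternalPointerHandle Allocate(uint64_t ptr, ExternalPointerTag tag) {
    entries.push_back(ptr | tag);
    return static_cast<ExternalPointerHandle>(entries.size() - 1);
  }
  // Reading with the tag the entry was written with strips it cleanly;
  // any other tag leaves stray high bits in the result.
  uint64_t Get(ExternalPointerHandle h, ExternalPointerTag tag) const {
    return entries.at(h) & ~tag;
  }
};

struct Isolate {
  ExternalPointerTable per_isolate_table;
  ExternalPointerTable* shared_table = nullptr;  // one table for all isolates
};

// Tag is a template parameter: `if constexpr` folds the other branch away.
template <ExternalPointerTag tag>
uint64_t ReadExternalPointerField(const Isolate& iso, ExternalPointerHandle h) {
  if constexpr (IsSharedTag(tag)) {
    return iso.shared_table->Get(h, tag);
  } else {
    return iso.per_isolate_table.Get(h, tag);
  }
}

// Tag is a runtime argument (visitors, deserialization): the table choice
// is a real branch on every access.
class ExternalPointerSlot {
 public:
  ExternalPointerSlot(const Isolate* iso, ExternalPointerHandle h) : iso_(iso), h_(h) {}
  uint64_t load(ExternalPointerTag tag) const {
    const ExternalPointerTable& t = IsSharedTag(tag) ? *iso_->shared_table : iso_->per_isolate_table;
    return t.Get(h_, tag);
  }
 private:
  const Isolate* iso_;
  ExternalPointerHandle h_;
};

constexpr uint64_t kFooObject = 0x00007f1234560000;  // constructed sample addresses
constexpr uint64_t kBazObject = 0x00007f9876540000;

uint64_t ReadWithCorrectTag() {
  Isolate iso;
  ExternalPointerHandle h = iso.per_isolate_table.Allocate(kFooObject, kFooTag);
  return ReadExternalPointerField<kFooTag>(iso, h);
}

uint64_t ReadWithWrongTag() {
  Isolate iso;
  ExternalPointerHandle h = iso.per_isolate_table.Allocate(kFooObject, kFooTag);
  return ReadExternalPointerField<kBarTag>(iso, h);  // type-confusion attempt
}

bool SharedHandleVisibleFromBothIsolates() {
  ExternalPointerTable shared;
  Isolate a, b;
  a.shared_table = b.shared_table = &shared;
  ExternalPointerHandle h = shared.Allocate(kBazObject, kSharedBazTag);
  uint64_t via_a = ReadExternalPointerField<kSharedBazTag>(a, h);
  uint64_t via_b = ExternalPointerSlot(&b, h).load(kSharedBazTag);
  return via_a == kBazObject && via_b == kBazObject;
}

int main() {
  std::printf("correct tag: %#llx\n", (unsigned long long)ReadWithCorrectTag());
  std::printf("wrong tag:   %#llx canonical=%d\n", (unsigned long long)ReadWithWrongTag(),
              IsCanonicalUserPointer(ReadWithWrongTag()));
  return SharedHandleVisibleFromBothIsolates() ? 0 : 1;
}
```

Compile with `-std=c++17` or later (the `if constexpr` is the whole point). Because the tag is a template argument, an attempt to read a per-isolate field with a shared-table tag is decided at compile time; with the runtime slot the same decision costs a branch per access, which is why the commit keeps that path only for visitors and deserialization.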
  2. 22 Jun, 2022 1 commit
    • [shared-struct] Shared Array Initial prototype · afb26623
      Luis Fernando Pardo Sixtos authored
      Initial implementation for concurrent shared arrays. Current implementation exposes a `SharedArray` constructor, but its syntax might
      change in the future.
      
      Shared arrays can be shared across Isolates, have a fixed size, have no
      prototype, have no constructor, and can only store primitives, shared structs and other shared arrays. With this CL shared structs are also allowed to store shared arrays.
      
      The backing storage for the SharedArrays is a `FixedArrayBase`. This CL
      introduces a new ElementKind: `SHARED_ARRAY_ELEMENTS`. The new kind should
      match the overall functionality of the `PACKED_SEALED_ELEMENTS` kind, but
      having it as a standalone kind allows for easier branching in CSA and
      turbofan code.
      
      Bug: v8:12547
      Change-Id: I054a04624d4cf1f37bc26ae4b92b6fe33408538a
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3585353
      Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Commit-Queue: Luis Fernando Pardo Sixtos <lpardosixtos@microsoft.com>
      Reviewed-by: Shu-yu Guo <syg@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#81285}
  3. 13 May, 2022 1 commit
  4. 05 May, 2022 1 commit
  5. 25 Apr, 2022 1 commit
  6. 08 Apr, 2022 1 commit
  7. 17 Mar, 2022 1 commit
  8. 16 Mar, 2022 2 commits
  9. 14 Mar, 2022 1 commit
  10. 10 Mar, 2022 1 commit
  11. 07 Mar, 2022 1 commit
  12. 23 Feb, 2022 1 commit
  13. 22 Feb, 2022 1 commit
  14. 18 Feb, 2022 2 commits
    • Plumb Isolate through GetDataProperty · 489527d4
      Shu-yu Guo authored
      Currently the Isolate is gotten off of the object that the operation is
      being performed on. GetDataProperty may end up using a per-Isolate
      lookup cache, which is not threadsafe when the Isolate is shared. Plumb
      the executing, non-shared Isolate through.
      
      Bug: v8:12646, v8:12547
      Change-Id: Ia08ece9a9e8cbd7eba9ea38b01caa511895f5bf4
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3475084
      Reviewed-by: Adam Klein <adamk@chromium.org>
      Commit-Queue: Shu-yu Guo <syg@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#79180}
    • Revert "[shared-struct] Prototype JS shared structs" · c1078b5e
      Michael Achenbach authored
      This reverts commit 1025bf26.
      
      Reason for revert: https://crbug.com/v8/12645
      
      Original change's description:
      > [shared-struct] Prototype JS shared structs
      >
      > Unlike the Stage 1 proposal, for simplicity the prototype does not add
      > any new syntax, instead opting for exposing a SharedStructType
      > constructor which takes an array of field names. This type constructor
      > returns constructors for shared structs.
      >
      > Shared structs can be shared across Isolates, are fixed layout, have no
      > prototype, have no .constructor, and can only store primitives and
      > other shared structs.
      >
      > The initial prototype does not have TurboFan support.
      >
      > Bug: v8:12547
      > Change-Id: I23bdd819940b42139692bcdb53d372099b0d4426
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3390643
      > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
      > Reviewed-by: Marja Hölttä <marja@chromium.org>
      > Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
      > Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
      > Commit-Queue: Shu-yu Guo <syg@chromium.org>
      > Cr-Commit-Position: refs/heads/main@{#79156}
      
      Bug: v8:12547
      Change-Id: I44f2b8bb7487b4d39ba1282585e0b2282501230f
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3474676
      Auto-Submit: Michael Achenbach <machenbach@chromium.org>
      Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
      Owners-Override: Michael Achenbach <machenbach@chromium.org>
      Commit-Queue: Michael Achenbach <machenbach@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#79170}
  15. 17 Feb, 2022 1 commit
  16. 05 Feb, 2022 1 commit
  17. 30 Nov, 2021 1 commit
  18. 15 Nov, 2021 1 commit
  19. 12 Nov, 2021 1 commit
  20. 27 Oct, 2021 1 commit
  21. 28 Sep, 2021 1 commit
  22. 30 Aug, 2021 1 commit
  23. 29 Jul, 2021 1 commit
  24. 06 Jul, 2021 1 commit
  25. 23 Jun, 2021 1 commit
  26. 17 Jun, 2021 1 commit
  27. 16 Jun, 2021 1 commit
  28. 09 Jun, 2021 1 commit
    • [compiler] RawFastPropertyAt without serialization · 9bfd401e
      Jakob Gruber authored
      This is a step towards making JSObjectRef non-serialized.
      
      Change JSObjectRef::RawFastPropertyAt to use a direct load with
      relaxed semantics. Special handling of `uninitialized` sentinel values
      is moved to the only use-site.
      
      A new lock `boilerplate_migration_access` protects against concurrent
      boilerplate migrations while we are iterating over properties.
      
      Bug: v8:7790
      Change-Id: Ic9de54ca16c1f3364d497a77058cfa33d48dd4a4
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2928184
      Commit-Queue: Jakob Gruber <jgruber@chromium.org>
      Reviewed-by: Georg Neis <neis@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#75033}
  29. 07 Jun, 2021 1 commit
    • [compiler] Remove use of serialized JSObjectRef::elements · 8769666e
      Jakob Gruber authored
      .. and replace them by elements read directly from the heap object.
      
      With this change, consistency between `map` and `elements` is
      no longer guaranteed. Users were updated, when necessary, to deal
      with this, e.g. by being more careful not to read out of bounds,
      by inserting new `actual_elements == elements_constant` runtime
      checks, or through a new compilation dependency that verifies
      unchanged elements at finalization time.
      
      Drive-by: inline GetElementsKind into callsites.
      
      Bug: v8:7790
      Change-Id: Ifba78182e185ff0d4e954e3be52f0eb24328c853
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2909655
      Reviewed-by: Georg Neis <neis@chromium.org>
      Commit-Queue: Jakob Gruber <jgruber@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#74977}
  30. 23 Apr, 2021 1 commit
  31. 12 Apr, 2021 1 commit
    • Allowing map word to be used for other state in GC header. · 5e0b94c4
      Wenyu Zhao authored
      This CL adds features to pack/unpack map words.
      
      Currently V8 cannot store extra metadata in object headers -- because V8
      objects do not have a proper header, but only a map pointer at the start
      of the object. To store per-object metadata like marking data, a side
      table is required as the per-object metadata storage.
      
      This CL enables V8 to use higher unused bits in a 64-bit map word as
      per-object metadata storage. Map pointer stores come with an extra step
      to encode the metadata into the pointer (we call it "map packing").
      Map pointer loads also remove the metadata bits (we call it
      "map packing").
      
      Since the map word is no longer a valid pointer after packing, we also
      change the tag of the packed map word to make it look like a Smi. This
      helps various GC and barrier code to correctly skip them instead of
      blindly dereferencing this invalid pointer.
      
      A ninja flag `v8_enable_map_packing` is provided to turn this
      map-packing feature on and off. It is disabled by default.
      
      * Only works on x64 platform, with `v8_enable_pointer_compression`
        set to `false`
      
      Bug: v8:11624
      Change-Id: Ia2bdf79553945e5fc0b0874c87803d2cc733e073
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2247561
      Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
      Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      Reviewed-by: Georg Neis <neis@chromium.org>
      Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#73915}
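The pack/unpack scheme this commit describes, as an added C++ sketch that is not V8's MapWord implementation: putting metadata in bits 48..63 of the map word, the single hypothetical `kMarkBit`, the one-word header struct and the scanner stand-in are assumptions of the example, and V8's actual encoding differs. What it shows is the property the message relies on: a packed map word carries a Smi-style low tag, so pointer-following code skips it instead of dereferencing garbage, and a map store must preserve the metadata the GC already placed in the word.

```cpp
// Added example, not V8's implementation: packing per-object metadata into
// the unused high bits of a 64-bit map word, with the packed word given a
// Smi-style low tag so scanning code skips it instead of dereferencing it.
#include <cstdint>
#include <cstdio>
#include <vector>

// V8 convention: low bit 1 = tagged heap pointer, low bit 0 = Smi.
constexpr uint64_t kHeapObjectTag = 1;
constexpr uint64_t kHeapObjectTagMask = 1;
// Assumed layout: metadata occupies bits 48..63, which x86-64 user-space
// addresses leave clear (the "higher unused bits").
constexpr unsigned kMetadataShift = 48;
constexpr uint64_t kMetadataMask = uint64_t{0xFFFF} << kMetadataShift;
constexpr uint16_t kMarkBit = 1 << 0;  // hypothetical per-object mark bit

inline bool HasSmiTag(uint64_t word) { return (word & kHeapObjectTagMask) == 0; }

// Pack: drop the heap-object tag (so the word reads as a Smi) and OR the
// metadata in above the address bits.
inline uint64_t PackMapWord(uint64_t tagged_map, uint16_t metadata) {
  return (tagged_map & ~kHeapObjectTagMask & ~kMetadataMask) |
         (uint64_t{metadata} << kMetadataShift);
}
// Unpack: strip the metadata and restore the tag so the result is a
// dereferenceable map pointer again.
inline uint64_t UnpackMapWord(uint64_t packed) {
  return (packed & ~kMetadataMask) | kHeapObjectTag;
}
inline uint16_t PackedMetadata(uint64_t packed) {
  return static_cast<uint16_t>(packed >> kMetadataShift);
}

// Minimal object header: only a map word, as in V8.
struct HeapObjectHeader {
  uint64_t map_word;
  // A map store keeps whatever metadata the GC already put in the word.
  void set_map(uint64_t tagged_map) { map_word = PackMapWord(tagged_map, PackedMetadata(map_word)); }
  uint64_t map() const { return UnpackMapWord(map_word); }
  void set_metadata(uint16_t m) { map_word = PackMapWord(map(), m); }
  uint16_t metadata() const { return PackedMetadata(map_word); }
};

// Stand-in for a scanner or write barrier: it only follows words that carry
// the heap-object tag, so packed map words are skipped automatically.
inline std::vector<uint64_t> WordsAScannerWouldFollow(const std::vector<uint64_t>& words) {
  std::vector<uint64_t> out;
  for (uint64_t w : words) {
    if (!HasSmiTag(w)) out.push_back(w);
  }
  return out;
}

constexpr uint64_t kSampleMap = 0x00007f00deadbee1;  // constructed tagged map address

bool RoundTripPreservesMapAndMetadata() {
  HeapObjectHeader obj{0};
  obj.set_map(kSampleMap);
  obj.set_metadata(kMarkBit | 0x0A00);
  uint64_t map_before = obj.map();
  obj.set_map(kSampleMap + 0x40);  // a map transition must not lose the mark bit
  return map_before == kSampleMap && obj.map() == kSampleMap + 0x40 &&
         (obj.metadata() & kMarkBit) != 0;
}

bool PackedMapWordIsSkippedByScanner() {
  HeapObjectHeader obj{0};
  obj.set_map(kSampleMap);
  obj.set_metadata(kMarkBit);
  // Constructed word list: one packed map word, one real tagged pointer,
  // one genuine Smi. Only the tagged pointer may be followed.
  std::vector<uint64_t> followed =
      WordsAScannerWouldFollow({obj.map_word, kSampleMap, uint64_t{42} << 1});
  return followed.size() == 1 && followed[0] == kSampleMap && HasSmiTag(obj.map_word);
}

int main() {
  HeapObjectHeader obj{0};
  obj.set_map(kSampleMap);
  obj.set_metadata(kMarkBit);
  std::printf("map_word=%#llx map=%#llx metadata=%#x\n", (unsigned long long)obj.map_word,
              (unsigned long long)obj.map(), obj.metadata());
  return RoundTripPreservesMapAndMetadata() && PackedMapWordIsSkippedByScanner() ? 0 : 1;
}
```

The caveat the message states applies here too: the scheme only works when the pointer really leaves its high bits unused, which is why the commit restricts it to x64 without pointer compression (a compressed 32-bit map word has no spare bits to hold metadata).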
  32. 06 Apr, 2021 1 commit
    • Reland^2 "[ptr-cage] Rename IsolateRoot to PtrComprCageBase" · 627b6b2f
      Shu-yu Guo authored
      This is a reland of e28dadc2
      
      The original failure was due to a stale Win32 bot. The reland failure
      was due to idempotent task deduplication returning the exact same
      failure. See crbug/1196064
      
      Original change's description:
      > [ptr-cage] Rename IsolateRoot to PtrComprCageBase
      >
      > Currently, IsolateRoot is both the address of the Isolate root and the
      > base address of the pointer compression reservation. This CL teases the
      > two uses apart by renaming IsolateRoot to PtrComprCageBase.
      >
      > - In addition to V8_COMPRESS_POINTERS, add a
      >   V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE (vs SHARED_CAGE).
      >
      > - Rename GetIsolate* helpers to GetPtrComprCageBase. When
      >   V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE is true, the helpers remain as
      >   aliases to GetPtrComprCageBase.
      >
      > - Rename kPtrComprIsolateRootAlignment to kPtrComprCageBaseAlignment.
      >
      > Bug: v8:11460
      > Change-Id: I1d715f678ce9a0b5731895612ca14f56579b1c48
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2783672
      > Commit-Queue: Shu-yu Guo <syg@chromium.org>
      > Auto-Submit: Shu-yu Guo <syg@chromium.org>
      > Reviewed-by: Igor Sheludko <ishell@chromium.org>
      > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#73790}
      
      Bug: v8:11460
      No-Try: true
      Tbr: ishell@chromium.org
      Tbr: rmcilroy@chromium.org
      Change-Id: Id69311cf3267ebe1297fff159de0be48b15b65a3
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2806546
      Reviewed-by: Shu-yu Guo <syg@chromium.org>
      Commit-Queue: Shu-yu Guo <syg@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#73795}
  33. 05 Apr, 2021 4 commits
    • Revert "Reland "[ptr-cage] Rename IsolateRoot to PtrComprCageBase"" · 562c4251
      Shu-yu Guo authored
      This reverts commit 15c78b45.
      
      Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Win32/32277/overview
      
      Original change's description:
      > Reland "[ptr-cage] Rename IsolateRoot to PtrComprCageBase"
      >
      > This is a reland of e28dadc2
      >
      > Relanding to see if Win32 rel failures from
      > https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Win32/32275/overview
      > were infra flakes. Could not repro on try bots.
      >
      > Original change's description:
      > > [ptr-cage] Rename IsolateRoot to PtrComprCageBase
      > >
      > > Currently, IsolateRoot is both the address of the Isolate root and the
      > > base address of the pointer compression reservation. This CL teases the
      > > two uses apart by renaming IsolateRoot to PtrComprCageBase.
      > >
      > > - In addition to V8_COMPRESS_POINTERS, add a
      > >   V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE (vs SHARED_CAGE).
      > >
      > > - Rename GetIsolate* helpers to GetPtrComprCageBase. When
      > >   V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE is true, the helpers remain as
      > >   aliases to GetPtrComprCageBase.
      > >
      > > - Rename kPtrComprIsolateRootAlignment to kPtrComprCageBaseAlignment.
      > >
      > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2783672
      > > Reviewed-by: Igor Sheludko <ishell@chromium.org>
      > > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
      >
      > No-Try: true
      > Bug: v8:11460
      > Tbr: ishell@chromium.org
      > Tbr: rmcilroy@chromium.org
      > Change-Id: I0a8c3a48999d6737c8c64d2c2703607f14f3fdd0
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2806169
      > Reviewed-by: Shu-yu Guo <syg@chromium.org>
      > Commit-Queue: Shu-yu Guo <syg@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#73792}
      
      Bug: v8:11460
      Change-Id: Ifee92d622c43a91c15f45ef94ff739237bd2024b
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2806545
      Auto-Submit: Shu-yu Guo <syg@chromium.org>
      Reviewed-by: Shu-yu Guo <syg@chromium.org>
      Commit-Queue: Shu-yu Guo <syg@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#73793}
    • Reland "[ptr-cage] Rename IsolateRoot to PtrComprCageBase" · 15c78b45
      Shu-yu Guo authored
      This is a reland of e28dadc2
      
      Relanding to see if Win32 rel failures from
      https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Win32/32275/overview
      were infra flakes. Could not repro on try bots.
      
      Original change's description:
      > [ptr-cage] Rename IsolateRoot to PtrComprCageBase
      >
      > Currently, IsolateRoot is both the address of the Isolate root and the
      > base address of the pointer compression reservation. This CL teases the
      > two uses apart by renaming IsolateRoot to PtrComprCageBase.
      >
      > - In addition to V8_COMPRESS_POINTERS, add a
      >   V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE (vs SHARED_CAGE).
      >
      > - Rename GetIsolate* helpers to GetPtrComprCageBase. When
      >   V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE is true, the helpers remain as
      >   aliases to GetPtrComprCageBase.
      >
      > - Rename kPtrComprIsolateRootAlignment to kPtrComprCageBaseAlignment.
      >
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2783672
      > Reviewed-by: Igor Sheludko <ishell@chromium.org>
      > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
      
      No-Try: true
      Bug: v8:11460
      Tbr: ishell@chromium.org
      Tbr: rmcilroy@chromium.org
      Change-Id: I0a8c3a48999d6737c8c64d2c2703607f14f3fdd0
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2806169
      Reviewed-by: Shu-yu Guo <syg@chromium.org>
      Commit-Queue: Shu-yu Guo <syg@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#73792}
    • Revert "[ptr-cage] Rename IsolateRoot to PtrComprCageBase" · 07a9ff4d
      Francis McCabe authored
      This reverts commit e28dadc2.
      
      Reason for revert: failed test262 tests; see https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Win32/32275/steps?succeeded=true&debug=false
      
      Original change's description:
      > [ptr-cage] Rename IsolateRoot to PtrComprCageBase
      >
      > Currently, IsolateRoot is both the address of the Isolate root and the
      > base address of the pointer compression reservation. This CL teases the
      > two uses apart by renaming IsolateRoot to PtrComprCageBase.
      >
      > - In addition to V8_COMPRESS_POINTERS, add a
      >   V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE (vs SHARED_CAGE).
      >
      > - Rename GetIsolate* helpers to GetPtrComprCageBase. When
      >   V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE is true, the helpers remain as
      >   aliases to GetPtrComprCageBase.
      >
      > - Rename kPtrComprIsolateRootAlignment to kPtrComprCageBaseAlignment.
      >
      > Bug: v8:11460
      > Change-Id: I1d715f678ce9a0b5731895612ca14f56579b1c48
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2783672
      > Commit-Queue: Shu-yu Guo <syg@chromium.org>
      > Auto-Submit: Shu-yu Guo <syg@chromium.org>
      > Reviewed-by: Igor Sheludko <ishell@chromium.org>
      > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#73790}
      
      Bug: v8:11460
      Change-Id: I19d0e28194fcdb28e89f129a7694ca3fe29fa17a
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2806168
      Auto-Submit: Francis McCabe <fgm@chromium.org>
      Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
      Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
      Cr-Commit-Position: refs/heads/master@{#73791}
    • [ptr-cage] Rename IsolateRoot to PtrComprCageBase · e28dadc2
      Shu-yu Guo authored
      Currently, IsolateRoot is both the address of the Isolate root and the
      base address of the pointer compression reservation. This CL teases the
      two uses apart by renaming IsolateRoot to PtrComprCageBase.
      
      - In addition to V8_COMPRESS_POINTERS, add a
        V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE (vs SHARED_CAGE).
      
      - Rename GetIsolate* helpers to GetPtrComprCageBase. When
        V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE is true, the helpers remain as
        aliases to GetPtrComprCageBase.
      
      - Rename kPtrComprIsolateRootAlignment to kPtrComprCageBaseAlignment.
      
      Bug: v8:11460
      Change-Id: I1d715f678ce9a0b5731895612ca14f56579b1c48
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2783672
      Commit-Queue: Shu-yu Guo <syg@chromium.org>
      Auto-Submit: Shu-yu Guo <syg@chromium.org>
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#73790}
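The distinction this commit draws between the Isolate root and the pointer-compression cage base, as an added C++ sketch that is not V8's code: the 4 GiB cage size and base alignment, the `kCompressPointersInIsolateCage` constant standing in for the V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE build flag, the two-field `Isolate` struct and the sample cage addresses are all assumptions of the example. It shows why the two notions must be separate once a cage can be shared: decompression needs only the cage base, every decompressed value lands inside the cage whichever 32-bit value was stored, and with per-isolate cages the same compressed value names a different object in each isolate.

```cpp
// Added example, not V8 code: decompressing a 32-bit compressed pointer
// against a PtrComprCageBase, for an isolate-private cage and for a cage
// shared by every isolate in the process.
#include <cstdint>
#include <cstdio>

using Tagged_t = uint32_t;  // compressed on-heap representation (tag bit included)
constexpr uint64_t kPtrComprCageReservationSize = uint64_t{1} << 32;          // 4 GiB
constexpr uint64_t kPtrComprCageBaseAlignment = kPtrComprCageReservationSize;  // assumption
// Stands in for the V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE (vs SHARED_CAGE) build flag.
constexpr bool kCompressPointersInIsolateCage = true;

struct PtrComprCageBase {
  uint64_t address;
};

constexpr bool IsValidCageBase(PtrComprCageBase base) {
  return base.address % kPtrComprCageBaseAlignment == 0;
}
constexpr bool IsInCage(PtrComprCageBase base, uint64_t full) {
  return full >= base.address && full - base.address < kPtrComprCageReservationSize;
}
// Compression keeps the low 32 bits; the cage base is the only extra input
// needed to get the full pointer back.
constexpr Tagged_t CompressTagged(uint64_t full) { return static_cast<Tagged_t>(full); }
constexpr uint64_t DecompressTagged(PtrComprCageBase base, Tagged_t compressed) {
  return base.address + compressed;
}

// The commit's point: the Isolate root and the cage base are distinct values.
struct Isolate {
  uint64_t isolate_root;       // address of the Isolate's root object
  PtrComprCageBase cage_base;  // base of the compression reservation it uses
};

// Constructed sample cages, each 4 GiB aligned.
constexpr PtrComprCageBase kIsolateCageA{0x0000000100000000};
constexpr PtrComprCageBase kSharedCage{0x0000000200000000};
constexpr PtrComprCageBase kIsolateCageB{0x0000000300000000};

// GetPtrComprCageBase: per-isolate cage under one flag, one process-wide
// cage under the other.
inline PtrComprCageBase GetPtrComprCageBase(const Isolate& iso) {
  return kCompressPointersInIsolateCage ? iso.cage_base : kSharedCage;
}

bool RoundTripWithinCage(PtrComprCageBase base, uint64_t full) {
  return IsValidCageBase(base) && IsInCage(base, full) &&
         DecompressTagged(base, CompressTagged(full)) == full;
}

// Whatever 32-bit value gets written into a compressed field, decompression
// lands inside the cage of the isolate reading it.
bool DecompressionNeverEscapesCage(PtrComprCageBase base, Tagged_t any_compressed) {
  return IsInCage(base, DecompressTagged(base, any_compressed));
}

// Same compressed value seen from two isolates: different objects with
// per-isolate cages, the same object when all isolates share one cage.
bool SameCompressedValueResolvesPerIsolate(Tagged_t compressed) {
  Isolate a{kIsolateCageA.address + 0x1000, kIsolateCageA};
  Isolate b{kIsolateCageB.address + 0x1000, kIsolateCageB};
  uint64_t pa = DecompressTagged(GetPtrComprCageBase(a), compressed);
  uint64_t pb = DecompressTagged(GetPtrComprCageBase(b), compressed);
  return kCompressPointersInIsolateCage ? pa != pb : pa == pb;
}

int main() {
  Isolate a{kIsolateCageA.address + 0x1000, kIsolateCageA};
  Tagged_t c = CompressTagged(kIsolateCageA.address + 0x12345);
  std::printf("compressed=%#x decompressed=%#llx in_cage=%d\n", c,
              (unsigned long long)DecompressTagged(GetPtrComprCageBase(a), c),
              DecompressionNeverEscapesCage(GetPtrComprCageBase(a), 0xFFFFFFFFu));
  return SameCompressedValueResolvesPerIsolate(c) ? 0 : 1;
}
```

Flip `kCompressPointersInIsolateCage` to `false` to see the shared-cage behaviour: every isolate decompresses against `kSharedCage`, so the `Isolate` root address is no longer usable as the base, which is exactly the conflation the rename removes.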
  34. 29 Mar, 2021 1 commit
  35. 08 Mar, 2021 1 commit
    • [dict-proto] SwissNameDictionary rollout in runtime code, pt. 3 · 416fae86
      Frank Emrich authored
      This CL is part of a series that makes SwissNameDictionary available
      as a new property backing store. Previously, the flag
      v8_dict_mode_prototypes allows selecting between NameDictionary and
      OrderedNameDictionary as the backing store used for all dictionary
      mode objects. This series of CLs changes this such that enabling the
      flag causes SwissNameDictionary being used instead of
      OrderedNameDictionary. The behavior for when the flag is not set
      remains unchanged (= use NameDictionary).
      
      This particular CL just collects many small changes, including some
      CSA changes where runtime calls are necessary.
      
      Bug: v8:11388
      Change-Id: I38fd18098fc641a5d92a986da251a6b3ac09411a
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2739642
      Commit-Queue: Frank Emrich <emrich@google.com>
      Reviewed-by: Marja Hölttä <marja@chromium.org>
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#73257}