- 24 Aug, 2018 37 commits
-
-
Georg Neis authored
Now that we always instantiate the right ObjectData subclass, we can give precise types to members. R=jarin@chromium.org Bug: v8:7790 Change-Id: Ic2194de90f458ddccbeb9f101903e5865fb4eb41 Reviewed-on: https://chromium-review.googlesource.com/1187103Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#55404}
-
Florian Sattler authored
This halfs the test size but also halfs the baseline for the score to make it comparable. Bug: v8:7926 Change-Id: Id3769def6a555ef1bddf8dd5e54c04b8652e5b54 Reviewed-on: https://chromium-review.googlesource.com/1188465Reviewed-by:
Toon Verwaest <verwaest@chromium.org> Commit-Queue: Florian Sattler <sattlerf@google.com> Cr-Commit-Position: refs/heads/master@{#55403}
-
Georg Neis authored
Also define classes NativeContext and InternalizedString. Those object kinds were already part of our Object hierarchy but didn't have their own class, which was inconvenient. R=jarin@chromium.org, mslekova@chromium.org Bug: v8:7790 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Change-Id: Ic443a2b2e34afc89bc924e845d995e3f287a2535 Reviewed-on: https://chromium-review.googlesource.com/1185592Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Reviewed-by:
-
Bret Sepulveda authored
It appears that the fields are already being unescaped elsewhere, perhaps by the JSON writer. So if we unescape when adding the source filename and contents, unescaping will happen again later and plain backslashes will be interpreted as escape codes. Bug: v8:6240 Change-Id: Ic66b9017ae685d6dd12944ee8d254991e26fbd32 Reviewed-on: https://chromium-review.googlesource.com/1186625Reviewed-by:
-
Michael Starzinger authored
R=titzer@chromium.org TEST=mjsunit/wasm/module-memory Change-Id: If190f4f75feb0560bfb608b5ec01234c95e1f715 Reviewed-on: https://chromium-review.googlesource.com/1188464Reviewed-by:
Ben Titzer <titzer@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#55400}
-
Toon Verwaest authored
Change-Id: I228bbd81807fdfac9e760576f89aeb133e45cf61 Reviewed-on: https://chromium-review.googlesource.com/1186326 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by:
Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#55399}
-
Michael Starzinger authored
R=ahaas@chromium.org BUG=v8:8091 Change-Id: I648e5a957e02d32e51c94175a6596801ca5ebd9e Reviewed-on: https://chromium-review.googlesource.com/1188310 Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by:
Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#55398}
-
jgruber authored
This fixes several issues related to off-heap trampoline handling on ia32. Unlike other architectures, ia32 uses a pc-relative call/jump for the off-heap trampoline. That means we cannot skip reloc info emission, and we need to relocate when the buffer grows during code generation. Finally, inlined trampolines must not clobber and thus also need to use a pc-relative call/jump. Drive-by: Use PreserveRootIA32 config only for whitelisted builtins to build successfully by default. Bug: v8:6666 Change-Id: I2b72147c6c70036cd13d8b22e2c80ade786c47b8 Reviewed-on: https://chromium-review.googlesource.com/1188316 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by:
Sigurd Schneider <sigurds@chromium.org> Cr-Commit-Position: refs/heads/master@{#55397}
-
Sreten Kovacevic authored
Original commit d67d91db Change-Id: I2787a090e8794b91a7f08635ce73f925e1021477 Reviewed-on: https://chromium-review.googlesource.com/1188317Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Sreten Kovacevic <skovacevic@wavecomp.com> Cr-Commit-Position: refs/heads/master@{#55396}
-
Michael Starzinger authored
R=sigurds@chromium.org TEST=cctest/test-jump-table-assembler/JumpTablePatchingStress BUG=v8:8085 Change-Id: Iad786172541a2a72d2b774b60da87f40d70ca71d Reviewed-on: https://chromium-review.googlesource.com/1188135 Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by:
-
Maya Lekova authored
Bug: v8:8090 Change-Id: I6f8a4d2bcfa25bcc83f29e5fd39f9e72ba18d4ac Reviewed-on: https://chromium-review.googlesource.com/1188132Reviewed-by:
-
Hannes Payer authored
This reverts commit 5876d8f5. Bug: chromium:852420 Change-Id: I318587f20409f98d05278fc0b4c14da09d259cd3 Reviewed-on: https://chromium-review.googlesource.com/1188128Reviewed-by:
Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Hannes Payer <hpayer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55393}
-
Michael Starzinger authored
This method introduces an inherent race because it allows changing global static flag variables from concurrently running Isolates (or Workers). Since there are not too many use-cases left, the method in question can be removed entirely. R=hpayer@chromium.org Change-Id: I9798730dd775b04f0bc83f18ed5982672e76e5d5 Reviewed-on: https://chromium-review.googlesource.com/1186731Reviewed-by:
Hannes Payer <hpayer@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#55392}
-
Ross McIlroy authored
This reverts commit bca38dbf. Reason for revert: Makes ODROIDs flaky. BUG=v8:8086 Original change's description: > [Tests] Fix some OOM failures on Android by explicitly setting max_old_space_size. > > BUG=v8:8040 > > Change-Id: I8de22af3978f2a8eb844eabdb757bd635050f901 > Reviewed-on: https://chromium-review.googlesource.com/1181432 > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> > Cr-Commit-Position: refs/heads/master@{#55227} TBR=ulan@chromium.org,rmcilroy@chromium.org Bug: v8:8040 Change-Id: Ife980e8706ebbff4d86d87739c2f621d7a976039 Reviewed-on: https://chromium-review.googlesource.com/1188322 Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by:
Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#55391}
-
Benedikt Meurer authored
Place the LoadField for the backing store of the [[IteratedObject]] before the diamond to make it possible to eliminate this LoadField in LoadElimination later, when used in `for..of` or destructing. This further improves the performance of `for..of` in the micro benchmark on the tracking bug from console.timeEnd: forOf, 191.726000 console.timeEnd: traditional, 107.572000 console.timeEnd: forOf, 137.288000 console.timeEnd: traditional, 102.976000 console.timeEnd: forOf, 137.506000 console.timeEnd: traditional, 103.089000 to around console.timeEnd: forOf, 195.238000 console.timeEnd: traditional, 107.078000 console.timeEnd: forOf, 128.980000 console.timeEnd: traditional, 103.106000 console.timeEnd: forOf, 128.525000 console.timeEnd: traditional, 103.072000 so roughly another ~7% improvement (with untrusted code mitigations turned off). Bug: v8:8070 Change-Id: I34831c503384f0cc44b95317dd84403f2ed8ecd5 Reviewed-on: https://chromium-review.googlesource.com/1188138Reviewed-by:
-
Stephan Herhut authored
This is a reland of 524215be Original change's description: > Use new arraybuffer deleter interface in d8 > > With this cl we start using the custom deleter to free externalized > array buffers. This also allows us to keep wasm memories registered > with the wasm memory tracker and thereby to propagate that a memory > is wasm allocated over postMessage calls. > > Bug: v8:8073, chromium:836800 > Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng > Change-Id: I57e3ea44d9c6633ada7996677dd1de4da810ab64 > Reviewed-on: https://chromium-review.googlesource.com/1186681 > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> > Commit-Queue: Stephan Herhut <herhut@chromium.org> > Cr-Commit-Position: refs/heads/master@{#55361} Bug: v8:8073, chromium:836800 Change-Id: Ia3c057ced496363cfdd07eed16ed1d0c7a3f3084 Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Reviewed-on: https://chromium-review.googlesource.com/1188222Reviewed-by:
-
Florian Sattler authored
Restricting the enum to uint8_t and reorder type for better alignment. Bug: v8:7926 Change-Id: Ib37d600a189d12bac3c6aa8cf4b88970f8547548 Reviewed-on: https://chromium-review.googlesource.com/1188125 Commit-Queue: Florian Sattler <sattlerf@google.com> Reviewed-by:
Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#55388}
-
Dominik Inführ authored
Add location information in heap snapshot for objects where the constructor can be determined. Bug: chromium:854097 Change-Id: Ieb2ab70a65809ecc9dfa0d73a33fa57add430465 Reviewed-on: https://chromium-review.googlesource.com/1179156 Commit-Queue: Dominik Inführ <dinfuehr@google.com> Reviewed-by:
Alexei Filippov <alph@chromium.org> Cr-Commit-Position: refs/heads/master@{#55387}
-
Tobias Tebbi authored
[turbofan] escape analysis: remove TypeGuard renamings of dematerialized allocations from the effect chain Change-Id: Ie7b43feda381647523cb8cc3e7965823d3006063 Reviewed-on: https://chromium-review.googlesource.com/1188140Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#55386}
-
Toon Verwaest authored
This embeds LiteralBuffers in the TokenDesc directly so that we do not need to figure out which one is free; as well as newline tracking. Instead of copying around TokenDesc we now just update the pointer to keep track of the state. Based on this architecture we'll be able to precompute more tokens at once. Change-Id: Ie2e1a95f91713f7ab619fc8632f1eb644884a51f Reviewed-on: https://chromium-review.googlesource.com/1184911 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by:
-
Simon Zünd authored
Instead of using the slow-path for COW arrays, we now properly copy them and use the fast-path. R=jgruber@chromium.org Change-Id: Iebbad5f761d97c5400c457877571c7930269d52f Reviewed-on: https://chromium-review.googlesource.com/1188130 Commit-Queue: Simon Zünd <szuend@google.com> Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#55384}
-
Igor Sheludko authored
Bug: v8:7703, chromium:876696 Change-Id: Ida3243414215b2ef75a9875ca31cf5a68274f7e0 Reviewed-on: https://chromium-review.googlesource.com/1185186Reviewed-by:
-
Creddy authored
Change type elements kind in empty array boilerplate desc from PACKED_ELEMENTS to PACKED_SMI_ELEMENTS The default array elements kind should be PACKED_SMI_ELEMENTS (top of type lattice) to allow type transitions to other types. Change-Id: Icda969d0553628ef75d6c26bf6f32fef46512f0f Reviewed-on: https://chromium-review.googlesource.com/1188133Reviewed-by:
-
Lei Zhang authored
In LiftoffCompiler::EmitTypeConversion() there is a DCHECK_EQ() where one argument is implicitly converted to bool. This confuses MSVC, which causes it to think the two arguments to DCHECK_EQ() do not have the same type. Fix this with an explicit bool conversion!! This does not affect the "v8_win64_msvc_compile_rel" bot, presumably because it is a release bot with DCHECKs turned off. Change-Id: I602ddae7a970e17388730e895eafd4ec78de7602 Reviewed-on: https://chromium-review.googlesource.com/1187702Reviewed-by:
-
jgruber authored
Prior to this, it was possible to explicitly specify machine types for stack arguments, but these were simply ignored and treated as tagged-by-default when creating the actual CallDescriptor. This verifies that all stack args specified in the descriptor are actually given tagged types, and fails early if that is not the case. Bug: v8:6666 Change-Id: Idb543a11c976d0260fea60d31e30c21b15b32256 Reviewed-on: https://chromium-review.googlesource.com/1186642Reviewed-by:
-
Bret Sepulveda authored
Builtin functions were being logged via both LogCodeObjects and LogCompiledFunctions. The latter assumes the code in question has a Name and so would end up logging an unattributable entry. This patch stops logging that entry. Bug: v8:8061 Change-Id: Iebc9bfa9618986afdbf8b1b71b64bf17a1f4196a Reviewed-on: https://chromium-review.googlesource.com/1184923Reviewed-by:
Peter Marshall <petermarshall@chromium.org> Commit-Queue: Bret Sepulveda <bsep@chromium.org> Cr-Commit-Position: refs/heads/master@{#55379}
-
Florian Sattler authored
This reduces the enum size to only take up one byte, hence decreasing class size. Bug: v8:7926 Change-Id: Ie50cfcd48541e44394814f375fd72f2b65722fdf Reviewed-on: https://chromium-review.googlesource.com/1186582 Commit-Queue: Florian Sattler <sattlerf@google.com> Reviewed-by:
-
Michaël Zasso authored
Introduced in https://chromium-review.googlesource.com/1183431. The namespace was missing making compilation of Node.js with GCC fail. Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Change-Id: I55c1117ab347db17fd8acfa92c653e8cf737586f Reviewed-on: https://chromium-review.googlesource.com/1188126Reviewed-by:
-
Michael Lippautz authored
Bug: chromium:843903 Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Change-Id: Ie959e443fdf5dce92c4cd42ef62ec914a13b867e Reviewed-on: https://chromium-review.googlesource.com/1187151 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by:
-
Florian Sattler authored
This is a reland of d16bce9d Original change's description: > [parser] Removed unnecessary copies > > Bug: v8:8015 > Change-Id: I2ee074559484b9865dc1a27e6ea697ca311ee7ee > Reviewed-on: https://chromium-review.googlesource.com/1185198 > Reviewed-by: Marja Hölttä <marja@chromium.org> > Commit-Queue: Florian Sattler <sattlerf@google.com> > Cr-Commit-Position: refs/heads/master@{#55327} Bug: v8:8015 Change-Id: I63cf34898f4bbdba84f44e3769301d028ea49965 Reviewed-on: https://chromium-review.googlesource.com/1188142Reviewed-by:
-
Benedikt Meurer authored
The LoadElimination must be able to print Maps, so we need to allow handle dereferencing here. Change-Id: Id39a6db5a4f40ec6212404b3aa30a36fdd1ba57e Reviewed-on: https://chromium-review.googlesource.com/1188127 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by:
-
Benedikt Meurer authored
In LoadElimination leverage the fact that initializing stores (i.e. stores to freshly allocated objects) cannot touch existing objects, since the object can only escape once it's fully initialized and then all accesses will happen on the FinishRegion node instead of the naked Allocate node. This helps to eliminate the redundant map checks and "length" accesses to arrays, since TurboFan now knows that the iterated array cannot alias with neither the freshly allocated ArrayIterator nor the freshly allocated IterResultObject instances. This improves the times on the benchmark in the tracking bug from console.timeEnd: forOf, 188.111000 console.timeEnd: traditional, 116.380000 console.timeEnd: forOf, 170.721000 console.timeEnd: traditional, 108.209000 console.timeEnd: forOf, 168.491000 console.timeEnd: traditional, 108.839000 to console.timeEnd: forOf, 192.501000 console.timeEnd: traditional, 106.909000 console.timeEnd: forOf, 138.364000 console.timeEnd: traditional, 103.232000 console.timeEnd: forOf, 138.755000 console.timeEnd: traditional, 102.928000 when running with untrusted code mitigations turned off, and thus corresponds to a ~18% performance improvement, roughly cutting the performance difference between the traditional for loop and the for..of loop in half. Besides for..of loops this will also help with array destructuring patterns where TurboFan also emitted redundant map checks on the array and didn't eliminate the redundant "length" accesses. Bug: v8:8070 Change-Id: Iab283247f6d304d1e3c7c147f32ab957577aad21 Reviewed-on: https://chromium-review.googlesource.com/1188124Reviewed-by:
-
Kanghua Yu authored
This also refactors CodeAssembler::Branch(condition,true_label,false_label) to support constant folding, and adds Branch(condition,true_label,false_body) variants for special cases. Change-Id: Ifc04442657295124a95c60f76efde5c46de6f1b5 Reviewed-on: https://chromium-review.googlesource.com/1186136 Commit-Queue: Kanghua Yu <kanghua.yu@intel.com> Reviewed-by:
Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#55372}
-
Simon Zünd authored
This CL fixes the "sort-lengths" benchmark so the ElementsKind of the array to sort is PACKED_SMI again. This was somehow broken. R=jgruber@chromium.org Change-Id: I129e001eae4c88e9f99174b3494193232d933c3f Reviewed-on: https://chromium-review.googlesource.com/1188122Reviewed-by:
-
Maya Lekova authored
This reverts commit 8093b4f3. Reason for revert: Breaks the following layout & non-layout bots in "fast/js/date-proto-generic-invocation.html" test https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8-Blink%20Win/14570 https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8-Blink%20Linux%2064/25795 https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8-Blink%20Linux%2064%20(dbg)/13317 https://ci.chromium.org/p/v8/builders/luci.v8.ci/Linux%20Tests%20(dbg)(1)/6565 Original change's description: > Reland "[Intl] move Date.prototype.toLocale{,Date,Time}String to C++" > > This is a reland of 8e57cd51 > > Original change's description: > > [Intl] move Date.prototype.toLocale{,Date,Time}String to C++ > > > > Bug: v8:7961 > > Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng > > Change-Id: Ie75eb443fc0907a4e1e4cafd4f5c06c23794f5a9 > > Reviewed-on: https://chromium-review.googlesource.com/1156123 > > Commit-Queue: Frank Tang <ftang@chromium.org> > > Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#55239} > > Bug: v8:7961 > Change-Id: Ib7dd3b7b3d363b7b8cb2dcd89a5d591fab592c81 > Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng > Reviewed-on: https://chromium-review.googlesource.com/1185763 > Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> > Commit-Queue: Frank Tang <ftang@chromium.org> > Cr-Commit-Position: refs/heads/master@{#55368} TBR=jshin@chromium.org,gsathya@chromium.org,ftang@chromium.org Change-Id: I9ba94daecaca38e86a1f07b649931079ca88b28d No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:7961 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Reviewed-on: https://chromium-review.googlesource.com/1188143Reviewed-by:
Maya Lekova <mslekova@chromium.org> Commit-Queue: Maya Lekova <mslekova@chromium.org> Cr-Commit-Position: refs/heads/master@{#55370}
-
Simon Zünd authored
This CL adds a baseline implementation for Array.p.reverse in Torque, as well as fastpaths for PACKED elements kinds. Support for sparse JSArrays was removed. R=jgruber@chromium.org, petermarshall@chromium.org Bug: v8:7624 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Change-Id: I12900fbbb44746f1c5d36b78be826e14b88b4f69 Reviewed-on: https://chromium-review.googlesource.com/1185600 Commit-Queue: Simon Zünd <szuend@google.com> Reviewed-by:
-
Frank Tang authored
This is a reland of 8e57cd51 Original change's description: > [Intl] move Date.prototype.toLocale{,Date,Time}String to C++ > > Bug: v8:7961 > Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng > Change-Id: Ie75eb443fc0907a4e1e4cafd4f5c06c23794f5a9 > Reviewed-on: https://chromium-review.googlesource.com/1156123 > Commit-Queue: Frank Tang <ftang@chromium.org> > Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> > Cr-Commit-Position: refs/heads/master@{#55239} Bug: v8:7961 Change-Id: Ib7dd3b7b3d363b7b8cb2dcd89a5d591fab592c81 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Reviewed-on: https://chromium-review.googlesource.com/1185763Reviewed-by:
Sathya Gunasekaran <gsathya@chromium.org> Commit-Queue: Frank Tang <ftang@chromium.org> Cr-Commit-Position: refs/heads/master@{#55368}
-
- 23 Aug, 2018 3 commits
-
-
Michael Achenbach authored
This reverts commit adea021b. Reason for revert: https://crbug.com/v8/8087 Original change's description: > [heap] Reuse object evacuation information for slot recording in Scavenger. > > Bug: chromium:852420 > Change-Id: If092b5c8b093b313807687a27bc29bebd1c4ee5f > Reviewed-on: https://chromium-review.googlesource.com/1187143 > Commit-Queue: Hannes Payer <hpayer@chromium.org> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > Cr-Commit-Position: refs/heads/master@{#55364} TBR=ulan@chromium.org,hpayer@chromium.org Change-Id: I480328e852c09f460a38e141eb7d2960c5001d35 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: chromium:852420 Reviewed-on: https://chromium-review.googlesource.com/1187301Reviewed-by:
Michael Achenbach <machenbach@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#55367}
-
Michael Achenbach authored
This reverts commit 524215be. Reason for revert: Breaks cfi: https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux64%20-%20cfi/16422 Original change's description: > Use new arraybuffer deleter interface in d8 > > With this cl we start using the custom deleter to free externalized > array buffers. This also allows us to keep wasm memories registered > with the wasm memory tracker and thereby to propagate that a memory > is wasm allocated over postMessage calls. > > Bug: v8:8073, chromium:836800 > Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng > Change-Id: I57e3ea44d9c6633ada7996677dd1de4da810ab64 > Reviewed-on: https://chromium-review.googlesource.com/1186681 > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> > Commit-Queue: Stephan Herhut <herhut@chromium.org> > Cr-Commit-Position: refs/heads/master@{#55361} TBR=mstarzinger@chromium.org,herhut@chromium.org Change-Id: I64c4e76d8d68bad8df4ba3297c099b9b44eabc7c No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:8073, chromium:836800 Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Reviewed-on: https://chromium-review.googlesource.com/1187241Reviewed-by:
-
Bruce Dawson authored
PAGE_TARGETS_INVALID tells CFG (Control Flow Guard) to mark all addresses as invalid indirect branch targets. This makes exploits more difficult. The benefit is minor because most of the code in the Chrome process doesn't use the CFG checks, but this will close off a few weaknesses and is the direction we will want to go in eventually anyway (with specific targets or call sites opted-in to allowing calls, using SetProcessValidCallTargets). PAGE_TARGETS_INVALID may ultimately cause CFG to not allocate memory - that is implied by Windows Internals 7th Edition - and if that is implemented then this change will save some modest amount of memory. PAGE_TARGETS_INVALID was introduced in Windows 10 - according to Windows Internals Part 1 7th Edition - prior to that it will cause VirtualAlloc to fail. Bug: chromium:870054 Change-Id: Ib1784fba37cc0ecb5fe5df595f1519531b3b3a20 Reviewed-on: https://chromium-review.googlesource.com/1186025 Commit-Queue: Bruce Dawson <brucedawson@chromium.org> Reviewed-by:
-
