- 16 Aug, 2021 1 commit
-
-
Nico Weber authored
Bug: chromium:1066980 Change-Id: I03a6b5253043bfb9825a1a64a1d9b060958e5a98 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3094866 Auto-Submit: Nico Weber <thakis@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#76293}
-
- 24 Jun, 2021 3 commits
-
-
Dan Elphick authored
This is a reland of 9701d4a4 with a small fix for some code landed in between the dry-run and submission. Original change's description: > [base] Move most of src/numbers into base > > Moves all but conversions.*, hash-seed-inl.h and math-random.* into > base, in preparation for moving the parts of conversions that don't > access HeapObjects. > > Also moves uc16 and uc32 out of commons/globals.h into base/strings.h. > > Bug: v8:11917 > Change-Id: Ife359148bb0961a63833aff40d26331454b6afb6 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2979595 > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> > Reviewed-by: Clemens Backes <clemensb@chromium.org> > Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> > Auto-Submit: Dan Elphick <delphick@chromium.org> > Cr-Commit-Position: refs/heads/master@{#75354} Bug: v8:11917 Change-Id: Ie1ec9032fe56646a7c7303185cecc70fce5694ae Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2982607Reviewed-by: Clemens Backes <clemensb@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Commit-Queue: Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/master@{#75368}
-
Nico Hartmann authored
This reverts commit 9701d4a4. Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Mac64/40802/overview Original change's description: > [base] Move most of src/numbers into base > > Moves all but conversions.*, hash-seed-inl.h and math-random.* into > base, in preparation for moving the parts of conversions that don't > access HeapObjects. > > Also moves uc16 and uc32 out of commons/globals.h into base/strings.h. > > Bug: v8:11917 > Change-Id: Ife359148bb0961a63833aff40d26331454b6afb6 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2979595 > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> > Reviewed-by: Clemens Backes <clemensb@chromium.org> > Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> > Auto-Submit: Dan Elphick <delphick@chromium.org> > Cr-Commit-Position: refs/heads/master@{#75354} Bug: v8:11917 Change-Id: Iacf796c95256016fa74f0a910c5bb1a86baa425a No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2982605 Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org> Cr-Commit-Position: refs/heads/master@{#75356}
-
Dan Elphick authored
Moves all but conversions.*, hash-seed-inl.h and math-random.* into base, in preparation for moving the parts of conversions that don't access HeapObjects. Also moves uc16 and uc32 out of commons/globals.h into base/strings.h. Bug: v8:11917 Change-Id: Ife359148bb0961a63833aff40d26331454b6afb6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2979595Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Auto-Submit: Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/master@{#75354}
-
- 18 Jun, 2021 1 commit
-
-
Dan Elphick authored
The adding of base:: was mostly prepared using git grep and sed: git grep -l <pattern> | grep -v base/vector.h | \ xargs sed -i 's/\b<pattern>\b/base::<pattern>/ with lots of manual clean-ups due to the resulting v8::internal::base::Vectors. #includes were fixed using: git grep -l "src/utils/vector.h" | \ axargs sed -i 's!src/utils/vector.h!src/base/vector.h!' Bug: v8:11879 Change-Id: I3e6d622987fee4478089c40539724c19735bd625 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2968412Reviewed-by: Clemens Backes <clemensb@chromium.org> Reviewed-by: Hannes Payer <hpayer@chromium.org> Commit-Queue: Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/master@{#75243}
-
- 07 Jun, 2021 1 commit
-
-
Camillo Bruni authored
- Add new Builtin enum - Move Builtins::Name:kXXX to Builtin::kXXX - Update existing code Follow CLs will unify the mix of using int builtin-ids and Builtins::Name to only use the new Builtin enum and changing it to an enum class. Change-Id: Ib39aa45a25696acdf147f46392901b1e051deaa4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2905592 Commit-Queue: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Mythri Alle <mythria@chromium.org> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#74995}
-
- 21 Apr, 2021 1 commit
-
-
Leszek Swirski authored
Similar to the recent change to --code-comments, make --debug-code a build-time enabled flag, enabled by default on debug builds. This also removes the emit_debug_code() option from the assembler, instead using the flag directly (there were no cases where this option didn't match the global flag). Change-Id: Ic26b0d37b615a055508c9dda099ffbe979eae030 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2843348 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#74095}
-
- 08 Apr, 2021 1 commit
-
-
Igor Sheludko authored
This CL fixes a segfault when Wasm tried to generate a builtin call from background compilation job when the Isolate was already teared down by the main thread. Drive-by: Use CallBuiltin in RegExpMacroAssemblerARM64. Bug: v8:11527, chromium:1195552 Change-Id: I8048ffcb212bda4d19d07b5ec6b487d6fb16b30d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2811739 Auto-Submit: Igor Sheludko <ishell@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#73850}
-
- 19 Mar, 2021 1 commit
-
-
Georgia Kouveli authored
This use of LR previously allowed overwriting it with arbitrary addresses that aren't signed. Change this so we never return to an arbitrary LR. Instead of loading the InterpreterTrampolineEntry address into LR directly, use an ADR instruction to place into LR the address of a piece of code that jumps to the InterpreterTrampolineEntry instead. This makes a difference because BR is also constrained by BTI, whereas RET isn't. An alternative would have been to `Call` instead of `Jump` to the target bytecode and avoid the ADR instruction altogether, but I wanted to keep the same behaviour with respect to the return stack that the existing code exhibits. Also add a comment to src/regexp/arm64/regexp-macro-assembler-arm64.cc for a similar use of LR that should eventually be removed. Bug: v8:10026 Change-Id: I24a13481f3fa416247dab8f9e5ae6f52f6b2ad42 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2764761Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com> Cr-Commit-Position: refs/heads/master@{#73535}
-
- 17 Mar, 2021 2 commits
-
-
Igor Sheludko authored
... introduced in https://chromium-review.googlesource.com/c/v8/v8/+/2727502 Bug: v8:11527, v8:11421 Change-Id: I97d8711ad946789f8a39de5fcca41e77f20cde79 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2767019Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#73467}
-
Igor Sheludko authored
This is a speed-for-memory tradeoff, which can be achieved by re-mapping the builtins code blob into existing code range. The feature can be enabled by v8_enable_short_builtin_calls flag and it's off by default. This CL adds GN flag and updates code generator to emit shorter pc-relative calls/jumps to builtins. However, the runtime doesn't support appearance of the off-heap builtins' PCs that point to the embedded code blob on the stack yet. Bug: v8:11527, v8:11421 Change-Id: Iaba384c549675852beae70739175976ee193ffef Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2727502Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#73458}
-
- 12 Jan, 2021 1 commit
-
-
Georgia Kouveli authored
The frame pointer did not point to the previous frame pointer, which made the stack non-iterable with SafeStackFrameIterator. This can cause pointer authentication failures when CFI is enabled, as we expect the value stored above the previous frame pointer to be a return address. Bug: v8:10026 Change-Id: Ia55181038b1b277d0a6df519f1e7f61859847b1a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2614429Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com> Cr-Commit-Position: refs/heads/master@{#72036}
-
- 16 Oct, 2020 1 commit
-
-
Jakob Gruber authored
- Use kNoBuiltinId instead of literal -1. - Remove support for non-embedded builtins. - Update Code object layout comment. Bug: v8:10933 Change-Id: Ie75c6ccc0a0f19348ae214249a8fc81f7e91df0c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2474115 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Auto-Submit: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#70557}
-
- 14 Oct, 2020 1 commit
-
-
Martin Bidlingmaier authored
We fall back from irregexp to the experimental engine if a backtrack limit is exceeded and the experimental engine can handle the regexp. The feature can be turned on with a boolean flag, and an uint-valued flag controls the default backtrack limit. For regexps that are constructed with an explicit backtrack limit (API, %NewRegExpWithBacktrackLimit), we choose the lower of the explicit and default backtrack limits. The default backtrack limit does not apply to regexps that can't be handled by the experimental engine, and for such regexps an explicitly specified backtrack limit is handled as before by returning null if we exceed it. Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel_ng Bug: v8:10765 Change-Id: I580df79bd847520985b6c2c2159bc427315c89d1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2436341 Commit-Queue: Martin Bidlingmaier <mbid@google.com> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#70500}
-
- 05 Aug, 2020 1 commit
-
-
Jakob Gruber authored
With the new Turbofan variants (NCI and Turboprop), we need a way to distinguish between them both during and after compilation. We initially introduced CompilationTarget to track the variant during compilation, but decided to reuse the code kind as the canonical spot to store this information instead. Why? Because it is an established mechanism, already available in most of the necessary spots (inside the pipeline, on Code objects, in profiling traces). This CL removes CompilationTarget and adds a new NATIVE_CONTEXT_INDEPENDENT kind, plus helper functions to determine various things about a given code kind (e.g.: does this code kind deopt?). As a (very large) drive-by, refactor both Code::Kind and AbstractCode::Kind into a new CodeKind enum class. Bug: v8:8888 Change-Id: Ie858b9a53311b0731630be35cf5cd108dee95b39 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2336793 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#69244}
-
- 03 Jun, 2020 1 commit
-
-
Iain Ireland authored
https://crrev.com/c/2072858 rewrote the implementation of non-unicode ignore-case matches to comply with the JS spec in some corner cases. It fixed character matches and character class matches. We missed a similar bug in the implementation of back references. This CL fixes that bug. The main change is in regexp-macro-assembler.cc, where CaseInsensitiveCompareUC16 is split into CaseInsensitiveCompareUnicode (which has the same semantics as before) and CaseInsensitiveCompareNonUnicode (which has the semantics described here: https://tc39.es/ecma262/#sec-runtime-semantics-canonicalize-ch). Most of the rest of the patch undoes https://crrev.com/c/2081816 to once again make the unicode flag available to the macroassembler, so that we can decide which helper function to call. The testcase is a version of test/intl/regress-10248.js, modified to test backreferences. Bug: v8:10573 Change-Id: I70ef7d134d37f99b1f75a5eba17020e82d59f1b9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2219284Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#68129}
-
- 21 Apr, 2020 1 commit
-
-
Iain Ireland authored
LoadCurrentCharacterImpl is implemented once in each of the eight regexp-macro-assembler-<arch>.cc files. Aside from small differences in comment wording, those eight implementations are identical. The architecture-specific code for LoadCurrentCharacter is all in LoadCurrentCharacterUnchecked. This patch hoists the definition of LoadCurrentCharacterImpl into NativeRegExpMacroAssembler and turns LoadCurrentCharacterUnchecked into a virtual function. Note: The arm64 version of LoadCurrentCharacterImpl contained the following six-year-old comment, which I don't think is worth preserving: // TODO(pielan): Make sure long strings are caught before this, and // not just asserted in debug mode. R=jgruber@chromium.org Bug: v8:10406 Change-Id: Ic81283ad3b618d6b06f4206fb77d30de617dccb7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2140003 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#67260}
-
- 17 Mar, 2020 1 commit
-
-
Georgia Kouveli authored
Generate a BTI instruction at each target of an indirect branch (BR/BLR). An indirect branch that doesn't jump to a BTI instruction will generate an exception on a BTI-enabled core. On cores that do not support the BTI extension, the BTI instruction is a NOP. Targets of indirect branch instructions include, among other things, function entrypoints, exception handlers and jump tables. Lazy deopt exits can potentially be reached through an indirect branch when an exception is thrown, so they also get an additional BTI instruction. Bug: v8:10026 Change-Id: I0ebf51071f1b604f60f524096e013dfd64fcd7ff Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1967315 Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#66751}
-
- 02 Mar, 2020 1 commit
-
-
Jakob Gruber authored
In the past we've used the isolate argument to signal whether we were in unicode mode (nullptr) or not (the real isolate). This is no longer needed, and in fact breaks no-i18n mode which always expects to have a real isolate. Bug: v8:10120 Change-Id: I2f848c4ff8c2ff0e9b84278cbcdf3c3670e44e58 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2081816Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#66520}
-
- 28 Feb, 2020 1 commit
-
-
Emanuel Ziegler authored
This fixes a crash related to access after free on platforms that store the MacroAssembler as a pointer. The intended behavior is restored by explicitly setting the flag in the macro assembler instead of using NoRootArrayScope. Landing as TBR as it's blocking fuzzers and fix seems simple enough. TBR=jgruber@chromium.org R=jyan@ca.ibm.com R=miladfar@ca.ibm.com Bug: chromium:1057018 Change-Id: Ib6de82b47bb1abb74da58b3d476b359669372bb5 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2080242 Commit-Queue: Emanuel Ziegler <ecmziegler@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#66500}
-
- 27 Feb, 2020 1 commit
-
-
Emanuel Ziegler authored
Added implementations for ia32, arm, arm64. mips/mips64 will be committed in separate CL once the build is green again in order not to stall this CL with the supported architectures. Drive-by: Fixed issues with kScratchRegister being overwritten in case of RegExp compilation by using alternative temp register for x64. Drive-by: Added missing NoRootArrayScope to ia32, arm and arm64 RegExp macro assemblers. R=clemensb@chromium.org R=petermarshall@chromium.org R=jgruber@chromium.org Bug: chromium:1045860 Change-Id: I716d852b9bf780ae7b8d61376c6505dd3af96a50 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2071866 Commit-Queue: Emanuel Ziegler <ecmziegler@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#66482}
-
- 19 Feb, 2020 1 commit
-
-
Georgia Kouveli authored
There are cases where we push FP and LR to the stack even though we have already created a frame and already stored them. Avoid doing this, by cleaning up the caller- and callee-saved register lists, and passing a LinkRegisterStatus argument to TruncateDoubleToI. Change-Id: I652e7ec346a99e94617f1ec6b13935f5d2f73e7f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2060505 Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#66330}
-
- 13 Feb, 2020 1 commit
-
-
Georgia Kouveli authored
This is a reland of 137bfe47 Original change's description: > [arm64] Protect return addresses stored on stack > > This change uses the Arm v8.3 pointer authentication instructions in > order to protect return addresses stored on the stack. The generated > code signs the return address before storing on the stack and > authenticates it after loading it. This also changes the stack frame > iterator in order to authenticate stored return addresses and re-sign > them when needed, as well as the deoptimizer in order to sign saved > return addresses when creating new frames. This offers a level of > protection against ROP attacks. > > This functionality is enabled with the v8_control_flow_integrity flag > that this CL introduces. > > The code size effect of this change is small for Octane (up to 2% in > some cases but mostly much lower) and negligible for larger benchmarks, > however code size measurements are rather noisy. The performance impact > on current cores (where the instructions are NOPs) is single digit, > around 1-2% for ARES-6 and Octane, and tends to be smaller for big > cores than for little cores. > > Bug: v8:10026 > Change-Id: I0081f3938c56e2f24d8227e4640032749f4f8368 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1373782 > Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com> > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> > Reviewed-by: Georg Neis <neis@chromium.org> > Cr-Commit-Position: refs/heads/master@{#66239} Bug: v8:10026 Change-Id: Id1adfa2e6c713f6977d69aa467986e48fe67b3c2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2051958Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com> Cr-Commit-Position: refs/heads/master@{#66254}
-
- 12 Feb, 2020 2 commits
-
-
Nico Hartmann authored
This reverts commit 137bfe47. Reason for revert: https://ci.chromium.org/p/v8/builders/ci/V8%20Arm%20-%20debug/13072 Original change's description: > [arm64] Protect return addresses stored on stack > > This change uses the Arm v8.3 pointer authentication instructions in > order to protect return addresses stored on the stack. The generated > code signs the return address before storing on the stack and > authenticates it after loading it. This also changes the stack frame > iterator in order to authenticate stored return addresses and re-sign > them when needed, as well as the deoptimizer in order to sign saved > return addresses when creating new frames. This offers a level of > protection against ROP attacks. > > This functionality is enabled with the v8_control_flow_integrity flag > that this CL introduces. > > The code size effect of this change is small for Octane (up to 2% in > some cases but mostly much lower) and negligible for larger benchmarks, > however code size measurements are rather noisy. The performance impact > on current cores (where the instructions are NOPs) is single digit, > around 1-2% for ARES-6 and Octane, and tends to be smaller for big > cores than for little cores. > > Bug: v8:10026 > Change-Id: I0081f3938c56e2f24d8227e4640032749f4f8368 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1373782 > Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com> > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> > Reviewed-by: Georg Neis <neis@chromium.org> > Cr-Commit-Position: refs/heads/master@{#66239} TBR=rmcilroy@chromium.org,mstarzinger@chromium.org,neis@chromium.org,georgia.kouveli@arm.com Change-Id: I57d5928949b0d403774550b9bf7dc0b08ce4e703 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:10026 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2051952Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org> Cr-Commit-Position: refs/heads/master@{#66242}
-
Georgia Kouveli authored
This change uses the Arm v8.3 pointer authentication instructions in order to protect return addresses stored on the stack. The generated code signs the return address before storing on the stack and authenticates it after loading it. This also changes the stack frame iterator in order to authenticate stored return addresses and re-sign them when needed, as well as the deoptimizer in order to sign saved return addresses when creating new frames. This offers a level of protection against ROP attacks. This functionality is enabled with the v8_control_flow_integrity flag that this CL introduces. The code size effect of this change is small for Octane (up to 2% in some cases but mostly much lower) and negligible for larger benchmarks, however code size measurements are rather noisy. The performance impact on current cores (where the instructions are NOPs) is single digit, around 1-2% for ARES-6 and Octane, and tends to be smaller for big cores than for little cores. Bug: v8:10026 Change-Id: I0081f3938c56e2f24d8227e4640032749f4f8368 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1373782 Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#66239}
-
- 02 Jan, 2020 1 commit
-
-
Peter Marshall authored
Just a cleanup, should not change behavior, although we will allocate more handles in some cases. Also re-orders some of the implementations of the interface to try and keep things consistent. Included cleanup: Change CodeEventDispatcher so that it now implements CodeEventListener, given that it had that exact interface already. Also remove the macro dispatch to try and make things a bit easier to read. Bug: chromium:1033407 Change-Id: Id943b10c49f102d9783d8f4cf3a8c43e04364c77 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1976390Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#65571}
-
- 14 Nov, 2019 1 commit
-
-
Clemens Backes authored
This removes {CPURegister::Is} and {CPURegister::is}, and just uses {CPURegister::operator==} instead. Drive-by: Use DCHECK_EQ and DCHECK_NE where possible. R=mstarzinger@chromium.org Bug: v8:9810 Change-Id: I03aad8b4223bd4ae37d468326a734f7a5c3c8061 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1916202Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#64956}
-
- 22 Oct, 2019 1 commit
-
-
Jakob Gruber authored
This CL removes the V8_EMBEDDED_BUILTINS define, FLAG_embedded_builtins, and all code for supporting non-embedded-builtin builds. Bug: v8:6666,v8:8519 Change-Id: I2ad7bd6614c7cd404b83d3d2bf5ff91d7b55ff2a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1866569 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#64461}
-
- 21 Oct, 2019 1 commit
-
-
Jakob Gruber authored
.. similar to how it is applied in the interpreter. We reserve a stack slot for the backtrack count, increment it on each backtrack, and fail if the limit is hit. Bug: v8:9695 Change-Id: I835888c612d6c8bfa2f34e73ab8c8241dcabc6ed Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1864938Reviewed-by: Peter Marshall <petermarshall@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#64426}
-
- 16 Sep, 2019 1 commit
-
-
Jakob Kummerow authored
Bug: v8:3770,v8:9666 Change-Id: I7b7652887d6b60fbb80e1100834bc7c9df0544d8 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1792909 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Martyn Capewell <martyn.capewell@arm.com> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#63801}
-
- 04 Sep, 2019 1 commit
-
-
Patrick Thier authored
Instead of checking code flags to decide if the irregexp code object is an off-heap trampoline, we now directly load the builtin index offset and treat the code as on-heap if the offset is -1. In addition the regexp stack now has its own external reference for top of stack address. This prevents calculating the top of stack address using the base address and size at every invocation. Bug: chromium:999993 Change-Id: I23649e8b410a56276f26846b0b12ad29310c3db7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1782565Reviewed-by: Peter Marshall <petermarshall@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Patrick Thier <pthier@google.com> Cr-Commit-Position: refs/heads/master@{#63548}
-
- 29 Aug, 2019 2 commits
-
-
Patrick Thier authored
The code fields in a JSRegExp object now either contain irregexp compiled code or a trampoline to the interpreter. This way the code can be executed without explicitly checking if the regexp shall be interpreted or executed natively. In case of interpreted regexp the generated bytecode is now stored in its own fields instead of the code fields for Latin1 and UC16 respectively. The signatures of the jitted irregexp match and the regexp interpreter have been equalized. Bug: v8:9516 Change-Id: I30e3d86f4702a902d3387bccc1ee91dea501fe4e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762513 Commit-Queue: Patrick Thier <pthier@google.com> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#63457}
-
Jakob Gruber authored
Similar to CheckNotAtStart, one can now apply an offset to the CheckAtStart operation. Due to a recent change, all callsites of CheckNotAtStart now need to pass an offset, whereas previously the offset was just assumed to be zero. Bug: chromium:996391 Change-Id: Ia59a584e93e5384479f05abddef7859b420b023a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1773272 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Auto-Submit: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#63444}
-
- 13 Aug, 2019 1 commit
-
-
Jakob Gruber authored
Previously these were called (real) stack limit on one end, (real) jslimit on the other. With this CL we consistently use jslimit everywhere. Tbr: tebbi@chromium.org Bug: v8:9534 Change-Id: I9f86ac113bb9682544c365d54f666c1312a073a6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748738 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#63179}
-
- 25 Jul, 2019 1 commit
-
-
Seth Brenith authored
The motivating example is JetStream 2's UniPoker test, which tests whether a sorted string of Unicode playing cards contains a five-card straight using a regular expression. In the top-level generated loop for this RegExp, we see this loop exit condition: 00000350000C2067 27 83fffe cmpl rdi,0xfe 00000350000C206A 2a 0f8da8e40000 jge 00000350000D0518 <+0xe4d8> Meaning if the current position is pointing at the very last (16-bit) character, then we exit the loop. Otherwise we go on and try to find various matches starting at the current position. However, we can see in the original expression that any possible match is at least 10 characters (5 astral-plane Unicode values), so we're wasting a lot of time attempting to find matches in cases where we're too close to the end of the string for any match to succeed. This example might be a bit contrived, but I expect that an improvement in this bounds check would help a larger family of regular expressions, where the minimum match length is large relative to the string being matched and we don't meet the other necessary criteria for fast Boyer- Moore lookahead. To get the desired bounds check in this case, this patch does the following: 1. Compute accurate EatsAtLeast values for every node during the analysis phase. This could end up doing more work than the current implementation, but analysis already has to touch every node, so it seems like a cache-friendly time to compute these values. In some cases, this might be less total work than the current implementation, because the current implementation might recompute the same node multiple times. 2. When emitting a quick check, use the EatsAtLeast value from the predecessor ChoiceNode for the bounds check. This improves the UniPoker score on my machine by about 4%, because it cuts the time spent checking for straights roughly in half, and checking for straights originally accounted for about 8% of the total time. Bug: v8:9305 Change-Id: I110b190c2578f73b2263259d5aa5750e921b01be Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1702125 Commit-Queue: Seth Brenith <seth.brenith@microsoft.com> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#62919}
-
- 24 Jul, 2019 1 commit
-
-
Patrick Thier authored
This is a reland of c2ee4a79 Original change's description: > Reland "[regexp] Call the regexp interpreter without CEntry overhead" > > This is a reland of d4d28b73 > > Original change's description: > > [regexp] Call the regexp interpreter without CEntry overhead > > > > Previously all RegExp calls went through Runtime_RegExpExec when --regexp-interpret-all was set. > > > > This CL avoids the runtime overhead by calling into the interpreter directly from the RegExpExec Builtin when the regular expression subject was already compiled to ByteCode (i.e. after the first call). > > > > Bug: v8:8954 > > Change-Id: Iae9dfcef3370b772a05b2942305335d592f6f15a > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1698391 > > Commit-Queue: Patrick Thier <pthier@google.com> > > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > > Reviewed-by: Peter Marshall <petermarshall@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#62753} > > Bug: v8:8954 > Change-Id: I1f0b6de9c6da65bcb582ddb41a37419116a5c510 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1706053 > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > Commit-Queue: Patrick Thier <pthier@google.com> > Cr-Commit-Position: refs/heads/master@{#62794} Bug: v8:8954 Change-Id: Ice77c05240f1fabd36bf97b8e789dd4c25a9718f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1715451Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#62904}
-
- 19 Jul, 2019 1 commit
-
-
Sathya Gunasekaran authored
This reverts commit c2ee4a79. Reason for revert: webgl_conformance_tests deqp/data/gles2/shaders/conversions.html crashes on Android FYI Release (Nexus 9) See https://bugs.chromium.org/p/chromium/issues/detail?id=985624 Original change's description: > Reland "[regexp] Call the regexp interpreter without CEntry overhead" > > This is a reland of d4d28b73 > > Original change's description: > > [regexp] Call the regexp interpreter without CEntry overhead > > > > Previously all RegExp calls went through Runtime_RegExpExec when --regexp-interpret-all was set. > > > > This CL avoids the runtime overhead by calling into the interpreter directly from the RegExpExec Builtin when the regular expression subject was already compiled to ByteCode (i.e. after the first call). > > > > Bug: v8:8954 > > Change-Id: Iae9dfcef3370b772a05b2942305335d592f6f15a > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1698391 > > Commit-Queue: Patrick Thier <pthier@google.com> > > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > > Reviewed-by: Peter Marshall <petermarshall@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#62753} > > Bug: v8:8954 > Change-Id: I1f0b6de9c6da65bcb582ddb41a37419116a5c510 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1706053 > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > Commit-Queue: Patrick Thier <pthier@google.com> > Cr-Commit-Position: refs/heads/master@{#62794} TBR=jgruber@chromium.org,petermarshall@chromium.org,pthier@google.com # Not skipping CQ checks because original CL landed > 1 day ago. Bug: v8:8954, chromium:985624 Change-Id: I5bc2c397a09979f42f28670f80a5366f2a33d80f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709411 Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#62824}
-
- 18 Jul, 2019 1 commit
-
-
Patrick Thier authored
This is a reland of d4d28b73 Original change's description: > [regexp] Call the regexp interpreter without CEntry overhead > > Previously all RegExp calls went through Runtime_RegExpExec when --regexp-interpret-all was set. > > This CL avoids the runtime overhead by calling into the interpreter directly from the RegExpExec Builtin when the regular expression subject was already compiled to ByteCode (i.e. after the first call). > > Bug: v8:8954 > Change-Id: Iae9dfcef3370b772a05b2942305335d592f6f15a > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1698391 > Commit-Queue: Patrick Thier <pthier@google.com> > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > Reviewed-by: Peter Marshall <petermarshall@chromium.org> > Cr-Commit-Position: refs/heads/master@{#62753} Bug: v8:8954 Change-Id: I1f0b6de9c6da65bcb582ddb41a37419116a5c510 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1706053Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Patrick Thier <pthier@google.com> Cr-Commit-Position: refs/heads/master@{#62794}
-
- 17 Jul, 2019 2 commits
-
-
Sathya Gunasekaran authored
This reverts commit d4d28b73. Reason for revert: breaks TSAN bot: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20concurrent%20marking/9526 Original change's description: > [regexp] Call the regexp interpreter without CEntry overhead > > Previously all RegExp calls went through Runtime_RegExpExec when --regexp-interpret-all was set. > > This CL avoids the runtime overhead by calling into the interpreter directly from the RegExpExec Builtin when the regular expression subject was already compiled to ByteCode (i.e. after the first call). > > Bug: v8:8954 > Change-Id: Iae9dfcef3370b772a05b2942305335d592f6f15a > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1698391 > Commit-Queue: Patrick Thier <pthier@google.com> > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > Reviewed-by: Peter Marshall <petermarshall@chromium.org> > Cr-Commit-Position: refs/heads/master@{#62753} TBR=jgruber@chromium.org,petermarshall@chromium.org,pthier@google.com Change-Id: I3257220c4359a3b801dd80e0eff6c4534d8badee No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:8954 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1706050Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#62757}
-
Patrick Thier authored
Previously all RegExp calls went through Runtime_RegExpExec when --regexp-interpret-all was set. This CL avoids the runtime overhead by calling into the interpreter directly from the RegExpExec Builtin when the regular expression subject was already compiled to ByteCode (i.e. after the first call). Bug: v8:8954 Change-Id: Iae9dfcef3370b772a05b2942305335d592f6f15a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1698391 Commit-Queue: Patrick Thier <pthier@google.com> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#62753}
-