Skip to content

V
V8
Switch branch/tag
  1. 18 May, 2018 1 commit
  3. 09 May, 2018 1 commit
  5. 08 May, 2018 1 commit
  7. 02 May, 2018 1 commit
  9. 30 Apr, 2018 1 commit
    • Jaroslav Sevcik's avatar
      Replace array index masking with the poisoning approach. · f53dfd93
      Jaroslav Sevcik authored 
      The idea is to mark all the branches and loads participating in array
bounds checks, and let them contribute-to/use the poisoning register.
In the code, the marks for array indexing operations now contain
"Critical" in their name. By default (--untrusted-code-mitigations),
we only instrument the "critical" operations with poisoning.

With that in place, we also remove the array masking approach based
on arithmetic.

Since we do not propagate the poison through function calls,
we introduce a node for poisoning an index that is passed through
function call - the typical example is the bounds-checked index
that is passed to the CharCodeAt builtin.

Most of the code in this CL is threads through the three levels of
protection (safe, critical, unsafe) for loads, branches and flags.

Bug: chromium:798964

Change-Id: Ief68e2329528277b3ba9156115b2a6dcc540d52b
Reviewed-on: https://chromium-review.googlesource.com/995413
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52883}
      f53dfd93
  11. 26 Apr, 2018 4 commits
  13. 25 Apr, 2018 1 commit
    • Andreas Haas's avatar
      Reland: [refactoring] Remove the isolate from signatures of ExternalReferences · 2a3c2c73
      Andreas Haas authored 
      I missed one required change which was hidden behind an #if. The fix is in
the diff between Patch 1 and Patch 3.

Original message:
In this CL I remove the isolate from signatures of ExternalReference
accessor functions where the isolate is not used. The uses of the
isolate were already removed in previous CLs.

Changes:
* I split the ExternalReference list in external-reference.h into
those which need the isolate for initialization and those which do not.

* I removed the public constructors and replaced them by
  ExternalReference::Create(). The reason is to separate external
  creation more clearly from internal creation, because externally
  created ExternalReferences sometimes need redirection, whereas
  internally created ExternalReferences are just stored as they are.
  In addition, by removing the isolate from the signature of the
  public constructors, they suddenly exactly matched the interal
  constructor.

* Replace all uses of the public constructors with
  ExternalReference::Create().

* Remove the isolate from all call sites where necessary.


This is a step towards making WebAssembly compilation independent of
the isolate.

R=mstarzinger@chromium.org

Bug: v8:7570
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I750c162f5d58ed32e866722b0db920f8b9bd8057
Reviewed-on: https://chromium-review.googlesource.com/1026673Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52777}
      2a3c2c73
  15. 24 Apr, 2018 2 commits
    • Andreas Haas's avatar
      Revert "[refactoring] Remove the isolate from signatures of ExternalReferences" · 7bfed2ad
      Andreas Haas authored 
      This reverts commit 44ea425a.

Reason for revert: https://ci.chromium.org/buildbot/client.v8.ports/V8%20Arm%20-%20debug%20builder/13575

Original change's description:
> [refactoring] Remove the isolate from signatures of ExternalReferences
> 
> In this CL I remove the isolate from signatures of ExternalReference
> accessor functions where the isolate is not used. The uses of the
> isolate were already removed in previous CLs.
> 
> Changes:
> * I split the ExternalReference list in external-reference.h into
> those which need the isolate for initialization and those which do not.
> 
> * I removed the public constructors and replaced them by
>   ExternalReference::Create(). The reason is to separate external
>   creation more clearly from internal creation, because externally
>   created ExternalReferences sometimes need redirection, whereas
>   internally created ExternalReferences are just stored as they are.
>   In addition, by removing the isolate from the signature of the
>   public constructors, they suddenly exactly matched the interal
>   constructor.
> 
> * Replace all uses of the public constructors with
>   ExternalReference::Create().
> 
> * Remove the isolate from all call sites where necessary.
> 
> 
> This is a step towards making WebAssembly compilation independent of
> the isolate.
> 
> Bug: v8:7570
> R=​mstarzinger@chromium.org
> 
> Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
> Change-Id: I14f511fc6acc50ab2d6a6641299f5ddbeabef0da
> Reviewed-on: https://chromium-review.googlesource.com/1018982
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#52768}

TBR=mstarzinger@chromium.org,ahaas@chromium.org

Change-Id: I7c0d8d420f815cede23d550dee8942ac4d7791cc
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7570
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/1026570Reviewed-by: 's avatarAndreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52769}
      7bfed2ad
    • Andreas Haas's avatar
      [refactoring] Remove the isolate from signatures of ExternalReferences · 44ea425a
      Andreas Haas authored 
      In this CL I remove the isolate from signatures of ExternalReference
accessor functions where the isolate is not used. The uses of the
isolate were already removed in previous CLs.

Changes:
* I split the ExternalReference list in external-reference.h into
those which need the isolate for initialization and those which do not.

* I removed the public constructors and replaced them by
  ExternalReference::Create(). The reason is to separate external
  creation more clearly from internal creation, because externally
  created ExternalReferences sometimes need redirection, whereas
  internally created ExternalReferences are just stored as they are.
  In addition, by removing the isolate from the signature of the
  public constructors, they suddenly exactly matched the interal
  constructor.

* Replace all uses of the public constructors with
  ExternalReference::Create().

* Remove the isolate from all call sites where necessary.


This is a step towards making WebAssembly compilation independent of
the isolate.

Bug: v8:7570
R=mstarzinger@chromium.org

Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I14f511fc6acc50ab2d6a6641299f5ddbeabef0da
Reviewed-on: https://chromium-review.googlesource.com/1018982
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52768}
      44ea425a
  17. 17 Apr, 2018 1 commit
  19. 16 Apr, 2018 2 commits
  21. 14 Apr, 2018 1 commit
    • Jakob Kummerow's avatar
      [ubsan] Change Address typedef to uintptr_t · 2459046c
      Jakob Kummerow authored 
      The "Address" type is V8's general-purpose type for manipulating memory
addresses. Per the C++ spec, pointer arithmetic and pointer comparisons
are undefined behavior except within the same array; since we generally
don't operate within a C++ array, our general-purpose type shouldn't be
a pointer type.

Bug: v8:3770
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ib96016c24a0f18bcdba916dabd83e3f24a1b5779
Reviewed-on: https://chromium-review.googlesource.com/988657
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: 's avatarLeszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52601}
      2459046c
  23. 13 Apr, 2018 2 commits
    • Ivica Bogosavljevic's avatar
      MIPS[64]: Fix register overwrite in ShiftPair instructions · fcb8061e
      Ivica Bogosavljevic authored 
      This patch fixes register overwrite in ShrPair, ShlPair and SarPair
instructions. Additionally, we rename kLithiumScratch register
register since lithium is not present anymore.

Change-Id: I65861c4f27d2161bcf49cf02ca8987eb82c997ea
Reviewed-on: https://chromium-review.googlesource.com/1012110Reviewed-by: 's avatarSreten Kovacevic <sreten.kovacevic@mips.com>
Commit-Queue: Sreten Kovacevic <sreten.kovacevic@mips.com>
Cr-Commit-Position: refs/heads/master@{#52593}
      fcb8061e
    • jgruber's avatar
      [stubs] Convert DoubleToIStub and MathPowStub to builtins · a3b60675
      jgruber authored 
      This is mostly a simple copy & paste of the stub implementation from
code-stubs-arch.cc to builtins-arch.cc.

The conversion allows removal of a special case for the DoubleToIStub
within the compiler & wasm pipelines, and also makes the following
builtins isolate-independent (in conjunction with
https://crrev.com/c/1006581):

TFC BitwiseAnd
TFC BitwiseOr
TFC BitwiseXor
TFC Exponentiate
TFC ShiftLeft
TFC ShiftRight
TFC ShiftRightLogical
TFJ AtomicsAdd
TFJ AtomicsAnd
TFJ AtomicsCompareExchange
TFJ AtomicsExchange
TFJ AtomicsLoad
TFJ AtomicsOr
TFJ AtomicsStore
TFJ AtomicsSub
TFJ AtomicsXor
TFJ MathClz32
TFJ MathImul
TFJ MathPow
TFJ NumberParseInt
TFJ StringFromCharCode
TFJ TypedArrayFrom
TFJ TypedArrayOf
TFJ TypedArrayPrototypeMap

Drive-by: dead code removal & TODOs in code-stubs.h.

Bug: v8:6666
Change-Id: I763cba2242bcadc2d130b0aaa16a9787212b466a
Reviewed-on: https://chromium-review.googlesource.com/1012024
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52591}
      a3b60675
  25. 12 Apr, 2018 1 commit
  27. 11 Apr, 2018 1 commit
  29. 04 Apr, 2018 1 commit
  31. 03 Apr, 2018 1 commit
  33. 27 Mar, 2018 2 commits
  35. 21 Mar, 2018 1 commit
    • Mike Stanton's avatar
      [turbofan] Masking/poisoning in codegen (optimized code, mips & mips64) · 1177f703
      Mike Stanton authored 
      This introduces masking of loads with speculation bit during code generation.
At the moment, this is done only under the
--branch-load-poisoning flag, and this CL enlarges the set of supported
platforms from {x64, arm, arm64} to {x64, arm, arm64, mips, mips64}.

Overview of changes:
- new register configuration configuration with one register reserved for
  the speculation poison/mask (kSpeculationPoisonRegister).
- in codegen, we introduce an update to the poison register at the starts
  of all successors of branches (and deopts) that are marked as safety
  branches (deopts).
- in memory optimizer, we lower all field and element loads to PoisonedLoads.
- poisoned loads are then masked in codegen with the poison register.
  (In this CL, this last step is left as a TODO. You can run with the flag,
   though mitigations will just not be effective at this time).
  * only integer loads are masked at the moment.

TBR=mstarzinger@chromium.org

Change-Id: Ie6eb8719bf85d49c03b4a28e2f054480195a1471
Reviewed-on: https://chromium-review.googlesource.com/973616
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
Reviewed-by: 's avatarMichael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52123}
      1177f703
  37. 20 Mar, 2018 1 commit
  39. 19 Mar, 2018 2 commits
    • Michael Stanton's avatar
      Revert "[turbofan] Masking/poisoning in codegen (optimized code, mips & mips64)" · 11831378
      Michael Stanton authored 
      This reverts commit 46a3c772.

Reason for revert: This is actually not quite ready. What we need is a speculation free poisoning, and if we do another branch, then I think that won't happen.

Original change's description:
> [turbofan] Masking/poisoning in codegen (optimized code, mips & mips64)
> 
> This introduces masking of loads with speculation bit during code generation.
> At the moment, this is done only under the
> --branch-load-poisoning flag, and this CL enlarges the set of supported
> platforms from {x64, arm, arm64} to {x64, arm, arm64, mips, mips64}.
> 
> Overview of changes:
> - new register configuration configuration with one register reserved for
>   the speculation poison/mask (kSpeculationPoisonRegister).
> - in codegen, we introduce an update to the poison register at the starts
>   of all successors of branches (and deopts) that are marked as safety
>   branches (deopts).
> - in memory optimizer, we lower all field and element loads to PoisonedLoads.
> - poisoned loads are then masked in codegen with the poison register.
>   * only integer loads are masked at the moment.
> 
> Bug: chromium:798964
> Change-Id: I211395b8305ed0ad9288d6da48fa159fa970c827
> Reviewed-on: https://chromium-review.googlesource.com/951382
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
> Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
> Cr-Commit-Position: refs/heads/master@{#52042}

TBR=mvstanton@chromium.org,mstarzinger@chromium.org,ivica.bogosavljevic@mips.com

Change-Id: Ief4d9ef56d918172f0b545d321a64b1ab5b46915
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:798964
Reviewed-on: https://chromium-review.googlesource.com/969041Reviewed-by: 's avatarMichael Stanton <mvstanton@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52045}
      11831378
    • Mike Stanton's avatar
      [turbofan] Masking/poisoning in codegen (optimized code, mips & mips64) · 46a3c772
      Mike Stanton authored 
      This introduces masking of loads with speculation bit during code generation.
At the moment, this is done only under the
--branch-load-poisoning flag, and this CL enlarges the set of supported
platforms from {x64, arm, arm64} to {x64, arm, arm64, mips, mips64}.

Overview of changes:
- new register configuration configuration with one register reserved for
  the speculation poison/mask (kSpeculationPoisonRegister).
- in codegen, we introduce an update to the poison register at the starts
  of all successors of branches (and deopts) that are marked as safety
  branches (deopts).
- in memory optimizer, we lower all field and element loads to PoisonedLoads.
- poisoned loads are then masked in codegen with the poison register.
  * only integer loads are masked at the moment.

Bug: chromium:798964
Change-Id: I211395b8305ed0ad9288d6da48fa159fa970c827
Reviewed-on: https://chromium-review.googlesource.com/951382Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
Reviewed-by: 's avatarIvica Bogosavljevic <ivica.bogosavljevic@mips.com>
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Cr-Commit-Position: refs/heads/master@{#52042}
      46a3c772
  41. 16 Mar, 2018 1 commit
  43. 09 Mar, 2018 1 commit
  45. 08 Mar, 2018 1 commit
    • Tobias Tebbi's avatar
      [turbofan] [cleanup] remove UnalignedLoadRepresentation · 501f250c
      Tobias Tebbi authored 
      UnalignedLoad is the only kind of load operation that defines its own
UnalignedLoadRepresentation type alias and LoadRepresentationOf function.
This is a problem because it means we cannot use the LOAD_MATCHER
infrastructure without defining all of this boilerplate for all the other
kinds of load operations. Since these aliases serve no real purpose,
it is best to unify UnalignedLoad to how its peers are handled.

Change-Id: I51a591eb82fb85edee66512136b23276e851f767
Reviewed-on: https://chromium-review.googlesource.com/951683
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51802}
      501f250c
  47. 07 Mar, 2018 1 commit
  49. 06 Mar, 2018 1 commit
  51. 05 Mar, 2018 2 commits
  53. 02 Mar, 2018 3 commits
  55. 26 Feb, 2018 1 commit
  57. 23 Feb, 2018 1 commit