1. 12 Aug, 2021 1 commit
  2. 23 Mar, 2021 1 commit
    • [turbofan] Introduce LoadImmutable, use it in wasm compiler · f6ee9ed0
      Manos Koukoutos authored
      LoadImmutable represents a load from a position in memory that is known
      to be immutable, e.g. an immutable IsolateRoot or an immutable field of
      a WasmInstanceObject. Because the returned value cannot change through
      the execution of a function, LoadImmutable is a pure operator and does
      not have effect or control edges.
      This will allow more aggressive optimizations of loads of fields of
      the Isolate and Instance that are known to be immutable.
      Requires that the memory in question has been initialized at function
      start even through inlining.
      
      Note: We may reconsider this approach once we have escape analysis for
      wasm, and replace it with immutable load/initialize operators that live
      inside the effect chain and are less restricted.
      
      Bug: v8:11510
      Change-Id: I5e8e4f27d7008f39f01175ffa95a9c531ba63e66
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2775568
      Reviewed-by: Andreas Haas <ahaas@chromium.org>
      Reviewed-by: Georg Neis <neis@chromium.org>
      Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#73594}
  3. 08 Mar, 2021 1 commit
  4. 26 Feb, 2021 1 commit
  5. 29 Apr, 2020 1 commit
    • Reland "Reland "[turbofan][csa] optimize Smi untagging better"" · 9e9cd5df
      Tobias Tebbi authored
      This is a reland of 43b885a8
      This fixes another signed overflow in the unit test.
      
      Original change's description:
      > Reland "[turbofan][csa] optimize Smi untagging better"
      >
      > This is a reland of ff22ae80
      >
      > Original change's description:
      > > [turbofan][csa] optimize Smi untagging better
      > >
      > > - Introduce new operator variants for signed right-shifts with the
      > >   additional information that they always shift out zeros.
      > > - Use these new operators for Smi untagging.
      > > - Merge left-shifts with a preceding Smi-untagging shift.
      > > - Optimize comparisons of Smi-untagging shifts to operate on the
      > >   unshifted word.
      > > - Optimize 64bit comparisons of values expanded from 32bit to use
      > >   a 32bit comparison instead.
      > > - Change CodeStubAssembler::UntagSmi to first sign-extend and then
      > >   right-shift to enable better address computations for Smi indices.
      > >
      > > Bug: v8:9962
      > > Change-Id: If91300f365e8f01457aebf0bd43bdf88b305c460
      > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2135734
      > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > Reviewed-by: Georg Neis <neis@chromium.org>
      > > Cr-Commit-Position: refs/heads/master@{#67378}
      >
      > Bug: v8:9962
      > Change-Id: Ieab0755806c95fb50022eb17596fb0c95f36004c
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170001
      > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > Commit-Queue: Georg Neis <neis@chromium.org>
      > Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
      > Reviewed-by: Georg Neis <neis@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#67430}
      
      Bug: v8:9962
      TBR: neis@chromium.org
      Change-Id: I79883db546bf37873b3727b8023ef688507091d9
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2169103
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Reviewed-by: Georg Neis <neis@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67464}
  6. 28 Apr, 2020 2 commits
    • Revert "Reland "[turbofan][csa] optimize Smi untagging better"" · bef5b85d
      Clemens Backes authored
      This reverts commit 43b885a8.
      
      Reason for revert: Still fails on UBSan: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20UBSan/10873
      
      Original change's description:
      > Reland "[turbofan][csa] optimize Smi untagging better"
      > 
      > This is a reland of ff22ae80
      > 
      > Original change's description:
      > > [turbofan][csa] optimize Smi untagging better
      > > 
      > > - Introduce new operator variants for signed right-shifts with the
      > >   additional information that they always shift out zeros.
      > > - Use these new operators for Smi untagging.
      > > - Merge left-shifts with a preceding Smi-untagging shift.
      > > - Optimize comparisons of Smi-untagging shifts to operate on the
      > >   unshifted word.
      > > - Optimize 64bit comparisons of values expanded from 32bit to use
      > >   a 32bit comparison instead.
      > > - Change CodeStubAssembler::UntagSmi to first sign-extend and then
      > >   right-shift to enable better address computations for Smi indices.
      > > 
      > > Bug: v8:9962
      > > Change-Id: If91300f365e8f01457aebf0bd43bdf88b305c460
      > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2135734
      > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > Reviewed-by: Georg Neis <neis@chromium.org>
      > > Cr-Commit-Position: refs/heads/master@{#67378}
      > 
      > Bug: v8:9962
      > Change-Id: Ieab0755806c95fb50022eb17596fb0c95f36004c
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170001
      > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > Commit-Queue: Georg Neis <neis@chromium.org>
      > Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
      > Reviewed-by: Georg Neis <neis@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#67430}
      
      TBR=neis@chromium.org,tebbi@chromium.org
      
      Change-Id: I49e19811ebcecb846f61291bc0c4a0d8b0bc4cff
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: v8:9962
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2168876
      Reviewed-by: Clemens Backes <clemensb@chromium.org>
      Commit-Queue: Clemens Backes <clemensb@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67431}
    • Reland "[turbofan][csa] optimize Smi untagging better" · 43b885a8
      Tobias Tebbi authored
      This is a reland of ff22ae80
      
      Original change's description:
      > [turbofan][csa] optimize Smi untagging better
      > 
      > - Introduce new operator variants for signed right-shifts with the
      >   additional information that they always shift out zeros.
      > - Use these new operators for Smi untagging.
      > - Merge left-shifts with a preceding Smi-untagging shift.
      > - Optimize comparisons of Smi-untagging shifts to operate on the
      >   unshifted word.
      > - Optimize 64bit comparisons of values expanded from 32bit to use
      >   a 32bit comparison instead.
      > - Change CodeStubAssembler::UntagSmi to first sign-extend and then
      >   right-shift to enable better address computations for Smi indices.
      > 
      > Bug: v8:9962
      > Change-Id: If91300f365e8f01457aebf0bd43bdf88b305c460
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2135734
      > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > Reviewed-by: Georg Neis <neis@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#67378}
      
      Bug: v8:9962
      Change-Id: Ieab0755806c95fb50022eb17596fb0c95f36004c
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170001
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Commit-Queue: Georg Neis <neis@chromium.org>
      Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
      Reviewed-by: Georg Neis <neis@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67430}
  7. 24 Apr, 2020 2 commits
    • Revert "[turbofan][csa] optimize Smi untagging better" · cdea7999
      Bill Budge authored
      This reverts commit ff22ae80.
      
      Reason for revert: new test fails on UBSAN
      https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20UBSan/10831
      
      Original change's description:
      > [turbofan][csa] optimize Smi untagging better
      > 
      > - Introduce new operator variants for signed right-shifts with the
      >   additional information that they always shift out zeros.
      > - Use these new operators for Smi untagging.
      > - Merge left-shifts with a preceding Smi-untagging shift.
      > - Optimize comparisons of Smi-untagging shifts to operate on the
      >   unshifted word.
      > - Optimize 64bit comparisons of values expanded from 32bit to use
      >   a 32bit comparison instead.
      > - Change CodeStubAssembler::UntagSmi to first sign-extend and then
      >   right-shift to enable better address computations for Smi indices.
      > 
      > Bug: v8:9962
      > Change-Id: If91300f365e8f01457aebf0bd43bdf88b305c460
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2135734
      > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > Reviewed-by: Georg Neis <neis@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#67378}
      
      TBR=neis@chromium.org,tebbi@chromium.org
      
      Change-Id: I2617d7a44e5ae33fd79322d37c8b722c00162d22
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: v8:9962
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2165873
      Reviewed-by: Bill Budge <bbudge@chromium.org>
      Commit-Queue: Bill Budge <bbudge@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67380}
    • [turbofan][csa] optimize Smi untagging better · ff22ae80
      Tobias Tebbi authored
      - Introduce new operator variants for signed right-shifts with the
        additional information that they always shift out zeros.
      - Use these new operators for Smi untagging.
      - Merge left-shifts with a preceding Smi-untagging shift.
      - Optimize comparisons of Smi-untagging shifts to operate on the
        unshifted word.
      - Optimize 64bit comparisons of values expanded from 32bit to use
        a 32bit comparison instead.
      - Change CodeStubAssembler::UntagSmi to first sign-extend and then
        right-shift to enable better address computations for Smi indices.
      
      Bug: v8:9962
      Change-Id: If91300f365e8f01457aebf0bd43bdf88b305c460
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2135734
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Reviewed-by: Georg Neis <neis@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67378}
  8. 03 Apr, 2020 1 commit
    • [TurboProp] Remove unreachable successor basic blocks from schedule. · 4a2ef63c
      Ross McIlroy authored
      Effect-control-linearizer will update a basic block to connect it
      directly to the end node if it has an Unreachable node. Usually the
      block would already have been connected directly to end (via a Throw
      node) already, however in some cases it can be connected indirectly
      (via a branch, where both end in a throw node).
      
      If this happens, and the Effect-control-linearizer is maintaining the
      schedule (e.g., for TurboProp), it will cause the end block to have
      unreachable predecessor blocks, which can cause issues with the
      register allocator.
      
      To fix this, have the BasicBlockUpdater remove all successor blocks
      from the schedule, when they become Unreachable. Also add some tests
      to cover this in effect-control-linearizer-unittests.
      
      BUG=v8:10332,v8:9684
      
      Change-Id: Ibce140e6d1f61751a86247e6f8c36075723a1e55
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2120537
      Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
      Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#66994}
  9. 11 Nov, 2019 1 commit
  10. 19 Aug, 2019 2 commits
    • Reland "[CSA][cleanup] TNodify some methods related to prototype and property lookup" · 007cbd2c
      Santiago Aboy Solanes authored
      This is a reland of 82111e22
      
      Relanding since we now have more shards:
      https://chromium-review.googlesource.com/c/v8/v8/+/1760810
      
      Original change's description:
      > [CSA][cleanup] TNodify some methods related to prototype and property lookup
      >
      > This is a CL in a string of CLs that aims to TNodify CSA. In particular,
      > there were some loads that were done in AnyTagged instead of
      > TaggedPointer. TNode-ifying them brings improvement in pointer
      > compression since we are able to decompress using the Pointer
      > decompression.
      >
      > TNodified:
      >  * LoadJSFunctionPrototype
      >  * TryPrototypeChainLookup
      >  * OrdinaryHasInstance
      >
      > Also TNodified loads regarding:
      >  * FeedbackCell::kValueOffset
      >  * HeapObject::kMapOffset
      >  * JSFunction::kSharedFunctionInfoOffset
      >  * JSFunction::kFeedbackCellOffset
      >  * Map::kInstanceTypeOffset
      >  * Map::kInstanceDescriptorsOffset
      >  * Map::kPrototypeOffset
      >
      > Drive-by cleanup: StoreJSArrayLength and StoreElements were unused.
      >
      > Bug: v8:6949, v8:9396
      > Change-Id: I89697b5c02490906be1eee63cf3d9e60a1094d48
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1755844
      > Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
      > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#63216}
      
      Bug: v8:6949, v8:9396
      Change-Id: I040aefcf8af60611f7b3c24f3bd5c661e03b6ada
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1760811
      Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
      Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63249}
    • Revert "[CSA][cleanup] TNodify some methods related to prototype and property lookup" · 3a7a4a2f
      Maya Lekova authored
      This reverts commit 82111e22.
      
      Reason for revert: Speculative revert, could be causing timeouts - https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm%20-%20sim%20-%20debug/17567
      
      Original change's description:
      > [CSA][cleanup] TNodify some methods related to prototype and property lookup
      > 
      > This is a CL in a string of CLs that aims to TNodify CSA. In particular,
      > there were some loads that were done in AnyTagged instead of
      > TaggedPointer. TNode-ifying them brings improvement in pointer
      > compression since we are able to decompress using the Pointer
      > decompression.
      > 
      > TNodified:
      >  * LoadJSFunctionPrototype
      >  * TryPrototypeChainLookup
      >  * OrdinaryHasInstance
      > 
      > Also TNodified loads regarding:
      >  * FeedbackCell::kValueOffset
      >  * HeapObject::kMapOffset
      >  * JSFunction::kSharedFunctionInfoOffset
      >  * JSFunction::kFeedbackCellOffset
      >  * Map::kInstanceTypeOffset
      >  * Map::kInstanceDescriptorsOffset
      >  * Map::kPrototypeOffset
      > 
      > Drive-by cleanup: StoreJSArrayLength and StoreElements were unused.
      > 
      > Bug: v8:6949, v8:9396
      > Change-Id: I89697b5c02490906be1eee63cf3d9e60a1094d48
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1755844
      > Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
      > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#63216}
      
      TBR=rmcilroy@chromium.org,solanes@chromium.org
      
      # Not skipping CQ checks because original CL landed > 1 day ago.
      
      Bug: v8:6949, v8:9396
      Change-Id: Ib6ae8fe86a598ed1066894595565e1162cf7dd1f
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758310
      Reviewed-by: Maya Lekova <mslekova@chromium.org>
      Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
      Commit-Queue: Maya Lekova <mslekova@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63233}
  11. 15 Aug, 2019 1 commit
    • [CSA][cleanup] TNodify some methods related to prototype and property lookup · 82111e22
      Santiago Aboy Solanes authored
      This is a CL in a string of CLs that aims to TNodify CSA. In particular,
      there were some loads that were done in AnyTagged instead of
      TaggedPointer. TNode-ifying them brings improvement in pointer
      compression since we are able to decompress using the Pointer
      decompression.
      
      TNodified:
       * LoadJSFunctionPrototype
       * TryPrototypeChainLookup
       * OrdinaryHasInstance
      
      Also TNodified loads regarding:
       * FeedbackCell::kValueOffset
       * HeapObject::kMapOffset
       * JSFunction::kSharedFunctionInfoOffset
       * JSFunction::kFeedbackCellOffset
       * Map::kInstanceTypeOffset
       * Map::kInstanceDescriptorsOffset
       * Map::kPrototypeOffset
      
      Drive-by cleanup: StoreJSArrayLength and StoreElements were unused.
      
      Bug: v8:6949, v8:9396
      Change-Id: I89697b5c02490906be1eee63cf3d9e60a1094d48
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1755844
      Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
      Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63216}
  12. 17 Jun, 2019 1 commit
  13. 14 Jun, 2019 2 commits
  14. 23 May, 2019 2 commits
  15. 16 Apr, 2019 1 commit
  16. 13 Feb, 2019 1 commit
  17. 12 Dec, 2018 1 commit
  18. 13 Nov, 2018 1 commit
  19. 19 Oct, 2018 1 commit
  20. 18 Oct, 2018 1 commit
  21. 07 Oct, 2018 1 commit
    • [turbofan] Eliminate redundant Smi checks around array accesses. · bcdede0c
      Benedikt Meurer authored
      As identified in the web-tooling-benchmark, there are specific code
      patterns involving array indexed property accesses and subsequent
      comparisons of those indices that lead to repeated Smi checks in the
      optimized code, which in turn leads to high register pressure and
      generally bad register allocation. An example of this pattern is
      code like this:
      
      ```js
      function f(a, n) {
        const i = a[n];
        if (n >= 1) return i;
      }
      ```
      
      The `a[n]` property access introduces a CheckBounds on `n`, which
      later lowers to a `CheckedTaggedToInt32[dont-check-minus-zero]`,
      however the `n >= 1` comparison has collected `SignedSmall` feedback
      and so it introduces a `CheckedTaggedToTaggedSigned` operation. This
      second Smi check is redundant and cannot easily be combined with the
      earlier tagged->int32 conversion, since that also deals with heap
      numbers and even truncates -0 to 0.
      
      So we teach the RedundancyElimination to look at the inputs of these
      speculative number comparisons and if there's a leading bounds check
      on either of these inputs, we change the input to the result of the
      bounds check. This avoids the redundant Smi checks later and generally
      allows the SimplifiedLowering to do a significantly better job on the
      number comparisons. We only do this in case of SignedSmall feedback
      and only for inputs that are not already known to be in UnsignedSmall
      range, to avoid doing too many (unnecessary) expensive lookups during
      RedundancyElimination.
      
      All of this is safe despite the fact that CheckBounds truncates -0
      to 0, since the regular number comparisons in JavaScript identify
      0 and -0 (unlike Object.is()). This also adds appropriate tests,
      especially for the interesting cases where -0 is used only after
      the code was optimized.
      
      Bug: v8:6936, v8:7094
      Change-Id: Ie37114fb6192e941ae1a4f0bfe00e9c0a8305c07
      Reviewed-on: https://chromium-review.googlesource.com/c/1246181
      Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#56428}
  22. 20 Sep, 2018 1 commit
  23. 14 Sep, 2018 1 commit
  24. 07 Sep, 2018 1 commit
    • [turbofan] Introduce a pure StringConcat operator. · e56b6d24
      Benedikt Meurer authored
      This replaces the previous CheckStringAdd operator which deopts in case
      the combined length overflows with a dedicated pure StringConcat operator.
      This operator is similar to NewConsString in that it takes the resulting
      length plus the two input strings. The operator relies on the length
      being checked explicitly by the surrounding code instead of baking the
      check into the operator itself. This way TurboFan can eliminate
      redundant/unnecessary StringConcat operations, since they are pure now.
      
      This also unifies the treatment of string addition in JSTypedLowering,
      and generalizes the StringLength constant-folding to apply to more cases
      not just the JSAdd cases inside JSTypedLowering.
      
      Bug: v8:7902, v8:8015
      Change-Id: I987ec39815a9464fd5fd9c4f7b26b709f94f2b3f
      Reviewed-on: https://chromium-review.googlesource.com/1213205
      Reviewed-by: Maya Lekova <mslekova@chromium.org>
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#55725}
  25. 29 Aug, 2018 1 commit
    • [turbofan] Introduce a CheckStringAdd node instead of cons string lowering · 6a7872b7
      Maya Lekova authored
      The new node is introduced for literal string addition and calling
      String.prototype.concat in the typed lowering phase. It later might get optimized
      away during redundancy elimination, keeping the performance of already existing
      benchmarks with string addition. In case the operation is about to throw
      (due to too long string being constructed) we just deoptimize, reusing
      the interpreter logic for creating the error.
      
      Modify relevant mjsunit and unit tests for string concatenation.
      
      Bug: v8:7902
      Change-Id: Ie97d39534df4480fa8d4fe3ba276d02ed5e750e3
      Reviewed-on: https://chromium-review.googlesource.com/1193342
      Commit-Queue: Maya Lekova <mslekova@chromium.org>
      Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#55482}
  26. 30 Apr, 2018 1 commit
    • Replace array index masking with the poisoning approach. · f53dfd93
      Jaroslav Sevcik authored
      The idea is to mark all the branches and loads participating in array
      bounds checks, and let them contribute-to/use the poisoning register.
      In the code, the marks for array indexing operations now contain
      "Critical" in their name. By default (--untrusted-code-mitigations),
      we only instrument the "critical" operations with poisoning.
      
      With that in place, we also remove the array masking approach based
      on arithmetic.
      
      Since we do not propagate the poison through function calls,
      we introduce a node for poisoning an index that is passed through
      function call - the typical example is the bounds-checked index
      that is passed to the CharCodeAt builtin.
      
      Most of the code in this CL threads through the three levels of
      protection (safe, critical, unsafe) for loads, branches and flags.
      
      Bug: chromium:798964
      
      Change-Id: Ief68e2329528277b3ba9156115b2a6dcc540d52b
      Reviewed-on: https://chromium-review.googlesource.com/995413
      Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
      Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#52883}
  27. 28 Apr, 2018 1 commit
  28. 26 Apr, 2018 1 commit
  29. 23 Apr, 2018 1 commit
  30. 27 Mar, 2018 1 commit
    • [turbofan] unify interpreter and JIT speculation poisoning · 1ef6c437
      Tobias Tebbi authored
      This CL changes the poisoning in the interpreter to use the
      infrastructure used in the JIT.
      
      This does not change the original flag semantics:
      
      --branch-load-poisoning enables JIT mitigations as before.
      
      --untrusted-code-mitigation enables the interpreter mitigations
        (now realized using the compiler back-end), but does not enable
        the back-end based mitigations for the Javascript JIT. So in effect
        --untrusted-code-mitigation makes the CSA pipeline for bytecode handlers
        use the same mechanics (including changed register allocation) that
        --branch-load-poisoning enables for the JIT.
      
      Bug: chromium:798964
      Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
      Change-Id: If7f6852ae44e32e6e0ad508e9237f24dec7e5b27
      Reviewed-on: https://chromium-review.googlesource.com/928881
      Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
      Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#52243}
  31. 23 Mar, 2018 1 commit
  32. 21 Mar, 2018 2 commits
  33. 16 Mar, 2018 2 commits