1. 13 Apr, 2022 1 commit
  2. 29 Mar, 2022 1 commit
  3. 23 Mar, 2022 1 commit
  4. 14 Jan, 2022 1 commit
    • [sandbox] Improve sandboxed pointer support · 549ee6f3
      Samuel Groß authored
      This CL removes the global IsValidBackingStorePointer function and turns
      the DCHECKs that ensure that sandboxed pointers point into the sandbox,
      which essentially cover the same condition, into CHECKs. This is mostly
      to facilitate debugging during the initial rollout, and the CHECKs can
      later be turned back into DCHECKs.
      
      In addition, this CL adds a fallback to a partially-reserved sandbox
      when sandboxed pointers are enabled and when the regular initialization
      fails.
      
      Bug: chromium:1218005
      Change-Id: I75526f1a00ddb9095ae0e797dc9bb80a210f867b
      Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3367617
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Commit-Queue: Samuel Groß <saelo@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#78620}
  5. 10 Dec, 2021 1 commit
  6. 02 Dec, 2021 1 commit
    • Use CagedPointers for ArrayBuffer backing stores · 42ed4928
      Samuel Groß authored
      This CL turns references to ArrayBuffer backing stores from
      JSArrayBuffers, JSTypedArrays, and JSDataViews into CagedPointers
      when those are enabled.
      
      CagedPointers cannot generally represent nullptr, as NULL usually lies
      outside the cage. As such, nullptr backing stores are replaced with a
      special empty backing store value, which, in the current implementation,
      points to the end of the cage, right in front of the trailing guard
      regions. Due to this, it is no longer correct to compare a backing store
      pointer against nullptr.
      
      Bug: chromium:1218005
      Change-Id: I4a6c7a82aabb4debcb6bb2babe4035ba2da8e79f
      Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3244419
      Commit-Queue: Samuel Groß <saelo@chromium.org>
      Reviewed-by: Jakob Gruber <jgruber@chromium.org>
      Reviewed-by: Leszek Swirski <leszeks@chromium.org>
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#78218}
  7. 24 Nov, 2021 1 commit
    • ArrayBuffer refactoring in preparation for CagedPointers · 6e68daf7
      Samuel Groß authored
      The main changes of this CL are:
      
      It should no longer be assumed that an empty ArrayBuffer has a nullptr
      backing store. This is in preparation for the move to caged pointers,
      which cannot represent nullptr, and will instead likely provide an
      EmptyBackingStore constant pointing inside the virtual memory cage. For
      that reason, a new JSArrayBuffer::IsEmpty() helper is introduced, which
      should be used instead of checking against nullptr.
      
      CodeStubAssembler::GetTypedArrayBuffer now checks for on-heap
      TypedArrays instead of comparing the backing store pointer to nullptr.
      This is consistent with the implementation in JSTypedArray::GetBuffer.
      
      v8::ArrayBufferView::CopyContents now uses JSTypedArray::DataPtr instead
      of relying on nullptr backing stores to handle on-heap TypedArrays.
      
      The serializer and deserializer now check for IsEmpty() and use the
      kEmptyBackingStoreRefSentinel value to serialize empty backing stores.
      
      Empty ArrayBuffers allocated for on-heap TypedArrays now have a
      byte_length of zero. This allows removing the allocation_length() (and
      allocation_buffer()) methods, which were only (incorrectly, as they
      don't account for GSABs) used for memory measurements.
      
      Bug: chromium:1218005
      Change-Id: Ib889ccf855f68525f7a614f3963e46ea56865fa3
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3297709
      Reviewed-by: Leszek Swirski <leszeks@chromium.org>
      Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Reviewed-by: Marja Hölttä <marja@chromium.org>
      Commit-Queue: Samuel Groß <saelo@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#78069}
  8. 23 Nov, 2021 2 commits
  9. 22 Nov, 2021 1 commit
  10. 05 Oct, 2021 1 commit
  11. 22 Sep, 2021 1 commit
  12. 17 Aug, 2021 1 commit
  13. 11 Aug, 2021 1 commit
  14. 23 Jul, 2021 1 commit
  15. 23 Jun, 2021 1 commit
  16. 10 Jun, 2021 1 commit
  17. 10 May, 2021 1 commit
  18. 07 May, 2021 1 commit
    • [heap] Immediately update external memory on JSArrayBuffer::Detach · edd27c77
      Dominik Inführ authored
      This CL changes the accounting of array buffers, such that Detach
      deducts the backing store immediately. Previously this was corrected
      in the next GC cycle.
      
      Not updating backing_store_bytes_ immediately could cause an overflow
      in WasmMemoryObject::Grow. Grow first detaches the backing store from
      the old JSArrayBuffer and then attaches it to a new one. This results
      in the backing store being accounted twice temporarily, which could cause
      overflows on 32-bit systems.
      
      Bug: chromium:1204455
      Change-Id: I7cf2ca9a12bb5caf7bcffa25a34567774cf155b8
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2871458
      Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
      Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#74429}
  19. 07 Jan, 2021 1 commit
  20. 17 Nov, 2020 1 commit
  21. 29 Sep, 2020 1 commit
  22. 12 Aug, 2020 1 commit
  23. 04 May, 2020 1 commit
  24. 01 May, 2020 1 commit
  25. 17 Mar, 2020 1 commit
  26. 02 Mar, 2020 1 commit
  27. 27 Feb, 2020 1 commit
  28. 26 Feb, 2020 1 commit
  29. 10 Feb, 2020 1 commit
    • [heap] Improve accounting with ArrayBufferExtensions · 83dfd058
      Dominik Inführ authored
      Update external memory counters when using ArrayBufferExtensions. In
      case the array buffers are swept concurrently, the counters are updated
      at the beginning of the next minor/full GC. A subsequent GC is going
      to update counters faster.
      
      ArrayBufferExtension now stores the accounting_length such that
      the sweeper always knows how much memory to deduct from the external
      memory on destruction.
      
      ArrayBufferList now also tracks the size of all ArrayBuffers in it.
      
      Bug: v8:10064
      Change-Id: I50a8b1180aa837b6932f834df1610255bd2bd9fd
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2041441
      Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
      Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#66195}
  30. 17 Jan, 2020 1 commit
  31. 13 Jan, 2020 1 commit
    • [objects] Add ArrayBufferExtension class · 69fda08a
      Dominik Inführ authored
      This CL adds the ArrayBufferExtension class, which is used to track
      JSArrayBuffers in a linked list. The ArrayBufferExtension is going to
      replace the ArrayBufferTracker in the future but is currently behind
      the v8_enable_array_buffer_extension feature flag.
      
      When enabled, each JSArrayBuffer has a corresponding native-heap
      allocated ArrayBufferExtension object. All extensions are currently
      tracked in a single linked list. During marking the GC not only
      marks the JSArrayBuffer but also its extension object. At the end of
      mark-compact the GC iterates all extensions and removes unmarked ones.
      
      Change-Id: I88298be255944d5ae1327c91b0d7f0fdbcd486d5
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1969791
      Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#65724}
  32. 17 Dec, 2019 1 commit
  33. 02 Dec, 2019 1 commit
  34. 20 Nov, 2019 1 commit
  35. 15 Nov, 2019 1 commit
  36. 11 Oct, 2019 1 commit
    • Refactor construction of [Shared]ArrayBuffers. · 77ff0a55
      Ulan Degenbaev authored
      The backing store is now propagated to the constructors directly,
      instead of being attached after the construction. This ensures that
      the backing store is allocated before the array buffer so that we can
      trigger GCs on backing store allocation (if allocation fails).
      
      The only exception is builtin where we have to allocate the array buffer
      before the backing store to comply with the spec.
      
      Bug: v8:9380
      Tbr: verwaest@chromium.org
      Change-Id: Ib37db65853f3673dd769368cc3e8b6538ad07ff2
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1853444
      Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
      Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#64240}
  37. 24 Sep, 2019 1 commit
  38. 23 Sep, 2019 1 commit
  39. 19 Sep, 2019 1 commit
    • Reland "[ptr-compr] Make on-heap JSTypedArrays smi-corrupting friendly" · dc1a93b8
      Igor Sheludko authored
      This is a reland of 6f9b2bd4
      
      We must load JSTypedArray::base_pointer in TurboFan as a tagged value,
      otherwise this value may become a stale pointer after GC.
      
      Original change's description:
      > [ptr-compr] Make on-heap JSTypedArrays smi-corrupting friendly
      >
      > On-heap typed arrays contain HeapObject value in |base_pointer| field
      > and an offset in |external_pointer| field. When pointer compression is
      > enabled we want to combine decompression with the offset addition.
      > In order to do that we add an isolate root to the external_pointer value
      > and therefore the data pointer computation is a simple addition of
      > a (potentially sign-extended) |base_pointer| loaded as Tagged_t value
      > and an |external_pointer| value.
      >
      > Bug: v8:9706
      > Change-Id: Id5c546c353c81fb25e3598921bc78165d10a9c44
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1807369
      > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > Reviewed-by: Jakob Gruber <jgruber@chromium.org>
      > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      > Reviewed-by: Georg Neis <neis@chromium.org>
      > Commit-Queue: Igor Sheludko <ishell@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#63874}
      
      Bug: v8:9706, chromium:1005599
      Cq-Include-Trybots: luci.chromium.try:gpu-fyi-try-win10-nvidia-rel-64
      Change-Id: I7bbd2a439306cdd11f2bb0dab5863498624d9740
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1813744
      Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      Reviewed-by: Jakob Gruber <jgruber@chromium.org>
      Reviewed-by: Georg Neis <neis@chromium.org>
      Commit-Queue: Igor Sheludko <ishell@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63898}