Diffstat (limited to 'chromium/v8')
-rw-r--r-- | chromium/v8/include/v8-version.h | 2 | ||||
-rw-r--r-- | chromium/v8/src/compiler/access-builder.cc | 2 | ||||
-rw-r--r-- | chromium/v8/src/compiler/effect-control-linearizer.cc | 6 | ||||
-rw-r--r-- | chromium/v8/src/flag-definitions.h | 2 | ||||
-rw-r--r-- | chromium/v8/src/heap/spaces.cc | 2 | ||||
-rw-r--r-- | chromium/v8/src/ic/handler-configuration.cc | 10 | ||||
-rw-r--r-- | chromium/v8/src/objects.cc | 133 | ||||
-rw-r--r-- | chromium/v8/src/objects.h | 1 | ||||
-rw-r--r-- | chromium/v8/src/runtime/runtime-test.cc | 6 | ||||
-rw-r--r-- | chromium/v8/src/wasm/module-compiler.cc | 17 | ||||
-rw-r--r-- | chromium/v8/src/wasm/wasm-code-manager.cc | 63 | ||||
-rw-r--r-- | chromium/v8/tools/testrunner/local/variants.py | 1 | ||||
-rw-r--r-- | chromium/v8/tools/whitespace.txt | 2 |
13 files changed, 144 insertions, 103 deletions
diff --git a/chromium/v8/include/v8-version.h b/chromium/v8/include/v8-version.h
index 3d7bcda96a8..6cc98294ec5 100644
--- a/chromium/v8/include/v8-version.h
+++ b/chromium/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 6
 #define V8_MINOR_VERSION 5
 #define V8_BUILD_NUMBER 254
-#define V8_PATCH_LEVEL 21
+#define V8_PATCH_LEVEL 31
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/chromium/v8/src/compiler/access-builder.cc b/chromium/v8/src/compiler/access-builder.cc
index dfce11b37eb..13d6801c323 100644
--- a/chromium/v8/src/compiler/access-builder.cc
+++ b/chromium/v8/src/compiler/access-builder.cc
@@ -56,7 +56,7 @@ FieldAccess AccessBuilder::ForHeapNumberValue() {
 FieldAccess AccessBuilder::ForBigIntBitfield() {
 FieldAccess access = {
 kTaggedBase, BigInt::kBitfieldOffset, MaybeHandle<Name>(),
- MaybeHandle<Map>(), TypeCache::Get().kInt32, MachineType::Int32(),
+ MaybeHandle<Map>(), TypeCache::Get().kInt32, MachineType::IntPtr(),
 kNoWriteBarrier};
 return access;
 }
diff --git a/chromium/v8/src/compiler/effect-control-linearizer.cc b/chromium/v8/src/compiler/effect-control-linearizer.cc
index 2b7d1ef9ddf..a47941e28dc 100644
--- a/chromium/v8/src/compiler/effect-control-linearizer.cc
+++ b/chromium/v8/src/compiler/effect-control-linearizer.cc
@@ -1175,9 +1175,9 @@ void EffectControlLinearizer::TruncateTaggedPointerToBit(
 __ Bind(&if_bigint);
 {
 Node* bitfield = __ LoadField(AccessBuilder::ForBigIntBitfield(), value);
- Node* length_is_zero = __ Word32Equal(
- __ Word32And(bitfield, __ Int32Constant(BigInt::LengthBits::kMask)),
- zero);
+ Node* length_is_zero = __ WordEqual(
+ __ WordAnd(bitfield, __ IntPtrConstant(BigInt::LengthBits::kMask)),
+ __ IntPtrConstant(0));
 __ Goto(done, __ Word32Equal(length_is_zero, zero));
 }
 }
diff --git a/chromium/v8/src/flag-definitions.h b/chromium/v8/src/flag-definitions.h
index 9aa437bc06f..e40e182dad5 100644
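Review bot: `AccessBuilder::ForBigIntBitfield()` now describes the bitfield load as `MachineType::IntPtr()` while keeping `TypeCache::Get().kInt32` as its type, so the two halves of the `FieldAccess` disagree on 64-bit targets and nothing at the definition says which one is authoritative. The companion hunk in effect-control-linearizer.cc switches its consumer to `WordAnd`/`WordEqual` with `IntPtrConstant` to match, which suggests the field occupies a full word; any other user of this accessor that still masks with 32-bit operations would now load a different width than it computes on, so that is worth a grep before landing. A comment on the initializer would pin the intent, e.g. `// Loaded at word width; consumers must use Word*/IntPtr operations, not Word32*.`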
--- a/chromium/v8/src/flag-definitions.h
+++ b/chromium/v8/src/flag-definitions.h
@@ -497,6 +497,8 @@ DEFINE_DEBUG_BOOL(wasm_trace_native_heap, false,
 "trace wasm native heap events")
 DEFINE_BOOL(wasm_jit_to_native, true,
 "JIT wasm code to native (not JS GC) memory")
+DEFINE_BOOL(wasm_write_protect_code_memory, false,
+ "write protect code memory on the wasm native heap")
 DEFINE_IMPLICATION(future, wasm_jit_to_native)
 DEFINE_BOOL(wasm_trace_serialization, false,
 "trace serialization/deserialization")
diff --git a/chromium/v8/src/heap/spaces.cc b/chromium/v8/src/heap/spaces.cc
index 750a8dc3769..2dd5e9b24de 100644
--- a/chromium/v8/src/heap/spaces.cc
+++ b/chromium/v8/src/heap/spaces.cc
@@ -352,8 +352,8 @@ void MemoryAllocator::Unmapper::WaitUntilCompleted() {
 CancelableTaskManager::kTaskAborted) {
 pending_unmapping_tasks_semaphore_.Wait();
 }
- concurrent_unmapping_tasks_active_ = 0;
 }
+ concurrent_unmapping_tasks_active_ = 0;
 }
 template <MemoryAllocator::Unmapper::FreeMode mode>
diff --git a/chromium/v8/src/ic/handler-configuration.cc b/chromium/v8/src/ic/handler-configuration.cc
index 94d3b33fb18..19614a4322c 100644
--- a/chromium/v8/src/ic/handler-configuration.cc
+++ b/chromium/v8/src/ic/handler-configuration.cc
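Review bot: The new `DEFINE_BOOL(wasm_write_protect_code_memory, false, ...)` description says what enabling the flag does but not what the default means: per the `WasmCodeManager::Commit` and `NativeModule::SetExecutable` hunks in wasm-code-manager.cc in this same diff, with the flag off freshly committed wasm code pages get `PageAllocator::kReadWriteExecute` and `SetExecutable` returns without touching permissions, so W^X for wasm code becomes opt-in. Anyone reading the flag help or auditing the build's memory-protection posture will not learn that from `"write protect code memory on the wasm native heap"`. Suggest `"write protect code memory on the wasm native heap (off: code pages stay read-write-execute)"`.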
@@ -121,9 +121,15 @@ Handle<Object> LoadHandler::LoadFromPrototype(Isolate* isolate,
 int checks_count = GetPrototypeCheckCount<LoadHandler>(
 isolate, &smi_handler, receiver_map, holder, data1, maybe_data2);
- Handle<Cell> validity_cell =
+ Handle<Object> validity_cell =
 Map::GetOrCreatePrototypeChainValidityCell(receiver_map, isolate);
- DCHECK(!validity_cell.is_null());
+ if (validity_cell.is_null()) {
+ // Although in case of kApiGetter we load from receiver we still have to
+ // use the "prototype" shape of a handler in order to provide additional
+ // data to the dispatcher.
+ DCHECK_EQ(kApiGetter, GetHandlerKind(*smi_handler));
+ validity_cell = handle(Smi::kZero, isolate);
+ }
 int data_count = 1 + checks_count;
 Handle<LoadHandler> handler = isolate->factory()->NewLoadHandler(data_count);
diff --git a/chromium/v8/src/objects.cc b/chromium/v8/src/objects.cc
index c5c563b4dbe..f8c55e57a63 100644
--- a/chromium/v8/src/objects.cc
+++ b/chromium/v8/src/objects.cc
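Review bot: The new fallback in `LoadHandler::LoadFromPrototype` substitutes `Smi::kZero` for a null validity cell, but the only guard that this happens solely for `kApiGetter` handlers is a `DCHECK_EQ`, which compiles out of release builds. If `Map::GetOrCreatePrototypeChainValidityCell` ever returns null for another handler kind, release builds would silently emit a prototype-shaped handler whose validity slot is a Smi rather than a cell, and whatever the dispatcher does with that (presumably treating it as "no validity check") would happen without any signal. This commit hardens comparable invariants elsewhere by turning `DCHECK`s into `CHECK`s (objects.cc), so `CHECK_EQ(kApiGetter, GetHandlerKind(*smi_handler));` would be the consistent choice here; the function's opening lines are just above the hunk.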
@@ -12978,6 +12978,56 @@ void JSFunction::EnsureHasInitialMap(Handle<JSFunction> function) {
 map->StartInobjectSlackTracking();
 }
+namespace {
+bool FastInitializeDerivedMap(Isolate* isolate, Handle<JSFunction> new_target,
+ Handle<JSFunction> constructor,
+ Handle<Map> constructor_initial_map) {
+ // Check that |function|'s initial map still in sync with the |constructor|,
+ // otherwise we must create a new initial map for |function|.
+ if (new_target->has_initial_map() &&
+ new_target->initial_map()->GetConstructor() == *constructor) {
+ DCHECK(new_target->instance_prototype()->IsJSReceiver());
+ return true;
+ }
+ InstanceType instance_type = constructor_initial_map->instance_type();
+ DCHECK(CanSubclassHaveInobjectProperties(instance_type));
+ // Create a new map with the size and number of in-object properties
+ // suggested by |function|.
+
+ // Link initial map and constructor function if the new.target is actually a
+ // subclass constructor.
+ if (!IsDerivedConstructor(new_target->shared()->kind())) return false;
+
+ int instance_size;
+ int in_object_properties;
+ int embedder_fields =
+ JSObject::GetEmbedderFieldCount(*constructor_initial_map);
+ bool success = JSFunction::CalculateInstanceSizeForDerivedClass(
+ new_target, instance_type, embedder_fields, &instance_size,
+ &in_object_properties);
+
+ Handle<Map> map;
+ if (success) {
+ int pre_allocated = constructor_initial_map->GetInObjectProperties() -
+ constructor_initial_map->UnusedPropertyFields();
+ CHECK_LE(constructor_initial_map->UsedInstanceSize(), instance_size);
+ int unused_property_fields = in_object_properties - pre_allocated;
+ map = Map::CopyInitialMap(constructor_initial_map, instance_size,
+ in_object_properties, unused_property_fields);
+ } else {
+ map = Map::CopyInitialMap(constructor_initial_map);
+ }
+ map->set_new_target_is_base(false);
+ Handle<Object> prototype(new_target->instance_prototype(), isolate);
+ JSFunction::SetInitialMap(new_target, map, prototype);
+ DCHECK(new_target->instance_prototype()->IsJSReceiver());
+ map->SetConstructor(*constructor);
+ map->set_construction_counter(Map::kNoSlackTracking);
+ map->StartInobjectSlackTracking();
+ return true;
+}
+
+} // namespace
 // static
 MaybeHandle<Map> JSFunction::GetDerivedMap(Isolate* isolate,
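Review bot: The comments carried into `FastInitializeDerivedMap` still refer to `|function|` (`// Check that |function|'s initial map still in sync with the |constructor|,` and `// suggested by |function|.`) but the parameter is now named `new_target`, so the text no longer matches the code. The helper also has no header comment stating its contract: from the body it returns true when `new_target->initial_map()` is the map to use (either already in sync with `constructor`, or freshly created and installed here) and false when `new_target` is not a derived constructor and the caller must take its slow path; the `CHECK_LE(constructor_initial_map->UsedInstanceSize(), instance_size)` that newly guards the sized copy deserves a one-line why as well. Suggest changing the `|function|` references to `|new_target|` and adding a short header comment above `bool FastInitializeDerivedMap(` describing the true/false meaning. The hunk ends in the middle of `GetDerivedMap`'s signature.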
@@ -12988,55 +13038,16 @@ MaybeHandle<Map> JSFunction::GetDerivedMap(Isolate* isolate,
 Handle<Map> constructor_initial_map(constructor->initial_map(), isolate);
 if (*new_target == *constructor) return constructor_initial_map;
+ Handle<Map> result_map;
 // Fast case, new.target is a subclass of constructor. The map is cacheable
 // (and may already have been cached). new.target.prototype is guaranteed to
 // be a JSReceiver.
 if (new_target->IsJSFunction()) {
 Handle<JSFunction> function = Handle<JSFunction>::cast(new_target);
-
- // Check that |function|'s initial map still in sync with the |constructor|,
- // otherwise we must create a new initial map for |function|.
- if (function->has_initial_map() &&
- function->initial_map()->GetConstructor() == *constructor) {
+ if (FastInitializeDerivedMap(isolate, function, constructor,
+ constructor_initial_map)) {
 return handle(function->initial_map(), isolate);
 }
-
- // Create a new map with the size and number of in-object properties
- // suggested by |function|.
-
- // Link initial map and constructor function if the new.target is actually a
- // subclass constructor.
- if (IsDerivedConstructor(function->shared()->kind())) {
- Handle<Object> prototype(function->instance_prototype(), isolate);
- InstanceType instance_type = constructor_initial_map->instance_type();
- DCHECK(CanSubclassHaveInobjectProperties(instance_type));
- int embedder_fields =
- JSObject::GetEmbedderFieldCount(*constructor_initial_map);
- int pre_allocated = constructor_initial_map->GetInObjectProperties() -
- constructor_initial_map->UnusedPropertyFields();
- int instance_size;
- int in_object_properties;
- bool success = CalculateInstanceSizeForDerivedClass(
- function, instance_type, embedder_fields, &instance_size,
- &in_object_properties);
-
- int unused_property_fields = in_object_properties - pre_allocated;
-
- Handle<Map> map;
- if (success) {
- map = Map::CopyInitialMap(constructor_initial_map, instance_size,
- in_object_properties, unused_property_fields);
- } else {
- map = Map::CopyInitialMap(constructor_initial_map);
- }
- map->set_new_target_is_base(false);
-
- JSFunction::SetInitialMap(function, map, prototype);
- map->SetConstructor(*constructor);
- map->set_construction_counter(Map::kNoSlackTracking);
- map->StartInobjectSlackTracking();
- return map;
- }
 }
 // Slow path, new.target is either a proxy or can't cache the map.
@@ -13078,7 +13089,7 @@ MaybeHandle<Map> JSFunction::GetDerivedMap(Isolate* isolate,
 Handle<Map> map = Map::CopyInitialMap(constructor_initial_map);
 map->set_new_target_is_base(false);
- DCHECK(prototype->IsJSReceiver());
+ CHECK(prototype->IsJSReceiver());
 if (map->prototype() != *prototype) Map::SetPrototype(map, prototype);
 map->SetConstructor(*constructor);
 return map;
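Review bot: `Handle<Map> result_map;` is added to `JSFunction::GetDerivedMap` but nothing on the new side of this hunk assigns or reads it; the fast path returns `handle(function->initial_map(), isolate)` directly. If the slow path below the hunk does not use it either, the declaration is dead and should be dropped; if it is used there, declaring it next to its first use would keep it out of the fast path. The second hunk's `DCHECK`→`CHECK(prototype->IsJSReceiver())` is sound, but since the motivation is not visible here a one-line comment on why a non-receiver prototype is now fatal in release would help the next reader.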
@@ -13773,15 +13784,17 @@ void JSFunction::CalculateInstanceSizeHelper(InstanceType instance_type,
 int* instance_size,
 int* in_object_properties) {
 int header_size = JSObject::GetHeaderSize(instance_type, has_prototype_slot);
- DCHECK_LE(requested_embedder_fields,
- (JSObject::kMaxInstanceSize - header_size) >> kPointerSizeLog2);
+ int max_nof_fields =
+ (JSObject::kMaxInstanceSize - header_size) >> kPointerSizeLog2;
+ CHECK_LE(max_nof_fields, JSObject::kMaxInObjectProperties);
+ *in_object_properties = Min(requested_in_object_properties, max_nof_fields);
+ CHECK_LE(requested_embedder_fields, max_nof_fields - *in_object_properties);
 *instance_size =
- Min(header_size +
- ((requested_embedder_fields + requested_in_object_properties)
- << kPointerSizeLog2),
- JSObject::kMaxInstanceSize);
- *in_object_properties = ((*instance_size - header_size) >> kPointerSizeLog2) -
- requested_embedder_fields;
+ header_size +
+ ((requested_embedder_fields + *in_object_properties) << kPointerSizeLog2);
+ CHECK_EQ(*in_object_properties,
+ ((*instance_size - header_size) >> kPointerSizeLog2) -
+ requested_embedder_fields);
 }
 // static
@@ -13791,7 +13804,6 @@ bool JSFunction::CalculateInstanceSizeForDerivedClass(
 int* in_object_properties) {
 Isolate* isolate = function->GetIsolate();
 int expected_nof_properties = 0;
- bool result = true;
 for (PrototypeIterator iter(isolate, function, kStartAtReceiver);
 !iter.IsAtEnd(); iter.Advance()) {
 Handle<JSReceiver> current =
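Review bot: `CalculateInstanceSizeHelper` now silently clamps `*in_object_properties` to `max_nof_fields` while `requested_embedder_fields` is hard-checked, and this asymmetry is not written down anywhere; a header comment on the function (its signature starts above the hunk) should state that the requested in-object property count is a hint that may be reduced to fit `JSObject::kMaxInstanceSize`, whereas embedder fields are mandatory and a shortfall is fatal via `CHECK_LE`. The clamp also assumes `requested_in_object_properties` is non-negative: a negative value passes `Min` unchanged and makes the embedder `CHECK_LE` more permissive than intended; the caller in this diff only ever passes a saturating non-negative sum, but `CHECK_GE(requested_in_object_properties, 0);` at the top would make the assumption explicit. The trailing `CHECK_EQ` restating the arithmetic reads as a self-test and deserves `// Cross-check: the field count must round-trip through the computed size.` so it is not mistaken for dead code.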
@@ -13804,21 +13816,24 @@ bool JSFunction::CalculateInstanceSizeForDerivedClass(
 if (shared->is_compiled() ||
 Compiler::Compile(func, Compiler::CLEAR_EXCEPTION)) {
 DCHECK(shared->is_compiled());
- expected_nof_properties += shared->expected_nof_properties();
+ int count = shared->expected_nof_properties();
+ // Check that the estimate is sane.
+ if (expected_nof_properties <= JSObject::kMaxInObjectProperties - count) {
+ expected_nof_properties += count;
+ } else {
+ expected_nof_properties = JSObject::kMaxInObjectProperties;
+ }
 } else if (!shared->is_compiled()) {
 // In case there was a compilation error for the constructor we will
 // throw an error during instantiation. Hence we directly return 0;
- result = false;
- break;
- }
- if (!IsDerivedConstructor(shared->kind())) {
- break;
+ return false;
 }
+ if (!IsDerivedConstructor(shared->kind())) break;
 }
 CalculateInstanceSizeHelper(instance_type, true, requested_embedder_fields,
 expected_nof_properties, instance_size,
 in_object_properties);
- return result;
+ return true;
 }
diff --git a/chromium/v8/src/objects.h b/chromium/v8/src/objects.h
index 4011054c39d..93f4a4eb95b 100644
--- a/chromium/v8/src/objects.h
+++ b/chromium/v8/src/objects.h
@@ -2672,6 +2672,7 @@ class JSObject: public JSReceiver {
 STATIC_ASSERT(kHeaderSize == Internals::kJSObjectHeaderSize);
 static const int kMaxInObjectProperties =
 (kMaxInstanceSize - kHeaderSize) >> kPointerSizeLog2;
+ STATIC_ASSERT(kMaxInObjectProperties <= kMaxNumberOfDescriptors);
 class BodyDescriptor;
 // No weak fields.
diff --git a/chromium/v8/src/runtime/runtime-test.cc b/chromium/v8/src/runtime/runtime-test.cc
index c2eefcbd4e2..01e2b198a64 100644
--- a/chromium/v8/src/runtime/runtime-test.cc
+++ b/chromium/v8/src/runtime/runtime-test.cc
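Review bot: The comment `// Check that the estimate is sane.` in `CalculateInstanceSizeForDerivedClass` does not say what the branch does, which is saturate the running total at `JSObject::kMaxInObjectProperties` rather than reject anything; suggest `// Saturate at kMaxInObjectProperties so the summed per-class estimates cannot overflow or exceed what fits in an instance.` The bound is computed as `kMaxInObjectProperties - count`, which only behaves as intended when `count` is non-negative; that is plausible for an expected property count but not visible here, so confirm it against the definition of `expected_nof_properties()`. The new early `return false` leaves `*instance_size` and `*in_object_properties` unwritten, which matches the one caller in this diff ignoring them when `success` is false, but a sentence in the function's header comment stating that the outputs are only valid on a true return would protect future callers.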
@@ -617,10 +617,12 @@ RUNTIME_FUNCTION(Runtime_NotifyContextDisposed) {
 RUNTIME_FUNCTION(Runtime_SetAllocationTimeout) {
 SealHandleScope shs(isolate);
 DCHECK(args.length() == 2 || args.length() == 3);
-#ifdef DEBUG
- CONVERT_INT32_ARG_CHECKED(interval, 0);
+#ifdef V8_ENABLE_ALLOCATION_TIMEOUT
 CONVERT_INT32_ARG_CHECKED(timeout, 1);
 isolate->heap()->set_allocation_timeout(timeout);
+#endif
+#ifdef DEBUG
+ CONVERT_INT32_ARG_CHECKED(interval, 0);
 FLAG_gc_interval = interval;
 if (args.length() == 3) {
 // Enable/disable inline allocation if requested.
diff --git a/chromium/v8/src/wasm/module-compiler.cc b/chromium/v8/src/wasm/module-compiler.cc
index 476afb52c2e..4a2e610b99b 100644
--- a/chromium/v8/src/wasm/module-compiler.cc
+++ b/chromium/v8/src/wasm/module-compiler.cc
@@ -891,7 +891,8 @@ compiler::ModuleEnv CreateModuleEnvFromCompiledModule(
 std::vector<GlobalHandleAddress> function_tables;
 int num_function_tables = static_cast<int>(module->function_tables.size());
- FixedArray* ft = compiled_module->function_tables();
+ FixedArray* ft =
+ num_function_tables == 0 ? nullptr : compiled_module->function_tables();
 for (int i = 0; i < num_function_tables; ++i) {
 // TODO(clemensh): defer these handles for concurrent compilation.
 function_tables.push_back(WasmCompiledModule::GetTableValue(ft, i));
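Review bot: In `CreateModuleEnvFromCompiledModule` the new `ft` initializer avoids calling `compiled_module->function_tables()` when `num_function_tables == 0`, which implies the accessor must not be used for modules without tables (presumably the slot is not a `FixedArray` in that case), but the reader only sees a ternary handing `nullptr` into a loop that never runs. A short comment would capture the invariant, e.g. `// function_tables() must only be read when the module declares at least one table; with none, the loop below is skipped anyway.` The enclosing function continues past the hunk.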
@@ -3466,14 +3467,20 @@ void InstanceBuilder::LoadTableSegments(Handle<FixedArray> code_table,
 Code::cast(code_table->get(static_cast<int>(func_index)));
 // Only increase the counter for lazy compile builtins (it's not
 // needed otherwise).
- if (code->is_wasm_code()) continue;
- DCHECK_EQ(Builtins::kWasmCompileLazy, code->builtin_index());
+ if (code->builtin_index() != Builtins::kWasmCompileLazy) {
+ DCHECK(code->kind() == Code::WASM_FUNCTION ||
+ code->kind() == Code::WASM_TO_JS_FUNCTION);
+ continue;
+ }
 } else {
 const wasm::WasmCode* code = native_module->GetCode(func_index);
 // Only increase the counter for lazy compile builtins (it's not
 // needed otherwise).
- if (code->kind() == wasm::WasmCode::kFunction) continue;
- DCHECK_EQ(wasm::WasmCode::kLazyStub, code->kind());
+ if (code->kind() != wasm::WasmCode::kLazyStub) {
+ DCHECK(code->kind() == wasm::WasmCode::kFunction ||
+ code->kind() == wasm::WasmCode::kWasmToJsWrapper);
+ continue;
+ }
 }
 ++num_table_exports[func_index];
 }
diff --git a/chromium/v8/src/wasm/wasm-code-manager.cc b/chromium/v8/src/wasm/wasm-code-manager.cc
index 3dab47702c1..8e46f33b012 100644
--- a/chromium/v8/src/wasm/wasm-code-manager.cc
+++ b/chromium/v8/src/wasm/wasm-code-manager.cc
@@ -734,7 +734,11 @@ bool WasmCodeManager::Commit(Address start, size_t size) {
 remaining_uncommitted_.Increment(size);
 return false;
 }
- bool ret = SetPermissions(start, size, PageAllocator::kReadWrite);
+ PageAllocator::Permission permission = FLAG_wasm_write_protect_code_memory
+ ? PageAllocator::kReadWrite
+ : PageAllocator::kReadWriteExecute;
+
+ bool ret = SetPermissions(start, size, permission);
 TRACE_HEAP("Setting rw permissions for %p:%p\n",
 reinterpret_cast<void*>(start),
 reinterpret_cast<void*>(start + size));
@@ -828,6 +832,7 @@ std::unique_ptr<NativeModule> WasmCodeManager::NewNativeModule(
 return ret;
 }
+ V8::FatalProcessOutOfMemory("WasmCodeManager::NewNativeModule");
 return nullptr;
 }
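Review bot: In `WasmCodeManager::Commit` the trace message `"Setting rw permissions for %p:%p\n"` is now wrong whenever `FLAG_wasm_write_protect_code_memory` is off, which is the default per flag-definitions.h in this diff: the pages are committed `PageAllocator::kReadWriteExecute`, and a heap trace that says "rw" for RWX pages will mislead anyone using `wasm_trace_native_heap` to audit code-page protections. Either log the actual permission, e.g. `TRACE_HEAP("Setting %s permissions for %p:%p\n", permission == PageAllocator::kReadWrite ? "rw" : "rwx", ...)`, or at least drop "rw" from the string. In `NewNativeModule`, the `return nullptr;` left after `V8::FatalProcessOutOfMemory(...)` is unreachable if that call does not return; a brief comment or removing the line would settle the question for the reader.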
@@ -838,38 +843,40 @@ bool NativeModule::SetExecutable(bool executable) {
 PageAllocator::Permission permission =
 executable ? PageAllocator::kReadExecute : PageAllocator::kReadWrite;
+ if (FLAG_wasm_write_protect_code_memory) {
 #if V8_OS_WIN
- // On windows, we need to switch permissions per separate virtual memory
- // reservation. This is really just a problem when the NativeModule is
- // growable (meaning can_request_more_memory_). That's 32-bit in production,
- // or unittests.
- // For now, in that case, we commit at reserved memory granularity.
- // Technically, that may be a waste, because we may reserve more than we use.
- // On 32-bit though, the scarce resource is the address space - committed or
- not.
- if (can_request_more_memory_) {
- for (auto& vmem : owned_memory_) {
- if (!SetPermissions(vmem.address(), vmem.size(), permission)) {
- return false;
+ // On windows, we need to switch permissions per separate virtual memory
+ // reservation. This is really just a problem when the NativeModule is
+ // growable (meaning can_request_more_memory_). That's 32-bit in production,
+ // or unittests.
+ // For now, in that case, we commit at reserved memory granularity.
+ // Technically, that may be a waste, because we may reserve more than we
+ // use. On 32-bit though, the scarce resource is the address space -
+ // committed or not.
+ if (can_request_more_memory_) {
+ for (auto& vmem : owned_memory_) {
+ if (!SetPermissions(vmem.address(), vmem.size(), permission)) {
+ return false;
+ }
+ TRACE_HEAP("Set %p:%p to executable:%d\n", vmem.address(), vmem.end(),
+ executable);
 }
- TRACE_HEAP("Set %p:%p to executable:%d\n", vmem.address(), vmem.end(),
- executable);
+ is_executable_ = executable;
+ return true;
 }
- is_executable_ = executable;
- return true;
- }
 #endif
- for (auto& range : allocated_memory_.ranges()) {
- // allocated_memory_ is fine-grained, so we need to
- // page-align it.
- size_t range_size = RoundUp(static_cast<size_t>(range.second - range.first),
- AllocatePageSize());
- if (!SetPermissions(range.first, range_size, permission)) {
- return false;
+ for (auto& range : allocated_memory_.ranges()) {
+ // allocated_memory_ is fine-grained, so we need to
+ // page-align it.
+ size_t range_size = RoundUp(
+ static_cast<size_t>(range.second - range.first), AllocatePageSize());
+ if (!SetPermissions(range.first, range_size, permission)) {
+ return false;
+ }
+ TRACE_HEAP("Set %p:%p to executable:%d\n",
+ reinterpret_cast<void*>(range.first),
+ reinterpret_cast<void*>(range.second), executable);
 }
- TRACE_HEAP("Set %p:%p to executable:%d\n",
- reinterpret_cast<void*>(range.first),
- reinterpret_cast<void*>(range.second), executable);
 }
 is_executable_ = executable;
 return true;
diff --git a/chromium/v8/tools/testrunner/local/variants.py b/chromium/v8/tools/testrunner/local/variants.py
index 73e9a6e6440..f1e9ad301e8 100644
--- a/chromium/v8/tools/testrunner/local/variants.py
+++ b/chromium/v8/tools/testrunner/local/variants.py
@@ -23,6 +23,7 @@ ALL_VARIANT_FLAGS = {
 "stress_sampling": [["--stress-sampling-allocation-profiler=16384"]],
 "trusted": [["--no-untrusted-code-mitigations"]],
 "wasm_traps": [["--wasm_trap_handler", "--invoke-weak-callbacks", "--wasm-jit-to-native"]],
+ "wasm_no_native": [["--no-wasm-jit-to-native"]],
 }
 ALL_VARIANTS = set(ALL_VARIANT_FLAGS.keys())
diff --git a/chromium/v8/tools/whitespace.txt b/chromium/v8/tools/whitespace.txt
index 3650eb88c46..ed5e51f96a6 100644
--- a/chromium/v8/tools/whitespace.txt
+++ b/chromium/v8/tools/whitespace.txt
@@ -7,6 +7,6 @@ A Smi balks into a war and says:
 The doubles heard this and started to unbox.
 The Smi looked at them when a crazy v8-autoroll account showed up...
 The autoroller bought a round of Himbeerbrause. Suddenly...
-The bartender starts to shake the bottles......................
+The bartender starts to shake the bottles.......................
 .
 .
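Review bot: With `FLAG_wasm_write_protect_code_memory` off, `NativeModule::SetExecutable` now computes `permission`, skips every `SetPermissions` call, sets `is_executable_` and returns true, so callers cannot tell that no mapping was changed and `permission` is dead on that path. Moving the `PageAllocator::Permission permission = ...` initializer inside the `if (FLAG_wasm_write_protect_code_memory) {` block and adding `// Without write protection the code memory is committed RWX (see WasmCodeManager::Commit), so there is nothing to flip here.` before the final `is_executable_ = executable;` would make the intent explicit and remove the unused variable. The function's opening brace is the line above the hunk.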