v8-5338: Proposed fix to V8 issue 5338 (authored by kentonv) #24

KoenLav · 2018-04-16T19:16:00Z

This proposed patch is based on the work of @kentonv here: nodejs/node@0b88256

It intends to fix this issue:
https://bugs.chromium.org/p/v8/issues/detail?id=5338

As @kentonv mentions here (meteor/meteor#9796 (comment)) the patch created is probably not yet entirely suitable to be applied here, but placing this here for review.

Maybe someone with a better understanding of the internal workings of V8 can pick this up?

kentonv · 2018-04-16T19:22:33Z

This patch is NOT appropriate to merge as-is. It WILL BREAK users of V8 that use multiple isolates (not Node, but other users).

I've attached a better patch to the issue thread.

KoenLav · 2018-04-16T19:39:23Z

Updated the PR to reflect @kentonv's latest patch.

In the issue @kentonv requested to present the patch in an official manner if you decide to merge this (not via my account).

Leaving this here for review and feedback.

devsnek · 2018-04-16T19:39:40Z

v8 doesn't accept PRs from github, check out the contributing guide here: https://github.com/v8/v8/wiki/Contributing

Revision: 7bb79b9 BUG=chromium:831984 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true [email protected] Change-Id: I645a52e81c31397494e255d4b30f60a693fde56c Reviewed-on: https://chromium-review.googlesource.com/1018460 Reviewed-by: Sathya Gunasekaran <[email protected]> Cr-Commit-Position: refs/branch-heads/6.7@{#24} Cr-Branched-From: 8457e81-refs/heads/6.7.288@{#2} Cr-Branched-From: e921be5-refs/heads/master@{#52547}

Cr-Commit-Position: refs/branch-heads/6.0@{v8#24} Cr-Branched-From: 97dbf62-refs/heads/6.0.286@{#1} Cr-Branched-From: 12e6f1c-refs/heads/master@{#45439}

[email protected] Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Change-Id: Ic91ac67d3fcd97f3fb25ab01dd08067fe9b084fa Reviewed-on: https://chromium-review.googlesource.com/1094709 Reviewed-by: v8 autoroll <[email protected]> Cr-Commit-Position: refs/branch-heads/6.8@{#24} Cr-Branched-From: 44d7d7d-refs/heads/6.8.275@{#1} Cr-Branched-From: 5754f66-refs/heads/master@{#53286}

[email protected] Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Change-Id: I5a5dffa763e7b370953775ecf5402db716ad97f8 Reviewed-on: https://chromium-review.googlesource.com/1163296 Reviewed-by: V8 Autoroller <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/branch-heads/6.9@{#24} Cr-Branched-From: d7b61ab-refs/heads/6.9.427@{#1} Cr-Branched-From: b7e108d-refs/heads/master@{#54504}

This reverts commit caed2cc. Reason for revert: Breaks layout tests, e.g. https://test-results.appspot.com/data/layout_results/V8-Blink_Linux_64__dbg_/14924/webkit_layout_tests%20%28with%20patch%29/layout-test-results/results.html crash log for renderer (pid <unknown>): STDOUT: <empty> STDERR: STDERR: STDERR: # STDERR: # Fatal error in ../../v8/src/base/platform/elapsed-timer.h, line 24 STDERR: # Debug check failed: !IsStarted(). STDERR: # STDERR: # STDERR: # STDERR: #FailureMessage Object: 0x7ffc46707640#0 0x565409263b6f base::debug::StackTrace::StackTrace() STDERR: #1 0x56540a8a32fb gin::(anonymous namespace)::PrintStackTrace() STDERR: #2 0x56540a8980d8 V8_Fatal() STDERR: #3 0x56540a897e35 v8::base::(anonymous namespace)::DefaultDcheckHandler() STDERR: v8#4 0x565407971f02 v8::base::ElapsedTimer::Start() STDERR: v8#5 0x565407d08edf v8::internal::TimedHistogram::Start() STDERR: v8#6 0x565407e500d5 v8::internal::IncrementalMarking::AdvanceIncrementalMarkingOnAllocation() STDERR: v8#7 0x565407e4f977 v8::internal::IncrementalMarking::Observer::Step() STDERR: v8#8 0x565407e48092 v8::internal::AllocationObserver::AllocationStep() STDERR: v8#9 0x565407eb0751 v8::internal::SpaceWithLinearArea::InlineAllocationStep() STDERR: v8#10 0x565407eb3e44 v8::internal::NewSpace::EnsureAllocation() STDERR: v8#11 0x565407e258ff v8::internal::NewSpace::AllocateRaw() STDERR: v8#12 0x565407e06b2d v8::internal::Heap::AllocateRaw() STDERR: v8#13 0x565407e432ef v8::internal::Heap::AllocateRawWithLightRetry() STDERR: v8#14 0x565407e433cf v8::internal::Heap::AllocateRawWithRetryOrFail() STDERR: v8#15 0x565407e04d48 v8::internal::Factory::NewFixedArrayWithFiller() STDERR: v8#16 0x565407fd6339 v8::internal::HashTable<>::New() STDERR: v8#17 0x565407fd7be8 v8::internal::HashTable<>::EnsureCapacity() STDERR: v8#18 0x565407fc7e95 v8::internal::Dictionary<>::Add() STDERR: v8#19 0x565407fcf453 v8::internal::BaseNameDictionary<>::Add() STDERR: v8#20 0x565407f89ee4 v8::internal::LookupIterator::ApplyTransitionToDataProperty() STDERR: v8#21 0x5654080036e2 v8::internal::Object::AddDataProperty() STDERR: v8#22 0x56540793061f v8::internal::(anonymous namespace)::DefineDataProperty() STDERR: v8#23 0x56540792da59 v8::internal::(anonymous namespace)::InstantiateObject() STDERR: v8#24 0x56540792b75a v8::internal::(anonymous namespace)::InstantiateFunction() STDERR: v8#25 0x56540792b4db v8::internal::ApiNatives::InstantiateFunction() STDERR: v8#26 0x5654079594bf v8::FunctionTemplate::GetFunction() STDERR: v8#27 0x56540a7af74e blink::V8ObjectConstructor::CreateInterfaceObject() STDERR: v8#28 0x56540a7afe01 blink::V8PerContextData::ConstructorForTypeSlowCase() STDERR: v8#29 0x56540a7afdd6 blink::V8PerContextData::ConstructorForTypeSlowCase() STDERR: v8#30 0x56540a7afdd6 blink::V8PerContextData::ConstructorForTypeSlowCase() STDERR: v8#31 0x56540a7afcb4 blink::V8PerContextData::CreateWrapperFromCacheSlowCase() STDERR: v8#32 0x56540a7aef73 blink::V8DOMWrapper::CreateWrapper() STDERR: v8#33 0x56540a7abf6b blink::ScriptWrappable::Wrap() STDERR: v8#34 0x56540a677199 blink::V8Document::documentElementAttributeGetterCallback() STDERR: v8#35 0x565407a0aec3 v8::internal::FunctionCallbackArguments::Call() STDERR: v8#36 0x565407a097be v8::internal::(anonymous namespace)::HandleApiCallHelper<>() STDERR: v8#37 0x565407a0877b v8::internal::Builtins::InvokeApiFunction() STDERR: v8#38 0x565407fe785a v8::internal::Object::GetPropertyWithAccessor() STDERR: v8#39 0x565407fe697e v8::internal::Object::GetProperty() STDERR: v8#40 0x565407ec8c71 v8::internal::LoadIC::Load() STDERR: v8#41 0x565407ed6401 v8::internal::__RT_impl_Runtime_LoadIC_Miss() STDERR: v8#42 0x5654087593f2 <unknown> STDERR: [16162:16185:1122/143518.356897:WARNING:crash_handler_host_linux.cc(341)] Could not translate tid, attempt = 1 retry ... Original change's description: > [heap] Improve embedder tracing during incremental marking > > Add a path into embedder tracing on allocation. This is safe as as Blink > is not allowed to call into V8 during object construction. > > Bug: chromium:843903 > Change-Id: I5af053c3169f5a33778ebce5d7c5c43e4efb1aa4 > Reviewed-on: https://chromium-review.googlesource.com/c/1348749 > Commit-Queue: Michael Lippautz <[email protected]> > Reviewed-by: Ulan Degenbaev <[email protected]> > Cr-Commit-Position: refs/heads/master@{#57757} [email protected],[email protected] Change-Id: Ide2c0b284b52bee17573adcc89f14be4e40dab91 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: chromium:843903 Reviewed-on: https://chromium-review.googlesource.com/c/1349189 Reviewed-by: Yang Guo <[email protected]> Commit-Queue: Yang Guo <[email protected]> Cr-Commit-Position: refs/heads/master@{#57759}

TBR=v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com Change-Id: I22985e89ac6a6f2320c3b1efb330aa2617ef0a8b Reviewed-on: https://chromium-review.googlesource.com/c/1376033 Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/branch-heads/7.2@{v8#24} Cr-Branched-From: 6acd03c-refs/heads/7.2.502@{#1} Cr-Branched-From: b03041d-refs/heads/master@{#57910}

TBR=v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com Change-Id: I2fc53522428759c8aee3a2a767c8032bb0449a5d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1534258 Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/branch-heads/7.4@{v8#24} Cr-Branched-From: 3e8a733-refs/heads/7.4.288@{#1} Cr-Branched-From: d077f9b-refs/heads/master@{#60039}

TBR=v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com Change-Id: Ifad01498f9ae50799d79f4264659ded5befd19f0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2063590 Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/branch-heads/8.1@{v8#24} Cr-Branched-From: a4dcd39-refs/heads/8.1.307@{#1} Cr-Branched-From: f22c213-refs/heads/master@{#66031}

SSE requires operand0 to be a register, since we don't have memory alignment yet. AVX can have performance issues for unaligned access. (cherry picked from commit 418704b) Bug: v8:9198,chromium:1106285 Change-Id: I7871814e10f3542193c8bfc544a0050b63975d96 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2304718 Reviewed-by: Bill Budge <[email protected]> Commit-Queue: Zhi An Ng <[email protected]> Cr-Commit-Position: refs/branch-heads/8.5@{v8#24} Cr-Branched-From: a7f8bc4-refs/heads/8.5.210@{#1} Cr-Branched-From: dd58472-refs/heads/master@{#68510}

TBR=v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com Change-Id: I6b821e5f113cc0096f955940d667c916f5bd6748 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1833644 Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/branch-heads/7.8@{v8#24} Cr-Branched-From: 73694fd-refs/heads/7.8.279@{#1} Cr-Branched-From: 2314928-refs/heads/master@{#63555}

TBR=v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com Change-Id: I6002ce1cc1d34f7d456722edd4c54658ee7d9a88 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1831189 Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/branch-heads/7.7@{v8#24} Cr-Branched-From: 4035531-refs/heads/7.7.299@{#1} Cr-Branched-From: 1320c91-refs/heads/master@{#62881}

TBR=v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com Change-Id: I0983f6fdac5af8da59606e78fc82e7fb47d9905e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1876518 Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/branch-heads/7.9@{v8#24} Cr-Branched-From: be181e2-refs/heads/7.9.317@{#1} Cr-Branched-From: 0d7889d-refs/heads/master@{#64307}

MSVC wants the static cast, even if the constant fits in the narrower type anyway. TBR=[email protected] (cherry picked from commit d69bfcf) Bug: v8:10075 No-Try: true No-Presubmit: true No-Tree-Checks: true Change-Id: Icebb2ca8df5a0e98e45f5d2262c047ac705157c5 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2002392 Reviewed-by: Clemens Backes <[email protected]> Commit-Queue: Clemens Backes <[email protected]> Cr-Commit-Position: refs/branch-heads/8.0@{v8#24} Cr-Branched-From: 69827db-refs/heads/8.0.426@{v8#2} Cr-Branched-From: 2fe1552-refs/heads/master@{#65318}

Revision: 66eaf9f BUG=chromium:923675 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true [email protected] Change-Id: I2d11b4c64340a8e7b6482845ecbedb066adc1796 Reviewed-on: https://chromium-review.googlesource.com/c/1475767 Reviewed-by: Sigurd Schneider <[email protected]> Commit-Queue: Georg Neis <[email protected]> Cr-Commit-Position: refs/branch-heads/7.3@{v8#24} Cr-Branched-From: 9df9418-refs/heads/7.3.492@{v8#2} Cr-Branched-From: be213cf-refs/heads/master@{#59024}

… frame. Revision: 2d11dda BUG=chromium:895799 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true [email protected] Change-Id: Ice830d0fca0cad7d8578b0204c788b192ae034c0 Reviewed-on: https://chromium-review.googlesource.com/c/1309639 Reviewed-by: Sigurd Schneider <[email protected]> Commit-Queue: Georg Neis <[email protected]> Cr-Commit-Position: refs/branch-heads/7.1@{v8#24} Cr-Branched-From: f70aaa8-refs/heads/7.1.302@{#1} Cr-Branched-From: 1dbcc78-refs/heads/master@{#56462}

The platform is allowed to remove the foreground task without ever executing it if the isolate is shutting down. This can happen immediately when spawning the task. This would leave a stale pointer to the deleted task in the engine, and can lead to UAF. Thus deregister the task also from the destructor. At that point, we do not need to report back any live code for that isolate. TBR=[email protected] (cherry picked from commit 3ea51d4) Bug: chromium:971293 No-Try: true No-Presubmit: true No-Tree-Checks: true Originally-reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1669694 Change-Id: Ie3e84e85121e951f6313903a126592403fec443f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1679497 Commit-Queue: Clemens Hammacher <[email protected]> Reviewed-by: Clemens Hammacher <[email protected]> Cr-Commit-Position: refs/branch-heads/7.6@{v8#24} Cr-Branched-From: 2cb2573-refs/heads/7.6.303@{#1} Cr-Branched-From: 201c509-refs/heads/master@{#61902}

Revision: 3ce92ce BUG=chromium:952682 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true [email protected] Change-Id: I42907c53d6d227c37af43408b341d675c84181e2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1598752 Reviewed-by: Benedikt Meurer <[email protected]> Commit-Queue: Jaroslav Sevcik <[email protected]> Cr-Commit-Position: refs/branch-heads/7.5@{v8#24} Cr-Branched-From: 35b9bf5-refs/heads/7.5.288@{#1} Cr-Branched-From: 912b391-refs/heads/master@{#60911}

Reland, this time with 8.3-compatible Torque formatting. (cherry picked from commit 85bc1b0) Bug: chromium:1086890 TBR: [email protected] No-Try: true No-Presubmit: true No-Tree-Checks: true Change-Id: Id6a918aecf344660de47ecf5d9f06c8fecf2cccf Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2238575 Reviewed-by: Tobias Tebbi <[email protected]> Commit-Queue: Tobias Tebbi <[email protected]> Cr-Commit-Position: refs/branch-heads/8.3@{v8#24} Cr-Branched-From: 1668abd-refs/heads/8.3.110@{#1} Cr-Branched-From: 04a7a68-refs/heads/master@{#66926}

It's possible for a one-byte string to wrap a two-byte string. For example: CONS_ONE_BYTE_STRING_TYPE wraps THIN_STRING_TYPE wraps EXTERNAL_INTERNALIZED_STRING_TYPE We thus have to validate the extracted instance type when relying on the string being one-byte. (cherry picked from commit 0e8c33a) Tbr: [email protected] No-Try: true No-Presubmit: true No-Treechecks: true Bug: chromium:1088179 Change-Id: Id0f996761a3ae2f1233e12c95e663e77d4a5ebf9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2226752 Reviewed-by: Leszek Swirski <[email protected]> Commit-Queue: Jakob Gruber <[email protected]> Cr-Original-Commit-Position: refs/heads/master@{#68124} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2237130 Reviewed-by: Jakob Gruber <[email protected]> Cr-Commit-Position: refs/branch-heads/8.4@{v8#24} Cr-Branched-From: 88ed2e3-refs/heads/8.4.371@{#1} Cr-Branched-From: 35f88bf-refs/heads/master@{#67773}

AST reindexing has to skip visiting fields that are already in the member initializer, as they will have already been visited when visiting said initializer. This is the case for private fields and fields with computed names. However, the reindexer was incorrectly assuming that all properties with a FunctionLiteral value are methods (and thus not fields, and can safely be visited). This is not the case for fields with function expression values. Now, we correctly use the class property's "kind" when making this visitation decision. (cherry picked from commit a769ea7) Bug: chromium:1132111 Tbr: [email protected] No-Try: true No-Presubmit: true No-Tree-Checks: true Change-Id: I33ac5664bb5334e964d351de1ba7e2c57f3398f8 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2465056 Commit-Queue: Adam Klein <[email protected]> Reviewed-by: Adam Klein <[email protected]> Cr-Commit-Position: refs/branch-heads/8.6@{v8#24} Cr-Branched-From: a64aed2-refs/heads/8.6.395@{#1} Cr-Branched-From: a626bc0-refs/heads/master@{#69472}

Revision: b837e03 BUG=chromium:1161357 NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true [email protected] Change-Id: Ic95dfd20d45d895934dee1592ebf427544eec73b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2616223 Reviewed-by: Mythri Alle <[email protected]> Commit-Queue: Georg Neis <[email protected]> Cr-Commit-Position: refs/branch-heads/8.8@{v8#24} Cr-Branched-From: 2dbcdc1-refs/heads/8.8.278@{#1} Cr-Branched-From: 366d30c-refs/heads/master@{#71094}

Revision: 3353a7d BUG=chromium:1182647 NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true [email protected] Change-Id: Ifd0770913875e97265fd90b016deee09fe40b1a3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2764747 Reviewed-by: Georg Neis <[email protected]> Commit-Queue: Georg Neis <[email protected]> Cr-Commit-Position: refs/branch-heads/9.0@{v8#24} Cr-Branched-From: bd0108b-refs/heads/9.0.257@{#1} Cr-Branched-From: 349bcc6-refs/heads/master@{#73001}

Revision: 9313c4c BUG=chromium:1199345 NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true [email protected] Change-Id: Ibfd303d48319f3996d85234514681068a8691497 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2839558 Reviewed-by: Nico Hartmann <[email protected]> Commit-Queue: Georg Neis <[email protected]> Cr-Commit-Position: refs/branch-heads/9.1@{v8#24} Cr-Branched-From: 0e4ac64-refs/heads/9.1.269@{#1} Cr-Branched-From: f565e72-refs/heads/master@{#73847}

Revision: 4a7eec5 BUG=chromium:786723,chromium:794394 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true [email protected] Change-Id: I3677b90514a710e6dcffe27a346de6ec895859f6 Reviewed-on: https://chromium-review.googlesource.com/847483 Reviewed-by: Jaroslav Sevcik <[email protected]> Commit-Queue: Jaroslav Sevcik <[email protected]> Cr-Commit-Position: refs/branch-heads/6.4@{v8#24} Cr-Branched-From: 0407506-refs/heads/6.4.388@{#1} Cr-Branched-From: a5fc4e0-refs/heads/master@{#49724}

(cherry picked from commit 970eb92) Bug: chromium:1455302 Change-Id: I9e90d7309f785f5a6672831a628394a155668bf8 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4614815 Reviewed-by: Liviu Rau <[email protected]> Auto-Submit: Michael Achenbach <[email protected]> Commit-Queue: Liviu Rau <[email protected]> Cr-Original-Commit-Position: refs/heads/main@{#88299} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4645249 Cr-Commit-Position: refs/branch-heads/11.5@{v8#24} Cr-Branched-From: 0c4044b-refs/heads/11.5.150@{#1} Cr-Branched-From: b71d303-refs/heads/main@{#87781}

The load into the result register could clobber the is_little_endian_input register. Bug: v8:7700 Fixed: chromium:1467057 (cherry picked from commit f0d3d4a) Change-Id: I66698e9353a0bb40be1ec0d5b2c131c8a1bcd12a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4707917 Reviewed-by: Victor Gomes <[email protected]> Commit-Queue: Leszek Swirski <[email protected]> Cr-Commit-Position: refs/branch-heads/11.6@{v8#24} Cr-Branched-From: e29c028-refs/heads/11.6.189@{v8#3} Cr-Branched-From: 95cbef2-refs/heads/main@{#88340}

A ReduceCall inside a DeoptFrameScope that has a lazy deopt continuation can try to reduce a builtin call inline. These builtin reductions can eager deopt, where the creation of the eager deopt will find the deopt frame scope and will pick up the lazy deopt continuation. This is not a problem for inlined functions since they'll have their own frame on top of the lazy deopt continuation. Fortunately these eager deopts will be before there are any side effects (because if there were side effects, we'd have to have an eager deopt continuation), so we can checkpoint the deopt state before the lazy deopt continuation is registered, and the eager deopts will grab that checkpoint. Also, add DCHECKs that the deopt continuation frame is valid for the deopt kind, to catch these issues if they show up again. Bug: v8:7700 Bug: chromium:1474312 (cherry picked from commit 4433873) Change-Id: If1a6ba1fee339904765dc9acd4c08fd16ff08129 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4827606 Reviewed-by: Olivier Flückiger <[email protected]> Auto-Submit: Leszek Swirski <[email protected]> Commit-Queue: Olivier Flückiger <[email protected]> Commit-Queue: Leszek Swirski <[email protected]> Cr-Commit-Position: refs/branch-heads/11.7@{v8#24} Cr-Branched-From: fe60869-refs/heads/11.7.439@{#1} Cr-Branched-From: aeb4552-refs/heads/main@{#89415}

Set a hard max inlining depth that also counts for small functions. Bug: chromium:1487583 (cherry picked from commit 9c6afe3) Change-Id: Ifc9fd9dd9fb96d50d6aa4e2dfe06a7b8cc1a5f26 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4915797 Reviewed-by: Toon Verwaest <[email protected]> Commit-Queue: Toon Verwaest <[email protected]> Auto-Submit: Olivier Flückiger <[email protected]> Cr-Commit-Position: refs/branch-heads/11.8@{v8#24} Cr-Branched-From: 935bdbf-refs/heads/11.8.172@{#1} Cr-Branched-From: b82a911-refs/heads/main@{#89779}

Change-Id: I4787e4d74fdbfbb9341c3917b6f1577532288a1b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5115360 Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/branch-heads/12.1@{v8#24} Cr-Branched-From: b74ef6f-refs/heads/12.1.285@{#1} Cr-Branched-From: 32857fb-refs/heads/main@{#91313}

…ne() type This is a follow-up to commit 949bbdf. It repeats the same fix for struct.set that was done for struct.get. I also added a comment that explains how we can potentially end up in that situation. We also have already precedent for checking for kDeadValue in commit 9ece4a1 and commit c0cd50f among others. As a more long-term solution we should probably adapt all checks for kDead in these reducers (WasmLoadElimination and WasmGCOperatorReducer to always also check for kDeadValue. (cherry picked from commit 2de2470) Bug: chromium:1507106 Change-Id: I4e12247aaff654e6962d82710b70c3ac8e13c170 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5131009 Reviewed-by: Andreas Haas <[email protected]> Commit-Queue: Eva Herencsárová <[email protected]> Cr-Commit-Position: refs/branch-heads/12.0@{v8#24} Cr-Branched-From: ed7b4ca-refs/heads/12.0.267@{#1} Cr-Branched-From: 210e75b-refs/heads/main@{#90651}

We're pkey-tagging the trusted thread isolation data to make sure it can't be overwritten by an attacker. This can lead to problems if there's a thread that doesn't have read access to the pkey. What we really want is to make the mapping read-only and to seal it, which we can use the mseal syscall for in the future. Bug: v8:13355, chromium:1521358, chromium:1522236 (cherry picked from commit 23889e3) Change-Id: Ie1d8868228005e85d4c020be7f9c3d8208b7176c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5272329 Auto-Submit: Stephen Röttger <[email protected]> Commit-Queue: Samuel Groß <[email protected]> Reviewed-by: Samuel Groß <[email protected]> Cr-Commit-Position: refs/branch-heads/12.2@{#24} Cr-Branched-From: 6eb5a96-refs/heads/12.2.281@{#1} Cr-Branched-From: 44cf56d-refs/heads/main@{#91934}

Bug: chromium:330575498, chromium:330589218 (cherry picked from commit 7058e46) Change-Id: Ied4fe91284b78b0ae827b6400c713c667d9f685c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5385329 Commit-Queue: Matthias Liedtke <[email protected]> Reviewed-by: Matthias Liedtke <[email protected]> Auto-Submit: Nico Hartmann <[email protected]> Cr-Commit-Position: refs/branch-heads/12.3@{#24} Cr-Branched-From: a86e197-refs/heads/12.3.219@{#1} Cr-Branched-From: 21869f7-refs/heads/main@{#92385}

After https://crrev.com/c/3859787 those frames would be printed like standard Wasm frames, but in the place of the WasmInstanceObject, they have a WasmApiFunctionRef object instead. So special-case the {WasmToJsFrame::instance()} to load the instance properly. Also special-case the {position()} accessor for imported functions. [email protected] (cherry picked from commit e17eee4) Bug: chromium:1402270 Change-Id: I0a287afbf14dd64edb859c6407ce7c0a3d159023 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4204087 Reviewed-by: Darius Mercadier <[email protected]> Reviewed-by: Victor Gomes <[email protected]> Commit-Queue: Clemens Backes <[email protected]> Reviewed-by: Maya Lekova <[email protected]> Cr-Commit-Position: refs/branch-heads/11.0@{v8#24} Cr-Branched-From: 06097c6-refs/heads/11.0.226@{#1} Cr-Branched-From: 6bf3344-refs/heads/main@{#84857}

Due to the ArrayBuffer possibly being modified in the script, the serialized value type can be changed to 'h' which means a half-precision floating point. Since float16 is an experimental feature and should not be exposed without a flag, on reading the array buffer, Split the code path float16 or not and add a conditional statement that checks the float16 enabled. Bug: 330922408 (cherry picked from commit dce58c6) Change-Id: I00cf4d55e22520b66faedc298c8b615cbe0c09cd Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5449136 Commit-Queue: Seokho Song <[email protected]> Reviewed-by: Darius Mercadier <[email protected]> Reviewed-by: Camillo Bruni <[email protected]> Cr-Commit-Position: refs/branch-heads/12.4@{#24} Cr-Branched-From: 309640d-refs/heads/12.4.254@{#1} Cr-Branched-From: 5dc2470-refs/heads/main@{#92862}

…blocks Class static blocks contain statements, don't inherit the ExpressionScope stack. (cherry picked from commit 3e037e1) Bug: 341663589 Change-Id: Ifc8f921be8e485e290fe1d5c4ec2cf5ae3c467e5 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5558537 Owners-Override: Adam Klein <[email protected]> Bot-Commit: Rubber Stamper <[email protected]> Commit-Queue: Adam Klein <[email protected]> Reviewed-by: Shu-yu Guo <[email protected]> Cr-Commit-Position: refs/branch-heads/12.5@{#24} Cr-Branched-From: 15b9756-refs/heads/12.5.227@{#1} Cr-Branched-From: 497d857-refs/heads/main@{#93350}

... because we might update to a dictionary map. Instead, DCHECK that the map isn't deprecated, and fix callers to first update the map. (cherry picked from commit cbd847c) Bug: 342456991 Change-Id: If6cbcac18201a36716c649d85358b57707b21332 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5615934 Auto-Submit: Adam Klein <[email protected]> Bot-Commit: Rubber Stamper <[email protected]> Commit-Queue: Rubber Stamper <[email protected]> Cr-Commit-Position: refs/branch-heads/12.6@{#24} Cr-Branched-From: 3c9fa12-refs/heads/12.6.228@{#2} Cr-Branched-From: 981bb15-refs/heads/main@{#93835}

Given we have a phi (29) assumed to be smi at graph building time, we must not untag it's input phis (10,12) to float64. ╭─────►Block b2 │ 10: φᵀ r0 (n4, n29) (compressed) → (x), 3 uses │ 12: φᵀ r2 (n6, n39) (compressed) → (x), 6 uses ... │ 13: CheckedSmiUntag [n10:(x)] → (x), 2 uses │ 14: CheckedSmiUntag [n12:(x)] → (x), 1 uses ... │╭──────17: BranchIfToBooleanTrue [n16:(x)] b3 b9 ... ││ │ 29: φᵀ <accumulator> (n10, n12) (compressed) → (x), 4 uses ... ││ │ 33: UnsafeSmiUntag [n29:(x)] → (x), 1 uses Doing so could invalidate the `UnsafeSmiUntag` instruction. This can only happen when hoisting the untagging out of the loop, as this will remove the original `CheckedSmiUntag` instruction. Fixed: 348567825 (cherry picked from commit bb28367) Change-Id: I4e9f435b916c420f95f3d79415734d527bce89d1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5692021 Auto-Submit: Olivier Flückiger <[email protected]> Reviewed-by: Darius Mercadier <[email protected]> Commit-Queue: Darius Mercadier <[email protected]> Cr-Commit-Position: refs/branch-heads/12.7@{#24} Cr-Branched-From: 35cc908-refs/heads/12.7.224@{#1} Cr-Branched-From: 6d60e67-refs/heads/main@{#94324}

- Also reuse the scope_info of the function itself. It might be in RO_SPACE in case the script is in the snapshot, and it would be a shame to recreate it. - Make sure we don't drop (or forget to pick up) scope infos for newly compiled sfis that already existed in the script - Make sure to reattach scope info chains wherever an outer scope info exists first. Due to code caches with spotty coverage we might see unexpected SFI/scope info combinations. This also adds a flag to run verification on scope info reuse after merging. Bug: 352673356 (cherry picked from commit 67dd629) Change-Id: I79d4b24b248720a2f0f5fd7c0df3975282459f2c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5785868 Reviewed-by: Shu-yu Guo <[email protected]> Commit-Queue: Deepti Gandluri <[email protected]> Cr-Commit-Position: refs/branch-heads/12.8@{#24} Cr-Branched-From: 70cbb39-refs/heads/12.8.374@{#1} Cr-Branched-From: 451b63e-refs/heads/main@{#95151}

This reverts commit bedbc5a. Reason for revert: Crashes on 128 branch Original change's description: > Merged: [compiler] Multiple fixes for reuse_scope_infos > > - Also reuse the scope_info of the function itself. It might be in > RO_SPACE in case the script is in the snapshot, and it would be a > shame to recreate it. > - Make sure we don't drop (or forget to pick up) scope infos for newly > compiled sfis that already existed in the script > - Make sure to reattach scope info chains wherever an outer scope info > exists first. Due to code caches with spotty coverage we might see > unexpected SFI/scope info combinations. > > This also adds a flag to run verification on scope info reuse after > merging. > > Bug: 352673356 > > (cherry picked from commit 67dd629) > > Change-Id: I79d4b24b248720a2f0f5fd7c0df3975282459f2c > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5785868 > Reviewed-by: Shu-yu Guo <[email protected]> > Commit-Queue: Deepti Gandluri <[email protected]> > Cr-Commit-Position: refs/branch-heads/12.8@{#24} > Cr-Branched-From: 70cbb39-refs/heads/12.8.374@{#1} > Cr-Branched-From: 451b63e-refs/heads/main@{#95151} Bug: 352673356 Change-Id: I69243a44727dbde5c0e7cfe9591fb77e53b8b46b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5797858 Auto-Submit: Deepti Gandluri <[email protected]> Bot-Commit: Rubber Stamper <[email protected]> Commit-Queue: Rubber Stamper <[email protected]> Cr-Commit-Position: refs/branch-heads/12.8@{#40} Cr-Branched-From: 70cbb39-refs/heads/12.8.374@{#1} Cr-Branched-From: 451b63e-refs/heads/main@{#95151}

Change-Id: Id09d005818f66a7b53cf7599f390ff2260177125 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5836781 Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/branch-heads/12.9@{#24} Cr-Branched-From: 64a21d7-refs/heads/12.9.202@{#1} Cr-Branched-From: da4200b-refs/heads/main@{#95679}

Change-Id: I945b85644f2eb8d24dfc375d89e6982a417ba2e5 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5890997 Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/branch-heads/13.0@{#24} Cr-Branched-From: 4be854b-refs/heads/13.0.245@{#1} Cr-Branched-From: 1f5183f-refs/heads/main@{#96103}

Those relative types were leaking from the type canonicalizer, which leads to type confusion in callers. This CL fully removes the concept of relative type indexes (and thus removes the `CanonicalRelativeField` bit from the bitfield in `ValueTypeBase`). During canonicalization we pass the start and end of the recursion group into hashing and equality checking, and use this to compute relative indexes within the recursion group on demand. The stored version will always have absolute indexes though. [email protected] Bug: 379009132 (cherry picked from commit 20d9a7f) Change-Id: I8f89186bdd826febbaa57711e6ce4bb29c82e879 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6049646 Reviewed-by: Jakob Kummerow <[email protected]> Commit-Queue: Clemens Backes <[email protected]> Cr-Commit-Position: refs/branch-heads/13.1@{#24} Cr-Branched-From: 7998da6-refs/heads/13.1.201@{#1} Cr-Branched-From: 5e9af2a-refs/heads/main@{#96554}

…ValueKind (cherry picked from commit a7ea17f) Bug: chromium:380308813 Change-Id: I85723125bea358cb90ac45b5d908bb4b0514835c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6054600 Auto-Submit: Matthias Liedtke <[email protected]> Commit-Queue: Jakob Kummerow <[email protected]> Reviewed-by: Jakob Kummerow <[email protected]> Cr-Commit-Position: refs/branch-heads/13.2@{#24} Cr-Branched-From: 24068c5-refs/heads/13.2.152@{#1} Cr-Branched-From: 6054ba9-refs/heads/main@{#97085}

Bug: 390160291 Fixed: 390609213 (cherry picked from commit 0e5b436) Change-Id: I6dd8014bba68a9fd39de1a1e93cb8627a1ed2ced Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6179804 Commit-Queue: Igor Sheludko <[email protected]> Reviewed-by: Toon Verwaest <[email protected]> Cr-Commit-Position: refs/branch-heads/13.3@{#24} Cr-Branched-From: 41dacff-refs/heads/13.3.415@{#1} Cr-Branched-From: 3348638-refs/heads/main@{#97937}

Version incremented at https://cr-buildbucket.appspot.com/build/8722291284581131153 Change-Id: I7c21aa748f231fb30ff98e90c0d236ab912e6ba9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6292844 Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/branch-heads/13.4@{#24} Cr-Branched-From: 0f87a54-refs/heads/13.4.114@{#1} Cr-Branched-From: 27af2e9-refs/heads/main@{#98459}

... when a known type range contains only positive values. Bug: 420637585 (cherry picked from commit 45eb42c) Change-Id: I4cdf97e4c00b7436f8c71da60ee4e4ef13508e02 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6604641 Reviewed-by: Rezvan Mahdavi Hezaveh <[email protected]> Auto-Submit: Shu-yu Guo <[email protected]> Commit-Queue: Shu-yu Guo <[email protected]> Commit-Queue: Rezvan Mahdavi Hezaveh <[email protected]> Cr-Commit-Position: refs/branch-heads/13.6@{#24} Cr-Branched-From: 04fa9cb-refs/heads/13.6.233@{#1} Cr-Branched-From: f6be482-refs/heads/main@{#99571}

(cherry picked from commit a8c92dd) Bug: 414724525 Change-Id: I6323a40d7b1756593284e6164771f9842a61a394 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6606959 Reviewed-by: Liviu Rau <[email protected]> Commit-Queue: Michael Achenbach <[email protected]> Cr-Original-Commit-Position: refs/heads/main@{#100584} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6607240 Commit-Queue: Liviu Rau <[email protected]> Auto-Submit: Michael Achenbach <[email protected]> Cr-Commit-Position: refs/branch-heads/13.7@{#24} Cr-Branched-From: dd5370d-refs/heads/13.7.152@{#1} Cr-Branched-From: fa9b753-refs/heads/main@{#99927}

The signature hash allows for i64/i32 collisions. To compensate for that we already did zero-extend all parameters in the Liftoff prologue. This does the same for returned values, which have the same problem. [email protected] Bug: 421403261 (cherry picked from commit df38747) Change-Id: Ic0463a7f107331a86ca67fca75e75d4a9f8a8ce2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6632488 Auto-Submit: Clemens Backes <[email protected]> Reviewed-by: Jakob Kummerow <[email protected]> Commit-Queue: Jakob Kummerow <[email protected]> Cr-Commit-Position: refs/branch-heads/13.8@{#24} Cr-Branched-From: 61ddd47-refs/heads/13.8.258@{#1} Cr-Branched-From: fdb5de2-refs/heads/main@{#100480}

Bug: 430572435 (cherry picked from commit f22ca7b) Change-Id: I8b40910da72d695822250c3d832e931ea49f53d3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6771727 Auto-Submit: Toon Verwaest <[email protected]> Reviewed-by: Olivier Flückiger <[email protected]> Commit-Queue: Olivier Flückiger <[email protected]> Commit-Queue: Toon Verwaest <[email protected]> Cr-Commit-Position: refs/branch-heads/13.9@{#24} Cr-Branched-From: 76ea409-refs/heads/13.9.205@{#1} Cr-Branched-From: 2824212-refs/heads/main@{#100941}

Version incremented at https://cr-buildbucket.appspot.com/build/8700414946798185777 Change-Id: Ib7398d37f654ff12738ed0a4f04a50fb067ec0d6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7063914 Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/branch-heads/14.1@{#24} Cr-Branched-From: 1f4839b-refs/heads/14.1.146@{#1} Cr-Branched-From: cd6944c-refs/heads/main@{#102149}

Version incremented at https://cr-buildbucket.appspot.com/build/8700413248767608465 Change-Id: Idcc418d935fcaeb381a7d68fc30fbfa521d28b38 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7063018 Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/branch-heads/14.2@{#24} Cr-Branched-From: 37f82db-refs/heads/14.2.231@{#1} Cr-Branched-From: d1a6089-refs/heads/main@{#102804}

Bug: 460166688 (cherry picked from commit 8245592) Change-Id: I87fdb013d8e3aa12f256d1aca15b44a101ddea2b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7157258 Reviewed-by: Toon Verwaest <[email protected]> Commit-Queue: Toon Verwaest <[email protected]> Auto-Submit: Leszek Swirski <[email protected]> Cr-Commit-Position: refs/branch-heads/14.3@{#24} Cr-Branched-From: 13c7e31-refs/heads/14.3.127@{#1} Cr-Branched-From: 01af089-refs/heads/main@{#103352}

(cherry picked from commit 3ab87be) Change-Id: Id2647a2710fa9aafa6a2c97063b24756e4e41530 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7234874 Commit-Queue: Liu Yu <[email protected]> Reviewed-by: Toon Verwaest <[email protected]> Cr-Original-Commit-Position: refs/heads/main@{#104219} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7264345 Reviewed-by: Darius Mercadier <[email protected]> Reviewed-by: Lutz Vahl <[email protected]> Commit-Queue: Lutz Vahl <[email protected]> Auto-Submit: Lutz Vahl <[email protected]> Owners-Override: Lutz Vahl <[email protected]> Cr-Commit-Position: refs/branch-heads/14.4@{#24} Cr-Branched-From: 80acc26-refs/heads/14.4.258@{#1} Cr-Branched-From: ce7e597-refs/heads/main@{#104020}

v8-5338: Proposed fix to V8 issue 5338 (authored by kentonv)

c816c87

v8-5338: Updated to reflect latest changes by @kentonv

2fdaa42

KoenLav mentioned this pull request Apr 16, 2018

100% CPU caused by thread spike (in Fibers, Meteor) nodejs/node#20083

Closed

KoenLav closed this Apr 17, 2018

dumganhar pushed a commit to dumganhar/v8_fork that referenced this pull request Jun 5, 2018

Version 6.0.286.12

ae62ea8

Cr-Commit-Position: refs/branch-heads/6.0@{v8#24} Cr-Branched-From: 97dbf62-refs/heads/6.0.286@{#1} Cr-Branched-From: 12e6f1c-refs/heads/master@{#45439}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

v8-5338: Proposed fix to V8 issue 5338 (authored by kentonv) #24

v8-5338: Proposed fix to V8 issue 5338 (authored by kentonv) #24

Uh oh!

KoenLav commented Apr 16, 2018

Uh oh!

kentonv commented Apr 16, 2018

Uh oh!

KoenLav commented Apr 16, 2018

Uh oh!

devsnek commented Apr 16, 2018 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

v8-5338: Proposed fix to V8 issue 5338 (authored by kentonv) #24

v8-5338: Proposed fix to V8 issue 5338 (authored by kentonv) #24

Uh oh!

Conversation

KoenLav commented Apr 16, 2018

Uh oh!

kentonv commented Apr 16, 2018

Uh oh!

KoenLav commented Apr 16, 2018

Uh oh!

devsnek commented Apr 16, 2018 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

devsnek commented Apr 16, 2018 •

edited

Loading