diff --git a/deps/v8/BUILD.gn b/deps/v8/BUILD.gn index 17759e1fbd233b..4d3fcd96488517 100644 --- a/deps/v8/BUILD.gn +++ b/deps/v8/BUILD.gn @@ -827,7 +827,6 @@ action("v8_dump_build_config") { is_gcov_coverage = v8_code_coverage && !is_clang args = [ rebase_path("$root_out_dir/v8_build_config.json", root_build_dir), - "current_cpu=\"$current_cpu\"", "dcheck_always_on=$dcheck_always_on", "is_asan=$is_asan", "is_cfi=$is_cfi", @@ -838,7 +837,6 @@ action("v8_dump_build_config") { "is_tsan=$is_tsan", "is_ubsan_vptr=$is_ubsan_vptr", "target_cpu=\"$target_cpu\"", - "v8_current_cpu=\"$v8_current_cpu\"", "v8_enable_i18n_support=$v8_enable_i18n_support", "v8_target_cpu=\"$v8_target_cpu\"", "v8_use_snapshot=$v8_use_snapshot", diff --git a/deps/v8/DEPS b/deps/v8/DEPS index ee8526106aad70..4b64895ced3a6e 100644 --- a/deps/v8/DEPS +++ b/deps/v8/DEPS @@ -12,7 +12,7 @@ deps = { "v8/tools/gyp": Var("chromium_url") + "/external/gyp.git" + "@" + "d61a9397e668fa9843c4aa7da9e79460fe590bfb", "v8/third_party/icu": - Var("chromium_url") + "/chromium/deps/icu.git" + "@" + "08cb956852a5ccdba7f9c941728bb833529ba3c6", + Var("chromium_url") + "/chromium/deps/icu.git" + "@" + "21d33b1a09a77f033478ea4ffffb61e6970f83bd", "v8/third_party/instrumented_libraries": Var("chromium_url") + "/chromium/src/third_party/instrumented_libraries.git" + "@" + "644afd349826cb68204226a16c38bde13abe9c3c", "v8/buildtools": diff --git a/deps/v8/Makefile b/deps/v8/Makefile index eb146ac24472af..167ebf8c082015 100644 --- a/deps/v8/Makefile +++ b/deps/v8/Makefile 
@@ -338,32 +338,32 @@ $(ANDROID_BUILDS): $(GYPFILES) $(ENVFILE) Makefile.android # Test targets. check: all - @tools/run-tests.py $(TESTJOBS) --outdir=$(OUTDIR) \ + @gypfiles/run-tests-legacy.py $(TESTJOBS) --outdir=$(OUTDIR) \ --arch=$(shell echo $(DEFAULT_ARCHES) | sed -e 's/ /,/g') \ $(TESTFLAGS) $(addsuffix .check,$(MODES)): $$(basename $$@) - @tools/run-tests.py $(TESTJOBS) --outdir=$(OUTDIR) \ + @gypfiles/run-tests-legacy.py $(TESTJOBS) --outdir=$(OUTDIR) \ --mode=$(basename $@) $(TESTFLAGS) $(addsuffix .check,$(ARCHES)): $$(basename $$@) - @tools/run-tests.py $(TESTJOBS) --outdir=$(OUTDIR) \ + @gypfiles/run-tests-legacy.py $(TESTJOBS) --outdir=$(OUTDIR) \ --arch=$(basename $@) $(TESTFLAGS) $(CHECKS): $$(basename $$@) - @tools/run-tests.py $(TESTJOBS) --outdir=$(OUTDIR) \ + @gypfiles/run-tests-legacy.py $(TESTJOBS) --outdir=$(OUTDIR) \ --arch-and-mode=$(basename $@) $(TESTFLAGS) $(addsuffix .quickcheck,$(MODES)): $$(basename $$@) - @tools/run-tests.py $(TESTJOBS) --outdir=$(OUTDIR) \ + @gypfiles/run-tests-legacy.py $(TESTJOBS) --outdir=$(OUTDIR) \ --mode=$(basename $@) $(TESTFLAGS) --quickcheck $(addsuffix .quickcheck,$(ARCHES)): $$(basename $$@) - @tools/run-tests.py $(TESTJOBS) --outdir=$(OUTDIR) \ + @gypfiles/run-tests-legacy.py $(TESTJOBS) --outdir=$(OUTDIR) \ --arch=$(basename $@) $(TESTFLAGS) --quickcheck $(QUICKCHECKS): $$(basename $$@) - @tools/run-tests.py $(TESTJOBS) --outdir=$(OUTDIR) \ + @gypfiles/run-tests-legacy.py $(TESTJOBS) --outdir=$(OUTDIR) \ --arch-and-mode=$(basename $@) $(TESTFLAGS) --quickcheck $(addsuffix .sync, $(ANDROID_BUILDS)): $$(basename $$@) @@ -371,7 +371,7 @@ $(addsuffix .sync, $(ANDROID_BUILDS)): $$(basename $$@) $(shell pwd) $(ANDROID_V8) $(addsuffix .check, $(ANDROID_BUILDS)): $$(basename $$@).sync - @tools/run-tests.py $(TESTJOBS) --outdir=$(OUTDIR) \ + @gypfiles/run-tests-legacy.py $(TESTJOBS) --outdir=$(OUTDIR) \ --arch-and-mode=$(basename $@) \ --timeout=600 \ --command-prefix="tools/android-run.py" $(TESTFLAGS) 
@@ -380,7 +380,7 @@ $(addsuffix .check, $(ANDROID_ARCHES)): \ $(addprefix $$(basename $$@).,$(MODES)).check native.check: native - @tools/run-tests.py $(TESTJOBS) --outdir=$(OUTDIR)/native \ + @gypfiles/run-tests-legacy.py $(TESTJOBS) --outdir=$(OUTDIR)/native \ --arch-and-mode=. $(TESTFLAGS) SUPERFASTTESTMODES = ia32.release @@ -391,18 +391,18 @@ COMMA = , EMPTY = SPACE = $(EMPTY) $(EMPTY) quickcheck: $(subst $(COMMA),$(SPACE),$(FASTCOMPILEMODES)) - tools/run-tests.py $(TESTJOBS) --outdir=$(OUTDIR) \ + gypfiles/run-tests-legacy.py $(TESTJOBS) --outdir=$(OUTDIR) \ --arch-and-mode=$(SUPERFASTTESTMODES) $(TESTFLAGS) --quickcheck \ --download-data mozilla webkit - tools/run-tests.py $(TESTJOBS) --outdir=$(OUTDIR) \ + gypfiles/run-tests-legacy.py $(TESTJOBS) --outdir=$(OUTDIR) \ --arch-and-mode=$(FASTTESTMODES) $(TESTFLAGS) --quickcheck qc: quickcheck turbocheck: $(subst $(COMMA),$(SPACE),$(FASTCOMPILEMODES)) - tools/run-tests.py $(TESTJOBS) --outdir=$(OUTDIR) \ + gypfiles/run-tests-legacy.py $(TESTJOBS) --outdir=$(OUTDIR) \ --arch-and-mode=$(SUPERFASTTESTMODES) $(TESTFLAGS) \ --quickcheck --variants=turbofan --download-data mozilla webkit - tools/run-tests.py $(TESTJOBS) --outdir=$(OUTDIR) \ + gypfiles/run-tests-legacy.py $(TESTJOBS) --outdir=$(OUTDIR) \ --arch-and-mode=$(FASTTESTMODES) $(TESTFLAGS) \ --quickcheck --variants=turbofan tc: turbocheck diff --git a/deps/v8/gni/isolate.gni b/deps/v8/gni/isolate.gni index 82dc8cf3fbc005..f5453e560653e6 100644 --- a/deps/v8/gni/isolate.gni +++ b/deps/v8/gni/isolate.gni @@ -156,8 +156,6 @@ template("v8_isolate_run") { "--config-variable", "icu_use_data_file_flag=$icu_use_data_file_flag", "--config-variable", - "is_gn=1", - "--config-variable", "msan=$msan", "--config-variable", "tsan=$tsan", diff --git a/deps/v8/gypfiles/isolate.gypi b/deps/v8/gypfiles/isolate.gypi index 11b05705307625..149818c8d0636f 100644 --- a/deps/v8/gypfiles/isolate.gypi +++ b/deps/v8/gypfiles/isolate.gypi 
@@ -74,7 +74,6 @@
 '--config-variable', 'gcmole=<(gcmole)',
 '--config-variable', 'has_valgrind=<(has_valgrind)',
 '--config-variable', 'icu_use_data_file_flag=<(icu_use_data_file_flag)',
- '--config-variable', 'is_gn=0',
 '--config-variable', 'msan=<(msan)',
 '--config-variable', 'tsan=<(tsan)',
 '--config-variable', 'coverage=<(coverage)',
diff --git a/deps/v8/gypfiles/run-tests-legacy.py b/deps/v8/gypfiles/run-tests-legacy.py
new file mode 100755
index 00000000000000..f1ea478c62d62e
--- /dev/null
+++ b/deps/v8/gypfiles/run-tests-legacy.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+# Copyright 2017 the V8 project authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+"""
+Legacy test-runner wrapper supporting a product of multiple architectures and
+modes.
+"""
+
+import argparse
+import itertools
+from os.path import abspath, dirname, join
+import subprocess
+import sys
+
+BASE_DIR = dirname(dirname(abspath(__file__)))
+RUN_TESTS = join(BASE_DIR, 'tools', 'run-tests.py')
+
+def main():
+ parser = argparse.ArgumentParser(description='Legacy test-runner wrapper')
+ parser.add_argument(
+ '--arch', help='Comma-separated architectures to run tests on')
+ parser.add_argument(
+ '--mode', help='Comma-separated modes to run tests on')
+ parser.add_argument(
+ '--arch-and-mode',
+ help='Architecture and mode in the format \'arch.mode\'',
+ )
+
+ args, remaining_args = parser.parse_known_args(sys.argv)
+ if (args.arch or args.mode) and args.arch_and_mode:
+ parser.error('The flags --arch-and-mode and --arch/--mode are exclusive.')
+ arch = (args.arch or 'ia32,x64,arm').split(',')
+ mode = (args.mode or 'release,debug').split(',')
+ if args.arch_and_mode:
+ arch_and_mode = map(
+ lambda am: am.split('.'),
+ args.arch_and_mode.split(','))
+ arch = map(lambda am: am[0], arch_and_mode)
+ mode = map(lambda am: am[1], arch_and_mode)
+
+ ret_code = 0
+ for a, m in itertools.product(arch, mode):
+ ret_code |= subprocess.check_call(
+ [RUN_TESTS] + remaining_args[1:] + ['--arch', a, '--mode', m])
+ return ret_code
+
+if __name__ == '__main__':
+ sys.exit(main())
diff --git a/deps/v8/gypfiles/toolchain.gypi b/deps/v8/gypfiles/toolchain.gypi
index 5733d2d54ca130..80844cecc671ef 100644
--- a/deps/v8/gypfiles/toolchain.gypi
+++ b/deps/v8/gypfiles/toolchain.gypi
@@ -32,6 +32,7 @@
 'msvs_use_common_release': 0,
 'clang%': 0,
 'asan%': 0,
+ 'cfi_vptr%': 0,
 'lsan%': 0,
 'msan%': 0,
 'tsan%': 0,
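Review bot: In the final loop of `main()` in run-tests-legacy.py, `subprocess.check_call` raises `CalledProcessError` on the first non-zero exit, so `ret_code |= ...` can only ever accumulate 0 and the remaining arch/mode combinations are skipped after one failure; `ret_code |= subprocess.call([RUN_TESTS] + remaining_args[1:] + ['--arch', a, '--mode', m])` matches the apparent intent. In the `--arch-and-mode` branch both `map` calls read the same `arch_and_mode` object, which is only correct where `map` returns a list, and an entry without a `.` fails with `IndexError` at `am[1]` instead of going through `parser.error`. `itertools.product` also expands `a.x,b.y` into four runs rather than the two pairs given, which deserves a line in the module docstring if it is intended.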
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h index bcd166b03e7153..0e3fa434a4c608 100644 --- a/deps/v8/include/v8-version.h +++ b/deps/v8/include/v8-version.h @@ -11,7 +11,7 @@ #define V8_MAJOR_VERSION 6 #define V8_MINOR_VERSION 2 #define V8_BUILD_NUMBER 414 -#define V8_PATCH_LEVEL 32 +#define V8_PATCH_LEVEL 44 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff --git a/deps/v8/src/asmjs/asm-js.cc b/deps/v8/src/asmjs/asm-js.cc index ef4e9a287ec4d9..2017bf6f3e1b81 100644 --- a/deps/v8/src/asmjs/asm-js.cc +++ b/deps/v8/src/asmjs/asm-js.cc @@ -357,6 +357,7 @@ MaybeHandle AsmJs::InstantiateAsmWasm(Isolate* isolate, ReportInstantiationFailure(script, position, "Requires heap buffer"); return MaybeHandle(); } + memory->set_is_growable(false); size_t size = NumberToSize(memory->byte_length()); // TODO(mstarzinger): We currently only limit byte length of the buffer to // be a multiple of 8, we should enforce the stricter spec limits here. diff --git a/deps/v8/src/builtins/builtins-proxy-gen.cc b/deps/v8/src/builtins/builtins-proxy-gen.cc index 745c2cce3e29e9..d6f5697b38f1b7 100644 --- a/deps/v8/src/builtins/builtins-proxy-gen.cc +++ b/deps/v8/src/builtins/builtins-proxy-gen.cc @@ -339,7 +339,7 @@ void ProxiesCodeStubAssembler::CheckHasTrapResult(Node* context, Node* target, Node* instance_type = LoadInstanceType(target); TryGetOwnProperty(context, target, target, target_map, instance_type, name, &if_found_value, &var_value, &var_details, &var_raw_value, - check_passed, if_bailout); + check_passed, if_bailout, kReturnAccessorPair); // 9.b. If targetDesc is not undefined, then (see 9.b.i. below). BIND(&if_found_value); diff --git a/deps/v8/src/builtins/builtins-proxy-helpers-gen.cc b/deps/v8/src/builtins/builtins-proxy-helpers-gen.cc index ca2e9bb6d7bdac..06345d44f40fb4 100644 --- a/deps/v8/src/builtins/builtins-proxy-helpers-gen.cc +++ b/deps/v8/src/builtins/builtins-proxy-helpers-gen.cc 
@@ -95,7 +95,7 @@ void ProxyAssembler::CheckGetTrapResult(Node* context, Node* target, Node* instance_type = LoadInstanceType(target); TryGetOwnProperty(context, proxy, target, map, instance_type, name, &if_found_value, &var_value, &var_details, &var_raw_value, - check_passed, if_bailout); + check_passed, if_bailout, kReturnAccessorPair); BIND(&if_found_value); { diff --git a/deps/v8/src/builtins/builtins-string-gen.cc b/deps/v8/src/builtins/builtins-string-gen.cc index 90e4d3f542ddf1..2f8d2f583593c8 100644 --- a/deps/v8/src/builtins/builtins-string-gen.cc +++ b/deps/v8/src/builtins/builtins-string-gen.cc @@ -1051,9 +1051,9 @@ void StringBuiltinsAssembler::RequireObjectCoercible(Node* const context, } void StringBuiltinsAssembler::MaybeCallFunctionAtSymbol( - Node* const context, Node* const object, Handle symbol, - const NodeFunction0& regexp_call, const NodeFunction1& generic_call, - CodeStubArguments* args) { + Node* const context, Node* const object, Node* const maybe_string, + Handle symbol, const NodeFunction0& regexp_call, + const NodeFunction1& generic_call, CodeStubArguments* args) { Label out(this); // Smis definitely don't have an attached symbol. @@ -1083,14 +1083,21 @@ void StringBuiltinsAssembler::MaybeCallFunctionAtSymbol( } // Take the fast path for RegExps. + // There's two conditions: {object} needs to be a fast regexp, and + // {maybe_string} must be a string (we can't call ToString on the fast path + // since it may mutate {object}). { Label stub_call(this), slow_lookup(this); + GotoIf(TaggedIsSmi(maybe_string), &slow_lookup); + GotoIfNot(IsString(maybe_string), &slow_lookup); + RegExpBuiltinsAssembler regexp_asm(state()); regexp_asm.BranchIfFastRegExp(context, object, object_map, &stub_call, &slow_lookup); BIND(&stub_call); + // TODO(jgruber): Add a no-JS scope once it exists. Node* const result = regexp_call(); if (args == nullptr) { Return(result); 
@@ -1196,12 +1203,10 @@ TF_BUILTIN(StringPrototypeReplace, StringBuiltinsAssembler) { // Redirect to replacer method if {search[@@replace]} is not undefined. MaybeCallFunctionAtSymbol( - context, search, isolate()->factory()->replace_symbol(), + context, search, receiver, isolate()->factory()->replace_symbol(), [=]() { - Node* const subject_string = ToString_Inline(context, receiver); - - return CallBuiltin(Builtins::kRegExpReplace, context, search, - subject_string, replace); + return CallBuiltin(Builtins::kRegExpReplace, context, search, receiver, + replace); }, [=](Node* fn) { Callable call_callable = CodeFactory::Call(isolate()); @@ -1439,12 +1444,10 @@ TF_BUILTIN(StringPrototypeSplit, StringBuiltinsAssembler) { // Redirect to splitter method if {separator[@@split]} is not undefined. MaybeCallFunctionAtSymbol( - context, separator, isolate()->factory()->split_symbol(), + context, separator, receiver, isolate()->factory()->split_symbol(), [=]() { - Node* const subject_string = ToString_Inline(context, receiver); - - return CallBuiltin(Builtins::kRegExpSplit, context, separator, - subject_string, limit); + return CallBuiltin(Builtins::kRegExpSplit, context, separator, receiver, + limit); }, [=](Node* fn) { Callable call_callable = CodeFactory::Call(isolate()); diff --git a/deps/v8/src/builtins/builtins-string-gen.h b/deps/v8/src/builtins/builtins-string-gen.h index 851fab6181932d..5c0b6f0eaa4091 100644 --- a/deps/v8/src/builtins/builtins-string-gen.h +++ b/deps/v8/src/builtins/builtins-string-gen.h @@ -82,9 +82,11 @@ class StringBuiltinsAssembler : public CodeStubAssembler { // } // // Contains fast paths for Smi and RegExp objects. + // Important: {regexp_call} may not contain any code that can call into JS. typedef std::function NodeFunction0; typedef std::function NodeFunction1; void MaybeCallFunctionAtSymbol(Node* const context, Node* const object, + Node* const maybe_string, Handle symbol, const NodeFunction0& regexp_call, const NodeFunction1& generic_call, 
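Review bot: The `regexp_call` lambdas in StringPrototypeReplace and StringPrototypeSplit now hand `receiver` straight to `Builtins::kRegExpReplace` / `Builtins::kRegExpSplit` as the subject, which is only valid because MaybeCallFunctionAtSymbol has already branched to `slow_lookup` for anything that is not a string. That dependency is carried by the header comment alone. A `CSA_ASSERT(this, IsString(receiver));` as the first statement of each lambda would make it checkable in debug builds until the no-JS scope mentioned in the TODO exists. Both builtins continue outside these hunks.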
diff --git a/deps/v8/src/code-stub-assembler.cc b/deps/v8/src/code-stub-assembler.cc index 6068eff2383203..35261955db2576 100644 --- a/deps/v8/src/code-stub-assembler.cc +++ b/deps/v8/src/code-stub-assembler.cc @@ -5969,7 +5969,8 @@ void CodeStubAssembler::LoadPropertyFromGlobalDictionary(Node* dictionary, // Returns either the original value, or the result of the getter call. Node* CodeStubAssembler::CallGetterIfAccessor(Node* value, Node* details, Node* context, Node* receiver, - Label* if_bailout) { + Label* if_bailout, + GetOwnPropertyMode mode) { VARIABLE(var_value, MachineRepresentation::kTagged, value); Label done(this), if_accessor_info(this, Label::kDeferred); 
@@ -5981,23 +5982,26 @@ Node* CodeStubAssembler::CallGetterIfAccessor(Node* value, Node* details, // AccessorPair case. { - Node* accessor_pair = value; - Node* getter = LoadObjectField(accessor_pair, AccessorPair::kGetterOffset); - Node* getter_map = LoadMap(getter); - Node* instance_type = LoadMapInstanceType(getter_map); - // FunctionTemplateInfo getters are not supported yet. - GotoIf( - Word32Equal(instance_type, Int32Constant(FUNCTION_TEMPLATE_INFO_TYPE)), - if_bailout); - - // Return undefined if the {getter} is not callable. - var_value.Bind(UndefinedConstant()); - GotoIfNot(IsCallableMap(getter_map), &done); - - // Call the accessor. - Callable callable = CodeFactory::Call(isolate()); - Node* result = CallJS(callable, context, getter, receiver); - var_value.Bind(result); + if (mode == kCallJSGetter) { + Node* accessor_pair = value; + Node* getter = + LoadObjectField(accessor_pair, AccessorPair::kGetterOffset); + Node* getter_map = LoadMap(getter); + Node* instance_type = LoadMapInstanceType(getter_map); + // FunctionTemplateInfo getters are not supported yet. + GotoIf(Word32Equal(instance_type, + Int32Constant(FUNCTION_TEMPLATE_INFO_TYPE)), + if_bailout); + + // Return undefined if the {getter} is not callable. + var_value.Bind(UndefinedConstant()); + GotoIfNot(IsCallableMap(getter_map), &done); + + // Call the accessor. + Callable callable = CodeFactory::Call(isolate()); + Node* result = CallJS(callable, context, getter, receiver); + var_value.Bind(result); + } Goto(&done); } 
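Review bot: `mode` is consulted only inside the AccessorPair block; the `if_accessor_info` path declared just above this hunk is not touched, so with `kReturnAccessorPair` a property backed by an AccessorInfo may still reach its getter, which should be confirmed against the rest of CallGetterIfAccessor outside the hunk. The non-calling case is also silent: when `mode != kCallJSGetter` the block falls through to `Goto(&done)` with `var_value` still holding the AccessorPair. A comment before the `if`, such as `// kReturnAccessorPair: leave the AccessorPair in var_value; no JS may run on this path.`, would state that contract where it is implemented.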
@@ -6067,14 +6071,14 @@ void CodeStubAssembler::TryGetOwnProperty( Label* if_not_found, Label* if_bailout) { TryGetOwnProperty(context, receiver, object, map, instance_type, unique_name, if_found_value, var_value, nullptr, nullptr, if_not_found, - if_bailout); + if_bailout, kCallJSGetter); } void CodeStubAssembler::TryGetOwnProperty( Node* context, Node* receiver, Node* object, Node* map, Node* instance_type, Node* unique_name, Label* if_found_value, Variable* var_value, Variable* var_details, Variable* var_raw_value, Label* if_not_found, - Label* if_bailout) { + Label* if_bailout, GetOwnPropertyMode mode) { DCHECK_EQ(MachineRepresentation::kTagged, var_value->rep()); Comment("TryGetOwnProperty"); @@ -6125,7 +6129,7 @@ void CodeStubAssembler::TryGetOwnProperty( var_raw_value->Bind(var_value->value()); } Node* value = CallGetterIfAccessor(var_value->value(), var_details->value(), - context, receiver, if_bailout); + context, receiver, if_bailout, mode); var_value->Bind(value); Goto(if_found_value); } diff --git a/deps/v8/src/code-stub-assembler.h b/deps/v8/src/code-stub-assembler.h index 5ab6b8af330fbe..8379663297d6e7 100644 --- a/deps/v8/src/code-stub-assembler.h +++ b/deps/v8/src/code-stub-assembler.h @@ -1299,6 +1299,9 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler { Node* unique_name, Label* if_found, Label* if_not_found, Label* if_bailout); + // Operating mode for TryGetOwnProperty and CallGetterIfAccessor + // kReturnAccessorPair is used when we're only getting the property descriptor + enum GetOwnPropertyMode { kCallJSGetter, kReturnAccessorPair }; // Tries to get {object}'s own {unique_name} property value. If the property // is an accessor then it also calls a getter. If the property is a double // field it re-wraps value in an immutable heap number. 
@@ -1310,7 +1313,8 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler { Node* instance_type, Node* unique_name, Label* if_found, Variable* var_value, Variable* var_details, Variable* var_raw_value, - Label* if_not_found, Label* if_bailout); + Label* if_not_found, Label* if_bailout, + GetOwnPropertyMode mode); Node* GetProperty(Node* context, Node* receiver, Handle name) { return GetProperty(context, receiver, HeapConstant(name)); @@ -1645,7 +1649,8 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler { Node* DescriptorArrayGetKey(Node* descriptors, Node* descriptor_number); Node* CallGetterIfAccessor(Node* value, Node* details, Node* context, - Node* receiver, Label* if_bailout); + Node* receiver, Label* if_bailout, + GetOwnPropertyMode mode = kCallJSGetter); Node* TryToIntptr(Node* key, Label* miss); diff --git a/deps/v8/src/compiler/wasm-compiler.cc b/deps/v8/src/compiler/wasm-compiler.cc index f2a0e3b3249f1a..fe90492e73864c 100644 --- a/deps/v8/src/compiler/wasm-compiler.cc +++ b/deps/v8/src/compiler/wasm-compiler.cc @@ -3215,6 +3215,10 @@ Node* WasmGraphBuilder::LoadMem(wasm::ValueType type, MachineType memtype, BoundsCheckMem(memtype, index, offset, position); } + if (jsgraph()->machine()->Is64()) { + index = + graph()->NewNode(jsgraph()->machine()->ChangeUint32ToUint64(), index); + } if (memtype.representation() == MachineRepresentation::kWord8 || jsgraph()->machine()->UnalignedLoadSupported(memtype.representation())) { if (FLAG_wasm_trap_handler && V8_TRAP_HANDLER_SUPPORTED) { @@ -3267,6 +3271,10 @@ Node* WasmGraphBuilder::StoreMem(MachineType memtype, Node* index, BoundsCheckMem(memtype, index, offset, position); } + if (jsgraph()->machine()->Is64()) { + index = + graph()->NewNode(jsgraph()->machine()->ChangeUint32ToUint64(), index); + } #if defined(V8_TARGET_BIG_ENDIAN) val = BuildChangeEndiannessStore(val, memtype, type); #endif 
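Review bot: The same four-line `Is64()` / `ChangeUint32ToUint64` widening is pasted into LoadMem, StoreMem, BuildAsmjsLoadMem and BuildAsmjsStoreMem in wasm-compiler.cc, with no comment saying why the index has to be zero-extended. A private helper called from all four sites would keep them from drifting apart and gives the rationale one home. In LoadMem and StoreMem the widening sits after `BoundsCheckMem`, so the check still sees the 32-bit node; that ordering should be stated as well, since moving the block above the check would change what is compared. All four functions continue outside their hunks, and the helper would also need a declaration in the class header, which is not part of this diff.
```cpp
// The wasm memory index is a uint32; zero-extend it on 64-bit targets
// before it is used as a pointer-width offset into the memory buffer.
Node* WasmGraphBuilder::Uint32ToUintptr(Node* index) {
  if (!jsgraph()->machine()->Is64()) return index;
  return graph()->NewNode(jsgraph()->machine()->ChangeUint32ToUint64(),
                          index);
}

// … in LoadMem / StoreMem, after BoundsCheckMem(...), and at the top of
// BuildAsmjsLoadMem / BuildAsmjsStoreMem …
index = Uint32ToUintptr(index);
```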
@@ -3301,6 +3309,10 @@ Node* WasmGraphBuilder::StoreMem(MachineType memtype, Node* index, Node* WasmGraphBuilder::BuildAsmjsLoadMem(MachineType type, Node* index) { // TODO(turbofan): fold bounds checks for constant asm.js loads. // asm.js semantics use CheckedLoad (i.e. OOB reads return 0ish). + if (jsgraph()->machine()->Is64()) { + index = + graph()->NewNode(jsgraph()->machine()->ChangeUint32ToUint64(), index); + } const Operator* op = jsgraph()->machine()->CheckedLoad(type); Node* load = graph()->NewNode(op, MemBuffer(0), index, MemSize(), *effect_, *control_); @@ -3312,6 +3324,10 @@ Node* WasmGraphBuilder::BuildAsmjsStoreMem(MachineType type, Node* index, Node* val) { // TODO(turbofan): fold bounds checks for constant asm.js stores. // asm.js semantics use CheckedStore (i.e. ignore OOB writes). + if (jsgraph()->machine()->Is64()) { + index = + graph()->NewNode(jsgraph()->machine()->ChangeUint32ToUint64(), index); + } const Operator* op = jsgraph()->machine()->CheckedStore(type.representation()); Node* store = graph()->NewNode(op, MemBuffer(0), index, MemSize(), val, diff --git a/deps/v8/src/flag-definitions.h b/deps/v8/src/flag-definitions.h index ad8f9b23428047..bcb5a2c982b5a7 100644 --- a/deps/v8/src/flag-definitions.h +++ b/deps/v8/src/flag-definitions.h @@ -418,7 +418,7 @@ DEFINE_BOOL(polymorphic_inlining, true, "polymorphic inlining") DEFINE_BOOL(trace_turbo_inlining, false, "trace TurboFan inlining") DEFINE_BOOL(inline_accessors, true, "inline JavaScript accessors") DEFINE_BOOL(inline_into_try, true, "inline into try blocks") -DEFINE_BOOL(turbo_inline_array_builtins, true, +DEFINE_BOOL(turbo_inline_array_builtins, false, "inline array builtins in TurboFan code") DEFINE_BOOL(use_osr, true, "use on-stack replacement") DEFINE_BOOL(trace_osr, false, "trace on-stack replacement") diff --git a/deps/v8/src/objects-inl.h b/deps/v8/src/objects-inl.h index 5fe1b738e8ce50..82b7eb05a6e7b4 100644 --- a/deps/v8/src/objects-inl.h +++ b/deps/v8/src/objects-inl.h 
@@ -5156,12 +5156,12 @@ void JSArrayBuffer::set_has_guard_region(bool value) { set_bit_field(HasGuardRegion::update(bit_field(), value)); } -bool JSArrayBuffer::is_wasm_buffer() { - return IsWasmBuffer::decode(bit_field()); +bool JSArrayBuffer::is_growable() { + return IsGrowable::decode(bit_field()); } -void JSArrayBuffer::set_is_wasm_buffer(bool value) { - set_bit_field(IsWasmBuffer::update(bit_field(), value)); +void JSArrayBuffer::set_is_growable(bool value) { + set_bit_field(IsGrowable::update(bit_field(), value)); } Object* JSArrayBufferView::byte_offset() const { diff --git a/deps/v8/src/objects-printer.cc b/deps/v8/src/objects-printer.cc index e81c3d1a607a73..190117b0201eea 100644 --- a/deps/v8/src/objects-printer.cc +++ b/deps/v8/src/objects-printer.cc @@ -970,7 +970,7 @@ void JSArrayBuffer::JSArrayBufferPrint(std::ostream& os) { // NOLINT if (was_neutered()) os << "\n - neutered"; if (is_shared()) os << "\n - shared"; if (has_guard_region()) os << "\n - has_guard_region"; - if (is_wasm_buffer()) os << "\n - wasm_buffer"; + if (is_growable()) os << "\n - growable"; JSObjectPrintBody(os, this, !was_neutered()); } diff --git a/deps/v8/src/objects.h b/deps/v8/src/objects.h index a05385d0428523..a5acf7c6c4f3d4 100644 --- a/deps/v8/src/objects.h +++ b/deps/v8/src/objects.h @@ -6351,10 +6351,8 @@ class JSArrayBuffer: public JSObject { inline bool has_guard_region() const; inline void set_has_guard_region(bool value); - // TODO(gdeepti): This flag is introduced to disable asm.js optimizations in - // js-typer-lowering.cc, remove when the asm.js case is fixed. - inline bool is_wasm_buffer(); - inline void set_is_wasm_buffer(bool value); + inline bool is_growable(); + inline void set_is_growable(bool value); DECL_CAST(JSArrayBuffer) 
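Review bot: In objects.h the removed TODO was the only description of this bit, and the new `is_growable` / `set_is_growable` pair is declared with no comment even though the bit's meaning has changed. A line above the declarations such as `// False for buffers that WebAssembly.Memory.grow() must refuse to grow, e.g. asm.js heaps.` would record what the wasm-js.cc and asm-js.cc hunks rely on. Nothing visible in this diff sets the bit to true, and the only `set_is_wasm_buffer(true)` call is deleted in module-compiler.cc, so where the default is established should be confirmed in code outside these hunks.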
@@ -6414,7 +6412,7 @@ class JSArrayBuffer: public JSObject { class WasNeutered : public BitField {}; class IsShared : public BitField {}; class HasGuardRegion : public BitField {}; - class IsWasmBuffer : public BitField {}; + class IsGrowable : public BitField {}; private: DISALLOW_IMPLICIT_CONSTRUCTORS(JSArrayBuffer); diff --git a/deps/v8/src/runtime/runtime-intl.cc b/deps/v8/src/runtime/runtime-intl.cc index 22acba28cd1c29..783450c8ef1857 100644 --- a/deps/v8/src/runtime/runtime-intl.cc +++ b/deps/v8/src/runtime/runtime-intl.cc @@ -68,18 +68,21 @@ RUNTIME_FUNCTION(Runtime_CanonicalizeLanguageTag) { v8::String::Utf8Value locale_id(v8_isolate, v8::Utils::ToLocal(locale_id_str)); + // TODO(jshin): uloc_{for,to}TanguageTag can fail even for a structually valid + // language tag if it's too long (much longer than 100 chars). Even if we + // allocate a longer buffer, ICU will still fail if it's too long. Either + // propose to Ecma 402 to put a limit on the locale length or change ICU to + // handle long locale names better. See + // https://ssl.icu-project.org/trac/ticket/13417 . + // Return value which denotes invalid language tag. - // TODO(jshin): Can uloc_{for,to}TanguageTag fail even for structually valid - // language tags? If not, just add CHECK instead of returning 'invalid-tag'. const char* const kInvalidTag = "invalid-tag"; UErrorCode error = U_ZERO_ERROR; char icu_result[ULOC_FULLNAME_CAPACITY]; - int icu_length = 0; - - uloc_forLanguageTag(*locale_id, icu_result, ULOC_FULLNAME_CAPACITY, - &icu_length, &error); - if (U_FAILURE(error) || icu_length == 0) { + uloc_forLanguageTag(*locale_id, icu_result, ULOC_FULLNAME_CAPACITY, nullptr, + &error); + if (U_FAILURE(error) || error == U_STRING_NOT_TERMINATED_WARNING) { return *factory->NewStringFromAsciiChecked(kInvalidTag); } 
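Review bot: In Runtime_CanonicalizeLanguageTag, passing `nullptr` for the parsed length to `uloc_forLanguageTag` drops the old `icu_length == 0` rejection, so an input from which ICU parses nothing no longer returns `kInvalidTag` at this point unless ICU also reports an error. If callers do not guarantee a structurally valid tag, keep the out-parameter and the zero check next to the new `U_STRING_NOT_TERMINATED_WARNING` test. The new TODO also misspells the ICU functions as `uloc_{for,to}TanguageTag` and writes "structually". The function body continues past this hunk.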
@@ -88,7 +91,7 @@ RUNTIME_FUNCTION(Runtime_CanonicalizeLanguageTag) { // Force strict BCP47 rules. uloc_toLanguageTag(icu_result, result, ULOC_FULLNAME_CAPACITY, TRUE, &error); - if (U_FAILURE(error)) { + if (U_FAILURE(error) || error == U_STRING_NOT_TERMINATED_WARNING) { return *factory->NewStringFromAsciiChecked(kInvalidTag); } @@ -134,7 +137,7 @@ RUNTIME_FUNCTION(Runtime_AvailableLocalesOf) { error = U_ZERO_ERROR; // No need to force strict BCP47 rules. uloc_toLanguageTag(icu_name, result, ULOC_FULLNAME_CAPACITY, FALSE, &error); - if (U_FAILURE(error)) { + if (U_FAILURE(error) || error == U_STRING_NOT_TERMINATED_WARNING) { // This shouldn't happen, but lets not break the user. continue; } 
@@ -173,91 +176,6 @@ RUNTIME_FUNCTION(Runtime_GetDefaultICULocale) { return *factory->NewStringFromStaticChars("und"); } -RUNTIME_FUNCTION(Runtime_GetLanguageTagVariants) { - HandleScope scope(isolate); - v8::Isolate* v8_isolate = reinterpret_cast(isolate); - Factory* factory = isolate->factory(); - - DCHECK_EQ(1, args.length()); - - CONVERT_ARG_HANDLE_CHECKED(JSArray, input, 0); - - uint32_t length = static_cast(input->length()->Number()); - // Set some limit to prevent fuzz tests from going OOM. - // Can be bumped when callers' requirements change. - if (length >= 100) return isolate->ThrowIllegalOperation(); - Handle output = factory->NewFixedArray(length); - Handle maximized = factory->NewStringFromStaticChars("maximized"); - Handle base = factory->NewStringFromStaticChars("base"); - for (unsigned int i = 0; i < length; ++i) { - Handle locale_id; - ASSIGN_RETURN_FAILURE_ON_EXCEPTION( - isolate, locale_id, JSReceiver::GetElement(isolate, input, i)); - if (!locale_id->IsString()) { - return isolate->Throw(*factory->illegal_argument_string()); - } - - v8::String::Utf8Value utf8_locale_id( - v8_isolate, v8::Utils::ToLocal(Handle::cast(locale_id))); - - UErrorCode error = U_ZERO_ERROR; - - // Convert from BCP47 to ICU format. - // de-DE-u-co-phonebk -> de_DE@collation=phonebook - char icu_locale[ULOC_FULLNAME_CAPACITY]; - int icu_locale_length = 0; - uloc_forLanguageTag(*utf8_locale_id, icu_locale, ULOC_FULLNAME_CAPACITY, - &icu_locale_length, &error); - if (U_FAILURE(error) || icu_locale_length == 0) { - return isolate->Throw(*factory->illegal_argument_string()); - } - - // Maximize the locale. - // de_DE@collation=phonebook -> de_Latn_DE@collation=phonebook - char icu_max_locale[ULOC_FULLNAME_CAPACITY]; - uloc_addLikelySubtags(icu_locale, icu_max_locale, ULOC_FULLNAME_CAPACITY, - &error); - - // Remove extensions from maximized locale. 
- // de_Latn_DE@collation=phonebook -> de_Latn_DE - char icu_base_max_locale[ULOC_FULLNAME_CAPACITY]; - uloc_getBaseName(icu_max_locale, icu_base_max_locale, - ULOC_FULLNAME_CAPACITY, &error); - - // Get original name without extensions. - // de_DE@collation=phonebook -> de_DE - char icu_base_locale[ULOC_FULLNAME_CAPACITY]; - uloc_getBaseName(icu_locale, icu_base_locale, ULOC_FULLNAME_CAPACITY, - &error); - - // Convert from ICU locale format to BCP47 format. - // de_Latn_DE -> de-Latn-DE - char base_max_locale[ULOC_FULLNAME_CAPACITY]; - uloc_toLanguageTag(icu_base_max_locale, base_max_locale, - ULOC_FULLNAME_CAPACITY, FALSE, &error); - - // de_DE -> de-DE - char base_locale[ULOC_FULLNAME_CAPACITY]; - uloc_toLanguageTag(icu_base_locale, base_locale, ULOC_FULLNAME_CAPACITY, - FALSE, &error); - - if (U_FAILURE(error)) { - return isolate->Throw(*factory->illegal_argument_string()); - } - - Handle result = factory->NewJSObject(isolate->object_function()); - Handle value = factory->NewStringFromAsciiChecked(base_max_locale); - JSObject::AddProperty(result, maximized, value, NONE); - value = factory->NewStringFromAsciiChecked(base_locale); - JSObject::AddProperty(result, base, value, NONE); - output->set(i, *result); - } - - Handle result = factory->NewJSArrayWithElements(output); - result->set_length(Smi::FromInt(length)); - return *result; -} - RUNTIME_FUNCTION(Runtime_IsInitializedIntlObject) { HandleScope scope(isolate); diff --git a/deps/v8/src/runtime/runtime.h b/deps/v8/src/runtime/runtime.h index 1c95e28278023e..a78966f226ac8f 100644 --- a/deps/v8/src/runtime/runtime.h +++ b/deps/v8/src/runtime/runtime.h @@ -249,7 +249,6 @@ namespace internal { F(CanonicalizeLanguageTag, 1, 1) \ F(AvailableLocalesOf, 1, 1) \ F(GetDefaultICULocale, 0, 1) \ - F(GetLanguageTagVariants, 1, 1) \ F(IsInitializedIntlObject, 1, 1) \ F(IsInitializedIntlObjectOfType, 2, 1) \ F(MarkAsInitializedIntlObjectOfType, 2, 1) \ 
diff --git a/deps/v8/src/v8.gyp b/deps/v8/src/v8.gyp index e6665db2038cc1..bf7635ee339e2a 100644 --- a/deps/v8/src/v8.gyp +++ b/deps/v8/src/v8.gyp @@ -42,7 +42,7 @@ { 'target_name': 'v8', 'dependencies_traverse': 1, - 'dependencies': ['v8_maybe_snapshot'], + 'dependencies': ['v8_maybe_snapshot', 'v8_dump_build_config#target'], 'conditions': [ ['want_separate_host_toolset==1', { 'toolsets': ['host', 'target'], @@ -2499,5 +2499,42 @@ }], ], }, + { + 'target_name': 'v8_dump_build_config', + 'type': 'none', + 'variables': { + }, + 'actions': [ + { + 'action_name': 'v8_dump_build_config', + 'inputs': [ + '../tools/testrunner/utils/dump_build_config_gyp.py', + ], + 'outputs': [ + '<(PRODUCT_DIR)/v8_build_config.json', + ], + 'action': [ + 'python', + '../tools/testrunner/utils/dump_build_config_gyp.py', + '<(PRODUCT_DIR)/v8_build_config.json', + 'dcheck_always_on=<(dcheck_always_on)', + 'is_asan=<(asan)', + 'is_cfi=<(cfi_vptr)', + 'is_component_build=<(component)', + 'is_debug=<(CONFIGURATION_NAME)', + # Not available in gyp. + 'is_gcov_coverage=0', + 'is_msan=<(msan)', + 'is_tsan=<(tsan)', + # Not available in gyp. + 'is_ubsan_vptr=0', + 'target_cpu=<(target_arch)', + 'v8_enable_i18n_support=<(v8_enable_i18n_support)', + 'v8_target_cpu=<(v8_target_arch)', + 'v8_use_snapshot=<(v8_use_snapshot)', + ], + }, + ], + }, ], } diff --git a/deps/v8/src/wasm/module-compiler.cc b/deps/v8/src/wasm/module-compiler.cc index 6158499f00b7fa..e1523e17d9d2ab 100644 --- a/deps/v8/src/wasm/module-compiler.cc +++ b/deps/v8/src/wasm/module-compiler.cc @@ -956,7 +956,6 @@ MaybeHandle InstanceBuilder::Build() { Handle memory = memory_.ToHandleChecked(); // Set externally passed ArrayBuffer non neuterable. memory->set_is_neuterable(false); - memory->set_is_wasm_buffer(true); DCHECK_IMPLIES(EnableGuardRegions(), module_->is_asm_js() || memory->has_guard_region()); 
@@ -998,27 +997,29 @@ MaybeHandle InstanceBuilder::Build() { //-------------------------------------------------------------------------- // Initialize memory. //-------------------------------------------------------------------------- + uint32_t mem_size = 0; + Address mem_start = nullptr; + + // Stash old values of mem_start, and mem_size before + // SetSpecializationMemInfoFrom, to patch memory references + uint32_t old_mem_size = compiled_module_->GetEmbeddedMemSizeOrZero(); + Address old_mem_start = compiled_module_->GetEmbeddedMemStartOrNull(); if (!memory_.is_null()) { Handle memory = memory_.ToHandleChecked(); - Address mem_start = static_cast
(memory->backing_store()); - uint32_t mem_size; + mem_start = static_cast
(memory->backing_store()); CHECK(memory->byte_length()->ToUint32(&mem_size)); LoadDataSegments(mem_start, mem_size); - uint32_t old_mem_size = compiled_module_->GetEmbeddedMemSizeOrZero(); - Address old_mem_start = compiled_module_->GetEmbeddedMemStartOrNull(); - // We might get instantiated again with the same memory. No patching - // needed in this case. - if (old_mem_start != mem_start || old_mem_size != mem_size) { - code_specialization.RelocateMemoryReferences(old_mem_start, old_mem_size, - mem_start, mem_size); - } // Just like with globals, we need to keep both the JSArrayBuffer // and save the start pointer. instance->set_memory_buffer(*memory); WasmCompiledModule::SetSpecializationMemInfoFrom(factory, compiled_module_, memory); } + // We might get instantiated again with the same memory. No patching + // needed in this case. + code_specialization.RelocateMemoryReferences(old_mem_start, old_mem_size, + mem_start, mem_size); //-------------------------------------------------------------------------- // Set up the runtime support for the new instance. diff --git a/deps/v8/src/wasm/wasm-js.cc b/deps/v8/src/wasm/wasm-js.cc index a85df786f487f6..ce2e3f1341a9ed 100644 --- a/deps/v8/src/wasm/wasm-js.cc +++ b/deps/v8/src/wasm/wasm-js.cc @@ -751,6 +751,10 @@ void WebAssemblyMemoryGrow(const v8::FunctionCallbackInfo& args) { max_size64 = i::FLAG_wasm_max_mem_pages; } i::Handle old_buffer(receiver->array_buffer()); + if (!old_buffer->is_growable()) { + thrower.RangeError("This memory cannot be grown"); + return; + } uint32_t old_size = old_buffer->byte_length()->Number() / i::wasm::kSpecMaxWasmMemoryPages; int64_t new_size64 = old_size + delta_size; diff --git a/deps/v8/src/wasm/wasm-module.cc b/deps/v8/src/wasm/wasm-module.cc index bb8330fa1c46cc..4adc9ef3755602 100644 --- a/deps/v8/src/wasm/wasm-module.cc +++ b/deps/v8/src/wasm/wasm-module.cc 
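Review bot: The comment kept above the new `code_specialization.RelocateMemoryReferences(...)` call in InstanceBuilder::Build ("We might get instantiated again with the same memory. No patching needed in this case.") no longer matches the code, because the `old_mem_start != mem_start || old_mem_size != mem_size` guard it described was removed and the call is now unconditional. The call now also runs when `memory_` is null, with `mem_start = nullptr` and `mem_size = 0`, which looks like the intended fix, so the comment should say so, e.g. `// Always patch, also to {nullptr, 0} when there is no memory, so code never keeps a previous instance's base/size.` Whether RelocateMemoryReferences is a no-op for identical old and new values is not visible here and is worth confirming. Build() starts and ends outside the hunk.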
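Review bot: The new `is_growable()` guard in WebAssemblyMemoryGrow carries no comment saying which buffers are non-growable or why, and the same guard is repeated in GrowMemoryBuffer and WasmMemoryObject::Grow in wasm-objects.cc with three different failure signals (a RangeError here, a null handle, and `-1`). Judging by regress-776677.js, the case being closed is presumably a Memory whose buffer is also in use by asm.js code, where growing would replace the backing store that code still addresses. If so, a comment at each guard such as `// Buffers used by asm.js code must not be grown; the compiled code still addresses the old backing store.` would record it. The callers that must treat the null handle and `-1` as failure are outside these hunks, so it is worth checking that none of them dereferences the result unconditionally.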
@@ -266,7 +266,7 @@ Handle wasm::SetupArrayBuffer( allocation_length, backing_store, static_cast(size), shared); buffer->set_is_neuterable(false); - buffer->set_is_wasm_buffer(true); + buffer->set_is_growable(true); buffer->set_has_guard_region(enable_guard_regions); return buffer; } diff --git a/deps/v8/src/wasm/wasm-objects.cc b/deps/v8/src/wasm/wasm-objects.cc index 56a26d1fcc2b94..779a2d84309d0b 100644 --- a/deps/v8/src/wasm/wasm-objects.cc +++ b/deps/v8/src/wasm/wasm-objects.cc @@ -290,6 +290,7 @@ Handle GrowMemoryBuffer(Isolate* isolate, Address old_mem_start = nullptr; uint32_t old_size = 0; if (!old_buffer.is_null()) { + if (!old_buffer->is_growable()) return Handle::null(); old_mem_start = static_cast
(old_buffer->backing_store()); CHECK(old_buffer->byte_length()->ToUint32(&old_size)); } @@ -392,6 +393,7 @@ int32_t WasmMemoryObject::Grow(Isolate* isolate, Handle memory_object, uint32_t pages) { Handle old_buffer(memory_object->array_buffer()); + if (!old_buffer->is_growable()) return -1; uint32_t old_size = 0; CHECK(old_buffer->byte_length()->ToUint32(&old_size)); Handle new_buffer; diff --git a/deps/v8/test/intl/general/invalid-locale.js b/deps/v8/test/intl/general/invalid-locale.js new file mode 100644 index 00000000000000..c85ed83cce888b --- /dev/null +++ b/deps/v8/test/intl/general/invalid-locale.js 
@@ -0,0 +1,39 @@ +// Copyright 2017 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Make sure that invalid locales throw RangeError + +var invalid_locales = ["arcdefghl-Latn", "fil-Latn-kxx", "fr-Latn-CAK", + "en-Latin-US", "en-a-foo-9charlong", "en-a-b", + ]; + +for (let locale of invalid_locales) { + assertThrows("var nf = new Intl.NumberFormat('" + locale + "')", RangeError); +} + +var not_so_long_locales = [ + "bs-u-nu-bzcu-cab-cabs-avnlubs-avnihu-zcu-cab-cbs-avnllubs-avnihq-zcu-cab-cbs-ubs-avnihu-cabs-flus-xxd-vnluy", + "bs-u-nu-bzcu-cab-cabs-avnlubs-avnihu-zcu-cab-cbs-avnllubs-avnihq-zcu-cab-cbs-ubs-avnihu-cabs-flus-xxd", + "bs-u-nu-bzcu-cab-cabs-avnlubs-avnihu-zcu", +]; + +for (let locale of not_so_long_locales) { + assertEquals((new Intl.NumberFormat(locale)).resolvedOptions().numberingSystem, + "latn"); +} + +// The point of this test is to make sure that there's no ill-effect with too +// long a locale name. Because, thhere's no provision in the Ecma 402 on the +// length limit of a locale ID and BCP 47 (RFC 5646 section 2.1). So, it's +// a spec violation to treat this as invalid. See TODO(jshin) comment +// in Runtime_CanonicalizeLanguageTag in runtime-intl.cc . +var overlong_locales = [ + "he-up-a-caiaup-araup-ai-pdu-sp-bs-up-arscna-zeieiaup-araup-arscia-rews-us-up-arscna-zeieiaup-araup-arsciap-arscna-zeieiaup-araup-arscie-u-sp-bs-uaup-arscia", + "he-up-a-caiaup-araup-ai-pdu-sp-bs-up-arscna-zeieiaup-araup-arscia-rews-us-up-arscna-zeieiaup-araup-arsciap-arscna-zeieiaup-araup-arscie-u-sp-bs-uaup-arscia-xyza", + "bs-u-nu-bzcu-cab-cabs-avnlubs-avnihu-zcu-cab-cbs-avnllubs-avnihq-zcu-cab-cbs-ubs-avnihu-cabs-flus-xxd-vnluy-abcd", +]; + +for (let locale of overlong_locales) { + assertThrows("var nf = new Intl.NumberFormat('" + locale + "')", RangeError) +} 
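Review bot: The comment above `overlong_locales` says that treating an over-long tag as invalid is a spec violation, yet the loop below it asserts `RangeError`, so a reader cannot tell whether the throw is intended or a known deviation being pinned. State it directly, e.g. `// Known deviation: over-long tags are currently rejected with RangeError; this only checks that they fail cleanly.`, and fix the `thhere's` typo while there. The `assertThrows` calls build source text by concatenating the locale into a string; passing a closure, `assertThrows(() => new Intl.NumberFormat(locale), RangeError);`, avoids evaluating a constructed string and keeps working if a test tag ever contains a quote.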
diff --git a/deps/v8/test/mjsunit/regress/regress-776338.js b/deps/v8/test/mjsunit/regress/regress-776338.js new file mode 100644 index 00000000000000..ce0cf40d8c7bf2 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-776338.js @@ -0,0 +1,44 @@ +// Copyright 2017 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +const obj = {}; +Object.defineProperty(obj, 'value', { + enumerable: true, + configurable: true, + get: assertUnreachable, + set: assertUnreachable, +}); + +let called_get = false; +let called_has = false; +let called_set = false; + +const has = function(target, prop) { + assertEquals('value', prop); + called_has = true; + return false; // Need to return false to trigger GetOwnProperty call. +}; + +const get = function(target, prop) { + assertEquals('value', prop); + called_get = true; + return 'yep'; +}; + +const set = function(target, prop, value) { + assertEquals('value', prop); + called_set = true; + return true; // Need to return true to trigger GetOwnProperty call. +}; + +const proxy = new Proxy(obj, { has, get, set }); + +assertFalse(Reflect.has(proxy, 'value')); +assertTrue(called_has); + +assertEquals('nope', proxy.value = 'nope'); +assertTrue(called_set); + +assertEquals('yep', proxy.value); +assertTrue(called_get); diff --git a/deps/v8/test/mjsunit/regress/regress-782145.js b/deps/v8/test/mjsunit/regress/regress-782145.js new file mode 100644 index 00000000000000..65464e23cd7636 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-782145.js 
@@ -0,0 +1,21 @@ +// Copyright 2017 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +function newFastRegExp() { return new RegExp('.'); } +function toSlowRegExp(re) { re.exec = 42; } + +let re = newFastRegExp(); +const evil_nonstring = { [Symbol.toPrimitive]: () => toSlowRegExp(re) }; +const empty_string = ""; + +String.prototype.replace.call(evil_nonstring, re, empty_string); + +re = newFastRegExp(); +String.prototype.match.call(evil_nonstring, re, empty_string); + +re = newFastRegExp(); +String.prototype.search.call(evil_nonstring, re, empty_string); + +re = newFastRegExp(); +String.prototype.split.call(evil_nonstring, re, empty_string); diff --git a/deps/v8/test/mjsunit/regress/wasm/regress-776677.js b/deps/v8/test/mjsunit/regress/wasm/regress-776677.js new file mode 100644 index 00000000000000..1b2357dcf283b0 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/wasm/regress-776677.js @@ -0,0 +1,30 @@ +// Copyright 2017 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +function module(stdlib,foreign,buffer) { + "use asm"; + var fl = new stdlib.Uint32Array(buffer); + function f1(x) { + x = x | 0; + fl[0] = x; + fl[0x10000] = x; + fl[0x100000] = x; + } + return f1; +} + +var global = {Uint32Array:Uint32Array}; +var env = {}; +memory = new WebAssembly.Memory({initial:200}); +var buffer = memory.buffer; +evil_f = module(global,env,buffer); + +zz = {}; +zz.toString = function() { + Array.prototype.slice.call([]); + return 0xffffffff; +} +evil_f(3); +assertThrows(() => memory.grow(1), RangeError); +evil_f(zz); diff --git a/deps/v8/test/mjsunit/regress/wasm/regression-763439.js b/deps/v8/test/mjsunit/regress/wasm/regression-763439.js new file mode 100644 index 00000000000000..0f9d2b24d82e26 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/wasm/regression-763439.js 
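Review bot: regress-782145.js has neither an assertion nor a comment, so nothing tells a maintainer what a failure looks like; presumably the test passes when none of the four calls crashes after `Symbol.toPrimitive` turns the fast RegExp into a slow one in the middle of the call. If that is the intent, a header comment such as `// Converting the receiver to a string may modify the RegExp (here: exec = 42); the String builtins must cope with that.` would record it. `match` and `search` take a single argument, so the trailing `empty_string` passed to them is ignored.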
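Review bot: regress-776677.js gives no indication of the hazard it covers: an asm.js module is linked against `memory.buffer`, and `memory.grow(1)` must then throw `RangeError`, presumably because growing would replace the backing store that `f1` still writes to at `fl[0x10000]` and `fl[0x100000]`. A short header comment stating that would make the `assertThrows` line self-explanatory. The final `evil_f(zz)` has no assertion, so its expected outcome should be stated in a comment as well, and `memory`, `evil_f` and `zz` are implicit globals that could be declared with `var` or `const`.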
@@ -0,0 +1,22 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-constants.js');
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+var builder = new WasmModuleBuilder();
+builder.addMemory(0, 1234, false);
+builder.addFunction('f', kSig_i_v)
+ .addBody([
+ kExprI32Const, 0x1d, // --
+ kExprGrowMemory, 0x00, // --
+ kExprI32LoadMem, 0x00, 0xff, 0xff, 0x45, // --
+ ])
+ .exportFunc();
+
+var module = new WebAssembly.Module(builder.toBuffer());
+var instance1 = new WebAssembly.Instance(module);
+instance1.exports.f();
+var instance2 = new WebAssembly.Instance(module);
+instance2.exports.f();
diff --git a/deps/v8/test/mjsunit/wasm/bounds-check-64bit.js b/deps/v8/test/mjsunit/wasm/bounds-check-64bit.js
new file mode 100644
index 00000000000000..8643093db01b58
--- /dev/null
+++ b/deps/v8/test/mjsunit/wasm/bounds-check-64bit.js
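Review bot: Neither `instance1.exports.f()` nor `instance2.exports.f()` in regression-763439.js has its result checked, so the test only detects a crash. If the load after the grow is expected to succeed on both instances, asserting the returned value on both calls would also catch a second instance that silently reuses the first instance's memory. A one-line comment saying that the same module is instantiated twice without imported memory is missing as well. The file is named `regression-763439.js` while the neighbouring new tests follow the `regress-<id>.js` pattern.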
@@ -0,0 +1,33 @@ +// Copyright 2017 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +load("test/mjsunit/wasm/wasm-constants.js"); +load("test/mjsunit/wasm/wasm-module-builder.js"); + +const builder = new WasmModuleBuilder(); +builder.addMemory(1, kV8MaxPages, false); +builder.addFunction('load', kSig_i_ii) + .addBody([ + kExprGetLocal, 0, + kExprI64SConvertI32, + kExprGetLocal, 1, + kExprI64SConvertI32, + kExprI64Shl, + kExprI32ConvertI64, + kExprI32LoadMem, 0, 0]) + .exportFunc(); + +const module = builder.instantiate(); +let start = 12; +let address = start; +for (i = 1; i < 64; i++) { + // This is the address which will be accessed in the code. We cannot use + // shifts to calculate the address because JS shifts work on 32-bit integers. + address = (address * 2) % 4294967296; + if (address < kPageSize) { + assertEquals(0, module.exports.load(start, i)); + } else { + assertTraps(kTrapMemOutOfBounds, _ => { module.exports.load(start, i);}); + } +} diff --git a/deps/v8/test/mjsunit/wasm/import-memory.js b/deps/v8/test/mjsunit/wasm/import-memory.js index 1f0d8471312791..df4f0d3fe842ca 100644 --- a/deps/v8/test/mjsunit/wasm/import-memory.js +++ b/deps/v8/test/mjsunit/wasm/import-memory.js 
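Review bot: The loop counter in `for (i = 1; i < 64; i++)` is an implicit global; `for (let i = 1; i < 64; i++)` keeps it local like `start` and `address`. The wrap-around value `4294967296` would read more clearly as a named constant (or `0x100000000`), since the comment explains why shifts are avoided but not what the literal is.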
@@ -442,3 +442,29 @@ load("test/mjsunit/wasm/wasm-module-builder.js"); assertEquals(0, buffer.byteLength); assertEquals(3*kPageSize, memory.buffer.byteLength); })(); + +(function TestInitialMemorySharedModule() { + print("TestInitialMemorySharedModule"); + var builder = new WasmModuleBuilder(); + builder.addImportedMemory("m", "imported_mem"); + builder.addFunction('f', kSig_i_v) + .addBody([ + kExprI32Const, 0x1d, // -- + kExprI32Const, 0x20, // -- + kExprI32StoreMem, 0, 0, // -- + kExprI32Const, 0x1d, // -- + kExprI32LoadMem, 0, 0, // -- + ]) + .exportFunc(); + + // First instance load/store success + var module = new WebAssembly.Module(builder.toBuffer()); + let memory1= new WebAssembly.Memory({initial: 1, maximum: 20}); + let instance1 = new WebAssembly.Instance(module, {m: {imported_mem: memory1}}); + assertEquals(0x20, instance1.exports.f()); + + // Second instance should trap as it has no initial memory + let memory2= new WebAssembly.Memory({initial: 0, maximum: 2}); + let instance2 = new WebAssembly.Instance(module, {m: {imported_mem: memory2}}); + assertTraps(kTrapMemOutOfBounds, () => instance2.exports.f()); +})(); diff --git a/deps/v8/tools/foozzie/v8_foozzie.py b/deps/v8/tools/foozzie/v8_foozzie.py index 0c6d65d1e89ad6..217817865269e3 100755 --- a/deps/v8/tools/foozzie/v8_foozzie.py +++ b/deps/v8/tools/foozzie/v8_foozzie.py @@ -127,7 +127,7 @@ def infer_arch(d8): executable. """ with open(os.path.join(os.path.dirname(d8), 'v8_build_config.json')) as f: - arch = json.load(f)['v8_current_cpu'] + arch = json.load(f)['v8_target_cpu'] return 'ia32' if arch == 'x86' else arch diff --git a/deps/v8/tools/testrunner/testrunner.isolate b/deps/v8/tools/testrunner/testrunner.isolate index e29f1df98dfd00..56667c20215b51 100644 --- a/deps/v8/tools/testrunner/testrunner.isolate +++ b/deps/v8/tools/testrunner/testrunner.isolate @@ -7,6 +7,7 @@ '../run-tests.py', ], 'files': [ + '<(PRODUCT_DIR)/v8_build_config.json', '../run-tests.py', './' ], 
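Review bot: `json.load(f)['v8_target_cpu']` in infer_arch now reports the architecture the build targets rather than the one this particular `d8` binary was compiled for; the two can presumably differ for host-toolset binaries in a cross build, so it is worth confirming that foozzie is only pointed at target-toolset executables. The lookup also fails with a bare `KeyError` when the key is absent from `v8_build_config.json`; an error message naming the file would make that easier to diagnose. infer_arch starts outside the hunk.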
@@ -20,12 +21,5 @@ ], }, }], - ['is_gn==1', { - 'variables': { - 'files': [ - '<(PRODUCT_DIR)/v8_build_config.json', - ], - }, - }], ], } diff --git a/deps/v8/tools/testrunner/utils/dump_build_config.py b/deps/v8/tools/testrunner/utils/dump_build_config.py index bd57b5f34e2302..b691bb3dc8dc32 100644 --- a/deps/v8/tools/testrunner/utils/dump_build_config.py +++ b/deps/v8/tools/testrunner/utils/dump_build_config.py @@ -15,7 +15,7 @@ import os import sys -assert len(sys.argv) > 1 +assert len(sys.argv) > 2 def as_json(kv): assert '=' in kv @@ -23,4 +23,4 @@ def as_json(kv): return k, json.loads(v) with open(sys.argv[1], 'w') as f: - json.dump(dict(as_json(kv) for kv in sys.argv[2:]), f) + json.dump(dict(map(as_json, sys.argv[2:])), f) diff --git a/deps/v8/tools/testrunner/utils/dump_build_config_gyp.py b/deps/v8/tools/testrunner/utils/dump_build_config_gyp.py new file mode 100644 index 00000000000000..7f726271314aac --- /dev/null +++ b/deps/v8/tools/testrunner/utils/dump_build_config_gyp.py 
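Review bot: `assert len(sys.argv) > 2` in dump_build_config.py validates arguments with `assert`, which is stripped under `python -O` and otherwise fails with a bare AssertionError; the same line is added to the new dump_build_config_gyp.py. An explicit check such as `if len(sys.argv) < 3: sys.exit('usage: dump_build_config.py out.json key=value ...')` states the contract. Raising the threshold from 1 to 2 also rejects an invocation with only the output path, which previously wrote an empty object, so callers relying on that need checking.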
@@ -0,0 +1,54 @@
+# Copyright 2017 the V8 project authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+"""The same as dump_build_config.py but for gyp legacy.
+
+Expected to be called like:
+dump_build_config.py path/to/file.json [key1=value1 ...]
+
+Raw gyp values are supported - they will be tranformed into valid json.
+"""
+# TODO(machenbach): Remove this when gyp is deprecated.
+
+import json
+import os
+import sys
+
+assert len(sys.argv) > 2
+
+
+GYP_GN_CONVERSION = {
+ 'is_component_build': {
+ 'shared_library': 'true',
+ 'static_library': 'false',
+ },
+ 'is_debug': {
+ 'Debug': 'true',
+ 'Release': 'false',
+ },
+}
+
+DEFAULT_CONVERSION ={
+ '0': 'false',
+ '1': 'true',
+ 'ia32': 'x86',
+}
+
+def gyp_to_gn(key, value):
+ value = GYP_GN_CONVERSION.get(key, DEFAULT_CONVERSION).get(value, value)
+ value = value if value in ['true', 'false'] else '"{0}"'.format(value)
+ return value
+
+def as_json(kv):
+ assert '=' in kv
+ k, v = kv.split('=', 1)
+ v2 = gyp_to_gn(k, v)
+ try:
+ return k, json.loads(v2)
+ except ValueError as e:
+ print(k, v, v2)
+ raise e
+
+with open(sys.argv[1], 'w') as f:
+ json.dump(dict(map(as_json, sys.argv[2:])), f)
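Review bot: In gyp_to_gn, `'"{0}"'.format(value)` wraps the raw gyp value in quotes without escaping, so a value containing `"` or a backslash makes `json.loads` fail in as_json; `return value if value in ('true', 'false') else json.dumps(value)` yields valid JSON for any string. For `is_debug` only `Debug` and `Release` are mapped, so any other configuration name is written out as a string, which a consumer testing truthiness would read as a debug build; failing on an unmapped name would be safer. The docstring's usage line names `dump_build_config.py` instead of this script and contains the typo `tranformed`, `import os` is unused, and `raise e` can be a bare `raise`.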