  1. 07 May, 2018 1 commit
  2. 06 Feb, 2018 1 commit
  3. 19 Jan, 2018 1 commit
  4. 18 Jan, 2018 2 commits
  5. 13 Jul, 2017 1 commit
  6. 26 Apr, 2017 1 commit
  7. 19 Apr, 2017 1 commit
    • [builtins] Use the ElementsAccessor to copy TypedArrays. · 356e9246
      Peter Marshall authored
      This includes a fastpath in the ElementsAccessor for the source
      array being a JSArray with FastSmi or FastDouble packed kinds. This
      is probably a pretty common usage, where an array is passed in as
      a way of initializing the TypedArray at creation (as there is no other
      syntax to do this). e.g. new Float64Array([1.0, 1.0, 1.0]) for some
      sort of vector application.
      
      BUG= v8:5977
      
      Change-Id: Ice4ad9fc29f56b1c4b0b30736a1330efdc289003
      Reviewed-on: https://chromium-review.googlesource.com/465126
      Reviewed-by: Camillo Bruni <cbruni@chromium.org>
      Commit-Queue: Peter Marshall <petermarshall@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#44722}
  8. 10 Apr, 2017 1 commit
    • [runtime] Fix spec bug in TypedArrayConstruct with mutating iterables. · cc75535d
      Peter Marshall authored
      The spec requires that we use IterableToList, which we skipped for
      some arrays as an optimization. We can't skip this for arrays with
      objects though, because the objects may mutate the array during
      the copying step via valueOf side effects.
      
      Also clean up the implementation to use a runtime function rather
      than a builtin as the helper. Also reverses the result of the helper
      because I think it is a bit more intuitive that way.
      
      Bug: v8:6224
      Change-Id: I9199491abede4479785df6d9068331bc2d6e9c5e
      Reviewed-on: https://chromium-review.googlesource.com/471986
      Reviewed-by: Camillo Bruni <cbruni@chromium.org>
      Commit-Queue: Peter Marshall <petermarshall@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#44507}
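
The ordering requirement described in the commit above, as an added conformance check that is not V8 code and not part of the commit. `makeMutatingSource`, `specReference`, `liveReadCopy` and `check` are hypothetical helper names, the source array is constructed sample data, and `liveReadCopy` is only a JavaScript model of a copy that skips the IterableToList snapshot.

```javascript
// Constructed source array: element 1 is an object whose valueOf mutates the
// array while the typed array constructor is converting elements to numbers.
function makeMutatingSource(mutate) {
  const source = [1, null, 3, 4];
  source[1] = { valueOf() { mutate(source); return 2; } };
  return source;
}

// Spec order: IterableToList snapshots every element first, and only then is
// each snapshotted value converted and stored.
function specReference(source) {
  const snapshot = [...source];
  const out = new Float64Array(snapshot.length);
  snapshot.forEach((value, i) => { out[i] = Number(value); });
  return Array.from(out);
}

// Model of the skipped snapshot: elements are read live during conversion, so
// a valueOf side effect changes what later reads see.
function liveReadCopy(source) {
  const out = new Float64Array(source.length);
  for (let i = 0; i < out.length; i++) out[i] = Number(source[i]);
  return Array.from(out);
}

// Run one mutation against the engine, the spec reference and the live-read
// model, each on a fresh source array, and report whether the engine conforms.
function check(mutate) {
  const engine = Array.from(new Float64Array(makeMutatingSource(mutate)));
  const spec = specReference(makeMutatingSource(mutate));
  const live = liveReadCopy(makeMutatingSource(mutate));
  const conforms = engine.length === spec.length &&
      engine.every((v, i) => Object.is(v, spec[i]));
  return { engine, spec, live, conforms };
}

// Two mutations worth covering in a regression test: overwriting a later
// element, and shrinking the array below the index being copied.
const cases = {
  overwrite: (s) => { s[2] = 99; },
  shrink: (s) => { s.length = 2; },
};
for (const [name, mutate] of Object.entries(cases)) {
  const r = check(mutate);
  console.log(name, 'engine:', r.engine, 'live-read model:', r.live,
              r.conforms ? 'OK' : 'NON-CONFORMING');
}
```

The shrink case is the one to keep in a regression suite: a copy that trusts the length it read before conversion ends up indexing past the array's current end.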
  9. 31 Mar, 2017 1 commit
    • [builtins] Copy array contents using JS in ConstructByArrayLike. · a450c185
      Peter Marshall authored
      The last CL https://chromium-review.googlesource.com/c/456707/ caused
      some pretty heavy performance regressions. After experimenting, it
      seems the easiest and most straight-forward way to copy the elements
      into the new typed array is to do it in JS.
      
      Adds a fast path for typed arrays, where the source typed array has
      the same elements kind, in which case we can just copy the backing
      store using memcpy.
      
      This CL also removes regression test 319120 which is from a pwn2own
      vulnerability. The old code path enforced a maximum byte_length
      that was too low, which this change removes. The length property of
      the typed array must be a Smi, but the byte_length, which can be up
      to 8x larger than length for a Float64Array, can be a heap number.
      
      We can also re-use some of the logic from ConstructByLength when
      deciding whether to allocate the buffer on- or off-heap, so that
      is factored out into InitializeBasedOnLength. We can also re-use
      the DoInitialize helper instead of calling into the runtime,
      meaning we can remove InitializeFromArrayLike.
      
      BUG=v8:5977,chromium:705503,chromium:705394
      
      Change-Id: I63372652091d4bdf3a9491acef9b4e3ac793a755
      Reviewed-on: https://chromium-review.googlesource.com/459621
      Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
      Commit-Queue: Peter Marshall <petermarshall@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#44301}
  10. 24 Mar, 2017 1 commit