- 08 Aug, 2018 38 commits
-
-
Frank Tang authored
Bug: v8:7979 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Change-Id: I367e7a7e93de267cf9b0718f193f5de3abfbf692 Reviewed-on: https://chromium-review.googlesource.com/1152556 Commit-Queue: Frank Tang <ftang@chromium.org> Reviewed-by:
Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#54992}
-
Frank Tang authored
Spec: http://tc39.github.io/proposal-intl-list-format/ Design Doc: go/add-intl.listformat-to-v8 Test: intl/list-format/* R=gsathya@chromium.org, mvstanton@chromium.org Bug: v8:7871 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Change-Id: I820c205ca842c228ffe37f7e1648667f30f80bd8 Reviewed-on: https://chromium-review.googlesource.com/1126683 Commit-Queue: Frank Tang <ftang@chromium.org> Reviewed-by:
Adam Klein <adamk@chromium.org> Cr-Commit-Position: refs/heads/master@{#54991}
-
Sergiy Byelozyorov authored
R=machenbach@chromium.org Bug: chromium:863607 Change-Id: I999770d1dafbafe8bbe60b575a940f6feb90fae0 Reviewed-on: https://chromium-review.googlesource.com/1165551Reviewed-by:
Michael Achenbach <machenbach@chromium.org> Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org> Cr-Commit-Position: refs/heads/master@{#54990}
-
Michael Achenbach authored
NOTRY=true Bug: chromium:872230 Change-Id: I15534f533e43cd4bdeedcdac204776178886c48d Reviewed-on: https://chromium-review.googlesource.com/1166916Reviewed-by:
Michael Hablich <hablich@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#54989}
-
Deepti Gandluri authored
Bug: v8:8005 Change-Id: I07774c23a332dac96e30d1bfe471db311de46496 Reviewed-on: https://chromium-review.googlesource.com/1166543Reviewed-by:
Bill Budge <bbudge@chromium.org> Commit-Queue: Deepti Gandluri <gdeepti@chromium.org> Cr-Commit-Position: refs/heads/master@{#54988}
-
Sathya Gunasekaran authored
Also, fix one spec violation that checked for Name, but should just check for Strings. Bug: v8:8032, v8:7684 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Change-Id: Ib9ffa48b86b4da6e881eeec4eb24ec623345aae4 Reviewed-on: https://chromium-review.googlesource.com/1167042Reviewed-by:
Camillo Bruni <cbruni@chromium.org> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#54987}
-
Sigurd Schneider authored
This reverts commit f991465b. Reason for revert: test failure https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux64%20-%20internal%20snapshot/16696 Original change's description: > [wasm] Publish new code from the background threads. > > R=clemensh@chromium.org > BUG=v8:7921 > > Change-Id: Ib86cb5f742907b6e54365827facfc765867ca22e > Reviewed-on: https://chromium-review.googlesource.com/1156384 > Reviewed-by: Clemens Hammacher <clemensh@chromium.org> > Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> > Cr-Commit-Position: refs/heads/master@{#54985} TBR=mstarzinger@chromium.org,clemensh@chromium.org Change-Id: Id7b0f8ec208a0117f386e6e809ebe61125cf1119 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:7921 Reviewed-on: https://chromium-review.googlesource.com/1167522Reviewed-by:
Sigurd Schneider <sigurds@chromium.org> Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Cr-Commit-Position: refs/heads/master@{#54986}
-
Michael Starzinger authored
R=clemensh@chromium.org BUG=v8:7921 Change-Id: Ib86cb5f742907b6e54365827facfc765867ca22e Reviewed-on: https://chromium-review.googlesource.com/1156384Reviewed-by:
Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#54985}
-
Simon Zünd authored
This CL adds basic JS benchmarks for Array.p.copyWithin to get some feedback for the upcoming Torque implementation. R=jgruber@chromium.org Bug: v8:7624 Change-Id: Ic193a2b576d5fb7ac9f39db0379cece9144f979f Reviewed-on: https://chromium-review.googlesource.com/1167289Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Commit-Queue: Simon Zünd <szuend@google.com> Cr-Commit-Position: refs/heads/master@{#54984}
-
Predrag Rudic authored
Also, since trampoline code is position independent now, these builtins can be deleted from this list of Isolate dependent builtins. Bug: v8:7882 Change-Id: Ie65f739ebd3136993548e9737b22e7de0f09bf25 Reviewed-on: https://chromium-review.googlesource.com/1163513Reviewed-by:
Ivica Bogosavljevic <ibogosavljevic@wavecomp.com> Reviewed-by:
Michael Stanton <mvstanton@chromium.org> Commit-Queue: Ivica Bogosavljevic <ibogosavljevic@wavecomp.com> Cr-Commit-Position: refs/heads/master@{#54983}
-
Jaroslav Sevcik authored
The idea is to compute the slack before compilation start. Then we check that the slack tracking decision is the same at the end of compilation. If it is, we just commit to that slack tracking (by calling function->CompleteInobjectSlackTrackingIfActive). If the slack tracking decision changed, we will retry the compilation. This has several pieces: - Expose computation of slack and instance size from the object model. - Add compilation dependency on the slack tracking result. - Change create lowering to use the dependency. - Fix array creation to use the slack tracking result's instance size. Bug: v8:7790 Change-Id: Id975300cfd6c1786733cd7cbf55cc507c05738b2 Reviewed-on: https://chromium-review.googlesource.com/1164957Reviewed-by:
Georg Neis <neis@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#54982}
-
Marja Hölttä authored
This also allows us to get rid of Context::self_weak_cell. BUG=v8:7308 Change-Id: I1b450385b674a4ad90c116648880fcbce6454c55 Reviewed-on: https://chromium-review.googlesource.com/1167186 Commit-Queue: Marja Hölttä <marja@chromium.org> Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#54981}
-
Junliang Yan authored
Port d324382e and Port bd3f0a68 Original Commit Message: This is a reland of a462a785 Original change's description: > [turboassembler] Introduce hard-abort mode > > For checks and assertions (mostly for debug code, like stack alignment > or zero extension), we had two modes: Emit a call to the {Abort} > runtime function (the default), and emit a debug break (used for > testing, enabled via --trap-on-abort). > In wasm, where we cannot just call a runtime function because code must > be isolate independent, we always used the trap-on-abort behaviour. > This causes problems for our fuzzers, which do not catch SIGTRAP, and > hence do not detect debug code failures. > > This CL introduces a third mode ("hard abort"), which calls a C > function via {ExternalReference}. The C function still outputs the > abort reason, but does not print the stack trace. It then aborts via > "OS::Abort", just like the runtime function. > This will allow fuzzers to detect the crash and even find a nice error > message. > > Even though this looks like a lot of code churn, it is actually not. > Most added lines are new tests, and other changes are minimal. > > R=mstarzinger@chromium.org > > Bug: chromium:863799 > Change-Id: I77c58ff72db552d49014614436259ccfb49ba87b > Reviewed-on: https://chromium-review.googlesource.com/1142163 > Commit-Queue: Clemens Hammacher <clemensh@chromium.org> > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> > Cr-Commit-Position: refs/heads/master@{#54592} R=clemensh@chromium.org, joransiu@ca.ibm.com, michael_dawson@ca.ibm.com BUG= LOG=N Change-Id: I60023470fa07576fd313f628ade06e279d5f4927 Reviewed-on: https://chromium-review.googlesource.com/1165822 Commit-Queue: Junliang Yan <jyan@ca.ibm.com> Reviewed-by:
-
Michael Lippautz authored
Implement independent write barrier for contents of objects. Change-Id: I739745f524245fa61b2b1cd01263cc8fe3a3d373 Reviewed-on: https://chromium-review.googlesource.com/1152909 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by:
-
Camillo Bruni authored
Change-Id: I5effe97c53ccae3238a452fe2012926db45d2afe Reviewed-on: https://chromium-review.googlesource.com/1165222 Commit-Queue: Camillo Bruni <cbruni@chromium.org> Reviewed-by:
-
Michael Starzinger authored
R=sigurds@chromium.org Change-Id: I7df887f84024831b4c55b3468bd54429280dd14e Reviewed-on: https://chromium-review.googlesource.com/1167054Reviewed-by:
-
jgruber authored
This fills the padding between builtins in the embedded blob with a sequence of int3 instructions (ia32,x64). Drive-by: Unify code zapping. We can add better support for other architectures later. Bug: v8:6666 Change-Id: Ibcb120ec18a8062d7527e0c6fe5ca86869c0dad8 Reviewed-on: https://chromium-review.googlesource.com/1167050 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by:
Michael Lippautz <mlippautz@chromium.org> Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#54976}
-
Marja Hölttä authored
BUG=V8:7308 Change-Id: I4836aaca1474f08098120e6c17cc2b3bd65c70eb Reviewed-on: https://chromium-review.googlesource.com/1166914Reviewed-by:
Tobias Tebbi <tebbi@chromium.org> Reviewed-by:
-
Mike Stanton authored
Before, splice was implemented with a C++ fast path and a comprehensive JavaScript version. This impl. is entirely in Torque with a fastpath for SMI, DOUBLE and OBJECT arrays, and a comprehensive slow path. The same level of "sparse" array support as given by the array.js implementation is included. Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Change-Id: Ibfa3407ed75b9ad15ac54cce446b3952e38f90a9 Reviewed-on: https://chromium-review.googlesource.com/1039190Reviewed-by:
Yang Guo <yangguo@chromium.org> Reviewed-by:
-
Michael Starzinger authored
R=sigurds@chromium.org Change-Id: I1ca0e215da36400a8817bc8c8912ccfde8eca613 Reviewed-on: https://chromium-review.googlesource.com/1166911Reviewed-by:
-
Marja Hölttä authored
The parameter cannot be a WeakCell here anymore. BUG=v8:7308 Change-Id: Ie96312e0988e801d3bf52368d731e3b0cf9cc2dc Reviewed-on: https://chromium-review.googlesource.com/1167047Reviewed-by:
Toon Verwaest <verwaest@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#54972}
-
Michael Starzinger authored
This is the port of concurrent jump table patching support to ARM. It extends the corresponding stress test and changes the encoding of code targets in jump table slots to use constant pool entries. R=clemensh@chromium.org TEST=cctest/test-jump-table-assembler BUG=v8:8018 Change-Id: I4b709a7f14dace0f4eb9219f995d42ca607bb25f Reviewed-on: https://chromium-review.googlesource.com/1164952 Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by:
-
Predrag Rudic authored
In case of switching from non-optimized to optimized version of BranchLong macro, we forgot to take the instruction which is located in the branch delay slot of the unoptimized version and copy it to branch delay slot of the optimized version. This CL implements the missing functionality. Change-Id: I5e4adcccd0e85fd381a97eea8588e07bd8b045ef Reviewed-on: https://chromium-review.googlesource.com/1165082Reviewed-by:
-
Marja Hölttä authored
BUG=v8:7308 Change-Id: Icdbf7e786ce4ac19d73ab8e69bb57c0b19271b33 Reviewed-on: https://chromium-review.googlesource.com/1167043Reviewed-by:
-
Sergiy Byelozyorov authored
TBR=machenbach@google.om No-Try: true Bug: chromium:838864 Change-Id: Ic162e3fbd1c02b62cd8151bb5a598ca25db39d0b Reviewed-on: https://chromium-review.googlesource.com/1163721 Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org> Reviewed-by:
Sergiy Byelozyorov <sergiyb@chromium.org> Cr-Commit-Position: refs/heads/master@{#54968}
-
Clemens Hammacher authored
DCHECKs (defined in src/logging.h) should not be used in third_party code. This CL removes the only such use. R=marja@chromium.org Bug: v8:7754, v8:7965 Change-Id: I44196bd2d85e459e27c6a897f039f741edf1e2e1 Reviewed-on: https://chromium-review.googlesource.com/1158684Reviewed-by:
Marja Hölttä <marja@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#54967}
-
Michael Starzinger authored
We instantiate the JumpTableAssembler in patching mode (i.e. directly on existing code without an intermittent buffer). In this mode it is not possible to record reloc information. This makes sure we no longer just blindly write into the non-existing buffer. R=clemensh@chromium.org BUG=v8:8028 Change-Id: I4abb8f06cf819fef608e901c4740263f0cecd08a Reviewed-on: https://chromium-review.googlesource.com/1166834 Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by:
-
Sathya Gunasekaran authored
This patch ports most of the Intl.Collator from JS to C++. The Intl.Collator object no longer stores all the resolved values. Instead these are looked up on demand as part of Intl.Collator.prototype.resolvedOptions(), saving several words. In the future, we can cache the result of the resolvedOptions as well. In this patch, we use ICU to do parsing of the unicode extension in the bcp47 language tag instead of using a custom extension parser. This patch also fixes several spec compliance bugs as well. Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Change-Id: Iaaa7be4a628404da1bd83d882e04a2c6de70ebd9 Bug: v8:5751, v8:7480 Reviewed-on: https://chromium-review.googlesource.com/1165084 Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Reviewed-by:
-
Michael Starzinger authored
R=sigurds@chromium.org Change-Id: I2f8210a386fa39030c7ffe4c7d0f25bd845c612a Reviewed-on: https://chromium-review.googlesource.com/1166908 Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Reviewed-by:
-
Shiyu Zhang authored
Partial constant pool aims at reducing code size and only takes effect for shareable constants. Different from ARM’s constant pool, partial constant pool does not emit constant pools at the end of each code object. Instead, it keeps the first shareable constant inlined in the instructions and uses rip-relative memory loadings for the same constants in subsequent instructions. These rip-relative memory loadings will target at the position of the first inlined constant. For example: REX.W movq r10,0x7f9f75a32c20 ; 10 bytes … REX.W movq r10,0x7f9f75a32c20 ; 10 bytes … turns into REX.W movq r10,0x7f9f75a32c20 ; 10 bytes … REX.W movq r10,[rip+0xffffff96] ; 7 bytes … Change-Id: I25a417f6d82da96024989bddf0451d7df9340c00 Reviewed-on: https://chromium-review.googlesource.com/1082231Reviewed-by:
-
Michael Lippautz authored
Introduces a phase for marking wrappers in the atomic pause. The phase is opportunistic in a sense that it may no catch all wrappers. E.g. there may be wrappers discovered only after processing ephemerons. Bug: chromium:843903 Change-Id: Ic55fdcb37e3ff44156e4eca4c1c95919fc3fcd1d Reviewed-on: https://chromium-review.googlesource.com/1166835Reviewed-by:
-
Michael Achenbach authored
This prepares for reusing the driver logic for correctness testing. NOTRY=true Bug: chromium:866862 Change-Id: If901ca8552cf48f29e240ed5b52ea7e722e0e1e4 Reviewed-on: https://chromium-review.googlesource.com/1163608 Commit-Queue: Michael Achenbach <machenbach@chromium.org> Reviewed-by:
-
Michael Achenbach authored
This reverts commit 3c87d28b. Reason for revert: Offending test was disabled. Original change's description: > [CQ] Temporarily make node bot experimental > > TBR=yangguo@chromium.org > NOTRY=true > > Bug: v8:8027 > Change-Id: I3d4383dc4e2c0af25d4e51aba4f4d6695030248c > Reviewed-on: https://chromium-review.googlesource.com/1166823 > Reviewed-by: Michael Achenbach <machenbach@chromium.org> > Commit-Queue: Michael Achenbach <machenbach@chromium.org> > Cr-Commit-Position: refs/heads/master@{#54956} TBR=machenbach@chromium.org,yangguo@chromium.org Change-Id: I7d7620fc3a8049176e2eab355b65c32d7d06cd77 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:8027 Reviewed-on: https://chromium-review.googlesource.com/1166942Reviewed-by:
-
Georg Neis authored
This reverts commit 2f2ce7b7. Reason for revert: https://bugs.chromium.org/p/chromium/issues/detail?id=865494 Original change's description: > [turbofan] Remove optimization for NumberToString > > We used to have an optimized version for ToString on number nodes > which was allocating an object on the heap, therefore > preventing this code from being executed on the compiler thread. > Octane benchmark results show insignificant increase in performance > (< 0.5%) without this optimization - see > https://docs.google.com/spreadsheets/d/1MC5NrMoMSsqxZqw0ojoZvomBb7q2EOt1S0sFoJ8ld2c/edit#gid=1732639373 > which leads to the conclusion we can safely remove the optimization for now. > > Bug: v8:7790 > Change-Id: Ia1d53608f8d10ba20e0ff57cccb34583655382c6 > Reviewed-on: https://chromium-review.googlesource.com/1139063 > Commit-Queue: Maya Lekova <mslekova@chromium.org> > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> > Reviewed-by: Georg Neis <neis@chromium.org> > Cr-Commit-Position: refs/heads/master@{#54495} TBR=jarin@chromium.org,neis@chromium.org,mslekova@chromium.org # Not skipping CQ checks because original CL landed > 1 day ago. Bug: v8:7790, chromium:865494 Change-Id: I4b6c620e88c84ae889ce403fa46672db0d3b17c3 Reviewed-on: https://chromium-review.googlesource.com/1166783 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by:
-
Tobias Tebbi authored
This adds a typeswitch statement typeswitch (e) case (x1 : Type1) { ... } case (x2 : Type2) { } ... ... case (xn : TypeN) { ... } This checks to which of the given types the result of evaluating e can be cast, in the order in which they are listed. So if an earlier type matches, a value of this type won't reach a later case. The type-checks are performed by calling the cast<T>() macro. The type of the argument passed to the cast macro is dependent on the case and excludes all types checked earlier. For example, in const x : Object = ... typeswitch (x) case (x : Smi) { ... } case (x : HeapNumber) { ... } case (x : HeapObject) { ... } there will be calls to cast<Smi>(Object) and cast<HeapNumber>(HeapObject), because after the Smi check we know that x has to be a HeapObject. With the refactored base.tq definition of cast, this will generate efficient code and avoid repeating the Smi check in the second case. The type system ensures that all cases are reachable and that the type given to the last case is safe without a runtime check (in other words, the union of all checked types covers the type of e). The cases can also be written as case (Type) { ... } , in which case the switched value is not re-bound with the checked type. Bug: v8:7793 Change-Id: Iea4aed7465d62b445e3ae0d33f52921912e095e3 Reviewed-on: https://chromium-review.googlesource.com/1156506 Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Reviewed-by:Daniel Clifford <danno@chromium.org> Cr-Commit-Position: refs/heads/master@{#54958}
-
v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/60ce94a..8e67c4a Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/e19516b..ada05b3 Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/2ebf9fd..735f71d TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org Change-Id: I6af0db47405b4cd3352c62b42119523db0f904a4 Reviewed-on: https://chromium-review.googlesource.com/1166586Reviewed-by:
V8 Autoroller <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#54957}
-
Michael Achenbach authored
TBR=yangguo@chromium.org NOTRY=true Bug: v8:8027 Change-Id: I3d4383dc4e2c0af25d4e51aba4f4d6695030248c Reviewed-on: https://chromium-review.googlesource.com/1166823Reviewed-by:
-
Michael Achenbach authored
This reverts commit 690bda84. Reason for revert: Speculative revert for: https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8-Blink%20Linux%2064/25372 See more at: https://github.com/v8/v8/wiki/Blink-layout-tests Original change's description: > [Interpreter] Do not use IC slots for property load/stores in an IIFE and top-level code > > An IIFE or top-level code is executed only once hence, there is no need to collect > type feedback. We can save some memory by not using IC slots for property Loads/Stores > within a IIFE/top-level code. This CL emits Runtime Get/Set property calls instead of LdaNamedProperty > /StaNamedProperty for the property loads within a IIFE and top-level code. > > Change-Id: I3e0ce26d05d82bb3648cb9262c4e112a2c4556c9 > Reviewed-on: https://chromium-review.googlesource.com/1146579 > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> > Reviewed-by: Marja Hölttä <marja@chromium.org> > Reviewed-by: Camillo Bruni <cbruni@chromium.org> > Reviewed-by: Yang Guo <yangguo@chromium.org> > Commit-Queue: Chandan Reddy <chandanreddy@google.com> > Cr-Commit-Position: refs/heads/master@{#54949} TBR=rmcilroy@chromium.org,adamk@chromium.org,marja@chromium.org,yangguo@chromium.org,cbruni@chromium.org,leszeks@chromium.org,verwaest@chromium.org,chandanreddy@google.com Change-Id: I642164a72453189fd0fe92b69f199f958ce56bef No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/1166782Reviewed-by:
-
- 07 Aug, 2018 2 commits
-
-
Ulan Degenbaev authored
This reverts commit 719d23c0. Reason for revert: TSAN failures Original change's description: > Fix invalidation of old-to-old slots after object trimming. > > A recorded old-to-old slot may be overwritten with a pointer to a new > space object. If the object containing the slot is trimmed later on, > then the mark-compactor may crash on a stale pointer to new space. > > This patch ensures that: > 1) On trimming of an object we add it to the invalidated_slots sets. > 2) The InvalidatedSlotsFilter::IsValid returns false for slots outside > the invalidated object unless the page was already swept. > > Array left-trimming is handled as a special case because object start > moves and cannot be added to the invalidated set. Instead, we clear > the freed memory so that the recorded slots contain Smi values. > > Bug: chromium:870226,chromium:816426 > Change-Id: Iffc05a58fcf52ece45fdb085b5d1fd4b3acb5d53 > Reviewed-on: https://chromium-review.googlesource.com/1163784 > Commit-Queue: Ulan Degenbaev <ulan@chromium.org> > Reviewed-by: Hannes Payer <hpayer@chromium.org> > Reviewed-by: Michael Lippautz <mlippautz@chromium.org> > Cr-Commit-Position: refs/heads/master@{#54953} TBR=ulan@chromium.org,hpayer@chromium.org,mlippautz@chromium.org Change-Id: I2e1ff83c2db7902488951a8f597d38133aeb3b04 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: chromium:870226, chromium:816426 Reviewed-on: https://chromium-review.googlesource.com/1165862Reviewed-by:
-
Ulan Degenbaev authored
A recorded old-to-old slot may be overwritten with a pointer to a new space object. If the object containing the slot is trimmed later on, then the mark-compactor may crash on a stale pointer to new space. This patch ensures that: 1) On trimming of an object we add it to the invalidated_slots sets. 2) The InvalidatedSlotsFilter::IsValid returns false for slots outside the invalidated object unless the page was already swept. Array left-trimming is handled as a special case because object start moves and cannot be added to the invalidated set. Instead, we clear the freed memory so that the recorded slots contain Smi values. Bug: chromium:870226,chromium:816426 Change-Id: Iffc05a58fcf52ece45fdb085b5d1fd4b3acb5d53 Reviewed-on: https://chromium-review.googlesource.com/1163784 Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Reviewed-by:
Hannes Payer <hpayer@chromium.org> Reviewed-by:
-
