1. 14 Nov, 2019 1 commit
  2. 06 Nov, 2019 1 commit
  3. 09 Sep, 2019 1 commit
    • Ulan Degenbaev's avatar
      Reland x6 [arraybuffer] Rearchitect backing store ownership · b6b7de0d
      Ulan Degenbaev authored
      This reverts commit 9da34831
      
      Original change's description:
      > "Reland x4 [arraybuffer] Rearchitect backing store ownership"
      >
      > This is a reland of bc33f5ae
      >
      > Contributed by titzer@chromium.org
      >
      > Original change's description:
      > > [arraybuffer] Rearchitect backing store ownership
      > >
      > > This CL completely rearchitects the ownership of array buffer backing stores,
      > > consolidating ownership into a {BackingStore} C++ object that is tracked
      > > throughout V8 using unique_ptr and shared_ptr where appropriate.
      > >
      > > Overall, lifetime management is simpler and more explicit. The numerous
      > > ways that array buffers were initialized have been streamlined to one
      > > Attach() method on JSArrayBuffer. The array buffer tracker in the
      > > GC implementation now manages std::shared_ptr<BackingStore> pointers,
      > > and the construction and destruction of the BackingStore object itself
      > > handles the underlying page or embedder-allocated memory.
      > >
      > > The embedder API remains unchanged for now. We use the
      > > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
      > > keep the backing store alive properly, even in the case of aliases
      > > from live heap objects. Thus the embedder has a lower chance of making
      > > a mistake. Long-term, we should move the embedder to a model where they
      > > manage backing stores using shared_ptr to an opaque backing store object.
      >
      > TBR=yangguo@chromium.org
      >
      > BUG=v8:9380,v8:9221,chromium:986318
      >
      > Change-Id: If671a4a9ca0476e8f084efae46e0d2bf99ed99ef
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1731005
      > Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
      > Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
      > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
      
      > Cr-Commit-Position: refs/heads/master@{#63041}
      
      TBR=yangguo@chromium.org
      
      Change-Id: I3cc4bb80081c662b1751234bc16a821c20e744be
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1792166
      Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
      Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63617}
      b6b7de0d
  4. 30 Aug, 2019 1 commit
    • Ulan Degenbaev's avatar
      Revert "Reland x5 [arraybuffer] Rearchitect backing store ownership" · 9da34831
      Ulan Degenbaev authored
      This reverts commit 62e16830.
      
      Reason for revert: it will be relanded after branch
      
      Original change's description:
      > Reland x5 [arraybuffer] Rearchitect backing store ownership
      > 
      > This reverts commit 8fdb2387.
      > 
      > Original change's description:
      > > "Reland x4 [arraybuffer] Rearchitect backing store ownership"
      > >
      > > This is a reland of bc33f5ae
      > >
      > > Contributed by titzer@chromium.org
      > >
      > > Original change's description:
      > > > [arraybuffer] Rearchitect backing store ownership
      > > >
      > > > This CL completely rearchitects the ownership of array buffer backing stores,
      > > > consolidating ownership into a {BackingStore} C++ object that is tracked
      > > > throughout V8 using unique_ptr and shared_ptr where appropriate.
      > > >
      > > > Overall, lifetime management is simpler and more explicit. The numerous
      > > > ways that array buffers were initialized have been streamlined to one
      > > > Attach() method on JSArrayBuffer. The array buffer tracker in the
      > > > GC implementation now manages std::shared_ptr<BackingStore> pointers,
      > > > and the construction and destruction of the BackingStore object itself
      > > > handles the underlying page or embedder-allocated memory.
      > > >
      > > > The embedder API remains unchanged for now. We use the
      > > > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
      > > > keep the backing store alive properly, even in the case of aliases
      > > > from live heap objects. Thus the embedder has a lower chance of making
      > > > a mistake. Long-term, we should move the embedder to a model where they
      > > > manage backing stores using shared_ptr to an opaque backing store object.
      > >
      > > TBR=yangguo@chromium.org
      > >
      > > BUG=v8:9380,v8:9221,chromium:986318
      > >
      > > Change-Id: If671a4a9ca0476e8f084efae46e0d2bf99ed99ef
      > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1731005
      > > Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
      > > Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
      > > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
      > > Cr-Commit-Position: refs/heads/master@{#63041}
      > 
      > TBR=yangguo@chromium.org,clemensh@chromium.org,mstarzinger@chromium.org
      > 
      > Change-Id: Iba55c7ab71e5642b5cb6aeb699d6fc9cf9061486
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771795
      > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
      > Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#63461}
      
      TBR=ulan@chromium.org,mlippautz@chromium.org
      
      Change-Id: Id8f67a68ab398032eb2975b1b24ee125394d9c4b
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1776095Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
      Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63471}
      9da34831
  5. 29 Aug, 2019 1 commit
    • Ulan Degenbaev's avatar
      Reland x5 [arraybuffer] Rearchitect backing store ownership · 62e16830
      Ulan Degenbaev authored
      This reverts commit 8fdb2387.
      
      Original change's description:
      > "Reland x4 [arraybuffer] Rearchitect backing store ownership"
      >
      > This is a reland of bc33f5ae
      >
      > Contributed by titzer@chromium.org
      >
      > Original change's description:
      > > [arraybuffer] Rearchitect backing store ownership
      > >
      > > This CL completely rearchitects the ownership of array buffer backing stores,
      > > consolidating ownership into a {BackingStore} C++ object that is tracked
      > > throughout V8 using unique_ptr and shared_ptr where appropriate.
      > >
      > > Overall, lifetime management is simpler and more explicit. The numerous
      > > ways that array buffers were initialized have been streamlined to one
      > > Attach() method on JSArrayBuffer. The array buffer tracker in the
      > > GC implementation now manages std::shared_ptr<BackingStore> pointers,
      > > and the construction and destruction of the BackingStore object itself
      > > handles the underlying page or embedder-allocated memory.
      > >
      > > The embedder API remains unchanged for now. We use the
      > > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
      > > keep the backing store alive properly, even in the case of aliases
      > > from live heap objects. Thus the embedder has a lower chance of making
      > > a mistake. Long-term, we should move the embedder to a model where they
      > > manage backing stores using shared_ptr to an opaque backing store object.
      >
      > TBR=yangguo@chromium.org
      >
      > BUG=v8:9380,v8:9221,chromium:986318
      >
      > Change-Id: If671a4a9ca0476e8f084efae46e0d2bf99ed99ef
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1731005
      > Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
      > Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
      > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#63041}
      
      TBR=yangguo@chromium.org,clemensh@chromium.org,mstarzinger@chromium.org
      
      Change-Id: Iba55c7ab71e5642b5cb6aeb699d6fc9cf9061486
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771795Reviewed-by: 's avatarMichael Lippautz <mlippautz@chromium.org>
      Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63461}
      62e16830
  6. 05 Aug, 2019 1 commit
    • Ulan Degenbaev's avatar
      Revert ""Reland x4 [arraybuffer] Rearchitect backing store ownership"" · 8fdb2387
      Ulan Degenbaev authored
      This reverts commit 5611f70b.
      
      Reason for revert: flaky tests: v8:9588, v8:9587
      
      Original change's description:
      > "Reland x4 [arraybuffer] Rearchitect backing store ownership"
      > 
      > This is a reland of bc33f5ae
      > 
      > Contributed by titzer@chromium.org
      > 
      > Original change's description:
      > > [arraybuffer] Rearchitect backing store ownership
      > >
      > > This CL completely rearchitects the ownership of array buffer backing stores,
      > > consolidating ownership into a {BackingStore} C++ object that is tracked
      > > throughout V8 using unique_ptr and shared_ptr where appropriate.
      > >
      > > Overall, lifetime management is simpler and more explicit. The numerous
      > > ways that array buffers were initialized have been streamlined to one
      > > Attach() method on JSArrayBuffer. The array buffer tracker in the
      > > GC implementation now manages std::shared_ptr<BackingStore> pointers,
      > > and the construction and destruction of the BackingStore object itself
      > > handles the underlying page or embedder-allocated memory.
      > >
      > > The embedder API remains unchanged for now. We use the
      > > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
      > > keep the backing store alive properly, even in the case of aliases
      > > from live heap objects. Thus the embedder has a lower chance of making
      > > a mistake. Long-term, we should move the embedder to a model where they
      > > manage backing stores using shared_ptr to an opaque backing store object.
      > 
      > TBR=yangguo@chromium.org
      > 
      > BUG=v8:9380,v8:9221,chromium:986318
      > 
      > Change-Id: If671a4a9ca0476e8f084efae46e0d2bf99ed99ef
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1731005
      > Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
      > Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
      > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#63041}
      
      TBR=ulan@chromium.org,yangguo@chromium.org,mstarzinger@chromium.org,clemensh@chromium.org
      
      # Not skipping CQ checks because original CL landed > 1 day ago.
      
      Bug: v8:9380, v8:9221, chromium:986318
      Change-Id: Ic7381239f4e90d0c437b7e47a5ac6e8bce60f882
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1736747Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
      Reviewed-by: 's avatarClemens Hammacher <clemensh@chromium.org>
      Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63081}
      8fdb2387
  7. 02 Aug, 2019 1 commit
    • Ulan Degenbaev's avatar
      "Reland x4 [arraybuffer] Rearchitect backing store ownership" · 5611f70b
      Ulan Degenbaev authored
      This is a reland of bc33f5ae
      
      Contributed by titzer@chromium.org
      
      Original change's description:
      > [arraybuffer] Rearchitect backing store ownership
      >
      > This CL completely rearchitects the ownership of array buffer backing stores,
      > consolidating ownership into a {BackingStore} C++ object that is tracked
      > throughout V8 using unique_ptr and shared_ptr where appropriate.
      >
      > Overall, lifetime management is simpler and more explicit. The numerous
      > ways that array buffers were initialized have been streamlined to one
      > Attach() method on JSArrayBuffer. The array buffer tracker in the
      > GC implementation now manages std::shared_ptr<BackingStore> pointers,
      > and the construction and destruction of the BackingStore object itself
      > handles the underlying page or embedder-allocated memory.
      >
      > The embedder API remains unchanged for now. We use the
      > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
      > keep the backing store alive properly, even in the case of aliases
      > from live heap objects. Thus the embedder has a lower chance of making
      > a mistake. Long-term, we should move the embedder to a model where they
      > manage backing stores using shared_ptr to an opaque backing store object.
      
      TBR=yangguo@chromium.org
      
      BUG=v8:9380,v8:9221,chromium:986318
      
      Change-Id: If671a4a9ca0476e8f084efae46e0d2bf99ed99ef
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1731005
      Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
      Reviewed-by: 's avatarClemens Hammacher <clemensh@chromium.org>
      Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63041}
      5611f70b
  8. 31 Jul, 2019 2 commits
    • Francis McCabe's avatar
      Revert ""Reland x3 [arraybuffer] Rearchitect backing store ownership"" · 195679de
      Francis McCabe authored
      This reverts commit df8e6177.
      
      Reason for revert: Multiple flakes in apparently related areas:
      
      https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket.appspot.com/8906409837768155568/+/steps/Check__flakes_/0/logs/BackingStoreTest.RacyGrowWasmMem.../0
      
      Original change's description:
      > "Reland x3 [arraybuffer] Rearchitect backing store ownership"
      > 
      > This is a reland of bc33f5ae
      > 
      > Original change's description:
      > > [arraybuffer] Rearchitect backing store ownership
      > >
      > > This CL completely rearchitects the ownership of array buffer backing stores,
      > > consolidating ownership into a {BackingStore} C++ object that is tracked
      > > throughout V8 using unique_ptr and shared_ptr where appropriate.
      > >
      > > Overall, lifetime management is simpler and more explicit. The numerous
      > > ways that array buffers were initialized have been streamlined to one
      > > Attach() method on JSArrayBuffer. The array buffer tracker in the
      > > GC implementation now manages std::shared_ptr<BackingStore> pointers,
      > > and the construction and destruction of the BackingStore object itself
      > > handles the underlying page or embedder-allocated memory.
      > >
      > > The embedder API remains unchanged for now. We use the
      > > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
      > > keep the backing store alive properly, even in the case of aliases
      > > from live heap objects. Thus the embedder has a lower chance of making
      > > a mistake. Long-term, we should move the embedder to a model where they
      > > manage backing stores using shared_ptr to an opaque backing store object.
      > 
      > R=​mlippautz@chromium.org
      > BUG=v8:9380,v8:9221,chromium:986318
      > TBR=ulan@chromium.org
      > 
      > Change-Id: I6c49e2425029b5664ef1c68dab8b5146f4ed0ff2
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1719191
      > Reviewed-by: Ben Titzer <titzer@chromium.org>
      > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
      > Commit-Queue: Ben Titzer <titzer@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#63007}
      
      TBR=mstarzinger@chromium.org,titzer@chromium.org,mlippautz@chromium.org
      
      Change-Id: If0266e5893b1325a332d5986337fa7ece2cb6943
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: v8:9380, v8:9221, chromium:986318
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1729549Reviewed-by: 's avatarFrancis McCabe <fgm@chromium.org>
      Commit-Queue: Francis McCabe <fgm@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63011}
      195679de
    • Ben L. Titzer's avatar
      "Reland x3 [arraybuffer] Rearchitect backing store ownership" · df8e6177
      Ben L. Titzer authored
      This is a reland of bc33f5ae
      
      Original change's description:
      > [arraybuffer] Rearchitect backing store ownership
      >
      > This CL completely rearchitects the ownership of array buffer backing stores,
      > consolidating ownership into a {BackingStore} C++ object that is tracked
      > throughout V8 using unique_ptr and shared_ptr where appropriate.
      >
      > Overall, lifetime management is simpler and more explicit. The numerous
      > ways that array buffers were initialized have been streamlined to one
      > Attach() method on JSArrayBuffer. The array buffer tracker in the
      > GC implementation now manages std::shared_ptr<BackingStore> pointers,
      > and the construction and destruction of the BackingStore object itself
      > handles the underlying page or embedder-allocated memory.
      >
      > The embedder API remains unchanged for now. We use the
      > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
      > keep the backing store alive properly, even in the case of aliases
      > from live heap objects. Thus the embedder has a lower chance of making
      > a mistake. Long-term, we should move the embedder to a model where they
      > manage backing stores using shared_ptr to an opaque backing store object.
      
      R=mlippautz@chromium.org
      BUG=v8:9380,v8:9221,chromium:986318
      TBR=ulan@chromium.org
      
      Change-Id: I6c49e2425029b5664ef1c68dab8b5146f4ed0ff2
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1719191Reviewed-by: 's avatarBen Titzer <titzer@chromium.org>
      Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
      Commit-Queue: Ben Titzer <titzer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63007}
      df8e6177
  9. 23 Jul, 2019 1 commit
  10. 22 Jul, 2019 1 commit
    • Ben L. Titzer's avatar
      Reland "Reland "[arraybuffer] Rearchitect backing store ownership"" · 306cf403
      Ben L. Titzer authored
      This is a reland of bc33f5ae
      
      Original change's description:
      > Reland "[arraybuffer] Rearchitect backing store ownership"
      > 
      > This is a reland of 31cd5d83
      > 
      > Original change's description:
      > > [arraybuffer] Rearchitect backing store ownership
      > > 
      > > This CL completely rearchitects the ownership of array buffer backing stores,
      > > consolidating ownership into a {BackingStore} C++ object that is tracked
      > > throughout V8 using unique_ptr and shared_ptr where appropriate.
      > > 
      > > Overall, lifetime management is simpler and more explicit. The numerous
      > > ways that array buffers were initialized have been streamlined to one
      > > Attach() method on JSArrayBuffer. The array buffer tracker in the
      > > GC implementation now manages std::shared_ptr<BackingStore> pointers,
      > > and the construction and destruction of the BackingStore object itself
      > > handles the underlying page or embedder-allocated memory.
      > > 
      > > The embedder API remains unchanged for now. We use the
      > > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
      > > keep the backing store alive properly, even in the case of aliases
      > > from live heap objects. Thus the embedder has a lower chance of making
      > > a mistake. Long-term, we should move the embedder to a model where they
      > > manage backing stores using shared_ptr to an opaque backing store object.
      > > 
      > > R=mlippautz@chromium.org
      > > BUG=v8:9380,v8:9221
      > > 
      > > Change-Id: I48fae5ac85dcf6172a83f252439e77e7c1a16ccd
      > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1584323
      > > Commit-Queue: Ben Titzer <titzer@chromium.org>
      > > Reviewed-by: Ben Titzer <titzer@chromium.org>
      > > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
      > > Reviewed-by: Yang Guo <yangguo@chromium.org>
      > > Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
      > > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
      > > Cr-Commit-Position: refs/heads/master@{#62572}
      > 
      > Bug: v8:9380, v8:9221
      > Change-Id: If3f72967a8ebeb067c0edcfc16ed631e36829dbc
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1691906
      > Commit-Queue: Ben Titzer <titzer@chromium.org>
      > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
      > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
      > Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
      > Reviewed-by: Yang Guo <yangguo@chromium.org>
      > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#62809}
      
      Bug: v8:9380, v8:9221
      Change-Id: I9a2525753ae2424108d074fa81df5f25d945c824
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709409
      Commit-Queue: Ben Titzer <titzer@chromium.org>
      Reviewed-by: 's avatarYang Guo <yangguo@chromium.org>
      Reviewed-by: 's avatarMichael Lippautz <mlippautz@chromium.org>
      Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
      Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#62847}
      306cf403
  11. 18 Jul, 2019 2 commits
    • Clemens Hammacher's avatar
      Revert "Reland "[arraybuffer] Rearchitect backing store ownership"" · 6e0473f3
      Clemens Hammacher authored
      This reverts commit bc33f5ae.
      
      Reason for revert: Still failing (OOM on win32): https://ci.chromium.org/p/v8/builders/ci/V8%20Win32/22210
      
      Original change's description:
      > Reland "[arraybuffer] Rearchitect backing store ownership"
      > 
      > This is a reland of 31cd5d83
      > 
      > Original change's description:
      > > [arraybuffer] Rearchitect backing store ownership
      > > 
      > > This CL completely rearchitects the ownership of array buffer backing stores,
      > > consolidating ownership into a {BackingStore} C++ object that is tracked
      > > throughout V8 using unique_ptr and shared_ptr where appropriate.
      > > 
      > > Overall, lifetime management is simpler and more explicit. The numerous
      > > ways that array buffers were initialized have been streamlined to one
      > > Attach() method on JSArrayBuffer. The array buffer tracker in the
      > > GC implementation now manages std::shared_ptr<BackingStore> pointers,
      > > and the construction and destruction of the BackingStore object itself
      > > handles the underlying page or embedder-allocated memory.
      > > 
      > > The embedder API remains unchanged for now. We use the
      > > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
      > > keep the backing store alive properly, even in the case of aliases
      > > from live heap objects. Thus the embedder has a lower chance of making
      > > a mistake. Long-term, we should move the embedder to a model where they
      > > manage backing stores using shared_ptr to an opaque backing store object.
      > > 
      > > R=mlippautz@chromium.org
      > > BUG=v8:9380,v8:9221
      > > 
      > > Change-Id: I48fae5ac85dcf6172a83f252439e77e7c1a16ccd
      > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1584323
      > > Commit-Queue: Ben Titzer <titzer@chromium.org>
      > > Reviewed-by: Ben Titzer <titzer@chromium.org>
      > > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
      > > Reviewed-by: Yang Guo <yangguo@chromium.org>
      > > Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
      > > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
      > > Cr-Commit-Position: refs/heads/master@{#62572}
      > 
      > Bug: v8:9380, v8:9221
      > Change-Id: If3f72967a8ebeb067c0edcfc16ed631e36829dbc
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1691906
      > Commit-Queue: Ben Titzer <titzer@chromium.org>
      > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
      > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
      > Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
      > Reviewed-by: Yang Guo <yangguo@chromium.org>
      > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#62809}
      
      TBR=ulan@chromium.org,yangguo@chromium.org,mstarzinger@chromium.org,titzer@chromium.org,gdeepti@chromium.org,mlippautz@chromium.org
      
      Change-Id: Iea755df9aaa1e95d284135bd0a6681b1340b6832
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: v8:9380, v8:9221
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708487Reviewed-by: 's avatarClemens Hammacher <clemensh@chromium.org>
      Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#62811}
      6e0473f3
    • Ben L. Titzer's avatar
      Reland "[arraybuffer] Rearchitect backing store ownership" · bc33f5ae
      Ben L. Titzer authored
      This is a reland of 31cd5d83
      
      Original change's description:
      > [arraybuffer] Rearchitect backing store ownership
      > 
      > This CL completely rearchitects the ownership of array buffer backing stores,
      > consolidating ownership into a {BackingStore} C++ object that is tracked
      > throughout V8 using unique_ptr and shared_ptr where appropriate.
      > 
      > Overall, lifetime management is simpler and more explicit. The numerous
      > ways that array buffers were initialized have been streamlined to one
      > Attach() method on JSArrayBuffer. The array buffer tracker in the
      > GC implementation now manages std::shared_ptr<BackingStore> pointers,
      > and the construction and destruction of the BackingStore object itself
      > handles the underlying page or embedder-allocated memory.
      > 
      > The embedder API remains unchanged for now. We use the
      > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
      > keep the backing store alive properly, even in the case of aliases
      > from live heap objects. Thus the embedder has a lower chance of making
      > a mistake. Long-term, we should move the embedder to a model where they
      > manage backing stores using shared_ptr to an opaque backing store object.
      > 
      > R=mlippautz@chromium.org
      > BUG=v8:9380,v8:9221
      > 
      > Change-Id: I48fae5ac85dcf6172a83f252439e77e7c1a16ccd
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1584323
      > Commit-Queue: Ben Titzer <titzer@chromium.org>
      > Reviewed-by: Ben Titzer <titzer@chromium.org>
      > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
      > Reviewed-by: Yang Guo <yangguo@chromium.org>
      > Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
      > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#62572}
      
      Bug: v8:9380, v8:9221
      Change-Id: If3f72967a8ebeb067c0edcfc16ed631e36829dbc
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1691906
      Commit-Queue: Ben Titzer <titzer@chromium.org>
      Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
      Reviewed-by: 's avatarMichael Lippautz <mlippautz@chromium.org>
      Reviewed-by: 's avatarDeepti Gandluri <gdeepti@chromium.org>
      Reviewed-by: 's avatarYang Guo <yangguo@chromium.org>
      Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#62809}
      bc33f5ae
  12. 08 Jul, 2019 2 commits
    • Clemens Hammacher's avatar
      Revert "[arraybuffer] Rearchitect backing store ownership" · bf92fbf4
      Clemens Hammacher authored
      This reverts commit 31cd5d83.
      
      Reason for revert: It breaks my heart to revert this, but it fails differently on several bots, e.g. https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20debug/26671.
      
      Original change's description:
      > [arraybuffer] Rearchitect backing store ownership
      > 
      > This CL completely rearchitects the ownership of array buffer backing stores,
      > consolidating ownership into a {BackingStore} C++ object that is tracked
      > throughout V8 using unique_ptr and shared_ptr where appropriate.
      > 
      > Overall, lifetime management is simpler and more explicit. The numerous
      > ways that array buffers were initialized have been streamlined to one
      > Attach() method on JSArrayBuffer. The array buffer tracker in the
      > GC implementation now manages std::shared_ptr<BackingStore> pointers,
      > and the construction and destruction of the BackingStore object itself
      > handles the underlying page or embedder-allocated memory.
      > 
      > The embedder API remains unchanged for now. We use the
      > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
      > keep the backing store alive properly, even in the case of aliases
      > from live heap objects. Thus the embedder has a lower chance of making
      > a mistake. Long-term, we should move the embedder to a model where they
      > manage backing stores using shared_ptr to an opaque backing store object.
      > 
      > R=​mlippautz@chromium.org
      > BUG=v8:9380,v8:9221
      > 
      > Change-Id: I48fae5ac85dcf6172a83f252439e77e7c1a16ccd
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1584323
      > Commit-Queue: Ben Titzer <titzer@chromium.org>
      > Reviewed-by: Ben Titzer <titzer@chromium.org>
      > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
      > Reviewed-by: Yang Guo <yangguo@chromium.org>
      > Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
      > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#62572}
      
      TBR=ulan@chromium.org,yangguo@chromium.org,mstarzinger@chromium.org,titzer@chromium.org,gdeepti@chromium.org,mlippautz@chromium.org
      
      Change-Id: Ib35788ba8c31192d90cbc72df3dbc41030f109de
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: v8:9380, v8:9221
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1691034Reviewed-by: 's avatarClemens Hammacher <clemensh@chromium.org>
      Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#62578}
      bf92fbf4
    • Ben L. Titzer's avatar
      [arraybuffer] Rearchitect backing store ownership · 31cd5d83
      Ben L. Titzer authored
      This CL completely rearchitects the ownership of array buffer backing stores,
      consolidating ownership into a {BackingStore} C++ object that is tracked
      throughout V8 using unique_ptr and shared_ptr where appropriate.
      
      Overall, lifetime management is simpler and more explicit. The numerous
      ways that array buffers were initialized have been streamlined to one
      Attach() method on JSArrayBuffer. The array buffer tracker in the
      GC implementation now manages std::shared_ptr<BackingStore> pointers,
      and the construction and destruction of the BackingStore object itself
      handles the underlying page or embedder-allocated memory.
      
      The embedder API remains unchanged for now. We use the
      v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
      keep the backing store alive properly, even in the case of aliases
      from live heap objects. Thus the embedder has a lower chance of making
      a mistake. Long-term, we should move the embedder to a model where they
      manage backing stores using shared_ptr to an opaque backing store object.
      
      R=mlippautz@chromium.org
      BUG=v8:9380,v8:9221
      
      Change-Id: I48fae5ac85dcf6172a83f252439e77e7c1a16ccd
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1584323
      Commit-Queue: Ben Titzer <titzer@chromium.org>
      Reviewed-by: 's avatarBen Titzer <titzer@chromium.org>
      Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
      Reviewed-by: 's avatarYang Guo <yangguo@chromium.org>
      Reviewed-by: 's avatarDeepti Gandluri <gdeepti@chromium.org>
      Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
      Reviewed-by: 's avatarMichael Lippautz <mlippautz@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#62572}
      31cd5d83
  13. 26 Jun, 2019 1 commit
  14. 27 May, 2019 3 commits
    • Benedikt Meurer's avatar
      Reland "[typedarray] Move external/data pointer to JSTypedArray." · 70bd7cf0
      Benedikt Meurer authored
      This is a reland of 4b86fea5 with
      copy&paste typo in CodeStubAssembler::AllocateByteArray() fixed
      (bug led to holes in new space, which was crashing reproducibly
      on the ia32 bot).
      
      Original change's description:
      > [typedarray] Move external/data pointer to JSTypedArray.
      >
      > As the next step in supporting huge typed arrays in V8, this moves the
      > external/data pointer from the FixedTypedArrayBase backing store to the
      > JSTypedArray instance itself, and replaces the special backing stores
      > with a plain ByteArray (removing all the code for the FixedTypedArrayBase
      > class hierarchy). By doing so, we can drastically simplify the system
      > around typed arrays.
      >
      > Note: Several places in the code base used to check the instance type
      > of the elements backing store of a JSTypedArray instead of checking the
      > elements kind on the JSTypedArray map directly. Those had to be fixed,
      > since the backing store is now always a ByteArray.
      >
      > Drive-by-fix: Move all the typed elements access related code into the
      > elements.cc file to properly encapsulate the accesses.
      >
      > Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
      > Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
      > Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646
      > Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535
      > Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > Reviewed-by: Simon Zünd <szuend@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#61855}
      
      Tbr: petermarshall@chromium.org
      Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
      Change-Id: I87fcdb28532c5f08cc227332a4d59546cb423810
      Cq-Include-Trybots: luci.chromium.try:linux-rel, win7-rel
      Cq-Include-Trybots: luci.v8.try:v8_linux_shared_compile_rel
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631592Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#61864}
      70bd7cf0
    • Clemens Hammacher's avatar
      Revert "[typedarray] Move external/data pointer to JSTypedArray." · e4db146a
      Clemens Hammacher authored
      This reverts commit 4b86fea5.
      
      Reason for revert: Fails on linux shared: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20shared/31045
      
      Original change's description:
      > [typedarray] Move external/data pointer to JSTypedArray.
      > 
      > As the next step in supporting huge typed arrays in V8, this moves the
      > external/data pointer from the FixedTypedArrayBase backing store to the
      > JSTypedArray instance itself, and replaces the special backing stores
      > with a plain ByteArray (removing all the code for the FixedTypedArrayBase
      > class hierarchy). By doing so, we can drastically simplify the system
      > around typed arrays.
      > 
      > Note: Several places in the code base used to check the instance type
      > of the elements backing store of a JSTypedArray instead of checking the
      > elements kind on the JSTypedArray map directly. Those had to be fixed,
      > since the backing store is now always a ByteArray.
      > 
      > Drive-by-fix: Move all the typed elements access related code into the
      > elements.cc file to properly encapsulate the accesses.
      > 
      > Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
      > Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
      > Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646
      > Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535
      > Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > Reviewed-by: Simon Zünd <szuend@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#61855}
      
      TBR=ulan@chromium.org,yangguo@chromium.org,titzer@chromium.org,sigurds@chromium.org,petermarshall@chromium.org,bmeurer@chromium.org,szuend@chromium.org
      
      Change-Id: I0bc1f935de6063acf75a0f4bb8c0ba67428603fd
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
      Cq-Include-Trybots: luci.chromium.try:linux-rel, win7-rel
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631427Reviewed-by: 's avatarClemens Hammacher <clemensh@chromium.org>
      Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#61856}
      e4db146a
    • Benedikt Meurer's avatar
      [typedarray] Move external/data pointer to JSTypedArray. · 4b86fea5
      Benedikt Meurer authored
      As the next step in supporting huge typed arrays in V8, this moves the
      external/data pointer from the FixedTypedArrayBase backing store to the
      JSTypedArray instance itself, and replaces the special backing stores
      with a plain ByteArray (removing all the code for the FixedTypedArrayBase
      class hierarchy). By doing so, we can drastically simplify the system
      around typed arrays.
      
      Note: Several places in the code base used to check the instance type
      of the elements backing store of a JSTypedArray instead of checking the
      elements kind on the JSTypedArray map directly. Those had to be fixed,
      since the backing store is now always a ByteArray.
      
      Drive-by-fix: Move all the typed elements access related code into the
      elements.cc file to properly encapsulate the accesses.
      
      Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
      Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
      Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646
      Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarPeter Marshall <petermarshall@chromium.org>
      Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
      Reviewed-by: 's avatarSimon Zünd <szuend@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#61855}
      4b86fea5
  15. 23 May, 2019 2 commits
  16. 22 May, 2019 1 commit
  17. 21 May, 2019 1 commit
  18. 20 May, 2019 2 commits
  19. 17 May, 2019 2 commits
  20. 07 May, 2019 1 commit
    • Peter Marshall's avatar
      Reland "[typedarray] Make JSTypedArray::length authoritative." · 330e5ba2
      Peter Marshall authored
      This is a reland of ad44c258
      
      Patchset 2 is the original CL
      Patchset 3 fixes some misuses of FixedArrayBase::length() and adds some
      DCHECKS to flush out any more misuses.
      Patchset 4 adds the PPC/S390 port by miladfar@ca.ibm.com.
      
      Original change's description:
      > [typedarray] Make JSTypedArray::length authoritative.
      >
      > This is the first step towards full huge typed array support in V8.
      > Before this change, the JSTypedArray::length and the elements backing
      > store length (FixedTypedArrayBase::length) were used more or less
      > interchangeably to determine the number of elements in a JSTypedArray.
      >
      > With this change we disentangle these two lengths, and instead make
      > JSTypedArray::length authoritative. For on-heap typed arrays, the
      > FixedTypedArrayBase::length will remain the number of elements in the
      > backing store, but for the off-heap typed arrays, this length will be
      > set to 0 (matching the fact that the FixedTypedArrayBase instance does
      > not contain any elements itself).
      >
      > This also unifies the JSTypedArray::set_/length() and length_value()
      > methods to only have JSTypedArray::set_/length() which returns/takes
      > size_t values. Currently this still requires the values to be in Smi
      > range, but later we will extend this to allow arbitrary size_t values
      > (in the safe integer range).
      >
      > Bug: v8:4153, v8:7881
      > Change-Id: Iff9089130bb31fa9e08e0cf913e7ab52c3dbf107
      > Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
      > Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1543729
      > Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > Reviewed-by: Ben Titzer <titzer@chromium.org>
      > Reviewed-by: Hannes Payer <hpayer@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#60648}
      
      Bug: v8:4153, v8:7881, v8:9105
      Change-Id: Ic38f833071a723642ebc6f82a4012dbc0878ef98
      Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1594435Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarHannes Payer <hpayer@chromium.org>
      Commit-Queue: Peter Marshall <petermarshall@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#61275}
      330e5ba2
  21. 02 May, 2019 1 commit
    • Peter Marshall's avatar
      Revert "[typedarray] Make JSTypedArray::length authoritative." · 18100666
      Peter Marshall authored
      This reverts commit ad44c258.
      
      Reason for revert: Missed some users: crbug.com/v8/9105
      
      Original change's description:
      > [typedarray] Make JSTypedArray::length authoritative.
      >
      > This is the first step towards full huge typed array support in V8.
      > Before this change, the JSTypedArray::length and the elements backing
      > store length (FixedTypedArrayBase::length) were used more or less
      > interchangeably to determine the number of elements in a JSTypedArray.
      >
      > With this change we disentangle these two lengths, and instead make
      > JSTypedArray::length authoritative. For on-heap typed arrays, the
      > FixedTypedArrayBase::length will remain the number of elements in the
      > backing store, but for the off-heap typed arrays, this length will be
      > set to 0 (matching the fact that the FixedTypedArrayBase instance does
      > not contain any elements itself).
      >
      > This also unifies the JSTypedArray::set_/length() and length_value()
      > methods to only have JSTypedArray::set_/length() which returns/takes
      > size_t values. Currently this still requires the values to be in Smi
      > range, but later we will extend this to allow arbitrary size_t values
      > (in the safe integer range).
      >
      > Bug: v8:4153, v8:7881
      > Change-Id: Iff9089130bb31fa9e08e0cf913e7ab52c3dbf107
      > Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
      > Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1543729
      > Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      > Reviewed-by: Ben Titzer <titzer@chromium.org>
      > Reviewed-by: Hannes Payer <hpayer@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#60648}
      
      TBR=jarin@chromium.org,titzer@chromium.org,hpayer@chromium.org,petermarshall@chromium.org,bmeurer@chromium.org
      
      # Not skipping CQ checks because original CL landed > 1 day ago.
      
      TBR=jarin@chromium.org, szuend@chromium.org
      
      Bug: v8:4153, v8:7881
      Change-Id: I96992bff15b4a2765ae4a557d2c37e78269c927d
      Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593294
      Commit-Queue: Peter Marshall <petermarshall@chromium.org>
      Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Reviewed-by: 's avatarPeter Marshall <petermarshall@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#61172}
      18100666
  22. 25 Apr, 2019 3 commits
    • Simon Zünd's avatar
      Reland "[typedarray] Fix crash when sorting SharedArrayBuffers" · ff3a26af
      Simon Zünd authored
      This is a reland of 3d846115
      
      Reland changes mjsunit.status to skip the regression test on
      all bots except ASAN.
      
      Original change's description:
      > [typedarray] Fix crash when sorting SharedArrayBuffers
      >
      > TypedArray#sort has a fast-path when the user does not provide a
      > comparison function. This fast-path utilizes std::sort which operates
      > directly on the raw data. Per spec, std::sort requires the "less than"
      > operation to be anti-symmetric and transitive.
      >
      > When sorting SharedArrayBuffers (SAB) that are concurrently modified during
      > sorting, the "less than" operator stops being consistent as the
      > underlying data is constantly modified. This breaks some invariants
      > in std::sort resulting in infinite loops or straight out segfaults.
      >
      > This CL fixes this by copying the data before sorting SABs and
      > writing the sorted result back.
      >
      > Note: The added regression test is tailored for ASAN bots as a
      > normal build would need too many iterations to consistently crash.
      >
      > R=neis@chromium.org, petermarshall@chromium.org
      >
      > Bug: v8:9161
      > Change-Id: Ic089928652f75865bfdb11e7453806faa6ecb988
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581641
      > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > Reviewed-by: Georg Neis <neis@chromium.org>
      > Commit-Queue: Simon Zünd <szuend@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#61004}
      
      Bug: v8:9161
      Change-Id: Idffc3fbb5f28f4966c8f1ac6770d5b5d6003a7e7
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1583726Reviewed-by: 's avatarPeter Marshall <petermarshall@chromium.org>
      Commit-Queue: Simon Zünd <szuend@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#61011}
      ff3a26af
    • Michael Achenbach's avatar
      Revert "[typedarray] Fix crash when sorting SharedArrayBuffers" · a5941ac9
      Michael Achenbach authored
      This reverts commit 3d846115.
      
      Reason for revert: The test hangs flakily on windows:
      https://ci.chromium.org/p/v8/builders/ci/V8%20Win32/20612
      https://ci.chromium.org/p/v8/builders/ci/V8%20Win32%20-%20nosnap%20-%20shared/33147
      https://ci.chromium.org/p/v8/builders/ci/V8%20Win32%20-%20debug/19945
      
      Original change's description:
      > [typedarray] Fix crash when sorting SharedArrayBuffers
      > 
      > TypedArray#sort has a fast-path when the user does not provide a
      > comparison function. This fast-path utilizes std::sort which operates
      > directly on the raw data. Per spec, std::sort requires the "less than"
      > operation to be anti-symmetric and transitive.
      > 
      > When sorting SharedArrayBuffers (SAB) that are concurrently modified during
      > sorting, the "less than" operator stops being consistent as the
      > underlying data is constantly modified. This breaks some invariants
      > in std::sort resulting in infinite loops or straight out segfaults.
      > 
      > This CL fixes this by copying the data before sorting SABs and
      > writing the sorted result back.
      > 
      > Note: The added regression test is tailored for ASAN bots as a
      > normal build would need too many iterations to consistently crash.
      > 
      > R=​neis@chromium.org, petermarshall@chromium.org
      > 
      > Bug: v8:9161
      > Change-Id: Ic089928652f75865bfdb11e7453806faa6ecb988
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581641
      > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > Reviewed-by: Georg Neis <neis@chromium.org>
      > Commit-Queue: Simon Zünd <szuend@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#61004}
      
      TBR=neis@chromium.org,petermarshall@chromium.org,szuend@chromium.org
      
      Change-Id: I046da3e4228bb1a8a3aa89d9c9d8de11875a9273
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: v8:9161
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1583725Reviewed-by: 's avatarMichael Achenbach <machenbach@chromium.org>
      Commit-Queue: Michael Achenbach <machenbach@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#61007}
      a5941ac9
    • Simon Zünd's avatar
      [typedarray] Fix crash when sorting SharedArrayBuffers · 3d846115
      Simon Zünd authored
      TypedArray#sort has a fast-path when the user does not provide a
      comparison function. This fast-path utilizes std::sort which operates
      directly on the raw data. Per spec, std::sort requires the "less than"
      operation to be anti-symmetric and transitive.
      
      When sorting SharedArrayBuffers (SAB) that are concurrently modified during
      sorting, the "less than" operator stops being consistent as the
      underlying data is constantly modified. This breaks some invariants
      in std::sort resulting in infinite loops or straight out segfaults.
      
      This CL fixes this by copying the data before sorting SABs and
      writing the sorted result back.
      
      Note: The added regression test is tailored for ASAN bots as a
      normal build would need too many iterations to consistently crash.
      
      R=neis@chromium.org, petermarshall@chromium.org
      
      Bug: v8:9161
      Change-Id: Ic089928652f75865bfdb11e7453806faa6ecb988
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581641Reviewed-by: 's avatarPeter Marshall <petermarshall@chromium.org>
      Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
      Commit-Queue: Simon Zünd <szuend@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#61004}
      3d846115
  23. 05 Apr, 2019 1 commit
    • Benedikt Meurer's avatar
      [typedarray] Make JSTypedArray::length authoritative. · ad44c258
      Benedikt Meurer authored
      This is the first step towards full huge typed array support in V8.
      Before this change, the JSTypedArray::length and the elements backing
      store length (FixedTypedArrayBase::length) were used more or less
      interchangeably to determine the number of elements in a JSTypedArray.
      
      With this change we disentangle these two lengths, and instead make
      JSTypedArray::length authoritative. For on-heap typed arrays, the
      FixedTypedArrayBase::length will remain the number of elements in the
      backing store, but for the off-heap typed arrays, this length will be
      set to 0 (matching the fact that the FixedTypedArrayBase instance does
      not contain any elements itself).
      
      This also unifies the JSTypedArray::set_/length() and length_value()
      methods to only have JSTypedArray::set_/length() which returns/takes
      size_t values. Currently this still requires the values to be in Smi
      range, but later we will extend this to allow arbitrary size_t values
      (in the safe integer range).
      
      Bug: v8:4153, v8:7881
      Change-Id: Iff9089130bb31fa9e08e0cf913e7ab52c3dbf107
      Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
      Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1543729
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarPeter Marshall <petermarshall@chromium.org>
      Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
      Reviewed-by: 's avatarBen Titzer <titzer@chromium.org>
      Reviewed-by: 's avatarHannes Payer <hpayer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#60648}
      ad44c258
  24. 19 Mar, 2019 2 commits
  25. 11 Dec, 2018 1 commit
  26. 13 Nov, 2018 1 commit
  27. 11 Oct, 2018 1 commit
  28. 13 Sep, 2018 1 commit
  29. 17 Aug, 2018 1 commit