1. 24 Apr, 2020 2 commits
    • Timothy Gu's avatar
      Reland "[builtins] Clean up the use of class_name / ES5 [[Class]]" · 1aa51b49
      Timothy Gu authored
      This is a reland of 29c1eab9
      
      Original change's description:
      > [builtins] Clean up the use of class_name / ES5 [[Class]]
      >
      > Before ES2015, the ES spec had a [[Class]] internal slot for all
      > objects, which Object.prototype.toString() would use to figure the
      > returned string. Post-ES2015, the [[Class]] slot was removed in spec for
      > all objects, with the @@toStringTag well-known symbol the proper way to
      > change Object.prototype.toString() output.
      >
      > At the time, spec-identical handling without the use of [[Class]] was
      > implemented in V8 for all objects other than API objects, where issues
      > with the Web IDL spec [1] prevented Blink, and hence V8, to totally
      > migrate to @@toStringTag. However, since 2016 [2] Blink has been setting
      > @@toStringTag on API class prototypes to manage the
      > Object.prototype.toString() output, so the legacy [[Class]] handling in
      > V8 has not been necessary for the past couple of years.
      >
      > This CL removes the remaining legacy [[Class]] handling in
      > Object.prototype.toString(), JSReceiver::class_name(), and
      > GetConstructorName(). However, it does not remove the class_name field
      > in FunctionTemplateInfo, as it is still used for the `name` property of
      > created functions.
      >
      > This CL also cleans up other places in the codebase that still reference
      > [[Class]].
      >
      > This change should have minimal impact on web-compatibility. For the
      > change to be observable, a script must do one of the following:
      >
      > 1. delete APIConstructor.prototype[Symbol.toStringTag];
      > 2. Object.setPrototypeOf(apiObject, somethingElse);
      >
      > Before this CL, these changes will not change the apiObject.toString()
      > output. But after this CL, they will make apiObject.toString() show
      > "[object Object]" (in the first case) or the @@toStringTag of the other
      > prototype (in the latter case).
      >
      > However, both are deemed unlikely. @@toStringTag is not well-known
      > feature of JavaScript, nor does it get tampered much on API
      > constructors. In the second case, setting the prototype of an API object
      > would effectly render the object useless, as all its methods (including
      > property getters/setters) would no longer be accessible.
      >
      > Currently, @@toStringTag-based API object branding is not yet
      > implemented by other browsers. This V8 bug in particular has been an
      > impediment to standardizing toString behavior. Fixing this bug will
      > unblock [3] and lead to a better Web IDL spec, and better toString()
      > compatibility for all.
      >
      > [1]: https://www.w3.org/Bugs/Public/show_bug.cgi?id=28244
      > [2]: https://crrev.com/909c0d7d5a53c8526ded351683c65ea7d17531d4
      > [3]: https://github.com/heycam/webidl/pull/357
      >
      > Bug: chromium:793406
      > Cq-Include-Trybots: luci.chromium.try:linux-rel
      > Change-Id: Iceded24e37afa2646ec385d5018909f55b177f93
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2146996
      > Commit-Queue: Timothy Gu <timothygu@chromium.org>
      > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#67327}
      
      Bug: chromium:793406
      Change-Id: Ia5d97bd4e1c44cadc6f18a17ffc9d06b038cf8f1
      Cq-Include-Trybots: luci.chromium.try:linux-rel
      Cq-Include-Trybots: luci.v8.try:v8_linux_blink_rel
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2163881
      Auto-Submit: Timothy Gu <timothygu@chromium.org>
      Commit-Queue: Toon Verwaest <verwaest@chromium.org>
      Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67361}
      1aa51b49
    • Bill Budge's avatar
      Revert "[builtins] Clean up the use of class_name / ES5 [[Class]]" · 213016d6
      Bill Budge authored
      This reverts commit 29c1eab9.
      
      Reason for revert: Causes Blink test failures:
      https://ci.chromium.org/p/v8/builders/ci/V8%20Blink%20Linux/4222
      
      Original change's description:
      > [builtins] Clean up the use of class_name / ES5 [[Class]]
      > 
      > Before ES2015, the ES spec had a [[Class]] internal slot for all
      > objects, which Object.prototype.toString() would use to figure the
      > returned string. Post-ES2015, the [[Class]] slot was removed in spec for
      > all objects, with the @@toStringTag well-known symbol the proper way to
      > change Object.prototype.toString() output.
      > 
      > At the time, spec-identical handling without the use of [[Class]] was
      > implemented in V8 for all objects other than API objects, where issues
      > with the Web IDL spec [1] prevented Blink, and hence V8, to totally
      > migrate to @@toStringTag. However, since 2016 [2] Blink has been setting
      > @@toStringTag on API class prototypes to manage the
      > Object.prototype.toString() output, so the legacy [[Class]] handling in
      > V8 has not been necessary for the past couple of years.
      > 
      > This CL removes the remaining legacy [[Class]] handling in
      > Object.prototype.toString(), JSReceiver::class_name(), and
      > GetConstructorName(). However, it does not remove the class_name field
      > in FunctionTemplateInfo, as it is still used for the `name` property of
      > created functions.
      > 
      > This CL also cleans up other places in the codebase that still reference
      > [[Class]].
      > 
      > This change should have minimal impact on web-compatibility. For the
      > change to be observable, a script must do one of the following:
      > 
      > 1. delete APIConstructor.prototype[Symbol.toStringTag];
      > 2. Object.setPrototypeOf(apiObject, somethingElse);
      > 
      > Before this CL, these changes will not change the apiObject.toString()
      > output. But after this CL, they will make apiObject.toString() show
      > "[object Object]" (in the first case) or the @@toStringTag of the other
      > prototype (in the latter case).
      > 
      > However, both are deemed unlikely. @@toStringTag is not well-known
      > feature of JavaScript, nor does it get tampered much on API
      > constructors. In the second case, setting the prototype of an API object
      > would effectly render the object useless, as all its methods (including
      > property getters/setters) would no longer be accessible.
      > 
      > Currently, @@toStringTag-based API object branding is not yet
      > implemented by other browsers. This V8 bug in particular has been an
      > impediment to standardizing toString behavior. Fixing this bug will
      > unblock [3] and lead to a better Web IDL spec, and better toString()
      > compatibility for all.
      > 
      > [1]: https://www.w3.org/Bugs/Public/show_bug.cgi?id=28244
      > [2]: https://crrev.com/909c0d7d5a53c8526ded351683c65ea7d17531d4
      > [3]: https://github.com/heycam/webidl/pull/357
      > 
      > Bug: chromium:793406
      > Cq-Include-Trybots: luci.chromium.try:linux-rel
      > Change-Id: Iceded24e37afa2646ec385d5018909f55b177f93
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2146996
      > Commit-Queue: Timothy Gu <timothygu@chromium.org>
      > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#67327}
      
      TBR=verwaest@chromium.org,timothygu@chromium.org
      
      Change-Id: I678d2ffc1064b1d1ddb62024cc23c6c41b216ef4
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: chromium:793406
      Cq-Include-Trybots: luci.chromium.try:linux-rel
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2163956Reviewed-by: 's avatarBill Budge <bbudge@chromium.org>
      Commit-Queue: Bill Budge <bbudge@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67349}
      213016d6
  2. 23 Apr, 2020 1 commit
    • Timothy Gu's avatar
      [builtins] Clean up the use of class_name / ES5 [[Class]] · 29c1eab9
      Timothy Gu authored
      Before ES2015, the ES spec had a [[Class]] internal slot for all
      objects, which Object.prototype.toString() would use to figure the
      returned string. Post-ES2015, the [[Class]] slot was removed in spec for
      all objects, with the @@toStringTag well-known symbol the proper way to
      change Object.prototype.toString() output.
      
      At the time, spec-identical handling without the use of [[Class]] was
      implemented in V8 for all objects other than API objects, where issues
      with the Web IDL spec [1] prevented Blink, and hence V8, to totally
      migrate to @@toStringTag. However, since 2016 [2] Blink has been setting
      @@toStringTag on API class prototypes to manage the
      Object.prototype.toString() output, so the legacy [[Class]] handling in
      V8 has not been necessary for the past couple of years.
      
      This CL removes the remaining legacy [[Class]] handling in
      Object.prototype.toString(), JSReceiver::class_name(), and
      GetConstructorName(). However, it does not remove the class_name field
      in FunctionTemplateInfo, as it is still used for the `name` property of
      created functions.
      
      This CL also cleans up other places in the codebase that still reference
      [[Class]].
      
      This change should have minimal impact on web-compatibility. For the
      change to be observable, a script must do one of the following:
      
      1. delete APIConstructor.prototype[Symbol.toStringTag];
      2. Object.setPrototypeOf(apiObject, somethingElse);
      
      Before this CL, these changes will not change the apiObject.toString()
      output. But after this CL, they will make apiObject.toString() show
      "[object Object]" (in the first case) or the @@toStringTag of the other
      prototype (in the latter case).
      
      However, both are deemed unlikely. @@toStringTag is not well-known
      feature of JavaScript, nor does it get tampered much on API
      constructors. In the second case, setting the prototype of an API object
      would effectly render the object useless, as all its methods (including
      property getters/setters) would no longer be accessible.
      
      Currently, @@toStringTag-based API object branding is not yet
      implemented by other browsers. This V8 bug in particular has been an
      impediment to standardizing toString behavior. Fixing this bug will
      unblock [3] and lead to a better Web IDL spec, and better toString()
      compatibility for all.
      
      [1]: https://www.w3.org/Bugs/Public/show_bug.cgi?id=28244
      [2]: https://crrev.com/909c0d7d5a53c8526ded351683c65ea7d17531d4
      [3]: https://github.com/heycam/webidl/pull/357
      
      Bug: chromium:793406
      Cq-Include-Trybots: luci.chromium.try:linux-rel
      Change-Id: Iceded24e37afa2646ec385d5018909f55b177f93
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2146996
      Commit-Queue: Timothy Gu <timothygu@chromium.org>
      Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67327}
      29c1eab9
  3. 09 Mar, 2020 1 commit
    • Dan Elphick's avatar
      [api] Create v8::String::NewFromLiteral that returns Local<String> · b097a8e5
      Dan Elphick authored
      String::NewFromLiteral is a templated function that takes a char[N]
      argument that can be used as an alternative to String::NewFromUtf8 and
      returns a Local<String> rather than a MaybeLocal<String> reducing the
      number of ToLocalChecked() or other checks.
      
      Since the string length is known at compile time, it can statically
      assert that the length is less than String::kMaxLength, which means that
      it can never fail at runtime.
      
      This also converts all found uses of NewFromUtf8 taking a string literal
      or a variable initialized from a string literal to use the new API. In
      some cases the types of stored string literals are changed from const
      char* to const char[] to ensure the size is retained.
      
      This API does introduce a small difference compared to NewFromUtf8. For
      a case like "abc\0def", NewFromUtf8 (using length -1 to infer length)
      would treat this as a 3 character string, whereas the new API will treat
      it as a 7 character string.
      
      As a drive-by fix, this also fixes all redundant uses of
      v8::NewStringType::kNormal when passed to any of the String::New*
      functions.
      
      Change-Id: Id96a44bc068d9c4eaa634aea688e024675a0e5b3
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2089935
      Commit-Queue: Dan Elphick <delphick@chromium.org>
      Reviewed-by: 's avatarMathias Bynens <mathias@chromium.org>
      Reviewed-by: 's avatarMythri Alle <mythria@chromium.org>
      Reviewed-by: 's avatarClemens Backes <clemensb@chromium.org>
      Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#66622}
      b097a8e5
  4. 06 Feb, 2020 1 commit
    • Ulan Degenbaev's avatar
      [ptr-compr, heap] Use system pointer size for heap limit computation · 8732596c
      Ulan Degenbaev authored
      A pointer-compressed heap has the same heap limit heuristics as a 32-bit
      heap. Specifically, the heap limit is restricted to 1GB due to scarce
      virtual addresses space on 32-bit platforms. That limitation does not
      apply for pointer-compressed heaps which can use 4GB.
      
      This CL changes the heap limit computation to use system the pointer
      size instead of the tagged pointer size. Note that the young generation
      limit continues to use the tagged pointer size.
      
      Bug: chromium:1045034
      Change-Id: I9d5bb818c32a82322476e9c97feee331400ebe0f
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2042102Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
      Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#66159}
      8732596c
  5. 10 Sep, 2019 1 commit
  6. 08 Aug, 2019 1 commit
    • Simon Zünd's avatar
      Calls to {console} require an access check for the provided arguments · a5fd60e1
      Simon Zünd authored
      This CL adds an access check for the arguments to all calls to
      {console} like {console.log}. This is needed since the DevTools
      protocol notificiation event does not contain the context in which
      the {console.log} call occurred. Only the context of the argument.
      When DevTools then reads properties for the preview of the argument,
      it uses arguments context, instead of the calling context, potentially
      leaking objects/exceptions into the calling context.
      
      Bug: chromium:987502, chromium:986393
      Change-Id: I6f7682f7bee94a28ac61994bad259bd003511c39
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1741664
      Commit-Queue: Simon Zünd <szuend@chromium.org>
      Reviewed-by: 's avatarYang Guo <yangguo@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63122}
      a5fd60e1
  7. 02 Aug, 2019 1 commit
    • Simon Zünd's avatar
      Add regression tests that check the native context of accessors · f51e0368
      Simon Zünd authored
      This CL adds regression tests for two bugs where the wrong native
      context is used when lazy accessors are instantiated.
      
      The first bug injects an object created in context 1, into another
      context 2. The object has an accessor pair installed via
      FunctionTemplate. In context 2, the property descriptor of this
      accessor is retrieved, causing the JSFunction to be instantiated
      with the current context (context 2) instead of the creation
      context of the object (context 1).
      
      The second bug is similar. When breakpoints are set, the whole heap
      is walked and all lazy accessor pairs are instantiated. This again
      uses the current context instead of using the context from which
      a AccessorPair originates.
      
      Bug: chromium:986063, chromium:989909
      Change-Id: Iaaea6e81f1b9f6b55fc7583b260aa9aea035a8d3
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1730999Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
      Commit-Queue: Simon Zünd <szuend@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63048}
      f51e0368
  8. 18 Jun, 2019 1 commit
  9. 06 Jun, 2019 1 commit
  10. 27 May, 2019 1 commit
    • Clemens Hammacher's avatar
      [cleanup] Replace simple typedefs by using · a335f2ae
      Clemens Hammacher authored
      This replaces all typedefs that define types and not functions by the
      equivalent "using" declaration.
      
      This was done mostly automatically using this command:
      ag -l '\btypedef\b' src test | xargs -L1 \
           perl -i -p0e 's/typedef ([^*;{}]+) (\w+);/using \2 = \1;/sg'
      
      Patchset 2 then adds some manual changes for typedefs for pointer types,
      where the regular expression did not match.
      
      R=mstarzinger@chromium.org
      TBR=yangguo@chromium.org, jarin@chromium.org
      
      Bug: v8:9183
      Change-Id: I6f6ee28d1793b7ac34a58f980b94babc21874b78
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631409
      Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
      Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#61849}
      a335f2ae
  11. 24 May, 2019 1 commit
  12. 23 May, 2019 2 commits
  13. 22 May, 2019 1 commit
  14. 17 May, 2019 1 commit
  15. 16 May, 2019 2 commits
  16. 30 Apr, 2019 1 commit
  17. 21 Nov, 2018 1 commit
  18. 14 Sep, 2018 1 commit
  19. 13 Sep, 2018 1 commit
  20. 15 Aug, 2018 1 commit
  21. 23 Jul, 2018 1 commit
  22. 26 Mar, 2018 1 commit
  23. 01 Mar, 2018 1 commit
    • Gabriel Charette's avatar
      [v8 platform] Get rid of unused ExpectedRuntime parameter. · 86b4b534
      Gabriel Charette authored
      With a temporary intermediate step to allow adapting embedders before
      getting rid of the ExpectedRuntime method altogether.
      
      The method is being renamed to CallOnWorkerThread() as an effort to
      go away from "background" nomenclature for worker threads ("background"
      usually refers to a priority but worker threads are commonly used for
      high priority tasks in v8).
      Other CLs will follow to rename other "background" APIs.
      
      Bug: v8:7310
      Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;master.tryserver.chromium.linux:linux_chromium_rel_ng
      Change-Id: I2fd4eac7458708d4eacb0f4871c982a567a3865e
      Reviewed-on: https://chromium-review.googlesource.com/941442
      Commit-Queue: Gabriel Charette <gab@chromium.org>
      Reviewed-by: 's avatarAndreas Haas <ahaas@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#51645}
      86b4b534
  24. 04 Dec, 2017 1 commit
  25. 27 Oct, 2017 1 commit
  26. 26 Oct, 2017 2 commits
  27. 28 Sep, 2017 1 commit
  28. 28 Aug, 2017 1 commit
  29. 24 Aug, 2017 1 commit
  30. 05 Jul, 2017 2 commits
  31. 29 Mar, 2017 1 commit
  32. 15 Mar, 2017 1 commit
  33. 24 Feb, 2017 1 commit
  34. 22 Feb, 2017 1 commit
    • dcheng's avatar
      Fix receiver checks for v8::Function on a remote context receiver. · 96eda1f7
      dcheng authored
      v8 allows the embedder to specify a global template to use when
      creating a new context. However, v8 does not use the supplied
      template directly when creating the global proxy: it creates a
      unique template for each global proxy. However, this is problematic
      for remote contexts: functions cannot use strict receiver checks
      with the remote context, as the global template will never match
      the global proxy.
      
      To fix this, remote contexts now also include a remote global
      object in the prototype chain that is instantiated with the global
      template. This mirrors the way the global proxy is configured for a
      full v8 context, and allows strict receiver checks to work.
      
      BUG=527190
      
      Review-Url: https://codereview.chromium.org/2677653002
      Cr-Commit-Position: refs/heads/master@{#43361}
      96eda1f7
  35. 20 Feb, 2017 1 commit