- 19 Jul, 2019 1 commit
-
-
Toon Verwaest authored
This is a reland of e55e0aa5 Original change's description: > [runtime] Fix protector invalidation > > Protectors trigger when special properties are modified or masked. Previously > we would check whether the property stored on the holder would invalidate the > protector. Stores to to the receiver rather than the holder, however, so this > CL changes holder for receiver, and adds additional checks that were missing. > > Bug: v8:9466 > Change-Id: I81bc3d73f91381da0d254e9eb79365ae2d25d998 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708468 > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > Reviewed-by: Leszek Swirski <leszeks@chromium.org> > Cr-Commit-Position: refs/heads/master@{#62805} Tbr: leszeks@chromium.org Bug: v8:9466 Change-Id: I693c73577ca9a35a271f509770cc1c87e5cc4b73 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709420 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#62829}
-
- 18 Jul, 2019 2 commits
-
-
Sathya Gunasekaran authored
This reverts commit e55e0aa5. Reason for revert: speculative revert for tsan breakage https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket.appspot.com/8907588363297935904/+/steps/Check__flakes_/0/logs/regress-437713/0 Original change's description: > [runtime] Fix protector invalidation > > Protectors trigger when special properties are modified or masked. Previously > we would check whether the property stored on the holder would invalidate the > protector. Stores to to the receiver rather than the holder, however, so this > CL changes holder for receiver, and adds additional checks that were missing. > > Bug: v8:9466 > Change-Id: I81bc3d73f91381da0d254e9eb79365ae2d25d998 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708468 > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > Reviewed-by: Leszek Swirski <leszeks@chromium.org> > Cr-Commit-Position: refs/heads/master@{#62805} TBR=leszeks@chromium.org,verwaest@chromium.org Change-Id: Id8fc36525b7c5631589a67073ad1fd5815ea2775 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:9466 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708482Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#62807}
-
Toon Verwaest authored
Protectors trigger when special properties are modified or masked. Previously we would check whether the property stored on the holder would invalidate the protector. Stores to to the receiver rather than the holder, however, so this CL changes holder for receiver, and adds additional checks that were missing. Bug: v8:9466 Change-Id: I81bc3d73f91381da0d254e9eb79365ae2d25d998 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708468 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#62805}
-
- 10 Oct, 2018 1 commit
-
-
Hai Dang authored
The MapIterator protector protects the original iteration behaviors of Map.prototype.keys(), Map.prototype.values(), and Set.prototype.entries(). It does not protect the original iteration behavior of Map.prototype[Symbol.iterator](). The protector is invalidated when: * The 'next' property is set on an object where the property holder is the %MapIteratorPrototype% (e.g. because the object is that very prototype). * The 'Symbol.iterator' property is set on an object where the property holder is the %IteratorPrototype%. Note that this also invalidates the SetIterator protector (see below). The SetIterator protector protects the original iteration behavior of Set.prototype.keys(), Set.prototype.values(), Set.prototype.entries(), and Set.prototype[Symbol.iterator](). The protector is invalidated when: * The 'next' property is set on an object where the property holder is the %SetIteratorPrototype% (e.g. because the object is that very prototype). * The 'Symbol.iterator' property is set on an object where the property holder is the %SetPrototype% OR %IteratorPrototype%. This means that setting Symbol.iterator on a MapIterator object can also invalidate the SetIterator protector, and vice versa, setting Symbol.iterator on a SetIterator object can also invalidate the MapIterator. This is an over- approximation for the sake of simplicity. Bug: v8:7980 Change-Id: I54ad6e4c7f19ccc27d7001f6c4b6c8d6ea4ee871 Reviewed-on: https://chromium-review.googlesource.com/c/1273102Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Hai Dang <dhai@google.com> Cr-Commit-Position: refs/heads/master@{#56530}
-