1. 07 Feb, 2020 1 commit
  2. 06 Feb, 2020 1 commit
  3. 29 Jan, 2020 1 commit
  4. 09 Jan, 2020 1 commit
  5. 27 Dec, 2019 1 commit
    • Daniel Clifford's avatar
      Port bitfield ScopeFlags to Torque · 7e8a197c
      Daniel Clifford authored
      In the process:
      
      * Rework the Torque definition of ScopeInfo to enable direct
        field-style access of ScopeFlags, removing some dead code in
        the process.
      * Allow implicit FromConstexpr conversion from subtypes of
        'constexpr A' to other types. This makes it possible/easy to
        convert constexpr versions of enums to other types, since the
        constexpr version of the enum isn't addressable. It's namespace
        isn't a valid namespace and is an implementation detail anyway.
      * Cleanup LanguageMode: Language mode is now an enum and directly
        mirrors the C++-side definition rather than being a Smi. With
        the changes above, a new type LanguageModeSmi is introduced
        that is the Smi representation of LanguageMode that can be
        implicitly casted from constexpr LanguageMode values.
      
      Change-Id: I190412f95e02905f445d149883fbf1f2b8ed757b
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1977159
      Commit-Queue: Daniel Clifford <danno@chromium.org>
      Reviewed-by: 's avatarTobias Tebbi <tebbi@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#65561}
      7e8a197c
  6. 04 Dec, 2019 1 commit
    • Leszek Swirski's avatar
      [isolate] Revert oddball checks to non-const Isolate* · 29af4273
      Leszek Swirski authored
      Looks like even the small amount of logic needed to extract ReadOnlyRoots
      from a const Isolate* (e.g. a HeapObject check) is enough to cause
      regressions.
      
      Revert these predicates to take non-const Isolate*, while keeping const
      Isolate* elsewhere. If we ever need const Isolate* for the oddball
      predicates, we can add it in addition to the non-const one.
      
      Bug: chromium:1029457
      Bug: chromium:1030001
      Bug: chromium:1030003
      Bug: chromium:1030102
      Change-Id: Ia6fa45f282a1a1961c0afa8ed973baebf6fbafd3
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1948721Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
      Commit-Queue: Igor Sheludko <ishell@chromium.org>
      Auto-Submit: Leszek Swirski <leszeks@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#65331}
      29af4273
  7. 27 Nov, 2019 1 commit
    • Leszek Swirski's avatar
      [isolate] Make field getters use a const Isolate* · 42a56e03
      Leszek Swirski authored
      To indicate that the Isolate* in getters might not be a "real" isolate,
      but rather a calculated one from GetIsolateForPtrCompr only used for
      calculating the isolate root, make that function return a const Isolate*
      and change field getters, Object::IsFoo predicates, and related
      functions to all take a const Isolate* instead of an Isolate*
      
      With this change, we can slightly more confidently use Objects that are
      in OffThreadSpace, without having to worry too much about having an
      Isolate* floating around that could accidentally be used.
      
      This is a slight abuse of const semantics, but it allows implicit
      conversion from Isolate* arguments to the const Isolate* parameter.
      
      Bug: v8:7703
      Bug: chromium:1011762
      Change-Id: I54d4a65d2299477195f4d754cabe64ce34fdaa4c
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1939455
      Commit-Queue: Leszek Swirski <leszeks@chromium.org>
      Auto-Submit: Leszek Swirski <leszeks@chromium.org>
      Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
      Reviewed-by: 's avatarTobias Tebbi <tebbi@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#65199}
      42a56e03
  8. 26 Nov, 2019 1 commit
  9. 25 Nov, 2019 3 commits
  10. 21 Nov, 2019 1 commit
    • Tobias Tebbi's avatar
      [torque] shape: define in-object properties properly · cfab6505
      Tobias Tebbi authored
      This introduces a new keyword "shape" in addition to "class",
      which allows the definition of a type that extends a JSObject
      subclass and specifies one or several maps with statically
      known in-object properties.
      Differences compared to normal classes:
      - Shapes are transient since they specify maps instead of
        instance types.
      - Shapes have a known size.
      - Fields of shapes are always in-object properties. In particular,
        this means that their offset is after kHeaderSize.
      - It's forbidden to inherited from shapes.
      - Since shapes usually specify NativeContext-dependent maps, it's
        not possible to write runtime type-checks for them. Thus this CL
        avoids mapping them to their own TNode type, as the CAST macro
        won't work properly. We had runtime-checks for some of them
        nevertheless, some of them scarily confusing like
        IsJSSloppyArgumentsObject, that actually just checked the instance
        type.
      
      Drive-by cleanups and simplifications:
      - Allow subclassing from non-abstract classes and remove
        @dirtyInstantiatedAbstractClass. This attribute stems from a mis-
        conception of how instance types work, and with this change it
        ceases to have semantic influence.
      - Replace the existing JSArgumentsObject subclasses into two shapes.
        JSArgumentsObjectWithLength had to be removed since shapes don't
        support subclassing.
      - Place kHeaderSize correctly for objects with indexed fields.
      
      Design doc:
      https://docs.google.com/document/d/1zPy2ZYfNFjeEuw6Mz3YJA-GaPGbdcSYam3SrS7ETzRU
      
      Bug: v8:8944
      
      Change-Id: Iabf185ccd27d0900e0890539a7fe9eaa8bf2d50e
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1917140
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Reviewed-by: 's avatarNico Hartmann <nicohartmann@chromium.org>
      Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#65108}
      cfab6505
  11. 20 Nov, 2019 1 commit
  12. 28 Oct, 2019 1 commit
    • Seth Brenith's avatar
      [torque] Use generated instance types, part 1 · 91e6421c
      Seth Brenith authored
      This change begins making use of the fact that Torque now knows about
      the relationship between classes and instance types, to replace a few
      repetitive lists:
      
      - Instance type checkers (single and range), defined in
        src/objects/instance-type.h
      - Verification dispatch in src/diagnostics/objects-debug.cc
      - Printer dispatch in src/diagnostics/objects-printer.cc
      - Postmortem object type detection in
        tools/debug_helper/get-object-properties.cc
      
      Torque is updated to generate four macro lists for the instance types,
      representing all of the classes separated in two dimensions: classes
      that correspond to a single instance type versus those that have a
      range, and classes that are fully defined in Torque (with fields and
      methods inside '{}') versus those that are only declared. The latter
      distinction is useful because fully-defined classes are guaranteed to
      correspond to real C++ classes, whereas only-declared classes are not.
      
      A few other changes were required to make the lists above work:
      
      - Renamed IsFiller to IsFreeSpaceOrFiller to better reflect what it does
        and avoid conflicts with the new macro-generated IsFiller method. This
        is the part I'm most worried about: I think the new name is an
        improvement for clarity and consistency, but I could imagine someone
        typing IsFiller out of habit and introducing a bug. If we'd prefer to
        keep the name IsFiller, my other idea is to rename FreeSpace to
        VariableSizeFiller and Filler to FixedSizeFiller.
      - Made Tuple3 extend from Struct, not Tuple2, because IsTuple2 is
        expected to check for only TUPLE2_TYPE and not include TUPLE3_TYPE.
      - Normalized the dispatched behavior for BigIntBase and HeapNumber.
      - Added a few new object printers.
      
      Bug: v8:7793
      Change-Id: I5462bb105f8a314baa59bd6ab6ab6215df6f313c
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1860314
      Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
      Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
      Reviewed-by: 's avatarJakob Kummerow <jkummerow@chromium.org>
      Reviewed-by: 's avatarTobias Tebbi <tebbi@chromium.org>
      Reviewed-by: 's avatarDan Elphick <delphick@chromium.org>
      Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#64597}
      91e6421c
  13. 11 Oct, 2019 1 commit
    • Seth Brenith's avatar
      [torque] Generate instance types · 8c7ae314
      Seth Brenith authored
      Design doc:
      https://docs.google.com/document/d/1ZU6rCvF2YHBGMLujWqqaxlPsjFfjKDE9C3-EugfdlAE/edit
      
      Changes from the design doc:
      - Changed to use 'class' declarations rather than 'type' declarations
        for things that need instance types but whose layout is not known to
        Torque. These declarations end with a semicolon rather than having a
        full set of methods and fields surrounded by {}. If the class's name
        should not be treated as a class name in generated output (because
        it's actually a template, or doesn't exist at all), we use the
        standard 'generates' clause to declare the most appropriate C++ class.
      - Removed @instanceTypeName.
      - @highestInstanceType became @highestInstanceTypeWithinParentClassRange
        to indicate a semantic change: it no longer denotes the highest
        instance type globally, but only within the range of values for its
        immediate parent class. This lets us use it for Oddball, which is
        expected to be the highest primitive type.
      - Added new abstract classes JSCustomElementsObject and JSSpecialObject
        to help with some range checks.
      - Added @lowestInstanceTypeWithinParentClassRange so we can move the new
        classes JSCustomElementsObject and JSSpecialObject to the beginning of
        the JSObject range. This seems like the least-brittle way to establish
        ranges that also include JSProxy (and these ranges are verified with
        static assertions in instance-type.h).
      - Renamed @instanceTypeValue to @apiExposedInstanceTypeValue.
      - Renamed @instanceTypeFlags to @reserveBitsInInstanceType.
      
      This change introduces the new annotations and adds the ability for
      Torque to assign instance types that satisfy those annotations. Torque
      now emits two new macros:
      - TORQUE_ASSIGNED_INSTANCE_TYPES, which is used to define the
        InstanceType enumeration
      - TORQUE_ASSIGNED_INSTANCE_TYPE_LIST, which replaces the non-String
        parts of INSTANCE_TYPE_LIST
      
      The design document mentions a couple of other macro lists that could
      easily be replaced, but I'd like to defer those to a subsequent checkin
      because this one is already pretty large.
      
      Bug: v8:7793
      Change-Id: Ie71d93a9d5b610e62be0ffa3bb36180c3357a6e8
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1757094
      Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
      Reviewed-by: 's avatarTobias Tebbi <tebbi@chromium.org>
      Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
      Reviewed-by: 's avatarSathya Gunasekaran  <gsathya@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#64258}
      8c7ae314
  14. 27 Sep, 2019 3 commits
    • Mythri A's avatar
      Reland "[compiler] Cache OSR optimized code" · fcff2437
      Mythri A authored
      This is a reland of cfb10028
      with a fix for failures in lite mode.
      
      Original change's description:
      > [compiler] Cache OSR optimized code
      >
      > With lazy feedback allocation, for functions that get OSRed we may
      > not have feedback for the initial part of the functions since feedback
      > vectors might be allocated after the function started executing. Hence
      > we would not be able to optimize the function on the next call. This
      > means we may have to OSR twice before we actually optimize function.
      > This cl introduces OSR cache, so we could reuse the optimized code. One
      > side effect of this cl is that the OSRed code won't be function context
      > specialized anymore.
      >
      > Bug: chromium:987523
      > Change-Id: Ic1e2abca85ccfa0a66a0fa83f7247392cc1e7cb2
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1796329
      > Commit-Queue: Mythri Alle <mythria@chromium.org>
      > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
      > Reviewed-by: Georg Neis <neis@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#64014}
      
      Bug: chromium:987523
      Change-Id: I9c782242b07b24d15247533ab4ee044334b429ff
      TBR: rmcilroy@chromium.org
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1826898
      Commit-Queue: Mythri Alle <mythria@chromium.org>
      Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#64023}
      fcff2437
    • Michael Achenbach's avatar
      Revert "[compiler] Cache OSR optimized code" · f8a08223
      Michael Achenbach authored
      This reverts commit cfb10028.
      
      Reason for revert:
      https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm%20-%20sim%20-%20lite/6483
      
      Original change's description:
      > [compiler] Cache OSR optimized code
      > 
      > With lazy feedback allocation, for functions that get OSRed we may
      > not have feedback for the initial part of the functions since feedback
      > vectors might be allocated after the function started executing. Hence
      > we would not be able to optimize the function on the next call. This
      > means we may have to OSR twice before we actually optimize function.
      > This cl introduces OSR cache, so we could reuse the optimized code. One
      > side effect of this cl is that the OSRed code won't be function context
      > specialized anymore.
      > 
      > Bug: chromium:987523
      > Change-Id: Ic1e2abca85ccfa0a66a0fa83f7247392cc1e7cb2
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1796329
      > Commit-Queue: Mythri Alle <mythria@chromium.org>
      > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
      > Reviewed-by: Georg Neis <neis@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#64014}
      
      TBR=rmcilroy@chromium.org,neis@chromium.org,mythria@chromium.org
      
      Change-Id: Ib3692e7570bed5d3e88ca8a0247b185d70497a04
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: chromium:987523
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1826668Reviewed-by: 's avatarMichael Achenbach <machenbach@chromium.org>
      Commit-Queue: Michael Achenbach <machenbach@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#64015}
      f8a08223
    • Mythri A's avatar
      [compiler] Cache OSR optimized code · cfb10028
      Mythri A authored
      With lazy feedback allocation, for functions that get OSRed we may
      not have feedback for the initial part of the functions since feedback
      vectors might be allocated after the function started executing. Hence
      we would not be able to optimize the function on the next call. This
      means we may have to OSR twice before we actually optimize function.
      This cl introduces OSR cache, so we could reuse the optimized code. One
      side effect of this cl is that the OSRed code won't be function context
      specialized anymore.
      
      Bug: chromium:987523
      Change-Id: Ic1e2abca85ccfa0a66a0fa83f7247392cc1e7cb2
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1796329
      Commit-Queue: Mythri Alle <mythria@chromium.org>
      Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
      Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#64014}
      cfb10028
  15. 26 Sep, 2019 1 commit
  16. 10 Sep, 2019 1 commit
  17. 26 Aug, 2019 1 commit
    • Tobias Tebbi's avatar
      Reland "[torque] introduce JSAny type for user-accessible JavaScript values" · 1ef99b93
      Tobias Tebbi authored
      Changes in the reland: Rebased and added a check that JavaScript-linkage
      builtins use JSAny in parameters and return type, plus the necessary
      cleanups for this test to pass.
      
      Design Doc: https://docs.google.com/document/d/1z6j0pWHnNIfId0v00uWN2HBrGRDJxJfYuCr5K7Kr1xA
      
      This reverts commit 4418a7b9.
      
      Original change's description:
      > Revert "[torque] introduce JSAny type for user-accessible JavaScript values"
      >
      > This reverts commit 79b00555.
      >
      > Reason for revert: needs more discussion
      >
      > Original change's description:
      > > [torque] introduce JSAny type for user-accessible JavaScript values
      > >
      > > This CL introduces a JSAny type for user-exposed JavaScript values and
      > > a few new types to define it. Especially, it splits Symbol into
      > > PrivateSymbol (not exposed) and PublicSymbol (JavaScript exposed
      > > symbols).
      > >
      > > The change is mostly mechanical, but a few things are interesting:
      > > - PropertyKey and JSPrimitive were designed to coincide with the spec
      > >   notions of IsPropertyKey() and primitive value, respectively.
      > > - Since Name is an open type, we define AnyName to be the known
      > >   subtypes of Name. This is not too elegant, but by using AnyName
      > >   instead of Name, typeswitch can properly conclude something if a
      > >   subtype of Name is excluded.
      > >
      > > Small drive-by changes, which were necessary:
      > > - Allow subtyping on label parameters.
      > > - Fix the formatting of typeswitch, it was broken with union types
      > >   in case types.
      > >
      > > Bug: v8:7793
      > > Change-Id: I14b10507f8cf316ad85e048fe8d53d1df5e0bb13
      > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1735322
      > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > > Reviewed-by: Jakob Gruber <jgruber@chromium.org>
      > > Cr-Commit-Position: refs/heads/master@{#63114}
      >
      > TBR=neis@chromium.org,jgruber@chromium.org,tebbi@chromium.org
      >
      > Change-Id: Ifde7881d74afe407628f40047997339d54cb2424
      > No-Presubmit: true
      > No-Tree-Checks: true
      > No-Try: true
      > Bug: v8:7793
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1741652
      > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
      > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#63115}
      
      TBR=neis@chromium.org,jgruber@chromium.org,tebbi@chromium.org
      
      # Not skipping CQ checks because original CL landed > 1 day ago.
      
      Bug: v8:7793
      Change-Id: Icca34e3824f55009b984d9348fd21884400f0081
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1769316
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Reviewed-by: 's avatarTobias Tebbi <tebbi@chromium.org>
      Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63395}
      1ef99b93
  18. 20 Aug, 2019 1 commit
  19. 07 Aug, 2019 2 commits
    • Tobias Tebbi's avatar
      Revert "[torque] introduce JSAny type for user-accessible JavaScript values" · 4418a7b9
      Tobias Tebbi authored
      This reverts commit 79b00555.
      
      Reason for revert: needs more discussion
      
      Original change's description:
      > [torque] introduce JSAny type for user-accessible JavaScript values
      > 
      > This CL introduces a JSAny type for user-exposed JavaScript values and
      > a few new types to define it. Especially, it splits Symbol into
      > PrivateSymbol (not exposed) and PublicSymbol (JavaScript exposed
      > symbols).
      > 
      > The change is mostly mechanical, but a few things are interesting:
      > - PropertyKey and JSPrimitive were designed to coincide with the spec
      >   notions of IsPropertyKey() and primitive value, respectively.
      > - Since Name is an open type, we define AnyName to be the known
      >   subtypes of Name. This is not too elegant, but by using AnyName
      >   instead of Name, typeswitch can properly conclude something if a
      >   subtype of Name is excluded.
      > 
      > Small drive-by changes, which were necessary:
      > - Allow subtyping on label parameters.
      > - Fix the formatting of typeswitch, it was broken with union types
      >   in case types.
      > 
      > Bug: v8:7793
      > Change-Id: I14b10507f8cf316ad85e048fe8d53d1df5e0bb13
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1735322
      > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      > Reviewed-by: Jakob Gruber <jgruber@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#63114}
      
      TBR=neis@chromium.org,jgruber@chromium.org,tebbi@chromium.org
      
      Change-Id: Ifde7881d74afe407628f40047997339d54cb2424
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: v8:7793
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1741652Reviewed-by: 's avatarTobias Tebbi <tebbi@chromium.org>
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63115}
      4418a7b9
    • Tobias Tebbi's avatar
      [torque] introduce JSAny type for user-accessible JavaScript values · 79b00555
      Tobias Tebbi authored
      This CL introduces a JSAny type for user-exposed JavaScript values and
      a few new types to define it. Especially, it splits Symbol into
      PrivateSymbol (not exposed) and PublicSymbol (JavaScript exposed
      symbols).
      
      The change is mostly mechanical, but a few things are interesting:
      - PropertyKey and JSPrimitive were designed to coincide with the spec
        notions of IsPropertyKey() and primitive value, respectively.
      - Since Name is an open type, we define AnyName to be the known
        subtypes of Name. This is not too elegant, but by using AnyName
        instead of Name, typeswitch can properly conclude something if a
        subtype of Name is excluded.
      
      Small drive-by changes, which were necessary:
      - Allow subtyping on label parameters.
      - Fix the formatting of typeswitch, it was broken with union types
        in case types.
      
      Bug: v8:7793
      Change-Id: I14b10507f8cf316ad85e048fe8d53d1df5e0bb13
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1735322
      Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
      Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#63114}
      79b00555
  20. 09 Jul, 2019 1 commit
  21. 28 Jun, 2019 1 commit
  22. 26 Jun, 2019 1 commit
  23. 24 Jun, 2019 2 commits
  24. 21 Jun, 2019 1 commit
  25. 19 Jun, 2019 1 commit
  26. 18 Jun, 2019 1 commit
  27. 14 Jun, 2019 2 commits
  28. 13 Jun, 2019 1 commit
  29. 06 Jun, 2019 1 commit
  30. 03 Jun, 2019 1 commit
    • Seth Brenith's avatar
      [torque] Remove some uses of @noVerifier · 29ec0087
      Seth Brenith authored
      Implemented verifiers for the following classes:
      - ExternalString
      - FixedArrayBase
      - JSCollection
      - JSCollectionIterator
      - JSWeakCollection
      - Name
      - SeqString
      - Struct
      
      Removed the following class definitions from Torque, because they're
      just JSObject instances with particular starting maps, as discussed in
      https://crrev.com/c/v8/v8/+/1619146/6/src/builtins/base.tq#459 :
      - JSAccessorPropertyDescriptor
      - JSDataPropertyDescriptor
      - JSIteratorResult
      
      Following similar logic, removed the Torque definition of
      WasmExceptionPackage because it's just an error object that happens to
      have a couple of private-symbol properties.
      
      The following classes should not be defined in Torque because they're
      just a starting state for JSObject, but I'm leaving them for now because
      existing Torque code requires them:
      - JSArgumentsObjectWithLength
      - JSProxyRevocableResult
      
      Bug: v8:9311
      Change-Id: I0336b6be7d02e48e4a8a0f660e24d2c2fa5f5e34
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1637448
      Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
      Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
      Reviewed-by: 's avatarTobias Tebbi <tebbi@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#61970}
      29ec0087
  31. 27 May, 2019 3 commits
    • Benedikt Meurer's avatar
      Reland "[typedarray] Move external/data pointer to JSTypedArray." · 70bd7cf0
      Benedikt Meurer authored
      This is a reland of 4b86fea5 with
      copy&paste typo in CodeStubAssembler::AllocateByteArray() fixed
      (bug led to holes in new space, which was crashing reproducibly
      on the ia32 bot).
      
      Original change's description:
      > [typedarray] Move external/data pointer to JSTypedArray.
      >
      > As the next step in supporting huge typed arrays in V8, this moves the
      > external/data pointer from the FixedTypedArrayBase backing store to the
      > JSTypedArray instance itself, and replaces the special backing stores
      > with a plain ByteArray (removing all the code for the FixedTypedArrayBase
      > class hierarchy). By doing so, we can drastically simplify the system
      > around typed arrays.
      >
      > Note: Several places in the code base used to check the instance type
      > of the elements backing store of a JSTypedArray instead of checking the
      > elements kind on the JSTypedArray map directly. Those had to be fixed,
      > since the backing store is now always a ByteArray.
      >
      > Drive-by-fix: Move all the typed elements access related code into the
      > elements.cc file to properly encapsulate the accesses.
      >
      > Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
      > Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
      > Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646
      > Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535
      > Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > Reviewed-by: Simon Zünd <szuend@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#61855}
      
      Tbr: petermarshall@chromium.org
      Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
      Change-Id: I87fcdb28532c5f08cc227332a4d59546cb423810
      Cq-Include-Trybots: luci.chromium.try:linux-rel, win7-rel
      Cq-Include-Trybots: luci.v8.try:v8_linux_shared_compile_rel
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631592Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#61864}
      70bd7cf0
    • Clemens Hammacher's avatar
      Revert "[typedarray] Move external/data pointer to JSTypedArray." · e4db146a
      Clemens Hammacher authored
      This reverts commit 4b86fea5.
      
      Reason for revert: Fails on linux shared: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20shared/31045
      
      Original change's description:
      > [typedarray] Move external/data pointer to JSTypedArray.
      > 
      > As the next step in supporting huge typed arrays in V8, this moves the
      > external/data pointer from the FixedTypedArrayBase backing store to the
      > JSTypedArray instance itself, and replaces the special backing stores
      > with a plain ByteArray (removing all the code for the FixedTypedArrayBase
      > class hierarchy). By doing so, we can drastically simplify the system
      > around typed arrays.
      > 
      > Note: Several places in the code base used to check the instance type
      > of the elements backing store of a JSTypedArray instead of checking the
      > elements kind on the JSTypedArray map directly. Those had to be fixed,
      > since the backing store is now always a ByteArray.
      > 
      > Drive-by-fix: Move all the typed elements access related code into the
      > elements.cc file to properly encapsulate the accesses.
      > 
      > Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
      > Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
      > Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646
      > Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535
      > Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
      > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > Reviewed-by: Simon Zünd <szuend@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#61855}
      
      TBR=ulan@chromium.org,yangguo@chromium.org,titzer@chromium.org,sigurds@chromium.org,petermarshall@chromium.org,bmeurer@chromium.org,szuend@chromium.org
      
      Change-Id: I0bc1f935de6063acf75a0f4bb8c0ba67428603fd
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
      Cq-Include-Trybots: luci.chromium.try:linux-rel, win7-rel
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631427Reviewed-by: 's avatarClemens Hammacher <clemensh@chromium.org>
      Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#61856}
      e4db146a
    • Benedikt Meurer's avatar
      [typedarray] Move external/data pointer to JSTypedArray. · 4b86fea5
      Benedikt Meurer authored
      As the next step in supporting huge typed arrays in V8, this moves the
      external/data pointer from the FixedTypedArrayBase backing store to the
      JSTypedArray instance itself, and replaces the special backing stores
      with a plain ByteArray (removing all the code for the FixedTypedArrayBase
      class hierarchy). By doing so, we can drastically simplify the system
      around typed arrays.
      
      Note: Several places in the code base used to check the instance type
      of the elements backing store of a JSTypedArray instead of checking the
      elements kind on the JSTypedArray map directly. Those had to be fixed,
      since the backing store is now always a ByteArray.
      
      Drive-by-fix: Move all the typed elements access related code into the
      elements.cc file to properly encapsulate the accesses.
      
      Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
      Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
      Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646
      Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Reviewed-by: 's avatarPeter Marshall <petermarshall@chromium.org>
      Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
      Reviewed-by: 's avatarSimon Zünd <szuend@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#61855}
      4b86fea5