- 13 Apr, 2021 8 commits
-
-
Thibaud Michaud authored
When looking for intersections between the current range and inactive range, we can stop the search as soon as the inactive range's next start is past the current range's end position. We know that subsequent inactive ranges cannot intersect either, because they are ordered by their next start.

R=sigurds@chromium.org

Bug: chromium:986862
Change-Id: I249a781be281abc7b438f31848f5d6cb3a25303f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821434
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73932}
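The early exit the commit describes, as an added example written for this page rather than taken from V8: a sorted list of inactive ranges is scanned for the earliest intersection with the current range, and the scan stops at the first entry whose next start is at or past the current range's end. The Interval/LiveRange/InactiveEntry types, the helper names and the sample positions are assumptions for illustration, not V8's register-allocator API.

```cpp
// Added example (not V8 code): early-exit search over inactive ranges.
// Types, names and sample data are assumptions for illustration.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

using LifetimePosition = int32_t;

// Half-open [start, end) interval of instruction positions.
struct Interval {
  LifetimePosition start;
  LifetimePosition end;
};

// A live range is a sorted list of disjoint intervals.
struct LiveRange {
  std::vector<Interval> intervals;
  LifetimePosition Start() const { return intervals.front().start; }
  LifetimePosition End() const { return intervals.back().end; }
};

// Earliest position where ranges a and b overlap, if any (merge walk).
std::optional<LifetimePosition> FirstIntersection(const LiveRange& a,
                                                  const LiveRange& b) {
  size_t i = 0, j = 0;
  while (i < a.intervals.size() && j < b.intervals.size()) {
    const Interval& x = a.intervals[i];
    const Interval& y = b.intervals[j];
    if (x.start < y.end && y.start < x.end) return std::max(x.start, y.start);
    if (x.end <= y.start) ++i; else ++j;
  }
  return std::nullopt;
}

// Start of the first interval of r at or after pos: the "next start" of an
// inactive range relative to the current allocation position.
std::optional<LifetimePosition> NextStart(const LiveRange& r, LifetimePosition pos) {
  for (const Interval& iv : r.intervals)
    if (iv.start >= pos) return iv.start;
  return std::nullopt;
}

struct InactiveEntry {
  LiveRange range;
  LifetimePosition next_start;
};

struct SearchResult {
  std::optional<LifetimePosition> first_intersection;  // earliest over all inactive ranges
  size_t examined;                                     // entries actually inspected
};

// Precondition (the invariant the commit relies on): `inactive` is sorted by
// next_start, and every next_start is >= current.Start().
SearchResult FindFirstInactiveIntersection(const LiveRange& current,
                                           const std::vector<InactiveEntry>& inactive) {
  SearchResult result{std::nullopt, 0};
  for (const InactiveEntry& e : inactive) {
    // Early exit: this entry and every later one begin at or after the point
    // where `current` ends, so none of them can intersect it.
    if (e.next_start >= current.End()) break;
    ++result.examined;
    if (auto p = FirstIntersection(current, e.range)) {
      if (!result.first_intersection || *p < *result.first_intersection)
        result.first_intersection = p;
    }
  }
  return result;
}

// Builds the sorted inactive list for a given current range. Ranges with no
// interval at or after current.Start() are not inactive and are dropped.
std::vector<InactiveEntry> BuildInactive(const LiveRange& current,
                                         const std::vector<LiveRange>& ranges) {
  std::vector<InactiveEntry> out;
  for (const LiveRange& r : ranges)
    if (auto ns = NextStart(r, current.Start())) out.push_back({r, *ns});
  std::sort(out.begin(), out.end(), [](const InactiveEntry& a, const InactiveEntry& b) {
    return a.next_start < b.next_start;
  });
  return out;
}
```

The `examined` counter makes the saving visible: with four inactive ranges whose next starts are 12, 20, 30 and 35 and a current range ending at 30, only the first two are inspected.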
-
Sara Tang authored
Original CL: https://chromium-review.googlesource.com/c/v8/v8/+/2807157

Bug: v8:11043
Change-Id: I49d29323bf3ae6ede7e48e63645f4ee0a750c83e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2818573
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Sara Tang <sartang@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#73931}
-
Benedikt Meurer authored
The method was scheduled for removal in M92, as the final part of the fn.displayName support removal.

Fixed: chromium:1177685
Doc: https://bit.ly/devtools-function-displayName-removal
Change-Id: I243dd6c9849a6f39e76dd003300b639bfd8df604
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821954
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73930}
-
Camillo Bruni authored
Bug: v8:11263
Change-Id: I320a75b8819353ab7af5bf7608329e6f0a7a66ca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821544
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73929}
-
Maya Lekova authored
The CanAllocateArray used to be executed during JSCreateLowering, leading to bailouts when large arrays are passed as arguments to an async function or a bound function. This meant that JSCreateAsyncFunctionObject or JSCreateBoundFunction will reach JSGenericLowering, where they are not lowered. This CL moves the checks earlier in the pipeline during JSNativeContextSpecialization and JSCallReducer respectively, so that those operators are not created at all in such cases and we bail out to the runtime instead.

Bug: v8:11564
Change-Id: I232ce7d9378730ae0cc8690e52fde840a484e069
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2807609
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73928}
-
Manos Koukoutos authored
Multivalue has been shipped for a while now, so it is time to remove its experimental feature flag.

Additional change: Set kV8MaxWasmFunctionReturns to the old kV8MaxWasmFunctionMultiReturns value.

Change-Id: I5c4d33b036e64a7221de17f0e97119bb0a036838
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817790
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73927}
-
v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/563f147..79006be

Rolling v8/third_party/aemu-linux-x64: _EJXYI9PIL6jmQi9nGYfsMiQZf2CFqi_hE7uUCqpScAC..dXMWT4elldlEXvj4YHtc9u0W4YEfTP-KZbIKpA75-7MC

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/ab687ea..8680ff0

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/006bc90..7168936

Rolling v8/tools/luci-go: git_revision:f784260b204b2d93c7bd6d1a619f09c6822e5926..git_revision:cbabdf2ff62e64e99bfdf57ab5625d3da3eb5db9

Rolling v8/tools/luci-go: git_revision:f784260b204b2d93c7bd6d1a619f09c6822e5926..git_revision:cbabdf2ff62e64e99bfdf57ab5625d3da3eb5db9

Rolling v8/tools/luci-go: git_revision:f784260b204b2d93c7bd6d1a619f09c6822e5926..git_revision:cbabdf2ff62e64e99bfdf57ab5625d3da3eb5db9

TBR=v8-waterfall-sheriff@grotations.appspotmail.com

Change-Id: I73becb94dcd7fba838472e99d0bb9202146b221f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2822914
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#73926}
-
Yahan Lu authored
Clean todo comment in constant-riscv64.h about PCRelativeJumpRange.

Change-Id: I9067134e96e4801fbd1f976d0e5d033085d5f133
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817975
Reviewed-by: Brice Dobry <brice.dobry@futurewei.com>
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/master@{#73925}
-
- 12 Apr, 2021 32 commits
-
-
Shu-yu Guo authored
With a shared cage, there's no easy way to recover an Isolate from a heap pointer. Symbol::Description relies on RO symbols' description slot being uncompressed so a Handle could point to it. This isn't possible with a shared cage without going through TLS to get an Isolate for Handle construction, so deprecate the method in favor of one that takes an Isolate directly.

Bug: v8:11460
Change-Id: I69b2b7d77f4c00d0f58954cd80e22cba5ff222e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2802860
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73924}
-
Milad Fa authored
Port 5e0b94c4

Original Commit Message:

    This CL adds features to pack/unpack map words. Currently V8 cannot store extra metadata in object headers -- because V8 objects do not have a proper header, but only a map pointer at the start of the object. To store per-object metadata like marking data, a side table is required as the per-object metadata storage.

    This CL enables V8 to use higher unused bits in a 64-bit map word as per-object metadata storage. Map pointer stores come with an extra step to encode the metadata into the pointer (we call it "map packing"). Map pointer loads will also remove the metadata bits as well (we call it "map packing").

    Since the map word is no longer a valid pointer after packing, we also change the tag of the packed map word to make it look like a Smi. This helps various GC and barrier code to correctly skip them instead of blindly dereferencing this invalid pointer.

    A ninja flag `v8_enable_map_packing` is provided to turn this map-packing feature on and off. It is disabled by default.

    * Only works on x64 platform, with `v8_enable_pointer_compression` set to `false`

R=wenyu.zhao@anu.edu.au, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N

Change-Id: I4a13093e7b20bb38990d947c697008a920cfe715
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821649
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73923}
-
Michael Lippautz authored
Bug: v8:11635
Change-Id: I71c5542a503ca4b94fc3c8746e96fb0bc4e6c1f8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2822628
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73922}
-
Junliang Yan authored
Change-Id: Icb0d165c97e4a08d4111dd1ad0e1402f4a28746f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821634
Reviewed-by: Milad Fa <mfarazma@redhat.com>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73921}
-
Jochen Eisinger authored
It's used when setting up the context snapshot for blink, so we want to be sure that it doesn't execute script.

Bug: chromium:728583
Change-Id: I46507e18d178e6473dd10348a9f253016a9178b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2807615
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73920}
-
Deepti Gandluri authored
Finer-grained control of platforms that support threads is enforced by chromium.

Bug: chromium:1167733
Change-Id: Ic34a4950aebf6ba394053b79df97b703af333636
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2810190
Reviewed-by: Lutz Vahl <vahl@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73919}
-
Thibaud Michaud authored
R=ahaas@chromium.org

Bug: chromium:1197408
Change-Id: I9a9ede5cf141cd7d19b67438465bcba35e2b87f6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821543
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73918}
-
Andreas Haas authored
The existing code assumes that the number of inputs is fixed to 4. However, the fuzzer says that at least 5 inputs are also possible. This CL makes the number of inputs more flexible.

CC=sam.parker@arm.com

Bug: chromium:1197393
Change-Id: I487ac96570b96f04b4d0a47065e7b383ba39016f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821435
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73917}
-
Shu-yu Guo authored
The pointer compression cage is the virtual memory reservation that all compressed pointers fall within. This CL splits pointer compression into two modes: a per-Isolate cage and a shared cage among multiple Isolates.

When multiple Isolates are sharing a cage, they can decompress each others' pointers and share the same virtual memory range.

Bug: v8:11460
Change-Id: I7b89b7413b8e7ca6b8b6faafd083dc387542a8b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2783674
Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73916}
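The per-isolate versus shared cage distinction, as an added example that is not V8 code: a compressed pointer is the low 32 bits of an address, and decompression adds back whichever cage base the reader holds. Two isolates that share a base recover each other's pointers exactly; two isolates with separate cages turn the same 32-bit value into an address inside the reader's own heap, which is why cross-isolate pointer sharing is only possible in the shared mode. The 4 GB reservation size is V8's; the Cage/Isolate structs, helper names and sample addresses are assumptions for illustration.

```cpp
// Added example (not V8 code): compressed pointers and the cage they
// decompress into. Structs, helper names and sample addresses are assumptions.
#include <cstdint>
#include <optional>

using Address = uint64_t;
using Tagged_t = uint32_t;  // on-heap representation of a compressed pointer

// Size of the virtual reservation that every compressed pointer must fall in.
constexpr uint64_t kPtrComprCageReservationSize = uint64_t{1} << 32;

struct Cage {
  Address base;  // assumed aligned to the reservation size, so the low 32
                 // bits of any in-cage address are exactly its offset
  bool Contains(Address a) const {
    return a >= base && a < base + kPtrComprCageReservationSize;
  }
};

// Refuses a misaligned base: with one, base + offset would not round-trip.
std::optional<Cage> MakeCage(Address base) {
  if (base % kPtrComprCageReservationSize != 0) return std::nullopt;
  return Cage{base};
}

// Compression keeps only the low 32 bits; the cage base is implicit.
Tagged_t CompressTagged(Address a) { return static_cast<Tagged_t>(a); }

// Decompression re-attaches a base. Whoever decompresses chooses which one.
Address DecompressTagged(const Cage& cage, Tagged_t c) {
  return cage.base + static_cast<Address>(c);
}

struct Isolate {
  Cage cage;
};

// True if `reader` recovers exactly the pointer `owner` stored: always when
// both run in one shared cage, never reliably when each has its own cage.
bool RoundTrips(const Isolate& owner, const Isolate& reader, Address obj) {
  if (!owner.cage.Contains(obj)) return false;  // not a valid pointer for owner
  return DecompressTagged(reader.cage, CompressTagged(obj)) == obj;
}

// Where the reader's decompression actually lands. With separate cages this
// is a live address inside the reader's own heap: no fault, just the wrong
// object, i.e. a silent type confusion rather than a crash.
Address WhereItLands(const Isolate& reader, Address obj) {
  return DecompressTagged(reader.cage, CompressTagged(obj));
}
```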
-
Wenyu Zhao authored
This CL adds features to pack/unpack map words. Currently V8 cannot store extra metadata in object headers -- because V8 objects do not have a proper header, but only a map pointer at the start of the object. To store per-object metadata like marking data, a side table is required as the per-object metadata storage.

This CL enables V8 to use higher unused bits in a 64-bit map word as per-object metadata storage. Map pointer stores come with an extra step to encode the metadata into the pointer (we call it "map packing"). Map pointer loads will also remove the metadata bits as well (we call it "map packing").

Since the map word is no longer a valid pointer after packing, we also change the tag of the packed map word to make it look like a Smi. This helps various GC and barrier code to correctly skip them instead of blindly dereferencing this invalid pointer.

A ninja flag `v8_enable_map_packing` is provided to turn this map-packing feature on and off. It is disabled by default.

* Only works on x64 platform, with `v8_enable_pointer_compression` set to `false`

Bug: v8:11624
Change-Id: Ia2bdf79553945e5fc0b0874c87803d2cc733e073
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2247561
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73915}
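The packing scheme described in this commit (and repeated in the port commit earlier on this page), as an added example written for this page rather than taken from V8: metadata goes into the unused high bits of the 64-bit map word, the heap-object tag is cleared so the word reads as a Smi to anything that scans it, and the load side strips the metadata and restores the tag. What is real here is V8's tagging convention (heap pointers have the low bit set, Smis have it clear); the 48-bit split, the constants, the function names and the sample pointer are assumptions, and V8's actual encoding under `v8_enable_map_packing` differs in detail.

```cpp
// Added example (not V8 code): a simplified model of map-word packing.
// Bit layout, constants and names are assumptions for illustration.
#include <cstdint>

// V8's tagging convention: heap object pointers end in 01, Smis end in 0.
constexpr uint64_t kHeapObjectTag = 1;
constexpr uint64_t kHeapObjectTagMask = 3;

// Assumed layout: user-space x64 pointers fit in the low 48 bits, leaving
// the top 16 bits free for per-object metadata (e.g. a mark bit).
constexpr unsigned kMetadataShift = 48;
constexpr uint64_t kPointerMask = (uint64_t{1} << kMetadataShift) - 1;
constexpr uint64_t kMetadataMask = ~kPointerMask;

using MapWord = uint64_t;

inline bool HasHeapObjectTag(uint64_t word) {
  return (word & kHeapObjectTagMask) == kHeapObjectTag;
}
inline bool LooksLikeSmi(uint64_t word) { return (word & 1) == 0; }

// What a GC visitor or write barrier does with a slot: follow it only if it
// carries the heap-object tag. A packed map word is skipped, never dereferenced.
inline bool ShouldVisitSlot(uint64_t word) { return HasHeapObjectTag(word); }

// Store side: fold the metadata into the high bits and drop the tag bits.
// Returns 0 (which no valid pointer packs to) if the input is not a clean
// tagged pointer in the low 48 bits.
MapWord PackMapWord(uint64_t map_ptr, uint16_t metadata) {
  if (!HasHeapObjectTag(map_ptr) || (map_ptr & kMetadataMask) != 0) return 0;
  uint64_t packed = (map_ptr & ~kHeapObjectTagMask) |
                    (static_cast<uint64_t>(metadata) << kMetadataShift);
  return packed;  // low bit is now 0: the word looks like a Smi
}

// Load side: strip the metadata and restore the tag to get the real pointer.
uint64_t UnpackMapPointer(MapWord packed) {
  return (packed & kPointerMask) | kHeapObjectTag;
}

uint16_t MapWordMetadata(MapWord packed) {
  return static_cast<uint16_t>(packed >> kMetadataShift);
}

// Update only the metadata, leaving the pointer bits untouched.
MapWord SetMapWordMetadata(MapWord packed, uint16_t metadata) {
  return (packed & kPointerMask) | (static_cast<uint64_t>(metadata) << kMetadataShift);
}
```

The invariant worth keeping in mind when reading the real implementation: every consumer of a map slot must agree on whether the word is packed. A reader that treats a packed word as a plain pointer dereferences `map_ptr | metadata << 48`, and a reader that unpacks an unpacked word silently discards the top bits of a real pointer.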
-
Junliang Yan authored
Change-Id: Ic7ed7938527dcf32d856a965da86a33cd713b83d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821630
Reviewed-by: Milad Fa <mfarazma@redhat.com>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73914}
-
Ross McIlroy authored
BUG=chromium:1180335

Change-Id: Ic6e4d18595b1003a036d247e8b11b03fcdae9b01
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821538
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73913}
-
QiuJi authored
Refs: https://bugs.chromium.org/p/v8/issues/detail?id=11628

Change-Id: Ia651b14acd6fc3293abddbe5e49277d8dadb19ba
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814563
Reviewed-by: Brice Dobry <brice.dobry@futurewei.com>
Commit-Queue: Brice Dobry <brice.dobry@futurewei.com>
Cr-Commit-Position: refs/heads/master@{#73912}
-
Santiago Aboy Solanes authored
We have to have special rules for bit_fields since multiple accessors touch the same field. I used:

* If the accessor is set at map initialization time only and:
  * only the main thread accesses it: non-atomic write/read
  * bg accesses it too: non-atomic write, relaxed read (read has to be relaxed due to the whole bit_field being modified concurrently via other bit_field3 accessors)
* If the accessor is set after map initialization:
  * but it is not necessary for synchronization: relaxed write/read
  * If the accessor is needed for synchronization: release/acquire

As a note, Map::NumberOfOwnDescriptors are the bits accessed by the concurrent marker. For concurrent marker reasons it can be relaxed, but we would like it to be release/acquire for the compiler since that's where we synchronize Maps with adding descriptors to the descriptor array.

Bug: v8:7790, chromium:1150811
Change-Id: I0ba7d2f8cb81d65a487970b4ea0bfa2a4cb3a975
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773286
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73911}
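The access rules above applied to a toy Map, as an added example that is not V8 code: one 32-bit `bit_field3` word holds both a flag set once at initialization (read relaxed by background threads, because the word keeps changing underneath them) and the descriptor count that publishes the descriptor array to the background compiler (release on the main-thread store, acquire on the background load). The bit layout, the fixed-capacity descriptor storage standing in for a DescriptorArray and all names are assumptions for illustration; the init-time write is modelled with a relaxed store because `std::atomic` has no plain write.

```cpp
// Added example (not V8 code): memory orders for fields sharing one word.
// Layout, names and the descriptor storage are assumptions for illustration.
#include <array>
#include <atomic>
#include <cstdint>

// Assumed layout of bit_field3: bits 0-9 NumberOfOwnDescriptors, bit 10
// IsDeprecated, remaining bits unused.
constexpr uint32_t kNumberOfOwnDescriptorsBits = 10;
constexpr uint32_t kNumberOfOwnDescriptorsMask = (1u << kNumberOfOwnDescriptorsBits) - 1;
constexpr uint32_t kIsDeprecatedBit = 1u << 10;
constexpr uint32_t kMaxDescriptors = kNumberOfOwnDescriptorsMask;  // largest storable count

struct Map {
  std::atomic<uint32_t> bit_field3{0};
  // Preallocated slot area standing in for a DescriptorArray; the count in
  // bit_field3 says how many slots are initialized.
  std::array<int, kMaxDescriptors> descriptors{};

  // Rule "set at init, bg reads it too": the write happens before any
  // background thread exists (V8 uses a plain write; relaxed is the closest
  // std::atomic form). The read must be a relaxed atomic load, not a plain
  // load, because other accessors keep rewriting the same word concurrently.
  void set_is_deprecated_at_init(bool v) {
    uint32_t w = bit_field3.load(std::memory_order_relaxed);
    w = v ? (w | kIsDeprecatedBit) : (w & ~kIsDeprecatedBit);
    bit_field3.store(w, std::memory_order_relaxed);
  }
  bool is_deprecated() const {
    return (bit_field3.load(std::memory_order_relaxed) & kIsDeprecatedBit) != 0;
  }

  // Rule "needed for synchronization": main thread only. Write the slot,
  // then release-store the new count so the slot write happens-before any
  // acquire-load that observes the incremented count. The other bits of the
  // word are carried over unchanged.
  bool AppendDescriptor(int d) {
    uint32_t w = bit_field3.load(std::memory_order_relaxed);
    uint32_t n = w & kNumberOfOwnDescriptorsMask;
    if (n >= kMaxDescriptors) return false;
    descriptors[n] = d;
    bit_field3.store((w & ~kNumberOfOwnDescriptorsMask) | (n + 1), std::memory_order_release);
    return true;
  }

  // Background compiler: acquire, so slots below the count are safe to read.
  uint32_t NumberOfOwnDescriptorsAcquire() const {
    return bit_field3.load(std::memory_order_acquire) & kNumberOfOwnDescriptorsMask;
  }
  // Concurrent marker: only needs the number, not the slot contents.
  uint32_t NumberOfOwnDescriptorsRelaxed() const {
    return bit_field3.load(std::memory_order_relaxed) & kNumberOfOwnDescriptorsMask;
  }
};

// What a background consumer may safely do: read the count with acquire and
// touch only the slots it covers.
long SumVisibleDescriptors(const Map& m) {
  uint32_t n = m.NumberOfOwnDescriptorsAcquire();
  long s = 0;
  for (uint32_t i = 0; i < n; ++i) s += m.descriptors[i];
  return s;
}
```

The pairing is the point: a relaxed load of the count would be fine for the marker, which only counts, but a compiler thread that went on to read `descriptors[i]` after a relaxed load would have no guarantee the slot write is visible yet.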
-
Camillo Bruni authored
Make runtime-call-stats a compile-time flag. Disabling RCS saves roughly 1MB binary size on 64bit systems and yields minor performance improvements.

Bug: v8:11299
Change-Id: Ia1db75e330a665db5251b685c164b96857e38d2d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2799766
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73910}
-
Georg Neis authored
We have to respect the TypeCheckKind.

Bug: chromium:1195777
Change-Id: If1eed719fef79b7c61d99c29ba869ddd7985c413
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817791
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73909}
-
Yahan Lu authored
Skip wasm/simd test for riscv64.
Add builtin info when calling a builtin.

Port 064ca18c

Change-Id: I1150de98a95231abf9d5def9e95ad38a8a42bbb3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814128
Reviewed-by: Brice Dobry <brice.dobry@futurewei.com>
Commit-Queue: Brice Dobry <brice.dobry@futurewei.com>
Cr-Commit-Position: refs/heads/master@{#73908}
-
Junliang Yan authored
Change-Id: Ia49c840d5e87554dd28222ba96dcba860a21d051
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821648
Reviewed-by: Milad Fa <mfarazma@redhat.com>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73907}
-
Mike Stanton authored
If a loop is removed in dead code elimination, we may have a dead node in the control chain. This wasn't expected, and endless recursion could result.

Bug: chromium:1196185
Change-Id: Id6d69d0eaed11b0c6158b5643d3433b11611af59
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817792
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73906}
-
Maya Lekova authored
This CL makes more assumptions in the fast-api-call mjsunit test explicit and specifies --deopt-every-n-times=0 for it, as it relies on particular optimization/deoptimization sequences. It also fixes an inconsistency between the fast/slow path results.

Bug: v8:11620
Change-Id: I385949a04534cd1658236878875efa6622936bc5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817607
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73905}
-
Andreas Haas authored
In Isolate::UnwindAndFindHandler(), the thread-in-wasm flag was set before the destructor of some objects in that function got executed, e.g. the destructor of {WasmCodeRefScope}. On Windows-asan, these destructors could throw exceptions (asan on Windows uses exceptions for its memory access tracking), which get handled initially by the wasm trap handler, and would thereby invalidate the thread-in-wasm flag.

With this CL a new scope gets introduced which makes sure that setting the thread-in-wasm flag is the last thing that happens in Isolate::UnwindAndFindHandler().

Bug: chromium:1195595
Change-Id: If9f5f486c55b3bc2718a1d5aee3e3bd290d0ff35
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817598
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73904}
-
Georg Neis authored
Bug: chromium:1196683
Change-Id: Ib4ea738b47b64edc81450583be4c80a41698c3d1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2820971
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73903}
-
Jakob Gruber authored
Several spots in arm codegen require 24-bit integers; since getting this wrong is usually a security problem, let's change these DCHECKs into CHECKs.

Bug: chromium:1197363
Change-Id: I277dc8fe4771adae89375adbe19a33d2c9f6783c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2820972
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73902}
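Why a range check on a 24-bit field has to survive into release builds, as an added example that is not V8 code: an encoder that masks an offset into 24 bits without checking it turns an out-of-range offset into a well-formed branch to the wrong target, and a DCHECK that only exists in debug builds does nothing about it in the binary that ships. The instruction layout below is a simplified model of an ARM B instruction (24-bit signed word offset, 0xEA condition/opcode prefix); the CHECK/DCHECK macros, the `is_int24` helper and the function names are assumptions written for this example, not V8's own definitions.

```cpp
// Added example (not V8 code): silent truncation of a 24-bit immediate versus
// a check that fires in release builds. Macro and helper names are assumptions.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <optional>

// CHECK aborts in every build; DCHECK compiles to nothing unless DEBUG is set,
// which is exactly why a security-relevant range check must not be a DCHECK.
#define CHECK(cond)                                                  \
  do {                                                               \
    if (!(cond)) {                                                   \
      std::fprintf(stderr, "CHECK failed: %s\n", #cond);             \
      std::abort();                                                  \
    }                                                                \
  } while (0)
#ifdef DEBUG
#define DCHECK(cond) CHECK(cond)
#else
#define DCHECK(cond) ((void)0)
#endif

constexpr bool is_int24(int64_t v) {
  return v >= -(int64_t{1} << 23) && v < (int64_t{1} << 23);
}
constexpr bool is_uint24(int64_t v) { return v >= 0 && v < (int64_t{1} << 24); }

// Unchecked encoder: masks the offset into the 24-bit field. An out-of-range
// offset does not fail; it produces a valid instruction with a different target.
uint32_t EncodeBranchUnchecked(int32_t word_offset) {
  return 0xEA000000u | (static_cast<uint32_t>(word_offset) & 0x00FFFFFFu);
}

// What the CPU does with the emitted word: sign-extend the low 24 bits.
int32_t DecodeBranchOffset(uint32_t insn) {
  return static_cast<int32_t>(insn << 8) >> 8;
}

// Debug-only guard: identical to the unchecked version in a release build.
uint32_t EncodeBranchDChecked(int32_t word_offset) {
  DCHECK(is_int24(word_offset));
  return EncodeBranchUnchecked(word_offset);
}

// Release-build guard: an out-of-range offset terminates the process instead
// of being emitted.
uint32_t EncodeBranchChecked(int32_t word_offset) {
  CHECK(is_int24(word_offset));
  return EncodeBranchUnchecked(word_offset);
}

// Non-aborting variant for callers that can report the failure upwards.
std::optional<uint32_t> TryEncodeBranch(int32_t word_offset) {
  if (!is_int24(word_offset)) return std::nullopt;
  return EncodeBranchUnchecked(word_offset);
}

// Round trip used to demonstrate the failure: true only if the encoded
// instruction still branches where the caller asked.
bool EncodesFaithfully(int32_t word_offset) {
  return DecodeBranchOffset(EncodeBranchUnchecked(word_offset)) == word_offset;
}
```

The test below exercises the boundary: 0x7FFFFF round-trips, 0x800000 (one past the signed 24-bit range) decodes as -0x800000, so the unchecked and DCHECK-only encoders would emit a branch in the opposite direction without complaint.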
-
Camillo Bruni authored
Bug: chromium:1193459
Change-Id: I6d9dace9341e96f2586a469d7e16bfa38bf68029
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2810845
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73901}
-
Marja Hölttä authored
The de-duplication happens when
1) we have a JSFunction for an outer function and a JSFunction for its inner function in the snapshot and
2) we call the outer function again after deserializing

Expectation: the created JSFunction for the inner function uses the SFI which was created when deserializing.

Bug: v8:11525
Change-Id: I80933514873e857452585317248fa34913d8d8e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2794438
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73900}
-
Benedikt Meurer authored
This is a reland of 2b94e567

Original change's description:
> [inspector] Report [[Prototype]] as internal property.
>
> Previously the inspector was trying to add a special `__proto__` property to every JSObject, which looked and behaved like a real data property on the object. But this is confusing to developers since `__proto__` is not a real data property, but usually an accessor property on the `Object.prototype`.
>
> Additionally all other internal properties are reported using the [[Name]] notation, with the [[Prototype]] having been the strange outlier.
>
> Drive-by-cleanup: Use an ArrayList to collect the name/value pairs inside Runtime::GetInternalProperties(), which makes this function more readable and easier to add things.
>
> Bug: chromium:1162229
> Fixed: chromium:1197019
> Screenshot: https://imgur.com/a/b7TZ32s.png
> Change-Id: Ic4c1e35e2e65f90619fcc12bf3a72806cadb0794
> Doc: http://doc/1Xetnc9s6r0yy4LnPbqeCwsnsOtBlvJsV4OCdXMZ1wCM
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814565
> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73881}

Bug: chromium:1162229, chromium:1197019
Screenshot: https://imgur.com/a/b7TZ32s.png
Doc: http://doc/1Xetnc9s6r0yy4LnPbqeCwsnsOtBlvJsV4OCdXMZ1wCM
Change-Id: Ie1e2276b385b18a5f865fdae583d1ce0101157c0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2820970
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73899}
-
Brendon Tiszka authored
Defence in depth patch to prevent JavaScript from executing from within IterateElements.

R=ishell@chromium.org
R=cbruni@chromium.org

Bug: chromium:1195977
Change-Id: Ie59d468b73b94818cea986a3ded0804f6dddd10b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2819941
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73898}
-
Liqiang Tao authored
Change-Id: Ia88e43711d54e1aa651757f6a2bac7005b4274aa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814129
Reviewed-by: Brice Dobry <brice.dobry@futurewei.com>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73897}
-
Michael Achenbach authored
Fuzz tests could mess with some library methods used by stubs for NaN-pattern problems in typed arrays. This change makes the stubs more robust.

Bug: chromium:1197627
Change-Id: I84975f798d616fd5e82fd9ab84ad01fc35336a04
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2820968
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73896}
-
Maya Lekova authored
This CL enables the fast-api-calls mjsunit test again on gc_stress with a fix for --stress-flush-bytecode.

Change-Id: I3a65f8cb4ec319945319d533ed92241b14f624c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817604
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73895}
-
Yahan Lu authored
Port pc-relative builtin-to-builtin calls.

Port: ccc068d5

Change-Id: I1d11dd1e77ca578f7714864e4e090493fa8bca0a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814722
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Brice Dobry <brice.dobry@futurewei.com>
Cr-Commit-Position: refs/heads/master@{#73894}
-
Manos Koukoutos authored
Changes:
- Rename Uint32ToUintptr() -> BuildChangeUint32ToUintPtr() for consistency.
- Simplify smi conversions.
- Remove an unneeded TruncateInt64ToInt32() conversion.

Change-Id: I6f3213fc57e03019d2cb26592ecd4db396bd01d5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817600
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73893}
-