- 28 Oct, 2019 6 commits
-
Ross McIlroy authored
When rewiring a block to throw, we need to remove the current block from the list of predecessors for all of our successors, as well as clearing our current successors. BUG=v8:9684 Change-Id: I0da063b2ef707f07ea27a5f72cabd2ff9a91cc42 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1881154 Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#64579}
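The invariant behind this message, as an added example that is not V8's scheduler code: every successor edge of a block must be mirrored by a predecessor edge on the target, so turning a block into a throwing block means unlinking it from each successor's predecessor list before clearing its own successor list. The `BasicBlock`, `Diamond` and `RewireToThrow` names below are illustrative; the `unlink_predecessors == false` path reproduces the incomplete variant the message describes, and `EdgesConsistent` is the kind of debug check that catches the stale back edge it leaves behind.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

// Illustrative CFG block (not V8's BasicBlock): both adjacency lists are kept.
struct BasicBlock {
  int id;
  bool throws = false;
  std::vector<BasicBlock*> successors;
  std::vector<BasicBlock*> predecessors;
  explicit BasicBlock(int i) : id(i) {}
};

// Adds a directed edge and records it on both endpoints.
void AddEdge(BasicBlock* from, BasicBlock* to) {
  from->successors.push_back(to);
  to->predecessors.push_back(from);
}

// Turns `block` into a throwing block. With unlink_predecessors == true the
// block is erased from every former successor's predecessor list first; with
// false only the successor list is cleared, which leaves stale back edges.
void RewireToThrow(BasicBlock* block, bool unlink_predecessors) {
  if (unlink_predecessors) {
    for (BasicBlock* succ : block->successors) {
      auto& preds = succ->predecessors;
      preds.erase(std::remove(preds.begin(), preds.end(), block), preds.end());
    }
  }
  block->successors.clear();
  block->throws = true;
}

// Debug-style invariant: each successor edge has a matching predecessor edge
// and vice versa.
bool EdgesConsistent(const std::vector<BasicBlock*>& blocks) {
  for (const BasicBlock* b : blocks) {
    for (const BasicBlock* s : b->successors) {
      if (std::find(s->predecessors.begin(), s->predecessors.end(), b) ==
          s->predecessors.end())
        return false;
    }
    for (const BasicBlock* p : b->predecessors) {
      if (std::find(p->successors.begin(), p->successors.end(), b) ==
          p->successors.end())
        return false;
    }
  }
  return true;
}

// Constructed sample graph: entry -> {left, right} -> merge.
struct Diamond {
  BasicBlock entry{0}, left{1}, right{2}, merge{3};
  Diamond() {
    AddEdge(&entry, &left);
    AddEdge(&entry, &right);
    AddEdge(&left, &merge);
    AddEdge(&right, &merge);
  }
  std::vector<BasicBlock*> All() { return {&entry, &left, &right, &merge}; }
};

// Rewires `left` to throw and reports whether the CFG invariant still holds.
bool RewireKeepsInvariant(bool unlink_predecessors) {
  Diamond g;
  RewireToThrow(&g.left, unlink_predecessors);
  return EdgesConsistent(g.All());
}

// Number of predecessors `merge` still lists after `left` was rewired.
std::size_t MergePredecessorCount(bool unlink_predecessors) {
  Diamond g;
  RewireToThrow(&g.left, unlink_predecessors);
  return g.merge.predecessors.size();
}

int main() {
  std::printf("correct rewire keeps invariant: %d (merge preds=%zu)\n",
              RewireKeepsInvariant(true), MergePredecessorCount(true));
  std::printf("incomplete rewire keeps invariant: %d (merge preds=%zu)\n",
              RewireKeepsInvariant(false), MergePredecessorCount(false));
  return 0;
}
```

The incomplete variant leaves `merge` believing `left` still flows into it, which is exactly the dangling predecessor a later scheduling pass would trip over.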
-
Michael Starzinger authored
R=jgruber@chromium.org BUG=v8:6666,v8:9810 Change-Id: I972983d8e86729843f4a1bbe050e3b37a3c0c61c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1881147 Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#64578}
-
Victor Gomes authored
A bit was added in the context length slot to indicate if the context had an extension slot. It turns out that we need this information much earlier and so this flag is now in the scope info instead. This CL removes this bit from length, since it was not used anymore. I also renamed HasContextExtension to HasContextExtensionSlot to differentiate from Context::has_extension which returns true only if the context has an extension slot and the extension is not the undefined object. Bug: v8:9744 Change-Id: I7c37105b7afed34e8f480a64596fab285388f21b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1879935 Commit-Queue: Victor Gomes <victorgomes@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#64577}
-
Jakob Gruber authored
Debug infos for embedded builtins (associating a file and line number with certain code ranges) should only be emitted in debug modes. This CL disables source position emission in Torque in release builds, and adds checks that the external filename / source position lists are empty in release builds. Bug: v8:9910 Change-Id: Ic69683a2324c3b334150ee2b7da9972fbee56483 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1879903 Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#64576}
-
Z Nguyen-Huu authored
This code is triggered by Runtime_ArrayIncludes_Slow. The elements kind changes from DICTIONARY (with an accessor property added using Object.defineProperty) to empty DICTIONARY (by setting the length to 0), to frozen/sealed/non-extensible elements. This elements kind transition happened inside an accessor property invoked by Array.includes. Bug: v8:9894 Change-Id: I224ceb537ff358a30a6e00414c71d6fe18924bb4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1876994 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#64575}
-
v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/66bcca0..2b40e7b TBR=machenbach@chromium.org,tmrts@chromium.org Change-Id: Ice498a61cfe92db159bb1252c027110c783e8ff2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1880337 Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/master@{#64574}
-
- 27 Oct, 2019 1 commit
-
v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/5ffa0f3..66bcca0 Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/4b1db19..7568fa8 TBR=machenbach@chromium.org,tmrts@chromium.org Change-Id: I75e5585d71fcb5f7345c3f5eb55539299b89118d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1880335 Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/master@{#64573}
-
- 26 Oct, 2019 1 commit
-
v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/a193dcc..5ffa0f3 Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/a38631c..4b1db19 Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/86244d6..ebba8d7 Rolling v8/third_party/instrumented_libraries: https://chromium.googlesource.com/chromium/src/third_party/instrumented_libraries/+log/e289777..b627b3e TBR=machenbach@chromium.org,tmrts@chromium.org Change-Id: I157db7c4d8458a4a489670bbfa5a245b4650f546 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1880333 Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/master@{#64572}
-
- 25 Oct, 2019 17 commits
-
Liviu Rau authored
Bug: v8:9898 Change-Id: Ie6cd40e2dc8e575dbaf8fa8543a93d5dce3dfd64 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1881158 Commit-Queue: Michael Achenbach <machenbach@chromium.org> Reviewed-by: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#64571}
-
Milad Farazmand authored
Port 36ab93d8 Original Commit Message: Port 3cad6bf5 Original Commit Message: This is a reland of c7c47c68. This makes TSAN happy in addition to: Previously I presumed that the context read from a frame in the profiler was a valid context. Turns out that on non-intel we're not guaranteed that the frame is properly set up. In the case we looked at, the profiler took a sample right before writing the frame marker indicating a builtin frame, causing the "context" pointer from that frame to be a bytecode array. Since we'll read random garbage on the stack as a possible context pointer, I made the code reading the native context from it a little more defensive. Original change's description: > [runtime] Move Context::native_context to the map > > Remove the native context slot from contexts by making context maps > native-context-specific. Now we require 2 loads to go from a context to the > native context, but we have 1 field fewer to store when creating contexts. > > Change-Id: I3c0d7c50c94060c4129db684f46a567de6f30e8d > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1859629 > Commit-Queue: Toon Verwaest <verwaest@chromium.org> > Reviewed-by: Igor Sheludko <ishell@chromium.org> > Reviewed-by: Peter Marshall <petermarshall@chromium.org> > Reviewed-by: Maya Lekova <mslekova@chromium.org> > Reviewed-by: Georg Neis <neis@chromium.org> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > Reviewed-by: Toon Verwaest <verwaest@chromium.org> > Cr-Commit-Position: refs/heads/master@{#64296} R=miladfar@ca.ibm.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com BUG= LOG=N Change-Id: I996a1f5096b34fc556918752224ff51889f0a5ce Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1879443 Reviewed-by: Junliang Yan <jyan@ca.ibm.com> Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com> Cr-Commit-Position: refs/heads/master@{#64570}
-
Santiago Aboy Solanes authored
Some code was moved from code stub assembler here in https://chromium-review.googlesource.com/c/v8/v8/+/1822041 Bug: v8:9810, v8:6949 Change-Id: I0e6735a6b6d9cd516bddf9a65ce190193e52c38a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1881151 Reviewed-by: Dan Elphick <delphick@chromium.org> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Cr-Commit-Position: refs/heads/master@{#64569}
-
Santiago Aboy Solanes authored
Bug: v8:9810, v8:6949 Change-Id: I0985606cb05c44e03390194012bc6f9e8fc8d629 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1881150 Reviewed-by: Mythri Alle <mythria@chromium.org> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Cr-Commit-Position: refs/heads/master@{#64568}
-
Bartek Nowierski authored
Change-Id: Ieb7febc3a9a14f3d98898e66443705c1a1de195a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1880903 Commit-Queue: Bartek Nowierski <bartekn@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#64567}
-
Igor Sheludko authored
... and reimplement TryNumberToUintPtr. Bug: v8:4153 Change-Id: I3b683b6a41ebf49229aee4ceea4910e94d35ccca Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1876817 Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#64566}
-
Ulan Degenbaev authored
Change-Id: I5f73a541d22257d4fbb21e619ad2b62068c267f6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1879940 Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#64565}
-
Dominik Inführ authored
Increment pages_freed each time a page was swept. Before, pages_freed was always 0, which meant that the max_pages argument did not have any effect. Change-Id: Id8908bdeb38e262e09b4069893f8f81209568080 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1872399 Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/master@{#64564}
-
Michael Starzinger authored
R=miladfar@ca.ibm.com Change-Id: I42963b089243c45a3d065fb00e2864500bd33afb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1879934 Reviewed-by: Milad Farazmand <miladfar@ca.ibm.com> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#64563}
-
Michael Starzinger authored
R=clemensb@chromium.org BUG=v8:9810 Change-Id: I4bfd667952cb933a131701c692cad18857df2244 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1878711 Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#64562}
-
Leszek Swirski authored
Move around some methods to make LargeObjectSpace (mostly) thread-independent. Bug: chromium:1011762 Change-Id: I4cc512979a30fa21fd9cb3a90592761cbb01a303 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1878709 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#64561}
-
Leszek Swirski authored
Both LO_SPACE and NEW_LO_SPACE use the basic page management system of LargeObjectSpace, but implement different AllocateRaw methods (with the NEW_LO_SPACE version shadowing the LO_SPACE version). To clean this up, and to allow other future LargeObjectSpace implementations (in particular, an off-thread variant), this CL refactors the current LargeObjectSpace into a base class and makes both LargeObjectSpace (renamed to OldLargeObjectSpace) and NewLargeObjectSpace extend this class. Bug: chromium:1011762 Change-Id: I41b45b97f2611611dcfde677213131396df03a5e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1876824 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#64560}
-
v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/b293e4f..a193dcc Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/bf69ed0..a38631c Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/ea98ebb..86244d6 Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/aa07e59..662cbb8 TBR=machenbach@chromium.org,tmrts@chromium.org Change-Id: Iceb07046b9104a8f17303ed25b5d68713ec62216 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1880947 Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/master@{#64559}
-
Clemens Backes authored
This is a reland of bc8ad334. The CL was innocent, thus unmodified reland with TBR. Original change's description: > [wasm][debug] Report global scope also for compiled frames > > The global scope (containing global values and the memory) can be > produced from the instance alone, hence we can also report it for > compiled frames. > > R=mstarzinger@chromium.org, jgruber@chromium.org > > Bug: v8:9676 > Change-Id: I20fbb74a98b00b128b6ed305b92fb56ad7dc7558 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1876816 > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > Commit-Queue: Clemens Backes <clemensb@chromium.org> > Cr-Commit-Position: refs/heads/master@{#64547} TBR=mstarzinger@chromium.org Bug: v8:9676 Change-Id: I2486a007156b7197d523f62ca3c30e29e7650b63 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1879929 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#64558}
-
Michael Achenbach authored
NOTRY=true Bug: chromium:1018099 Change-Id: I14de41aac11220fedb58cda9bf5ce66424ff381c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1879932 Reviewed-by: Tamer Tas <tmrts@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#64557}
-
Michael Starzinger authored
This class used to describe unoptimized but compiled frames. All such frames are by now covered via the architecture-independent description in the {StandardFrameConstants} class (or one of its subclasses). R=clemensb@chromium.org BUG=v8:9810 Change-Id: I294cc6eec7d4a05e88e7aa336f1ebedfa0eb6e98 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1878708 Reviewed-by: Clemens Backes <clemensb@chromium.org> Reviewed-by: Michael Stanton <mvstanton@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#64556}
-
Liviu Rau authored
Basically we expose and put to shame the offending process R=tmrts@chromium.org Bug: v8:9855 Change-Id: I322e3f9db487b53e8cbfc8a5edd696fa8b480f84 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1878707 Commit-Queue: Liviu Rau <liviurau@chromium.org> Reviewed-by: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#64555}
-
- 24 Oct, 2019 15 commits
-
Shu-yu Guo authored
This reverts commit 2599d3cc. Reason for revert: Test fails with OOM on Arm64 - N5X (https://ci.chromium.org/p/v8/builders/ci/V8%20Android%20Arm64%20-%20N5X/6514) and is racy on predictable builds (https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20predictable/27044) Original change's description: > [wasm] Fix incorrect check for growing shared WebAssembly.memory > > Bug: chromium:1010272 > Change-Id: Ieff61089255ee088fad45f15a0f1a8f93eeec94b > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1869077 > Commit-Queue: Deepti Gandluri <gdeepti@chromium.org> > Reviewed-by: Andreas Haas <ahaas@chromium.org> > Cr-Commit-Position: refs/heads/master@{#64525} TBR=mstarzinger@chromium.org,gdeepti@chromium.org,ahaas@chromium.org Change-Id: I738a4021a80202c9b822815b922de31f95054fe6 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: chromium:1010272 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1879513 Reviewed-by: Shu-yu Guo <syg@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/master@{#64554}
-
Shu-yu Guo authored
This reverts commit 556f44c4. Reason for revert: Test fatally OOMs on ARM. https://ci.chromium.org/p/v8/builders/ci/V8%20Arm/12336 Original change's description: > [strings] Fix hash for exactly 512MB long strings > > Bug: chromium:1016237 > Change-Id: Idda1e44b5d578d1213aa54927ca68289bcdce8ac > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1878487 > Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> > Reviewed-by: Igor Sheludko <ishell@chromium.org> > Cr-Commit-Position: refs/heads/master@{#64552} TBR=jkummerow@chromium.org,ishell@chromium.org Change-Id: Ia942469346b0f11fcf853d21717fd127815f7fba No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: chromium:1016237 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1879669 Reviewed-by: Shu-yu Guo <syg@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/master@{#64553}
-
Jakob Kummerow authored
Bug: chromium:1016237 Change-Id: Idda1e44b5d578d1213aa54927ca68289bcdce8ac Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1878487 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#64552}
-
Michaël Zasso authored
On Windows with MSVC, compilation fails because it cannot find the GetIsolateForPtrCompr identifier. Change-Id: Ib03f5c5ef34e409242bbbe93ec83b7734012feb2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1878712 Reviewed-by: Peter Marshall <petermarshall@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#64551}
-
Victor Gomes authored
The native context used an empty function scope info. This is inconsistent with the fact the native context has an extension slot, since the empty function scope info doesn't have the extension slot flag set. This CL creates a scope info dedicated for the native context with the flag set. Bug: v8:9744 Change-Id: I00459e9a0ca75dd7a0e2add5e9e61747d0635f39 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1876821 Commit-Queue: Victor Gomes <victorgomes@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Auto-Submit: Victor Gomes <victorgomes@chromium.org> Cr-Commit-Position: refs/heads/master@{#64550}
-
Sigurd Schneider authored
This reverts commit bc8ad334. Reason for revert: breaks ASAN: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20ASAN/33137 Original change's description: > [wasm][debug] Report global scope also for compiled frames > > The global scope (containing global values and the memory) can be > produced from the instance alone, hence we can also report it for > compiled frames. > > R=mstarzinger@chromium.org, jgruber@chromium.org > > Bug: v8:9676 > Change-Id: I20fbb74a98b00b128b6ed305b92fb56ad7dc7558 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1876816 > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > Commit-Queue: Clemens Backes <clemensb@chromium.org> > Cr-Commit-Position: refs/heads/master@{#64547} TBR=mstarzinger@chromium.org,jgruber@chromium.org,clemensb@chromium.org Change-Id: I7a37723286315235f0c0a63728de58633a3b259e No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:9676 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1878713 Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Cr-Commit-Position: refs/heads/master@{#64549}
-
Mike Stanton authored
Add VirtualBoundFunction to the serializer which takes care of processing the result of Function.prototype.bind. Add cctest and an mjsunit test. Bug: v8:7790 Change-Id: Ic2b48d356cbe3b576eb22f58215cc886a8994e31 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1859625 Commit-Queue: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#64548}
-
Clemens Backes authored
The global scope (containing global values and the memory) can be produced from the instance alone, hence we can also report it for compiled frames. R=mstarzinger@chromium.org, jgruber@chromium.org Bug: v8:9676 Change-Id: I20fbb74a98b00b128b6ed305b92fb56ad7dc7558 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1876816 Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#64547}
-
Thibaud Michaud authored
Quoting from the spec, the expected behavior for validating unreachable code is that: A polymorphic stack cannot underflow, but instead generates Unknown types as needed. (https://webassembly.github.io/spec/core/appendix/algorithm.html) This CL changes the representation of the stack height in the interpreter's side table builder from unsigned to signed to prevent underflow, and makes some DCHECKs depend on code reachability. R=clemensb@chromium.org Bug: chromium:1017061 Change-Id: I4c999859019d6cefb76c1366ba0e98f199f7a0be Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1876813 Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#64546}
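The spec rule quoted above, as an added example that is not V8's interpreter or validator code: a small operand-stack type checker in the style of the WebAssembly spec appendix algorithm, restricted to a handful of opcodes (`i32.const`, `i32.add`, `drop`, `unreachable`, `block` with or without an `i32` result, `end`). Each control frame records the stack height at entry and an `unreachable` flag; once the flag is set, popping past the frame's base returns the `Unknown` type instead of failing, so code after `unreachable` validates without the stack ever underflowing. V8's side table builder tracks the height arithmetically rather than with an explicit stack, which is why the CL makes that counter signed and gates its DCHECKs on reachability; the checker below avoids the underflow by construction instead. The `Validator`, `CtrlFrame` and `Op` names are illustrative.

```cpp
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Unknown is the bottom type produced by a polymorphic (unreachable) stack.
enum class ValType { I32, Unknown };
enum class Op { I32Const, I32Add, Drop, Unreachable, BlockVoid, BlockI32, End };

struct CtrlFrame {
  std::vector<ValType> results;  // types the block must leave on the stack
  std::size_t height;            // operand stack height when the block began
  bool unreachable;              // true once control cannot reach this point
};

class Validator {
 public:
  // Returns true if `code` type-checks as a body with no parameters and no
  // results (all blocks closed, nothing left on the operand stack).
  static bool Validate(const std::vector<Op>& code) {
    Validator v;
    try {
      for (Op op : code) v.Step(op);
    } catch (const std::runtime_error&) {
      return false;
    }
    return v.ctrls_.size() == 1 && v.opds_.empty();
  }

 private:
  Validator() { ctrls_.push_back({{}, 0, false}); }

  void Step(Op op) {
    switch (op) {
      case Op::I32Const:
        Push(ValType::I32);
        break;
      case Op::I32Add:
        PopExpect(ValType::I32);
        PopExpect(ValType::I32);
        Push(ValType::I32);
        break;
      case Op::Drop:
        Pop();
        break;
      case Op::Unreachable: {
        CtrlFrame& f = ctrls_.back();
        opds_.resize(f.height);  // discard the frame's operands ...
        f.unreachable = true;    // ... and make its stack polymorphic
        break;
      }
      case Op::BlockVoid:
        ctrls_.push_back({{}, opds_.size(), false});
        break;
      case Op::BlockI32:
        ctrls_.push_back({{ValType::I32}, opds_.size(), false});
        break;
      case Op::End: {
        if (ctrls_.size() == 1) throw std::runtime_error("end without block");
        CtrlFrame frame = ctrls_.back();
        for (auto it = frame.results.rbegin(); it != frame.results.rend(); ++it)
          PopExpect(*it);
        if (opds_.size() != frame.height)
          throw std::runtime_error("values left on stack at end");
        ctrls_.pop_back();
        for (ValType t : frame.results) Push(t);
        break;
      }
    }
  }

  void Push(ValType t) { opds_.push_back(t); }

  // The polymorphic-stack rule: at the frame base, an unreachable frame yields
  // Unknown; a reachable one is a genuine underflow and fails validation.
  ValType Pop() {
    const CtrlFrame& f = ctrls_.back();
    if (opds_.size() == f.height) {
      if (f.unreachable) return ValType::Unknown;
      throw std::runtime_error("operand stack underflow");
    }
    ValType t = opds_.back();
    opds_.pop_back();
    return t;
  }

  ValType PopExpect(ValType expect) {
    ValType actual = Pop();
    if (actual == ValType::Unknown) return expect;
    if (expect == ValType::Unknown) return actual;
    if (actual != expect) throw std::runtime_error("type mismatch");
    return actual;
  }

  std::vector<ValType> opds_;
  std::vector<CtrlFrame> ctrls_;
};

int main() {
  std::printf("i32.add on empty stack: %d\n", Validator::Validate({Op::I32Add}));
  std::printf("unreachable; i32.add; drop: %d\n",
              Validator::Validate({Op::Unreachable, Op::I32Add, Op::Drop}));
  return 0;
}
```

Note that `end` still checks the height exactly even in an unreachable frame: extra values pushed after `unreachable` are rejected, only missing ones are tolerated.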
-
Michael Starzinger authored
Now that segmented code spaces are enabled for WebAssembly, tests that allocate a large number of modules should no longer flakily run OOM. R=clemensb@chromium.org TEST=mjsunit/wasm/asm-wasm-{i32,f64} BUG=v8:7899 Change-Id: Iab5d2c1b022cc1f6e44f132b14148c86f148cb54 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1876818 Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#64545}
-
Liviu Rau authored
Bug: v8:9898 Change-Id: I8bd453af9a14b04baec321b13e05918bc7abe093 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1876812 Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Liviu Rau <liviurau@chromium.org> Cr-Commit-Position: refs/heads/master@{#64544}
-
Benedikt Meurer authored
This is an attempt to get a better understanding of the random crashes we get in chromium:893973. Bug: chromium:893973 Change-Id: Ia3b1e9910c9e48efb0bf3233050953f1117a2db9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1876819 Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Yang Guo <yangguo@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#64543}
-
Anna Henningsen authored
Add an `array_buffer_allocator_shared` field to the `Isolate::CreateParams` struct that allows embedders to share ownership of the ArrayBuffer::Allocator with V8, and which in particular means that, when this is used, the BackingStore deleter will not perform a use-after-free access to the Allocator under certain circumstances. Background: tl;dr: This is necessary for Node.js to perform the transition to V8 7.9, because of the way that ArrayBuffer::Allocators and their lifetimes currently work there. In Node.js, each Worker thread has its own ArrayBuffer::Allocator. Changing that would currently be impractical, as each allocator depends on per-Isolate state. However, now that backing stores are managed globally and keep a pointer to the original ArrayBuffer::Allocator, this means that when transferring an ArrayBuffer (e.g. from one Worker to another through postMessage()), the original Allocator has to be kept alive until the ArrayBuffer no longer exists in the receiving Isolate (or until that Isolate is disposed). See [1] for an example Node.js test that fails with V8 7.9. This problem also existed for SharedArrayBuffers, where Node.js was broken by V8 earlier for the same reasons (see [2] for the bug report on that and [3] for the resolution in Node.js). For SharedArrayBuffers, we already had extensive tracking logic, so adding a shared_ptr to keep alive the ArrayBuffer::Allocator was not a significant amount of work. However, the mechanism for transferring non-shared ArrayBuffers is quite different, and it seems both easier for us and better for V8 from an API standpoint to keep the Allocator alive from where it is being referenced. By sharing memory with the custom deleter function/data pair, this comes at no memory overhead.
[1]: https://github.com/nodejs/node/pull/30044 [2]: https://github.com/nodejs/node-v8/issues/115 [3]: https://github.com/nodejs/node/pull/29637 Bug: v8:9380 Change-Id: Ibc2c4fb6341b53653cbd637bd8cb3d4ac43809c7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1874347 Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#64542}
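The lifetime problem in this message, as an added example that is neither V8's nor Node.js's code: a per-worker allocator, a transferable backing store whose release must call back into the allocator that created it, and a deleter modelled as a (function, data) pair where the data slot carries a `std::shared_ptr` to the allocator. The `Allocator`, `BackingStore` and `Worker` names are illustrative stand-ins, and the scenario function constructs the transfer-then-tear-down sequence the message describes (a buffer created by worker A, handed to worker B, A destroyed, B releases the buffer). With a raw `Allocator*` in the data slot the final `Free` would run against a destroyed allocator; with the shared pointer the allocator lives exactly as long as any buffer that still refers to it.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <memory>

// Illustrative allocator (not v8::ArrayBuffer::Allocator). `live` counts
// instances so the scenario below can check lifetimes.
struct Allocator {
  static int live;
  Allocator() { ++live; }
  ~Allocator() { --live; }
  void* Allocate(std::size_t n) { return std::calloc(n, 1); }
  void Free(void* p) { std::free(p); }
};
int Allocator::live = 0;

// Deleter as a (function, data) pair; the data slot is what carries ownership.
using DeleterFn = void (*)(void* data, std::size_t length, void* deleter_data);

class BackingStore {
 public:
  // Allocates `length` bytes from `alloc` and takes a share in its ownership:
  // the shared_ptr copy lives in deleter_data until the deleter runs.
  static std::unique_ptr<BackingStore> Allocate(std::shared_ptr<Allocator> alloc,
                                                std::size_t length) {
    void* data = alloc->Allocate(length);
    auto* holder = new std::shared_ptr<Allocator>(std::move(alloc));
    return std::unique_ptr<BackingStore>(
        new BackingStore(data, length, &SharedAllocatorDeleter, holder));
  }
  ~BackingStore() { deleter_(data_, length_, deleter_data_); }
  std::size_t length() const { return length_; }

 private:
  BackingStore(void* data, std::size_t length, DeleterFn deleter, void* deleter_data)
      : data_(data), length_(length), deleter_(deleter), deleter_data_(deleter_data) {}

  static void SharedAllocatorDeleter(void* data, std::size_t, void* deleter_data) {
    auto* holder = static_cast<std::shared_ptr<Allocator>*>(deleter_data);
    (*holder)->Free(data);  // safe: the holder keeps the allocator alive
    delete holder;          // drop our share; may destroy the allocator now
  }

  void* data_;
  std::size_t length_;
  DeleterFn deleter_;
  void* deleter_data_;
};

// Each worker owns its own allocator, as the message describes for Node.js.
struct Worker {
  std::shared_ptr<Allocator> allocator = std::make_shared<Allocator>();
  std::unique_ptr<BackingStore> NewBuffer(std::size_t n) {
    return BackingStore::Allocate(allocator, n);
  }
};

// Constructed scenario: buffer made by A, transferred to B, A torn down, then
// B releases it. Returns true if A's allocator outlived A while the buffer
// existed and was destroyed once the buffer was gone.
bool TransferOutlivesOrigin() {
  Worker b;
  std::unique_ptr<BackingStore> transferred;
  {
    Worker a;
    transferred = a.NewBuffer(64);
  }  // A and its shared_ptr are gone; the buffer still holds a share
  bool still_alive = Allocator::live == 2;  // A's allocator plus B's
  transferred.reset();                      // deleter runs on a live allocator
  bool released = Allocator::live == 1;     // only B's allocator remains
  return still_alive && released;
}

int main() {
  std::printf("transfer outlives origin safely: %d\n", TransferOutlivesOrigin());
  return 0;
}
```

The same shape is why the message can claim no memory overhead: the backing store already had a deleter data pointer, so the shared reference rides in that slot rather than in a new field.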
-
Igor Sheludko authored
The CL fixes the following builtins: Atomics.add Atomics.and Atomics.compareExchange Atomics.exchange Atomics.load Atomics.or Atomics.store Atomics.sub Atomics.xor Bug: v8:4153 Change-Id: Id6170fd093f6e2f9690838b4b789719ed2fc343c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1876847 Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#64541}
-
Igor Sheludko authored
Bug: v8:6949 Change-Id: I01cb7180fbeea0a86e4fddc913311d6ece1aa5e7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1876065 Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#64540}
-