- 08 Sep, 2022 20 commits
Leon Bettscheider authored
ShouldFinalize should only be called if major incremental marking is active, and can crash if minor incremental marking is active, if MajorMC's local_marking_worklists_ was reset. The only caller is IsMarkingComplete. This CL changes the IsMarking check to IsMajorMarking to solve this issue, and renames IsMarkingComplete to IsMajorMarkingComplete.

Bug: v8:13012
Change-Id: Iba6bd5b7977ec8566c3ab0f047646d8cafd45038
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879485
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83064}

Victor Gomes authored
BytecodeArray::Disassemble fails a SLOW_DCHECK when invoking from a background thread, due to the little hack to recover the handle inside the function. This CL changes the method to static with a handle as input. The old method calls the static one, since it is allowed to be called by the main thread.

Change-Id: I3546f0d2b160d15386da0980efc539693672c230
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879498
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83063}

Michael Achenbach authored
Bug: v8:13113
Change-Id: Ie42a654378660e4a2dc45d53d40683281e7343dd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879496
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83062}

Omer Katz authored
Fix broken DCHECK: When using MinorMC, new space is a paged space and only uses the TO_PAGE page flag. New large object space however still uses both TO_PAGE and FROM_PAGE page flags. With MinorMC it is still possible to find references to FROM_PAGEs, but those pages have to be large pages.

Fix broken test: MinorMC may only free empty pages when shrinking. Therefore, shrink may actually not change the space capacity at all (e.g. when all pages have live objects on them). More specifically, the capacity is not guaranteed to be half the previous capacity.

Bug: v8:12612
Change-Id: Ib0edcafd758828f821f82bc8c796c205f162809c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879493
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83061}

Omer Katz authored
On allocation failure in new space we used to do at most 2 GCs before calling the near heap limits callback. The 2 GCs would empty new space, thus ensuring that the current allocation can succeed. With MinorMC the 2nd GC has no effect and we should do a full GC instead to empty new space.

Bug: v8:12612
Change-Id: I4f767136283b5d26fee4f4a3998359b3c1e2108b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879495
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83060}

Leszek Swirski authored
For accessors, instead of storing the descriptor index + holder in the LoadHandler, store the getter directly (avoiding the map->descriptor->pair->getter hops). For the non-prototype case, where there's no LoadHandler, store the AccessorPair directly as a weak handler instead of the Smi handler. We can't store the getter here directly, because it could be in new space, and then we can't use it in the stub cache.

Required some rejiggling of ic.cc method signatures, to allow ComputeHandler to return a weak ref.

Change-Id: I22c0e64bec9880a3ba23c2d1eeb3a1c23179ca4b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865557
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83059}

Matthias Liedtke authored
assertEquals() compares objects by comparing each property for both objects. This was done by using Object.keys() which however only returns enumerable properties. With this change also non-enumerable properties are compared. Still, the comparison doesn't require the properties to be equal. So, if one property is marked enumerable in one object but not the other, the objects would still be considered equal. This could be adapted in a follow-up CL if desired. The prototype is still ignored for the comparison.

Change-Id: I1bb9df055bfb764ac1c02d971ac6f4a50f4a98e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876384
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83058}

Jakob Linke authored
This is a reland of commit 24e60017

The reland changes %ClearFunctionFeedback to clear *all* feedback slot kinds including binary/compare/for-in slots. In the tests we thus no longer have to resort to tricks to restore the function to its initial state, instead simply call %ClearFunctionFeedback.

Original change's description:
> [maglev] Deopt on overflow in >>>
>
> Re-enable the int32 fast path for ShiftRightLogical, but account for
> Maglev's missing signed/unsigned representation tracking by a)
> removing rhs==0 as the identity value (a shift by 0 is still a
> signed-unsigned conversion) and b) deoptimizing if the result cannot
> be converted to a non-negative smi.
>
> Note this is not a deopt loop, since a non-smi result will change the
> feedback to kSignedSmallInputs (from kSignedSmall).
>
> To fix this properly, we should track signed/unsigned representations
> and convert the result to a heap number if it doesn't fit within smi
> range.
>
> Bug: v8:7700
> Change-Id: Ifd538d227a6f1290eb7f008d9bfad586ff91ea0f
> Fixed: v8:13251
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876366
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Jakob Linke <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83025}

Bug: v8:7700
Change-Id: I2f607a0fb863b80e8589c9c1e86ee31fbac48c25
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879491
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83057}

Michael Achenbach authored
Bug: v8:13113
Change-Id: I7cd37446d9ecbe271e0e5df96a4dcfd43b307c27
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879489
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83056}

Leszek Swirski authored
Attempting to set a FunctionTemplate without a code handler as an accessor for a property will fail in the runtime, which expects to be able to call the handler. Add an API check that guards against this.

Change-Id: I270f0ca3d20de507bc9bde2c4c8d23b2614313dd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879490
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83055}

Victor Gomes authored
The current abort will crash if the generator is created by the interpreter and resumed by the maglevved code. This current workaround is not ideal since it can introduce a deopt-reopt loop.

Bug: v8:7700, v8:13109
Change-Id: I7db71a896711255d866ace98eddde85538aa2903
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879228
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83054}

Jakob Linke authored
Bug: v8:7700
Change-Id: Ie9be2aaf0a75cf1fd19f50ce4697f71e92a36df6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879223
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83053}

Shu-yu Guo authored
Bug: v8:11111
Change-Id: I4af1cc85a15833c360a5a454f8d36f43840232ad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878254
Reviewed-by: Marja Hölttä <marja@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83052}

Victor Gomes authored
Change-Id: If4c6792d36423daafb2a4454354db2d9e4abe297
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879229
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83051}

Dominik Inführ authored
At the moment the shared heap is internally implemented as its own isolate - the shared isolate. This CL prepares to remove the shared isolate and replace it with shared spaces in the main isolate.

This CL introduces the --shared-space flag to opt in to this shared-heap approach. Isolate::is_shared_space_isolate() and Isolate::shared_space_isolate() are added as well to identify the main isolate (or shared space isolate).

Bug: v8:13267
Change-Id: I1a79c839de3b3b9cc988401e2e6e70ce3b02fa22
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3874928
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83050}

Jakob Linke authored
.. to increase bus factor in EU time zones.

Change-Id: I7f1bca0fd765f8f1720ff5534823b4daaa290ea3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879488
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83049}

Feng Yu authored
Bug: None
Change-Id: I8cf2e4b651c0ccb784a5d668656cbfcd573b271d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878450
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Feng Yu <f3n67u@gmail.com>
Cr-Commit-Position: refs/heads/main@{#83048}

Dominik Inführ authored
Set COMPACTION_WAS_ABORTED page flag also when aborting evacuation due to OOM.

Bug: chromium:1359294, v8:12578
Change-Id: Ia9833dbf9213375698cb7b1595ade7df5e24189d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3877145
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83047}

Frank Tang authored
The days are passed incorrectly between calls.

Spec text: https://tc39.es/proposal-temporal/#sec-temporal-differencetemporalplaindatetime

Bug: v8:11544
Change-Id: If818d0f42bdd3260e68eef2c6aba1c3781632c93
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3857869
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83046}

Frank Tang authored
Access the correct years, months and weeks which were modified previously instead of the value from the input.

Spec text: https://tc39.es/proposal-temporal/#sec-temporal-roundduration

Bug: v8:11544
Change-Id: I2ffaca5545e2359bc1cc03320068424bba4c7907
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3860649
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83045}

- 07 Sep, 2022 20 commits
Shu-yu Guo authored
This CL fixes and redesigns the current API, which does not correctly manage lifetimes of the shared object conveyors. See design doc at https://docs.google.com/document/d/1TV6agY9dafVJFvdPrUAGbEvos8wL2WDnsmf84n3OJVU/edit?usp=sharing

This CL also removes the incorrect behavior of serializing all shared strings by sharing instead of copying. Shared strings may be sent to another process, which should still work.

Bug: v8:12547
Change-Id: I7413abd2d871fd3d52c9b433445cfa1d03e4a732
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3868713
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83044}

Michael Lippautz authored
Change-Id: I46763c17f7078a3a5730c5a160ec899663ed990b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879483
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83043}

Victor Gomes authored
Bug: v8:7700
Change-Id: I3da7bbd928e0a587b4eb2c90c86f71405da67323
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876378
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83042}

Michael Achenbach authored
This reverts commit 0a1a579a.

Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Clusterfuzz%20Linux64%20ASAN%20arm64%20-%20debug%20builder/30617/overview

Original change's description:
> Port JS-Wasm Promise Integration for arm64
>
> > Port Generic JS-Wasm Wrapper for arm64
>
> Change-Id: I256e6511d47af9ab04c577beb6b829dfee34a6ed
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3841074
> Commit-Queue: Ilya Rezvov <irezvov@chromium.org>
> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83038}

Change-Id: I83b6c3596561b56d3df34ac2177aa334780dbf87
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879482
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#83041}

Leszek Swirski authored
Test for non-string objects in the CheckedInternalizedString slow path.

Bug: v8:7700
Change-Id: Iac82a39ad0a0a93b328f8c574ed0bb7e2f39703b
Fixed: chromium:1360432
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879227
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83040}

Thibaud Michaud authored
The src/wasm/stacks.h file became progressively bigger; create a cc file for it and move some function definitions there.

R=clemensb@chromium.org

Bug: v8:12191
Change-Id: I6880a4e11884856bd2f4d777cb745a3c06c71841
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3874936
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83039}

Ilya Rezvov authored
Port Generic JS-Wasm Wrapper for arm64

Change-Id: I256e6511d47af9ab04c577beb6b829dfee34a6ed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3841074
Commit-Queue: Ilya Rezvov <irezvov@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83038}

Dominik Inführ authored
Replace Heap::IsGCWithoutStack() with Heap::IsGCWithStack() to avoid double-negation.

Bug: chromium:1359294, v8:12578
Change-Id: I8f2e9feb48e574fae6a7721f86a70728b089ec67
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878170
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83037}

Dominik Inführ authored
When stress testing compaction, also abort evacuation for 5% of the pages somewhere in the middle of the page.

Bug: chromium:1359294, v8:12578
Change-Id: Ie2e9873660ea2c330f175607b443f536f5d3abd2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876369
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83036}

Michael Achenbach authored
Bug: v8:13113
Change-Id: Ib80f4517075f806950d57f97da4e5181248f2276
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879225
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83035}

Leszek Swirski authored
Change-Id: I0c11c0ba51af8e1e1c66ca6cf7e351b54464fd2c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879226
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83034}

Jakob Linke authored
.. which sets the --interrupt-budget-for-maglev to a very low value s.t. tiering to Maglev happens very early. Note this affects both normal tierup and OSR.

Also add flag handling to fuzzer.py, both as added globally with probability 0.1, and added to InterruptBudgetFuzzer (which I also updated with other tiering-related flags).

Bug: v8:7700
Change-Id: I844cf53a6a2da459565d0ad0ccae02b04853cd26
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878165
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83033}

Liu Yu authored
Port commit 8e069d62

Change-Id: Ifc21ac1bb2d2b93af07ed7b548204b634f1708b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3875382
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Liu Yu <liuyu@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#83032}

Manos Koukoutos authored
- Remove the {ValueRepr} parameter from Wasm table and global object internals. It is now the responsibility of the user to transform to/from a JS object. This removes duplicate work in some cases (type checking in the caller, transforming in the callee).
- For the reverse direction in the JS API, introduce {WasmObjectToJSReturnValue}.

Bug: v8:7748
Change-Id: Ie7625cc0f08d38fe74dbe57e69004de2d93b8a11
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876184
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83031}

Teodor Dutu authored
This reverts commit 703b0b31.

Reason for revert: a simpler approach will be used instead.

Original change's description:
> [ptr-compr-8gb] Align runtime allocations to 8 bytes
>
> In order to support a larger heap cage (8GB, 16GB), the cage offset
> will take up more than 32 bits. As a consequence, for 8GB cages, the
> least significant bit of the cage offset will overlap with the most
> significant bit of the tagged offset. To avoid this, allocations need
> to be aligned to 8 bytes to free up one bit from the offset.
> All changes are deactivated behind the build flag
> `v8_enable_pointer_compression_8gb`.
>
> Bug: v8:13070
> Change-Id: Ibb0bd0177f3e88dcd24fc0ee7526335df0faa987
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3791052
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Auto-Submit: Teo Dutu <teodutu@google.com>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82299}

Bug: v8:13070
Change-Id: I5cb60f8e4500c908bdef5d417393edbe89652c9c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3877146
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Teo Dutu <teodutu@google.com>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83030}

Matthias Liedtke authored
This reverts commit 24e60017.

Reason for revert: Change breaks maglev GC stress tests.

Original change's description:
> [maglev] Deopt on overflow in >>>
>
> Re-enable the int32 fast path for ShiftRightLogical, but account for
> Maglev's missing signed/unsigned representation tracking by a)
> removing rhs==0 as the identity value (a shift by 0 is still a
> signed-unsigned conversion) and b) deoptimizing if the result cannot
> be converted to a non-negative smi.
>
> Note this is not a deopt loop, since a non-smi result will change the
> feedback to kSignedSmallInputs (from kSignedSmall).
>
> To fix this properly, we should track signed/unsigned representations
> and convert the result to a heap number if it doesn't fit within smi
> range.
>
> Bug: v8:7700
> Change-Id: Ifd538d227a6f1290eb7f008d9bfad586ff91ea0f
> Fixed: v8:13251
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876366
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Jakob Linke <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83025}

Bug: v8:7700
Change-Id: Ibd4c29cc57b999e1cfcd040cee3228ea27a74029
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876374
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83029}

Igor Sheludko authored
... which works for stale pointers. The default == operator contains a DCHECK guarding against Code vs. non-Code object comparisons and thus it can't be used for stale pointers.

Bug: chromium:1360793, v8:11880
Change-Id: Ic5faf9b05e1586a15388cc1cbf3e8dcddbea452f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879222
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83028}

Jakob Linke authored
Bug: v8:7700
Change-Id: I8880a12e67474c630fe3e09dfeb695474e7d2e8e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876368
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83027}

Samuel Groß authored
This is a reland of commit e7bf8110

Shared string GC issues have been fixed in https://crrev.com/c/3875028

Original change's description:
> [sandbox] Sandboxify ExternalString external pointers
>
> Bug: v8:10391
> Change-Id: I0f737e5adf6e4fd24f93436fa5680ff20c1536da
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757901
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82958}

Bug: v8:10391
Change-Id: I555498973dc9d5dcc4163b3b1258e41d7148e2d5
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872273
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83026}

Jakob Linke authored
Re-enable the int32 fast path for ShiftRightLogical, but account for Maglev's missing signed/unsigned representation tracking by a) removing rhs==0 as the identity value (a shift by 0 is still a signed-unsigned conversion) and b) deoptimizing if the result cannot be converted to a non-negative smi.

Note this is not a deopt loop, since a non-smi result will change the feedback to kSignedSmallInputs (from kSignedSmall).

To fix this properly, we should track signed/unsigned representations and convert the result to a heap number if it doesn't fit within smi range.

Bug: v8:7700
Change-Id: Ifd538d227a6f1290eb7f008d9bfad586ff91ea0f
Fixed: v8:13251
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876366
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83025}