- 31 Oct, 2018 11 commits
- Sigurd Schneider authored
  You can now serve the page locally by running:
  npm i
  npm run-script build
  npm run-script dev-server
  Notry: true
  Change-Id: Iefe8459a8c53445570ecfed4cc843a4e8ed9c42d
  Bug: v8:7327
  Reviewed-on: https://chromium-review.googlesource.com/c/1309753
  Reviewed-by: Georg Neis <neis@chromium.org>
  Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57163}
- Toon Verwaest authored
  This allows the compiler to generate slightly better code and actually reduces binary size a little.
  Bug: v8:7926
  Change-Id: Ib43ff1508ab85b5ffabfa4338d4f0ebacb7eac0c
  Reviewed-on: https://chromium-review.googlesource.com/c/1309637
  Commit-Queue: Toon Verwaest <verwaest@chromium.org>
  Reviewed-by: Igor Sheludko <ishell@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57162}
- Toon Verwaest authored
  Bug: v8:8363, v8:7926
  Change-Id: Ibecb5c8df0703249207c1541ae42e60dd9f50d80
  Reviewed-on: https://chromium-review.googlesource.com/c/1309635
  Commit-Queue: Toon Verwaest <verwaest@chromium.org>
  Reviewed-by: Igor Sheludko <ishell@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57161}
- Jakob Gruber authored
  Now that lazy deserialization has been removed, we can roll back all the mechanisms we introduced to support lazy single-builtin deserialization. This CL moves serialized builtin code objects (i.e. off-heap-trampolines in most cases) back into the startup snapshot. Support classes for builtin serialization and deserialization, as well as the builtins snapshot itself are removed. Templatization on the allocator class is removed as well.
  Tbr: delphick@chromium.org
  Bug: v8:6666, v8:7990
  Change-Id: I2a910f8d3278b7e27b5f18ad408361ebd18871cc
  Reviewed-on: https://chromium-review.googlesource.com/c/1304539
  Reviewed-by: Jakob Gruber <jgruber@chromium.org>
  Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
  Reviewed-by: Yang Guo <yangguo@chromium.org>
  Commit-Queue: Jakob Gruber <jgruber@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57160}
- Jakob Gruber authored
  Obvious in hindsight. The problem wasn't that a signaling NaN snuck into the array, but that equality comparisons always return false if either operand is a NaN.
  Bug: chromium:900133
  Change-Id: I9cf82afd1ad1fcc3bf7138b612f615b1bd51b98a
  Reviewed-on: https://chromium-review.googlesource.com/c/1309634
  Reviewed-by: Peter Marshall <petermarshall@chromium.org>
  Commit-Queue: Jakob Gruber <jgruber@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57159}
- Toon Verwaest authored
  Bug: chromium:900383, v8:8363, v8:7926
  Change-Id: I6e3e38ee4cc986757926ef745d2e35865ba797a1
  Reviewed-on: https://chromium-review.googlesource.com/c/1309633
  Reviewed-by: Igor Sheludko <ishell@chromium.org>
  Commit-Queue: Toon Verwaest <verwaest@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57158}
- Sigurd Schneider authored
  CanCover is not transitive. The counterexample is nodes A, B, C such that CanCover(A, B) and CanCover(B, C) and B is pure. In this case the effect level of A and B might differ. This CL adds a missing CanCover check to a case of shift reduction where we assumed transitivity.
  Change-Id: I9f368ffa6907d2af21bbc87b3e6570d0d422e125
  Bug: v8:8384
  Reviewed-on: https://chromium-review.googlesource.com/c/1307419
  Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
  Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57157}
- Mathias Bynens authored
  This patch adds a micro-benchmark comparing Array#indexOf, Array#includes, and a roughly equivalent `for` loop. The benchmark can be used to measure any Array#{indexOf,includes} optimizations we implement in the future.
  Test: tools/run_perf.py --binary-override-path=out/x64.release/d8 \
    --filter=JSTests/ArrayIndexOfIncludesPolymorphic \
    --extra-flags=--trace-turbo test/js-perf-test/JSTests.json
  Bug: v8:8388
  Change-Id: I9150d3e56e9d4cb2ffe6baa50ee8cddf8df0ac74
  Reviewed-on: https://chromium-review.googlesource.com/c/1307430
  Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
  Commit-Queue: Mathias Bynens <mathias@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57156}
- Yang Guo authored
  TBR=petermarshall@chromium.org
  Bug: v8:8385
  Change-Id: Iba13004e0fd03a82cb65ed497d4bd2b4d006b424
  Reviewed-on: https://chromium-review.googlesource.com/c/1307417
  Reviewed-by: Yang Guo <yangguo@chromium.org>
  Commit-Queue: Yang Guo <yangguo@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57155}
- Jakob Kummerow authored
  mostly in HandleScopeImplementer and related classes.
  Bug: v8:3770
  Change-Id: I9da757c60be99434b711fe74a5f5d296a0f08b22
  Reviewed-on: https://chromium-review.googlesource.com/c/1300854
  Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
  Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57154}
- Jakob Kummerow authored
  as part of the continuing quest to get rid of Object*/Object** entirely. Since it fits nicely, this CL as a bonus includes the planned change to make Handle::location() return an Address*, in the process dropping the temporarily needed duplicate Handle::location_as_address_ptr().
  Bug: v8:3770
  Change-Id: I87480289ce2a62ea1ae503e73d179256b7108c5c
  Reviewed-on: https://chromium-review.googlesource.com/c/1298389
  Reviewed-by: Yang Guo <yangguo@chromium.org>
  Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
  Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57153}
- 30 Oct, 2018 29 commits
- Junliang Yan authored
  Port 15c31fe4
  Original Commit Message:
  This introduces Word64 support for the CheckBounds operator, which now lowers to either CheckedUint32Bounds or CheckedUint64Bounds after the representation selection. The right hand side of CheckBounds can now be any positive safe integer on 64-bit architectures, whereas it remains Unsigned31 for 32-bit architectures. We only use the extended Word64 support when the right hand side is outside the Unsigned31 range, so for everything except DataViews this means that the performance should remain the same.
  The typing rule for the CheckBounds operator was updated to reflect this new behavior. The CheckBounds with a right hand side outside the Unsigned31 range will pass a new Signed64 feedback kind, which is handled with newly introduced CheckedFloat64ToInt64 and CheckedTaggedToInt64 operators in representation selection.
  The JSCallReducer lowering for DataView getType()/setType() methods was updated to not smi-check the [[ByteLength]] and [[ByteOffset]] anymore, but instead just use the raw uintptr_t values and operate on any value (for 64-bit architectures these fields can hold any positive safe integer, for 32-bit architectures it's limited to Unsigned31 range as before). This means that V8 can now handle huge DataViews fully, without falling off a performance cliff.
  This refactoring even gave us some performance improvements, on a simple micro-benchmark just exercising different DataView accesses we go from
  testDataViewGetUint8: 796 ms.
  testDataViewGetUint16: 997 ms.
  testDataViewGetInt32: 994 ms.
  testDataViewGetFloat64: 997 ms.
  to
  testDataViewGetUint8: 895 ms.
  testDataViewGetUint16: 889 ms.
  testDataViewGetInt32: 888 ms.
  testDataViewGetFloat64: 890 ms.
  meaning we lost around 10% on the single byte case, but gained 10% across the board for all the other element sizes.
  R=bmeurer@chromium.org, joransiu@ca.ibm.com, michael_dawson@ca.ibm.com
  BUG=
  LOG=N
  Change-Id: Ia86089ca9ccc75405aa13600b031c72bac0279dd
  Reviewed-on: https://chromium-review.googlesource.com/c/1305035
  Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
  Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
  Cr-Commit-Position: refs/heads/master@{#57152}
- Frank Tang authored
  Bug: v8:7834
  Change-Id: I2016b8d5e561546ec2f9b81d24c75bff0b950367
  Reviewed-on: https://chromium-review.googlesource.com/c/1306896
  Commit-Queue: Frank Tang <ftang@chromium.org>
  Reviewed-by: Mathias Bynens <mathias@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57151}
- Alexey Kozyatinskiy authored
  - introduced ValueMirror interface, this interface contains methods to generate different protocol entities,
  - introduced DebugPropertyIterator, this iterator iterates through object properties in the following order: exotic indices, enumerable strings, all other properties,
  - removed all injected script infra, e.g. closure compiler,
  R=dgozman@chromium.org
  TBR=yangguo@chromium.org
  Bug: chromium:595206
  Change-Id: Idcfc04489ee52e015ad1d1d191c3474cc65e63f2
  Reviewed-on: https://chromium-review.googlesource.com/c/1308353
  Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
  Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57150}
- Michael Lippautz authored
  The reducer should only fire on increasing memory.
  R=ulan@chromium.org
  Change-Id: I4abd956ea14730b223724a01af819be574b1aa3a
  Reviewed-on: https://chromium-review.googlesource.com/c/1308354
  Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
  Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57149}
- v8-ci-autoroll-builder authored
  Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/c55a0b9..49671d3
  Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/985e130..36a23a7
  TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org
  Change-Id: I2aeb099485078312a09866964253ba87fa714447
  Reviewed-on: https://chromium-review.googlesource.com/c/1306904
  Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
  Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
  Cr-Commit-Position: refs/heads/master@{#57148}
- Sergiy Byelozyorov authored
  R=machenbach@chromium.org
  No-Try: true
  Bug: chromium:899028
  Change-Id: I1de1f393989a63d165209e78f19284053c73ba08
  Reviewed-on: https://chromium-review.googlesource.com/c/1307423
  Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
  Reviewed-by: Michael Achenbach <machenbach@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57147}
- Toon Verwaest authored
  Even though we know we're simply parsing a string as statement, we can still hit a stack overflow on the way there.
  Bug: v8:8392
  Change-Id: I2471cf8273789aa33239f5c137cc2f54454acb32
  Reviewed-on: https://chromium-review.googlesource.com/c/1307429
  Reviewed-by: Igor Sheludko <ishell@chromium.org>
  Commit-Queue: Toon Verwaest <verwaest@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57146}
- Georg Neis authored
  I see no reason why it was excluded.
  Bug: v8:8386
  Change-Id: I291b12444b890db1636b00dec1837e1634b23b35
  Reviewed-on: https://chromium-review.googlesource.com/c/1307428
  Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
  Commit-Queue: Georg Neis <neis@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57145}
- Clemens Hammacher authored
  This reverts commit 34686abe.
  Reason for revert: Compile errors on several bots, e.g. https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux%20-%20debug%20builder/33299
  Original change's description:
  > inspector: move injected script source to native
  >
  > - introduced ValueMirror interface, this interface contains methods to generate
  > different protocol entities,
  > - introduced DebugPropertyIterator, this iterator iterates through object properties
  > in the following order: exotic indices, enumerable strings, all other properties,
  > - removed all injected script infra, e.g. closure compiler,
  >
  > R=dgozman@chromium.org
  > TBR=yangguo@chromium.org
  >
  > Bug: chromium:595206
  > Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;luci.chromium.try:linux_chromium_rel_ng;master.tryserver.blink:linux_trusty_blink_rel
  > Change-Id: I077c1879622aa0d9900d719b80d2ef5ba4221a22
  > Reviewed-on: https://chromium-review.googlesource.com/c/1295550
  > Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
  > Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
  > Cr-Commit-Position: refs/heads/master@{#57142}
  TBR=dgozman@chromium.org,yangguo@chromium.org,kozyatinskiy@chromium.org
  Change-Id: I6e4ccaf1d6b151fbc0ffe4f26daa584433321c77
  No-Presubmit: true
  No-Tree-Checks: true
  No-Try: true
  Bug: chromium:595206
  Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;luci.chromium.try:linux_chromium_rel_ng;master.tryserver.blink:linux_trusty_blink_rel
  Reviewed-on: https://chromium-review.googlesource.com/c/1307432
  Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
  Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57144}
- Michael Lippautz authored
  Those trace events are too fine grained and heavily impact metrics computation.
  No-try: true
  Change-Id: Ica07bfdf8e695689795abb1d6b215c329413ba3b
  Reviewed-on: https://chromium-review.googlesource.com/c/1307431
  Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
  Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57143}
- Alexey Kozyatinskiy authored
  - introduced ValueMirror interface, this interface contains methods to generate different protocol entities,
  - introduced DebugPropertyIterator, this iterator iterates through object properties in the following order: exotic indices, enumerable strings, all other properties,
  - removed all injected script infra, e.g. closure compiler,
  R=dgozman@chromium.org
  TBR=yangguo@chromium.org
  Bug: chromium:595206
  Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;luci.chromium.try:linux_chromium_rel_ng;master.tryserver.blink:linux_trusty_blink_rel
  Change-Id: I077c1879622aa0d9900d719b80d2ef5ba4221a22
  Reviewed-on: https://chromium-review.googlesource.com/c/1295550
  Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
  Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57142}
- Sathya Gunasekaran authored
  Bug: v8:5751, chromium:899537
  Change-Id: I4c072727dffc9381a81eb8711c4114220345914d
  Reviewed-on: https://chromium-review.googlesource.com/c/1304538
  Reviewed-by: Toon Verwaest <verwaest@chromium.org>
  Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57141}
- Frank Tang authored
  Fix the code that incorrectly exposed Intl["SegmentIterator"], which caused Unreachable code in builtins-internal.cc.
  Bug: chromium:900013
  Change-Id: I50d457a9f065d597b3bbb77a7a45011335c959da
  Reviewed-on: https://chromium-review.googlesource.com/c/1306906
  Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
  Commit-Queue: Frank Tang <ftang@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57140}
- Toon Verwaest authored
  Change-Id: I45e004a64c03f31253cbbca2976894c63b0d515e
  Reviewed-on: https://chromium-review.googlesource.com/c/1307427
  Reviewed-by: Igor Sheludko <ishell@chromium.org>
  Commit-Queue: Toon Verwaest <verwaest@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57139}
- Ivica Bogosavljevic authored
  MIPS32r2 doesn't have load-linked/store-conditional instructions that work with 64-bit values and these are now implemented through runtime.
  TEST=mjsunit/wasm/compare-exchange64-stress
  Change-Id: I70d8a454dcbbdac6f30e30ec3ac0eb4d429ef62e
  Reviewed-on: https://chromium-review.googlesource.com/c/1296211
  Commit-Queue: Ivica Bogosavljevic <ibogosavljevic@wavecomp.com>
  Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57138}
- Peter Marshall authored
  We didn't check if the input typed array was neutered before going to the fast path, so we hit a CHECK in this case. Fix this by just checking if the buffer was neutered and then going to the 'check iterator' case if it is. This will cause a TypeError via IterableToList, which was the same as the behavior before the optimization was landed.
  Bug: chromium:899519
  Change-Id: I09e6389ea2ab1e3bef01e616721b48a9b66c1b2a
  Reviewed-on: https://chromium-review.googlesource.com/c/1307422
  Commit-Queue: Peter Marshall <petermarshall@chromium.org>
  Reviewed-by: Jakob Gruber <jgruber@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57137}
- Toon Verwaest authored
  Change-Id: I27e2e0529281008b8350e1dd219c0d38bdcb66f5
  Reviewed-on: https://chromium-review.googlesource.com/c/1307424
  Commit-Queue: Toon Verwaest <verwaest@chromium.org>
  Reviewed-by: Igor Sheludko <ishell@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57136}
- Clemens Hammacher authored
  This removes another liability of the finisher: to abort compilation and publish errors once an error state has been set by a background compile unit. This CL makes background threads set the error state directly and schedule a foreground task to actually publish the error (e.g. via the promise).
  R=mstarzinger@chromium.org
  Bug: v8:7921
  Change-Id: I7a6a7ca4f235c2ad374b6ffc434eb6ac7d5f54ae
  Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel
  Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_isolates_rel_ng
  Reviewed-on: https://chromium-review.googlesource.com/c/1307425
  Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
  Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57135}
- Sergiy Byelozyorov authored
  We define a TestFailedError exception and raise it when we can reliably detect that a test has crashed. All other exceptions are treated as infra failures and are captured by the try-catch clause in MainWrapper function. This also fixes all tests in run_perf_test.py, run_tests_test.py and makes sure that both are run on any changes in tools directory.
  R=machenbach@chromium.org
  Bug: chromium:899028
  Change-Id: I283bc87b31c814be476bebe9fdda414975494183
  Reviewed-on: https://chromium-review.googlesource.com/c/1303293
  Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
  Reviewed-by: Michael Achenbach <machenbach@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57134}
- Toon Verwaest authored
  Bug: v8:8363, v8:7926
  Change-Id: Id892a084d3c1097d8faf3cca379300f791dd942b
  Reviewed-on: https://chromium-review.googlesource.com/c/1307426
  Reviewed-by: Igor Sheludko <ishell@chromium.org>
  Commit-Queue: Toon Verwaest <verwaest@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57133}
- Alexey Kozyatinskiy authored
  Change-Id: I3605ecf593c32743f5401b5e8a2d57e877ebcc7c
  Reviewed-on: https://chromium-review.googlesource.com/c/1306898
  Reviewed-by: Yang Guo <yangguo@chromium.org>
  Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57132}
- Igor Sheludko authored
  to control how the memory for Isolate object is allocated. This is the support for pointer-compression friendly heap layout.
  Bug: v8:8182
  Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
  Change-Id: Ida36b81ee22bd865005c394748b62d4c0897d746
  Reviewed-on: https://chromium-review.googlesource.com/c/1251548
  Commit-Queue: Igor Sheludko <ishell@chromium.org>
  Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57131}
- Michael Lippautz authored
  Speculative mitigation for renderer hangs in Scavenger while waiting in a barrier.
  Bug:
  Change-Id: I48520e0ffd99123dbe352d2012c911186c187e4b
  Reviewed-on: https://chromium-review.googlesource.com/c/1296463
  Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
  Reviewed-by: Hannes Payer <hpayer@chromium.org>
  Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57130}
- Toon Verwaest authored
  Change-Id: I233a3f6d8b19b945cfc3572d72237ec5619d8cbc
  Reviewed-on: https://chromium-review.googlesource.com/c/1307414
  Reviewed-by: Igor Sheludko <ishell@chromium.org>
  Commit-Queue: Toon Verwaest <verwaest@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57129}
- Ivica Bogosavljevic authored
  Port 15c31fe4
  Change-Id: Ia611585f862196d97e701b5e15560044e42b1a12
  Reviewed-on: https://chromium-review.googlesource.com/c/1306439
  Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
  Commit-Queue: Ivica Bogosavljevic <ibogosavljevic@wavecomp.com>
  Cr-Commit-Position: refs/heads/master@{#57128}
- Clemens Hammacher authored
  For memory limit checks, we should use the minimum of the --wasm-max-mem-pages flag and kV8MaxWasmMemoryPages. The former is a limit set by the user, the latter is the maximum we can handle internally.
  R=titzer@chromium.org
  Bug: chromium:898677
  Change-Id: I3c549f4e90dd016b5d07475d9353f30134f76dcc
  Reviewed-on: https://chromium-review.googlesource.com/c/1305274
  Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
  Reviewed-by: Ben Titzer <titzer@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57127}
- Clemens Hammacher authored
  This is a reland of bf3d7b9a
  Original change's description:
  > [wasm] Store compile errors in CompilationState
  >
  > We are currently storing compilation errors in the individual
  > compilation units and pass it to the ErrorThrower during finishing.
  > This CL changes that to store errors on the CompilationState directly.
  > From there, it is propagated to the ErrorThrower in the compilation
  > state callback.
  > This removes more work from the finisher task and slims down the
  > WasmCompilationUnits.
  >
  > R=mstarzinger@chromium.org
  >
  > Bug: v8:8343, v8:7921
  > Change-Id: Id332add43d4219d2a30fee653ed4e53a9b2698d9
  > Reviewed-on: https://chromium-review.googlesource.com/c/1303720
  > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
  > Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
  > Cr-Commit-Position: refs/heads/master@{#57091}
  Bug: v8:8343, v8:7921
  Change-Id: Iaa5c89d224cb2bcfca2d12eba305413a9ad95618
  Reviewed-on: https://chromium-review.googlesource.com/c/1304547
  Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
  Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57126}
- Hai Dang authored
  BinaryNumberOpTyper was not monotonic: if one input changes from Number to Numeric, while the other input stays BigInt, the result would change from Number to BigInt. We have some fuzzing tests for monotonicity but unfortunately they never generated the inputs required for triggering this bug. We'll look into improving our tests.
  Bug: v8:8380
  Change-Id: I7320d9ae4b89ad8798bf9e97cc272edba2162a77
  Reviewed-on: https://chromium-review.googlesource.com/c/1307418
  Commit-Queue: Hai Dang <dhai@google.com>
  Reviewed-by: Georg Neis <neis@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57125}
- Jakob Gruber authored
  Until this CL, CSA array allocation methods only handled arrays that could fit into new space. This behavior was preserved in a bunch of related builtins (e.g. Array.p.map), which completely bailed out to the slow path if larger allocations were required. This CL adds large object space handling to array allocation functions, which means that callers can use the more permissive kMaxFastArrayLength boundary instead of kInitialMaxFastElementsArray.
  Bug: chromium:890599
  Change-Id: Idabb0ef232c2896cd453e2ae10b479bf24cbb1c1
  Reviewed-on: https://chromium-review.googlesource.com/c/1301483
  Commit-Queue: Jakob Gruber <jgruber@chromium.org>
  Reviewed-by: Igor Sheludko <ishell@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#57124}