1. 05 Aug, 2020 1 commit
  2. 30 Jul, 2020 1 commit
  3. 29 Jul, 2020 2 commits
    • Mythri A's avatar
      [turboprop] Enable DynamicMapChecks for TurboProp · 989a9040
      Mythri A authored
      Bug: v8:10582, v8:9684
      Change-Id: Ib29e9b56d4c722cb572e86def7eeb3f588dc9c2d
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2316079Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
      Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
      Commit-Queue: Mythri Alle <mythria@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#69128}
      989a9040
    • Jakob Gruber's avatar
      [nci] Update interrupt budget from NCI code · 980e224a
      Jakob Gruber authored
      This is the first step towards implementing a tier-up mechanism from
      NCI code to TF. We will follow the existing Ignition-to-Turbofan
      mechanics, which are, roughly:
      
      1. Track a bytecode interrupt budget.
      2. When exhausted, call the runtime profiler, which increments
         profiler ticks for the top frame's function.
      3. When a function should tier up, it is marked as such using the
         FeedbackVector::optimized_code_weak_or_smi slot / the
         OptimizationMarker mechanism.
      4. The InterpreterEntryTrampoline checks this slot and calls into
         runtime to compile if needed.
      5. The finished code is also placed into this slot, as well as
         installed on the JSFunction.
      6. Again, the IET checks the slot and tail-calls the code object if it
         exists.
      
      This CL implements step 1 for NCI code by inserting the new simplified
      UpdateInterruptBudget operator at the same spots (and using the same
      offsets) as Ignition. When the budget is exhausted, we call a runtime
      function that currently does nothing and will be implemented in the
      next CL.
      
      Bug: v8:8888
      Change-Id: I98c0f8d96f32d515218dc2a76f961d44fe281c86
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2312778
      Commit-Queue: Jakob Gruber <jgruber@chromium.org>
      Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
      Reviewed-by: 's avatarMythri Alle <mythria@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#69124}
      980e224a
  4. 21 Jul, 2020 2 commits
  5. 20 Jul, 2020 2 commits
  6. 16 Jul, 2020 1 commit
  7. 14 Jul, 2020 2 commits
  8. 08 Jul, 2020 1 commit
  9. 30 Jun, 2020 1 commit
  10. 29 Jun, 2020 1 commit
  11. 26 Jun, 2020 2 commits
    • Shu-yu Guo's avatar
      Revert "[wasm-gc] Implement rtt.sub" · 30456566
      Shu-yu Guo authored
      This reverts commit 04ce88ea.
      
      Reason for revert: TSAN failure: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20TSAN/32135
      
      Original change's description:
      > [wasm-gc] Implement rtt.sub
      > 
      > RTTs are internally represented as Maps. To store supertype information,
      > this patch introduces a WasmTypeInfo object, which is installed on Wasm
      > objects' Maps and points at both the off-heap type information and the
      > parent RTT.
      > In this patch, rtt.sub always creates a fresh RTT. The canonicalization
      > that the proposal requires will be implemented later.
      > 
      > Bug: v8:7748
      > Change-Id: I8286dd11f520966155cd95c2bd844ec34fccd131
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2260566
      > Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
      > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
      > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#68564}
      
      TBR=ulan@chromium.org,jkummerow@chromium.org,tebbi@chromium.org
      
      Change-Id: I311732e1ced4de7a58b87d4a9b6056e0d62aa986
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: v8:7748
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2270734Reviewed-by: 's avatarShu-yu Guo <syg@chromium.org>
      Commit-Queue: Shu-yu Guo <syg@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#68567}
      30456566
    • Jakob Kummerow's avatar
      [wasm-gc] Implement rtt.sub · 04ce88ea
      Jakob Kummerow authored
      RTTs are internally represented as Maps. To store supertype information,
      this patch introduces a WasmTypeInfo object, which is installed on Wasm
      objects' Maps and points at both the off-heap type information and the
      parent RTT.
      In this patch, rtt.sub always creates a fresh RTT. The canonicalization
      that the proposal requires will be implemented later.
      
      Bug: v8:7748
      Change-Id: I8286dd11f520966155cd95c2bd844ec34fccd131
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2260566
      Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
      Reviewed-by: 's avatarTobias Tebbi <tebbi@chromium.org>
      Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#68564}
      04ce88ea
  12. 22 Jun, 2020 1 commit
  13. 04 Jun, 2020 1 commit
  14. 03 Jun, 2020 1 commit
  15. 27 May, 2020 1 commit
  16. 13 May, 2020 1 commit
  17. 06 May, 2020 2 commits
  18. 05 May, 2020 1 commit
    • Clemens Backes's avatar
      [wasm] Remove interpreter entry code · 61c2a0f4
      Clemens Backes authored
      This removes the interpreter entry stubs, which are used to redirect
      specific wasm functions to the interpreter. It is only needed when
      mixing JS code with interpreted Wasm code, otherwise the test functions
      just call the interpreter directly.
      Thus a lot of tests that contain such interaction between JS and Wasm
      need to be restricted to execute in Liftoff and TurboFan only.
      
      After this CL, the WASM_INTERPRETER_ENTRY frame type and the
      corresponding WasmInterpreterEntryFrame are dead, and will be removed in
      a follow-up CL.
      
      R=thibaudm@chromium.org
      
      Bug: v8:10389
      Change-Id: I8e50d350dbc2afcc1cddaeb98baf23711117af2d
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172962
      Commit-Queue: Clemens Backes <clemensb@chromium.org>
      Reviewed-by: 's avatarThibaud Michaud <thibaudm@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67559}
      61c2a0f4
  19. 04 May, 2020 1 commit
    • Manos Koukoutos's avatar
      [wasm] Avoid runtime calls for exception handling · 567a9bdf
      Manos Koukoutos authored
      Motivation:
      Improve code efficiency by replacing runtime calls with manually written
      turbofan code where possible.
      
      Changes:
      - Remove the runtime functions `Runtime_WasmExceptionGetTag` and
        `Runtime_WasmExceptionGetValues` and replace them with turbofan code.
      - Introduce the builtin function `GetOwnProperty`.
      - Change `wasm-compiler.h` and `wasm-compiler.cc` to accomodate the new
        changes.
        - Introduce three new macros in `wasm-compiler.cc`.
        - Use those macros in two additional places to remove code
          duplication.
      
      Change-Id: I4a32f9e5f7ee55dc50cd03378a68897888ece5c8
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2162905Reviewed-by: 's avatarClemens Backes <clemensb@chromium.org>
      Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67530}
      567a9bdf
  20. 30 Apr, 2020 1 commit
  21. 29 Apr, 2020 1 commit
  22. 28 Apr, 2020 5 commits
    • Clemens Backes's avatar
      [wasm][debug] Remove WasmNumInterpretedCalls runtime function · b98b4621
      Clemens Backes authored
      Redirection to the interpreter is removed from mjsunit tests. Hence the
      runtime function will always return 0.
      This CL removes the runtime function and the respective method from the
      interpreter.
      
      R=thibaudm@chromium.org
      
      Bug: v8:10389
      Change-Id: Ia17bebf3992f42a17a9c1b385ecdc2f2e3061b65
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2164794
      Commit-Queue: Clemens Backes <clemensb@chromium.org>
      Reviewed-by: 's avatarThibaud Michaud <thibaudm@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67447}
      b98b4621
    • Clemens Backes's avatar
      [wasm][debug] Remove redirection to interpreter · 1fb1db17
      Clemens Backes authored
      This removes the {RedirectToWasmInterpreter} runtime function and the
      respective method from {WasmDebugInfo}.
      Some tests test specifically the interaction between compiled code and
      the interpreter. They are irrelevant now and are deleted.
      
      R=thibaudm@chromium.org
      
      Bug: v8:10389
      Change-Id: I38330fcb523f7c65968fdf03abc60af3392bdcc8
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2164793
      Commit-Queue: Clemens Backes <clemensb@chromium.org>
      Reviewed-by: 's avatarThibaud Michaud <thibaudm@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67427}
      1fb1db17
    • Jakob Gruber's avatar
      Reland "[snapshot] Expose the serializer through %SerializeDeserializeNow" · bce121c7
      Jakob Gruber authored
      This is a reland of ad5b005e
      
      Original change's description:
      > [snapshot] Expose the serializer through %SerializeDeserializeNow
      >
      > ... in order to exercise the snapshot/ component from mjsunit tests
      > and fuzzers.
      >
      > * Since the serializer and deserializer can now be called at any time
      > instead of only in a tightly controlled environment, several
      > assumptions (such as an empty execution stack, no microtasks, no
      > handles) no longer hold and had to be made configurable through
      > SerializerFlags.
      >
      > * Root iteration now skips more root categories which were previously
      > guaranteed to be empty (e.g. the stack, microtask queue, handles).
      >
      > * The %SerializeDeserializeNow runtime function triggers
      > serialization, deserialization, and heap verification on the current
      > isolate and native context.
      >
      > Support is not yet complete and will be extended in future work. Once
      > all mjsunit tests successfully run, we can add a new test mode to
      > stress serialization.
      >
      > Bug: v8:10416
      > Change-Id: Ie7ff441a761257dd7f256d0a33e73227850074ac
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2159495
      > Commit-Queue: Jakob Gruber <jgruber@chromium.org>
      > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > Reviewed-by: Dan Elphick <delphick@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#67423}
      
      Tbr: delphick@chromium.org,ulan@chromium.org
      Bug: v8:10416
      Change-Id: Ibed04c0f0b72fabcf811d8b18a1479391a11568b
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170090Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
      Reviewed-by: 's avatarDan Elphick <delphick@chromium.org>
      Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
      Commit-Queue: Jakob Gruber <jgruber@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67426}
      bce121c7
    • Nico Hartmann's avatar
      Revert "[snapshot] Expose the serializer through %SerializeDeserializeNow" · 451854fa
      Nico Hartmann authored
      This reverts commit ad5b005e.
      
      Reason for revert: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20shared/36070?
      
      Original change's description:
      > [snapshot] Expose the serializer through %SerializeDeserializeNow
      > 
      > ... in order to exercise the snapshot/ component from mjsunit tests
      > and fuzzers.
      > 
      > * Since the serializer and deserializer can now be called at any time
      > instead of only in a tightly controlled environment, several
      > assumptions (such as an empty execution stack, no microtasks, no
      > handles) no longer hold and had to be made configurable through
      > SerializerFlags.
      > 
      > * Root iteration now skips more root categories which were previously
      > guaranteed to be empty (e.g. the stack, microtask queue, handles).
      > 
      > * The %SerializeDeserializeNow runtime function triggers
      > serialization, deserialization, and heap verification on the current
      > isolate and native context.
      > 
      > Support is not yet complete and will be extended in future work. Once
      > all mjsunit tests successfully run, we can add a new test mode to
      > stress serialization.
      > 
      > Bug: v8:10416
      > Change-Id: Ie7ff441a761257dd7f256d0a33e73227850074ac
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2159495
      > Commit-Queue: Jakob Gruber <jgruber@chromium.org>
      > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      > Reviewed-by: Dan Elphick <delphick@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#67423}
      
      TBR=ulan@chromium.org,jgruber@chromium.org,delphick@chromium.org
      
      Change-Id: Ie30b94c9ec6e4463bed6cc87dd6525f469fdf84a
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: v8:10416
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170089Reviewed-by: 's avatarNico Hartmann <nicohartmann@chromium.org>
      Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67424}
      451854fa
    • Jakob Gruber's avatar
      [snapshot] Expose the serializer through %SerializeDeserializeNow · ad5b005e
      Jakob Gruber authored
      ... in order to exercise the snapshot/ component from mjsunit tests
      and fuzzers.
      
      * Since the serializer and deserializer can now be called at any time
      instead of only in a tightly controlled environment, several
      assumptions (such as an empty execution stack, no microtasks, no
      handles) no longer hold and had to be made configurable through
      SerializerFlags.
      
      * Root iteration now skips more root categories which were previously
      guaranteed to be empty (e.g. the stack, microtask queue, handles).
      
      * The %SerializeDeserializeNow runtime function triggers
      serialization, deserialization, and heap verification on the current
      isolate and native context.
      
      Support is not yet complete and will be extended in future work. Once
      all mjsunit tests successfully run, we can add a new test mode to
      stress serialization.
      
      Bug: v8:10416
      Change-Id: Ie7ff441a761257dd7f256d0a33e73227850074ac
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2159495
      Commit-Queue: Jakob Gruber <jgruber@chromium.org>
      Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
      Reviewed-by: 's avatarDan Elphick <delphick@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67423}
      ad5b005e
  23. 24 Apr, 2020 3 commits
    • Camillo Bruni's avatar
      [runtime] Fix source location for CallWithSpread with errors · 1d00b785
      Camillo Bruni authored
      Unify error handling for errors in CallWithSpread Bytecode and thus
      fix source location mismatches.
      
      Bug: v8:10378
      Change-Id: If224cd34f1306492059dbedd8d2ca5c0feee5658
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2162856Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
      Commit-Queue: Camillo Bruni <cbruni@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67365}
      1d00b785
    • Timothy Gu's avatar
      Reland "[builtins] Clean up the use of class_name / ES5 [[Class]]" · 1aa51b49
      Timothy Gu authored
      This is a reland of 29c1eab9
      
      Original change's description:
      > [builtins] Clean up the use of class_name / ES5 [[Class]]
      >
      > Before ES2015, the ES spec had a [[Class]] internal slot for all
      > objects, which Object.prototype.toString() would use to figure the
      > returned string. Post-ES2015, the [[Class]] slot was removed in spec for
      > all objects, with the @@toStringTag well-known symbol the proper way to
      > change Object.prototype.toString() output.
      >
      > At the time, spec-identical handling without the use of [[Class]] was
      > implemented in V8 for all objects other than API objects, where issues
      > with the Web IDL spec [1] prevented Blink, and hence V8, to totally
      > migrate to @@toStringTag. However, since 2016 [2] Blink has been setting
      > @@toStringTag on API class prototypes to manage the
      > Object.prototype.toString() output, so the legacy [[Class]] handling in
      > V8 has not been necessary for the past couple of years.
      >
      > This CL removes the remaining legacy [[Class]] handling in
      > Object.prototype.toString(), JSReceiver::class_name(), and
      > GetConstructorName(). However, it does not remove the class_name field
      > in FunctionTemplateInfo, as it is still used for the `name` property of
      > created functions.
      >
      > This CL also cleans up other places in the codebase that still reference
      > [[Class]].
      >
      > This change should have minimal impact on web-compatibility. For the
      > change to be observable, a script must do one of the following:
      >
      > 1. delete APIConstructor.prototype[Symbol.toStringTag];
      > 2. Object.setPrototypeOf(apiObject, somethingElse);
      >
      > Before this CL, these changes will not change the apiObject.toString()
      > output. But after this CL, they will make apiObject.toString() show
      > "[object Object]" (in the first case) or the @@toStringTag of the other
      > prototype (in the latter case).
      >
      > However, both are deemed unlikely. @@toStringTag is not well-known
      > feature of JavaScript, nor does it get tampered much on API
      > constructors. In the second case, setting the prototype of an API object
      > would effectly render the object useless, as all its methods (including
      > property getters/setters) would no longer be accessible.
      >
      > Currently, @@toStringTag-based API object branding is not yet
      > implemented by other browsers. This V8 bug in particular has been an
      > impediment to standardizing toString behavior. Fixing this bug will
      > unblock [3] and lead to a better Web IDL spec, and better toString()
      > compatibility for all.
      >
      > [1]: https://www.w3.org/Bugs/Public/show_bug.cgi?id=28244
      > [2]: https://crrev.com/909c0d7d5a53c8526ded351683c65ea7d17531d4
      > [3]: https://github.com/heycam/webidl/pull/357
      >
      > Bug: chromium:793406
      > Cq-Include-Trybots: luci.chromium.try:linux-rel
      > Change-Id: Iceded24e37afa2646ec385d5018909f55b177f93
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2146996
      > Commit-Queue: Timothy Gu <timothygu@chromium.org>
      > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#67327}
      
      Bug: chromium:793406
      Change-Id: Ia5d97bd4e1c44cadc6f18a17ffc9d06b038cf8f1
      Cq-Include-Trybots: luci.chromium.try:linux-rel
      Cq-Include-Trybots: luci.v8.try:v8_linux_blink_rel
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2163881
      Auto-Submit: Timothy Gu <timothygu@chromium.org>
      Commit-Queue: Toon Verwaest <verwaest@chromium.org>
      Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67361}
      1aa51b49
    • Bill Budge's avatar
      Revert "[builtins] Clean up the use of class_name / ES5 [[Class]]" · 213016d6
      Bill Budge authored
      This reverts commit 29c1eab9.
      
      Reason for revert: Causes Blink test failures:
      https://ci.chromium.org/p/v8/builders/ci/V8%20Blink%20Linux/4222
      
      Original change's description:
      > [builtins] Clean up the use of class_name / ES5 [[Class]]
      > 
      > Before ES2015, the ES spec had a [[Class]] internal slot for all
      > objects, which Object.prototype.toString() would use to figure the
      > returned string. Post-ES2015, the [[Class]] slot was removed in spec for
      > all objects, with the @@toStringTag well-known symbol the proper way to
      > change Object.prototype.toString() output.
      > 
      > At the time, spec-identical handling without the use of [[Class]] was
      > implemented in V8 for all objects other than API objects, where issues
      > with the Web IDL spec [1] prevented Blink, and hence V8, to totally
      > migrate to @@toStringTag. However, since 2016 [2] Blink has been setting
      > @@toStringTag on API class prototypes to manage the
      > Object.prototype.toString() output, so the legacy [[Class]] handling in
      > V8 has not been necessary for the past couple of years.
      > 
      > This CL removes the remaining legacy [[Class]] handling in
      > Object.prototype.toString(), JSReceiver::class_name(), and
      > GetConstructorName(). However, it does not remove the class_name field
      > in FunctionTemplateInfo, as it is still used for the `name` property of
      > created functions.
      > 
      > This CL also cleans up other places in the codebase that still reference
      > [[Class]].
      > 
      > This change should have minimal impact on web-compatibility. For the
      > change to be observable, a script must do one of the following:
      > 
      > 1. delete APIConstructor.prototype[Symbol.toStringTag];
      > 2. Object.setPrototypeOf(apiObject, somethingElse);
      > 
      > Before this CL, these changes will not change the apiObject.toString()
      > output. But after this CL, they will make apiObject.toString() show
      > "[object Object]" (in the first case) or the @@toStringTag of the other
      > prototype (in the latter case).
      > 
      > However, both are deemed unlikely. @@toStringTag is not well-known
      > feature of JavaScript, nor does it get tampered much on API
      > constructors. In the second case, setting the prototype of an API object
      > would effectly render the object useless, as all its methods (including
      > property getters/setters) would no longer be accessible.
      > 
      > Currently, @@toStringTag-based API object branding is not yet
      > implemented by other browsers. This V8 bug in particular has been an
      > impediment to standardizing toString behavior. Fixing this bug will
      > unblock [3] and lead to a better Web IDL spec, and better toString()
      > compatibility for all.
      > 
      > [1]: https://www.w3.org/Bugs/Public/show_bug.cgi?id=28244
      > [2]: https://crrev.com/909c0d7d5a53c8526ded351683c65ea7d17531d4
      > [3]: https://github.com/heycam/webidl/pull/357
      > 
      > Bug: chromium:793406
      > Cq-Include-Trybots: luci.chromium.try:linux-rel
      > Change-Id: Iceded24e37afa2646ec385d5018909f55b177f93
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2146996
      > Commit-Queue: Timothy Gu <timothygu@chromium.org>
      > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#67327}
      
      TBR=verwaest@chromium.org,timothygu@chromium.org
      
      Change-Id: I678d2ffc1064b1d1ddb62024cc23c6c41b216ef4
      No-Presubmit: true
      No-Tree-Checks: true
      No-Try: true
      Bug: chromium:793406
      Cq-Include-Trybots: luci.chromium.try:linux-rel
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2163956Reviewed-by: 's avatarBill Budge <bbudge@chromium.org>
      Commit-Queue: Bill Budge <bbudge@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67349}
      213016d6
  24. 23 Apr, 2020 1 commit
    • Timothy Gu's avatar
      [builtins] Clean up the use of class_name / ES5 [[Class]] · 29c1eab9
      Timothy Gu authored
      Before ES2015, the ES spec had a [[Class]] internal slot for all
      objects, which Object.prototype.toString() would use to figure the
      returned string. Post-ES2015, the [[Class]] slot was removed in spec for
      all objects, with the @@toStringTag well-known symbol the proper way to
      change Object.prototype.toString() output.
      
      At the time, spec-identical handling without the use of [[Class]] was
      implemented in V8 for all objects other than API objects, where issues
      with the Web IDL spec [1] prevented Blink, and hence V8, to totally
      migrate to @@toStringTag. However, since 2016 [2] Blink has been setting
      @@toStringTag on API class prototypes to manage the
      Object.prototype.toString() output, so the legacy [[Class]] handling in
      V8 has not been necessary for the past couple of years.
      
      This CL removes the remaining legacy [[Class]] handling in
      Object.prototype.toString(), JSReceiver::class_name(), and
      GetConstructorName(). However, it does not remove the class_name field
      in FunctionTemplateInfo, as it is still used for the `name` property of
      created functions.
      
      This CL also cleans up other places in the codebase that still reference
      [[Class]].
      
      This change should have minimal impact on web-compatibility. For the
      change to be observable, a script must do one of the following:
      
      1. delete APIConstructor.prototype[Symbol.toStringTag];
      2. Object.setPrototypeOf(apiObject, somethingElse);
      
      Before this CL, these changes will not change the apiObject.toString()
      output. But after this CL, they will make apiObject.toString() show
      "[object Object]" (in the first case) or the @@toStringTag of the other
      prototype (in the latter case).
      
      However, both are deemed unlikely. @@toStringTag is not well-known
      feature of JavaScript, nor does it get tampered much on API
      constructors. In the second case, setting the prototype of an API object
      would effectly render the object useless, as all its methods (including
      property getters/setters) would no longer be accessible.
      
      Currently, @@toStringTag-based API object branding is not yet
      implemented by other browsers. This V8 bug in particular has been an
      impediment to standardizing toString behavior. Fixing this bug will
      unblock [3] and lead to a better Web IDL spec, and better toString()
      compatibility for all.
      
      [1]: https://www.w3.org/Bugs/Public/show_bug.cgi?id=28244
      [2]: https://crrev.com/909c0d7d5a53c8526ded351683c65ea7d17531d4
      [3]: https://github.com/heycam/webidl/pull/357
      
      Bug: chromium:793406
      Cq-Include-Trybots: luci.chromium.try:linux-rel
      Change-Id: Iceded24e37afa2646ec385d5018909f55b177f93
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2146996
      Commit-Queue: Timothy Gu <timothygu@chromium.org>
      Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67327}
      29c1eab9
  25. 21 Apr, 2020 1 commit
  26. 20 Apr, 2020 1 commit
  27. 16 Apr, 2020 2 commits