- 14 Sep, 2022 9 commits
-
-
Manos Koukoutos authored
Before, import and export wrappers were cached based on their signature. This change - makes wrapper canonicalization consistent with that of types and call_indirect signatures under --wasm-type-canonicalization, - removes the last uses of signature maps, which will enable us to remove them in a future CL. Change-Id: I512bc234f0ae10e50bd94237e8e675ca47ed13c5 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891250 Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#83183}
-
Greg Thompson authored
Bug: chromium:1092804 Change-Id: I9f4385d00af464eb2b9251b7c1dcfe0d4b69cdf2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891279 Auto-Submit: Greg Thompson <grt@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/main@{#83182}
-
Jakob Linke authored
Ignition remembers the correct context to restore when entering an exception handler by moving the context to an interpreter register when entering a try block, and restoring it from there when unwinding the frame and entering the catch block. Maglev code has to do the same by taking the context from the appropriate register for the handler's frame state. Bug: v8:7700 Change-Id: I294fcccc845c660b2289b6d7b40f49f1aa46283d Fixed: chromium:1359928 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892352 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Jakob Linke <jgruber@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#83181}
-
Marja Hölttä authored
This error type is very common and deserves its own error message instead of the generic "Unexpected value" one. Change-Id: I07a0de8b190db58e97fae98d0f7347872efd9995 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892694 Commit-Queue: Marja Hölttä <marja@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#83180}
-
Leszek Swirski authored
Move the CompilationInfo out of the GraphProcessor and into the individual NodeProcessors, allowing them to hold it as a field rather than getting it passed in via the various process methods. This will allow us to write graph processors that don't have/need access to the compilation info. Bug: v8:7700 Change-Id: I8b91cbeaf632f05ae8bbbe8783e5a7381b5c8e53 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892698 Auto-Submit: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Jakob Linke <jgruber@chromium.org> Commit-Queue: Jakob Linke <jgruber@chromium.org> Cr-Commit-Position: refs/heads/main@{#83179}
-
Dominik Inführ authored
This CL adds shared spaces for regular and large objects in the shared space isolate. Spaces aren't used for allocation yet. Bug: v8:13267 Change-Id: If508144530f4c9a1b3c0567570165955b64cc200 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876824 Reviewed-by: Jakob Linke <jgruber@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#83178}
-
Michael Achenbach authored
Joining a queue-using process can deadlock if the child process is about to write to the queue, but the parent process wants to join the child. To fix this, we now drain elements from a separate thread of the main process. Bug: v8:13113 Change-Id: Ic279e66ab84eb89a4034ff1f2c025eb850b65013 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891116 Commit-Queue: Michael Achenbach <machenbach@chromium.org> Reviewed-by: Alexander Schulze <alexschulze@chromium.org> Cr-Commit-Position: refs/heads/main@{#83177}
-
Liu Yu authored
Besides, fix a wrong instruction in mips64. Port commit ac0cedf1 Change-Id: I3c8c73eacc2aa1b5f4a583a0187261455917ad7a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892526 Auto-Submit: Liu Yu <liuyu@loongson.cn> Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn> Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn> Cr-Commit-Position: refs/heads/main@{#83176}
-
v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/7fcb69a..4157fb6 Rolling v8/buildtools: https://chromium.googlesource.com/chromium/src/buildtools/+log/4276428..e713c13 Rolling v8/buildtools/third_party/libc++/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libcxx/+log/60f9078..c1e647c Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/4864449..37391a1 Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/2d25dbd..9ebcfa6 Rolling v8/third_party/fuchsia-sdk/sdk: version:9.20220912.3.1..version:9.20220913.3.1 Rolling v8/third_party/zlib: https://chromium.googlesource.com/chromium/src/third_party/zlib/+log/05e137d..f48cb14 Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/2a5ebae..02a202a R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com Change-Id: I5cc2b3bdb94bd9786f11095169c3e193f8876ad9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893427 Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/main@{#83175}
-
- 13 Sep, 2022 31 commits
-
-
Fabrice de Gans authored
Bug: v8:8594 Change-Id: I734a548b074567af3cad6359ef96640cbf0eb6f3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892137 Commit-Queue: Fabrice de Gans <fdegans@chromium.org> Auto-Submit: Fabrice de Gans <fdegans@chromium.org> Reviewed-by: Alexander Schulze <alexschulze@chromium.org> Cr-Commit-Position: refs/heads/main@{#83174}
-
Thibaud Michaud authored
Trap if the suspender argument provided to the JSPI import wrapper is invalid. For now, the suspender argument is expected to be the active suspender. In the future, it will also be possible to suspend to a parent of the current suspender. This will only be possible once wasm-to-wasm suspending wrappers are supported, or if and when JSPI suspenders become compatible with their core stack-switching counterpart (e.g. Fibers in the fiber proposal). R=jkummerow@chromium.org Bug: v8:12191 Change-Id: I650454ed076bd251b0aa18656774d4c4b2d3bfdc Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892697 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/main@{#83173}
-
Frank Tang authored
Remove RegulateISODate after BalanceISODate and inline one call to AddISODate https://github.com/tc39/proposal-temporal/pull/2291/files Spec Text: https://tc39.es/proposal-temporal/#sec-temporal-addisodate https://tc39.es/proposal-temporal/#sec-get-temporal.zoneddatetime.prototype.hoursinday Bug: v8:11544 Change-Id: I4d5faaa48a26d37015c82bc06b3414698db9945d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893558 Commit-Queue: Frank Tang <ftang@chromium.org> Reviewed-by: Adam Klein <adamk@chromium.org> Cr-Commit-Position: refs/heads/main@{#83172}
-
Frank Tang authored
1. Return null if the transition is out of bound. 2. Remove incorrect MAYBE_RETURN which is handled by the IsNothing check. Bug: v8:11544 Change-Id: Ia54f68831120bd2460cb813464168b1a2c92da3d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893595 Commit-Queue: Frank Tang <ftang@chromium.org> Reviewed-by: Adam Klein <adamk@chromium.org> Cr-Commit-Position: refs/heads/main@{#83171}
-
Andy Wingo authored
Instead of having e.g. `string.new_wtf8` that takes an immediate specifying the particular UTF-8 flavor to parse, make one instruction per flavor. See https://github.com/WebAssembly/stringref/pull/46. Bug: v8:12868 Change-Id: I2e9f2735c557b2352b6e75314037e473710d87a9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892695 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Andy Wingo <wingo@igalia.com> Cr-Commit-Position: refs/heads/main@{#83170}
-
Teodor Dutu authored
This also allows allocation folding to be tested in cctests. Bug: v8:13070 Change-Id: I7b6991461dd7ad4423539b33f59a05d6b247c3e7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891257 Auto-Submit: Teo Dutu <teodutu@google.com> Commit-Queue: Teo Dutu <teodutu@google.com> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/main@{#83169}
-
Omer Katz authored
1) Cast to PagedSpaceBase instead of PagedSpace in sweeper.cc 2) Free LAB before filling space in heap-utils.cc Bug: v8:12612 Change-Id: I5820c2d2f4ab832a4b5a829fc55973d93296ec10 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892690 Commit-Queue: Omer Katz <omerkatz@chromium.org> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Auto-Submit: Omer Katz <omerkatz@chromium.org> Cr-Commit-Position: refs/heads/main@{#83168}
-
Shu-yu Guo authored
Bug: v8:12547 Change-Id: I89dbaea6b8559ada651b6ed986c842c1dc2b6df9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892129 Reviewed-by: Milad Farazmand <mfarazma@redhat.com> Commit-Queue: Milad Farazmand <mfarazma@redhat.com> Cr-Commit-Position: refs/heads/main@{#83167}
-
Leszek Swirski authored
Double-representation field loads were DCHECKing that the entry in the descriptor array for a double-representation IC is also double representation. With in-place map updates, however, the IC may be out of date, so weaken this DCHECK to take into account in-place updates, and rely on compilation dependency commit making this lookup safe. Bug: v8:7700 Change-Id: Iff3c80d396274d14034e010dbe98f5640c9e4495 Fixed: chromium:1358872 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892692 Commit-Queue: Jakob Linke <jgruber@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Jakob Linke <jgruber@chromium.org> Cr-Commit-Position: refs/heads/main@{#83166}
-
Leszek Swirski authored
ElementAccessFeedback transition groups can contain multiple maps in a transition group if feedback is polymorphic on elements kind but not otherwise the map kind. Maglev should treat this case as polymorphic. Bug: v8:7700 Change-Id: I779299e4cf9d1c3a30e77f7a953d057ea5a69935 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892691 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#83165}
-
Jakob Linke authored
For frame inspection (i.e. not deoptimization), no RegisterValues are available to TranslatedState and thus any register-allocated value is unavailable. Stack trace collection requires `function` and `receiver` values to be available and thus stack-allocated. Both are immutable and have fixed stack slots so this is not a problem; we just lost track of the receiver inside Maglev when function parameters were wrapped inside exception Phi nodes. We solve this for now by special-casing the `receiver` to reuse the InitialValue node instead of creating a new Phi. Bug: v8:7700 Change-Id: I4f4de9a643b98e2fcbc7ee7a53688cc97a8d6f1d Fixed: chromium:1359428 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893856 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Jakob Linke <jgruber@chromium.org> Commit-Queue: Jakob Linke <jgruber@chromium.org> Cr-Commit-Position: refs/heads/main@{#83164}
-
Milad Fa authored
BE machines use a 4 byte bias to spill/fill 32-bit values on the stack. This is done so because TF always fills 64-bit values even if the spilled value was 32-bits. To make sure this holds between LO and TF we have added a 4 byte bias in this CL: crrev.com/c/2756712 LoadSpillAddress needs to also take this into account and add a bias if the spilled value was 4 bytes. Change-Id: Ibd2b2071ce1fb11a9c5884611ae8edd1f17cb0c9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891196 Commit-Queue: Milad Farazmand <mfarazma@redhat.com> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/main@{#83163}
-
Matthias Liedtke authored
Fixed: v8:12463 Change-Id: I7ca2d3db803ca6ac50c1340d747f98d03c3985a4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890982 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Matthias Liedtke <mliedtke@chromium.org> Cr-Commit-Position: refs/heads/main@{#83162}
-
Camillo authored
Drive-by-fixes: - Auto-create the --perf-data-dir Change-Id: I6801452f9c4c6b9069a29aa3ab1e25909adffb19 No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893858 Auto-Submit: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#83161}
-
Liu Yu authored
Port commit 6f9e71fa Change-Id: I8aaf45c82b3787acd55de595cebe6b4b3c99efc2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893596 Auto-Submit: Liu Yu <liuyu@loongson.cn> Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn> Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn> Cr-Commit-Position: refs/heads/main@{#83160}
-
Matthias Liedtke authored
GetIterator on object o consists of two steps: 1) iter = load o[#Symbol.Iterator] 2) call iter For null / undefined step (1) throws an exception, meaning step (2) is never reached. Up to this change, turbofan deopts if for either of the two steps there isn't enough feedback, meaning that we have a deopt loop for null and undefined. Change-Id: Ie0eaf8e231a149313e10af9e95fd80bc77dc0beb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890980 Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Auto-Submit: Matthias Liedtke <mliedtke@chromium.org> Cr-Commit-Position: refs/heads/main@{#83159}
-
Omer Katz authored
FillCurrentPage assumed that everything after top is empty, which doesn't work with MinorMC and sweeping. Revise FillCurrentPage based SimulateFullSpace for MinorMC. A similar implementation is provided both in unittests and cctest. Migrating affected cctest to unittests is left as future work. Bug: v8:12612 Change-Id: Ie29be2fc7aaee25e1fd5f66b1c0959c2a45f007f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3885888 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Omer Katz <omerkatz@chromium.org> Cr-Commit-Position: refs/heads/main@{#83158}
-
Al Muthanna Athamina authored
Bug: v8:13052 Change-Id: Ida65f95547006e6fa2542362c59f20c60a63a9af Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893852 Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Almothana Athamneh <almuthanna@chromium.org> Cr-Commit-Position: refs/heads/main@{#83157}
-
Leszek Swirski authored
This is a reland of commit 133e7f83

Reland: Rebase onto v8_multi_arch_build fix.

Original change's description:
> [maglev] Optimize monomorphic keyed loads
>
> Add a fast path for keyed loads that are:
>
> 1. Monomorphic,
> 2. Fast elements accesses,
> 3. Not out-of-bounds (deopt on OOB),
> 4. Not holey
>
> Bug: v8:7700
> Change-Id: I4d46f4d0ce7065c93a9b092833fb16a8c9e9f94e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3882974
> Auto-Submit: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Jakob Linke <jgruber@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83149}

Bug: v8:7700 Change-Id: Ib48bdc8729757527c19d0b24864f8eab0570c3f3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890920 Commit-Queue: Jakob Linke <jgruber@chromium.org> Reviewed-by: Jakob Linke <jgruber@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#83156}
-
Samuel Groß authored
During ExternalPointerTable::Grow, if we cross one of a handful of predefined utilization thresholds, we now request a (major) GC to free up entries that are no longer used in the table. Bug: v8:10391 Change-Id: Id2d262f0f1d4dc37aec1e4978a8be2d223fb2b2b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890971 Commit-Queue: Samuel Groß <saelo@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#83155}
-
Leszek Swirski authored
v8_multi_arch_build toggles v8_enable_pointer_compression, but some other flags are set depending on v8_enable_pointer_compression. Previously the v8_multi_arch_build condition was resetting some of these in its branch, but we can make this simpler by moving the pointer compression toggle earlier, immediately after the default pointer compression setting. Change-Id: Ie5f4e73f947b693d4ba2abe4e1cf30009a2bbb2c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890918 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#83154}
-
Hao Xu authored
The way to determine whether a MaybeObject is a strong or weak reference to the heap object is to check its lowest two bits. However, if the MaybeObject is known to not be a smi, that is, the lowest bit is known to be 1, we can check one bit instead. This allows Turbofan to select better instructions:

x64:
Before:
    movl r9,r11
    andl r9,0x3
    cmpb r9l,0x1
After:
    testb r11,0x2

arm64:
Before:
    and w8, w7, #0x3
    cmp w8, #0x1 (1)
    b.ne #+0x320
After:
    tbnz w7, #1, #+0x320

Change-Id: I03623183406ad7d920c96a752651e0116a22832e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3861310 Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Hao A Xu <hao.a.xu@intel.com> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/main@{#83153}
-
Jakob Linke authored
.. Throw|LazyDeopt. Whether a builtin can Throw|LazyDeopt depends on the implementation, so to be safe all builtin calls should be marked as such - UNLESS we know for certain that one or the other doesn't happen. Drive-by: For calls with two result registers, properly consider the second register in a few spots. Bug: v8:7700 Change-Id: Icbcffb51e9760761a2f4e32d79af33abccb8f1cb Fixed: chromium:1361245 Fixed: chromium:1360800 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879617 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Jakob Linke <jgruber@chromium.org> Commit-Queue: Jakob Linke <jgruber@chromium.org> Cr-Commit-Position: refs/heads/main@{#83152}
-
Jakob Linke authored
.. where we sometimes want to inspect Node contents. With this CL, for a human-readable print in gdb: print node->Print() Note: Since we use an adhoc-created graph labeller, the output can't properly identify input nodes and instead prints them as 'unregistered node'. Bug: v8:7700 Change-Id: Icba458ac1a5c43a09b815e12582443aca4e19380 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890914 Auto-Submit: Jakob Linke <jgruber@chromium.org> Commit-Queue: Jakob Linke <jgruber@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#83151}
-
Leszek Swirski authored
This reverts commit 133e7f83.

Reason for revert: Breaks compilation for non-pointer-compressed x64

Original change's description:
> [maglev] Optimize monomorphic keyed loads
>
> Add a fast path for keyed loads that are:
>
> 1. Monomorphic,
> 2. Fast elements accesses,
> 3. Not out-of-bounds (deopt on OOB),
> 4. Not holey
>
> Bug: v8:7700
> Change-Id: I4d46f4d0ce7065c93a9b092833fb16a8c9e9f94e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3882974
> Auto-Submit: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Jakob Linke <jgruber@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83149}

Bug: v8:7700 Change-Id: I08e7ca3a79b383d19c6baf73a721364b859d6df3 No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890916 Auto-Submit: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Cr-Commit-Position: refs/heads/main@{#83150}
-
Leszek Swirski authored
Add a fast path for keyed loads that are: 1. Monomorphic, 2. Fast elements accesses, 3. Not out-of-bounds (deopt on OOB), 4. Not holey Bug: v8:7700 Change-Id: I4d46f4d0ce7065c93a9b092833fb16a8c9e9f94e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3882974 Auto-Submit: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Jakob Linke <jgruber@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#83149}
-
Liu Yu authored
Bug: v8:13206 Change-Id: Ifb5daeff2a1e91fd098bc5abe9f81339575636bf Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3837160 Reviewed-by: Hannes Payer <hpayer@chromium.org> Reviewed-by: Jakob Linke <jgruber@chromium.org> Reviewed-by: Michael Achenbach <machenbach@chromium.org> Auto-Submit: Liu Yu <liuyu@loongson.cn> Commit-Queue: Liu Yu <liuyu@loongson.cn> Cr-Commit-Position: refs/heads/main@{#83148}
-
Shu-yu Guo authored
The normative change in https://github.com/tc39/proposal-resizablearraybuffer/pull/93 changed the behavior of TypedArray.prototype.subarray(begin, end) such that if the receiver is a length-tracking TA and end is undefined, the result TypedArray is also length-tracking. This change reached consensus in the March 2022 TC39. Bug: v8:11111 Change-Id: If1a84cc3134f3ce8046196d6cc36683b6996dec0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3888382 Commit-Queue: Marja Hölttä <marja@chromium.org> Auto-Submit: Shu-yu Guo <syg@chromium.org> Reviewed-by: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#83147}
-
Fabrice de Gans authored
Bug: v8:8594 Change-Id: I398678bb92105dc99882e4a253d0c6235628952f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892178 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Auto-Submit: Fabrice de Gans <fdegans@chromium.org> Cr-Commit-Position: refs/heads/main@{#83146}
-
Greg Thompson authored
Bug: v8:12589 Change-Id: Idf341625f8fadf4a0145887c0ec6642b5e6bfd88 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3885882 Reviewed-by: Alexander Schulze <alexschulze@chromium.org> Commit-Queue: Greg Thompson <grt@chromium.org> Cr-Commit-Position: refs/heads/main@{#83145}
-
Leszek Swirski authored
Loop used value lifetimes extension extends the lifetime of anything used inside of a loop but defined outside of it, to make sure that it is considered 'live' for the entire body of the loop (this is so that we don't e.g. clobber their stack slots with stack slot reuse).

The implementation works on the principle that a) basic blocks are topologically sorted by forward control flow, and b) loops are irreducible. This means that basic blocks between a loop header and the jump to that loop header are inside the loop, and nodes whose id precedes the loop header's id must be before the loop.

Generator resumes break this irreducibility by jumping into the middle of loops. This is principally not a problem for the above lifetime extension, it just means that the loop's used nodes will overapproximate and include these generator nodes. However, there was an implicit additional assumption that the node must be loadable by the loop end, to extend its lifetime. This fails for the generator resume case, because it's possible that the node didn't make it into any loop merge state, e.g. because the resume would immediately deopt or return, e.g.

          Start
          /   \
         /   GeneratorResume
         |        |
         v        |
    .>Loop header |
    |    |        |
    |  Branch     |
    |  |   |      |
    |  | Suspend  |
    |  |          |
    |  | Resume <-'
    |  |   |
    |  | Return
    |  v
    `--JumpLoop

Here the Resume will get the accumulator from the generator and the Return will use it, which will be seen as an out-of-loop use of the generator, but the generator was never reachable from the "real" loop body.

At the end of the day, since there are no actual uses of the generator value in the loop body, the lifetime extension does no harm; all that fails is a DCHECK that the values loop lifetime extension extends are actually loadable. So, we can relax this DCHECK for this specific generator edge case, by checking for whether the JumpLoop is reachable from the generator resume.
Bug: v8:7700 Change-Id: Iec4db2aee5b8812de61c3afb9004c8be3982baa2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890975 Auto-Submit: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Jakob Linke <jgruber@chromium.org> Commit-Queue: Jakob Linke <jgruber@chromium.org> Cr-Commit-Position: refs/heads/main@{#83144}
-