... when the code range is created. This key should be more helpful
than the existing kCodeSpaceFirstPageAddress crash key, especially
for the cases when snapshot does not contain Code objects and thus
the code space is not created during Isolate initialization.
The mid-term plan is to remove the latter in favour of the former
since the default configuration does not imply creation of the code
space.
Bug: v8:11880
Change-Id: Icdea38723c7ed73605c2df6589ec01193571d55c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849038
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82667}
Sparkplug generates a lot of code and the default limit of 128 MB also
hurts non-pointer compression builds which is used by Node.js.
This CL keeps the old limit only for pointer compression configurations
without external code space because in this case the code range is
allocated in the pointer compression cage and thus bigger code range
steals the address space from the regular V8 heap.
Bug: v8:12689
Change-Id: I3c68daf6cd5322d7e30249a054a7c6d6e38fb8c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3850291
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82666}
IsRunning() and IsMarking() are now equivalent. So IsRunning() can be
removed in favor of IsMarking().
IsComplete() is also renamed to IsMarkingComplete().
Bug: v8:12775
Change-Id: Ife88be4d674af055590ba5178ec1e410f8fa89d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849833
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82665}
Now roll_merge_gerrit.py waits for a +1, and immediately submits. With
auto-submit and rubber-stamper bot, this makes the script fully
fire-and-forget.
This also fixes the commit message update to include the change id.
Bug: v8:12849
Change-Id: I63784bfc1b2a16dfcd308b11e67d9da9c2ff3f8a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3804249
Reviewed-by: Liviu Rau <liviurau@google.com>
Commit-Queue: Liviu Rau <liviurau@google.com>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82664}
Add a stack check to maglev function entry, and ensure that there is
deopt info on the safepoint when there is a loop interrupt which can
also stack check.
These are somewhat hacky fixes for now, both of which do the minimal
work to make OptimizedFrame::Summarize work. There are some TODOs on
making this better, in particular not relying on lazy deopt info for
said summarize. Cleaning this up will likely be part of a larger piece
of work around exception support.
Bug: v8:7700
Fixed: v8:13152, v8:13153, v8:13154, v8:13162
Change-Id: Ib9e4820200806a3f7d08fb8b069655525f90efb3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3811285
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82663}
... to globals.h. The latter is included into flags.h and thus
the flag-defnitions.h can rely on those values to be defined.
The xxx_BOOL macros that were used in #if expressions in
flag-definitions.h are now explicitly checked for being defined.
This change allows using the constants also in the globals.h header.
Bug: v8:12689
Change-Id: I2498502284ab1e8dc8a3526229613ea1ce6624bc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849377
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82662}
When compaction is aborted during marking, the
start_of_evacuation_area_ value would previously be set to -1. This
would, however, cause some DCHECK failures during sweeping, which
expect this value to contain the (previous) start value. This is now
fixed by just setting the top bits of the start_of_evacuation_area_
value when aborting compaction. During sweeping, these bits are
cleared again and the DCHECKs work as expected.
Bug: v8:10391, chromium:1355640
Change-Id: Id48ee71a3942b3e0b88e8e1667a8f9e109a68bb3
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849650
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82661}
This is mostly to make fuzzers happy. Currently, adding --future
changes user-observable behaviour if also --wasm-lazy-validation is
passed, because --future implies --wasm-lazy-compilation.
By implying --wasm-lazy-compilation from --wasm-lazy-validation, we
make this independent of --future, and foozzie should be happy.
R=jkummerow@chromium.org
Bug: chromium:1355062
Change-Id: I47161c107de6ef00395a2a5e3284fc5ceae37d3f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3850483
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82660}
Delayed tasks were never used, so remove support for it. The only
supported task type is therefore "normal", immediately scheduled tasks.
Bug: v8:12775
Change-Id: Ifd659deae2b98f424d889e4253f79d9b031a82d1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849831
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82659}
Generate Tbz/Tbnz instead of (tst;bcc),
and Cbz/Cbnz instead of (cmp;bcc), where possible.
This improves Speedometer2 by 0.22% on a Neoverse-N1 machine.
Change-Id: Ie86bae7189a7a4bd4975f946e7413225c9023316
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3833816
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82657}
Use the `fuchsia_component` and `fuchsia_package` GN templates from the
Fuchsia SDK to package the `v8_unittests` test for Fuchsia. Give the
`v8_unittests` their own dedicated `.cmx` file, instead of depending on
`v8.cmx`.
Bug: chromium:1256503
Change-Id: I22788359bed18eb643e288ee1a0c92c24c0dc3e1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3819644
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Wez <wez@chromium.org>
Commit-Queue: Derek Gonyeo <dgonyeo@google.com>
Cr-Commit-Position: refs/heads/main@{#82656}
This CL adjusts MarkingBarrier for MinorMC incremental marking.
The MarkingBarrier will be activated in a follow-up CL that schedules
MinorMC on a soft limit.
Bug: v8:13012
Change-Id: I525f6f158c2d55074d66f51925a1d8220cd4e9b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3787874
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82655}
Add return register to the allocator. SetPendingMessage is a ValueNode
and returns the previous pending message.
This was not identified before, because we do not support
exception handlers yet.
Bug: v8:7700
Change-Id: Ia03ea609e85297198792816edda22d4f1c79708c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849652
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82654}
This is a reland of commit c3a5c5b1e0
The previous CL was writing into the wrong sets when invoking
CollectSlots<OLD_TO_SHARED>(). Also move the NULL checks out of
that condition to also check this for chunks in the young generation.
Original change's description:
> [heap] Ensure all old-to-shared slots are recorded
>
> This CL adds verification of the old-to-shared remembered set to
> --verify-heap. During shared GCs client heaps will be scanned for
> references into the shared heap, this CL will CHECK that every found
> slot is contained in the old-to-shared remembered set. After this
> gets a bit more stable, the full heap iteration can be dropped and we
> can fully rely on the remembered set instead.
>
> Bug: v8:11708
> Change-Id: I0b5c4edfe3271306e4e7af7394472534113e1953
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3792605
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82578}
Bug: v8:11708
Change-Id: I24b7787977f06708efb7a017dd1ec72f78d0ea13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3841570
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82653}
Adds flags to allow overriding marking support. This adds
compatibility with EmbedderHeapTracer which allows for disabling
incremental marking support with `--no-incremental-marking-wrappers`.
The corresponding CppHeap flags are
* `--cppheap-incremental-marking`
* `--cppheap-concurrent-marking`
This allows embedders that use types that do not support incremental
and concurrent marking to switch from EmbedderHeapTracer to CppHeap.
Bug: v8:13207
Change-Id: I74bdf8ef4be3f6aed8d4d587ea4399546ba2fda4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3840939
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82652}
Publish all local worklists and don't ignore the one corresponding to
the current context.
Bug: chromium:1355679
Change-Id: I1944acd6258178d509610d3806c5aca047bbbbf8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849651
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82651}
There is somes flag errors in the comments, which clarify how to
use pgo for builtin.
Change-Id: I0c418aee57adb7c6774735d32fc63a143bee5c7e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849654
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Wenqin Yang <wenqin.yang@intel.com>
Cr-Commit-Position: refs/heads/main@{#82650}
- Swap() was not necessary as all uses merely required Merge()
- Remove unused empty Local ctor
- Use refrence for backref as it's always supposed to be non-null
Bug: v8:13193
Change-Id: Ide0a0de15185a67d028890371ae30528fd55a058
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3846863
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82648}
This change adds support for new table element types besides the
existing support for func and extern.
The newly supported types are the generic types of the 'any' subtype
hierarchy: any, eq, data and array.
All these table types are also usable and accessible via JavaScript,
causing implicit internalization and externalization of the elements
on Table::get() and Table::set().
Bug: v8:7748
Change-Id: Ie85d8f5e1d70471360dd2fb8a39cd38efaac2c22
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3838729
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82643}
We found there are redundant load context operations in
some bytecode array.
like this:
LdaImmutableCurrentContextSlot [1]
Star0
...... (don’t edit accumulator)
LdaImmutableCurrentContextSlot [1]
Star1
Add r1
In that case, we could modify this bytecode array as:
LdaImmutableCurrentContextSlot [1]
Star0
...... (don’t edit accumulator)
Add r0
This CL will elide these redundant bytecodes
(LdaImmutableCurrentContextSlot and Star1), because there is no
side effect for loading context, and this context slot is immutable.
Change-Id: Ia26f4b934d3bd1d48c50c0c4699ba7942939991c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816221
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82641}
This CL refines https://crrev.com/c/3829539 to only apply to let and
const declared variables. `var`s should stay `undefined`.
R=jarin@chromium.org
Bug: chromium:1328681
Change-Id: I35778c89fb04439348a4f6aebcdeb2db6234f9d0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3848960
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82640}
FastForwardSchedule() was the only operation left which need the
StepResult. However, we can also invoke that method from
AdvanceOnAllocation(). That way we can remove all uses of StepResult.
Bug: v8:12775
Change-Id: If91d76906f0f75342abce1456ea7d4a6fe089bee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3843142
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82639}
When you use the IntelliJ IDE, all the project-specific
settings for the project are stored under the .idea folder.
This patch add .idea to .gitignore to support IntelliJ IDE.
Change-Id: I55ca6530f00fd64f088485f7c856ad602b145f63
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813066
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82637}
Per-context mode marking segregates worklists per context. Upon doing
so, Worklist::Local's move ctor was invoked which cleared the back
pointer to worklist. This break switching to that context which
happens in rare secnarios.
Rework Local marking worklists avoiding the move ctor which is also
removed.
Bug: chromium:1355545
Change-Id: If0e8c7f08df564b2a1e27e4a3fc5a6a40e46ee46
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3845630
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82636}
The generational barrier isn't supported on the background thread at the
moment. Make sure it isn't used on such threads by accident.
Bug: v8:13203
Change-Id: I5577f3802c1aba246955519c8c778fa741d56d96
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3840300
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82635}
The concurrent marker needs an override for JSObject subclasses with
their own visitor id and body descriptor. Implement the missing
VisitJSSynchronizationPrimitive.
Bug: v8:13214
Change-Id: Ie4f64e2b4e9b211f9661da75bf8d2d012f8d16ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3846320
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82634}
In collator and localeCompare, we have an incorrect optimization
for zero length string that compare the length and ignore the
fact some non zero length string could be considered as equal to
a zero length string because the content are all ignoreable.
Took out this incorrect optimization with test cases.
The regression is introduced in
6fbb8bc806 which first appeared in 97.0.4665.0
Bug: chromium:1347690
Change-Id: Ie70feb9598b1842f8a8744c38f33b3397865abfd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3832526
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82632}
Namely:
- AccessorInfo::getter and AccessorInfo::js_getter,
- CallHandlerInfo::callback and CallHandlerInfo::js_callback.
The redirected/non-redirected callback distinction is required only
for simulated builds but we wasted memory also for all native builds.
Now we store these fields in "redirected" form which allows us to call
them directly from builtins or generated code. In case it's necessary
to call a callback from C++ code the C function address is read from
the redirection. This additional indirection makes the callback calls
from C++ code in simulated builds slower but saves memory for native
builds.
This CL should recover a part of memory regression caused by inlining
Foreign fields into AccessorInfo and CallHandlerInfo.
Bug: v8:12949, chromium:1336105, chromium:1335930
Change-Id: I38470ed21ee23b281247c11a9531542c7e4acca1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3835686
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82631}
This changeset include:
1. [prepare for migrate] move `cctest/compiler/value-helper.h`,
`cctest/compiler/c-signature.h`, and `cctest/compiler/call-tester.h` to
`test/common` directory because both `test-codegen` and a lot of cctest file
include it.
2. [prepare for migrate] separate the tester helper part of `test-codegen`
into a new `codegen-tester` file.
3. finally, migrate test-codegen.cc to `codegen-unittest.cc`
Bug: v8:12781
Change-Id: Ia2f52c1d3b6b62501066dc1c4308a2c09d699e92
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3831146
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82630}
We used to treat Heap::ReportExternalMemoryPressure just like
allocation observer marking steps. Which means that we advance
incremental marking but never finalize here immediately. This is
now problematic without a separate COMPLETE phase when we don't reach
the stack guard because we are stuck in C++ for awhile. In such cases
we might perform way more marking work than we used to.
We can fix this by finalizing marking immediately at this point when
the stack guard was already armed. Otherwise we prefer to finalize
marking in a task where we don't have a stack at all.
For this we add a new method
IncrementalMarking::AdvanceAndFinalizeIfNecessary. AdvanceFromTask
is renamed to AdvanceAndFinalizeIfComplete to make the difference
between those methods more clear.
Bug: v8:12775, chromium:1354911
Change-Id: If57bedb1a5f87923ccb8ad3fe2b60952e3843975
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3845082
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82626}
The load for external reference should be a full pointer load
instead of tagged size.
Change-Id: I3460a26abea5053ba6daa5c6ed908cb93431654a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3842348
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/main@{#82625}
This is a reland of commit 9b0d5cb14b
The newly added check does not allow comparisons with stale or
invalid pointers because attempt to access the page header might
crash.
Original change's description:
> [ext-code-space] Fix Code vs non-Code comparisons
>
> When external code space is enabled comparing Code and non-Code objects
> by looking at compressed values is not always correct. Such an approach
> works only for comparing Code vs Code objects or non-Code vs non-Code
> objects.
>
> This CL instroduces SLOW_DCHECK into Object comparison operators to
> ensure that such a comparison is allowed. Also, this CL instroduces
> an Object::SafeEquals() method which compares uncompressed values
> and thus is safe to be used for comparing Code with non-Code objects.
>
> Bug: v8:11880
> Change-Id: I7ccf1f90f927beb2bb9f45efb303e902b1838d02
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3838172
> Reviewed-by: Jakob Linke <jgruber@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82611}
Bug: v8:11880
Change-Id: Iab3c8fe49cb954b2dc9171b3fc4b189e84763e73
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3842932
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82624}
This check leads to quadratic runtime, which is problematic on huge
stacks (>10000 entries in the reproducer).
Typically stacks are small, so we check the first 16 entries one by one,
and then increase the step size. This still gives fuzzers and other
tests a good chance to find bugs, but avoids quadratic runtime.
R=thibaudm@chromium.org
Bug: chromium:1344481
Change-Id: Iaa3684410939d4c56177eed62787b29e409c3136
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3842154
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82621}
Currently, when the input ArrayBuffer is detached during DataView
construction, the code will create an invalid DataView object whose
length, offset, and data_pointer are all incorrect. While this is
currently ok as the DataView is never exposed to JavaScript in that
case, it does cause issues as setting the data_pointer to a value
outside of the V8 sandbox leads to a CHECK failure. This CL now ensures
that the constructed DataView is always in a sane state to fix this.
Bug: chromium:1354429
Change-Id: I04260a5cf5547a420956d7a75e77f41408aa4f78
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3841931
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82619}
