Commit Graph

3467 Commits

Author SHA1 Message Date
Andreas Haas
7a31813024 Reland "[wasm] The name of a custom section can cause a validation error"
This is a reland of 03d5a7ba9b

Nothing changed here compared to the original test. The tests on the
blink side were invalid, I fixed them in https://crrev.com/c/2066907.

Original change's description:
> [wasm] The name of a custom section can cause a validation error
>
> The WebAssembly spec defines that the name of a custom section can cause
> a validation error. The streaming decoder, however, used a separate
> Decoder object to decode the name, and thereby avoided a validation
> error. With this CL the streaming decoder uses the main decoder to
> decode the name of the custom section.
>
> In addition this CL removes the test mjsunit/regress/wasm/regress-789952.
> This test defined an invalid WebAssembly module and expected it to
> compile. As it is a regression test, it makes no sense to fix the test.
> The module is invalid because it defines the length of the custom section
> to be '0', so there are no bytes in the custom section for its name.
>
> R=clemensb@chromium.org
> CC=thibaudm@chromium.org
>
> Bug: v8:10126
> Change-Id: I8cfc77c9a5916570d5362d5922e0179a29774da8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2041446
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#66348}

Bug: v8:10126
Change-Id: I48aaed8eb9899da1703030fb6809fe46a6e66191
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2069325
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66431}
2020-02-25 15:38:27 +00:00
Ng Zhi An
0d0d38fec0 Reland "[liftoff] Check fp_pair when looking up register for reuse"
This is a reland of 548fda4afb

regress-1054466 is modified to not use 64x2 operations, since that was
causing problems on noavx/nosse builds, which requires scalar lowering,
and scalar lowering for 64x2 ops is not implemented.

Original change's description:
> [liftoff] Check fp_pair when looking up register for reuse
>
> Given two registers that are both not gp_pair, one could be an fp_pair,
> and the other not, and we will incorrect call == on them. The current
> check needs to be expanded to check that both registers are fp_pair.
>
> Bug: chromium:1054466
> Change-Id: Ib986c002a8a5cadb9668458597a797cecfd971b1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2070006
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#66402}

Bug: chromium:1054466
Change-Id: If88f1ff2fb17aaa3727758cda5b368be1c6d9bd6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2071396
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66423}
2020-02-25 12:18:46 +00:00
Clemens Backes
37425fe968 Revert "[liftoff] Check fp_pair when looking up register for reuse"
This reverts commit 548fda4afb.

Reason for revert: Segfault on nosse bot: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux/35905?

Original change's description:
> [liftoff] Check fp_pair when looking up register for reuse
> 
> Given two registers that are both not gp_pair, one could be an fp_pair,
> and the other not, and we will incorrect call == on them. The current
> check needs to be expanded to check that both registers are fp_pair.
> 
> Bug: chromium:1054466
> Change-Id: Ib986c002a8a5cadb9668458597a797cecfd971b1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2070006
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#66402}

TBR=clemensb@chromium.org,zhin@chromium.org

Change-Id: I56f13406ef3cc3793c9d0e2273c4dc5fb0e3de38
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:1054466
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2069327
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66405}
2020-02-24 13:18:46 +00:00
Ng Zhi An
548fda4afb [liftoff] Check fp_pair when looking up register for reuse
Given two registers that are both not gp_pair, one could be an fp_pair,
and the other not, and we will incorrect call == on them. The current
check needs to be expanded to check that both registers are fp_pair.

Bug: chromium:1054466
Change-Id: Ib986c002a8a5cadb9668458597a797cecfd971b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2070006
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66402}
2020-02-24 12:24:06 +00:00
Jakob Kummerow
a8b7d47733 [wasm] Bring memory limits up to spec
Make sure the "initial pages" memory limit is enforced correctly and
throws a CompileError when exceeded.
Bump the "maximum pages" memory limit to 65536.
The --wasm-max-mem-pages flag now controls the "initial pages" limit;
the "maximum pages" limit is always 65536 as spec'ed.

This CL depends on https://github.com/WebAssembly/spec/pull/1121.

Bug: v8:7881, v8:8633
Change-Id: I68d07cef56633b8b8ce3b3d047c14e1096daf547
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2035876
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66400}
2020-02-24 11:00:16 +00:00
Nico Hartmann
86a6ce454b [turbofan] Fixes Array constructor with single string argument
Bug: chromium:1034449
Change-Id: Id121b60af0c8c8621464f15aa754056cecb04595
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2064985
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66386}
2020-02-21 12:26:09 +00:00
Toon Verwaest
4b0916a2bc [keys] Make sure we don't leak the enum cache in slow-mode for/in
An enum cache can only be referenced together with the map that owns the
entries that are needed. Otherwise the entires can be trimmed away if
the map dies because of transitions.

Bug: chromium:1050046
Change-Id: I5bc9dd65ca092c3d5ebc08ce553f6f1dc980d41b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2066959
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66375}
2020-02-20 16:44:41 +00:00
Michael Achenbach
43accc8b7f Revert "[wasm] The name of a custom section can cause a validation error"
This reverts commit 03d5a7ba9b.

Reason for revert: Needs rebaseline:
https://ci.chromium.org/p/v8/builders/ci/V8%20Blink%20Linux/3243

Original change's description:
> [wasm] The name of a custom section can cause a validation error
> 
> The WebAssembly spec defines that the name of a custom section can cause
> a validation error. The streaming decoder, however, used a separate
> Decoder object to decode the name, and thereby avoided a validation
> error. With this CL the streaming decoder uses the main decoder to
> decode the name of the custom section.
> 
> In addition this CL removes the test mjsunit/regress/wasm/regress-789952.
> This test defined an invalid WebAssembly module and expected it to
> compile. As it is a regression test, it makes no sense to fix the test.
> The module is invalid because it defines the length of the custom section
> to be '0', so there are no bytes in the custom section for its name.
> 
> R=​clemensb@chromium.org
> CC=​thibaudm@chromium.org
> 
> Bug: v8:10126
> Change-Id: I8cfc77c9a5916570d5362d5922e0179a29774da8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2041446
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#66348}

TBR=ahaas@chromium.org,clemensb@chromium.org

Change-Id: I5a7ea265ce47b9e685a5056bb83db6dc58f774a9
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:10126
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2065168
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66356}
2020-02-19 21:38:28 +00:00
Andreas Haas
03d5a7ba9b [wasm] The name of a custom section can cause a validation error
The WebAssembly spec defines that the name of a custom section can cause
a validation error. The streaming decoder, however, used a separate
Decoder object to decode the name, and thereby avoided a validation
error. With this CL the streaming decoder uses the main decoder to
decode the name of the custom section.

In addition this CL removes the test mjsunit/regress/wasm/regress-789952.
This test defined an invalid WebAssembly module and expected it to
compile. As it is a regression test, it makes no sense to fix the test.
The module is invalid because it defines the length of the custom section
to be '0', so there are no bytes in the custom section for its name.

R=clemensb@chromium.org
CC=thibaudm@chromium.org

Bug: v8:10126
Change-Id: I8cfc77c9a5916570d5362d5922e0179a29774da8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2041446
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66348}
2020-02-19 18:39:25 +00:00
Gus Caplan
b12ba06edf [builtins] stop using imprecise fdlibm pow
This CL reinstates the old pow implementation which calls out to the
system implementation of pow.

Bug: v8:9622
Change-Id: I3df997888ced3fb8b5bd4b810098e967649aaa55
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1774898
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66303}
2020-02-18 09:09:38 +00:00
Thibaud Michaud
80c7ab4d77 [wasm] Fix streaming compilation prefix hash
The previous code was relying on {compilation_unit_builder_} to check if
a section was after or before the code section. This only works for the
first section after code section, since the compilation unit builder is
then reset. Use an additional field to track this instead.

R=clemensb@chromium.org

Bug: chromium:1051912
Change-Id: Id1dfa803ecde2cf77f206ea781c007fc61168942
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2054099
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66265}
2020-02-13 20:53:17 +00:00
Jakob Gruber
04c868c1ac Add test skips for deopt_fuzzer
These tests rely on predictable opt & deopt timings. Also add the
--opt flag to tests to force optimization even in configurations that
contain the --no-opt flag.

Bug: v8:9972,chromium:1049982
Change-Id: Ic161d188ebfae9aaae6a160d365413abedfee5f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2050402
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66231}
2020-02-12 08:41:54 +00:00
Jakob Gruber
099de337fe [gasm] Fix deopt frame state in Array.p.reduce and reduceRight
This fixes a bug in lazy deopts caused by calls to the callback function
in Array.prototype.reduce and reduceRight.

The deopt continuation expects the *next* iteration's index value but
we actually passed the current iteration's value.

The user-visible effect of this bug was that sometimes, an unexpected
additional call to the callback function would occur.

It was introduced by https://crrev.com/c/1934329.

Bug: v8:9972,chromium:1049982
Change-Id: Icfd2ef076209e20602f54d4662220e1d4c5d07ee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2049850
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66226}
2020-02-11 16:38:33 +00:00
Clemens Backes
0e2e50dd5b [liftoff][ia32] Fix AtomicStore register spilling
If we need a byte register, but {src} is none, we should definitely use
another register.

R=ahaas@chromium.org

Bug: chromium:1048241
Fixed: chromium:1048241
Change-Id: I3396826986e1823250ad6855b84f4b05faaf3b90
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2036073
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66095}
2020-02-04 09:39:54 +00:00
Leszek Swirski
6abbfe2736 [ast] Flatten Wasm function names
Factory::NewFunction now requires names passed into it to be flat.
Make sure to flatten Wasm function names when creating new Wasm JS
functions.

Fixes: chromium:1047368
Change-Id: I7bd2d8bc83ae8fab901ab469872bce0f703fc3ec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2030738
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66064}
2020-01-31 11:25:45 +00:00
Clemens Backes
d8bb229df0 [Liftoff] Clean up implementation of AtomicStore
As discussed offline, the current implementation implement each
situation separately. I think we can simplify the code a lot by sharing
code between the different paths.
This CL does that by
1) implementing the kI64Store case separately, because it does not have
   all the register contraints that the others have, and
2) moving all logic to ensure that the {src} register is usable before
   the switch, such that it's shared by all the compare-exchange cases.

As a side produce, this also fixes issue 1045225, because for i64 stores
which actually only use the lower half of {src}, only that half will be
pinned.

R=ahaas@chromium.org

Bug: chromium:1045225, v8:10108
Change-Id: I0be025b9706d563835ae6337d45b88e0233eacad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2029414
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66062}
2020-01-31 08:54:44 +00:00
Andreas Haas
8ff14f5b36 [wasm] Type check brtable if it's not unreachable
There was a bug in the function body decoder where
type checking of brtable only happened if the brtable
instruction is reachable. However, type checking is
required in all cases where brtable "not unreachable".
The difference between reachable and "not unreachable"
is a state called spec-reachable where a clever
compiler can already infer that the code will be
unreachable (e.g. a memory access is out of bounds
just by the offset and therefore unconditionally
traps), but the spec can not. If an instruction is
only spec-reachable, it still has to be type checked.

R=clemensb@chromium.org
FIX=chromium:1046472

Change-Id: I7e9f1108597871615c0d443a0e94de35a0207b5e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2027990
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66049}
2020-01-30 13:46:15 +00:00
Jakob Kummerow
efaa34b5e5 Fix one more LookupIterator
Copying one object's named properties is always fine, even if one of
the names could be a large index on a TypedArray. Mark the LookupIterator
as OWN_SKIP_INTERCEPTOR to avoid the DCHECK.

Bug: chromium:1044909
Change-Id: I6918186a4b50df7865de3572cb674fd7d6eadb78
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2023558
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66027}
2020-01-29 16:49:50 +00:00
Igor Sheludko
68cc5c6796 [builtins] Fix FastCreateDataProperty
... which didn't check writability of array length on appending
a new element to an array.

Bug: chromium:1041251
Change-Id: I6935e505a4844e5b22abe9d4a42786619499daa6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2023551
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66023}
2020-01-29 12:25:03 +00:00
Georg Neis
e395871fdb [runtime] Don't invalidate property cell when it becomes read-only
The compiler assumes (for loads) that the property cell of a
non-configurable global property never gets invalidated.

Bug: chromium:1044919
Change-Id: I27f6ce30fb9a21e2c1e5310f25e9bb973ebbc266
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2023562
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66021}
2020-01-29 11:06:42 +00:00
Jakob Kummerow
2d10033fba Fix ArrayLengthSetter for suddenly frozen elements
Converting an object to an array length can freeze the array whose
length is being set, but SetLength for the frozen elements accessor
is supposedly unreachable. This fix extends the existing special
handling for suddenly-readonly lengths to cover this case as well.
Prior art: https://codereview.chromium.org/2543553002

Bug: chromium:1044911
Change-Id: I85d2e79446a8d9c1d22cd86ddf828328bf51a1a1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2023555
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66020}
2020-01-29 10:52:52 +00:00
Andreas Haas
82b78191ef [wasm][liftoff] Zero-extend result of atomic.add
R=clemensb@chromium.org

Fix: chromium:1045737
Change-Id: I0e27b8ff6ab09078a2f63f955e6123e1003ed889
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2020768
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65998}
2020-01-27 14:02:35 +00:00
Deepti Gandluri
3390e57553 Remove "--wasm-disable-structured-cloning" flag
Bug: v8:10021
Change-Id: I23a693064c44cd620a874787bcc00cb42bc5874f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1999158
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65933}
2020-01-22 22:24:19 +00:00
Jakob Kummerow
3bff8fa5ea [64bit] Bump TypedArray max length to 2**32-1 elements
The actual allocatable size still depends on the allocator;
in particular Blink's ArrayBufferAllocator is currently limited
to 2GB.
WebAssembly memories are not affected by this change (i.e. still
capped at 2GB as well).

For 32-bit platforms, the limit remains at 2**30-1 (=max smi) elements.

Bug: v8:4153
Change-Id: If0d6047dd4061028688d85a3dc0a2684dcca8693
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2007495
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65924}
2020-01-22 17:42:26 +00:00
Bill Ticehurst
99641cb424 Fix native stacks flag for pointer compression
The interpreted-frames-native-stack flag has been broken since pointer
compression was enabled. This fixes the load of the field.

Bug: v8:10138
Change-Id: I746407a7a5680c5d3e9a3b190371af00818282b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2011206
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65878}
2020-01-21 09:40:57 +00:00
Emanuel Ziegler
18e9cece40 [asm.js] Force -0 to be double
This adjusts parsing of negative numbers in UnaryExpression and
MultiplicativeExpression to return double if the token is -0.

R=clemensb@chromium.org
TEST=mjsunit/regress/regress-6838-4
BUG=v8:6838

Change-Id: I6c2113b520c3831f4a5101f0a963f49c1eb9d7d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2007272
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Emanuel Ziegler <ecmziegler@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65862}
2020-01-20 11:50:31 +00:00
Jakob Gruber
aedc824a9e [regexp] Fix CP advancement in all SKIP_* bytecodes
The advance-by parameter can contain negative numbers, but until this
CL was treated as unsigned.

Bug: v8:10072,v8:9330
Change-Id: Ib9a9c2d47ba71fa819e89502d14871af6dfc9693
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2002543
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65809}
2020-01-16 13:10:34 +00:00
Jakob Kummerow
8364fc74be [test] Proper OOM handling for multi-mapped mock allocator
When reserving the requested virtual memory fails (due to address space
exhaustion), simply return nullptr to indicate allocation failure, which
callers must be prepared to handle anyway. That way, ClusterFuzz will
correctly classify OOM situations.
Bonus change: skip demo test on simulators to save time.
Drive-by cleanup: add a 'simulator_run' section to mjsunit.status

Bug: chromium:1042151,chromium:1042173
Change-Id: I8569f3c0d2a681fbf6f91b665dcb88a4ac3b901e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2002391
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65785}
2020-01-15 12:11:33 +00:00
Shu-yu Guo
0bc9e52faa Add missing test for optional chains with undefined receiver
Bug: chromium:1038178
Change-Id: I0c96015817b226368479bf8a384a654e6ed22969
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1987914
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65766}
2020-01-14 20:11:57 +00:00
Clemens Backes
3e8407cef1 Add --perf-prof-delete-file flag
Tests which set the --perf-prof flag leave behind a file in the current
working directory every time they execute.
In order to avoid this, this CL introduces a --perf-prof-delete-file
flag, which removes this file right after creating it. This still allows
the process to write to it via the open handle, but the file will be
gone afterwards, even if the process crashes or gets killed while
executing.

R=ahaas@chromium.org

Bug: v8:10121
Change-Id: I99b159bb6d94255f77095ac78d98ba55106e94fc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000738
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65759}
2020-01-14 15:41:47 +00:00
Leszek Swirski
a85d74a36b [parser] Fix cache scope recursion for with
The fix in https://crrev.com/c/1997135 didn't properly recurse the cache
scope after a with scope, passing the current scope rather than the
original cache scope up the recursion. Now the "use external cache" check
is done in LookupWith (and, analogously, LookupSloppyEval) while passing
the given cache scope through the Lookup recursion.

Fixed: chromium:1041210
Fixed: chromium:1041616
Change-Id: I5ac9ddc6c16d63b59aa034721fccec2f7781c4f8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000133
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65754}
2020-01-14 13:57:47 +00:00
Jakob Kummerow
356470b043 [test] Make Multi-Mapped Mock Allocator threadsafe
TSan complains in "isolates" tests otherwise. Also further reduce
virtual memory requirements of the sample test to address flaky
allocation failures on 32-bit platforms.

Change-Id: I26c9a59965009d7083876b4ff4836ee879d33350
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000138
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65750}
2020-01-14 12:20:37 +00:00
Maya Lekova
2f820780da Revert "[parser] Fix caching dynamic vars on wrong scope"
This reverts commit 304e97d334.

Reason for revert: Last roll is failing - https://ci.chromium.org/p/chromium/builders/try/linux-rel/282356

Original change's description:
> [parser] Fix caching dynamic vars on wrong scope
> 
> When looking up a variable in a deserialized WITH scope, we were
> unconditionally passing in the cache scope to the lookup, even if the
> with was inside the cache scope. This would lead to and outer scope of
> the with holding the generated dynamic variable. If the cache scope was
> the SCRIPT scope, the dynamic variable would be interpreted as a global
> object property.
> 
> Now, we only store the WITH scope dynamic variables in the cache scope
> if it is an inner scope of the WITH scope, same as we do for 'normal'
> scope lookups.
> 
> Fixed: chromium:1041210
> Change-Id: I4e8eb25bbb8ea58311355d13a9c7c97bf2fa3ec7
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1997135
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Auto-Submit: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#65732}

TBR=leszeks@chromium.org,verwaest@chromium.org

Change-Id: I7b6d77d03b603152a9a47541db466934f46b1176
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000140
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65747}
2020-01-14 10:59:06 +00:00
Jakob Kummerow
bd51a5ea47 [test] Fix Multi-Mapped Mock Allocator
Rather than explicitly requesting MAP_HUGETLB mappings, which requires
kernel configuration, we should rely on the "Transparent Hugepages"
feature, where eligible allocation requests are automatically fulfilled
with huge page mappings.

Bug: chromium:1041232
Change-Id: I5263da7a23290316aa7b99e63881ca88e65b4e34
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1997442
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65741}
2020-01-13 19:44:26 +00:00
Leszek Swirski
304e97d334 [parser] Fix caching dynamic vars on wrong scope
When looking up a variable in a deserialized WITH scope, we were
unconditionally passing in the cache scope to the lookup, even if the
with was inside the cache scope. This would lead to and outer scope of
the with holding the generated dynamic variable. If the cache scope was
the SCRIPT scope, the dynamic variable would be interpreted as a global
object property.

Now, we only store the WITH scope dynamic variables in the cache scope
if it is an inner scope of the WITH scope, same as we do for 'normal'
scope lookups.

Fixed: chromium:1041210
Change-Id: I4e8eb25bbb8ea58311355d13a9c7c97bf2fa3ec7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1997135
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65732}
2020-01-13 15:06:15 +00:00
Jakob Kummerow
ee04007976 [test] Clean up "ALWAYS" section of mjsunit.status
This patch contains real changes affecting the following tests:
- regress-1119: Bogus test, was failing justifiedly. Dropped.
- regress-crbug-9161: Was accidentally disabled everywhere. Re-enabled
                      for ASan (as the comment promised).
- regress-crbug-160010: Throws "invalid string length" on all platforms.
                        Was disabled everywhere. Dropped.
- regress-crbug-514081: Test was previously changed to use 2MB instead
                        of 2GB. Re-enabled variants.

Additionally, it reorders a bunch of definitions:
- Introduced separate sections for "mode == debug" and "no_i18n" to make
  the "ALWAYS" section cleaner.
- Sorted various "slow tests", "open bugs", and "no_variants" definitions
  into groups.
- Simplified long "arch == x or arch == y" sequences to "arch in (x, y)".

Bug: v8:10021
Change-Id: Ibe404ae400011196473cf082a4706ddbef7c8349
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1995390
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65718}
2020-01-13 10:30:15 +00:00
Jakob Kummerow
b9439f7a81 [cleanup][test] Drop outdated regression test
The regression test for crbug.com/976627 was:
(1) silently failing on all platforms,
(2) very brittle, baking in several internal limits,
(3) highly specific for one particular place in the code,
(4) when fixed, very slow: 6 seconds on x64.release.

For all these reasons, it is herewith dropped.

Bug: v8:10021
Change-Id: Ic144f6bfcca0c301f3aca7840edbdc43f34a77fc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1993975
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65715}
2020-01-13 07:14:05 +00:00
Joshua Litt
d8fe5b9d09 Reland "Reland "Reland "[promises] Port Promise.race to Torque."""
This reverts commit e5e8685c15.

Bug: v8:9838
Change-Id: I3e45479a2470cb7891b39ac6f7d08404115aa7d5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1991954
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65692}
2020-01-10 13:37:50 +00:00
Jakob Kummerow
7b6de8381e [verify-heap] Move verification to Heap::StartTearDown
When Heap::TearDown is called, parts of the Isolate are already gone
(specifically: Managed<> objects, which includes Wasm NativeModules).
Since heap verification can depend on these parts (e.g. to find Code
objects belonging to current activations on the stack), we should do
it before tearing down things. Heap::StartTearDown is a suitable way
to achieve that.

Bug: v8:9209
Change-Id: I44094b19e16a4f372eb14ab363d8b4a65182f38a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1993968
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65684}
2020-01-10 12:06:01 +00:00
Jakob Kummerow
cfc4bba0a0 [test][wasm] Allow testing of huge memories
This patch maintains the previous default value of the flag controlling
the max size of Wasm memories, but allows the limit to be raised on the
command line.
Bonus content: improve the multi-mapped mock allocator by falling back
to regular allocation for small requests.
More bonus content: make debug-mode Wasm tests faster.

Bug: v8:6306
Change-Id: Idabae5734794b06e65d45b3a6165dbd488847f3f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1981157
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65681}
2020-01-10 11:20:59 +00:00
Jakob Kummerow
0445fa2971 [lookup] Refactor LookupIterator "property or element" creation
This CL factors out the decision-making logic whether a property key should
be treated as a "property" or "element" into LookupIterator::Key, which can
be constructed on its own, allowing use sites to take this distinction into
account before constructing a LookupIterator from the Key, without needing
to duplicate the logic.
This also makes the assortment of LookupIterator constructors more uniform.

Bug: chromium:1031175
Change-Id: I81d7b11ab7e4915f5c05668138e6e0c51ae11821
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1962272
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65672}
2020-01-09 18:39:11 +00:00
Andreas Haas
bc9db9f54f [wasm] Leave Global constructor on error
In the WebAssembly.Global constructor we continued to execute even after
the JavaScript code in the descriptor.mutable getter threw an exception.
This caused a problem when the descriptor.value getter was executed even
though there was a scheduled exception.

R=jkummerow@chromium.org

Bug: chromium:1033948
Change-Id: Idac554175fe45ec677447b793db069eb6de543b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1993283
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65669}
2020-01-09 17:51:12 +00:00
Clemens Backes
816ea12124 [wasm] Adjust flags after changed implications
This is a cleanup to remove unneeded flags after these changes (in
https://crrev.com/c/1988548):
* --future does not imply --wasm-tier-up any more, and
* --wasm-tier-up does not imply --liftoff any more.

Instead, now
* --wasm-tier-up is enabled by default,
* --wasm-tier-up has no effect if --liftoff is not set, and
* --future implies --liftoff.

R=ahaas@chromium.org

Bug: chromium:1040061
Change-Id: I5d04ee1f1d84ddcd0654df0e0a4c6298f80aee9e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1993280
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65666}
2020-01-09 16:55:42 +00:00
Mythri A
36cb5f4b90 [turbofan] Allow handle deferences when compiling non concurrently
When FLAG_noconcurrent_recompilation is turned on we always run on main
thread. So it is safe to derefernce handles when printing the turbofan
graph. We should only add a DCHECK when dereferencing read-only heap
objects when optimizing concurrently.

Bug: chromium:1040444,chromium:1040403
Change-Id: I6bde966690458b1d122611b02e713c581c87f534
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1992433
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65659}
2020-01-09 12:54:51 +00:00
Dan Elphick
c8ab41eb59 [parser] Force stable order for variables
When parsing an arrowhead, it's possible for temporary variables to be
created with a different index depending on whether the parsing is lazy
or eager. This then results in bytecode mismatches as the index is used
to determine which register to use.

To make the ordering stable, this changes variable allocation in arrow
functions to always allocate the non-temporaries first and then the
temporaries.

Bug: chromium:1020162
Change-Id: Ia47c4c2916d63f12d20d663e4e3842bfd68f6d8e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1977865
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65657}
2020-01-09 10:25:31 +00:00
Joshua Litt
e5e8685c15 Revert "Reland "Reland "[promises] Port Promise.race to Torque."""
This reverts commit d6556fbd9d.

Reason for revert: ugh, accidentally submitted this

Original change's description:
> Reland "Reland "[promises] Port Promise.race to Torque.""
> 
> This reverts commit 2225d24233.
> 
> Reason for revert: clusterfuzz fixed
> 
> Original change's description:
> > Revert "Reland "[promises] Port Promise.race to Torque.""
> > 
> > This reverts commit 766aeb9966.
> > 
> > Reason for revert: clusterfuzz
> > Bug: chromium:1040238
> > 
> > Original change's description:
> > > Reland "[promises] Port Promise.race to Torque."
> > >
> > > Fixes clusterfuzz bug.
> > >
> > > This is a reland of 15ec4a09d3
> > >
> > > Original change's description:
> > > > [promises] Port Promise.race to Torque.
> > > >
> > > > Bug: v8:9838
> > > > Change-Id: Iee3bcaa3a7149309c01d16be67d189ccc56bd0e8
> > > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1965919
> > > > Commit-Queue: Joshua Litt <joshualitt@chromium.org>
> > > > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > > > Cr-Commit-Position: refs/heads/master@{#65562}
> > >
> > > Bug: v8:9838
> > > Change-Id: Id295a12023195511289d92517936733ab22cdf4b
> > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1988542
> > > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > > Commit-Queue: Joshua Litt <joshualitt@chromium.org>
> > > Cr-Commit-Position: refs/heads/master@{#65613}
> > 
> > TBR=jgruber@chromium.org,tebbi@chromium.org,joshualitt@chromium.org
> > 
> > 
> > Bug: v8:9838
> > Change-Id: I1d14eae04ee228806f69b489ab2d86e87fec1ae5
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1991808
> > Reviewed-by: Joshua Litt <joshualitt@chromium.org>
> > Auto-Submit: Joshua Litt <joshualitt@chromium.org>
> > Commit-Queue: Joshua Litt <joshualitt@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#65649}
> 
> TBR=jgruber@chromium.org,tebbi@chromium.org,joshualitt@chromium.org
> 
> Change-Id: I9dda79c99070478443db1a2d8190bd27b4e990d3
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug: chromium:1040238, v8:9838
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1992605
> Reviewed-by: Joshua Litt <joshualitt@chromium.org>
> Commit-Queue: Joshua Litt <joshualitt@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#65650}

TBR=jgruber@chromium.org,tebbi@chromium.org,joshualitt@chromium.org

Change-Id: I8cf8909e4e4d9ec59fd80eaa6804a8421b0626a6
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:1040238, v8:9838
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1992606
Reviewed-by: Joshua Litt <joshualitt@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65651}
2020-01-08 23:23:45 +00:00
Joshua Litt
d6556fbd9d Reland "Reland "[promises] Port Promise.race to Torque.""
This reverts commit 2225d24233.

Reason for revert: clusterfuzz fixed

Original change's description:
> Revert "Reland "[promises] Port Promise.race to Torque.""
> 
> This reverts commit 766aeb9966.
> 
> Reason for revert: clusterfuzz
> Bug: chromium:1040238
> 
> Original change's description:
> > Reland "[promises] Port Promise.race to Torque."
> >
> > Fixes clusterfuzz bug.
> >
> > This is a reland of 15ec4a09d3
> >
> > Original change's description:
> > > [promises] Port Promise.race to Torque.
> > >
> > > Bug: v8:9838
> > > Change-Id: Iee3bcaa3a7149309c01d16be67d189ccc56bd0e8
> > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1965919
> > > Commit-Queue: Joshua Litt <joshualitt@chromium.org>
> > > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > > Cr-Commit-Position: refs/heads/master@{#65562}
> >
> > Bug: v8:9838
> > Change-Id: Id295a12023195511289d92517936733ab22cdf4b
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1988542
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Commit-Queue: Joshua Litt <joshualitt@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#65613}
> 
> TBR=jgruber@chromium.org,tebbi@chromium.org,joshualitt@chromium.org
> 
> 
> Bug: v8:9838
> Change-Id: I1d14eae04ee228806f69b489ab2d86e87fec1ae5
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1991808
> Reviewed-by: Joshua Litt <joshualitt@chromium.org>
> Auto-Submit: Joshua Litt <joshualitt@chromium.org>
> Commit-Queue: Joshua Litt <joshualitt@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#65649}

TBR=jgruber@chromium.org,tebbi@chromium.org,joshualitt@chromium.org

Change-Id: I9dda79c99070478443db1a2d8190bd27b4e990d3
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:1040238, v8:9838
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1992605
Reviewed-by: Joshua Litt <joshualitt@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65650}
2020-01-08 23:22:42 +00:00
Joshua Litt
2225d24233 Revert "Reland "[promises] Port Promise.race to Torque.""
This reverts commit 766aeb9966.

Reason for revert: clusterfuzz
Bug: chromium:1040238

Original change's description:
> Reland "[promises] Port Promise.race to Torque."
>
> Fixes clusterfuzz bug.
>
> This is a reland of 15ec4a09d3
>
> Original change's description:
> > [promises] Port Promise.race to Torque.
> >
> > Bug: v8:9838
> > Change-Id: Iee3bcaa3a7149309c01d16be67d189ccc56bd0e8
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1965919
> > Commit-Queue: Joshua Litt <joshualitt@chromium.org>
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#65562}
>
> Bug: v8:9838
> Change-Id: Id295a12023195511289d92517936733ab22cdf4b
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1988542
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Joshua Litt <joshualitt@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#65613}

TBR=jgruber@chromium.org,tebbi@chromium.org,joshualitt@chromium.org


Bug: v8:9838
Change-Id: I1d14eae04ee228806f69b489ab2d86e87fec1ae5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1991808
Reviewed-by: Joshua Litt <joshualitt@chromium.org>
Auto-Submit: Joshua Litt <joshualitt@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65649}
2020-01-08 23:19:41 +00:00
Nico Hartmann
947142734a Fixes lost TypeError for BigInts
The optimized code for String.charCodeAt(BigInt.asUintN(64, 10n)) did
not throw a TypeError due to how lowering of CheckBounds triggers
RepresentationChanger.

Bug: chromium:1038573
Change-Id: Ie0f9ca95de5af5fd3701841ab169e11ccc77216c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1986003
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65632}
2020-01-08 13:41:15 +00:00
Joshua Litt
766aeb9966 Reland "[promises] Port Promise.race to Torque."
Fixes clusterfuzz bug.

This is a reland of 15ec4a09d3

Original change's description:
> [promises] Port Promise.race to Torque.
>
> Bug: v8:9838
> Change-Id: Iee3bcaa3a7149309c01d16be67d189ccc56bd0e8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1965919
> Commit-Queue: Joshua Litt <joshualitt@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#65562}

Bug: v8:9838
Change-Id: Id295a12023195511289d92517936733ab22cdf4b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1988542
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65613}
2020-01-07 17:46:15 +00:00