--fuzzer-gc-analysis prints allocations count without need for
predictable mode.
--random_gc_interval is similar to --gc-interval with 2 differences:
1) Causes gc every random(0, X) allocations instead of constant X.
2) Doesn't update the allocation timeout when there is a GC for a
reason other than the timeout being equal to 0.
Bug: v8:6972
Change-Id: I07ad935fc264a61069255c7358b4fcbe42bfb17a
Reviewed-on: https://chromium-review.googlesource.com/815214
Commit-Queue: Michał Majewski <majeski@google.com>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50456}
This reverts commit bf4cc9ee15.
Reason for revert: Breaks windows with msvc and linux with gcc
https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20msvc/builds/841
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20gcc%204.8/builds/17265
Original change's description:
> [esnext] load `iterator.next` only once at beginning of iteration
>
> https://github.com/tc39/ecma262/pull/988 gained consensus during the
> September 2017 TC39 meetings. This moves the load of the "next" method
> to the very beginning of the iteration protocol, rather than during
> each iteration step.
>
> This impacts:
>
> - yield*
> - for-of loops
> - spread arguments
> - array spreads
>
> In the v8 implementation, this also affects async iteration versions of
> these things (the sole exception being the Async-From-Sync iterator,
> which requires a few more changes to work with this, likely done in a
> followup patch).
>
> This change introduces a new AST node, ResolvedProperty, which can be used
> as a callee by Call nodes to produce the same bytecode as Property calls,
> without observably re-loading the property. This is used in several
> AST-desugarings involving the iteration protocol.
>
> BUG=v8:6861, v8:5699
> R=rmcilroy@chromium.org, neis@chromium.org, adamk@chromium.org
>
> Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
> Change-Id: Ib81106a0182687fc5efea0bc32302ad06376773b
> Reviewed-on: https://chromium-review.googlesource.com/687997
> Commit-Queue: Caitlin Potter <caitp@igalia.com>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50452}
TBR=rmcilroy@chromium.org,adamk@chromium.org,neis@chromium.org,caitp@igalia.com,caitp@chromium.org
Change-Id: I1797c0d596dfd6850d6f0f505f591a7a990dd1f1
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6861, v8:5699
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/857616
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50454}
--stress-marking and --stress-scavenge flags with the value
greater than 0 enable additional tracking, allocation observers etc.
--fuzzer-analysis switches --stress-* flags into analysis mode,
which means that all allocation observers and additional checks
are still executed, but GC is not influenced by them. It also
provides analysis information needed by the fuzzer on the stdout.
Bug: v8:6972
Change-Id: I5ac45adb311441d57d5b951aeec036e689930e9f
Reviewed-on: https://chromium-review.googlesource.com/814536
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michał Majewski <majeski@google.com>
Cr-Commit-Position: refs/heads/master@{#50453}
https://github.com/tc39/ecma262/pull/988 gained consensus during the
September 2017 TC39 meetings. This moves the load of the "next" method
to the very beginning of the iteration protocol, rather than during
each iteration step.
This impacts:
- yield*
- for-of loops
- spread arguments
- array spreads
In the v8 implementation, this also affects async iteration versions of
these things (the sole exception being the Async-From-Sync iterator,
which requires a few more changes to work with this, likely done in a
followup patch).
This change introduces a new AST node, ResolvedProperty, which can be used
as a callee by Call nodes to produce the same bytecode as Property calls,
without observably re-loading the property. This is used in several
AST-desugarings involving the iteration protocol.
BUG=v8:6861, v8:5699
R=rmcilroy@chromium.org, neis@chromium.org, adamk@chromium.org
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Ib81106a0182687fc5efea0bc32302ad06376773b
Reviewed-on: https://chromium-review.googlesource.com/687997
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50452}
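The change above moves the load of `next` to the start of iteration, so a mid-iteration swap of the method is no longer observable from built-in forms. As an added example (not V8's own code), the JavaScript below puts a Proxy on an iterator to count how often each of the four affected forms reads `next`, beside a hand-written loop that reloads it on every step; in any engine implementing the current spec the built-in forms read it exactly once.

```javascript
// Added example, not V8 code: observe how often the language reads the
// `next` method of an iterator. A Proxy on the iterator object records every
// [[Get]] of "next"; the iterator itself counts how often next() is invoked.
function makeCountingIterable(values) {
  const stats = { nextReads: 0, nextCalls: 0 };
  let i = 0;
  const iterator = {
    next() {
      stats.nextCalls++;
      return i < values.length
        ? { value: values[i++], done: false }
        : { value: undefined, done: true };
    },
  };
  const proxied = new Proxy(iterator, {
    get(target, prop, receiver) {
      if (prop === "next") stats.nextReads++;
      return Reflect.get(target, prop, receiver);
    },
  });
  // The iterable hands out the proxied iterator, so every property access
  // the iteration protocol performs on the iterator goes through the trap.
  const iterable = { [Symbol.iterator]: () => proxied };
  return { iterable, stats };
}

// The four forms named in the commit message. Each returns the values seen
// plus the counters captured after iteration finished.
function forOf(values) {
  const { iterable, stats } = makeCountingIterable(values);
  const out = [];
  for (const v of iterable) out.push(v);
  return { out, ...stats };
}

function arraySpread(values) {
  const { iterable, stats } = makeCountingIterable(values);
  return { out: [...iterable], ...stats };
}

function spreadArguments(values) {
  const { iterable, stats } = makeCountingIterable(values);
  const collect = (...args) => args;
  return { out: collect(...iterable), ...stats };
}

function yieldStar(values) {
  const { iterable, stats } = makeCountingIterable(values);
  function* delegate() { yield* iterable; }
  return { out: Array.from(delegate()), ...stats };
}

// A hand-written loop shows the pre-change behaviour: `next` is looked up
// again on every step, so a redefinition of next() mid-loop would be seen.
function manualLoop(values) {
  const { iterable, stats } = makeCountingIterable(values);
  const it = iterable[Symbol.iterator]();
  const out = [];
  for (;;) {
    const r = it.next(); // reloads `next` each step
    if (r.done) break;
    out.push(r.value);
  }
  return { out, ...stats };
}
```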
This switches the source positions consumed by {WasmFunctionBuilder} to
have type {size_t} instead of {int}. All checks for accidental loss due
to overflow in static casts can now be moved into one place.
R=clemensh@chromium.org
Change-Id: Id0b0da5fe799eac794c9d610c4c4c9a72a587b3f
Reviewed-on: https://chromium-review.googlesource.com/857196
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50449}
In Liftoff, we want to trace the cache state basically before or after
processing each instruction. Instead of duplicating this code
everywhere, introduce a new interface method {NextInstruction}, which
is called before each instruction.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: Iea61738d200076690a8440a75a2fd90018efa43b
Reviewed-on: https://chromium-review.googlesource.com/852457
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50447}
This is a reland of f22156bf37.
Original change's description:
> [Liftoff] Rename kConstant to kI32Const
>
> This makes it more clear that we only store i32 values as constants in
> the cache state.
>
> R=ahaas@chromium.org
>
> Bug: v8:6600
> Change-Id: I3022e963e864c9c533cbb673bd8502481389799b
> Reviewed-on: https://chromium-review.googlesource.com/853870
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50437}
Bug: v8:6600
Change-Id: I4c28f379eab525a0c86866c39b2e6b55f7c5ab1a
Reviewed-on: https://chromium-review.googlesource.com/857017
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50446}
We were trying to disassemble the whole body of a function, including
safepoints and the constant pool. This led to DCHECK errors on mips.
This CL fixes that, and adds printing of source positions.
It also fixes the output of instructions size to only contain the
instructions for both on-the-heap and off-the-heap code.
R=titzer@chromium.org
Bug: chromium:800233
Change-Id: Idb15a779680af7997eb78aea2a329189b684d53e
Reviewed-on: https://chromium-review.googlesource.com/856458
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50444}
Loop headers contain a stack check in wasm, hence an exception can be
thrown at the position of the loop instruction. This means that for
asm.js, we need to store a source position for each loop instruction.
R=mstarzinger@chromium.org
Bug: chromium:799690
Change-Id: I129abef11461992e2f10af8e6afc28ce1cf83341
Reviewed-on: https://chromium-review.googlesource.com/856338
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50443}
In d8 a script is executed in a RealmScope. However, all micro task
which are created by the script are not executed within the RealmScope
at the moment. With this CL I move the execution of the micro task into
the RealmScope.
I thought about creating a new RealmScope for the micro tasks, but
(1) It did not fix the crashing repro;
(2) It seems wrong that the micro tasks are executed in a different
realm than the script;
Therefore I just moved the execution of the micro tasks into the
RealmScope of the script.
Thereby I moved the execution tasks also into the Context::Scope of the
script. The problem is that the Context::Scope surrounds the RealmScope,
and when I open the RealmScope before the Context::Scope, not even
the execution of the script works anymore.
R=yangguo@chromium.org
Bug: chromium:797846
Change-Id: If152af282beec8f0b0564dcc9682fee8588e142c
Reviewed-on: https://chromium-review.googlesource.com/856497
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50442}
This adds support for i32.eqz, i32.clz, and i32.ctz.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: I0dd7c14cf98b68463edae7de3ced9a9d1f82de44
Reviewed-on: https://chromium-review.googlesource.com/852456
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50441}
- Remove unused deoptimization reasons.
- Replace most uses of kNoReason with an actual reason (some are new).
- Rename kNoReason to kUnknown.
Bug:
Change-Id: Ia8df54fca0f0f4885ef0c3523ce8f67b557a635d
Reviewed-on: https://chromium-review.googlesource.com/839421
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50440}
This reverts commit f22156bf37.
Reason for revert: Lots of compile errors. Try bots sloppy??
Original change's description:
> [Liftoff] Rename kConstant to kI32Const
>
> This makes it more clear that we only store i32 values as constants in
> the cache state.
>
> R=ahaas@chromium.org
>
> Bug: v8:6600
> Change-Id: I3022e963e864c9c533cbb673bd8502481389799b
> Reviewed-on: https://chromium-review.googlesource.com/853870
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50437}
TBR=ahaas@chromium.org,clemensh@chromium.org
Change-Id: I6e224d4aa03ff18d6d55e9f8d4726fac711c7665
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6600
Reviewed-on: https://chromium-review.googlesource.com/857016
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50438}
This makes it more clear that we only store i32 values as constants in
the cache state.
R=ahaas@chromium.org
Bug: v8:6600
Change-Id: I3022e963e864c9c533cbb673bd8502481389799b
Reviewed-on: https://chromium-review.googlesource.com/853870
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50437}
The checked node and used node were mismatched. It checked if
"var_unique" is a string, but it used "key" which may not be a string.
Bug: v8:4911, v8:7161, chromium:800077
Change-Id: Ia2aee8b77ac33500430365a4800bf9cca40a28fc
Reviewed-on: https://chromium-review.googlesource.com/855138
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50435}
This CL simply moves the implementation classes for WASM native
module serialization into the CC file and simplifies them a bit.
R=mstarzinger@chromium.org
Bug:
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Id560d2c35eb12bdd461f5d80cb5211a2f4f51684
Reviewed-on: https://chromium-review.googlesource.com/856677
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50434}
In collaboration with Qingyan Li <qingyan.liqy@alibaba-inc.com>.
R=jgruber@chromium.org, mlippautz@chromium.org
Bug: v8:7249
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I87f62103ec5b31de274fa22ad275f1c1bcb3ed86
Reviewed-on: https://chromium-review.googlesource.com/846750
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50433}
There were two separate bugs here. First, a signed/unsigned mismatch
where we took the result of PositiveNumberToUint32 and treated it as a
signed int. Second, AdvanceStringIndex did not handle large input
values correctly.
Both are fixed by using uint64_t consistently.
Bug: chromium:799813, v8:7258
Change-Id: If2819f87986d0ca732bc24df290f6dc7614083e8
Reviewed-on: https://chromium-review.googlesource.com/854272
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50432}
Instead of calling Abort, which was failing when trying to read its
string argument as a Smi.
Change-Id: I008b8620cbb7df2a56fc5c5ea42f4d573b159f76
Reviewed-on: https://chromium-review.googlesource.com/856778
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50431}
This adds support for if blocks to Liftoff.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: Iac7f3ec6526e1259b447ab6ec794a8a1c7ae05c3
Reviewed-on: https://chromium-review.googlesource.com/853501
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50430}
Temporary workaround to avoid the same variant name for multiple
variants of the same test.
Bug: v8:6917
Change-Id: I9a25dcaf81d35da0dc2617c089cb4811c2a958cb
Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/852833
Commit-Queue: Michał Majewski <majeski@google.com>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50428}
This adds support for direct calls in Liftoff.
Drive-by: Fix / extend two tests for calls which were helpful for
developing this CL.
R=ahaas@chromium.org
Bug: v8:6600
Change-Id: I20a98d9dd330da9a020c8c9b5c10b04e94af684d
Reviewed-on: https://chromium-review.googlesource.com/847579
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50427}
This ensures that there is only one entrance point from C++ to
generated code, hence only one method has to be excluded from CFI.
It also introduces type safety by only allowing the code to be called
with the right arguments.
This CL includes minor drive-by fixes in the tests, like removing
unused dummy variables.
R=mstarzinger@chromium.org
Bug: v8:7182
Change-Id: Ied9164a2497db9e7c032324c5e082094fdffc72d
Reviewed-on: https://chromium-review.googlesource.com/852213
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50426}
Store protected instruction info needed for the wasm trap handler.
This code will be used and covered by existing tests once we add support
for if-constructs to Liftoff.
R=titzer@chromium.org
CC=eholk@chromium.org
Bug: v8:6600, v8:5277
Change-Id: I508b0ab8572ef8b5c7943564714fcec7e9eb8e3b
Reviewed-on: https://chromium-review.googlesource.com/853497
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50425}
If there is no constructor or species updates on Array or TypedArrays,
then skip lookups of constructor and species so that we can create a new
typed array quickly. This path makes TA.p.slice() 4x faster in fast
cases.
Bug: v8:7161
Change-Id: Ib8d2a3f6b8b5ed356c5822a814164166d1285f64
Reviewed-on: https://chromium-review.googlesource.com/828343
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50423}
This seems to be a merge error. The if moved down by a few lines and
now actually implements the bounds check instead of bailing out.
Taking it out revealed a bug where we were trying to access the lowest
8 bits on a register where this is not allowed on ia32, thus a few
more changes were needed in this CL.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: Ib1ef131a12df050302ae50115493a1fcd8323fe5
Reviewed-on: https://chromium-review.googlesource.com/852734
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50422}
Port fba4cdf16c
Original Commit Message:
This patch breaks out bailout reasons into two enum classes.
This helps save 3 bits on the SharedFunctionInfo as we don't have to
track the abort reasons.
R=gsathya@chromium.org, joransiu@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: Ib2b2ce10b2f1ef6380193964aa9d868168fe129a
Reviewed-on: https://chromium-review.googlesource.com/855016
Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#50419}
This is a reland of 9c79b37aa7
Original change's description:
> [wasm] use allocation tracker to track reserved address space
>
> This is a step towards falling back on bounds checks when there are too many
> guarded Wasm memories.
>
> Bug: v8:7143
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Change-Id: I01916cbdd5ddb08fe1d946ab83b801f37a8fe1c6
> Reviewed-on: https://chromium-review.googlesource.com/832944
> Commit-Queue: Eric Holk <eholk@chromium.org>
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50390}
Bug: v8:7143
Change-Id: Iaf0d22d300a3f2da22649552a17162dcf7bc608b
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/853142
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50418}
This is just a rebased version of
https://chromium-review.googlesource.com/c/v8/v8/+/571453 with
no functional changes
Bug: v8:6889
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Ia082cc09ca527505b288ac88e68e0b74eae94765
Reviewed-on: https://chromium-review.googlesource.com/849423
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50417}
This causes issues when running tools/node/fetch_deps.py on systems without
gyp as pre-installed python module. And we do not even need to do this for
building for node (with GN).
R=machenbach@chromium.org
Bug: v8:6105
Change-Id: If0089dedf176bb509b9fd000e5fe829f8a32bac6
Reviewed-on: https://chromium-review.googlesource.com/852458
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50416}
This fixes two issues with --trace-wasm-decoder and --trace-liftoff.
First, cache state tracing in liftoff only makes sense together with
--trace-wasm-decoder, so disable it otherwise.
Second, we were sometimes hitting a DCHECK with --trace-wasm-decoder on
functions which bailed out to Turbofan, since the bailout was resetting
the end pointer of the decoder to the current pc.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: Ib4e052a1cdec6389b12b4a0ea57f07c031324ed5
Reviewed-on: https://chromium-review.googlesource.com/853493
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50415}
The GetProperty CSA implementation bails out of prototype lookup when the
holder is a typed array, which is to handle integer-indexed exotic
cases. However, this strict condition made too much overhead for
searches of common names such as "constructor". This CL checks the
first character of a name, and does not bail out if we are sure that
the name cannot be a special index.
Bug: v8:4911, v8:7161
Change-Id: I2229ff3bebe14a452718e0b1f8354bb05437c09c
Reviewed-on: https://chromium-review.googlesource.com/842963
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50414}
In order to remove the CALL_GENERATED_CODE macro, it helps a lot to
unify the interfaces of the simulators and make the Call method variadic
in the number of arguments.
This CL does that for each simulator. A follow-up CL will then
completely remove the CALL_GENERATED_CODE macro and replace uses with
the (new) GeneratedCode wrapper.
R=mstarzinger@chromium.org
Bug: v8:7182
Change-Id: I1f81445ec2faba30f0bd233b022ae1f0fae4e96f
Reviewed-on: https://chromium-review.googlesource.com/850873
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50413}
Add a counter to measure the pure liftoff compile time. With background
compilation, the reported result will roughly match the cpu time, not
wall-clock time.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: I9c76673a4cbe833de5b41a23d09892f577401374
Reviewed-on: https://chromium-review.googlesource.com/853859
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50412}
And apply a minor change: the {end_offset} is currently always >= 1, and
we sometimes use {end_offset - 1}. Change this to compute the
{end_offset} to be one less than before, and use {Uint32LessThan}
instead of {Uint32LessThanOrEqual}.
This matches the documentation I added and makes reasoning about the
correctness of the checks easier (at least for me).
R=titzer@chromium.org
Change-Id: I9a18ad5c72895cbadb6593cb74d6edc24f9ab032
Reviewed-on: https://chromium-review.googlesource.com/852145
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50411}
For simplicity, we currently use the approach to do all computations
and bounds checks on 32 bit values, and only convert to pointer size
right before using the value as memory offset.
Unfortunately, there are still cases left where we use 32-bit values
for 64-bit operations, which can lead to subtle bugs.
This CL hopefully fixes the last of these bugs.
R=titzer@chromium.org
Bug: v8:7257
Change-Id: I8d340f83ad17925c0d18d4e788350ef6101786ea
Reviewed-on: https://chromium-review.googlesource.com/852299
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50409}