Check against copying around a TracedReference containing a zap value.
Bug: chromium:1322114
Change-Id: Ie97ecaf18931006516fc70be262829a267d1285c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3717323
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81293}
When a GC was requested via stack guard, we don't restart incremental
marking anymore on finding new objects but rather finish the GC cycle.
This regressed in https://crrev.com/c/3702801
Bug: v8:12985, chromium:1338071, v8:12775
Change-Id: Ie515cea6d5345ad1111a4fb9f042cffc52083453
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716486
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81291}
Bug: v8:12978
Change-Id: Ic8c73eafbd080714915268c8bcb9f2c30614b9b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3711712
Auto-Submit: Adam Klein <adamk@chromium.org>
Reviewed-by: Frank Tang <ftang@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81288}
Rolling v8/build: 7eec98d..3a562c9
Rolling v8/buildtools/linux64: git_revision:fcda46cf40422284f2e74b770da8b22f7f5d7006..git_revision:8883070fe77f9b484818e73e5892c08ca8a0fe7f
Rolling v8/buildtools/third_party/libc++abi/trunk: 2dba7d2..92ef8d4
Rolling v8/third_party/depot_tools: 9a3c4bc..39e4055
Rolling v8/tools/clang: f0cfef3..f575df1
Rolling v8/tools/luci-go: git_revision:df39938896c4603fb2a214a2430450a85d9cca81..git_revision:5d9b6ecf87cdfb928e1112d2838d26bc7ede2b48
Rolling v8/tools/luci-go: git_revision:df39938896c4603fb2a214a2430450a85d9cca81..git_revision:5d9b6ecf87cdfb928e1112d2838d26bc7ede2b48
R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com
Change-Id: I53ed1615267c094189506a11ee7cd693fb27a59a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3717722
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#81287}
ICU 71 added new enum value UNUM_APPROXIMATELY_SIGN_FIELD
need to map to "approximatelySign"
We also discover a spec bug in
https://github.com/tc39/proposal-intl-numberformat-v3/issues/99
All the parts of formatRangeToParts should have a source "shared" for
the case that start and end are the same or very close.
Bug: chromium:1336865
Change-Id: I89142479989d3d2017d8cb89194db737710c38ed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3717278
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81286}
Initial implementation for concurrent shared arrays. Current implementation exposes a `SharedArray` constructor, but its syntax might
change in the future.
Shared arrays can be shared across Isolates, have a fixed size, have no
prototype, have no constructor, and can only store primitives, shared structs and other shared arrays. With this CL shared structs are also allowed to store shared arrays.
The Backing storage for the SharedArrays is a `FixedArrayBase`. This CL introdces a new ElementKind: `SHARED_ARRAY_ELEMENTS`. The new kind should match the overall functionality of the `PACKED_SEALED_ELEMENTS` kind, but having it as standalone kind allows for easier branching in CSA and turbofan code.
Bug: v8:12547
Change-Id: I054a04624d4cf1f37bc26ae4b92b6fe33408538a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3585353
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Luis Fernando Pardo Sixtos <lpardosixtos@microsoft.com>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81285}
Creates a feature (flag): transition from Done -> Wait
schedules a timer after 30s instead of 8s.
In local benchmark, this reduces by 50% cpu time spent doing
incremental marking and sweeping.
Bug: chromium:1330940
Change-Id: Iff9121243b88d0ed87d0b921e285ece52a83eaa9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3696168
Commit-Queue: Etienne Pierre-Doray <etiennep@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81283}
This is a reland of commit 15f372afaf
Change since revert: TSan fix for tier-up budget reset.
Original change's description:
> [wasm] Fix tier-up budget tracking for recursive calls
>
> In the previous implementation, functions overwrote any budget
> decrements caused by recursive invocations of themselves, which
> could cause tier-up decisions for certain unlucky functions to
> get delayed unreasonably long.
> This patch avoids this by working with the on-instance value
> directly instead of caching it in a stack slot. That generates
> the same amount of Liftoff code as the status quo, but handles
> recursive functions properly.
> The "barista3" benchmark's peak performance improves by almost 20%.
>
> Bug: v8:12281
> Change-Id: I8b487a88da99c2d22e132f2cc72bdf36aa5f6e63
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3693710
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81249}
Bug: v8:12281,v8:12984
Change-Id: Ia6ce776848dc86617546ec514660c9a840484cb1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716479
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81281}
This merges the separate opcode name definitions from wasm-opcodes-inl.h
into the main opcode-defining macros in wasm-opcodes.h. This is simpler
(avoids a bunch of fairly complex macros) and easier to update when we
add new opcodes in the future.
The tests become obsolete because they would simply repeat the implementation.
Change-Id: Ib6421da5670079e7725659c1f4008251f8ff7aed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714244
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81280}
The tier-up check in any backwards jumps in a br_table list cause the
instance to get cached if it wasn't cached before. When the branch is
not taken, we must not rely on this caching to have happened.
This is a variant of crbug.com/1314184.
Fixed: chromium:1338075
Change-Id: Id511e98f29ec13f0a38b5595ceb4a607c58b92a4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716478
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81279}
This is likely just an issue in non-PGO builds, but it might skew
the results locally. JetStream2 seems to profit from this CL.
Change-Id: Id70030074dbabf2669fd42fb5fd9399e8692bed6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716475
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81278}
This is a reland of commit 5b9401dde4
Now also skip tests that require large amounts of virtual address space
if tsan is enabled as tsan may cause V8 to create a smaller sandbox
which is then unable to allocate the required amount of memory.
Original change's description:
> [sandbox] Also enable the sandbox outside of Chromium builds
>
> Drive-by: include the right header in sandboxed-pointer-inl.h and fix
> missing sandbox initialization in generate-bytecode-expectations.cc.
>
> Bug: v8:10391
> Change-Id: Ic39ba04b7c98eaa58ea3943189c23b297f581f5a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3630082
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81216}
Bug: v8:10391
Change-Id: I141080fdf61a77ef48b22e353e3cfbc1ff816e5a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716474
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81277}
When picking an arbitrary register for an input, prefer picking a
register that's already used as input. If there's no such register,
block the newly picked register.
Bug: v8:7700
Change-Id: I5926ae33482aa615060fef3500c1d2d6079090a4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716476
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81276}
The spec uses "v128" (not "s128") as the vector type name.
Some conversion instructions have more specific names that we used to
print, e.g. "i32x4.trunc_sat_f32x4_s" instead of "...convert...".
Bug: v8:8460
Change-Id: I4e06f452de6ce8b06670a8c5e53142c36d5e6010
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3704497
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81274}
- block regs that already contained the value
- clear the blocklists (including double) in more places
- check that a ForceAllocated reg isn't blocked yet (when allocated
at start)
Bug: v8:7700
Change-Id: I17b58ff23e0558f962a5d798a39ebb7d9b0ae634
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716470
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81273}
Previously it was implemented in api.cc, therefore requiring an additional
function call when accessing external pointer fields from embedder code with
the sandbox enabled. Now ReadExternalPointerField can be inlined.
Bug: v8:10391
Change-Id: Ia8cb2df148ac96f979fd3e22989b0ff6177abcec
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714245
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Samuel Groß <saelo@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81271}
We factor out the path-state part of branch elimination, to reuse it for
wasm path-based type optimizations. The node state becomes a template
parameter for the {ControlPathState} and
{AdvancedReducerWithControlPathState} classes.
Change-Id: I5e9811ced0b71140ec73ba26fae358ac7d56c982
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714238
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81270}
By maintaining a separate list of registers that can't be freed we can
keep track of decisions already made for a node, and avoid creating
conflicts. This can be used to avoid freeing fixed input/temporary
requirements or other assigned registers.
Bug: v8:7700
Change-Id: I3c24e0502e66714cf5f68374811741bc9f5e8b21
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714242
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81268}
This reverts commit 15f372afaf.
Reason for revert: https://crbug.com/v8/12984
Original change's description:
> [wasm] Fix tier-up budget tracking for recursive calls
>
> In the previous implementation, functions overwrote any budget
> decrements caused by recursive invocations of themselves, which
> could cause tier-up decisions for certain unlucky functions to
> get delayed unreasonably long.
> This patch avoids this by working with the on-instance value
> directly instead of caching it in a stack slot. That generates
> the same amount of Liftoff code as the status quo, but handles
> recursive functions properly.
> The "barista3" benchmark's peak performance improves by almost 20%.
>
> Bug: v8:12281
> Change-Id: I8b487a88da99c2d22e132f2cc72bdf36aa5f6e63
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3693710
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81249}
Bug: v8:12281, v8:12984
Change-Id: Ie254236785628c07ac569de16ea82a67ed5bd221
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714247
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Owners-Override: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#81267}
Maintaining an AST class just for testing constant exressions does not
seem justified. This CL changes constant expressions in mjsunit tests
to be represented with bytes, like regular expressions.
Change-Id: If5ec5f4d863176952442b1a7e2fec8a61e385971
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714237
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81266}
This is a temporary change to get more detailed crash reports for
further investigations.
Bug: chromium:1330861
Change-Id: Ifdd8d61692577dffd54d07fadb65575a5c30dcd3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3707592
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81262}
This CL removes the the usage of custom byte reversing functions from
the simulator and uses the one provided by V8 utils under:
```
src/utils/utils.h
```
Change-Id: I9a334a10d659b8a3315c34563eb3e6f84644a9e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714898
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/main@{#81261}
Port commit b84c7dbd7f
Change-Id: I80ac3498e6cd21fffeb3988fa7341668e59593f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716150
Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#81260}
Before we assumed that no exception can be thrown when specifying a
function to be used as an async hook, but that's not the case when e.g.
the object passed to createHook is a proxy trapping on property access
and the trap throws an exception.
Bug: chromium:1337629
Change-Id: I7bd7893cd274afb6e642ed18aacb9e203f7fdd96
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714233
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81258}
PopToModifiableRegister did not check the {pinned} list, so it could
return a register which was already used for another (temporary) value.
This CL fixes that, and adds a little optimization which gives more
freedom to the choice of spilling and has a chance to avoid a register
mode.
R=jkummerow@chromium.org
Bug: chromium:1337221
Change-Id: Ifc02321038713ff03e8f8e7db78dde33f70ec847
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3707287
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81255}
Previously, when embedders attempted to create ArrayBuffers backed by
memory outside the sandbox, V8 would simply crash with a failed CHECK
when converting the raw backing store pointer into a SandboxedPointer.
The new ApiCheck now provides a better error message in that case.
Bug: chromium:1218005
Change-Id: I7a1ad8cbf07fa346b1f09521850df9b18b428427
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3711882
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81254}
The original CL used Object::Set to create the result object of
WebAssembly instantiation. However, Object::Set is potentially
observable from JavaScript, and therefore required a MicrotasksScope.
This CL replaces the use of Object::Set with Object::CreateDataProperty.
Original message:
This CL switches resolving and rejecting the wasm result promise from
the V8-internal API to the external API added in
https://chromium-review.googlesource.com/c/v8/v8/+/3695584.
This CL can land once Chrome provided an implementation of the callback.
R=jkummerow@chromium.org
Bug: v8:12953
Change-Id: If1f252736fd3a13024d4b38adebf468530c59c03
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714234
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81253}
* Move fixed temporary allocation before arbitrary input allocation,
so that fixed temporaries don't accidentally clobber the arbitrary
input register. Now the input allocation will pick a different
register.
* For the above, make temporary allocation 'block' the register with a
sentinel value, rather than marking it free, so that the subsequent
input allocation knows not to use those registers (including
spilling into them).
* Similarly, move arbitrary input allocation after phi resolution when
allocating control nodes, since phis may have fixed requirements.
* Allow deopts to spill their inputs if they are not in registers and
not yet loadable. This is done during the equivalent of input
allocation for deopts.
* Allow there to be multiple targets for a single source during gap
move collection / cycle detection. There can still only be a single
source per target, therefore there can only be one cycle for each
connected component -- this is DCHECKed.
* Make register validation more complete -- also walk the entire
graph, and check whether value nodes' result register states match
the current register allocator state.
* Add much more printing to --trace-maglev-regalloc because these bugs
ain't easy to debug.
Bug: v8:7700
Change-Id: Id98259c2920d772ce168bf27497162e78b136f9f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714235
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81252}
This bug may lead to gc_stats tracing doesn't stop after chrome://tracing stop as expected.
Change-Id: Ibc2ece4c0ad536a99c4aece039ef546d152df10a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3709242
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jianxiao Lu <jianxiao.lu@intel.com>
Cr-Commit-Position: refs/heads/main@{#81251}
According to the style guide, the implicit conversion of any number of
registers to a LiftoffRegList should not be there. This CL removes it,
and fixes two subideal call sites to use SpillRegister (receiving a
single register) instead of SpillOneRegister (receiving a register list
to choose from).
Plus some semantics-preserving rewrites.
R=jkummerow@chromium.org
Bug: chromium:1337221
Change-Id: Id22043ac1c185bc794dbde7baa4b1d5ab7cce56e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3707286
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81250}
In the previous implementation, functions overwrote any budget
decrements caused by recursive invocations of themselves, which
could cause tier-up decisions for certain unlucky functions to
get delayed unreasonably long.
This patch avoids this by working with the on-instance value
directly instead of caching it in a stack slot. That generates
the same amount of Liftoff code as the status quo, but handles
recursive functions properly.
The "barista3" benchmark's peak performance improves by almost 20%.
Bug: v8:12281
Change-Id: I8b487a88da99c2d22e132f2cc72bdf36aa5f6e63
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3693710
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81249}
This is a reland of commit 538f2bc9ab
Changes compared to original: None. We think the problem that caused
the revert (https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20no-concurrent-marking/9377/overview) is unrelated.
Original change's description:
> [wasm-gc][cleanup] Remove wasm signature from CallDescriptor
>
> This field is no longer used, as the functionality it supported has been
> subsumed by wasm-gc typed-based optimizations.
>
> Bug: v8:7748
> Change-Id: I970514bb29e5f91bb5610cafde60ec3dbcfb07aa
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3705376
> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Maya Lekova <mslekova@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81244}
Bug: v8:7748
Change-Id: I8eacff98d265751fae55f244d40c0df94e35e6fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714231
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81248}
CHECKs were added / DCHECKs turned into CHECKs in
https://crrev.com/c/3707103 to help investigate crash reports.
Revert this changes (besides 1 CEHCK that prevents potential OOB reads
when the hash value is corrupted).
Bug: chromium:1336516
Change-Id: I84dd699b53c2006a1be4059940017c1277efa7ff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3711757
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81247}
Fix underflow in allocation timeout which is used by fuzzers to trigger
garabge collection.
Bug: chromium:1337646
Change-Id: Iffa70497c2945a26242e9e67820197bd5e61f04c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3711758
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81246}
This field is no longer used, as the functionality it supported has been
subsumed by wasm-gc typed-based optimizations.
Bug: v8:7748
Change-Id: I970514bb29e5f91bb5610cafde60ec3dbcfb07aa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3705376
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81244}