[Backport] Fix High Resolution touchpad scrolling in XWayland #1

Open
wants to merge 1 commit into
base: 80-based

@satmandu satmandu changed the title Fix High Resolution touchpad scrolling in XWayland [Backport] Fix High Resolution touchpad scrolling in XWayland May 7, 2020
qtprojectorg pushed a commit that referenced this pull request Feb 19, 2021
Partial cherry-pick (leaving out tests) of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2674008:
Merged: [interpreter] Store accumulator to callee after optional chain checks

Revision: df98901c19ce17ca995ee6750379b0f004210d68

BUG=chromium:1171954
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
[email protected]

Change-Id: If09e1503ca07b47a112362495ec0bb9d502118c9
Reviewed-by: Ross McIlroy <[email protected]>
Cr-Commit-Position: refs/branch-heads/8.9@{#33}
Cr-Branched-From: 16b9bbbd581c25391981aa03180b76aa60463a3e-refs/heads/8.9.255@{#1}
Cr-Branched-From: d16a2a688498bd1c3e6a49edb25d8c4ca56232dc-refs/heads/master@{#72039}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Apr 1, 2021
Partial cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2780300:
Merged: [deoptimizer] Fix bug in OptimizedFrame::Summarize

Revision: 3353a7d0b017146d543434be4036a81aaf7d25ae

BUG=chromium:1182647
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
[email protected]

Change-Id: I86abd6a3f34169be5f99aa9f54bb7bb3706fa85a
Reviewed-by: Georg Neis <[email protected]>
Reviewed-by: Benedikt Meurer <[email protected]>
Commit-Queue: Georg Neis <[email protected]>
Cr-Commit-Position: refs/branch-heads/8.9@{#49}
Cr-Branched-From: 16b9bbbd581c25391981aa03180b76aa60463a3e-refs/heads/8.9.255@{#1}
Cr-Branched-From: d16a2a688498bd1c3e6a49edb25d8c4ca56232dc-refs/heads/master@{#72039}
Reviewed-by: Jüri Valdmann <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Apr 1, 2021
Partial cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2748077:
Merged: Squashed multiple commits.

Merged: [const-tracking] Mark const field as mutable when reconfiguring
Revision: 7535b91f7cb22274de734d5da7d0324d8653d626

Merged: [const-tracking] Fix incorrect DCHECK in MapUpdater
Revision: f95db8916a731e6e5ccc0282616bc907ce06012f

BUG=chromium:1161847,chromium:1185463,v8:9233
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
[email protected]

Change-Id: I4a34bafb3b072f2e788b47949947c76110f1b85c
Reviewed-by: Igor Sheludko <[email protected]>
Commit-Queue: Georg Neis <[email protected]>
Cr-Commit-Position: refs/branch-heads/9.0@{#18}
Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
Reviewed-by: Jüri Valdmann <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Apr 6, 2021
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2674169:
[Merged ][wasm] PostMessage of Memory.buffer should throw

PostMessage of an ArrayBuffer that is not detachable should result
in a DataCloneError.

[email protected]

(cherry picked from commit dfcf1e86fac0a7b067caf8fdfc13eaf3e3f445e4)

Bug: chromium:1170176, chromium:961059
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: Ife852df032841b7001375acd5e101d614c4b0771
Reviewed-by: Zhi An Ng <[email protected]>
Commit-Queue: Zhi An Ng <[email protected]>
Cr-Commit-Position: refs/branch-heads/8.8@{#30}
Cr-Branched-From: 2dbcdc105b963ee2501c82139eef7e0603977ff0-refs/heads/8.8.278@{#1}
Cr-Branched-From: 366d30c99049b3f1c673f8a93deb9f879d0fa9f0-refs/heads/master@{#71094}
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Apr 9, 2021
Partial cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2780300:
Merged: [deoptimizer] Fix bug in OptimizedFrame::Summarize

Revision: 3353a7d0b017146d543434be4036a81aaf7d25ae

BUG=chromium:1182647
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
[email protected]

Change-Id: I86abd6a3f34169be5f99aa9f54bb7bb3706fa85a
Reviewed-by: Georg Neis <[email protected]>
Reviewed-by: Benedikt Meurer <[email protected]>
Commit-Queue: Georg Neis <[email protected]>
Cr-Commit-Position: refs/branch-heads/8.9@{#49}
Cr-Branched-From: 16b9bbbd581c25391981aa03180b76aa60463a3e-refs/heads/8.9.255@{#1}
Cr-Branched-From: d16a2a688498bd1c3e6a49edb25d8c4ca56232dc-refs/heads/master@{#72039}
Reviewed-by: Jüri Valdmann <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Apr 9, 2021
Partial cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2748077:
Merged: Squashed multiple commits.

Merged: [const-tracking] Mark const field as mutable when reconfiguring
Revision: 7535b91f7cb22274de734d5da7d0324d8653d626

Merged: [const-tracking] Fix incorrect DCHECK in MapUpdater
Revision: f95db8916a731e6e5ccc0282616bc907ce06012f

BUG=chromium:1161847,chromium:1185463,v8:9233
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
[email protected]

Change-Id: I4a34bafb3b072f2e788b47949947c76110f1b85c
Reviewed-by: Igor Sheludko <[email protected]>
Commit-Queue: Georg Neis <[email protected]>
Cr-Commit-Position: refs/branch-heads/9.0@{#18}
Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
Reviewed-by: Jüri Valdmann <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Apr 14, 2021
… in V8 for x86_64

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2821959:
Fix bug in InstructionSelector::ChangeInt32ToInt64

(cherry picked from commit 02f84c745fc0cae5927a66dc4a3e81334e8f60a6)

No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Bug: chromium:1196683
Change-Id: Ib4ea738b47b64edc81450583be4c80a41698c3d1
Commit-Queue: Georg Neis <[email protected]>
Reviewed-by: Nico Hartmann <[email protected]>
Cr-Original-Commit-Position: refs/heads/master@{#73903}
Commit-Queue: Jana Grill <[email protected]>
Reviewed-by: Georg Neis <[email protected]>
Reviewed-by: Victor-Gabriel Savu <[email protected]>
Cr-Commit-Position: refs/branch-heads/8.6@{#75}
Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Apr 21, 2021
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2838235:
M86-LTS: [compiler] Fix bug in RepresentationChanger::GetWord32RepresentationFor

We have to respect the TypeCheckKind.

(cherry picked from commit fd29e246f65a7cee130e72cd10f618f3b82af232)

No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Bug: chromium:1195777
Change-Id: If1eed719fef79b7c61d99c29ba869ddd7985c413
Commit-Queue: Georg Neis <[email protected]>
Reviewed-by: Nico Hartmann <[email protected]>
Cr-Original-Commit-Position: refs/heads/master@{#73909}
Owners-Override: Achuith Bhandarkar <[email protected]>
Reviewed-by: Artem Sumaneev <[email protected]>
Commit-Queue: Achuith Bhandarkar <[email protected]>
Cr-Commit-Position: refs/branch-heads/8.6@{#79}
Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Apr 21, 2021
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2823829:
[LTS-M86][builtins] Fix Array.prototype.concat with @@species

(cherry picked from commit 7989e04979c3195e60a6814e8263063eb91f7b47)

No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Bug: chromium:1195977
Change-Id: I16843bce2e9f776abca0f2b943b898ab5e597e42
Reviewed-by: Camillo Bruni <[email protected]>
Commit-Queue: Igor Sheludko <[email protected]>
Cr-Original-Commit-Position: refs/heads/master@{#73842}
Commit-Queue: Jana Grill <[email protected]>
Reviewed-by: Igor Sheludko <[email protected]>
Reviewed-by: Victor-Gabriel Savu <[email protected]>
Cr-Commit-Position: refs/branch-heads/8.6@{#77}
Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Apr 21, 2021
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2821961:
[LTS-M86][builtins] Harden Array.prototype.concat.

Defence in depth patch to prevent JavaScript from executing
from within IterateElements.

[email protected]
[email protected]

(cherry picked from commit 8284359ed0607e452a4dda2ce89811fb019b4aaa)

No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Bug: chromium:1195977
Change-Id: Ie59d468b73b94818cea986a3ded0804f6dddd10b
Reviewed-by: Camillo Bruni <[email protected]>
Reviewed-by: Igor Sheludko <[email protected]>
Commit-Queue: Igor Sheludko <[email protected]>
Cr-Original-Commit-Position: refs/heads/master@{#73898}
Commit-Queue: Jana Grill <[email protected]>
Reviewed-by: Victor-Gabriel Savu <[email protected]>
Cr-Commit-Position: refs/branch-heads/8.6@{#76}
Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Apr 27, 2021
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2839559:
Merged: [compiler] Fix a bug in VisitSpeculativeIntegerAdditiveOp

Revision: 9313c4ce3f32ad81df1c65becccec7e129181ce3

BUG=chromium:1199345
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
[email protected]

Change-Id: I0ee9f13815b1a7d248d4caa506c6930697e1866c
Commit-Queue: Georg Neis <[email protected]>
Reviewed-by: Nico Hartmann <[email protected]>
Cr-Commit-Position: refs/branch-heads/9.0@{#41}
Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Apr 27, 2021
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2833911:
Merged: [turbofan] Harden ArrayPrototypePop and ArrayPrototypeShift

Revision: d4aafa4022b718596b3deadcc3cdcb9209896154

[email protected]
BUG=chromium:1198696
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true

Change-Id: I1840ffabbed3a3caab75b0abea1d37d9ed446d3f
Reviewed-by: Georg Neis <[email protected]>
Commit-Queue: Georg Neis <[email protected]>
Cr-Commit-Position: refs/branch-heads/9.0@{#39}
Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Apr 27, 2021
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2827899:
Merged: [TurboFan] Fix SpeculativeNumberEqual[Number] with undefined

(cherry picked from commit 7c7cdec5373127ad24e75edb2d2d75b25d604850)

Bug: chromium:1198309, v8:5660
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I9cb5f66643c0c0ab9b18ca953cf85d2f6aa84b42
Reviewed-by: Georg Neis <[email protected]>
Commit-Queue: Nico Hartmann <[email protected]>
Cr-Original-Commit-Position: refs/heads/master@{#74038}
Cr-Commit-Position: refs/branch-heads/9.0@{#45}
Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request May 7, 2021
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2839559:
Merged: [compiler] Fix a bug in VisitSpeculativeIntegerAdditiveOp

Revision: 9313c4ce3f32ad81df1c65becccec7e129181ce3

BUG=chromium:1199345
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
[email protected]

Change-Id: I0ee9f13815b1a7d248d4caa506c6930697e1866c
Commit-Queue: Georg Neis <[email protected]>
Reviewed-by: Nico Hartmann <[email protected]>
Cr-Commit-Position: refs/branch-heads/9.0@{#41}
Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request May 7, 2021
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2833911:
Merged: [turbofan] Harden ArrayPrototypePop and ArrayPrototypeShift

Revision: d4aafa4022b718596b3deadcc3cdcb9209896154

[email protected]
BUG=chromium:1198696
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true

Change-Id: I1840ffabbed3a3caab75b0abea1d37d9ed446d3f
Reviewed-by: Georg Neis <[email protected]>
Commit-Queue: Georg Neis <[email protected]>
Cr-Commit-Position: refs/branch-heads/9.0@{#39}
Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request May 26, 2021
Cherry-pick of commit originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2883780:
Reland "[compiler] Fix more truncation bugs in SimplifiedLowering"

This is a reland of 47077d94492cb604e3a7f02c0d7c3c495ff6b713 without
changes. The revert was a false alarm.

[M86]: Resolved simple conflicts.

Original change's description:
> [compiler] Fix more truncation bugs in SimplifiedLowering
>
> Bug: chromium:1200490
> Change-Id: I3555b6d99bdb4b4e7c302a43a82c17e8bff84ebe
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2840452
> Reviewed-by: Nico Hartmann <[email protected]>
> Commit-Queue: Georg Neis <[email protected]>
> Cr-Commit-Position: refs/heads/master@{#74097}

(cherry picked from commit e4a580c9104e42968e8e13b8c7d933f0b2eda2a3)

(cherry picked from commit 97ad04543438f7b235b21346fdd198f81028cd5e)

Bug: chromium:1200490
Tbr: [email protected]
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: Iedddcf2d0117fa59dc9d7a3604ef203808ad2903
Reviewed-by: Georg Neis <[email protected]>
Commit-Queue: Georg Neis <[email protected]>
Cr-Original-Commit-Position: refs/branch-heads/9.0@{#47}
Cr-Original-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
Cr-Original-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
Reviewed-by: Jana Grill <[email protected]>
Commit-Queue: Victor-Gabriel Savu <[email protected]>
Cr-Commit-Position: refs/branch-heads/8.6@{#95}
Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request May 28, 2021
Reland "M86-LTS: [const-tracking] Ensure map is updated before generalizing constness"

This reverts commit 4b4ad58888faf938a76e0d792c3c3a639c79e2e4.

M86 merge conflicts and resolution:
* src/objects/map-updater.cc
  Map::instance_descriptor with kRelaxedLoad dispatcher was introduced after
  8.6 branch: https://crrev.com/c/2424130. Before the patch
  Map::instance_descriptor without dispatcher was used. Do the same
  here.
* test/mjsunit/regress/regress-crbug-1195331.js
  HasOwnConstDataProperty did not exist in 8.6. Add it from
  https://crrev.com/c/2566757.

Original change's description:
> Revert "M86-LTS: [const-tracking] Ensure map is updated before generalizing constness"
>
> This reverts commit 69a043b410ff83f31ceba23eab410163403c1db0.
>
> Reason for revert: causes compilation errors. kRelaxedLoad is missing.
>
> Original change's description:
> > M86-LTS: [const-tracking] Ensure map is updated before generalizing constness
> >
> > Revision: db2acd7a046d42a8013da76c3f47d2970cef5447
> >
> > BUG=chromium:1195331
> > NOTRY=true
> > NOPRESUBMIT=true
> > NOTREECHECKS=true
> > R=[email protected]
> >
> > (cherry picked from commit 5a0dd788cdae65bbfa37fbbd47a5e5dde15dd894)
> >
> > Change-Id: I7ce1b36b8860a49838d208bc7857021e03f83916
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2831474
> > Reviewed-by: Leszek Swirski <[email protected]>
> > Cr-Original-Commit-Position: refs/branch-heads/9.0@{#37}
> > Cr-Original-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
> > Cr-Original-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2850705
> > Reviewed-by: Igor Sheludko <[email protected]>
> > Reviewed-by: Victor-Gabriel Savu <[email protected]>
> > Commit-Queue: Artem Sumaneev <[email protected]>
> > Cr-Commit-Position: refs/branch-heads/8.6@{#82}
> > Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
> > Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
>
> Bug: chromium:1195331
> Change-Id: Id7170c30d67329b784e9a283c0171fed010970dc
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2853588
> Bot-Commit: Rubber Stamper <[email protected]>
> Commit-Queue: Artem Sumaneev <[email protected]>
> Cr-Commit-Position: refs/branch-heads/8.6@{#84}
> Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
> Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}

No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:1195331
Change-Id: Ie103a7795893860c4c4834eefe9dc327c5c46d19
Reviewed-by: Victor-Gabriel Savu <[email protected]>
Commit-Queue: Victor-Gabriel Savu <[email protected]>
Cr-Commit-Position: refs/branch-heads/8.6@{#93}
Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request May 28, 2021
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2875210:
Merged: [liftoff] Fix >=2GB memory accesses on 32-bit

We were inconsistent in handling offsets >= 2GB on 32-bit systems. The
code was still relying on this being detected as statically out of
bounds, but with the increase of {kV8MaxWasmMemoryPages} to support 4GB
memories, this is not the case any more.

This CL fixes this by again detecting such situations as statically OOB.
We do not expect to be able to allocate memories of size >2GB on such
systems. If this assumption turns out to be wrong, we will erroneously
trap. If that happens, we will have to explicitly disallow memories of
such size on 32-bit systems.

Tbr: [email protected]

(cherry picked from commit 7ad5b961553d7d9bc30da1bb839726be2b92bb51)

Bug: v8:7881, chromium:1201340
Change-Id: I8a91dd067a1c63a6d1caacb874a27b44b0983774
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Reviewed-by: Clemens Backes <[email protected]>
Commit-Queue: Clemens Backes <[email protected]>
Cr-Commit-Position: refs/branch-heads/9.0@{#51}
Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request May 28, 2021
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2880214:
Merged: [const-tracking] Generalize constness when delete properties

Revision: d570bbe0c74ec4ae40d1abc34bea617ff2d63f26

BUG=chromium:1201938
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
[email protected]

Change-Id: I2745bd574d9f971b3f1e41d5084ec9e9fbbeef07
Reviewed-by: Leszek Swirski <[email protected]>
Cr-Commit-Position: refs/branch-heads/9.0@{#55}
Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Aug 2, 2021
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2940882:
M86-LTS: [debugger] Return ServerError if debugger agent is disabled

This returns a server error on setting breakpoints if the
agent is disabled.

(cherry picked from commit 5aa2de8128f885c44df79d38fb4aa5c6a5d94306)

Also-by: [email protected]
Fixed: chromium:1202534
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I87c80a4bd785fa5c59a8dd0d5ac5f4b31b015ed8
Commit-Queue: Kim-Anh Tran <[email protected]>
Commit-Queue: Benedikt Meurer <[email protected]>
Auto-Submit: Kim-Anh Tran <[email protected]>
Reviewed-by: Benedikt Meurer <[email protected]>
Cr-Original-Commit-Position: refs/heads/master@{#74399}
Reviewed-by: Achuith Bhandarkar <[email protected]>
Commit-Queue: Artem Sumaneev <[email protected]>
Cr-Commit-Position: refs/branch-heads/8.6@{#105}
Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Aug 2, 2021
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2948652:
M86-LTS] Reland "Merged: [compiler] Always record constness dependency for FastDataConstant"

This is a reland of 638d1b238d510a349bdd38648add8d5c85bc5f7d after a
one-character change. A local variable still has a non-optional type
in this version of V8.

Original change's description:
> Merged: [compiler] Always record constness dependency for FastDataConstant
>
> Revision: 1bfa5139966fe0c9e8036fe6362b61c483675775
>
> BUG=chromium:1209558
> NOTRY=true
> NOPRESUBMIT=true
> NOTREECHECKS=true
>
> Change-Id: If4f7243647bcc12ed482796c1353f0717630f6b9
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2919823
> Commit-Queue: Georg Neis <[email protected]>
> Reviewed-by: Igor Sheludko <[email protected]>
> Cr-Commit-Position: refs/branch-heads/9.1@{#59}
> Cr-Branched-From: 0e4ac64a8cf298b14034a22f9fe7b085d2cb238d-refs/heads/9.1.269@{#1}
> Cr-Branched-From: f565e72d5ba88daae35a59d0f978643e2343e912-refs/heads/master@{#73847}

NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true

(cherry picked from commit 73666e3f6d6bdbc93ab81cf8b3803dd04930e293)

Bug: chromium:1209558
Change-Id: I0c81353882b0f17942fd92ad4181732f941bcb1d
Commit-Queue: Georg Neis <[email protected]>
Reviewed-by: Igor Sheludko <[email protected]>
Cr-Original-Commit-Position: refs/branch-heads/9.1@{#63}
Cr-Original-Branched-From: 0e4ac64a8cf298b14034a22f9fe7b085d2cb238d-refs/heads/9.1.269@{#1}
Cr-Original-Branched-From: f565e72d5ba88daae35a59d0f978643e2343e912-refs/heads/master@{#73847}
Reviewed-by: Artem Sumaneev <[email protected]>
Commit-Queue: Victor-Gabriel Savu <[email protected]>
Cr-Commit-Position: refs/branch-heads/8.6@{#108}
Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Aug 2, 2021
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2940899:
Merged: Squashed multiple commits.

Merged: Disable left-trimming when optimizing compile jobs exist
Revision: ac0605a1a486b8d074f116cc365de9d2b6d7c9e5

Merged: [heap] Don't assume that optimizing-compile-dispatcher exists
Revision: 022b312d55e75935cfa99cca7729ae2d3f795bd0

BUG=chromium:1211215,chromium:1215514
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
[email protected]

Change-Id: I3b3a37d64402ea464c8e653517928522a1c5e0da
Reviewed-by: Dominik Inführ <[email protected]>
Commit-Queue: Georg Neis <[email protected]>
Cr-Commit-Position: refs/branch-heads/9.1@{#67}
Cr-Branched-From: 0e4ac64a8cf298b14034a22f9fe7b085d2cb238d-refs/heads/9.1.269@{#1}
Cr-Branched-From: f565e72d5ba88daae35a59d0f978643e2343e912-refs/heads/master@{#73847}
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Aug 4, 2021
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3027260:
Merged: [compiler] Fix a bug in CodeGenerator::AddTranslationForOperand

(cherry picked from commit 374354bfe4a30740b96936b33e522d6fcd1cda67)

Bug: chromium:1228407
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I358d8736b7b5f87300496cbb39a7689d8207d85f
Bot-Commit: Rubber Stamper <[email protected]>
Reviewed-by: Adam Klein <[email protected]>
Commit-Queue: Adam Klein <[email protected]>
Cr-Commit-Position: refs/branch-heads/9.1@{#77}
Cr-Branched-From: 0e4ac64a8cf298b14034a22f9fe7b085d2cb238d-refs/heads/9.1.269@{#1}
Cr-Branched-From: f565e72d5ba88daae35a59d0f978643e2343e912-refs/heads/master@{#73847}
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Aug 12, 2021
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2993033:
Merged: [JSON] Fix GC issue in BuildJsonObject

We must ensure that the sweeper is not running or has already swept
mutable_double_buffer. Otherwise the GC can add it to the free list.

Change-Id: If0fc7617acdb6690f0567215b78f8728e1643ec0
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Bug: v8:11837, chromium:1214842
Reviewed-by: Michael Lippautz <[email protected]>
Reviewed-by: Toon Verwaest <[email protected]>
Commit-Queue: Victor Gomes <[email protected]>
Cr-Commit-Position: refs/branch-heads/9.1@{#75}
Cr-Branched-From: 0e4ac64a8cf298b14034a22f9fe7b085d2cb238d-refs/heads/9.1.269@{#1}
Cr-Branched-From: f565e72d5ba88daae35a59d0f978643e2343e912-refs/heads/master@{#73847}
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Aug 19, 2021
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3080564:
Merged: [compiler] Fix a bug in MachineOperatorReducer's BitfieldCheck

Revision: 574ca6b71c6160d38b5fcf4b8e133bc7f6ba2387

BUG=chromium:1234770
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
[email protected]

Change-Id: I15af5a94e89b54c2a540442c3544ed459b832e0a
Reviewed-by: Lutz Vahl <[email protected]>
Commit-Queue: Georg Neis <[email protected]>
Cr-Commit-Position: refs/branch-heads/9.3@{#21}
Cr-Branched-From: 7744dce208a555494e4a33e24fadc71ea20b3895-refs/heads/9.3.345@{#1}
Cr-Branched-From: 4b6b4cabf3b6a20cdfda72b369df49f3311c4344-refs/heads/master@{#75728}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Sep 3, 2021
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3027260:
Merged: [compiler] Fix a bug in CodeGenerator::AddTranslationForOperand

(cherry picked from commit 374354bfe4a30740b96936b33e522d6fcd1cda67)

Bug: chromium:1228407
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I358d8736b7b5f87300496cbb39a7689d8207d85f
Bot-Commit: Rubber Stamper <[email protected]>
Reviewed-by: Adam Klein <[email protected]>
Commit-Queue: Adam Klein <[email protected]>
Cr-Commit-Position: refs/branch-heads/9.1@{#77}
Cr-Branched-From: 0e4ac64a8cf298b14034a22f9fe7b085d2cb238d-refs/heads/9.1.269@{#1}
Cr-Branched-From: f565e72d5ba88daae35a59d0f978643e2343e912-refs/heads/master@{#73847}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Sep 3, 2021
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3067222:
Fix GC issue in BuildJsonObject

We must ensure that the sweeper is not running or has already swept
mutable_double_buffer. Otherwise the GC can add it to the free list.

(cherry picked from commit 81181a8ad80ac978a6a8732d05f615c645df95d2)

Bug: v8:11837
Bug: chromium:1214842
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: Ifd9cf15f1c94f664fd6489c70bb38b59730cdd78
Commit-Queue: Victor Gomes <[email protected]>
Cr-Original-Commit-Position: refs/heads/master@{#74859}
Commit-Queue: Roger Felipe Zanoni da Silva <[email protected]>
Reviewed-by: Achuith Bhandarkar <[email protected]>
Reviewed-by: Jana Grill <[email protected]>
Cr-Commit-Position: refs/branch-heads/9.0@{#68}
Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Sep 3, 2021
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3101487:
[M90-LTS] [deoptimizer] Finish concurrent sweeping before overwriting ByteArrays

(cherry picked from commit b63a59619530cb26bf5d51f39ef4cb4c20952d5f)

Bug: chromium:1228036
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I5abe7009920d2c8f81f024c9ae7bb6b13607da1a
Commit-Queue: Georg Neis <[email protected]>
Cr-Original-Commit-Position: refs/heads/master@{#75932}
Commit-Queue: Zakhar Voit <[email protected]>
Reviewed-by: Achuith Bhandarkar <[email protected]>
Cr-Commit-Position: refs/branch-heads/9.0@{#75}
Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Sep 1, 2023
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/webm/libwebp/+/4634862:
EncodeAlphaInternal: add missing error check

VP8LBitWriterFinish() may cause the VP8LBitWriter's buffer to be grown.
If that allocation fails, VP8LBitWriterNumBytes() will return a size
larger than the current allocation resulting in a heap overwrite of the
missing bytes.

==13==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61900005b880 at pc 0x00000049ffc1 bp 0x7fff144f5b40 sp 0x7fff144f5310
READ of size 1028 at 0x61900005b880 thread T0
    #0 0x49ffc0 in __asan_memcpy
    #1 0x695861 in VP8BitWriterAppend src/utils/bit_writer_utils.c:186:3
    #2 0x65acf9 in EncodeAlphaInternal src/enc/alpha_enc.c:169:14

Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).

This is the same issue that was fixed in the non-alpha lossless path in:
d49cfbb3 vp8l_enc,WriteImage: add missing error check

Bug: chromium:1455619
Change-Id: I6bd10de213707d3d6b7ce3d0d2b3942af45d317f
(cherry picked from commit c3bd7cff2e57b4bf1b744e70dd379570d83fb0e4)
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/500280
Reviewed-by: Michal Klocek <[email protected]>
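The failure mode described in the libwebp commit message above, as an added example that is not libwebp code and not part of the original commit: a simplified bit writer whose reported byte count includes pending bits that were never stored because the final grow failed. All names (`BitWriter`, `bw_finish`, `emit_checked`, the fault-injecting `test_realloc`) are hypothetical, and the input bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a growable bit writer (hypothetical, not libwebp's). */
typedef struct {
    uint8_t *buf;   /* heap buffer */
    size_t   cap;   /* bytes actually allocated */
    size_t   used;  /* whole bytes stored in buf */
    uint64_t bits;  /* pending bits not yet stored */
    int      nbits; /* number of pending bits */
    int      error; /* sticky flag, set when a grow fails */
} BitWriter;

static int fail_next_alloc = 0; /* fault injection: next allocation fails */

static void *test_realloc(void *p, size_t n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return realloc(p, n);
}

/* Make room for `extra` more bytes; on failure the old buffer is kept. */
static int bw_grow(BitWriter *bw, size_t extra) {
    size_t need = bw->used + extra;
    if (need <= bw->cap) return 1;
    size_t ncap = bw->cap ? bw->cap * 2 : 16;
    while (ncap < need) ncap *= 2;
    uint8_t *nb = test_realloc(bw->buf, ncap);
    if (nb == NULL) { bw->error = 1; return 0; }
    bw->buf = nb;
    bw->cap = ncap;
    return 1;
}

static void bw_put_bits(BitWriter *bw, uint32_t v, int n) {
    if (bw->error) return;
    bw->bits |= (uint64_t)v << bw->nbits;
    bw->nbits += n;
    while (bw->nbits >= 8) {            /* store every complete byte */
        if (!bw_grow(bw, 1)) return;
        bw->buf[bw->used++] = (uint8_t)bw->bits;
        bw->bits >>= 8;
        bw->nbits -= 8;
    }
}

/* Flush the pending bits. This may need to grow the buffer, and can fail. */
static void bw_finish(BitWriter *bw) {
    size_t tail = (size_t)(bw->nbits + 7) / 8;
    if (tail == 0 || !bw_grow(bw, tail)) return;
    while (bw->nbits > 0) {
        bw->buf[bw->used++] = (uint8_t)bw->bits;
        bw->bits >>= 8;
        bw->nbits -= 8;
    }
    bw->nbits = 0;
}

/* Logical size: stored bytes plus pending bits rounded up to bytes.
 * After a failed bw_finish() this exceeds bw->cap. */
static size_t bw_num_bytes(const BitWriter *bw) {
    return bw->used + (size_t)(bw->nbits + 7) / 8;
}

/* Caller with the error check: an unchecked caller would pass
 * bw_num_bytes() straight to memcpy() and run past the allocation. */
static long emit_checked(BitWriter *bw, uint8_t *out, size_t out_cap) {
    bw_finish(bw);
    if (bw->error) return -1;           /* the check the fix adds */
    size_t n = bw_num_bytes(bw);
    if (n > out_cap) return -1;
    memcpy(out, bw->buf, n);
    return (long)n;
}

/* Fill the buffer exactly (16 bytes), leave 3 pending bits, then finish. */
static long run_scenario(int inject_failure, size_t *logical, size_t *allocated) {
    BitWriter bw = {0};
    uint8_t out[64];
    for (int i = 0; i < 16; i++) bw_put_bits(&bw, 0xAB, 8);
    bw_put_bits(&bw, 0x5, 3);
    fail_next_alloc = inject_failure;
    long r = emit_checked(&bw, out, sizeof out);
    *logical = bw_num_bytes(&bw);
    *allocated = bw.cap;
    free(bw.buf);
    return r;
}

int main(void) {
    size_t logical, allocated;
    long r = run_scenario(1, &logical, &allocated);
    printf("alloc failure: result=%ld logical=%zu allocated=%zu\n", r, logical, allocated);
    r = run_scenario(0, &logical, &allocated);
    printf("normal:        result=%ld logical=%zu allocated=%zu\n", r, logical, allocated);
    return 0;
}
```

Injecting allocation failures this way is the same idea the fuzzer named in the commit message relies on: the error path only runs when an allocation is made to fail.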
qtprojectorg pushed a commit that referenced this pull request Jan 8, 2024
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5110982:
Merged: [promises, async stack traces] Fix the case when the closure has run

We were using the closure pointing to NativeContext as a marker that the
closure has run, but async stack trace code was confused about it.

(cherry picked from commit bde3d360097607f36cd1d17cbe8412b84eae0a7f)

Bug: chromium:1501326
Change-Id: I30d438f3b2e3fdd7562ea9a79dde4561ce9b0083
Cr-Original-Commit-Position: refs/heads/main@{#90949}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5110982
Commit-Queue: Marja Hölttä <[email protected]>
Reviewed-by: Shu-yu Guo <[email protected]>
Reviewed-by: Igor Sheludko <[email protected]>
Auto-Submit: Marja Hölttä <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.0@{#18}
Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/526277
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Jan 8, 2024
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5110982:
Fix the case when the closure has run

M114 changes:
- replace IsNativeContext(*context) by context->IsNativeContext()

We were using the closure pointing to NativeContext as a marker that the
closure has run, but async stack trace code was confused about it.

(cherry picked from commit bde3d360097607f36cd1d17cbe8412b84eae0a7f)

Bug: chromium:1501326
Change-Id: I30d438f3b2e3fdd7562ea9a79dde4561ce9b0083
Cr-Original-Commit-Position: refs/heads/main@{#90949}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5110982
Commit-Queue: Marja Hölttä <[email protected]>
Auto-Submit: Marja Hölttä <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.0@{#18}
Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
(cherry picked from commit cbd09b2ca928f1fd929ef52e173aa81213e38cb8)
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/526344
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Jan 8, 2024
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5110982:
Fix the case when the closure has run

M114 changes:
- replace IsNativeContext(*context) by context->IsNativeContext()

We were using the closure pointing to NativeContext as a marker that the
closure has run, but async stack trace code was confused about it.

(cherry picked from commit bde3d360097607f36cd1d17cbe8412b84eae0a7f)

Bug: chromium:1501326
Change-Id: I30d438f3b2e3fdd7562ea9a79dde4561ce9b0083
Cr-Original-Commit-Position: refs/heads/main@{#90949}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5110982
Commit-Queue: Marja Hölttä <[email protected]>
Auto-Submit: Marja Hölttä <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.0@{#18}
Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
(cherry picked from commit cbd09b2ca928f1fd929ef52e173aa81213e38cb8)
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/526350
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Jan 8, 2024
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5110982:
[M114-LTS][promises, async stack traces] Fix the case when the closure has run

M114 changes:
- replace IsNativeContext(*context) by context->IsNativeContext()

We were using the closure pointing to NativeContext as a marker that the
closure has run, but async stack trace code was confused about it.

(cherry picked from commit bde3d360097607f36cd1d17cbe8412b84eae0a7f)

Bug: chromium:1501326
Change-Id: I30d438f3b2e3fdd7562ea9a79dde4561ce9b0083
Cr-Original-Commit-Position: refs/heads/main@{#90949}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5110982
Commit-Queue: Marja Hölttä <[email protected]>
Auto-Submit: Marja Hölttä <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.0@{#18}
Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
(cherry picked from commit cbd09b2ca928f1fd929ef52e173aa81213e38cb8)
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/526232
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Jan 16, 2024
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5114883:
Merged: [turboshaft] Fix StructuralOptimization because of ignored side-effects

Side-effects in the 1st else block were not taken into account.

Drive-by: minor cleanups to StructuralOptimizationReducer.

Bug: v8:12783, chromium:1509576
(cherry picked from commit 4a664b390577de3d3572010da0dc1138d78ab2c4)

Change-Id: Id4e230ee0fd408c821747d3350d688c8b0098ae3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5114883
Reviewed-by: Matthias Liedtke <[email protected]>
Commit-Queue: Matthias Liedtke <[email protected]>
Auto-Submit: Darius Mercadier <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.0@{#20}
Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/530060
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Jan 18, 2024
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5192447:
Merged: [runtime] Drop fast last-property deletion

This interacts badly with other optimizations and isn't particularly
common.

Bug: chromium:1517354
(cherry picked from commit 389ea9be7d68bb189e16da79f6414edbd4f7594f)

Change-Id: Ie16aa38e8984c4879491c0d9a0ca9df0e041fd1d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5192447
Auto-Submit: Toon Verwaest <[email protected]>
Reviewed-by: Leszek Swirski <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.0@{#32}
Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/531577
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Jan 22, 2024
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5192447:
Merged: [runtime] Drop fast last-property deletion

This interacts badly with other optimizations and isn't particularly
common.

Bug: chromium:1517354
(cherry picked from commit 389ea9be7d68bb189e16da79f6414edbd4f7594f)

Change-Id: Ie16aa38e8984c4879491c0d9a0ca9df0e041fd1d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5192447
Auto-Submit: Toon Verwaest <[email protected]>
Reviewed-by: Leszek Swirski <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.0@{#32}
Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/532072
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Jan 22, 2024
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5185558:
Merged: [maglev] Fix allocation folding in derived constructors

Bug: v8:7700
Fixed: chromium:1515930
(cherry picked from commit 78dd4b31847ab1f5b06ef3d8742a9f3835fb6919)

Change-Id: Ia5d80719f97a6676a778e46698ecd6f6999e90d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5185558
Auto-Submit: Leszek Swirski <[email protected]>
Commit-Queue: Victor Gomes <[email protected]>
Reviewed-by: Victor Gomes <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.0@{#30}
Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/531978
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Jan 22, 2024
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5180369:
Merged: [codegen] Install BytecodeArray last in SharedFunctionInfo

Maglev assumes that when a SharedFunctionInfo has a BytecodeArray,
then it should also have FeedbackMetadata. However, this may not
hold with concurrent compilation when the SharedFunctionInfo is
re-compiled after being flushed. Here the BytecodeArray was installed
on the SFI before the FeedbackMetadata and a concurrent thread could
observe the BytecodeArray but not the FeedbackMetadata.

Drive-by: Reset the age field before setting the BytecodeArray as
well. This ensures that the concurrent marker will not observe the
old age for the new BytecodeArray.

Bug: chromium:1507412
(cherry picked from commit 46cb67e3b296e50d7fda5a58233d18b9f3dab0d5)

Change-Id: Ide73ac1c6b0a68a1fcf847c8351ec65016e55762
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5180369
Reviewed-by: Leszek Swirski <[email protected]>
Commit-Queue: Dominik Inführ <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.0@{#28}
Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/531979
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Jan 22, 2024
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5192447:
Merged: [runtime] Drop fast last-property deletion

This interacts badly with other optimizations and isn't particularly
common.

Bug: chromium:1517354
(cherry picked from commit 389ea9be7d68bb189e16da79f6414edbd4f7594f)

Change-Id: Ie16aa38e8984c4879491c0d9a0ca9df0e041fd1d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5192447
Auto-Submit: Toon Verwaest <[email protected]>
Reviewed-by: Leszek Swirski <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.0@{#32}
Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/531980
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Jan 22, 2024
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5192447:
Merged: [runtime] Drop fast last-property deletion

This interacts badly with other optimizations and isn't particularly
common.

Bug: chromium:1517354
(cherry picked from commit 389ea9be7d68bb189e16da79f6414edbd4f7594f)

Change-Id: Ie16aa38e8984c4879491c0d9a0ca9df0e041fd1d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5192447
Auto-Submit: Toon Verwaest <[email protected]>
Reviewed-by: Leszek Swirski <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.0@{#32}
Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/532059
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Mar 12, 2024
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5300311:
Merged: [wasm] Use correct signature index for tier-up of wasm-to-js wrapper

The wasm-to-js wrapper tierup used the canonicalized signature id lookup
for module-independent signatures to look up the canonicalized signature
id of module-specific signatures. With this CL the signature id is
looked up with the function index of imported functions and from the
dispatch table for indirect function calls instead.

[email protected]

Bug: 324596281
(cherry picked from commit 2109613ad4622028778a38fb418956fab8b478b6)

Change-Id: I3fb7e4f02596f62e13ffe60015f96bac5efbc598
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5300311
Reviewed-by: Jakob Kummerow <[email protected]>
Commit-Queue: Andreas Haas <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.2@{#32}
Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1}
Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/546082
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Mar 12, 2024
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5323850:
Merged: [wasm] Add bounds check in tier-up of wasm-to-js wrapper

The entry index in the WasmApiFunctionRef was used to look for the given
WasmApiFunctionRef in the indirect function tables, but it was not
considered that the indirect function tables can have different lengths.

[email protected]

Bug: 325893559

(cherry picked from commit 7330f46163e8a2c10a3d40ecbf554656f0ac55e8)

Change-Id: I52355890e21490c75566216985680c64e0b0db75
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5323850
Commit-Queue: Andreas Haas <[email protected]>
Reviewed-by: Thibaud Michaud <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.2@{#38}
Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1}
Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/546083
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Apr 9, 2024
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5401859:
Merged: [runtime] Recreate enum cache on map update if any previous map had one

If any previous map in the transition tree had an enum cache, then we
recreate one when updating the map.

Bug: 330760873
(cherry picked from commit 807cf7d0b7d96212c98ed2119e07f9b2c6a23f61)

Change-Id: Ia9ea4cf17fef60166a0c037318eb539866aac37a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5401859
Reviewed-by: Igor Sheludko <[email protected]>
Commit-Queue: Igor Sheludko <[email protected]>
Auto-Submit: Darius Mercadier <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.2@{#52}
Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1}
Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/553307
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Apr 9, 2024
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5380190:
Merged: [wasm] Check for type-definition count limit

(cherry picked from commit b852ad701db21d6db5b34e66f4ec1cdccd2ec4d4)

Bug: chromium:330575498
Change-Id: I395f0ed6d823b7d1e139da6551486e3627d65724
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5378419
Commit-Queue: Jakob Kummerow <[email protected]>
Reviewed-by: Jakob Kummerow <[email protected]>
Auto-Submit: Manos Koukoutos <[email protected]>
Cr-Original-Commit-Position: refs/heads/main@{#92941}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5380190
Reviewed-by: Francis McCabe <[email protected]>
Commit-Queue: Adam Klein <[email protected]>
Reviewed-by: Adam Klein <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.2@{#50}
Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1}
Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/553292
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Apr 9, 2024
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5401859:
Merged: [runtime] Recreate enum cache on map update if any previous map had one

If any previous map in the transition tree had an enum cache, then we
recreate one when updating the map.

Bug: 330760873
(cherry picked from commit 807cf7d0b7d96212c98ed2119e07f9b2c6a23f61)

Change-Id: Ia9ea4cf17fef60166a0c037318eb539866aac37a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5401859
Reviewed-by: Igor Sheludko <[email protected]>
Commit-Queue: Igor Sheludko <[email protected]>
Auto-Submit: Darius Mercadier <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.2@{#52}
Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1}
Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/553296
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Apr 10, 2024
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5380190:
Merged: [wasm] Check for type-definition count limit

(cherry picked from commit b852ad701db21d6db5b34e66f4ec1cdccd2ec4d4)

Bug: chromium:330575498
Change-Id: I395f0ed6d823b7d1e139da6551486e3627d65724
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5378419
Commit-Queue: Jakob Kummerow <[email protected]>
Reviewed-by: Jakob Kummerow <[email protected]>
Auto-Submit: Manos Koukoutos <[email protected]>
Cr-Original-Commit-Position: refs/heads/main@{#92941}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5380190
Reviewed-by: Francis McCabe <[email protected]>
Commit-Queue: Adam Klein <[email protected]>
Reviewed-by: Adam Klein <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.2@{#50}
Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1}
Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/553298
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Apr 10, 2024
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5401859:
Merged: [runtime] Recreate enum cache on map update if any previous map had one

If any previous map in the transition tree had an enum cache, then we
recreate one when updating the map.

Bug: 330760873
(cherry picked from commit 807cf7d0b7d96212c98ed2119e07f9b2c6a23f61)

Change-Id: Ia9ea4cf17fef60166a0c037318eb539866aac37a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5401859
Reviewed-by: Igor Sheludko <[email protected]>
Commit-Queue: Igor Sheludko <[email protected]>
Auto-Submit: Darius Mercadier <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.2@{#52}
Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1}
Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/553302
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Jun 11, 2024
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5380190:
Merged: [wasm] Check for type-definition count limit

(cherry picked from commit b852ad701db21d6db5b34e66f4ec1cdccd2ec4d4)

Bug: chromium:330575498
Change-Id: I395f0ed6d823b7d1e139da6551486e3627d65724
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5378419
Commit-Queue: Jakob Kummerow <[email protected]>
Reviewed-by: Jakob Kummerow <[email protected]>
Auto-Submit: Manos Koukoutos <[email protected]>
Cr-Original-Commit-Position: refs/heads/main@{#92941}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5380190
Reviewed-by: Francis McCabe <[email protected]>
Commit-Queue: Adam Klein <[email protected]>
Reviewed-by: Adam Klein <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.2@{#50}
Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1}
Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554624
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Jun 11, 2024
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5410311:
Merged: [wasm][gc] Scan the code field of the WasmInternalFunction

The code field in the WasmInternalFunction is a code pointer since
https://crrev.com/c/5110559, so it has to be scanned explicitly.

Bug: 329130358
(cherry picked from commit b93975a48c722c2e5fe9b39437738eb2e23dac74)

Change-Id: I0795d2188a8af3480c513d1dbaccfcef1da04473
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5410311
Reviewed-by: Deepti Gandluri <[email protected]>
Commit-Queue: Deepti Gandluri <[email protected]>
Auto-Submit: Shu-yu Guo <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.2@{#54}
Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1}
Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554648
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Jun 11, 2024
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5401859:
Merged: [runtime] Recreate enum cache on map update if any previous map had one

If any previous map in the transition tree had an enum cache, then we
recreate one when updating the map.

Bug: 330760873
(cherry picked from commit 807cf7d0b7d96212c98ed2119e07f9b2c6a23f61)

Change-Id: Ia9ea4cf17fef60166a0c037318eb539866aac37a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5401859
Reviewed-by: Igor Sheludko <[email protected]>
Commit-Queue: Igor Sheludko <[email protected]>
Auto-Submit: Darius Mercadier <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.2@{#52}
Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1}
Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554649
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Oct 21, 2024
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5872631:
Merged: [wasm] Do not inline wrappers with 'ref extern' parameter type

This was introduced in https://crrev.com/c/4212394.

The wrapper would need to test for null and throw a type error but
doesn't do that correctly.
(The test case added only tested that a null check happens either in
the wrapper or in the cast instruction because the test case was trying
to test both cases without duplicating too much which was a bad design
choice.)

For simplicity, just disallow inlining of wrappers with parameters
typed 'ref extern'. (Users should use `externref` aka 'ref null extern'
instead anyways as the non-nullability doesn't add any benefits.)

(cherry picked from commit 3eee872739ac3523af126d7f25a623c18f5bee39)

Bug: 366635354
Change-Id: I58deec223e9c01c5292239eebee895febc880215
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5872631
Auto-Submit: Matthias Liedtke <[email protected]>
Commit-Queue: Jakob Kummerow <[email protected]>
Reviewed-by: Jakob Kummerow <[email protected]>
Cr-Commit-Position: refs/branch-heads/13.0@{#2}
Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1}
Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/597922
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Oct 21, 2024
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5872631:
Merged: [wasm] Do not inline wrappers with 'ref extern' parameter type

This was introduced in https://crrev.com/c/4212394.

The wrapper would need to test for null and throw a type error but
doesn't do that correctly.
(The test case added only tested that a null check happens either in
the wrapper or in the cast instruction because the test case was trying
to test both cases without duplicating too much which was a bad design
choice.)

For simplicity, just disallow inlining of wrappers with parameters
typed 'ref extern'. (Users should use `externref` aka 'ref null extern'
instead anyways as the non-nullability doesn't add any benefits.)

(cherry picked from commit 3eee872739ac3523af126d7f25a623c18f5bee39)

Bug: 366635354
Change-Id: I58deec223e9c01c5292239eebee895febc880215
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5872631
Auto-Submit: Matthias Liedtke <[email protected]>
Commit-Queue: Jakob Kummerow <[email protected]>
Reviewed-by: Jakob Kummerow <[email protected]>
Cr-Commit-Position: refs/branch-heads/13.0@{#2}
Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1}
Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/597950
Reviewed-by: Michal Klocek <[email protected]>
cla-assistant bot commented Nov 15, 2024

CLA assistant check
All committers have signed the CLA.

qtprojectorg pushed a commit that referenced this pull request Jan 9, 2025
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/6084686:
Merged: [maglev] Avoid retagging loop phi backedges too early

When we decide that a loop phi should remain tagged, we call
EnsurePhiInputsTagged to ensure that it only has tagged inputs, which
calls EnsurePhiTagged, which might cause retagging of any untagged
phi it has as input.

In order to avoid retagging multiple times the same Phi, we have a
SnapshotTable (`phi_taggings_`), which records existing tagging in the
predecessors, and in which EnsurePhiTagged looks to avoid creating
new retagging nodes. For loop phis, the backedge predecessor won't
have an entry yet in this SnapshotTable (since we only visit loops
once, this has to be the first time we visit the header and thus
we can't have already visited the backedge block), and we should
thus not call EnsurePhiTagged on the backedge.

Note that the backedge input will anyways be properly tagged when
FixLoopPhisBackedge is later called from the JumpLoop backedge.

Fixed: chromium:382190919
(cherry picked from commit e4ecfc909687511aeb20b88ce6ae2a7a1a80afe5)

Change-Id: Ib24f311cb443eabe278f537c00bbc3274bf82415
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6084686
Auto-Submit: Olivier Flückiger <[email protected]>
Commit-Queue: Olivier Flückiger <[email protected]>
Commit-Queue: Camillo Bruni <[email protected]>
Reviewed-by: Camillo Bruni <[email protected]>
Cr-Commit-Position: refs/branch-heads/13.0@{#41}
Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1}
Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/615314
Reviewed-by: Michal Klocek <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Jan 22, 2025
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/6084686:
Merged: [maglev] Avoid retagging loop phi backedges too early

When we decide that a loop phi should remain tagged, we call
EnsurePhiInputsTagged to ensure that it only has tagged inputs, which
calls EnsurePhiTagged, which might cause retagging of any untagged
phi it has as input.

In order to avoid retagging multiple times the same Phi, we have a
SnapshotTable (`phi_taggings_`), which records existing tagging in the
predecessors, and in which EnsurePhiTagged looks to avoid creating
new retagging nodes. For loop phis, the backedge predecessor won't
have an entry yet in this SnapshotTable (since we only visit loops
once, this has to be the first time we visit the header and thus
we can't have already visited the backedge block), and we should
thus not call EnsurePhiTagged on the backedge.

Note that the backedge input will anyways be properly tagged when
FixLoopPhisBackedge is later called from the JumpLoop backedge.

Fixed: chromium:382190919
(cherry picked from commit e4ecfc909687511aeb20b88ce6ae2a7a1a80afe5)

Change-Id: Ib24f311cb443eabe278f537c00bbc3274bf82415
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6084686
Auto-Submit: Olivier Flückiger <[email protected]>
Commit-Queue: Olivier Flückiger <[email protected]>
Commit-Queue: Camillo Bruni <[email protected]>
Reviewed-by: Camillo Bruni <[email protected]>
Cr-Commit-Position: refs/branch-heads/13.0@{#41}
Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1}
Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/615318
Reviewed-by: Anu Aliyas <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Jan 22, 2025
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/6097572:
Merged: [ic] fix Object.assign clearing object hashes

The Object.assign fastcase should not override the hash of the to
object.

Bug: 383647255
(cherry picked from commit 357d0dd4bc7f64eb81cdf49c5cf3699cf151909d)

Change-Id: I2bbf10614d7997a396800cef33144875309010d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6097572
Reviewed-by: Camillo Bruni <[email protected]>
Commit-Queue: Igor Sheludko <[email protected]>
Cr-Commit-Position: refs/branch-heads/13.0@{#43}
Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1}
Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/615320
Reviewed-by: Anu Aliyas <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Jan 22, 2025
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/6097632:
Merged: [turboshaft][wasm] WasmGCTypeAnalyzer: Fix phi input for single-block loops

Fixed: 383356864
(cherry picked from commit f231d83cb3c08754413b3ee1aa249cebd4d5445f)

Change-Id: I3247f6071a9a27eaef49ae8981b7eea93f83dc55
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6097632
Reviewed-by: Eva Herencsárová <[email protected]>
Auto-Submit: Jakob Kummerow <[email protected]>
Commit-Queue: Eva Herencsárová <[email protected]>
Commit-Queue: Jakob Kummerow <[email protected]>
Cr-Commit-Position: refs/branch-heads/13.0@{#45}
Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1}
Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/615722
Reviewed-by: Anu Aliyas <[email protected]>
qtprojectorg pushed a commit that referenced this pull request Jan 22, 2025
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/6097772:
Merged: [turboshaft][wasm] WasmGCTypeAnalyzer: Fix single-block loops properly

While https://crrev.com/c/6087921 fixed a bug where the type in the
loop header revisit was reflecting "older" knowledge, it didn't address
the general issue of loop phi dependencies in single-block loops where
it might require many iterations until all type information has
stabilized.

The fix linked above also introduces too specific DCHECKs, as even
outside of single-block loops we can end up with phis where a phi input
appears in the same block before the phi itself.
The binaryen fuzzer found the following pattern:
  v113 = Phi(v26, v113)
  v114 = Phi(v26, v113)

In follow-up changes it should be ensured that the useless phi v113
doesn't get emitted, then v114 wouldn't have that issue (and it could
also be removed.)

(cherry picked from commit c84e01e92bfd61d29541c59e378b9a15ba6fc891)

Fixed: 383356864
Bug: 383814042
Change-Id: I222dc493bf0a2613d14ebb7df2bdeca931c8daa6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6097772
Auto-Submit: Jakob Kummerow <[email protected]>
Commit-Queue: Eva Herencsárová <[email protected]>
Reviewed-by: Eva Herencsárová <[email protected]>
Commit-Queue: Jakob Kummerow <[email protected]>
Cr-Commit-Position: refs/branch-heads/13.0@{#47}
Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1}
Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/615723
Reviewed-by: Anu Aliyas <[email protected]>