Commit Graph

1126 Commits

Author SHA1 Message Date
jarin@chromium.org
00e90b7e6e Remove deoptimization by patching the call stack.
We go back to patching the code for lazy deoptimization because ICs need the on-stack return address to read/update the IC address/state.

The change also fixes bunch of tests, mostly by adding more deoptimization points.

(We still need to add code to ensure lazy deopt patching does not overwrite ICs and other lazy deopts; this is coming next.)

BUG=
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/568783002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23934 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-15 09:21:39 +00:00
jarin@chromium.org
e401262400 Reland "Change the order of arguments of the (One|Two)ByteSeqStringSetChar intrinsic."
This relands commit r23899.

BUG=
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/565093002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23910 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-12 10:58:43 +00:00
jarin@chromium.org
bc0674d0a7 Revert "Change the order of arguments of the (One|Two)ByteSeqStringSetChar intrinsic."
This reverts commit r23899.

TBR=ulan@chromium.org

Review URL: https://codereview.chromium.org/552253003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23902 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-12 08:49:22 +00:00
jkummerow@chromium.org
b4375b77ec Fix Smi vs. HeapObject confusion in HConstants.
Representation and HType should agree with each other.

BUG=chromium:412215
LOG=y
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/556563005

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23901 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-12 08:44:14 +00:00
jarin@chromium.org
91e97f8371 Change the order of arguments of the (One|Two)ByteSeqStringSetChar intrinsic.
This makes the syntactic order consistent with the evaluation order.

BUG=
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/561133005

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23899 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-12 08:18:29 +00:00
rossberg@chromium.org
fc71f7fdb3 Fix inaccurate type condition in Hydrogen
R=bmeurer@chromium.org
BUG=chromium:412210
LOG=Y

Review URL: https://codereview.chromium.org/550453003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23873 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-11 12:13:34 +00:00
jkummerow@chromium.org
bd97fcaed0 Fix regress-crbug-412203.js
R=ulan@chromium.org

Review URL: https://codereview.chromium.org/563733002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23869 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-11 11:47:39 +00:00
jkummerow@chromium.org
11f7584d0a Fix ElementsKind handling of prototypes in Array.concat
Double elements, typed elements, and sloppy arguments elements were all erroneously marked UNREACHABLE.

BUG=chromium:412203
LOG=n
R=ulan@chromium.org

Review URL: https://codereview.chromium.org/560463002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23863 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-11 10:04:13 +00:00
ulan@chromium.org
d66ed1176f Don't inline Array functions if receiver map is not extensible.
BUG=405517
LOG=N
TEST=mjsunit/regress/regress-crbug-405517.js
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/552333002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23828 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-10 09:22:13 +00:00
ulan@chromium.org
99301fc8c5 Fix regress-411210 after r23824.
BUG=
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/559863004

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23827 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-10 08:48:40 +00:00
hpayer@chromium.org
ed37edc5c0 Remove guard page mechanism from promotion queue.
BUG=chromium:411210
LOG=n
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/557243002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23824 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-10 07:51:29 +00:00
jarin@chromium.org
01d63e43b2 Handle non-object constants in HConstant::GetMonomorphicJSObjectMap.
R=ulan@chromium.org
BUG=chromium:412162
LOG=N

Review URL: https://codereview.chromium.org/552243002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23803 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-09 12:58:34 +00:00
jkummerow@chromium.org
fd3e505fb6 Hydrogen: bailout when there is a throw statement in a non-effect context.
This mirrors the behavior of the compilation pipeline before recent OptimizeFunctionOnNextCall changes.

BUG=chromium:412208
LOG=n
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/558593002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23799 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-09 12:16:33 +00:00
yangguo@chromium.org
4b0c076052 Turn old space cons strings into regular external strings (not short).
R=hpayer@chromium.org
BUG=v8:3530
LOG=N

Review URL: https://codereview.chromium.org/368223002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23794 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-09 11:41:56 +00:00
jarin@chromium.org
83af12c21b Harden OptimizeFunctionOnNextCall.
BUG=411237
LOG=N
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/547553003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23743 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-05 15:13:44 +00:00
verwaest@chromium.org
1dddf69fdc Allocate a new empty number dictionary when resetting elements
BUG=410332
LOG=y
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/545773003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23727 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-05 11:38:22 +00:00
jarin@chromium.org
b74fae5511 Fix EvacuateJSFunction to obtain the target address from the forwarding pointer.
R=mstarzinger@chromium.org
BUG=410912
LOG=N

Review URL: https://codereview.chromium.org/541353003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23722 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-05 09:38:04 +00:00
titzer@chromium.org
4923810a68 Remove redundant --always-full-compiler flag.
R=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/538613006

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23703 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-04 16:29:47 +00:00
jarin@chromium.org
1afada8d04 Ignore numbers as values of --expose-natives-as flag.
R=yangguo@chromium.org
BUG=408036
LOG=N

Review URL: https://codereview.chromium.org/534943004

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23700 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-04 15:05:06 +00:00
bmeurer@chromium.org
0baf275e20 Enforce correct number comparisons when inlining Array.indexOf.
TEST=mjsunit/regress/regress-crbug-407946
BUG=407946
LOG=y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/536393003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23691 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-04 12:25:57 +00:00
jarin@chromium.org
7572e779d0 Exclude LoadMutableDouble and FunctionBindArguments from fuzzing.
BUG=409542,410262
LOG=N
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/535153002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23663 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-03 14:28:46 +00:00
verwaest@chromium.org
03b0237e1d Fix loading non-configurable non-writable value from a constant with mismatching type feedback
BUG=410209
LOG=n
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/534093003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23650 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-03 12:13:46 +00:00
jarin@chromium.org
a668cd6fc8 Context deoptimization and removal of the deoptimization block in Turbofan
This adds context deoptimization to Turbofan and Crankshaft (also submitted separately as https://codereview.chromium.org/515723004/).

The second patchset removes the deoptimization/continuation block from calls.

BUG=
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/522873002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23547 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-01 09:31:14 +00:00
jarin@chromium.org
73da434b8e Fix manual allocation folding of RegExpConstructResult.
R=mstarzinger@chromium.org
BUG=409533
LOG=N

Review URL: https://codereview.chromium.org/532453003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23543 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-09-01 08:08:31 +00:00
verwaest@chromium.org
2a37ab79ad Fixed inlining of constant values
Use CopyToRepresentation to elide HForceRepresentation of HConstant

BUG=v8:3529
LOG=y
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/507613002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23397 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-08-26 11:34:25 +00:00
yangguo@chromium.org
ba09fa35fd Handle null receiver in sloppy mode in %GetFrameDetails.
R=jarin@chromium.org
BUG=405922
LOG=N

Review URL: https://codereview.chromium.org/492303006

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23312 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-08-22 12:55:23 +00:00
bmeurer@chromium.org
0142786cea Don't inline Array.shift() if receiver map is not extensible.
TEST=mjsunit/regress/regress-crbug-405517
BUG=405517
LOG=y
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/491863002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23255 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-08-21 06:23:44 +00:00
yangguo@chromium.org
f7947b8ec4 Fix --expose-debug-as with number as argument.
R=jkummerow@chromium.org
BUG=405491
LOG=N

Review URL: https://codereview.chromium.org/468803004

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23228 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-08-20 11:52:22 +00:00
hpayer@chromium.org
91599ffc6c Do not install fillers when right trimming large objects.
BUG=
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/487703002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23183 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-08-19 08:35:39 +00:00
jkummerow@chromium.org
dacca11cb9 Correctly handle holes when concat()ing double arrays
BUG=chromium:403409
LOG=y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/468863003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23144 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-08-18 08:51:35 +00:00
dslomov@chromium.org
eebb61a3f9 Fix OrderedHashTabelIterator accessors.
They might be undefined for uninitialized iterators.
The rest of the code is ready for this eventuality.

R=arv@chromium.org, adamk@chromium.org
BUG=403292
LOG=N

Review URL: https://codereview.chromium.org/468813003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23126 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-08-14 10:24:19 +00:00
yangguo@chromium.org
413b20b6c1 Make %DebugPushPromise more robust wrt fuzzing.
If %DebugPushPromise and throwing is called outside its intended context,
we may encounter assertion failures.

R=hpayer@chromium.org
BUG=401915
LOG=N

Review URL: https://codereview.chromium.org/453933002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23023 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-08-11 07:59:10 +00:00
adamk@chromium.org
bcf8b05072 Enable ES6 Map and Set by default
In doing so also remove all references to the --harmony-collections flag.
Due to the way context snapshotting works, it's not possible to simply
enable the flag by default.

Depends on ES6 Symbols: https://codereview.chromium.org/421313004

BUG=v8:1622
LOG=Y
R=arv@chromium.org, rossberg@chromium.org

Review URL: https://codereview.chromium.org/427723002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22889 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-08-05 19:37:32 +00:00
adamk@chromium.org
d8c30bd8e7 Enable ES6 Symbols by default
In doing so also remove all references to the --harmony-symbols flag.
Due to the way context snapshotting works, it's not possible to simply enable
the flag by default.

BUG=v8:2158
LOG=Y
R=dslomov@chromium.org

Review URL: https://codereview.chromium.org/421313004

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22831 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-08-04 18:17:54 +00:00
mstarzinger@chromium.org
57c315d0b3 Fix handling of potential string additions in hydrogen.
R=titzer@chromium.org
TEST=mjsunit/regress/regress-3476
BUG=v8:3476
LOG=N

Review URL: https://codereview.chromium.org/423083004

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22677 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-07-29 14:53:11 +00:00
verwaest@chromium.org
f08d2690c6 Fix Object.freeze with field type tracking.
Keep the descriptor properly intact while update the field type.

BUG=v8:3458
LOG=y
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/424093002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22671 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-07-29 13:30:29 +00:00
mvstanton@chromium.org
6980c4277c CallIC customization stubs must accept that a vector slot is cleared.
The CallIC Array custom IC stub read from the type vector, expecting
to get an AllocationSite. But there are paths in the system where a
type vector can be re-created with default values, even though we
currently grant an exception to clearing of vector slots with
AllocationSites in them at gc time.

BUG=392114
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/418023002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22668 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-07-29 11:53:30 +00:00
danno@chromium.org
afcfa7d2b7 Keep new arrays allocated with 'new Array(N)' in fast mode (revisited)
Also explicit length setting with a.length = N should remain in fast mode.

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/416403002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22645 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-07-28 13:12:26 +00:00
verwaest@chromium.org
60df9dabad In GrowMode, force the value to the right representation to avoid deopts between storing the length and storing the value.
BUG=16459193
LOG=n
R=danno@chromium.org

Review URL: https://codereview.chromium.org/419683004

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22616 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-07-25 11:48:25 +00:00
verwaest@chromium.org
77a37e44f6 Fix issue with setters and their holders in accessors.cc
BUG=3462
LOG=Y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/417793002

Patch from Erik Arvidsson <arv@chromium.org>.

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22606 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-07-24 16:42:54 +00:00
danno@chromium.org
b5a5148260 Revert 22595: "Keep new arrays allocated with 'new Array(N)' in fast mode"
Due to failures in mjsunit/array-functions-prototype-misc

TBR=verwaest@chromium.org

Review URL: https://codereview.chromium.org/417953004

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22601 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-07-24 13:38:05 +00:00
danno@chromium.org
ac89b17813 Keep new arrays allocated with 'new Array(N)' in fast mode
Also explicit length setting with a.length = N should remain in fast mode.

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/397593008

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22595 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-07-24 12:08:23 +00:00
verwaest@chromium.org
6798779031 Fix ArrayLengthSetter to not throw on non-extensible receivers.
BUG=v8:3460
LOG=n
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/411983003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-07-23 20:27:32 +00:00
danno@chromium.org
1d2a4b8333 Remove experimental flags that are now required
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/397253002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22461 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-07-18 07:17:21 +00:00
rodolph.perfetta@arm.com
56ec59bd26 ARM64: always restore regexp register cache after a C function call.
BUG=v8:3444
TEST=mjsunit/regress/regress-regexp-nocase.js
LOG=N
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/392403002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22443 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-07-17 09:55:48 +00:00
yangguo@chromium.org
49ae3081d2 Error.captureStackTrace should define "stack" property as configurable.
R=verwaest@chromium.org
BUG=393988
LOG=N

Review URL: https://codereview.chromium.org/396063008

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22420 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-07-16 07:55:05 +00:00
verwaest@chromium.org
1d55a634a9 Replace AddProperty by AddNamedProperty to speed up the common case
BUG=
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/384003003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22381 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-07-14 14:05:30 +00:00
verwaest@chromium.org
aa7198dfdd This CL simplifies var / const by ensuring the behavior is consistent in itself, and with regular JS semantics; between regular var/const and eval-ed var/const.
Legacy const is changed so that a declaration declares a configurable, but non-writable, slot, and the initializer reconfigures it (when possible) to non-configurable non-writable. This avoids the need for "the hole" as marker value in JSContextExtensionObjects and GlobalObjects. Undefined is used instead.

BUG=
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/379893002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22379 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-07-14 14:01:04 +00:00
jarin@chromium.org
457de26330 Fix arm64 deoptimization from double registers (reverts r20613).
This reverts "ARM64: Use pair memory access in deoptimizer entry", r20613. It does not really make sense to micro-optimize the deoptimizer as it is the ultra-slow path. Moreover, the original code was easier to read (in addition to being correct).

BUG=391313
LOG=N
R=ulan@chromium.org

Review URL: https://codereview.chromium.org/389583003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22360 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-07-11 19:30:09 +00:00
mstarzinger@chromium.org
50beec9738 Follow-up to a pre-existing regression test.
R=yangguo@chromium.org
BUG=v8:1530,v8:1872
TEST=mjsunit/regress/regress-1530
LOG=N

Review URL: https://codereview.chromium.org/378233006

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22295 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-07-09 10:23:58 +00:00