whesse@chromium.org
04e9399694
Fix V8 issue 580: Arithmetic on some integer constants gives wrong answers.
Review URL: http://codereview.chromium.org/545134
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3664 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2010-01-20 17:01:34 +00:00
mikhail.naganov@gmail.com
23fe22e7c8
Fix build problems.
Review URL: http://codereview.chromium.org/543087
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3622 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2010-01-15 20:15:47 +00:00
mikhail.naganov@gmail.com
a3c0f20035
Submit Object.getOwnPropertyNames patch by Pavel Feldman. See http://codereview.chromium.org/549050 .
Add copyright to regression test to fix build broken by r3619.
TBR=sgjesse@chromium.org
Review URL: http://codereview.chromium.org/542092
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3620 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2010-01-15 15:34:32 +00:00
sgjesse@chromium.org
562f90d375
Ensure correct boxing of values when calling functions on them
When a function is called with a value type as the receiver this is now boxed as an object.
This is a low-impact solution where the receiver is only boxed when required. For IC calls to the V8 builtins values are not boxed and as most of the functions on String.prototype, Number.prototype and Boolean.prototype are sitting there most IC calls on values will not need any boxing of the receiver.
For calls which are not IC calls but calls through the CallFunctionStub a flag is used to determine whether the receiver might be a value and only when that is the case will the receiver be boxed.
No changes to Function.call and Function.apply - they already boxed values. According to the ES5 spec the receiver should not be boxed for these functions, but current browsers have not adopted that change yet.
BUG=223
TEST=test/mjsunit/value-wrapper.js
TEST=test/mjsunit/regress/regress-crbug-3184.js
Review URL: http://codereview.chromium.org/542087
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3617 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2010-01-15 13:42:32 +00:00
sgjesse@chromium.org
44b7c59eb5
Extend the maximum size map space
On 32-bit the maps are now aligned on a 32-byte boundary in order to encode more maps during compacting GC. The actual size of a map on 32-bit is 28 bytes making this change waste 4 bytes per map.
On 64-bit the encoding for compacting GC is now using more than 32-bits and the maps here are still pointer size aligned. The actual size of a map on 64-bit is 48 bytes and this change does not introduce any waste.
My choice of 16 bits for kMapPageIndexBits for 64-bit should give the same maximum number of pages (8K) for map space. As maps on 64-bit are larger than on 32-bit the total number of maps on 64-bit will be smaller than on 32-bit. We could consider raising this to 17 or 18.
I moved the kPageSizeBits to globals.h as the calculation of the encoding really depended on this.
There is still an #ifdef/#endif in objects.h and this constant could be moved to globals.h as well, but I kept it together with the related constants.
All the tests run in debug mode with additional options --gc-global --always-compact as well (except for a few tests which also fail before this change when run with --gc-global --always-compact).
BUG=http://code.google.com/p/v8/issues/detail?id=524
BUG=http://crbug.com/29428
TEST=test/mjsunit/regress/regress-524.js
Review URL: http://codereview.chromium.org/504026
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3481 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-12-17 08:53:18 +00:00
lrn@chromium.org
5bbb1d7bd6
Fix for issue 545: don't reuse this VariableProxy.
Review URL: http://codereview.chromium.org/464069
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3432 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-12-08 09:43:51 +00:00
kmillikin@chromium.org
0bf2822266
The toplevel code generator assumed that declarations did not shadow
parameters. This could cause the initial value to be lost or worse, a
crash.
Fix by handling the case of a declaration shadowing both
stack-allocated parameters and those in the arguments object.
This is related to V8 issue 540.
http://code.google.com/p/v8/issues/detail?id=540
BUG=29565
Review URL: http://codereview.chromium.org/469006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3429 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-12-07 13:31:47 +00:00
kmillikin@chromium.org
7266bd0b9a
Fix issue 540 by handling the case that a declaration is in the
arguments object.
See http://code.google.com/p/v8/issues/detail?id=540
Review URL: http://codereview.chromium.org/460070
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3421 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-12-04 11:59:09 +00:00
erik.corry@gmail.com
a0e12a3124
Fix toLocaleString-related breakage on buildbot.
TBR=ager
Review URL: http://codereview.chromium.org/449055
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3392 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-12-01 14:19:23 +00:00
fschneider@chromium.org
1c90793581
Fix bug in the fast compiler's object literal code
Fixes issue 526:
BUG=http://code.google.com/p/v8/issues/detail?id=526
The object literals code in the fast compiler returned an incorrect result
when getters or setters are defined together with computed properties.
Added a regression test that captures the most reduced version of this
problem.
Also added a test for object literals with getters/setters and
prototype properties.
Review URL: http://codereview.chromium.org/444001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3370 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-26 21:13:20 +00:00
ager@chromium.org
3cf9ce4736
Fix crash in string replace with regexp. If the suffix of the subject
string is larger than 2047 chars we will encode the slice as two Smis
instead of one. The calculation of the max size of the string builder
did not take this into account.
BUG=http://code.google.com/p/v8/issues/detail?id=515
Review URL: http://codereview.chromium.org/402056
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3334 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-18 18:48:04 +00:00
erik.corry@gmail.com
cc3896dfac
Fix bug 503: undefined <= undefined should return false on ARM.
Review URL: http://codereview.chromium.org/399001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3309 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-16 14:12:27 +00:00
fschneider@chromium.org
2e3e770ab9
Add a regression test that exposes a stack corruption problem.
See http://code.google.com/p/chromium/issues/detail?id=27227
Review URL: http://codereview.chromium.org/385092
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3303 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-13 13:58:48 +00:00
christian.plesner.hansen@gmail.com
5d4d5944dd
Remove special-case for arguments.toString to match ES5
Patch by Jan de Mooij <jandemooij@gmail.com>
Review: http://codereview.chromium.org/273073
Review URL: http://codereview.chromium.org/389008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3279 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-11 11:28:37 +00:00
ager@chromium.org
2252cc1bc9
Fix inline constructor code bailout.
Remove variable that is currently unused.
BUG=http://code.google.com/p/v8/issues/detail?id=502
Review URL: http://codereview.chromium.org/392001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3267 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-11 09:00:09 +00:00
erik.corry@gmail.com
57c919e414
Fix bug 486, Cyrillic character ranges in case independent regexps.
http://code.google.com/p/v8/issues/detail?id=486
Review URL: http://codereview.chromium.org/361033
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3236 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-06 11:15:20 +00:00
ager@chromium.org
f39fbb206e
Fix case where we treat an unaliased call to eval as an aliased call
to eval.
BUG=http://code.google.com/p/v8/issues/detail?id=496
Review URL: http://codereview.chromium.org/366027
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3225 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-05 11:19:37 +00:00
sgjesse@chromium.org
77a71c90c7
Fix issue 491: constantpool dump violates ARM debugger assertion for return point
The generation of the return sequence is now protected from having the constant pool emitted inside of it in both compilers.
BUG=http://code.google.com/p/v8/issues/detail?id=491
TEST=test/mjsunit/regress/regress-491.js
Review URL: http://codereview.chromium.org/362003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3215 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-04 14:45:50 +00:00
sgjesse@chromium.org
54ec6c031a
Fix issue 492: ARM debug crash: mozilla/ecma/FunctionObjects/15.3.1.1-3
When the number of parameters times 4 (kPointerSize) to a function cannot be encoded in 12 bits the return sequence gets one more instruction. Changed the assertion to check for this case.
BUG=http://code.google.com/p/v8/issues/detail?id=492
TEST=test/mjsunit/regress/regress-492.js
Review URL: http://codereview.chromium.org/354028
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3211 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-04 10:04:22 +00:00
sgjesse@chromium.org
b4c11d0816
Don't use string slices when processing RegExp replace (re-apply r3153)
Re-apply r3153 with a fix for issue 490. Except for the change in line 1756 and the added test this change is identical to http://codereview.chromium.org/342015 .
BUG=490
TEST=test/mjsunit/regress/regress-490.js
Review URL: http://codereview.chromium.org/341064
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3197 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-02 12:21:43 +00:00
lrn@chromium.org
0aecc29024
Issue 485: Fix leak of builtins object through call and apply functions.
Review URL: http://codereview.chromium.org/345007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3164 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-10-28 13:51:30 +00:00
sgjesse@chromium.org
7a509f2101
Fix issue with running some constructors having only this.x = ... assignments.
If we had compiled the comment instead of the code it would have worked.
BUG=483
TEST=mjsunit/regress/regress-483.js
Review URL: http://codereview.chromium.org/332007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3120 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-10-23 12:18:47 +00:00
sgjesse@chromium.org
a637f45385
Fix issue 475
The check for arguments in registers in one of the three versions of GenericBinaryOpStub::GenerateCall was plain wrong.
BUG=475
TEST=mjsunit/regress/regress-475.js
Review URL: http://codereview.chromium.org/307002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3092 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-10-20 12:13:31 +00:00
peter.rybin@gmail.com
3b955790a0
Redo "running" field in debug-delay.js and support "suspend" command
It also fixes "backtrace" command so that it didn't give away random stack if we are running
Review URL: http://codereview.chromium.org/242034
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3077 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-10-15 20:06:08 +00:00
lrn@chromium.org
aed6a37c10
X64: Convert smis to holding 32 bits of payload.
Review URL: http://codereview.chromium.org/196139
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3037 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-10-08 12:36:12 +00:00
ager@chromium.org
e9acdc7a00
Follow the spec in disallowing function declarations without a name. We
used to allow these for compatibility, but both Safari and Firefox now
disallow them.
Review URL: http://codereview.chromium.org/242124
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3009 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-10-02 12:47:15 +00:00
kasperl@chromium.org
6621a43833
Add regression test case for http://crbug.com/18639 which
was fixed in r2642.
Review URL: http://codereview.chromium.org/192037
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2840 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-09-08 07:22:35 +00:00
whesse@chromium.org
3703231636
Add safe handling of NaN to Posix platform-dependent time functions.
Review URL: http://codereview.chromium.org/160580
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2615 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-08-04 09:41:18 +00:00
whesse@chromium.org
18c6337a2c
Fix an error in a keyed lookup stub - HeapNumbers treated as strings.
Review URL: http://codereview.chromium.org/155924
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2527 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-07-23 13:01:17 +00:00
kmillikin@chromium.org
1ca19c383d
Fix ARM compiler crash in short-circuited boolean expressions.
We did not handle the case where the left-hand-side expression was
fully compiled to control flow. There were also some assertions for
unary and binary expressions that crashed debug builds when the
expression was fully compiled to control flow.
Regression test added.
Review URL: http://codereview.chromium.org/160006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2524 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-07-23 11:40:14 +00:00
kmillikin@chromium.org
6443cb99f7
Fix issue 345 by avoiding duplicates in the list of escaping labels
from a try...catch...finally statement.
Review URL: http://codereview.chromium.org/149670
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2466 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-07-15 08:57:25 +00:00
lrn@chromium.org
e3bb851efb
X64: Fix bug in left-shift.
Also changed a few other places that looked suspicious in the same way.
Added more info to failing test case and rewrote incorrect uses of mjsunit "fail" function.
Review URL: http://codereview.chromium.org/155279
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2409 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-07-09 08:00:12 +00:00
kasperl@chromium.org
b0f411c298
Fix issue 397 and issue 399.
Review URL: http://codereview.chromium.org/149247
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2372 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-07-07 11:57:09 +00:00
kasperl@chromium.org
f0053e89aa
Add regression test case for issue 396.
Review URL: http://codereview.chromium.org/150215
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2333 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-07-02 09:08:15 +00:00
sgjesse@chromium.org
25405ddd9c
Handle JavaScript accessors on the global object.
With the new representation of the global object adding JavaScript accessors for a property after global inline caches were created for that property did not work properly as the inline caches did not take the JavaScript accessor information (fixed array with two elements) that could be present in a global object property cell into account.
This is now fixed by changing the map for a global object when a JavaScript accessor is defined on it.
BUG=394
TEST=test\mjsunit\regress\regress-394.js
Review URL: http://codereview.chromium.org/150162
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2317 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-07-01 11:20:33 +00:00
kasperl@chromium.org
3ae01ab8ef
Fix issue 392 by disabling the TakeValue optimization for
access to the arguments object.
Review URL: http://codereview.chromium.org/150016
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2285 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-06-29 06:20:52 +00:00
lrn@chromium.org
2dd9717c4b
Fix bug in static type inference for loops.
Review URL: http://codereview.chromium.org/140058
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2236 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-06-22 12:36:01 +00:00
whesse@chromium.org
74ddab9d94
Fix issue 386, a bug in JSObject::ReplaceSlowProperty with constant transitions.
Review URL: http://codereview.chromium.org/141031
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2228 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-06-22 07:41:15 +00:00
erik.corry@gmail.com
e2a01ed4fb
Fix regexp bug reported by Ian where [6-9] would match any digit.
Review URL: http://codereview.chromium.org/140021
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2226 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-06-20 17:57:09 +00:00
lrn@chromium.org
945245393c
Fix for issue 351 - lastIndexOf.
Review URL: http://codereview.chromium.org/113838
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2060 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-05-26 15:42:06 +00:00
lrn@chromium.org
2ff3901cf7
Fix for issue 349: Make initial boundary check for BM text search.
There was a case where the BMH algorithm bailed out exactly at the end of the string, and the BM algorithm that takes over wasn't expecting this.
Review URL: http://codereview.chromium.org/113575
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1995 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-05-19 09:01:03 +00:00
whesse@chromium.org
1ae8a7da3d
Fix bug 344: always keep attributes of existing properties.
Review URL: http://codereview.chromium.org/113197
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1931 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-05-13 10:46:28 +00:00
kmillikin@chromium.org
18f69a7171
Fix for issue 341. In the stub for instanceof, we could try to read
an object's map before we were sure it was a heap object.
Review URL: http://codereview.chromium.org/115236
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1914 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-05-12 11:40:14 +00:00
lrn@chromium.org
889eac7f13
Fix Issue 326. Handle sorting of non-array objects correctly.
Change handling of sorting to be the same for all JS-arrays.
Collect undefined values as well while removing holes.
Review URL: http://codereview.chromium.org/92123
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1800 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-04-27 11:16:59 +00:00
kmillikin@chromium.org
cb9d66638b
Fix regression test by wrapping expression in a thunk^H^H^H^H^Hstring.
Review URL: http://codereview.chromium.org/95001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1776 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-04-22 17:44:28 +00:00
kmillikin@chromium.org
b39f4383dc
When merging a frame to an expected one at block entry, the static type
of elements is set to a safe lower bound. Move the setting of the
static type out of VirtualFrame::MergeTo (which is not necessarily run
for all frames) and into VirtualFrame::PrepareMergeTo (which is).
Review URL: http://codereview.chromium.org/92009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1767 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-04-22 13:19:38 +00:00
lrn@chromium.org
bfb33b1e2f
Fix for Issue 317 - bug in string.replace(string, "$foo").
Fix for Issue 317. Replace string with something containing dollar now works.
Review URL: http://codereview.chromium.org/94002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1764 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-04-22 11:43:05 +00:00
kmillikin@chromium.org
22896c8304
Change the function name collector to tolerate expressions that contain
multiple anonymous function literals as subexpressions.
Choose the rightmost one as the one to attach a name to.
Review URL: http://codereview.chromium.org/67165
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1715 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-04-15 13:14:23 +00:00
sgjesse@chromium.org
a74fcf458c
Fixed the step in handling for function.apply.
The generic step-in mechanism floods the function called with break points to ensure a break is hit when entering the function. This generic mechanism was also used for function.apply. The code for function.apply contains a keyed load IC which was patched when stepping into function.apply. However function.apply enters an internal frame not a JavaScript frame. This caused the logic for returning from the break in function.apply to fail as it forced a jump to the IC on the top JavaScript frame. The top JavaScript frame was the frame for the function calling function.apply not the frame for the apply function. Now returning from the break point in the keyed load IC in the apply code caused a jump to the code for the call IC for the function calling function.apply in the first place. Not a pretty sight.
Step-in now handles function.apply as a separate case where the actual JavaScript function called through apply is flooded with breakpoints instead of the function.apply function.
BUG=269
BUG=8210@chromium.org
Review URL: http://codereview.chromium.org/63055
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1683 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-04-07 09:54:53 +00:00
kmillikin@chromium.org
c80b013999
Fix issue 294 by ensuring that we don't lose the copy flag on memory
frame elements when allocating them to a register as a result of
popping one of their copies.
Review URL: http://codereview.chromium.org/57053
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1655 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-31 14:01:25 +00:00