CPU-eating DOS attacks against node.js servers. Based on code from
Bert Belder. This version only solves the issue for those that compile
V8 themselves or those that do not use snapshots. A snapshot-based
precompiled V8 will still have predictable string hash codes.
Review URL: http://codereview.chromium.org/9086006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10330 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Port r10280 (5f6aec5).
Original commit message:
Tell the register allocator the value is not overwritten. Never use
temporary registers on ia32, avoid them on x64 and ARM. Restore the
original copyright date on assembler.cc.
BUG=
TEST=
Review URL: http://codereview.chromium.org/9004017
Patch from Daniel Kalmar <kalmard@homejinni.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10281 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This introduces an additional check into the StoreIC_ArrayLength builtin
checking that the array still has fast properties. Redifinitions of the
length property that would cause it's type or attributes to change, will
switch to slow properties, thereby invalidating said optimization.
R=svenpanne@chromium.org
BUG=v8:1756
TEST=test262
Review URL: http://codereview.chromium.org/8895025
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10254 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Port r10220 (1dae466).
Original commit message:
This CL adds support for loading from and storing to context slots
belonging to harmony let or const bound variables. Checks for the
hole value are performed and the function is deoptimized if they fail.
The full-codegen generated code will take care of properly throwing
a reference error in these cases.
BUG=
TEST=
Review URL: http://codereview.chromium.org/8897025
Patch from Daniel Kalmar <kalmard@homejinni.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10235 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Port r10219 (56686b).
Original commit message:
Now with arm and x64 support. Additionally, added default unreachable case to switch statement in CompareIC::TargetState to make win and mac compilers happy.
Reviewer guide:
This is an exact copy of 10216 except:
src/arm/*
src/x64/*
src/ic.cc (added default case to swith in CompareIC::TargetState)
BUG=
TEST=
Review URL: http://codereview.chromium.org/8896022
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10232 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Port r10085 (1ef7d5eb2).
This patch also contains a fix for StoreArrayLiteralElementStub::Generate which is only used from this code.
Original commit message:
Includes general array boilerplate copier and re-introduction FAST_ELEMENT optimizations in full-codegen.
BUG=
TEST=
Review URL: http://codereview.chromium.org/8743010
Patch from Daniel Kalmard <kalmard@homejinni.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10129 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Port r10061 (c648e1d1)
Original commit message:
This generates optimized code for deep-copying of nested object literal
boilerplates which are statically known. Most of the boilerplates have
already been generated at crankshaft time, so this optimization should
kick in for virtually every object literal. Only nested object literal
graphs up to a certain depth and containing up to a certain total number
of properties are considered for this optimization. This will prevent
explosion of code size due to large object literals (e.g. eval on JSON).
Improves splay performance because object literals are created often.
BUG=
TEST=
Review URL: http://codereview.chromium.org/8745012
Patch from Daniel Kalmar <kalmard@homejinni.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10128 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Port r10064 (9c6789a3)
Original commit message:
There is no test case to trigger any crash. This is only to guard against the case that the native function is called with unsafe arguments.
BUG=
TEST=
Review URL: http://codereview.chromium.org/8742012
Patch from Daniel Kalmar <kalmard@homejinni.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10097 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This shaves 416+ KB, just under 1% off the size of the debug d8 executable
on Linux (mostly because the CheckHelper functions for assertions were
getting separate copies for each compilation unit). The difference in
release builds is negligible---a size reduction of 0.1%.
Also, change namespace-level 'static const' variables to remove the static
storage class as it's the default.
R=danno@chromium.org
BUG=
TEST=
Review URL: http://codereview.chromium.org/8680013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10083 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This CL introduces a third mode next to the non-strict
(henceforth called 'classic mode') and 'strict mode'
which is called 'extended mode' as in the current
ES.next specification drafts. The extended mode is based on
the 'strict mode' and adds new functionality to it. This
means that most of the semantics of these two modes
coincide.
The 'extended mode' is entered instead of the 'strict mode'
during parsing when using the 'strict mode' directive
"use strict" and when the the harmony-scoping flag is
active. This should be changed once it is fully specified how the 'extended mode' is entered.
This change introduces a new 3 valued enum LanguageMode
(see globals.h) corresponding to the modes which is mostly
used by the frontend code. This includes the following
components:
* (Pre)Parser
* Compiler
* SharedFunctionInfo, Scope and ScopeInfo
* runtime functions: StoreContextSlot,
ResolvePossiblyDirectEval, InitializeVarGlobal,
DeclareGlobals
The old enum StrictModeFlag is still used in the backend
when the distinction between the 'strict mode' and the 'extended mode' does not matter. This includes:
* SetProperty runtime function, Delete builtin
* StoreIC and KeyedStoreIC
* StubCache
Review URL: http://codereview.chromium.org/8417035
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10062 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Port r9977 (9aded78be4).
Note: This is the port of the reapplied patch, not the original.
Original commit message:
To support deoptimization of exception handlers, the handler address in the
stack is converted to a pair of code object and an index into a separate
table of code offsets. The index part is invariant under deoptimization.
The index is packed into the handler state field so that handler size does
not change.
BUG=
TEST=
Review URL: http://codereview.chromium.org/8557003
Patch from Gergely Kis <gergely@homejinni.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10039 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Port r10006 (4b344a03).
Original commit message:
Changes the way we do lazy deoptimization:
1. For side-effect instructions, we insert the lazy-deopt call at
the following LLazyBailout instruction.
CALL
GAP
LAZY-BAILOUT ==> lazy-deopt-call
2. For other instructions (StackCheck) we insert it right after the
instruction since the deopt targets an earlier deoptimization environment.
STACK-CHECK
GAP ==> lazy-deopt-call
The pc of the lazy-deopt call that will be patched in is recorded in the
deoptimization input data. Each Lithium instruction can have 0..n safepoints.
All safepoints get the deoptimization index of the associated LAZY-BAILOUT
instruction. On lazy deoptimization we use the return-pc to find the safepoint.
The safepoint tells us the deoptimization index, which in turn finds us the
PC where to insert the lazy-deopt-call.
Additional changes:
* RegExpLiteral marked it as having side-effects so that it
gets an explicitlazy-bailout instruction (instead of
treating it specially like stack-checks)
* Enable target recording CallFunctionStub to achieve
more inlining on optimized code.
BUG=
TEST=
Review URL: http://codereview.chromium.org/8587008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10020 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
EmitIsObject is only called from one function, DoIsObjectAndBranch.
DoIsObjectAndBranch now passes the temp2 register to EmitIsObject
instead of simply relying on the two functions using the same
lithium scratch register.
BUG=
TEST=
Review URL: http://codereview.chromium.org/8588004
Patch from Gergely Kis <gergely@homejinni.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10017 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Changes:
-separated the two code-paths (constant power of 2 divisor similar to ARM and everything else)
-replaced a bailout condition with faster handling (negative modulo result)
-removed a possibly useless mov instruction from one path
-replaced the IsConstantOperand condition with the more meaningful HasPowerOf2Divisor (although in this specific case they're equivalent)
BUG=
TEST=
Review URL: http://codereview.chromium.org/8591002
Patch from Gergely Kis <gergely@homejinni.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10016 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
r9871 (5baeaf57) changed the fill value for deleted entries in hash tables from null_value to the_hole_value.
This commit changes an assertion in MIPS code that expects this value.
BUG=
TEST=
Review URL: http://codereview.chromium.org/8479028
Patch from Gergely Kis <gergely@homejinni.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9955 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Port r9909 (56c8728aa).
Original commit message:
Test at the bottom in the unwind loop. Eliminate the possibility of a
useless move to the eax/rax/r0 register (currently impossible because
this function has two call sites). Do not explicitly zero the context
because we've already saved 0 as the context in the handler.
BUG=
TEST=
Review URL: http://codereview.chromium.org/8507007
Patch from Gergely Kis <gergely@homejinni.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9923 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Port r9847 (fc7590).
Original commit message:
Also partition side effects into observable and not observable, with only observable requiring Simulates and non-observable changes able to participate in GVN and code hoisting.
BUG=
TEST=
Review URL: http://codereview.chromium.org/8387044
Patch from Gergely Kis <gergely@homejinni.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9866 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Port r9863 (0996dc77)
Original commit message:
This was pretty heavyweight. It was kept in just for a few corner cases
that assumed it was there. We can work around them by making sure that the
expression in a reified test context is always really the expression that
was visited in that context; and by inspecting the context manually and
consing up a pair of extra AST IDs for the unusual case of unary not in a
value AST context.
BUG=
TEST=
Review URL: http://codereview.chromium.org/8372085
Patch from Gergely Kis <gergely@homejinni.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9865 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This was pretty heavyweight. It was kept in just for a few corner cases
that assumed it was there. We can work around them by making sure that the
expression in a reified test context is always really the expression that
was visited in that context; and by inspecting the context manually and
consing up a pair of extra AST IDs for the unusual case of unary not in a
value AST context.
R=fschneider@chromium.org
BUG=
TEST=
Review URL: http://codereview.chromium.org/8386037
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9863 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Port r9837 (38061af).
Port r9834 (95ac04).
Original commit message (r9834):
Also, handlify functions for loading with interceptors and callbacks.
Remove some unneeded code. Rename Foreign::address() because it
confusingly shadows HeapObject::address() which does something quite
different.
BUG=
TEST=
Review URL: http://codereview.chromium.org/8400087
Patch from Gergely Kis <gergely@homejinni.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9844 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Previously we omitted all cases where the global eval property was shadowed,
even if by a variable holding the same value. ES5 requires us to treat these
as direct calls.
We still throw if calling indirect eval with a detached global object.
BUG=v8:994
TEST=mjsunit/eval.js
Review URL: http://codereview.chromium.org/8343054
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9838 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This ports the following list of commits to mips. It is provided in this form
so that the mips port of the new-gc can be easily tested on your end.
This must be downloaded or landed after http://codereview.chromium.org/8106002
This is based on r9585. With these two mips commits, all tests are passing.
9319 Fix a harmless assert and a genuine bug in the GC-safety of stub generation ...
9329 ARM: Pregenerate some stubs that we call from other stubs.
9335 Initialize pre-allocated fields of JSObject with undefined.
9344 Put back the asserts in RememberedSetHelper, but correct this time
9370 Reorganize object type enum, such that proxies are no longer in the middle...
9392 Basic support for tracking smi-only arrays on ia32.
9402 Notify collector about lazily deoptimized code objects.
9411 Porting r9392 to arm (smi-only arrays).
9418 Small refactor to KeyedStoreIC::GenerateGeneric to make it slightly faster.
9447 Tighten up assertions checking GC-safety of stub calls.
9449 Record function call targets, use them for inlining.
9459 Make sure we don't flush the pregenerated stubs, since they need to b
9461 Fix the build on ARM
9466 Move the is_pregenerated flag so it does not overlap other flags....
9468 Fix the no-VFP3 build on ARM.
9475 Pass correct anchor_slot for EMBEDDED_OBJECT pointers from
9490 Adjust assertions in UpdateSlot to match UpdatePointer in PointersUpdatingVisitor.
9511 Clean list of external references from internal objects like the hole value.
9514 Simplify compares in KeyedStoreIC::GenerateGeneric.
9531 Porting r9456 to arm (Optimize KeyedStoreGeneric for Smi arrays).
9541 Fix load of potentially eval-shadowed let bindings.
9542 Fast allocation of block contexts.
9553 Activate smi-only optimizations for large array literals.
9575 Move declaration of SerializedScopeInfo from variables.h to objects.h
9577 Track elements_kind transitions in KeyedStoreICs.
9583 Fixing a bug in arm as pointed out in issue 1759.
9584 Refactor and fix polymorphic KeyedStoreIC creation.
BUG=
TEST=
Review URL: http://codereview.chromium.org/8112008
Patch from Paul Lind <pling44@gmail.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9601 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This prevents potential misuse of SeqString::kHeaderSize as in the
case of live byte counting in incremental marking stub. All stubs
picked up the undefined size constant SeqString::kHeaderSize, thus
the computed size of all strings was off by two pointers slots.
R=lrn@chromium.org
BUG=v8:1672
TEST=mjsunit/object-seal.js,...
Review URL: http://codereview.chromium.org/7971009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9349 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Although this patch is not small, most parts of it are rather mechanical:
* First of all, the concept of a 'nil-like' value is introduced, which can be
null or undefined. They are treated symmetrically regarding comparisons, so
it makes sense to handle them in a uniform manner. It is a mystery why
JavaScript defines two of those beasts, when even *one* is a design wart...
* Extended and renamed a few things which now handle undefined in addition to
null.
* Made the parts of the full code generator and the hydrogen generation which
deal with comparisons a bit more similar regarding their handling of special
cases.
* Refactored the syntactical detection of special cases for comparisons,
hopefully making them a bit more readable and less copy-n-paste-oriented.
Things like this should really be a one-liner in any sane programming
language... :-P
* Cut down the length of the argument lists of a few functions to something
less insane, making them more easily understandable locally. This involves
minor code duplication, but this was a good tradeoff and can be remedied
later if necessary.
* Replaced some boolean arguments with more readable enums.
* Fixed a TODO: Values which are definitely a Smi or unboxed can never be equal
to null or undefined.
Review URL: http://codereview.chromium.org/7918012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9323 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
port r9258 (c8709a9)
Note on mips implementation: Arm reg r4 (call type) normally maps to mips
reg t0. We had already used t0 as a temp in Generate_FunctionCall() and
Generate_FunctionApply(), so I replaced that existing t0 usage with t3, and
now use t0 only for call type.
Original commit message:
Introduce new %Apply native.
Extend Execution::Call to optionally handle receiver rewriting (needed for %Apply).
Fix Function.prototype.bind for functions that have .apply modified.
Landing http://codereview.chromium.org/7891033/ for Paul Lind.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9316 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Highlights:
- code-stubs-mips.cc
-- use EmitFPUTruncate in place of inline code in several places.
-- use BranchF macro rather than lower-level FP cmp and branch for readability.
-- Port of Sven's r8859 (Implement type recording for ToBoolean) and r8886
(Simplify and optimize ToBoolean handling.)
-- Fix bug in TranscendentalCacheStub::Generate where some regs were not
saved across CFunction call.
-- use updated xxxCFunction macros.
-- update InstanceOfStub to support crankshaft
DoDeferredLInstanceOfKnownGlobal
-- Provide code-patching and I-cache flushing support for generated
code, used for InstanceOfStub under crankshaft (not submitted here).
This requires adding new ExternalReference to src/assember.cc,h
- stub-cache-mips.cc
-- port Danno's r8901 (Create a common base class for Fixed-, FixedDouble-
and ExternalArrays) to mips crankshaft branch.
BUG=
TEST=
Review URL: http://codereview.chromium.org/7890001
Patch from Paul Lind <plind44@gmail.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9308 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Highlights:
- Better support for FP compares and branches (BranchF macro)
- Add EmitFPUTruncate() macro, similar to EmitVFPTruncate on Arm.
- Some improvements to long-branch mechanism for mips.
- Add ClampUint8() and ClampDoubleToUint8()
- Minor changes to ic-mips, full-codegen-mips mostly, for improved
code-patching with BinaryOpStub.
- Small changes to stack checking in full-codegen-mips and
regexp-macro-assembler-mips
BUG=
TEST=
Review URL: http://codereview.chromium.org/7888004
Patch from Paul Lind <plind44@gmail.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9307 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
1) Don't make a call to C without having a valid frame on the stack.
2) Don't generate a call to a stub while generating a stub, unless we can be
sure that the stub we are calling has already been generated (the stub
generation code is not reentrant wrt. GC).
Review URL: http://codereview.chromium.org/7891042
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9297 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The Great Master Plan is to move the recognition of special cases for
comparisons further down the compilation pipeline where more information is
available. This is a first step into this direction: The special handling of
equality comparisons involving null is pushed from the parser to the code
generators, removing the need for a special AST node. (There are rumors from
usually well-informed sources that this node type is actually a relic of ancient
crankshaft days...)
The next steps will be the unification of null/undefined handling and pushing
the special case handling in crankshaft even further down the pipeline, enabling
the recognition of cases like "var foo=null; if (foo === bar) ...", but these
will be in separate CLs.
Review URL: http://codereview.chromium.org/7887037
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9293 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
port r9260 (af9cfd83).
Original commit message:
We passed this flag around in a lot of places and had differenc call
ICs based on it, but never did any real specialization based on its
value.
BUG=
TEST=
Review URL: http://codereview.chromium.org/7886028
Patch from Paul Lind <plind44@gmail.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9269 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Highlights:
- assembler.h adds FPU definitions used for Crankshaft.
- Support optimization of mips call: jalr->jal
- includes changes to set_target_address_at(), support routines.
- Add 2nd use of Apply() to update target addresses.
- Minor debugging improvement in simulator.
BUG=
TEST=
Review URL: http://codereview.chromium.org/7888003
Patch from Paul Lind <plind44@gmail.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9259 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Use the BitField helper class for the code flags, so that we do not have to
define both a shift and a mask explicitly. This makes changing the flags
layout simpler.
Also, make the 'mask' and 'max' members of BitField into constants, because
they are constant and so that they can be used as constant expressions.
E.g., so they can be used in declaring other const members or in static
asserts.
R=fschneider@chromium.org
BUG=
TEST=
Review URL: http://codereview.chromium.org/7787028
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9232 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We have to emit code for declarations later into the body block
(and not into the start block) so that the environment contains
the correct values.
In order to capture the environment effect of the declarations
that generate code (function declarations) I inserted a separate
AST id and a HSimulate after the declarations are visited.
Also fixes handling deopt in named function expressions:
BUG=v8:1647
TEST=test/mjsunit/regress/regress-fundecl.js, test/mjsunit/regress/regress-1647.js
Review URL: http://codereview.chromium.org/7776009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9083 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The ARM and MIPS assemblers had a bug where they did not handle the last element
in the list of code positions correctly during the fixup of offsets for forward
jumps. This happened when the first instruction contained a forward jump to a
label, and that label was used in a forward jump later, too.
Unified the code for Assembler::next on ARM and MIPS while we were there.
Added test cases, even for ia32/x64, which seem to be correct, even I don't
fully understand why... %-}
BUG=v8:1644
Review URL: http://codereview.chromium.org/7786001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9063 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
