Fixes JS portion of DefineOwnProperty when there is
an existing property and the new descriptor is generic.
Makes code follow spec steps more closely.
Fixes typo for check for unchanged enumerable in step 6.
Adds regression tests.
Fixes errors in object-define-property test
Don't normalize the JSGlobalProxy. Gets webkit http/tests/security/xss-DENIED-defineProperty.html working.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6561 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
other situations.
Do not use overwritten Object.prototype.hasOwnProperty and
Array.prototype.pop. Do not use split and join in the error formatting
implementation. They are too big to control and their generality is
not needed.
Review URL: http://codereview.chromium.org/6287041
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6552 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
1. The placement of checks for negative zero has to be computed after
all conversion instructions have been inserted. I separated the code
into its own phase.
2. GVN need to take instruction flags into account when comparing
instructions for redundancy.
Review URL: http://codereview.chromium.org/6260035
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6534 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Deletion of global properties puts 'the hole' in the global property
cell and updates the property details in the property dictionary with
the information that the property has been deleted. When setting
global properties that have been deleted in generated code we just
store the new value in the global property cell. This does not update
the property details in the property dictionary. Therefore, it looks
like the property is not there eventhough it was just reintroduced.
Perform 'the hole' checks in generated code for global property stores
and bail out of ICs and optimized code if storing to a property cell
that contains 'the hole'.
Review URL: http://codereview.chromium.org/6306014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6508 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
With SVN r6465 (reverting changes to scopes), a regression test for
deleting parameter variables has to change to reflect a semantic
change. It is now again possible to delete parameters from a function
that uses 'with' or 'try...catch'.
Review URL: http://codereview.chromium.org/6307014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6466 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Code generated for checks starting with primitive receivers skips one step
in the usual prototype checking algorithm, so the holder must always be set.
Not setting the holder did not cause an immediate failure because our
primitives have additional hidden prototypes before the real prototypes.
These extra objects in the chain usually contain no properties and so
allowed the right holders to be selected.
Review URL: http://codereview.chromium.org/6353014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6459 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The function Runtime_LookupContext searches the context chain for a
LOOKUP slot and returns the object holding the slot. It returned the
global context if the slot was not found or if it was found in a
function's context or arguments object. This is not the correct
object to use for 'delete'.
Since this lookup function is only ever used when deleting LOOKUP
slots (those that have to go through a with or a scope with eval), it
is simply replaced with a Runtime_DeleteContextSlot function that does
the appropriate thing for all kinds of context lookups.
This fixes Chromium bug 70066.
http://code.google.com/p/chromium/issues/detail?id=70066
Review URL: http://codereview.chromium.org/6280013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6442 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This is svn r6415 with a bugfix.
The bug was that we can have scopes with 0 heap slots (functions with
such scopes do not need a local context) and scopes with at least
Context::MIN_CONTEXT_SLOTS. The code generator only allocated a local
context if there were strictly more than Context::MIN_CONTEXT_SLOTS.
Before the change to with/arguments, it was impossible to actually get
a function scope with exactly Context::MIN_CONTEXT_SLOTS because every
such scope included a heap-allocated arguments (and arguments shadow)
slot.
Review URL: http://codereview.chromium.org/6248014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6426 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
- var eval | arguments
- catch (eval | arguments)
- 'with' is disabled
- function can't be named eval or arguments
Add FLAG_strict_mode
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6422 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Before, we conservatively marked every variable in a scope as used if the
scope contained 'with'. Instead, just mark the variables occurring in the
body of the with. This avoids marking 'arguments' as used whenever 'with'
occurs, which incurs an extra performance penalty (a use of arguments is
seen as an instruction to redirect all parameter accesses to the arguments
object).
Review URL: http://codereview.chromium.org/6357007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6415 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We hit an assertion failure when we tried to record the AST ID of
the (shared) .arguments variable proxy more than once. This was hit
when we had multiple calls to the same parameter in a function that
used the arguments object. The fix is to not visit the subexpressions
of the (shared) property access expression.
BUG=1060
Review URL: http://codereview.chromium.org/6368007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6404 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
- var eval | arguments
- catch (eval | arguments)
- 'with' is disabled
- function can't be named eval or arguments
- function parameter name cannot be eval or arguments
- no duplicate parameter names allowed
Add FLAG_strict_mode
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6369 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This change includes support for safepointtables and adding deoptimization info (but not for deoptimizing).
Implemented crankshaft functions:
CallCode
GenerateSafepointTable
RegisterEnvironmentForDeoptimization
EmitGoto
This change allows us to compile very simple functions with crankshaft:
An empty function
A function returning a constant.
A function returning a parameter.
There is 6 disabled tests that require us to be able to deoptimize
which is currently not supported.
Review URL: http://codereview.chromium.org/6310009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6350 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Unfortunately, arguments is pretty much the normal JS object. For now
I am adding more sanity checks (in hope that typically arguments
list is rather short.) However it probably requires more systematic
treatment, for example, we could optimistically copy elements until
we meet first hole and in this case resort to JS builtin.
Review URL: http://codereview.chromium.org/6062006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6256 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This patch enables two new flags for the tools/test.py script;
--shard-count - giving the ability to split the tests to be run
into shard-count chunks.
--shard-run - giving the ability to specify which of the shards to actually run.
Example
tools/test.py -j15 --shard-count=2 --shard-run=1 mozilla
would split the mozilla tests into two chunks and run the tests in the first chunk
Running:
tools/test.py -j15 --shard-count=2 --shard-run=1 mozilla
tools/test.py -j15 --shard-count=2 --shard-run=2 mozilla
is equivalent (in terms of test coverage) of just running:
tools/test.py -j15 mozilla
In addition, tests are now sorted before they are returned from the
test specific ListTests methods (sputnik and mozilla tests where
already sorted before they where returned).
This change is needed to split a single test suite over two slaves on
the waterfall.
Review URL: http://codereview.chromium.org/6127003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6248 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
First cut at bug 992
Fixes JS portion of DefineOwnProperty when there is
an existing property and the new descriptor is generic.
Makes code follow spec steps more closely.
Fixes typo for check for unchanged enumerable in step 6.
Adds regression test.
Codereview url: http://codereview.chromium.org/6035014/
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6220 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
If the instanceof stub was requested to deliver true/false objects as the result instead of 0/1 then 0/1 was actually returned if the builtin INSTANCE_OF ended up being called. This is now fixed.
BUG=v8:1020
TEST=test/mjsunit/regress/regress-1020.js
Review URL: http://codereview.chromium.org/6014013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6185 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
methods rely on the time values passed in being within a certain range
- not significantly larger than the the ECMA 262 specified time
range. When creating a time, always make it NaN if there is no way
that it can be within range even after UTC conversion.
Review URL: http://codereview.chromium.org/5905003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6048 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
In the past we only accepted functions as argument for setting an
accessor. Since one should be able to set an accessor to undefined
this had to be changed to take either.
In addition, we did not lookup properties in the prototype chain,
causing us to call the setter of an existing accessor up the prototype
chain when trying to replace an existing accessor (that was not local)
with a data property.
Review URL: http://codereview.chromium.org/5861006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6045 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When entering a finally block in unoptimized code, we unconditionally
save the accumulator register in the stack in case it holds a return
value or an exception. In the case of a break, continue, or falling
off the end of the try or catch block, this value is unpredictable and
not necessarily safe for GC.
Review URL: http://codereview.chromium.org/5883003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6035 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This fixes V8 issue 989.
Before, assignments used the AST ID of the assignment expression to
mark the side effect of the store, which became a target for
deoptimization bailout for code after the assignment. In effect
contexts this environment included the value of the assignment, which
was unexpected by the unoptimized code.
Now we introduce a new assignment ID for AST node types that include
an assignment (Assignment, CountOperation, and ForInStatement) and use
it for the side effect of the store.
Review URL: http://codereview.chromium.org/5682010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5990 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
SplitBetween (formely known as Split with 3 arguments) should select split position from [start, end] instead of [start, end[. This should also improve allocation quality (remove certain redundant move patterns).
Also some minor renaming and refactoring to make register allocator code more readable.
BUG=v8:962
TEST=test/mjsunit/regress/regress-962.js
Review URL: http://codereview.chromium.org/5720001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5969 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
x64 where crankshaft is not the default. Add ability to add custom
expectations for running in this special crankshaft mode.
The expectations are not updated in this change. There are a couple of
bugs that I would like to fix before doing that. Otherwise the lists
will be very long. :)
Review URL: http://codereview.chromium.org/5787001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5962 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When falling off the end of a function inlined in a test context, we cannot
constant fold the test of undefined away. The graph builder assumes that
control flow always reaches both branches of a test.
Instead, explicitly test and branch on "undefined". Introduce a pair of
empty blocks to hold the necessary LeaveInlined instructions.
Review URL: http://codereview.chromium.org/5566005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5927 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
see http://code.google.com/p/v8/issues/detail?id=944
This patch makes DateParser::TimeComposer process times that have
millisecond values with only 1 or 2 digits.
Without this patch, Date.parse("2010-11-25T22:02:30.5") returns
1290690150005 and
Date.parse("2010-11-25T22:02:30.5") == Date.parse("2010-11-25T22:02:30.005")
evaluates to true.
With this patch, Date.parse("2010-11-25T22:02:30.5") returns
1290690150500 instead, and
Date.parse("2010-11-25T22:02:30.5") == Date.parse("2010-11-25T22:02:30.005")
evaluates to false.
Review URL: http://codereview.chromium.org/5336005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5893 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
