mvstanton@chromium.org
1a4482ab3f
Missing type cell on ia32 from bindings.
...
Javascript constructors called from C++ code didn't have a type cell
properly filled in on ia32. This showed up as a bug in webkit bindings.
Re-enabled flag optimize-constructed-arrays.
BUG=
R=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/15870002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14775 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-23 13:45:33 +00:00
yangguo@chromium.org
a1e18bdf3c
Improve SeqStringSetChar implementation.
...
R=jkummerow@chromium.org
BUG=
Review URL: https://chromiumcodereview.appspot.com/15743006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14769 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-23 09:51:06 +00:00
verwaest@chromium.org
308e69755b
Implement HChange support for Smis and use it in Load/StoreNameField
...
BUG=
R=verwaest@chromium.org
Review URL: https://chromiumcodereview.appspot.com/15303004
Patch from Daniel Clifford <danno@chromium.org>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14765 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-23 08:32:07 +00:00
verwaest@chromium.org
36e91242fd
Make Object.freeze fast
...
This patch both speeds up the freeze operation itself and also
allows properties to remain in fast mode. Objects with non-empty
elements backing stores still end up with slow elements.
Relanding r14758 and r14759 with fix for Test262: only mark properties
and elements READ_ONLY if they are not JS setter/getters. Tightened up
tests to assert frozen-ness, and added targeted tests for the new code
(covering accessors).
BUG=v8:1858, 115960
R=verwaest@chromium.org
Review URL: https://chromiumcodereview.appspot.com/15691007
Patch from Adam Klein <adamk@chromium.org>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14762 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-23 07:05:58 +00:00
adamk@chromium.org
4d48bb832f
Revert "Make Object.freeze fast"
...
and "Fix Object.freeze on dictionary-backed arrays to properly freeze elements"
This reverts r14758 and r14759 due to introducing failures in Test262
TBR=verwaest@chromium.org
Review URL: https://codereview.chromium.org/15681004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14760 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 21:27:00 +00:00
adamk@chromium.org
3ebccb7aae
Fix Object.freeze on dictionary-backed arrays to properly freeze elements
...
Follow-up to r14758: slightly rearranges JSObject::Freeze() to avoid duplicating
code while still retaining proper dictionary elements storage behavior.
Also fix a lint error.
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/15737018
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14759 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 20:40:04 +00:00
adamk@chromium.org
648e99e308
Make Object.freeze fast
...
This patch both speeds up the freeze operation itself and also
allows properties to remain in fast mode. Objects with non-empty
elements backing stores still end up with slow elements.
BUG=v8:1858, 115960
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/14888005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14758 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 18:53:58 +00:00
mstarzinger@chromium.org
b704cb9139
Fix bogus deopt in BuildEmitDeepCopy for holey arrays.
...
R=verwaest@chromium.org
BUG=chromium:242924
TEST=mjsunit/regress/regress-crbug-242924
Review URL: https://codereview.chromium.org/15735012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14757 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 17:58:21 +00:00
verwaest@chromium.org
b353b1d131
Don't allow copying holes to fields.
...
R=jkummerow@chromium.org
Review URL: https://chromiumcodereview.appspot.com/15745006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14753 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 15:33:53 +00:00
mstarzinger@chromium.org
bf413b5122
Fix VisitLogicalExpression for empty blocks on RHS.
...
R=jkummerow@chromium.org
BUG=chromium:242870
TEST=mjsunit/regress/regress-crbug-242870
Review URL: https://codereview.chromium.org/15744002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14747 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 13:27:00 +00:00
yangguo@chromium.org
9960b24694
Fix unexpected elements transition in JSON.parse
...
R=verwaest@chromium.org
BUG=241344
Review URL: https://chromiumcodereview.appspot.com/15739003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14746 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 13:24:18 +00:00
verwaest@chromium.org
8db3014974
Keep representations while overwriting transitions.
...
BUG=chromium:241477
R=jkummerow@chromium.org
Review URL: https://chromiumcodereview.appspot.com/15718002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14745 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 10:46:33 +00:00
mstarzinger@chromium.org
d696f7b3c1
Use explicit type feedback clearing in some tests.
...
R=jkummerow@chromium.org
Review URL: https://codereview.chromium.org/15711004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14744 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 09:17:27 +00:00
hpayer@chromium.org
9c3c28646b
Force GC before executing unbox double arrays test to avoid timeouts.
...
BUG=
Review URL: https://codereview.chromium.org/15292002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14743 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 09:05:22 +00:00
mstarzinger@chromium.org
db4a770c3f
Add regression test for fix from r14732.
...
R=verwaest@chromium.org
BUG=chromium:242502
TEST=mjsunit/regress/regress-crbug-242502
Review URL: https://codereview.chromium.org/15288008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14734 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-21 14:20:42 +00:00
mvstanton@chromium.org
239b2830cc
Turning off optimize-constructed-arrays to investigate a WebKit/bindings issue.
...
BUG=
R=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/15303002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14718 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-17 12:33:48 +00:00
hpayer@chromium.org
d7427aa938
Fix transition test to support allocation site info.
...
BUG=
Review URL: https://codereview.chromium.org/15270002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14716 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-17 08:56:45 +00:00
verwaest@chromium.org
73d084fad3
Fix bugs in rewriting combined with attributes and accessors
...
R=danno@chromium.org
Review URL: https://chromiumcodereview.appspot.com/14843023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14713 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-17 03:16:20 +00:00
titzer@chromium.org
5746d38351
Fix code gen bug on arm and mips; SeqStringSetChar overwrites a register; Add better default PrintDataTo for HInstruction
...
BUG=
Review URL: https://codereview.chromium.org/14895019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14710 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-16 14:27:39 +00:00
rossberg@chromium.org
8ce0718763
Implement Array.observe and emit splice change records for ArrayPush
...
Review URL: https://codereview.chromium.org/14978007
Patch from Rafael Weinstein <rafaelw@chromium.org>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14705 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-16 11:19:37 +00:00
adamk@chromium.org
0ed681905c
Re-land Notifier.prototype.performChange + tests
...
Fixes the debug check failure on sorting an object with an array __proto__.
Original Issue: https://codereview.chromium.org/14779011/
TBR=adamk@chromium.org
Review URL: https://codereview.chromium.org/14977015
Patch from Rafael Weinstein <rafaelw@chromium.org>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14698 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-15 22:09:40 +00:00
adamk@chromium.org
91daa127c9
Revert "Implement Object.getNotifier(obj).performChange()" (r14696)
...
Reverts r14696 because it caused debug assertion failures when running
test/mjsunit/harmony/object-observe.js
TBR=rossberg
Review URL: https://codereview.chromium.org/15203002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14697 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-15 18:47:48 +00:00
adamk@chromium.org
07a54cd06d
Implement Object.getNotifier(obj).performChange()
...
R=rossberg,adamk,arv
BUG=
Review URL: https://codereview.chromium.org/14779011
Patch from Rafael Weinstein <rafaelw@chromium.org>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14696 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-15 17:44:45 +00:00
wingo@igalia.com
55f6281281
Revert "GeneratorFunction() makes generator instances"
...
This reverts r14684 because of blink LayoutTest failures in
inspector/debugger/debugger-pause-in-internal.html.
R=mstarzinger@chromium.org
BUG=
Review URL: https://codereview.chromium.org/14619040
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14694 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-15 15:57:58 +00:00
mvstanton@chromium.org
31b8fc19c3
With flag optimize-constructed-arrays on, ARM and MIPS suffered a performance degrade due to incorrect code in GenerateRecordCallTarget().
...
The CL also enables flag optimize-constructed-arrays.
BUG=
R=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/14772043
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14692 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-15 15:17:01 +00:00
wingo@igalia.com
e24cc32011
GeneratorFunction() makes generator instances
...
The current specification has GeneratorFunction() be like Function(),
except that it makes generator instances. This commit implements that
behavior. It also fills in a piece of the implementation where
otherwise calling GeneratorFunction or GeneratorFunctionPrototype would
cause an abort because they have no code.
R=mstarzinger@chromium.org, rossberg@chromium.org
TEST=mjsunit/harmony/generators-iteration
TEST=mjsunit/harmony/generators-runtime
BUG=v8:2355
BUG=v8:2680
Review URL: https://codereview.chromium.org/14857009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14684 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-15 13:22:05 +00:00
wingo@igalia.com
d6fa1d8ad9
Function constructor should avoid String.prototype methods
...
Replace a use of .indexOf with a call to StringIndexOf. As always,
lexical scoping to the rescue.
R=mstarzinger@chromium.org
TEST=mjsunit/regress/regress-2686
BUG=v8:2686
Review URL: https://codereview.chromium.org/14668013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14678 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-15 10:52:06 +00:00
wingo@igalia.com
8f602260d3
Implement yield* (delegating yield)
...
Ideally this would have been implemented via desugaring at parse-time,
but yield* is an expression, and its desugaring includes statements like
while and try/catch. We'd have to have BlockExpression in the AST to
support that, and it's not worth it for this feature.
So instead we implement all of the logic in
FullCodeGenerator::VisitYield. Delegating yield AST nodes now have a
try handler index, for the try/catch. Otherwise the implementation is
straightforward.
R=rossberg@chromium.org
BUG=v8:2355
TEST=mjsunit/harmony/generators-iteration
Review URL: https://codereview.chromium.org/14582007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14669 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-14 16:26:56 +00:00
wingo@igalia.com
b7ecb8cb8d
Revert mistakenly committed r14667 and r14666.
...
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14668 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-14 16:17:26 +00:00
wingo@igalia.com
25c1d78e3d
Implement yield* (delegating yield)
...
Ideally this would have been implemented via desugaring at parse-time,
but yield* is an expression, and its desugaring includes statements like
while and try/catch. We'd have to have BlockExpression in the AST to
support that, and it's not worth it for this feature.
So instead we implement all of the logic in
FullCodeGenerator::VisitYield. Delegating yield AST nodes now have a
try handler index, for the try/catch. Otherwise the implementation is
straightforward.
R=mstarzinger@chromium.org
BUG=v8:2355
TEST=mjsunit/harmony/generators-iteration
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14666 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-14 15:59:25 +00:00
titzer@chromium.org
68eb1e50ca
Improve dead code elimination by transitively marking live code and removing all dead code. Replace unreachable phi removal algorithm with the new dead code elimination pass, which is more thorough.
...
Review URL: https://codereview.chromium.org/14676011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14661 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-14 13:10:52 +00:00
wingo@igalia.com
1634369af7
Don't flush code for generator functions.
...
R=mstarzinger@chromium.org
BUG=v8:2681
TEST=mjsunit/regress/regress-2681
Review URL: https://codereview.chromium.org/14731023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14649 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-13 17:36:26 +00:00
dslomov@chromium.org
5777f3fb48
Enable native implementation of array buffer and typed arrays in d8 and tests.
...
R=mstarzinger@chromium.org
BUG=
Review URL: https://codereview.chromium.org/15059009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14646 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-13 14:18:43 +00:00
jkummerow@chromium.org
7636fdec27
Fix missing hole check for loads from Smi arrays when all uses are changes
...
BUG=chromium:233737
Review URL: https://codereview.chromium.org/14978004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14638 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-13 11:58:10 +00:00
danno@chromium.org
05e8e0e7b4
Elide hole checks on KeyedLoads of holey double arrays
...
Improves NavierStokes by about 5%
R=ulan@chromium.org
Review URL: https://codereview.chromium.org/15014020
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14630 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-13 07:35:26 +00:00
svenpanne@chromium.org
f853b08ad0
Fixed constant folding in HMod.
...
We have to check for overflow before attempting to do a modulo operation,
otherwise Crankshaft itself segfaults on some platforms, e.g. ia32. Added tests
even for division, where the problem doesn't show up, just to be sure...
R=mvstanton@chromium.org
Review URL: https://codereview.chromium.org/14617014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14629 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-13 07:32:38 +00:00
verwaest@chromium.org
df57747fc4
Track heap objects.
...
R=danno@chromium.org
Review URL: https://chromiumcodereview.appspot.com/14996004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14625 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-10 17:17:50 +00:00
wingo@igalia.com
3f09e0a3d8
Remove separate maps for function instances
...
ES3 specified that functions created via Function() would have
enumerable prototypes, unlike function literals. For this reason, V8
has always had two prototypes for functions: "function_map" for
literals, and "function_instance_map" for "function instances": those
functions created by Function().
However, since 2009 or so, both maps have been the same! Both have had
writable, non-enumerable prototypes. Moreover, ES5 changed to specify
that function instances would have non-enumerable prototypes.
This patch removes the separate maps for function instances in sloppy
and strict mode.
R=mstarzinger@chromium.org
TEST=mjsunit/function-prototype
BUG=
Review URL: https://codereview.chromium.org/14829005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14619 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-10 12:59:20 +00:00
mstarzinger@chromium.org
eb18db3ab4
Skip flaky regress-crbug-160010 regression test.
...
R=ulan@chromium.org
BUG=chromium:160010
TEST=mjsunit/regress/regress-crbug-160010
Review URL: https://codereview.chromium.org/14908006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14614 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-10 10:39:16 +00:00
verwaest@chromium.org
52008429b7
Use mutable heapnumbers to store doubles in fields.
...
R=danno@chromium.org
Review URL: https://chromiumcodereview.appspot.com/14850006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14597 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-08 15:02:08 +00:00
ulan@chromium.org
cd4e9866b7
Fix environment in HOptimizedGraphBuilder::VisitCountOperation. Follow-up for r14584.
...
R=danno@chromium.org
BUG=v8:2671
TEST=mjsunit/regress/regress-2671-1.js
Review URL: https://chromiumcodereview.appspot.com/14972009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14596 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-08 14:58:06 +00:00
mvstanton@chromium.org
f5ad8e4469
Turn off optimize-constructed-arrays flag to investigate ARM perf issue
...
BUG=
R=danno@chromium.org
Review URL: https://codereview.chromium.org/14753007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14588 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-08 08:49:29 +00:00
danno@chromium.org
bd9274436c
Bias commutative single-use register inputs and support lea adds
...
This improves register allocation for many common add and multiply patterns on ia32 and x64 by reducing register pressure.
R=jkummerow@chromium.org
Review URL: https://codereview.chromium.org/14856015
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14587 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-08 08:37:24 +00:00
wingo@igalia.com
75d939aceb
Generators save and restore stack handlers
...
This CL adds machinery to unwind stack handlers from the stack and store
them into a generator's operand array. It also includes routines to
reinstate them. Together this allows generators to yield within
try/catch and try/finally blocks.
BUG=v8:2355
R=mstarzinger@chromium.org
TEST=mjsunit/harmony/generators-iteration
Review URL: https://codereview.chromium.org/14031028
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14586 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-08 08:08:23 +00:00
ulan@chromium.org
e5a29e8ff9
Do not change environment between simulate and scope with no observable side-effects in HandlePropertyAssignment.
...
LChunkBuilder reconstructs the environment by applying simulates. A scope with no observable side-effects has no simulates. If the scope deoptimizes, then LChunkBuilder would miss the changes to the environment between the last simulate and the scope.
R=danno@chromium.org
BUG=v8:2671
TEST=mjsunit/regress/regress-2671.js
Review URL: https://chromiumcodereview.appspot.com/14793009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14584 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-08 07:40:28 +00:00
mvstanton@chromium.org
d7b013de57
Because of cross-context calls, hydrogen-based Array constructor needs to ensure
...
the array constructor pointer passed in matches that of the current context.
BUG=
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/14846017
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14581 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-07 21:01:53 +00:00
dslomov@chromium.org
b15bbfbe39
Implement TypedArray.set function.
...
R=rossberg@chromium.org
Review URL: https://codereview.chromium.org/14581005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-07 14:42:17 +00:00
dslomov@chromium.org
e45abf08cc
Update mjsunit tests to be compliant with ES6 implementation of typed arrays
...
R=rossberg@chromium.org
Review URL: https://codereview.chromium.org/14580012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14575 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-07 14:03:50 +00:00
verwaest@chromium.org
46d39cabd6
Fix polymorphic to monomorphic load to take representation into account.
...
Review URL: https://chromiumcodereview.appspot.com/14966005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14565 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-07 10:32:23 +00:00
wingo@igalia.com
3cd73ebc2f
Generators return boxed values
...
Generators now box their return values in object literals of the form
{ value: VAL, done: DONE }
where DONE is false for yield expressions, and true for return
statements.
BUG=v8:2355
TEST=mjsunit/harmony/generators-iteration
R=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/13870007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14563 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-07 08:46:42 +00:00