We have to check for uninitialized uses before phi-elimination. Otherwise we
may miss such a use and result in using the hole value instead. This
causes a NULL-dereference or assertion failure.
BUG=96989
TEST=mjsunit/compiler/regress-96989.js
Review URL: http://codereview.chromium.org/7974009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9337 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The approach is to handle the common case in the optimizing
compiler and to bailout for the rare corner cases.
This is done by initializing all local const-variables with
the hole value and disallowing any use of the hole value statically.
Review URL: http://codereview.chromium.org/6026006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8104 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Encapsulate the helper functions in mjsunit.js.
Now only exposes the exception class and the assertXXX functions.
Make assertEquals use === instead of ==.
This prevents a lot of possiblefalse positives in tests, and avoids
having to do assertTrue(expected === actual) when you need it.
Fixed some tests that were either buggy or assuming == test.
Review URL: http://codereview.chromium.org/6869007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7628 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
In the cases where a global property cell cannot be used in the optimized code
use standard load ic to get the property instead of bailing out.
This is re-committing r7212 and r7215 which where reverted in r7239 with the addition of recoring the source position in the hydrogen code for the LoadGlobalCell instruction. To record that position an optional position field has been added to the variable proxy AST node.
Review URL: http://codereview.chromium.org/6758007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7474 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The class did not correctly implement the RequiredInputRepresentation.
I changed this functions to be abstract so that all hydrogen classes
must implement it.
As a convention instructions with zero input operands return None as input
representation.
Instructions that can handle all input representations without converting before
also have None as required input representation (e.g. HTest)
All other instructions need a proper required input representation.
Review URL: http://codereview.chromium.org/6538088
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6891 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
If we have a property access of the form this.x, where the access site sees
the global object, we can specialize the IC stub so that it performs a map
check without first performing a heap object check.
Ensure that we do not get in JS code with a non-JSObject this value by
deoptimizing at Function.prototype.apply if the first argument is not a
JSObject.
BUG=v8:1128
Review URL: http://codereview.chromium.org/6463025
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6707 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
1. The placement of checks for negative zero has to be computed after
all conversion instructions have been inserted. I separated the code
into its own phase.
2. GVN need to take instruction flags into account when comparing
instructions for redundancy.
Review URL: http://codereview.chromium.org/6260035
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6534 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When falling off the end of a function inlined in a test context, we cannot
constant fold the test of undefined away. The graph builder assumes that
control flow always reaches both branches of a test.
Instead, explicitly test and branch on "undefined". Introduce a pair of
empty blocks to hold the necessary LeaveInlined instructions.
Review URL: http://codereview.chromium.org/5566005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5927 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We may encounter an invalid frame after generating code
for the loop body in case the loop body ends in an unconditional
return. Before setting the type information for the loop variable
we need to check for a valid frame.
Review URL: http://codereview.chromium.org/1106002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4182 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This change add simple local live variable information to
the fast code generator. It supports only AST nodes that
are accepted by the syntax checker.
Each variable use points to a variable definition structure
which contains the last use of the definition.
To determine whether a variable is live after a certain point
we can check whether its last use occurs later in the evaluation
order defined by the AST labeling number.
The new information is currently only printed out together with
the IR and not yet used for code generation.
Review URL: http://codereview.chromium.org/603004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3839 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Do not use the speculative compiler for functions with other than one
statement in the body, and do not use it if subexpressions can have
side effects. Bailing out to the beginning of the full code is not
sound if side effects have already occurred.
Add tests that would fail without the restrictions.
Review URL: http://codereview.chromium.org/598016
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3826 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Support a binary operation (bitwise OR) so long as it's not nested in
the left subexpression. This ensures that the expression stack never
has height greater than two and so can be kept fully in registers.
The bounded expression stack height and the absence of any side
effects on the fast path allows us to still bailout out to the very
beginning of the function if any of our fast-path checks fail.
Review URL: http://codereview.chromium.org/594008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3822 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This is a first step towards loading globals directly from property cells instead
of going through a load IC.
This change supports only properties with the DontDelete attribute since
we are only able to bailout into the generic code generated by the secondary
code generator the beginning of a function. The resulting fast-case code is
specialized for a specific context. When invoked with a different global object,
it will always bailout to the secondary code.
When loading a property that does not exist at compile-time or a property
that is deleteable we still generate the generic load IC.
Review URL: http://codereview.chromium.org/565034
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3808 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
