Deletion of global properties puts 'the hole' in the global property
cell and updates the property details in the property dictionary with
the information that the property has been deleted. When setting
global properties that have been deleted in generated code we just
store the new value in the global property cell. This does not update
the property details in the property dictionary. Therefore, it looks
like the property is not there eventhough it was just reintroduced.
Perform 'the hole' checks in generated code for global property stores
and bail out of ICs and optimized code if storing to a property cell
that contains 'the hole'.
Review URL: http://codereview.chromium.org/6306014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6508 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Refactor SafepointTableBuilder::DefineSafepoint and ARM LCodeGen::RecordSafepoint to use an enum for different kinds of safepoints. This change removes a lot of duplicated code and makes it easier to include new kinds of safepoints in the future. The remaining variants of LCodeGen::RecordSafepoint remain as a convinient way to record common safepoint kinds.
BUG=http://code.google.com/p/v8/issues/detail?id=1043
TEST=none
Review URL: http://codereview.chromium.org/6341008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6505 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
To avoid deopts a few extra changes were needed:
o Enable megamorphic state for special property loads on
primitives. We used to flip between monomorphic stubs.
o Extract pure string (no string wrapper support) version of the
string length stub.
Review URL: http://codereview.chromium.org/6334015
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6472 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Change the ARM exit frame to have the same layout as the IA32 exit frame. This basically re-arranges the order of fp and sp and changes the sp location of the entry frame to hold the sp used by the gc and not the sp for popping the arguments. This removes the option of tearing down the frame and returning using one ldm instruction.
The main motivation for this is to avoid pushing an alignment word before generating the entry frame. The GC handling of optimized frames process the registers pushed as part of a safepoint and asumes that these are at the top of the frame, so if an alignment word is pushed this processing will be one off.
The alignment handling in the C entry stub have also been simplified. Now the value of lr is stored to a stack slot already reserved avoiding pushing it and keeping track of "frame skew".
This does result in more instructions in the exit frame on ARM, but we can look into improving this later.
Review URL: http://codereview.chromium.org/6247019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6448 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
files. On ARM it is not enough to iterate the relocation information
because that will only give us access to the constant pool and not to
the place in the instruction stream where the target in the constant
pool is called.
Review URL: http://codereview.chromium.org/6343005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6444 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The function Runtime_LookupContext searches the context chain for a
LOOKUP slot and returns the object holding the slot. It returned the
global context if the slot was not found or if it was found in a
function's context or arguments object. This is not the correct
object to use for 'delete'.
Since this lookup function is only ever used when deleting LOOKUP
slots (those that have to go through a with or a scope with eval), it
is simply replaced with a Runtime_DeleteContextSlot function that does
the appropriate thing for all kinds of context lookups.
This fixes Chromium bug 70066.
http://code.google.com/p/chromium/issues/detail?id=70066
Review URL: http://codereview.chromium.org/6280013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6442 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
conversions for external array types, which implement the Typed Array
spec. (Revision of http://codereview.chromium.org/6315004 .)
Prefer SSE2 code path on x86 processors. Non-SSE2 processors now make
a slow runtime call for float-to-int conversions. Use SSE3 for 32-bit
signed and unsigned int array types where possible.
The movement of code from ic-arm.cc to stub-cache-arm.cc caused the
VFP3 code path to be tested for the first time. Fixed bugs in the
register usage and in the constant value stored into integer arrays
for NaN and +/-Infinity.
Added new truncation test to test-api.cc. Storage of NaN and +/-Inf
was already covered. Ran unit tests on x86, x64 and ARM simulator.
Tested ia32 and x64 code in Chromium on Mac and Linux respectively
with Typed Array unit tests and WebGL content.
BUG=http://code.google.com/p/chromium/issues/detail?id=50972
TEST=test-api/ExternalArrays
Review URL: http://codereview.chromium.org/6303012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6431 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This is svn r6415 with a bugfix.
The bug was that we can have scopes with 0 heap slots (functions with
such scopes do not need a local context) and scopes with at least
Context::MIN_CONTEXT_SLOTS. The code generator only allocated a local
context if there were strictly more than Context::MIN_CONTEXT_SLOTS.
Before the change to with/arguments, it was impossible to actually get
a function scope with exactly Context::MIN_CONTEXT_SLOTS because every
such scope included a heap-allocated arguments (and arguments shadow)
slot.
Review URL: http://codereview.chromium.org/6248014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6426 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Rename HBranch (the instruction that coerces an arbitrary HValue to
control flow) to HTest to free up the term Branch to refer to any
control instruction with two successors.
Change the virtual FirstSuccessor and SecondSuccessor functions on
control instructions to a pair of data members.
Review URL: http://codereview.chromium.org/6366002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6417 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This patch adds H- and L-variants of StringCharCodeAt and StringLength.
StringCharCodeAt is used to inline a constant function call of
String.prototype.charCodeAt and to implement the corresponding inline
runtime function. It does not yet use the recently introduced extra IC
state. (We can specialize on string encoding and avoid deopts because
of out of bounds accesses.)
StringLength needs more work because the stub version of it also
supports strings wrappers and it matters in some cases. (We have to
separate the string only case.)
Review URL: http://codereview.chromium.org/6243008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6408 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We hit an assertion failure when we tried to record the AST ID of
the (shared) .arguments variable proxy more than once. This was hit
when we had multiple calls to the same parameter in a function that
used the arguments object. The fix is to not visit the subexpressions
of the (shared) property access expression.
BUG=1060
Review URL: http://codereview.chromium.org/6368007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6404 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Extra IC state is only two bits and only supported for call IC-s for
now. To change its extra state an IC stub jumps to a new miss stub
that goes to runtime as usual but then instead of going megamorphic
generates a monomorphic stub with the updated state.
Review URL: http://codereview.chromium.org/6344005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6370 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This change includes support for safepointtables and adding deoptimization info (but not for deoptimizing).
Implemented crankshaft functions:
CallCode
GenerateSafepointTable
RegisterEnvironmentForDeoptimization
EmitGoto
This change allows us to compile very simple functions with crankshaft:
An empty function
A function returning a constant.
A function returning a parameter.
There is 6 disabled tests that require us to be able to deoptimize
which is currently not supported.
Review URL: http://codereview.chromium.org/6310009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6350 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Instead of spilling and then immediately restoring eax to resolve
memory to memory moves, the gap move resolver now tracks registers
that are known to be free and uses one if available. If not it spills
but restores lazily when the spilled value is needed or at the end of
the algorithm.
Instead of using esi for resolving cycles and assuming it is free to
overwrite because it can be rematerialized, the gap move resolver now
resolves cycles using swaps, possibly using a free register as above.
The algorithm is also changed to be simpler: a recursive depth-first
traversal of the move dependence graph. It uses a list of moves to be
performed (because it mutates the moves themselves), but does not use
any auxiliary structure other than the control stack. It does not
build up a separate list of scheduled moves to be interpreted by the
code generate, but emits code on the fly.
Review URL: http://codereview.chromium.org/6263005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6344 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This puts us very close to being able to compile the empty function.
This changes only has a small number of 64 bit specific assembler instructions.
The remaining changes are much more platform specific and will go in another change.
Review URL: http://codereview.chromium.org/6247005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6306 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The the call of the builtin in InstanceofStub was not correctly protected with an internal frame leading to the return address being handled as a pointer during GC.
Marked the Instanceof stub as allowing stub calls (the RecordWriteStub was removed some days ago).
This issue was not caught by the assertion designed for this when debug mode is run with --debug-code (which out tests always does) as generating code for Abort set the allow stub calls flag to true. This has been fixed by restoring the allow stub calls flag correctly.
Review URL: http://codereview.chromium.org/6097010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6218 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When entering a finally block in unoptimized code, we unconditionally
save the accumulator register in the stack in case it holds a return
value or an exception. In the case of a break, continue, or falling
off the end of the try or catch block, this value is unpredictable and
not necessarily safe for GC.
Review URL: http://codereview.chromium.org/5883003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6035 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This is an improved version of my earlier change r5970. It avoids degrading the
non-optimized code.
Initially we emit a conditional branch that is either always- or never-taken
after a smi-check (depending on whether we test for smi for for non-smi)
Since test-eax always sets the carry-flag to 0 we use jump-if-carry and
jump-if-not-carry.
The first invocation of the stub patches a jc with a jz and
jnc with a jnz-instruction so that the code looks exactly as it was
without patching. The only difference is the test- or nop-instruction
after the IC-call.
Review URL: http://codereview.chromium.org/5763004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6030 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
SVN revision 5993 ported changes to the unoptimizing compiler from
ia32 to ARM and x64. A call to AstContext::Plug was moved out of
FullCodeGenerator::EmitVariableAssignment and into the callers. One
call site was missed in both ports.
Review URL: http://codereview.chromium.org/5781008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6003 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
inline allocation code used the expected number of properties to
calculate the number of inobject properties for an object instead of
getting the actual number from the initial map.
It is safer to use the inobject property count from the initial map in
any case because that is the amount the instances will get. I think
this disconnect got introduced when adding shrinking of objects.
Unfortuntely I haven't been able to create a simple reproduction for a
test case but this fixes the webpage that exhibits the crash. I'll see
if I can create a reproduction tomorrow.
Review URL: http://codereview.chromium.org/5278003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5879 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
