Record a safepoint with a deoptimization id for throw in optimized code. We
don't seem to much care what the AST ID is because we will not be using it
for lazy deoptimization (throw doesn't return to the point of throw). For
hygiene we use the actual ID of the throw expression. Throw is no longer a
control-flow instruction, but it's followed by an unconditional abnormal
exit. This is required to insert a simulate between the throw and the exit.
Make our optimized treatment of Function.prototype.apply act like a call and
have side effects. This ensures that it will get a lazy deoptimization
environment. Use that deoptimization ID in the safepoint for the call.
Deleting a property was also missing a deoptimization ID, though there was a
deoptimization environment assigned to the instruction. Record the
environment and use the deoptimization ID at the safepoint.
Review URL: http://codereview.chromium.org/6250105
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
If we, immediately after the deoptimization, but before actually
running the patched code, get a compacting GC, the addresses from the
calls might no longer be valid.
I have validated that this works by patching the existing code to
always do a compacting gc after we finish deoptimizing. I will create
a real regression test for this, but this includes additional code for
allowing us to force a deopt/opt from javascript test code. I will
land this in a seperate change.
Review URL: http://codereview.chromium.org/6349043
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6565 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Fixes JS portion of DefineOwnProperty when there is
an existing property and the new descriptor is generic.
Makes code follow spec steps more closely.
Fixes typo for check for unchanged enumerable in step 6.
Adds regression tests.
Fixes errors in object-define-property test
Don't normalize the JSGlobalProxy. Gets webkit http/tests/security/xss-DENIED-defineProperty.html working.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6561 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
other situations.
Do not use overwritten Object.prototype.hasOwnProperty and
Array.prototype.pop. Do not use split and join in the error formatting
implementation. They are too big to control and their generality is
not needed.
Review URL: http://codereview.chromium.org/6287041
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6552 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Change OSR stack check patching to use the stack check table to iterate over the calls to stack guards platform independent. Introduce Deoptimizer::PatchStackCheckAt for each platform to perform the platform specific patch at a given pc.
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/6392027
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6551 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
1. The placement of checks for negative zero has to be computed after
all conversion instructions have been inserted. I separated the code
into its own phase.
2. GVN need to take instruction flags into account when comparing
instructions for redundancy.
Review URL: http://codereview.chromium.org/6260035
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6534 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Deletion of global properties puts 'the hole' in the global property
cell and updates the property details in the property dictionary with
the information that the property has been deleted. When setting
global properties that have been deleted in generated code we just
store the new value in the global property cell. This does not update
the property details in the property dictionary. Therefore, it looks
like the property is not there eventhough it was just reintroduced.
Perform 'the hole' checks in generated code for global property stores
and bail out of ICs and optimized code if storing to a property cell
that contains 'the hole'.
Review URL: http://codereview.chromium.org/6306014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6508 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Refactor SafepointTableBuilder::DefineSafepoint and ARM LCodeGen::RecordSafepoint to use an enum for different kinds of safepoints. This change removes a lot of duplicated code and makes it easier to include new kinds of safepoints in the future. The remaining variants of LCodeGen::RecordSafepoint remain as a convinient way to record common safepoint kinds.
BUG=http://code.google.com/p/v8/issues/detail?id=1043
TEST=none
Review URL: http://codereview.chromium.org/6341008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6505 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
It is a type error to treat a flag (an enum) as if it were a flag mask (an
int derived from shifting a bit by the enum value). It is error prone to
have functions that take flag mask arguments because they will silently
accept flags.
Review URL: http://codereview.chromium.org/6373011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6500 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The former default was true. The new default is false and the default
implementation is UNREACHABLE so it asserts in debug builds. The function
is overridden in all concrete instruction classes that might have the flag
kUseGVN set.
Review URL: http://codereview.chromium.org/6255013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6493 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Before, we disabled code motion for check instructions on the final
optimization attempt. It is unsafe to prevent movement of check
instructions but to allow movement of instructions that assume the checks
were performed.
Review URL: http://codereview.chromium.org/6378012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6485 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Fix a bug in the --debug-code alignment check in the C entry stub.
Don't force the --debug-code flag in the ARM disassembler tests. The framework does support passing flags and the test runner will when running tests in debug mode.
Skip some deserialization tests which crashes from time to time.
Review URL: http://codereview.chromium.org/6393007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6484 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
To avoid deopts a few extra changes were needed:
o Enable megamorphic state for special property loads on
primitives. We used to flip between monomorphic stubs.
o Extract pure string (no string wrapper support) version of the
string length stub.
Review URL: http://codereview.chromium.org/6334015
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6472 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This implements the type recording binary operation stub for ARM. This first iteration only supports ADD. Handling of 32-bit integers is currently not implemented but just transitions. The generic case for now delegates to the generic binary operation stub.
Review URL: http://codereview.chromium.org/6342019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6471 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Code generated for checks starting with primitive receivers skips one step
in the usual prototype checking algorithm, so the holder must always be set.
Not setting the holder did not cause an immediate failure because our
primitives have additional hidden prototypes before the real prototypes.
These extra objects in the chain usually contain no properties and so
allowed the right holders to be selected.
Review URL: http://codereview.chromium.org/6353014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6459 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
ReferenceError.prototype.__proto__ which will make "error instanceof
Error" fail. However, the ReferenceError.prototype object itself
cannot be modified. Therefore, the error checks must check for
concrete error instances instead of only checking for Error.
Review URL: http://codereview.chromium.org/6388003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6450 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Change the ARM exit frame to have the same layout as the IA32 exit frame. This basically re-arranges the order of fp and sp and changes the sp location of the entry frame to hold the sp used by the gc and not the sp for popping the arguments. This removes the option of tearing down the frame and returning using one ldm instruction.
The main motivation for this is to avoid pushing an alignment word before generating the entry frame. The GC handling of optimized frames process the registers pushed as part of a safepoint and asumes that these are at the top of the frame, so if an alignment word is pushed this processing will be one off.
The alignment handling in the C entry stub have also been simplified. Now the value of lr is stored to a stack slot already reserved avoiding pushing it and keeping track of "frame skew".
This does result in more instructions in the exit frame on ARM, but we can look into improving this later.
Review URL: http://codereview.chromium.org/6247019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6448 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
files. On ARM it is not enough to iterate the relocation information
because that will only give us access to the constant pool and not to
the place in the instruction stream where the target in the constant
pool is called.
Review URL: http://codereview.chromium.org/6343005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6444 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The function Runtime_LookupContext searches the context chain for a
LOOKUP slot and returns the object holding the slot. It returned the
global context if the slot was not found or if it was found in a
function's context or arguments object. This is not the correct
object to use for 'delete'.
Since this lookup function is only ever used when deleting LOOKUP
slots (those that have to go through a with or a scope with eval), it
is simply replaced with a Runtime_DeleteContextSlot function that does
the appropriate thing for all kinds of context lookups.
This fixes Chromium bug 70066.
http://code.google.com/p/chromium/issues/detail?id=70066
Review URL: http://codereview.chromium.org/6280013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6442 ce2b1a6d-e550-0410-aec6-3dcde31c8c00