AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
6,506 Commits 1 Branch 0 Tags 839 MiB
3f84fcf6c9
Commit Graph

316 Commits

Author SHA1 Message Date
kmillikin@chromium.org
3f84fcf6c9 Fix a bug in Object.defineProperty. 
There was a bug in Object.defineProperty when used to add an indexed
property to an arguments object.  When converting the elements backing
store to dictionary mode, the parameter map in front of the backing
store does not change.

R=ager@chromium.org,karlklose@chromium.org

Review URL: http://codereview.chromium.org/7289011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8481 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-30 11:11:19 +00:00
keuchel@chromium.org
3f70c456eb Fix "illegal access" when calling parseInt with a radix that is not a smi. 
BUG=v8:1246
TEST=regress-1246.js

Review URL: http://codereview.chromium.org/7206019

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8444 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-28 12:31:42 +00:00
ager@chromium.org
89cc886ba7 Fix receiver check in arguments ICs. 
The receiver needs to be checked in the same way as all other KeyedLoadICs to take non-JSObject and objects that require access checks or has interceptors into account.

R=sgjesse@chromium.org
BUG=87478
TEST=mjsunit/regress/regress-crbug-87478.js

Review URL: http://codereview.chromium.org/7259015

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8429 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-27 13:02:51 +00:00
fschneider@chromium.org
4bc671c2b0 Add missing write barrier for arguments store ICs. 
Review URL: http://codereview.chromium.org/7207006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8390 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-23 09:20:07 +00:00
ager@chromium.org
a96b9156a3 Correctly handle non-array receivers in Array length setter. 
BUG=v8:1491
TEST=mjsunit/regress/regress-1491.js

Review URL: http://codereview.chromium.org/7206038

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8343 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-21 08:07:45 +00:00
erik.corry@gmail.com
c95ecb1fcd Refix issue 1472. The previous fix worked for the example in the bug 
report, but was not general enough to catch all cases.  This is a new
approach.  Includes regression test!
Review URL: http://codereview.chromium.org/7193007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8318 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-17 08:01:12 +00:00
lrn@chromium.org
ee59eff127 Make line-terminators inside multi-line comments count. 
Now follows the specification. Follows WebKit change in revision 89100.

BUG=86431
TEST=regress-892742

Review URL: http://codereview.chromium.org/7184034

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8317 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-17 07:23:07 +00:00
karlklose@chromium.org
f4e4bc43a8 Merge arguments branch to bleeding edge (second try). 
Review URL: http://codereview.chromium.org/7187007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8315 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-16 14:12:58 +00:00
karlklose@chromium.org
cc19d1e278 Revert "Merge arguments branch to bleeding merge." 
This reverts commit ceb31498b9d69edca3260820fb4047045891ce6d.

TBR=kmillikin@chromium.org

Review URL: http://codereview.chromium.org/7172030

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8308 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-16 06:37:49 +00:00
vegorov@chromium.org
14bf246dfa Add missing branches in code generated for LModI with power-of-2 divisor. 
BUG=v8:1476
TEST=test/mjsunit/regress/regress-1476.js

Review URL: http://codereview.chromium.org/7097015

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8301 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-15 19:57:39 +00:00
karlklose@chromium.org
6cfeb2d400 Merge arguments branch to bleeding merge. 
Review URL: http://codereview.chromium.org/7167006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8300 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-15 15:09:28 +00:00
ricow@chromium.org
23d0aa614b Ensure that bound functions does not have a prototype (fixes issue 794) 
Review URL: http://codereview.chromium.org/7148014

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8293 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-15 10:47:37 +00:00
ager@chromium.org
aa7ad8ee9d Fix issue 1447 by not redefining properties unneccesarily in seal and freeze. 
This avoids attempting to redefine function.arguments with a different
value than the current one. function.arguments returns a new copy on
each invocation.

R=lrn@chromium.org
BUG=v8:1447
TEST=mjsunit/regress/regress-1447.js

Review URL: http://codereview.chromium.org/7044104

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8258 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-10 09:45:02 +00:00
whesse@chromium.org
c40aa827bf Add boolean flag to HChange and LNumberUntagD to not convert undefined to NaN. 
This is needed so that HCompare, optimized for double inputs, works correctly on undefined inputs.
BUG=v8:1434
TEST=mjsunit/bugs/bug-1434.js

Review URL: http://codereview.chromium.org/7044049

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8237 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-09 12:27:28 +00:00
fschneider@chromium.org
68eab4a8d8 Fix bug with GVN on array loads. 
This fixes a bug where an array load was incorrectly hoisted by GVN.

BUG=85177
TEST=mjsunit/regress/regress-85177.js
Review URL: http://codereview.chromium.org/7003054

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8230 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-09 11:15:03 +00:00
ager@chromium.org
626cdffaef Fix Array.prototype.{reduce,reduceRight} to pass undefined as receiver for strict mode callbacks. 
Propagate strict mode information from pre-parser to parser for lazily compiled functions.

R=lrn@chromium.org
BUG=v8:1436
TEST=mjsunit/regress/regress-1436.js

Review URL: http://codereview.chromium.org/7044054

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8227 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-09 09:05:15 +00:00
whesse@chromium.org
1ea14c2041 Limit the number of arguments in a function call to 32766. 
Limit the number of arguments in a function call to 32766.  This is identical
to the limit on the number of parameters to a function.

BUG=v8:1413
TEST=

Review URL: http://codereview.chromium.org/7054074

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8194 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-07 08:15:47 +00:00
fschneider@chromium.org
7c9cf0b3a1 Re-land r8140: Deoptimize on never-executed code-paths. 
Original cl: http://codereview.chromium.org/7105015

I'm removing the test GlobalLoadICGC test that was introduced for testing
inlined global cell loads (in the classic backend) and has an invalid assumption
about the number of global objects referenced from a v8 context. We don't have
this feature with Crankshaft anymore.
Review URL: http://codereview.chromium.org/7112032

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8185 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-06 14:57:25 +00:00
kmillikin@chromium.org
6a81642f31 Fix a bug in Lithium environment iteration. 
The Advance() function of the class responsible for iterating
environment uses didn't always advance as far as it could (relying on
the HasNext predicate to finish advancing).  This is brittle.

The HasNext predicate also didn't advance as far as it could when it
was at the end of an environment level.  This is a bug.

R=jkummerow@chromium.org
BUG=
TEST=

Review URL: http://codereview.chromium.org/6993023

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8181 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-06 11:30:17 +00:00
erik.corry@gmail.com
0023cacc22 Fix traversal of the map transition tree to take the prototype 
transitions into account.
Review URL: http://codereview.chromium.org/7074052

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8165 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-03 14:48:09 +00:00
fschneider@chromium.org
ff76d1ab0c Revert r8140. 
It breaks test when running with nosnapshot.
TBR=ager@chromium.org
Review URL: http://codereview.chromium.org/7027029

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8145 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-01 13:34:15 +00:00
fschneider@chromium.org
0aa422923c Eagerly deoptimize on never-executed code-paths. 
If type-feedback indicates that an expression was never executed in
the non-optimized code, we insert a forced deoptimization right away
to enable re-optimization if we ever hit this path.

With this change we still continue to build the graph. As a next step, we
should remove the dead code after the deoptimize.

I had to remove one assert about the optimization status in a test since
we now immediately deoptimize after exiting the loop that triggers OSR.

Also remove a restriction that control-flow from an inlined function in a
test context always reaches both true- and false-target.
Review URL: http://codereview.chromium.org/7105015

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8140 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-06-01 11:04:40 +00:00
ager@chromium.org
544191e718 Update apply with arguments optimization for strict mode functions and builtins. 
Do not convert to object for values for strict-mode functions and
builtins.

R=ricow@chromium.org
BUG=v8:1412
TEST=mjsunit/regress/regress-1412.js

Review URL: http://codereview.chromium.org/7096006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8120 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-31 10:38:41 +00:00
ager@chromium.org
a01b45df58 Fix a number of tests that incorrectly used assertUnreachable. 
Our testing infrastructure uses exceptions to indicate
errors. assertUnreachable therefore throws an exception to indicate
that it was reached. Therefore, it cannot be used to check that an
exception was thrown using the pattern:

try {
  shouldThrow();
  assertUnreachable();
} catch(e) {
}

Such a test will always pass because assertUnreachable will throw an
exception if shouldThrow does not.

R=ricow@chromium.org

Review URL: http://codereview.chromium.org/7053035

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8117 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-31 08:08:42 +00:00
ager@chromium.org
bfa2ef1f11 Fix receiver for calls to strict-mode and builtin functions that are 
potentially shadowed by eval.

R=sgjesse@chromium.org
TEST=mjsunit/regress/regress-124.js

Review URL: http://codereview.chromium.org/7096004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8116 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-31 07:57:22 +00:00
ager@chromium.org
017935408d Reapply change to Pass undefined to JS builtins when called with 
implicit receiver.

A couple of corner cases have to be treated specially to not break
everything: eval and getter/setter definitions.

R=fschneider@chromium.org
BUG=v8:1365
TEST=mjsunit/regress/regress-1365.js

Review URL: http://codereview.chromium.org/7085034

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8110 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-30 13:49:22 +00:00
ricow@chromium.org
7eb6f5c1ba Correctly set the length of string before creating filler object in the json parser (fixes crbug 84186). 
Testcase created based on the supplied test case from the bug report, but using json parse directly instead of through the chrome javascript console. 
Review URL: http://codereview.chromium.org/7084023

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8089 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-30 06:04:36 +00:00
ager@chromium.org
c832c467a4 Revert "Pass undefined to JS builtins when called with implicit receiver." 
Presubmit and failing test.

TBR=lrn@chromium.org
BUG=
TEST=

Review URL: http://codereview.chromium.org/7071009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8075 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-26 11:22:29 +00:00
ager@chromium.org
19b718fe73 Pass undefined to JS builtins when called with implicit receiver. 
A couple of corner cases have to be treated specially to not break
everything: eval and getter/setter definitions.

R=lrn@chromium.org
BUG=v8:1365
TEST=mjsunit/regress/regress-1365.js

Review URL: http://codereview.chromium.org/7068009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8073 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-26 11:07:48 +00:00
lrn@chromium.org
02c4e8bfcb Make RegExp objects not callable. 
Review URL: http://codereview.chromium.org/6930006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8068 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-26 07:35:09 +00:00
ricow@chromium.org
f675db651d Change calls to undefined property setters to not throw (fixes issue 1355). 
We currently throw when there is only a getter defined on the
property, but this should only be the case in strict mode.
Review URL: http://codereview.chromium.org/7064027

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8054 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-25 08:37:38 +00:00
sgjesse@chromium.org
eff2946b9b Handle changes to the Object prototype in fast handling of arrays 
R=ager@chromium.org

BUG=v8:1403
TEST=test/mjsunit/regress/regress-1403.js

Review URL: http://codereview.chromium.org//7067019

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8032 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-24 12:28:10 +00:00
ricow@chromium.org
ab67432ed0 Change strict mode poison pill to be the samme type error function (fixes issue 1387). 
We are now following the spec, and with regards to the error message we are following firefox (webkit still has different type errors in their nightly)
Review URL: http://codereview.chromium.org/7067017

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8026 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-24 11:07:06 +00:00
sgjesse@chromium.org
825a433900 Add regression test for issue 1401 
R=ager@chromium.org

BUG=v8:1401
TEST=test/regress/regress-1401.js

Review URL: http://codereview.chromium.org//7062002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7995 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-23 13:03:45 +00:00
ager@chromium.org
98778dc802 Remove execScript from V8. No longer present i neither Firefox nor Safari. 
R=ricow@chromium.org
BUG=
TEST=

Review URL: http://codereview.chromium.org/7046002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7948 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-19 08:10:27 +00:00
vegorov@chromium.org
7fba506f23 Add regression test for http://crbug.com/82769 
Review URL: http://codereview.chromium.org/7034025

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7933 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-18 12:46:21 +00:00
whesse@chromium.org
0eca2b4fc1 Fix error in postfix ++ in Crankshaft. 
Add HForceRepresentation, to represent the implicit ToNumber applied to the input of a count operation.

BUG=v8:1389

TEST=

Review URL: http://codereview.chromium.org/7033008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7913 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-17 11:41:59 +00:00
ricow@chromium.org
964dbff40d Only send null or undefined as receiver for es5 natives, not generally 
for builtin functions.
Review URL: http://codereview.chromium.org/7012012

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7879 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-13 07:26:44 +00:00
ricow@chromium.org
7f8a918f08 Allow strict mode flag as extraicstate for keyed external array store ic 
We currently hit an assertion in computeflags, but the extra_ic_state is used to pass the strict mode flag in.

BUG: 1383
Review URL: http://codereview.chromium.org/7003022

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7847 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-11 08:53:46 +00:00
jkummerow@chromium.org
1eedd8056d Fix timeout of test regress-1118.js 
TEST=mjsunit/regress/regress-1118.js no longer times out when run in the ARM simulator.

Review URL: http://codereview.chromium.org/6994010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7843 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-10 15:07:30 +00:00
ager@chromium.org
0961b1a936 Check that receiver is JSObject on API calls. 
R=sgjesse@chromium.org
BUG=v8:1369
TEST=mjsunit/regress/regress-1369.js

Review URL: http://codereview.chromium.org/6931056

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7808 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-06 14:14:16 +00:00
karlklose@chromium.org
d43066050a Replace loops by OptimizeFunctionOnNextCall in regress-1085 and regress-1210. 
Review URL: http://codereview.chromium.org/6938001

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7800 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-06 09:10:28 +00:00
ricow@chromium.org
e0eb110130 Reapply 7763, including arm and x64 variants. 
The only difference to revision 7763 is the implementation in the
builtins file for arm and x64, plus a move of Array.prototype.toString
and Array.prototype.toLocaleString from should throw on null or
undefined to the non generic test cases in the function-call test (due
to us not currently supporting generic cases with these to functions)
Review URL: http://codereview.chromium.org/6928007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7786 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-05 05:21:30 +00:00
karlklose@chromium.org
8b917d4d96 Replace long running loops by OptimizeFunctionOnNextCall in some tests that are often timing out on ARM. 
Review URL: http://codereview.chromium.org/6910022

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7765 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-03 13:53:08 +00:00
ricow@chromium.org
4d890da191 Revert 7763, missing implementation on x64 and arm for call and apply with null or undefined. 
Review URL: http://codereview.chromium.org/6913024

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7764 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-03 13:45:19 +00:00
ricow@chromium.org
2b730c2bf6 Don't exchange null and undefined with the global object in function.prototype.{call, apply} for natives. 
This makes us compatible with firefox in throwing an exception when
call is invoked on a builtin with null as the this argument.
Review URL: http://codereview.chromium.org/6902104

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7763 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-03 13:19:04 +00:00
lrn@chromium.org
d1411602a7 Don't allow whitespace after sign characters in parseInt. 
BUG=v8:955
TEST=mjsunit/regress/regress-955

Review URL: http://codereview.chromium.org/6903171

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7755 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-03 07:11:17 +00:00
kmillikin@chromium.org
1af840ad4c Be more discriminating about uses of the arguments object in optimized code. 
Because we track the value of the arguments object, we need to check
values whenever plugged into a forbidden value context.  It is not
enough to check at only variable references as we did previously.

R=fschneider@chromium.org
BUG=1351
TEST=regress-1351.js

Review URL: http://codereview.chromium.org/6902202

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7739 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-05-02 11:35:51 +00:00
vegorov@chromium.org
1c950e04cc Fix missing writebarrier in ArraySplice builtin. 
Review URL: http://codereview.chromium.org/6883227

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7706 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-04-28 16:03:40 +00:00
karlklose@chromium.org
3b6fe22c4d Make throw inlineable only if the exception is inlineable. 
BUG=1337
TEST=regress-1337

Review URL: http://codereview.chromium.org/6881079

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7671 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2011-04-20 09:15:52 +00:00