antonm@chromium.org
5d3430a509
Fix forging of object's identity hashes.
...
Do not do standard property lookup on hidden properties object as it might
reach Object.prototype which can be altered to forge identity hashes.
Instead do only local lookup.
Review URL: http://codereview.chromium.org/6472001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6728 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-10 14:09:52 +00:00
fschneider@chromium.org
5b753cecb6
Check holder before optimizing calls to global functions.
...
In the case where the function is not found in the global object,
we have to generate a generic call.
BUG=v8:1106
TEST=mjsunit/regress/regress-1106.js
Review URL: http://codereview.chromium.org/6483010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6727 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-10 12:33:51 +00:00
vegorov@chromium.org
49adfd0f0a
Bailout from PrepareSlowElementsForSort when hiting a key outside of smi-range.
...
BUG=v8:1131
TEST=test/mjsunit/regress/regress-1131.js
Review URL: http://codereview.chromium.org/6469006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6726 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-10 12:33:34 +00:00
danno@chromium.org
1bd9f602be
Implement crankshaft support for pixel array loads.
...
Review URL: http://codereview.chromium.org/6410112
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6725 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-10 12:02:36 +00:00
fschneider@chromium.org
73fe82426f
Strengthen requirements for fixed registers at calls.
...
Already done on ia-32. This change is for x64 and ARM.
We now always require fixed input registers at calls to
avoid overlap with temp registers.
This fixes the affected instructions on ARM.
Review URL: http://codereview.chromium.org/6471021
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6722 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-10 10:31:55 +00:00
kmillikin@chromium.org
c0fd053982
Fix a representation change bug in the Hydrogen graph construction.
...
We could try to treat an HPhi as an HInstruction because the code did
not properly handle the case of a phi in a block with itself as one of
the predecessors.
BUG=v8:1134
Review URL: http://codereview.chromium.org/6471020
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6721 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-10 10:28:59 +00:00
kmillikin@chromium.org
e88f25f6dc
Insert a space to please our presubmit overlords.
...
Review URL: http://codereview.chromium.org/6480027
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6715 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-10 09:16:33 +00:00
fschneider@chromium.org
de06cd58a3
Fix bug in register requirements for function.apply.
...
Whenever we use a fixed temp at a call that can eagerly deopt we
now allow fixed register exclusively to avoid any overlap.
Review URL: http://codereview.chromium.org/6479014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6714 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-10 09:12:38 +00:00
kmillikin@chromium.org
ebebcae4c2
Allow esi to be an allocatable register on IA32.
...
Make esi available to the register allocator rather than dedicating it
permanently to the context.
The context is still passed in register esi to JavaScript and to the runtime
as part of the calling convention. Because some stubs might end up calling
JS or the runtime, it is also conservatively passed to stubs.
Roughly half the calls have been modified to use the context as an input
value in fixed register esi. The other half are marked as calls or deferred
code so esi is spilled and can be explicitly set.
It is no longer necessary to restore the context to esi after a call that
might change it.
Review URL: http://codereview.chromium.org/6452001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6713 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-10 09:00:50 +00:00
mikhail.naganov@gmail.com
12e62e7154
Shorten constructor names in JS tickprocessor.
...
As they are no more used in DevTools profiler, there is no
need to prefix them with "devtools.profiler" namespace.
Review URL: http://codereview.chromium.org/6456025
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6712 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-10 07:47:28 +00:00
antonm@chromium.org
2f17f3e5d7
Do not invoke any setters when forming stack trace JS object.
...
Review URL: http://codereview.chromium.org/6463022
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6709 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 19:34:04 +00:00
antonm@chromium.org
47a22dcecd
Reapply http://code.google.com/p/v8/source/detail?r=6555
...
Compare JSObjects by identity immediately.
When invoking EQUALS JS builtin, 1st argument is passed as a receiver and
if it's a global object, it gets overwritten with global proxy object and
thus one gets incorrect results.
BUG=v8:1082
TBR=ricow@chromium.org
Review URL: http://codereview.chromium.org/6461028
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6708 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 19:09:26 +00:00
kmillikin@chromium.org
dc91c4218b
Make optimized Function.prototype.apply safe for non-JSObject first arguments.
...
If we have a property access of the form this.x, where the access site sees
the global object, we can specialize the IC stub so that it performs a map
check without first performing a heap object check.
Ensure that we do not get in JS code with a non-JSObject this value by
deoptimizing at Function.prototype.apply if the first argument is not a
JSObject.
BUG=v8:1128
Review URL: http://codereview.chromium.org/6463025
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6707 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 16:43:23 +00:00
whesse@chromium.org
e0422e5401
Make VS2005 project files compile without errors: changelist http://codereview.chromium.org/6286135/ .
...
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6706 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 15:58:55 +00:00
whesse@chromium.org
0fb5a1fd1a
Add a regression test for issue 1106, optimized access to the prototype chain of the global object.
...
Review URL: http://codereview.chromium.org/6459023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6705 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 15:50:39 +00:00
sgjesse@chromium.org
dabc590527
ARM: Add type-feedback recording for compare
...
Change the comparison in the full code generator to use CompareIC instead of the CompareStub to record the types. This also implements the patching in the full code generator where the inlined smi code is de-activated by default to call the CompareIC once and then activating the inlined smi code by patching the code.
Fixed the smi comparison in the ICCompareStub.
Fixed ToBooleanStub to ensure that the scratch register used is not the input. Use r9 as default as that will never be input with Crankshaft.
Implemented lithium instruction CmpTAndBranch.
Make sure that the lithium instruction CmpID have operands in registrers as the current optimized code expects that.
Review URL: http://codereview.chromium.org/6461017
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6704 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 14:57:24 +00:00
ager@chromium.org
d5851dcde0
x64: Enable inline smi code patching to reenable the inlined code in
...
the code generated by the full code generator after my previous
change.
The generated code is the same as on ia32 and so is the patching.
Review URL: http://codereview.chromium.org/6456023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6703 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 14:51:38 +00:00
erik.corry@gmail.com
6cfac3c48b
Prepare push to trunk. Now working on version 3.1.4.
...
Review URL: http://codereview.chromium.org/6458026
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6702 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 14:41:22 +00:00
lrn@chromium.org
d358e2ecd3
Fix incorrect asserts in scanner.
...
BUG=v8::1126
TEST=test/mjsunit/regress/regress-1126.js
Review URL: http://codereview.chromium.org/6459021
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6701 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 14:16:25 +00:00
floitschV8@gmail.com
96c4f62b73
Add two tests to strtod.
...
Review URL: http://codereview.chromium.org/6461018
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6700 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 14:12:31 +00:00
whesse@chromium.org
8d3d77055c
Fix assert error on ARM triggered by large numbers of function parameters.
...
Review URL: http://codereview.chromium.org/6458027
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6699 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 13:56:35 +00:00
whesse@chromium.org
afec61e870
Fix typo in r6697: Use assertThrows correctly in the added test regress-1122.js.
...
Review URL: http://codereview.chromium.org/6460030
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6698 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 13:16:40 +00:00
whesse@chromium.org
602d5cf427
Fix a bug that occurs when functions are defined with more than 16,382 parameters.
...
Review URL: http://codereview.chromium.org/6447007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6697 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 12:46:22 +00:00
fschneider@chromium.org
eec7bc8e60
Change the code for materializing double constants on ia32.
...
Instead of using the stack, use a temporary integer register
and avoid memory access.
Review URL: http://codereview.chromium.org/6452002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6696 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 12:39:15 +00:00
ricow@chromium.org
baa3eed710
Change our zap values from hex numbers tagged as a heap object to hex numbers tagged as a failure.
...
Since our zap values are valid heap object addreses we might hit asserts if a heap object gets the value of a zap constant as its address.
Review URL: http://codereview.chromium.org/6456022
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6695 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 12:35:18 +00:00
kmillikin@chromium.org
991a1cae12
Fix an assertion failure in stack trace construction.
...
When constructing stack traces we interpret the deoptimization data for
optimized frames to find the receiver value. This value could sometimes be
eliminated from the deoptimization data if we though it was unused.
BUG=v8:1118
Review URL: http://codereview.chromium.org/6465023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6694 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 11:45:50 +00:00
antonm@chromium.org
d724993138
Use GC-safe version when setting elements.
...
BUG=1125
TEST=test/mjsunit/regress/regress-1125.js
Review URL: http://codereview.chromium.org/6463001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6693 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 11:38:10 +00:00
antonm@chromium.org
492ef6ee7a
Do sanity check of exception state when returning from native to JS.
...
If --debug-code is on, check that returned value and Top::has_pending_exception
agree on exception state.
Review URL: http://codereview.chromium.org/6450004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6692 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 20:13:08 +00:00
antonm@chromium.org
cf30cefda7
Check if Array.prototype.__proto__ has been reset to null.
...
BUG=v8:1121
TEST=test/mjsunit/regress/regress-1121.js
Review URL: http://codereview.chromium.org/6454004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6691 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 19:56:44 +00:00
ager@chromium.org
40dd216b53
Port fix for duplicate AST ID for deoptimization to ARM and x64.
...
Review URL: http://codereview.chromium.org/6458001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6690 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 19:42:24 +00:00
antonm@chromium.org
0273e8185b
Propagate exceptions thrown when setting elements.
...
Plus use more robust path when formatting messages---work
directly with fixed arrays.
BUG=v8:1107
TEST=test/mjsunit/getter-in-prototype.js,test/mjsunit/regress/regress-1107.js
Review URL: http://codereview.chromium.org/6451004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6689 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 19:42:14 +00:00
antonm@chromium.org
e300c3cccc
We cannot assert that v8 is running in fatal error callback.
...
BUG=v8:1111
Review URL: http://codereview.chromium.org/6450005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6688 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 19:19:42 +00:00
antonm@chromium.org
da8b72f2b8
1) Return failure if any of property sets failed;
...
2) We cannot assert the declared property will go to the extension in the presence of callbacks and interceptors.
BUG=1119
TEST=test/mjsunit/regress/regress-1119.js
Review URL: http://codereview.chromium.org/6454011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6687 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 19:04:17 +00:00
ager@chromium.org
096c21522b
Fix wrong assumption in parser that parsing a function literal cannot throw an exception.
...
Review URL: http://codereview.chromium.org/6453009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6686 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 18:46:13 +00:00
ager@chromium.org
a9a9111938
ARM: Fix condition usage in DeoptimizeIf().
...
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/6447003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6685 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 18:09:19 +00:00
vegorov@chromium.org
721b60d3f5
Check for overflow when bumping new space's top in inlined allocation.
...
BUG=v8:1109
TEST=test/mjsunit/regress/regress-1109.js
Review URL: http://codereview.chromium.org/6453005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6684 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 17:25:40 +00:00
ager@chromium.org
8c6c273236
Fix issues with using defineProperty on the global proxy object.
...
Review URL: http://codereview.chromium.org/6452004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6683 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 16:31:58 +00:00
kmillikin@chromium.org
27ed4d3a1a
Prepare for bailout with the proper state at labeled block entries.
...
The state here should be NO_REGISTERS. It was spuriously changed to from
NO_REGISTERS to TOS_REG when TOS_EAX was renamed to TOS_REG.
BUG=v8:1113
Review URL: http://codereview.chromium.org/6452007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6682 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 15:51:49 +00:00
ricow@chromium.org
f64966085e
x64: Add MulI and DivI to lithium instructions.
...
Review URL: http://codereview.chromium.org/6448001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6681 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 14:37:50 +00:00
lrn@chromium.org
2f32f27e8f
Correct propagation of exceptions from setters.
...
BUG=v8:1105
TEST=test/mjsunit/regress/regress-1105.js
Review URL: http://codereview.chromium.org/6451003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6680 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 14:04:27 +00:00
kmillikin@chromium.org
bf3c3eb9cb
Fix a possible duplicate AST ID for deoptimization.
...
For redeclarations of variables that alias the parameters in functions
using arguments, we need to avoid re-visiting the shared variable
rewrite.
BUG=v8:1104
Review URL: http://codereview.chromium.org/6453004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6679 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 14:00:22 +00:00
whesse@chromium.org
39c855bd48
Bailout from crankshaft if a global property is found in the prototype chain of the global object, not on the global object itself.
...
Review URL: http://codereview.chromium.org/6449002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6678 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 13:28:09 +00:00
ricow@chromium.org
20f2c1c98a
Make sure that we do not call is_extensible on the global proxy.
...
When calling Object.isExtensible we did not do a check for the global
js proxy. This caused the check on the extensible bit on the map to
return true, even when the bit was set to false on the global js
object.
Review URL: http://codereview.chromium.org/6450003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6677 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 13:09:07 +00:00
vegorov@chromium.org
a2c9ca7464
Speedup decodeURI/decodeURIComponent by switching from charAt(i) to charCodeAt(i) in Decode.
...
Original patch by Alexander Karpinsky.
Review URL: http://codereview.chromium.org/6440001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6676 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 13:01:34 +00:00
ricow@chromium.org
81787f986b
Make sure that we never call prevent extension on the global proxy,
...
but instead call this on the global object.
BUG: 1103
Review URL: http://codereview.chromium.org/6454001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6675 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 12:41:16 +00:00
lrn@chromium.org
48fadffcc4
Fix bug in JSON.parse for objects containing "__proto__" as key.
...
It added the __proto__ key as a normal key, which made it visible
in enumeration, while reading still hit the hard-coded accessor.
Review URL: http://codereview.chromium.org/6451002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6674 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 11:38:15 +00:00
whesse@chromium.org
46e82e2f7e
X64 Crankshaft: Implement DoCodeStub on X64 platform.
...
Review URL: http://codereview.chromium.org/6451001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6673 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 11:26:42 +00:00
fschneider@chromium.org
f740d1adbe
Refactor lithium instructions for constants.
...
1. Remove unnecessary superlcass LConstant.
2. Use hydrogen accessor instead of duplicating the value.
Review URL: http://codereview.chromium.org/6410120
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6672 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 10:45:21 +00:00
vegorov@chromium.org
76cf30d9c8
Support %_IsConstructCall in the Crankshaft pipeline.
...
Provide special case for f.bind(obj).
Review URL: http://codereview.chromium.org/6368138
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6671 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 10:08:47 +00:00
whesse@chromium.org
fde8419697
X64 Crankshaft: Use TypeRecordingBinaryStub in crankshaft.
...
Review URL: http://codereview.chromium.org/6449001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6670 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 09:43:24 +00:00