antonm@chromium.org
fed5622671
Better security checks when accessing named properties via Object.getOwnPropertyDescriptor.
...
Current approach returns undefined descriptor if caller is not granted v8::HAS_ACCESS.
If the caller has v8::HAS_ACCESS, for no JS accessors regular v8::GET_ACCESS check is
performed and value property of the descriptor is set to undefined if caller doesn't
have proper access. For JS accessors both v8::GET_ACCESS and v8::SET_ACCESS are checked
and affect if getter and setter would be stored in the descriptor.
Review URL: http://codereview.chromium.org/6286020
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6592 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 17:44:29 +00:00
kmillikin@chromium.org
f0573de367
Prepare push to trunk. Now working on version 3.1.2.
...
Review URL: http://codereview.chromium.org/6312090
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6587 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 16:02:11 +00:00
kmillikin@chromium.org
ca936dae9e
More of the fix for V8 issue 1079.
...
The arguments property of functions, if we find an optimized frame for
the function, is always a freshly allocated object. We never try to
find an existing arguments object.
Review URL: http://codereview.chromium.org/6349050
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6581 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 15:08:29 +00:00
antonm@chromium.org
be1f20f828
Follow up to r6540: remove early return from C++ builtin as well.
...
Review URL: http://codereview.chromium.org/6347037
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6580 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 14:17:47 +00:00
erik.corry@gmail.com
0097f005fd
Fix code generation bug on ARM in classic codegen.
...
Review URL: http://codereview.chromium.org/6246045
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6579 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 14:14:55 +00:00
kmillikin@chromium.org
63593f0996
Fix x64 DEBUG build.
...
TBR=whesse@chromium
Review URL: http://codereview.chromium.org/6349049
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6578 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 14:08:30 +00:00
lrn@chromium.org
2d15eb9a90
Fix bug in object literals with large array indexes as strings.
...
Review URL: http://codereview.chromium.org/6410028
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6577 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 14:02:58 +00:00
kmillikin@chromium.org
f1149734fc
Partial fix for V8 issue 1079.
...
Record a safepoint with a deoptimization id for throw in optimized code. We
don't seem to much care what the AST ID is because we will not be using it
for lazy deoptimization (throw doesn't return to the point of throw). For
hygiene we use the actual ID of the throw expression. Throw is no longer a
control-flow instruction, but it's followed by an unconditional abnormal
exit. This is required to insert a simulate between the throw and the exit.
Make our optimized treatment of Function.prototype.apply act like a call and
have side effects. This ensures that it will get a lazy deoptimization
environment. Use that deoptimization ID in the safepoint for the call.
Deleting a property was also missing a deoptimization ID, though there was a
deoptimization environment assigned to the instruction. Record the
environment and use the deoptimization ID at the safepoint.
Review URL: http://codereview.chromium.org/6250105
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 13:55:29 +00:00
vegorov@chromium.org
09b3041a57
GDBJIT: emit .eh_frame section on x64.
...
This enables proper stack unwinding on x64.
Currently this requires V8 to be compiled without snapshot and --gdbjit-full to be enabled.
Original patch by Sanjoy Das (http://codereview.chromium.org/6371011/ )
Review URL: http://codereview.chromium.org/6250104
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6575 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 13:32:18 +00:00
ager@chromium.org
73a4ecfae1
A MessageObject is a purely internal object to hold information about
...
an error message that needs to be generated and reported. This change
hides all of the error information from JavaScript code so user
callbacks cannot get hold of it.
Review URL: http://codereview.chromium.org/6368051
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6574 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 13:31:52 +00:00
whesse@chromium.org
a5f94a4862
Fix Math.pow(-0, 0.5) and Math.pow(-0, -0.5). These are not equal to sqrt(-0) and 1/sqrt(-0). Add tests for these cases. Fixes V8 issue 1088.
...
BUG=1088
TEST=test/mjsunit/math-pow.js
Review URL: http://codereview.chromium.org/6368050
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6573 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 12:54:58 +00:00
karlklose@chromium.org
8152635387
Extract platform independent part of RevertStackCheckCode.
...
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/6349046
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6572 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 11:58:24 +00:00
sgjesse@chromium.org
8fe563cba6
ARM: Refactor duplicated floating point code in type recording binary operation stub.
...
Review URL: http://codereview.chromium.org/6334045
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6570 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 10:30:41 +00:00
vegorov@chromium.org
6751627615
Require typed input representation for HTypeof hydrogen instruction.
...
BUG=http://code.google.com/p/chromium/issues/detail?id=71647
TEST=test/mjsunit/regress/regress-71647.js
Review URL: http://codereview.chromium.org/6410025
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6566 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 09:52:57 +00:00
ricow@chromium.org
cb0a7bc748
This fixes the issue with the deoptimizer trashing the reloc info before patching the code.
...
If we, immediately after the deoptimization, but before actually
running the patched code, get a compacting GC, the addresses from the
calls might no longer be valid.
I have validated that this works by patching the existing code to
always do a compacting gc after we finish deoptimizing. I will create
a real regression test for this, but this includes additional code for
allowing us to force a deopt/opt from javascript test code. I will
land this in a seperate change.
Review URL: http://codereview.chromium.org/6349043
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6565 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 09:40:09 +00:00
ricow@chromium.org
0dd951ee84
Revert revision 6555 as it causes win32 debug to fail.
...
Review URL: http://codereview.chromium.org/6349044
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6564 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 08:14:06 +00:00
vegorov@chromium.org
2c93e885f3
Switch from template functions overloading to partial template specialization.
...
This should fix compilation on old GCC.
Review URL: http://codereview.chromium.org/6350012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6563 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-01 20:47:53 +00:00
peterhal@chromium.org
5ca89179d7
Revert "Fix bugs 992 and 1083"
...
This reverts commit 6561 as the new assert caused failures in sputnik.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6562 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-01 20:08:01 +00:00
peterhal@chromium.org
9c89aa6dd9
Fix bugs 992 and 1083
...
Fixes JS portion of DefineOwnProperty when there is
an existing property and the new descriptor is generic.
Makes code follow spec steps more closely.
Fixes typo for check for unchanged enumerable in step 6.
Adds regression tests.
Fixes errors in object-define-property test
Don't normalize the JSGlobalProxy. Gets webkit http/tests/security/xss-DENIED-defineProperty.html working.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6561 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-01 17:08:14 +00:00
sgjesse@chromium.org
a453a3ce65
ARM: Add multiplication and modulus to the type recording binary operation stub.
...
For now the smi part only handles power of two right hand side operands.
Fixed a bug when loading floating point value into core registers with VFP supported.
Review URL: http://codereview.chromium.org/6312059
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6560 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-01 16:38:25 +00:00
mmaly@chromium.org
72b1d0c747
Fix Xcode project.
...
TBR=ager@chromium.org
Code review URL: http://codereview.chromium.org/6286016/
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6559 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-01 16:20:04 +00:00
mmaly@chromium.org
a0c96dc3fb
Fix error message name.
...
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6558 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-01 16:08:44 +00:00
vegorov@chromium.org
03e1036fde
Fix control flow resolution bug in lithium register allocator.
...
Review URL: http://codereview.chromium.org/6312057
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6556 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-01 14:33:23 +00:00
antonm@chromium.org
32a631d8bc
Compare JSObjects by identity immediately.
...
When invoking EQUALS JS builtin, 1st argument is passed as a receiver and
if it's a global object, it gets overwritten with global proxy object and
thus one gets incorrect results.
BUG=v8::1082
Review URL: http://codereview.chromium.org/6287018
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6555 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-01 13:29:37 +00:00
antonm@chromium.org
93f8e3d821
Temporary disable comparison of optimizability of code objects in some cases.
...
With crankshaft, a code object can change its optimizability: it can start as
optimizable code object, but later we can find out it was a bad idea to
optimize it. Alas, currently we don't have a proper event to communicate
this back to logger. Hence we temporary allow a code object to be viewed
as optimizable judging from logs while being unoptimizable judging from
heap traversal.
Review URL: http://codereview.chromium.org/6250054
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6553 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-01 12:39:02 +00:00
ager@chromium.org
471c0d2983
Avoid callbacks to user code during error formatting in a couple of
...
other situations.
Do not use overwritten Object.prototype.hasOwnProperty and
Array.prototype.pop. Do not use split and join in the error formatting
implementation. They are too big to control and their generality is
not needed.
Review URL: http://codereview.chromium.org/6287041
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6552 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-01 12:31:16 +00:00
karlklose@chromium.org
5264d17d8f
Change OSR stack check patching to use the stack check table.
...
Change OSR stack check patching to use the stack check table to iterate over the calls to stack guards platform independent. Introduce Deoptimizer::PatchStackCheckAt for each platform to perform the platform specific patch at a given pc.
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/6392027
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6551 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-01 11:18:45 +00:00
mmaly@chromium.org
aa779b3842
Fix V8 bug 1084: allow "\0" in strict mode as valid escape sequence.
...
http://code.google.com/p/v8/issues/detail?id=1084
Code Review URL: http://codereview.chromium.org/6386014/
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6550 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-31 22:35:27 +00:00
antonm@chromium.org
a38a8ffab0
ArraySplice builtin should return empty array and not alter receiver if invoked with no arguments.
...
Review URL: http://codereview.chromium.org/6357025
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6540 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-31 14:54:53 +00:00
antonm@chromium.org
1023f569b9
Perform security checks before fetching the value in Object.getOwnPropertyDescriptor.
...
Review URL: http://codereview.chromium.org/6386022
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6539 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-31 13:49:15 +00:00
antonm@chromium.org
65465f5228
Add entries for build products of OOM dump utility into .gitignore.
...
Review URL: http://codereview.chromium.org/6409008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6538 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-31 13:33:09 +00:00
whesse@chromium.org
cc90e3e54b
Fix typo in Changelog, date in version.cc.
...
Review URL: http://codereview.chromium.org/6287016
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6535 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-31 12:37:19 +00:00
fschneider@chromium.org
4e7ddab6dc
Fix a bug in the placement of minus-zero checks and in GVN.
...
1. The placement of checks for negative zero has to be computed after
all conversion instructions have been inserted. I separated the code
into its own phase.
2. GVN need to take instruction flags into account when comparing
instructions for redundancy.
Review URL: http://codereview.chromium.org/6260035
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6534 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-31 12:36:54 +00:00
whesse@chromium.org
09368a0af6
Prepare push to trunk. Now working on version 3.1.1.
...
Review URL: http://codereview.chromium.org/6347035
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6532 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-31 10:25:44 +00:00
ager@chromium.org
8198db7934
ARM: Add support for DoMathAbs with double inputs.
...
Adds vabs instruction to simulator, assembler, disassembler and tests.
BUG=none
TEST=Added to cctest.
Review URL: http://codereview.chromium.org/6366016
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6531 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-31 10:16:28 +00:00
ager@chromium.org
0a9004aa07
Adding vendor prefix to Locale class (becoming v8Locale) to minimize risk of future changes.
...
Review URL: http://codereview.chromium.org/6332022
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6530 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-31 09:58:12 +00:00
fschneider@chromium.org
e3366d8bf5
Fix bug in tail call of builtin in the ToNumber stub on ARM.
...
Review URL: http://codereview.chromium.org/6255017
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6529 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-28 17:24:10 +00:00
kmillikin@chromium.org
78b9981b90
Revert "Add custom typed ICs for pixel array loads. "
...
This change caused failures in (out of bounds) keyed loads of strings.
TBR'd.
Review URL: http://codereview.chromium.org/6298019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6528 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-28 15:07:04 +00:00
fschneider@chromium.org
24843d6310
Introduce ToNumber stub and use it in non-optimized code for to-number conversion.
...
This stub is used for increment/decrement operations and unary plus.
The resulting code is more compact and faster than calling a JS builtin.
Review URL: http://codereview.chromium.org/6350021
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6527 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-28 14:18:26 +00:00
danno@chromium.org
afd0906204
Add custom typed ICs for pixel array loads.
...
Review URL: http://codereview.chromium.org/6323002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6526 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-28 14:06:20 +00:00
antonm@chromium.org
3d4c4951aa
Clarify some details of global objects implementation.
...
Review URL: http://codereview.chromium.org/6386011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6525 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-28 13:41:19 +00:00
ager@chromium.org
f8b74a1541
Avoid using Function.prototype.call in a number of places in our
...
builtins files. We should always use %_CallFunction for a couple of
reasons: it cannot be overwritten and it does not wrap basic types in
wrapper objects.
Review URL: http://codereview.chromium.org/6349018
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6524 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-28 10:33:10 +00:00
ager@chromium.org
4968d50d8f
Prepare push to trunk. Now working on version 3.1.0.
...
Review URL: http://codereview.chromium.org/6286014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6520 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-28 07:55:43 +00:00
antonm@chromium.org
c5c4f0eda5
Revert "Unification: introduce ExternalReference::pending_exception_address()."
...
This reverts r6518.
TBR=ager@chromium.org
Review URL: http://codereview.chromium.org/6359015
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6519 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-27 18:21:07 +00:00
antonm@chromium.org
bea909a9bf
Unification: introduce ExternalReference::pending_exception_address().
...
Review URL: http://codereview.chromium.org/6335016
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6518 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-27 18:10:45 +00:00
ricow@chromium.org
b4a2e91d45
Implement DoGlobalReceiver and DoCheckFunction lithium instructions on x64
...
Review URL: http://codereview.chromium.org/6277024
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6517 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-27 16:41:43 +00:00
antonm@chromium.org
1c144edd95
Do not set result_ prematurely.
...
If ConfigureGlobalObjects below will fail, we still decide that initialidation
went smoothly as we check emptiness of result_ handle to see if initialisation
failed or not.
Review URL: http://codereview.chromium.org/6347021
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6516 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-27 16:17:13 +00:00
antonm@chromium.org
67f3a0e7f5
Better name for ShouldReturnException which actually should be ShouldReportException.
...
Review URL: http://codereview.chromium.org/6368019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6515 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-27 14:25:37 +00:00
fschneider@chromium.org
d82332ebb7
Cleanup unused code from the type oracle.
...
Review URL: http://codereview.chromium.org/6135004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6514 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-27 14:04:07 +00:00
vegorov@chromium.org
af81c537b2
Fix id for HandleScope::DeleteExtensions and Factory::arguments_marker() in serializer.
...
Review URL: http://codereview.chromium.org/6357020
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6513 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-27 13:17:34 +00:00