This instruction only depends on the prototype and the holder and can
completely ignore the receiver and its map.
This change also fixes a small bug on arm where a cell was loaded
instead of the prototype from new space.
Review URL: http://codereview.chromium.org/6094020
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6290 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
If the instanceof is performed against what is believed to be a constant global function, inline the instanceof check and have the call to the instanceof stub in deferred code. The inlined check will be patched by the instanceof stub when called from deferred code. This is indicated by the lithium instruction LInstanceOfKnownGlobal.
To help the patching, the delta from the return address to the patch site is placed just below the return address in the edi slot of the pushad/popad area. This is safe because the edi register (which is pushed last) is a temporary for the lithium instruction.
As the instanceof stub can call other JavaScript, an additional marking for saving all double registers has been added.
Also tweaked the instanceof stub to produce true/false objects instead of 0/1 for the case with deferred code.
Review URL: http://codereview.chromium.org/5990005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6173 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The function HEnvironment::SetExpressionStackAt did not update the
environment's history. This function is used to patch the bailout
environment for count operations and global function calls.
Reorganize class HEnvironment to make it fit V8's style a bit better
and to try to add some sanity to which C++ functions are intended to
be inlined.
Remove the flag --trace-environment which merely duplicated data in
the hydrogen.cfg file except without enough context to be useful.
BUG=1004
Review URL: http://codereview.chromium.org/5992011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6137 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
1. Separating out the instance-type check from the array-length operation.
2. I also changed the bounds-check on keyed loads to use the length property
for JS arrays (like we do for array stores).
The new pattern should use fewer registers and allow more checks to be eliminated.
Review URL: http://codereview.chromium.org/5961016
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6125 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This prevents code motion from hoisting map-checks across such stores
which may result in unnecessary deoptimizations.
In the following example program we would move a map-check from the inner loop out before the outer loop which is not desirable:
function f() {
  var o = {};
  var j = 0;
  o.a = 1;
  do {
    o.b = 6; // Map transition
    for (var i=0; i<10; i++) {
      o.a = o.b + i;
    }
  } while(++j < 1) {}
}
for (var i = 0; i < 1000000; i++) f();
Review URL: http://codereview.chromium.org/5991001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6071 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Before, when we deoptimized after a branch we jumped to before the branch
was taken in the unoptimized code with a token value that indicated which
edge to take. There was a lot of machinery to track this value through the
short-circuit logical operations and logical negation, and to handle it
properly at inline function return sites. There was also machinery to
prevent incorrectly seeing this environment with the extra value never
actually materialized in the unoptimized code.
Instead, now we deoptimize directly to one of the targets of the branch.
Much but not yet all of the extra machinery has been removed or simplified.
The cost is that branching control structures (the looping statements, if
statements, conditional expressions, and the short-circuit binary logical
operations) need extra AST IDs to identify the branch targets.
Review URL: http://codereview.chromium.org/5908001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6049 ce2b1a6d-e550-0410-aec6-3dcde31c8c00