Commit Graph

994 Commits

Author SHA1 Message Date
mvstanton@chromium.org
6115a006fd Bugfix for 349874: we incorrectly believe we saw a growing store
When we set an out of bounds array index, the index might be so large that
it causes the array to go to dictionary mode. It's better to avoid
"learning" that this was a growing store in that case.

This fix also partially reverts a fix for bug 347543, as this fix is
comprehensive and satisfies that repro case as well (partial revert of
v19591).

BUG=349874
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/188643002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19691 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 13:07:51 +00:00
jkummerow@chromium.org
5ea3f0004a Let HTransitionElementsKind take part in RestoreActualValues phase
BUG=chromium:349853
LOG=n
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/183753005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19689 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 12:13:49 +00:00
yangguo@chromium.org
285f253af1 Remove outdated assertion scope.
R=jkummerow@chromium.org
BUG=349870
LOG=N

Review URL: https://codereview.chromium.org/182003004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19687 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 11:51:53 +00:00
yangguo@chromium.org
e2e2f4050d Fix issues with JSON stringify replacer array
If the replacer array contains a property key we should include the
property even if the property is non enumerable or if it is a non own
property.

String and Number wrappers in the replacer array should be treated as
string and number values.

R=yangguo@chromium.org
BUG=v8:3200, v8:3201
LOG=Y

Review URL: https://codereview.chromium.org/187053003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19685 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 09:50:53 +00:00
verwaest@chromium.org
7bf33c53eb Use Representation::Integer32() for smi types on 32-bit-tagged systems.
BUG=
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/187353005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19684 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 09:49:10 +00:00
verwaest@chromium.org
f913c3b492 Also delete force representations that have no uses.
BUG=
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/187773002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19683 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 09:47:27 +00:00
jarin@chromium.org
52fd520c96 Fix materialization of captured objects in adapted arguments.
R=mstarzinger@chromium.org
BUG=348512
LOG=N

Review URL: https://codereview.chromium.org/183063006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19676 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-05 12:57:18 +00:00
jarin@chromium.org
7ac668f753 Deoptimization fix for HPushArgument.
HPushArgument should never be used in a simulation environment
because the slot addresses for the arguments can be off (e.g.,
due to on-stack arguments object of an inlined caller).

R=mstarzinger@chromium.org
BUG=v8:3183
LOG=N

Review URL: https://codereview.chromium.org/178193026

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19675 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-05 12:45:46 +00:00
jkummerow@chromium.org
3df5573195 x64: Fix LMathMinMax for constant Smi right-hand operands
BUG=chromium:349079
LOG=y
R=titzer@chromium.org

Review URL: https://codereview.chromium.org/186593003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19668 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-05 09:49:07 +00:00
yangguo@chromium.org
b1a271a02c Fix HCheckValue::Canonicalize wrt uninitialized HConstant unique.
R=titzer@chromium.org
BUG=348280
LOG=N

Review URL: https://codereview.chromium.org/183383006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19642 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-04 08:08:08 +00:00
ulan@chromium.org
b9e0b87a5a Clear optimized code cache in shared function info when code gets deoptimized.
This adds a pointer to the shared function info into deoptimization data of an optimized code. Whenever the code is deoptimized, it clears the cache in the shared function info.

This fixes the problem when the optimized function dies in new space GC before the code is deoptimized due to code dependency and before the optimized code cache is cleared in old space GC (see mjsunit/regress/regress-343609.js).

This partially reverts r19603 because we need to be able to evict specific code from the optimized code cache.

BUG=343609
LOG=Y
TEST=mjsunit/regress/regress-343609.js
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/184923002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19635 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-03 11:11:39 +00:00
rossberg@chromium.org
5543263c19 Move all Harmony-only tests to harmony/
R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/178583005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19622 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 14:26:32 +00:00
ishell@chromium.org
c2601aea8a Check elimination did not mark some dead blocks.
R=danno@chromium.org

Review URL: https://codereview.chromium.org/180483003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19619 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 14:16:38 +00:00
svenpanne@chromium.org
e9273332ef Fixed constant folding for Math.clz32.
LOG=y
BUG=347906
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/184353002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19609 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 13:07:10 +00:00
mvstanton@chromium.org
b1ffc7901f A JSArray may have a filler map in the elements pointer.
We already have code that expects this, but incorrectly asserted that the
filler map case would never happen when allocation folding is turned on.
However, even folding has it's limits, bailing out of continued folding
when the object size grows too large. Therefore, it's a general problem
when verifying JSArray objects, that we might encounter a filler map
in elements().

Discovered by ClusterFuzz crbug 347903.

R=hpayer@chromium.org
LOG=N
BUG=347903

Review URL: https://codereview.chromium.org/184493002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19604 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 12:29:19 +00:00
yangguo@chromium.org
5c186bb197 Evict from optimized code map in sync with removing from optimized functions list.
R=ulan@chromium.org

Review URL: https://codereview.chromium.org/184443002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19603 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 12:27:31 +00:00
bmeurer@chromium.org
70242fe3bb Fix JSObject::PrintTransitions.
BUG=347912
LOG=y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/183683005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19601 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 11:41:07 +00:00
hpayer@chromium.org
38ca2629be Fix representation generalization for doubles.
BUG=
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/184393002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19599 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 11:07:10 +00:00
dcarney@chromium.org
98d1cedac4 Get array_function from NativeContext
R=mvstanton@chromium.org
LOG=N
BUG=347528

Review URL: https://codereview.chromium.org/184173003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19595 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 10:01:27 +00:00
bmeurer@chromium.org
5945f9ebb9 Fix handling of constant global variable assignments.
BUG=347904
LOG=y
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/184303003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19594 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 09:40:12 +00:00
svenpanne@chromium.org
c4e90c15b8 Removed bogus ASSERT.
LOG=y
BUG=347542
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/183763007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19592 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 08:45:07 +00:00
ishell@chromium.org
2ab83cf192 HAllocate should never generate allocation code if the requested size does not fit into page. Regression test included.
BUG=347543
LOG=N
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/180803005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19591 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 17:33:25 +00:00
verwaest@chromium.org
aa14020bc7 Fix putting of prototype transitions. The length is also subject to GC, just like entry.
BUG=347536
LOG=n
R=danno@chromium.org

Review URL: https://codereview.chromium.org/183193003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19586 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 16:07:44 +00:00
jarin@chromium.org
05b98492a4 Handle arguments objects in frame when materializing arguments
R=mstarzinger@chromium.org
BUG=347262

Review URL: https://codereview.chromium.org/177293009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19584 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 15:12:12 +00:00
yangguo@chromium.org
6912a248ca Fix bogus assertion in SetFastDoubleElements.
R=danno@chromium.org
BUG=347530
LOG=N

Review URL: https://codereview.chromium.org/181433016

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19579 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 14:45:53 +00:00
mvstanton@chromium.org
b8f8cfabca Fix for Clusterfuzz issue 343928.
The problem was that the debugger didn't expect that a JSFunction could
have a GlobalContext, which it can with harmony scoping.

BUG=343928
R=yangguo@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/183103003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 13:25:05 +00:00
ishell@chromium.org
1ae7e8a1e5 Fix for failing asserts in HBoundsCheck code generation on x64: index register should be zero extended.
BUG=345820
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/180013002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19549 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 16:33:54 +00:00
verwaest@chromium.org
d5caecccc5 Revert "Use stability to only conditionally flush information from the CheckMaps table."
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/180023002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19548 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 16:11:58 +00:00
jkummerow@chromium.org
e7e93cd433 Mark HCompareMap as having Tagged representation
BUG=chromium:346636
LOG=y
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/176923013

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19545 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 15:09:47 +00:00
rossberg@chromium.org
63f1970c6c Fix crasher in Object.getOwnPropertySymbols
R=arv@chromium.org, mstarzinger@chromium.org
BUG=346141
LOG=Y

Review URL: https://codereview.chromium.org/177883002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19539 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 12:01:34 +00:00
bmeurer@chromium.org
77f597d387 Don't eliminate loads with incompatible types or representations.
BUG=346343
LOG=y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/179553002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19536 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 09:55:50 +00:00
ishell@chromium.org
6c1659becf Fix for a smi stores optimization on x64 with a regression test.
BUG=345715
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/178833002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19535 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 09:55:02 +00:00
dcarney@chromium.org
cb05cff594 negative bounds checking on realm calls
R=rossberg@chromium.org

LOG=N

BUG=344285

Review URL: https://codereview.chromium.org/169393002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19533 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 09:15:05 +00:00
jkummerow@chromium.org
37b6fd07c1 Fix optimistic BCE to back off after deopt
BUG=v8:3176
LOG=n
R=danno@chromium.org

Review URL: https://codereview.chromium.org/177523002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19530 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-24 13:15:31 +00:00
verwaest@chromium.org
84b366516e Don't turn objects with empty-string properties into fast-mode.
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/165743003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19511 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-20 16:11:48 +00:00
ishell@chromium.org
1342cb8b00 Bugfix in check elimination with a regression test.
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/172173003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19481 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-19 12:34:50 +00:00
jkummerow@chromium.org
6e3b81a7b2 Fix Hydrogen bounds check elimination
When combining bounds checks, they must all be moved before the first load/store
that they are guarding.

BUG=chromium:344186
LOG=y
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/172093002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19475 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-19 10:30:39 +00:00
verwaest@chromium.org
60c08a8bf2 Directly store the transition target on LookupResult in TransitionResult.
BUG=chromium:343964
LOG=N
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/170343003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19440 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-18 12:19:32 +00:00
jarin@chromium.org
4c7ed144e1 Comparison in effect context lazy deopt fix.
R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/163623002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19396 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-16 05:51:10 +00:00
ulan@chromium.org
6744ff61ae Fix dictionary element load to pass correct elements kind.
Using FAST_SMI_ELEMENTS triggers optimization on 64-bit architectures that load
only the higher 32 bits of the element. If the element is a pointer to undefined
that has 0 in the higher half than it is erroneously treated as SMI 0.

BUG=v8:3158
LOG=N
TEST=mjsunit/sparse-array-reverse,mjsunit/regress/regress-3158.js
R=danno@chromium.org, ishell@chromium.org

Review URL: https://codereview.chromium.org/166653005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19387 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-14 15:52:24 +00:00
yangguo@chromium.org
68c7523e63 Fix assignment of function name constant.
If it's shadowed by a variable of the same name and both are forcibly
context-allocated, the function is assigned to the wrong context slot.

R=rossberg@chromium.org
BUG=v8:3138
LOG=Y

Review URL: https://codereview.chromium.org/159903008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19379 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-14 12:40:47 +00:00
jarin@chromium.org
8acefb33fe Test and fix for polymorphic named call deoptimization.
The fix removes wrong simulates from the number branch of polymorphic
call/field access handling.

The change also fixes the same thing for polymorphic named field
access even thourgh the field access is probably safe in practice
(because it cannot deoptimize). It is better to keep all our simulates
in sync with full codegen.

R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/166503002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19375 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-14 12:02:39 +00:00
yangguo@chromium.org
a676bc1bbf Fix typed array error message.
R=dslomov@chromium.org
BUG=v8:3159
LOG=N

Review URL: https://codereview.chromium.org/163293002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19369 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-14 09:33:03 +00:00
verwaest@chromium.org
e0960e19aa Fix polymorphic inlining of accessors in a test-context.
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/164003002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19363 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-13 16:55:38 +00:00
verwaest@chromium.org
161b2f689a Reland: "Use stability to only conditionally flush information from the CheckMaps table."
BUG=
R=ishell@chromium.org

Original CL: https://codereview.chromium.org/153823003

Review URL: https://codereview.chromium.org/153653007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19342 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 18:48:12 +00:00
verwaest@chromium.org
7b7e3658f7 Don't propagate information through phis in loop headers.
To properly do this, we'd have to iterate over CompareMaps (and their bodies) handling phis, until we have learned enough to decide which paths can be taken. For now, just disable learning from phis in loop headers.

BUG=
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/147023005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19341 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 18:30:41 +00:00
verwaest@chromium.org
75432b7696 Revert "Use stability to only conditionally flush information from the CheckMaps table."
R=ishell@chromium.org

BUG=

Review URL: https://codereview.chromium.org/137863005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19331 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 15:38:42 +00:00
verwaest@chromium.org
2b7d33572a Use stability to only conditionally flush information from the CheckMaps table.
BUG=
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/153823003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19330 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 15:07:41 +00:00
jarin@chromium.org
af29e31a11 Fix for (One|Two)ByteSeqStringSetChar evaluation order/deopt.
This makes the evaluation order consistent between full codegen
and Hydrogen (so that deopt does not screw up stack).

R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/159983008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19326 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 13:31:24 +00:00
ulan@chromium.org
e95bc7eec8 Merge experimental/a64 to bleeding_edge.
BUG=v8:3113
LOG=Y
R=jochen@chromium.org, rmcilroy@chromium.org, rodolph.perfetta@arm.com

Review URL: https://codereview.chromium.org/148293020

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19311 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 09:19:30 +00:00
jarin@chromium.org
21bf99e53e Fix environment of the optimized version of the _SetValueOf intrinsic.
R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/158723006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19289 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-11 16:11:53 +00:00
rossberg@chromium.org
e8175a3e9f Revert "Make Function.length and Function.name configurable properties."
Plenty of test failures on test262, Mozilla, Webkit. Will have to investigate.

TBR=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/139983003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19203 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-07 15:29:18 +00:00
rossberg@chromium.org
7317b71f02 Make Function.length and Function.name configurable properties.
ES6 makes the Function object properties "length" and "name"
configurable; switch the implementation over to follow that.

Doing so exposed a problem in the handling of non-writable, but
configurable properties backed by foreign callback accessors
internally. As an optimization, if such an accessor property is
re-defined with a new value, its setter was passed the new value
directly, keeping the property as an accessor property. However, this
is not correct should the property be non-writable, as its setter will
then simply ignore the updated value. Adjust the enabling logic for
this optimization accordingly, along with adding a test.

LOG=N
R=rossberg@chromium.org, rossberg
BUG=v8:3045

Review URL: https://codereview.chromium.org/116083006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19200 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-07 14:55:30 +00:00
jarin@chromium.org
476881ce5b Test and fix for _CallFunction intrinsic deoptimization.
I have also cleaned up HOptimizedGraphBuilder::GenerateCallFunction
to use IfBuilder.

R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/131343013

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19151 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-06 12:42:26 +00:00
jarin@chromium.org
eb502fe599 Binary operation deoptimization fix.
R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/132453009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19132 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-06 09:36:55 +00:00
dslomov@chromium.org
a03d31394c Check the offset argument of TypedArray.set for fitting into Smi.
R=jkummerow@chromium.org
BUG=340125
LOG=Y

Review URL: https://codereview.chromium.org/145623009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19051 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-04 09:53:05 +00:00
yangguo@chromium.org
9e70f6a4e7 Fix short-circuiting logical and/or in HOptimizedGraphBuilder.
R=jkummerow@chromium.org
BUG=336148
LOG=Y

Review URL: https://codereview.chromium.org/143263022

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19031 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-03 14:29:34 +00:00
verwaest@chromium.org
db7124dc28 Return a valid map for PropertyAccessInfos with Boolean type.
BUG=340064
LOG=N
R=dcarney@chromium.org

Review URL: https://codereview.chromium.org/152603002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19023 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-03 10:20:32 +00:00
jarin@chromium.org
3c2363f4b4 Simpler repro for bug 2989.
We do not correctly handle accesses to f.arguments after one
of the argument has changed (where f is crankshafted).

R=machenbach@chromium.org
BUG=v8:2989
LOG=n

Review URL: https://codereview.chromium.org/151403003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18999 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-31 16:12:58 +00:00
bmeurer@chromium.org
3214cf11ff Don't crash in Array.join() if the resulting string exceeds the max string length.
LOG=y
BUG=336820
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/144533003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18986 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-31 12:21:17 +00:00
verwaest@chromium.org
bef13f739c Fix regression caused by supporting inlining accesses to non-JSObjects
TBR=dcarney@chromium.org
BUG=

Review URL: https://codereview.chromium.org/150983002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18966 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-31 00:29:04 +00:00
mvstanton@chromium.org
371d6f6a98 We shouldn't throw under FLAG_debug_code, rather abort.
Throwing under FLAG_debug_code confuses the rest of our infrastructure
which expects a safe point at the site of call into the runtime
for throw. We were doing that to make a clusterfuzz test happy, but
the better solution is to assert/abort under debug_code, and prevent
clusterfuzz from fuzzing on internal APIs that crash on incorrect
values.

We'll need to alter the fuzzer to turn off fuzzing for:

string-natives.js
lithium/SeqStringSetChar.js
regress/regress-seqstrsetchar-ex3.js
regress/regress-seqstrsetchar-ex1.js
regress/regress-crbug-320922.js

So as to prevent the fuzzer from running
%_OneByteSeqStringSetChar() and
%_TwoByteSeqStringSetChar().

BUG=
R=hpayer@chromium.org, machenbach@chromium.org

Review URL: https://codereview.chromium.org/139903005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18878 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-28 11:53:11 +00:00
verwaest@chromium.org
21532ddfdc Reland ArrayPop / ArrayPush.
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/138443012

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18814 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-24 11:47:53 +00:00
machenbach@chromium.org
cde3ed1fe3 Speed up some mjsunit test cases and clean up test expectations for arm and mips.
Many skipped test cases already run very fast. Removing the corresponding expectations.

BUG=
R=jkummerow@chromium.org, mvstanton@chromium.org

Review URL: https://codereview.chromium.org/138503008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18812 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-24 11:36:45 +00:00
jkummerow@chromium.org
ee4e034d70 Revert broken ArrayPop changes
This reverts:
r18749 "Reland (and fix) "Add hydrogen support for ArrayPop, and remove the handwritten call stubs."",
r18790 "Remove ArrayPush from the custom call generators, and instead call directly to the handler in crankshaft.", and
r18798 "MIPS: Remove ArrayPush from the custom call generators, and instead call directly to the handler in crankshaft."

For causing crashes on Canary.

BUG=chromium:337686
LOG=N
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/146003006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18805 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-24 08:32:50 +00:00
hpayer@chromium.org
83a1df2354 Remove Heap::MaxRegularSpaceAllocationSize and use Page::MaxRegularHeapObjectSize instead.
BUG=
R=mstarzinger@chromium.org, mvstanton@chromium.org

Review URL: https://codereview.chromium.org/141653016

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18776 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-23 13:02:27 +00:00
verwaest@chromium.org
f30330325e Reland (and fix) "Add hydrogen support for ArrayPop, and remove the handwritten call stubs."
BUG=
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/144913003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18749 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-22 13:22:58 +00:00
svenpanne@chromium.org
b4949cfd62 Fixed floor-of-div optimization.
We removed an HDiv by hand which was still used by an HChange. The
solution is letting dead code removal do the cleanup.

Removed a fragile "optimization" (looking through an HChange), too,
this obviously never triggered and is hard to get right given all our
global invariants and state/type/... changes.

The repro is a bit tricky, because you need inlining to make our
representations and types disagree in this case.

LOG=y
BUG=334708
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/143903016

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18737 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-22 11:54:51 +00:00
machenbach@chromium.org
1864f7388e Add infrastructure for skipping tests in GC stress mode.
Also move the GC stress configuration from the buildbot to the test runner.

BUG=
R=jkummerow@chromium.org, mvstanton@chromium.org

Review URL: https://codereview.chromium.org/141653008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18708 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-21 12:41:25 +00:00
mvstanton@chromium.org
155ef100e9 Fix logic error in assert in IsUndeclaredGlobal()
Recent changes in IC logic meant that CallStubs no longer use the Contextual bit. IsUndeclaredGlobal() needed to adjust for that.

In fact, now the CL has morphed to remove the notion of storing contextual state in the IC at all, it just becomes some extra ic state of the load ic. This took some adjustment in harmony code to use the global receiver for certain stores.

Now it's clearer that only LoadICs actually record any information about contextual or not.

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/140943002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18660 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-17 11:08:24 +00:00
verwaest@chromium.org
53f46c5214 Get rid of ContextualMode for call ICs.
BUG=
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/137083002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18594 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-14 16:15:05 +00:00
jkummerow@chromium.org
be4c1bdac2 Fix test after r18586
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/138063003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18588 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-14 14:00:10 +00:00
jkummerow@chromium.org
1ed94acf0c Turn Runtime_MigrateInstance into Runtime_TryMigrateInstance
because it must not cause lazy deopts because it is called from deferred code that cannot handle lazy deopts.

Hat tip to Ben for doing most of the debugging work, and to Toon for writing the regression test.

BUG=chromium:315252
LOG=Y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/131243003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18586 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-14 13:41:09 +00:00
verwaest@chromium.org
f2245a9cf9 Make the strict-mode calling convention for contextual calls the default one.
BUG=
R=dcarney@chromium.org

Review URL: https://codereview.chromium.org/131663003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18581 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-14 12:04:10 +00:00
ulan@chromium.org
8db7aaa03d Correctly handle instances without elements in polymorphic keyed load/store.
BUG=331416
TEST=mjsunit/regress/regress-331416.js
LOG=Y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/121893003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18484 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-08 09:57:28 +00:00
ulan@chromium.org
43d1c23e2a Fix selection of popular pages in store buffer.
BUG=331444
TEST=mjsunit/regress/regress-331444.js
LOG=Y
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/125983002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18483 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-08 09:49:37 +00:00
jkummerow@chromium.org
7761059a98 Fix d8's Shell::ReadBuffer after r18227
BUG=v8:3085
LOG=N
R=jochen@chromium.org

Review URL: https://codereview.chromium.org/127853003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18482 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-08 09:48:38 +00:00
mvstanton@chromium.org
fc5834343f Remove flag track-allocation-sites.
The flag has been on in the build for ~9 months, and we aren't likely to turn it off. The only customer of the flag is a set of tests that want to verify transitioning behavior in isolation. This CL removes the flag and updates those tests to get what they want without the flag.

R=verwaest@chromium.org

Committed: https://code.google.com/p/v8/source/detail?r=18385

Review URL: https://codereview.chromium.org/104923010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18474 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-07 15:58:25 +00:00
ulan@chromium.org
711bcbb0e3 ARM: fix loading of global object in LWrapReceiver.
Since r16993 the cp register is handled by registers allocator,
and we cannot assume that the cp always contains the context.

BUG=318420
LOG=Y
TEST=test/mjsunit/regress/regress-318420.js
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/121703002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18421 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-27 14:38:00 +00:00
yangguo@chromium.org
2a4be7067c Refactor the compiling pipeline.
Goals:
 - easier to read, more suitable identifiers.
 - better distinction between compiling optimized/unoptimized code
 - compiler does not install code on the function.
 - easier to add features (e.g. caching optimized code for osr).
 - remove unnecessary code.

R=titzer@chromium.org

Review URL: https://codereview.chromium.org/110203002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18409 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-23 14:30:35 +00:00
yangguo@chromium.org
cd7d61cfc2 Fix small spec violation in String.prototype.split.
Also slightly extended the test coverage.

R=rossberg@chromium.org
BUG=v8:3026
LOG=Y

Review URL: https://codereview.chromium.org/119093002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18405 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-23 10:01:22 +00:00
yangguo@chromium.org
c61d07e03f Correctly resolve forcibly context allocated parameters in debug-evaluate.
R=ulan@chromium.org
BUG=325676
LOG=Y

Review URL: https://codereview.chromium.org/107243006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18402 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-23 08:37:03 +00:00
rossberg@chromium.org
b882bddcfd Make a strict function's "name" property non-writable.
Set [[Writable]] to false for the "name" property of strict
functions as well, mirroring what non-strict functions have
it as.

LOG=N
R=rossberg@chromium.org
TEST=mjsunit/regress/regress-270142
BUG=270142

Review URL: https://codereview.chromium.org/99203006

Patch from Sigbjorn Finne <sigbjornf@opera.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18387 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-20 12:06:11 +00:00
hpayer@chromium.org
f583b73b70 Revert "Remove flag track-allocation-sites."
This reverts commit 6c430da40efe388035504d3603756aa8c46ed1dc.

BUG=

Review URL: https://codereview.chromium.org/109303006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18386 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-20 12:04:34 +00:00
mvstanton@chromium.org
e654c88fab Remove flag track-allocation-sites.
The flag has been on in the build for ~9 months, and we aren't likely to turn it off. The only customer of the flag is a set of tests that want to verify transitioning behavior in isolation. This CL removes the flag and updates those tests to get what they want without the flag.

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/104923010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18385 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-20 11:46:31 +00:00
jkummerow@chromium.org
3c76ecd732 Fix switch statements with non-Smi integer labels and no type feedback
BUG=chromium:329709
LOG=Y
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/98643010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18370 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-19 14:25:58 +00:00
yangguo@chromium.org
213b05b5b9 Fix off-by-one error in AstTyper, part 2.
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/112933002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18308 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-12 15:19:57 +00:00
jkummerow@chromium.org
48ff79a300 Fix polymorphic inlined calls with migrating prototypes
LOG=Y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/104793003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18307 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-12 14:57:00 +00:00
ulan@chromium.org
cc401095fb Initialize Date parse cache with SMI instead of double to workaround sharing mutable heap numbers in snapshot.
This is the only field in the snapshot that was tracked as double.

R=verwaest@chromium.org
TEST=mjsunit/regress/regress-280531.js
BUG=280531
LOG=Y

Review URL: https://chromiumcodereview.appspot.com/112003005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18298 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-11 13:11:44 +00:00
yangguo@chromium.org
5bc64b9fa5 Fix off-by-one error in AstTyper.
This causes the first parameter to be confused with the first
stack local when we collect type information.

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/105943007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18296 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-11 11:34:09 +00:00
hpayer@chromium.org
75a84eca0b Added regression test for escape analysis.
BUG=
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/99133011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18290 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-10 15:54:20 +00:00
svenpanne@chromium.org
e1db6d86a9 Avoid FP exceptions when doing integer division.
BUG=v8:3039
R=titzer@chromium.org

Review URL: https://codereview.chromium.org/104003004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18277 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-09 10:15:19 +00:00
mvstanton@chromium.org
b807f4f82f Bugfix: HCheckInstanceType::GetCheckMaskAndTag used an incorrect mask.
The mask to check for an internalized string was incorrectly formed. Hat
tip to Weiliang Lin for discovering the bug.

BUG=v8:3038
LOG=N
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/108033002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18265 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-06 09:43:07 +00:00
verwaest@chromium.org
8a4df124a4 Fix loop side-effects of deoptimizing loops with a nested live OSR loop.
R=titzer@chromium.org

Review URL: https://chromiumcodereview.appspot.com/106723002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18263 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-05 18:31:06 +00:00
verwaest@chromium.org
d4eaae37d1 Check whether the receiver to a keyed-call is actually a heapobject.
BUG=325225
LOG=n
R=dslomov@chromium.org

Review URL: https://chromiumcodereview.appspot.com/101863004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18241 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-03 17:59:31 +00:00
bmeurer@chromium.org
aa83f2900a Fix invalid assertion with OSR in BuildBinaryOperation.
BUG=v8:3032
LOG=n
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/98623004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18190 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-02 13:12:07 +00:00
mstarzinger@chromium.org
db915fe97e Handle captured objects in OptimizedFrame::Summarize.
R=yangguo@chromium.org
BUG=v8:3029
TEST=mjsunit/regress/regress-3029
LOG=N

Review URL: https://codereview.chromium.org/96773002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18187 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-12-02 12:11:02 +00:00
mvstanton@chromium.org
5ba1304d60 Array builtins need to be prevented from changing frozen objects, and changing structure on sealed objects.
BUG=299979
LOG=Y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/80623002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18164 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-29 15:22:16 +00:00
yangguo@chromium.org
f235194518 Fix bug in inlining Function.apply.
R=jkummerow@chromium.org
BUG=323942
LOG=Y

Review URL: https://codereview.chromium.org/95123003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18135 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-28 15:30:17 +00:00
dslomov@chromium.org
7372596615 Ensure that length is Smi in TypedArrayFromArrayLike constructor.
R=jkummerow@chromium.org
BUG=324028
LOG=Y

Review URL: https://codereview.chromium.org/94473002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18129 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-28 15:22:36 +00:00
mstarzinger@chromium.org
d53e38777f Fix missing bounds check in n-arguments Array constructor.
LOG=N
R=mvstanton@chromium.org
BUG=v8:3027
TEST=mjsunit/regress/regress-3027

Review URL: https://codereview.chromium.org/92103003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18116 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-28 09:29:57 +00:00
yangguo@chromium.org
ab96631177 Increase precision for base conversion for large integers.
R=jkummerow@chromium.org
BUG=v8:3025
LOG=Y

Review URL: https://codereview.chromium.org/88583002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18082 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-26 15:48:13 +00:00
yangguo@chromium.org
afd8e5a305 Speed up long-running test cases.
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/85163003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18070 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-26 11:32:39 +00:00
yangguo@chromium.org
4716b292db Make some ARM test cases faster.
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/85473004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18069 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-26 10:43:44 +00:00
yangguo@chromium.org
aa3518a0f3 Make sure files end with exactly one new line and police this in presubmit.
The changes are (excluding presubmit.py) mechanical. I added the following
lines after the check and iterated the presubmit script until all errors
went away:

f = open(name, "w");
if contents.endswith('\n\n'):
  f.write(contents[0:-1])
else:
  f.write(contents + '\n')

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/82803005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18017 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-22 13:50:39 +00:00
ulan@chromium.org
21fb1401bd Restore saved caller FP registers on stub failure
and preserve FP registers on NotifyStubFailure.

In debug mode, clobber FP registers on each runtime call to increase
chances of catching such bugs.

R=danno@chromium.org

Review URL: https://chromiumcodereview.appspot.com/78283002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18000 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-22 10:21:47 +00:00
danno@chromium.org
06c7620302 Fixed crashes exposed though fuzzing.
The %_OneByteSeqStringSetChar intrinsic expects its arguments to be checked before being called for efficiency reasons, but the fuzzer provided no such checks. Now the intrinsic is robust to bad input if FLAG_debug_code is set.

R=yangguo@chromium.org
TEST=test/mjsunit/regress/regress-320948.js
BUG=chromium:320948
LOG=Y

Review URL: https://codereview.chromium.org/72813004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17886 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-19 16:41:07 +00:00
jkummerow@chromium.org
37443768bf Fix register trashing in Emit*ByteSeqStringSetChar
This is currently not observable without --allow-natives-syntax because all internal usages are safe, but it deserves to be fixed nonetheless.

BUG=chromium:320922
LOG=N
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/67103003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17873 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-19 12:59:09 +00:00
mvstanton@chromium.org
bff41483dc Bugfix: dependent code field in AllocationSite was keeping code objects alive even after context death.
BUG=320532
LOG=Y
R=ulan@chromium.org

Review URL: https://codereview.chromium.org/62803008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17856 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-19 10:17:33 +00:00
dslomov@chromium.org
4228132e74 Use mock ArrayBuffer allocator to avoid really allocating 1Gb.
R=jkummerow@chromium.org
BUG=v8:3014
LOG=N

Review URL: https://codereview.chromium.org/61623009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17837 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-18 14:50:45 +00:00
danno@chromium.org
f27f2fa420 Match max property descriptor length to corresponding bit fields
BUG=v8:3010
R=verwaest@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/72333004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17823 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-18 11:44:06 +00:00
jkummerow@chromium.org
c9b41c6995 Limit size of dehoistable array indices
LOG=Y
BUG=chromium:319835,chromium:319860
R=dslomov@chromium.org

Review URL: https://codereview.chromium.org/74113002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17801 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-15 17:24:10 +00:00
dslomov@chromium.org
7936ca39be Limit the size for typed arrays to MaxSmi.
R=jkummerow@chromium.org
LOG=Y
BUG=319722

Review URL: https://codereview.chromium.org/73943004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17800 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-15 16:37:15 +00:00
dslomov@chromium.org
c01aa1fc1f Revert "Limit the size for typed arrays to MaxSmi."
This reverts commit r17798 for allocating too much memroy in tests.

TBR=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/74093002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17799 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-15 16:25:51 +00:00
dslomov@chromium.org
09ca1318ab Limit the size for typed arrays to MaxSmi.
R=jkummerow@chromium.org
LOG=Y
BUG=319722

Review URL: https://codereview.chromium.org/73943004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17798 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-15 16:09:56 +00:00
verwaest@chromium.org
341d405301 Reland and fix "Add support for keyed-call on arrays of fast elements"
BUG=
R=danno@chromium.org

Review URL: https://chromiumcodereview.appspot.com/71783003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17782 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-15 10:52:05 +00:00
bmeurer@chromium.org
2ee5aa951c Fix missing type feedback check for Generic*String addition.
TEST=mjsunit/regress/regress-crbug-318671
BUG=318671
LOG=y
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/67473007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17772 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-15 09:13:36 +00:00
danno@chromium.org
28ed69b8fb Fix overflow in TypedArray initialization function
BUG=chromium:319120
TEST=test/mjsunit/regress/regress-319120.js
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/61753013

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17711 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-14 06:20:48 +00:00
mstarzinger@chromium.org
d5cb83f4aa Fix invalid reuse of weak global handle in GetScriptWrapper.
This fixes a direct usage of a weak global handle in GetScriptWrapper
that just casted it to a strong local handle, while a subsequent GC
might clear it. Handlepocalypse anyone?

R=machenbach@chromium.org
BUG=v8:2988
TEST=mjsunit/regress/regress-2988

Review URL: https://codereview.chromium.org/67273004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17622 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-11 16:27:36 +00:00
ulan@chromium.org
bc4ad49b25 Do not add values to HGraph in Lithium.
Lithium uses indexes after the maximium value ID in the HGraph as indexes
of virtual registers and assumes that the maximum value ID does not change.

The IsStandardConstant and GetConstantXX functions could add constants to
HGraph, which aliased virtual registers with real values. This could confuse
the register allocator to think that a value in a virtual register is tagged
and to incorrectly set it in the pointer map.

BUG=298269
TEST=mjsunit/regress/regress-298269.js
R=verwaest@chromium.org

Review URL: https://chromiumcodereview.appspot.com/66693002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17599 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-08 14:16:34 +00:00
mstarzinger@chromium.org
59536de77d Make HCapturedObjects non-deletable for DCE.
R=jkummerow@chromium.org
BUG=v8:2987
TEST=mjsunit/regress/regress-2987

Review URL: https://codereview.chromium.org/64433002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17569 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-07 16:07:19 +00:00
yangguo@chromium.org
eb550c6da4 Fix y-umlaut to uppercase.
R=dcarney@chromium.org
BUG=v8:2984

Review URL: https://codereview.chromium.org/59853006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17545 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-07 09:08:34 +00:00
yangguo@chromium.org
a5ed9a71c8 Correctly load message from an Error object.
R=mstarzinger@chromium.org
BUG=306220

Review URL: https://codereview.chromium.org/46593010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17484 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-05 13:04:51 +00:00
jkummerow@chromium.org
2ebfd6e90e Add missing negative dictionary lookup to NonexistentHandlerFrontend
BUG=v8:2980
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/57433003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17459 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-04 14:14:09 +00:00
jkummerow@chromium.org
316271fc35 Fix uint32-to-smi conversion in Lithium
BUG=chromium:309623
R=vegorov@google.com, yangguo@chromium.org

Review URL: https://codereview.chromium.org/54393002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17441 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-31 10:18:51 +00:00
yangguo@chromium.org
3f1a833524 Do not remove HAdd with zero if the other operand is a double.
The other operand might be minus zero, and -0 + 0 = +0

R=svenpanne@chromium.org
BUG=

Review URL: https://codereview.chromium.org/52173003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17432 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-30 10:22:52 +00:00
jkummerow@chromium.org
9e88c23cbf ia32: Fix comparisons of two constant double operands when exactly one of them is in new space.
R=titzer@chromium.org

Review URL: https://codereview.chromium.org/46883008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17428 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-29 14:34:07 +00:00
yangguo@chromium.org
7dd2d6c590 Reland "Make Array.prototype.pop throw if the last element is not configurable."
This relands r17346.

R=machenbach@chromium.org
BUG=311164

Review URL: https://codereview.chromium.org/43923002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17394 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-25 11:55:56 +00:00
svenpanne@chromium.org
7fb61a78d4 Tune mjsunit/regress/regress-2612.
Lower the bounds to something bearable which would still timeout if we
used a quadratic algorithm.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/39863003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17377 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-24 13:07:16 +00:00
svenpanne@chromium.org
f2122438e0 Removed long-running obselete test case.
The test was the 2nd longest-running test case in debug mode, and the
stuff it tests has already been moved long ago to some other place,
which is in turn heavily tested by far simpler and faster things
(%TruncateString etc.).

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/39233003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17361 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-24 08:09:32 +00:00
yangguo@chromium.org
0f564cb1b0 Revert "Make Array.prototype.pop throw if the last element is not configurable."
This reverts commit r17346.

R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/39593002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17360 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-24 07:48:23 +00:00
yangguo@chromium.org
e25920da19 Make Array.prototype.pop throw if the last element is not configurable.
Popping an element from an array should call [[Delete]] internal method
and pass true as the second argument (ECMA-262/5.1/#sec-15.4.4.6).
When the last element can't be deleted, throw a Type Error.
Not throwing the error would result in endless loop in the following test.

TEST=var a=[];Object.defineProperty(a,0,{});while(a.length)a.pop();

By the way fix another bug, or else i can't post any issues.
"presubmit.py" throw a "missing a correct copyright header" on windows.
Both the slash and the backslash are valid path separator on windows.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/29513004

Patch from Yanagi <admin@web-tinker.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17346 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-23 16:19:24 +00:00
jkummerow@chromium.org
8259439ae8 Fix HObjectAccess for loads from migrating prototypes
BUG=chromium:305309
R=danno@chromium.org

Review URL: https://codereview.chromium.org/35173005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17345 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-23 15:15:15 +00:00
svenpanne@chromium.org
dd74f5aa08 Removed obsolete unit tests.
As discussed offline, these tests don't test what they were supposed to
test anymore and were the longest running ones.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/32433009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17317 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-22 11:26:07 +00:00
mstarzinger@chromium.org
0a2b4ecdcc Add regression test for optimized count operation.
This is a regression test for a bug with handling of count operations
that target a JavaScript accessor on the prototype chain in Crankshaft.

R=jkummerow@chromium.org
BUG=chromium:306851
TEST=mjsunit/regress/regress-crbug-306851

Review URL: https://codereview.chromium.org/27702002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17254 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-17 12:48:28 +00:00
dslomov@chromium.org
5ccd697875 Do not look up ArrayBuffer on global object in typed array constructor.
BUG=v8:2931
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/27238009

Patch from Ben Noordhuis <info@bnoordhuis.nl>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17215 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-15 11:27:12 +00:00
yangguo@chromium.org
71ba8c5fb4 Retire concurrent recompilation delay for non-stress testing.
Instead, we block concurrent recompilation until unblocked. This makes
affected tests more predictable and run shorter.

R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/26758003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17199 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-14 14:15:22 +00:00
mstarzinger@chromium.org
f878c1c359 Fix pre-parsing of 'use strict' directive after string literals.
R=ulan@chromium.org
TEST=mjsunit/regress/regress-parse-use-strict

Review URL: https://codereview.chromium.org/27025002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17164 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-11 14:03:54 +00:00
olivf@chromium.org
4b6d0e33f2 Only set binary operation side effects flags, when observable.
BUG=
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/26712002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17147 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-10 16:49:25 +00:00
mstarzinger@chromium.org
63d8abb6c6 Unify and fix checkers for duplicate object literal properties.
R=ulan@chromium.org
TEST=preparser/duplicate-property,mjsunit/regress/regress-parse-object-literal

Review URL: https://codereview.chromium.org/26375004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17136 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-10 11:58:16 +00:00
verwaest@chromium.org
7e0ea6ab46 Only fold polymorphic into monomorphic load if all load from either receiver or same prototype.
R=jkummerow@chromium.org

Review URL: https://chromiumcodereview.appspot.com/25718002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17078 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-02 13:24:08 +00:00
olivf@chromium.org
d268078ce0 Fix flaky parallel recompilation test.
On very rare circumstances parallel recompilation would install
the optimized method earlier than expected and the test would fail.

BUG=
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/24495005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16933 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-09-25 08:23:14 +00:00
olivf@chromium.org
6fc2875d51 Fix Environment size mismatch in r6849.
TBR=svenpanne@chromium.org
BUG=

Review URL: https://codereview.chromium.org/23983043

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16851 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-09-20 08:34:23 +00:00
yangguo@chromium.org
cb10ceb19d Reland "Clean up after r16292 (disable optimization for StringWrappers)."
BUG=
R=ulan@chromium.org

Review URL: https://codereview.chromium.org/23619036

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16691 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-09-12 16:17:58 +00:00
yangguo@chromium.org
ad25a2969d Revert "Clean up after r16292 (disable optimization for StringWrappers)."
R=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/23600040

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16679 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-09-12 11:15:12 +00:00
yangguo@chromium.org
996813cca2 Clean up after r16292 (disable optimization for StringWrappers).
R=jochen@chromium.org
BUG=v8:2855

Review URL: https://codereview.chromium.org/22891028

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16677 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-09-12 10:55:57 +00:00
titzer@chromium.org
49d9555a97 Generate a custom OSR entrypoint for OSR compiles on all platforms, and transition to optimized code using the special entrypoint, instead of through the deoptimizer. Do not install the OSR compiled code as _the_ optimized code for a function.
Remove OSR-related stuff from deoptimizer.
BUG=
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/21340002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16599 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-09-09 16:34:40 +00:00
jkummerow@chromium.org
daee0d83db Fix bitwise negation on x64
BUG=chromium:285355
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/24037003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16579 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-09-06 15:21:38 +00:00
yangguo@chromium.org
d9659da6f4 Fix bug in regexp result object construction.
R=verwaest@chromium.org
BUG=

Review URL: https://codereview.chromium.org/23548018

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16556 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-09-05 14:32:49 +00:00
verwaest@chromium.org
b41a7b9cea Properly close the CountOperation value/effect context after leaving the store effect context.
R=jkummerow@chromium.org

Review URL: https://chromiumcodereview.appspot.com/23897003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16554 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-09-05 12:33:14 +00:00