mvstanton@chromium.org
7477bc39ca
350884: KeyedStoreIC miss didn't handle a transitioning case.
...
It's possible to get a transitioned map with no links to the origin
map if it's a shared map. Code in KeyedStoreIC::StoreElementStub
assumes it can check if two maps are in the same family by
traversing the transition array. Long term, the "family" relationship
should be recognized with the Normalized Map Cache. For now, allow
the IC to remain monomorphic in this case if the receiver map and
the previous receiver map are the same.
Filed V8 issue 3210 (https://code.google.com/p/v8/issues/detail?id=3210 )
to track the issue with the Normalized Map Cache.
BUG=350884
LOG=N
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/194623005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19847 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-12 13:35:40 +00:00
jkummerow@chromium.org
105c1e08b7
Fix HIsSmiAndBranch::KnownSuccessorBlock() by deleting it
...
Constants can still change their representation, so we cannot determine reachability of blocks based on their Smi-ness
BUG=chromium:351320
LOG=y
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/196943002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19836 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-12 10:14:29 +00:00
danno@chromium.org
ae1669b501
Fix handling of polymorphic array accesses with constant index
...
R=jkummerow@chromium.org
BUG=chromium:351319
LOG=Y
Review URL: https://codereview.chromium.org/196353004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19835 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-12 10:11:38 +00:00
jkummerow@chromium.org
8a1812f252
Fix lazy deopt after tagged binary ops
...
Also add policing code to ensure that optimized frames can in fact lazily deopt
at their respective current PC when we patch them for lazy bailout.
BUG=chromium:350434
LOG=y
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/194703008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19834 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-12 09:59:36 +00:00
rossberg@chromium.org
85800eff3f
Fix issue with getOwnPropertySymbols and hidden properties
...
When getting the symbols of an object we need to ignore the hidden
properties of the prototype object since the hidden properties are
represented by a single string key and we will not include that hidden
string in the found names.
BUG=350864
LOG=Y
R=rossberg@chromium.org
Review URL: https://codereview.chromium.org/192883005
Patch from Erik Arvidsson <arv@chromium.org>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19813 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-11 16:46:35 +00:00
dcarney@chromium.org
62fc099334
fix bad access check check
...
R=verwaest@chromium.org
BUG=
Review URL: https://codereview.chromium.org/195163002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19804 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-11 15:12:47 +00:00
rossberg@chromium.org
3f702d4bf9
Mode clean-up pt 1: rename classic/non-strict mode to sloppy mode
...
R=mstarzinger@chromium.org
BUG=
Review URL: https://codereview.chromium.org/177683002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19799 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-11 14:39:08 +00:00
yangguo@chromium.org
6e1507331e
Fix bug in constant folding object comparisons.
...
R=jkummerow@chromium.org
Review URL: https://codereview.chromium.org/195063002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19798 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-11 13:34:01 +00:00
mvstanton@chromium.org
819d9f62d0
Fix for 350887: CHECK failure on new_length->IsSmi()
...
In ElementsAccessorBase::SetLengthImpl for a dictionary array, we try to
optimize setting array length if the new length is a smi. However, we
refuse to set an array length to less than the index of the highest
non-configurable array element. This index may be outside of smi range.
Handle this case accordingly.
BUG=350887
LOG=N
R=dslomov@chromium.org
Review URL: https://codereview.chromium.org/194803002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19787 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-11 10:30:10 +00:00
yangguo@chromium.org
1634e7de38
Fix assertion in RegExp parser to correctly expect stack overflow.
...
Advance() always checks for stack overflow. If stack indeed overflowed,
current() would hold the kEndMarker. ParseOctalLiteral does not expect
this in the assertion, which causes assertion failure.
R=mvstanton@chromium.org
BUG=350865
LOG=N
Review URL: https://codereview.chromium.org/192773002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19764 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-10 15:52:10 +00:00
verwaest@chromium.org
1180803953
Reland and fix "Allow ICs to be generated for own global proxy."
...
BUG=
R=mvstanton@chromium.org
Review URL: https://codereview.chromium.org/176793003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19756 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-10 12:23:05 +00:00
verwaest@chromium.org
8a3d715250
Revert "Use Representation::Integer32() for smi types on 32-bit-tagged systems."
...
Due to performance regression.
BUG=
R=jkummerow@chromium.org
Review URL: https://codereview.chromium.org/189843006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19709 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-07 09:29:07 +00:00
ishell@chromium.org
997ce05289
Fix for failing asserts in HBoundsCheck code generation on x64: use proper cmp operation width instead of asserting that Integer32 values should be zero extended. Similar to chromium:345820.
...
BUG=349465
LOG=N
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/188703002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19694 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 16:22:47 +00:00
jkummerow@chromium.org
1cc0bafc07
Fix HConstants with Smi-ranged HeapNumber values
...
BUG=chromium:349878
LOG=y
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/186123003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19693 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 16:21:09 +00:00
mvstanton@chromium.org
6115a006fd
Bugfix for 349874: we incorrectly believe we saw a growing store
...
When we set an out of bounds array index, the index might be so large that
it causes the array to go to dictionary mode. It's better to avoid
"learning" that this was a growing store in that case.
This fix also partially reverts a fix for bug 347543, as this fix is
comprehensive and satisfies that repro case as well (partial revert of
v19591).
BUG=349874
LOG=N
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/188643002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19691 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 13:07:51 +00:00
jkummerow@chromium.org
5ea3f0004a
Let HTransitionElementsKind take part in RestoreActualValues phase
...
BUG=chromium:349853
LOG=n
R=mvstanton@chromium.org
Review URL: https://codereview.chromium.org/183753005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19689 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 12:13:49 +00:00
yangguo@chromium.org
285f253af1
Remove outdated assertion scope.
...
R=jkummerow@chromium.org
BUG=349870
LOG=N
Review URL: https://codereview.chromium.org/182003004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19687 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 11:51:53 +00:00
yangguo@chromium.org
e2e2f4050d
Fix issues with JSON stringify replacer array
...
If the replacer array contains a property key we should include the
property even if the property is non enumerable or if it is a non own
property.
String and Number wrappers in the replacer array should be treated as
string and number values.
R=yangguo@chromium.org
BUG=v8:3200, v8:3201
LOG=Y
Review URL: https://codereview.chromium.org/187053003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19685 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 09:50:53 +00:00
verwaest@chromium.org
7bf33c53eb
Use Representation::Integer32() for smi types on 32-bit-tagged systems.
...
BUG=
R=jkummerow@chromium.org
Review URL: https://codereview.chromium.org/187353005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19684 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 09:49:10 +00:00
verwaest@chromium.org
f913c3b492
Also delete force representations that have no uses.
...
BUG=
R=jkummerow@chromium.org
Review URL: https://codereview.chromium.org/187773002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19683 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 09:47:27 +00:00
jarin@chromium.org
52fd520c96
Fix materialization of captured objects in adapted arguments.
...
R=mstarzinger@chromium.org
BUG=348512
LOG=N
Review URL: https://codereview.chromium.org/183063006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19676 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-05 12:57:18 +00:00
jarin@chromium.org
7ac668f753
Deoptimization fix for HPushArgument.
...
HPushArgument should never be used in a simulation environment
because the slot addresses for the arguments can be off (e.g.,
due to on-stack arguments object of an inlined caller).
R=mstarzinger@chromium.org
BUG=v8:3183
LOG=N
Review URL: https://codereview.chromium.org/178193026
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19675 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-05 12:45:46 +00:00
jkummerow@chromium.org
3df5573195
x64: Fix LMathMinMax for constant Smi right-hand operands
...
BUG=chromium:349079
LOG=y
R=titzer@chromium.org
Review URL: https://codereview.chromium.org/186593003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19668 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-05 09:49:07 +00:00
yangguo@chromium.org
b1a271a02c
Fix HCheckValue::Canonicalize wrt uninitialized HConstant unique.
...
R=titzer@chromium.org
BUG=348280
LOG=N
Review URL: https://codereview.chromium.org/183383006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19642 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-04 08:08:08 +00:00
ulan@chromium.org
b9e0b87a5a
Clear optimized code cache in shared function info when code gets deoptimized.
...
This adds a pointer to the shared function info into deoptimization data of an optimized code. Whenever the code is deoptimized, it clears the cache in the shared function info.
This fixes the problem when the optimized function dies in new space GC before the code is deoptimized due to code dependency and before the optimized code cache is cleared in old space GC (see mjsunit/regress/regress-343609.js).
This partially reverts r19603 because we need to be able to evict specific code from the optimized code cache.
BUG=343609
LOG=Y
TEST=mjsunit/regress/regress-343609.js
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/184923002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19635 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-03 11:11:39 +00:00
rossberg@chromium.org
5543263c19
Move all Harmony-only tests to harmony/
...
R=jkummerow@chromium.org
BUG=
Review URL: https://codereview.chromium.org/178583005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19622 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 14:26:32 +00:00
ishell@chromium.org
c2601aea8a
Check elimination did not mark some dead blocks.
...
R=danno@chromium.org
Review URL: https://codereview.chromium.org/180483003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19619 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 14:16:38 +00:00
svenpanne@chromium.org
e9273332ef
Fixed constant folding for Math.clz32.
...
LOG=y
BUG=347906
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/184353002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19609 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 13:07:10 +00:00
mvstanton@chromium.org
b1ffc7901f
A JSArray may have a filler map in the elements pointer.
...
We already have code that expects this, but incorrectly asserted that the
filler map case would never happen when allocation folding is turned on.
However, even folding has it's limits, bailing out of continued folding
when the object size grows too large. Therefore, it's a general problem
when verifying JSArray objects, that we might encounter a filler map
in elements().
Discovered by ClusterFuzz crbug 347903.
R=hpayer@chromium.org
LOG=N
BUG=347903
Review URL: https://codereview.chromium.org/184493002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19604 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 12:29:19 +00:00
yangguo@chromium.org
5c186bb197
Evict from optimized code map in sync with removing from optimized functions list.
...
R=ulan@chromium.org
Review URL: https://codereview.chromium.org/184443002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19603 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 12:27:31 +00:00
bmeurer@chromium.org
70242fe3bb
Fix JSObject::PrintTransitions.
...
BUG=347912
LOG=y
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/183683005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19601 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 11:41:07 +00:00
hpayer@chromium.org
38ca2629be
Fix representation generalization for doubles.
...
BUG=
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/184393002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19599 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 11:07:10 +00:00
dcarney@chromium.org
98d1cedac4
Get array_function from NativeContext
...
R=mvstanton@chromium.org
LOG=N
BUG=347528
Review URL: https://codereview.chromium.org/184173003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19595 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 10:01:27 +00:00
bmeurer@chromium.org
5945f9ebb9
Fix handling of constant global variable assignments.
...
BUG=347904
LOG=y
R=hpayer@chromium.org
Review URL: https://codereview.chromium.org/184303003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19594 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 09:40:12 +00:00
svenpanne@chromium.org
c4e90c15b8
Removed bogus ASSERT.
...
LOG=y
BUG=347542
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/183763007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19592 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 08:45:07 +00:00
ishell@chromium.org
2ab83cf192
HAllocate should never generate allocation code if the requested size does not fit into page. Regression test included.
...
BUG=347543
LOG=N
R=hpayer@chromium.org
Review URL: https://codereview.chromium.org/180803005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19591 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 17:33:25 +00:00
verwaest@chromium.org
aa14020bc7
Fix putting of prototype transitions. The length is also subject to GC, just like entry.
...
BUG=347536
LOG=n
R=danno@chromium.org
Review URL: https://codereview.chromium.org/183193003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19586 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 16:07:44 +00:00
jarin@chromium.org
05b98492a4
Handle arguments objects in frame when materializing arguments
...
R=mstarzinger@chromium.org
BUG=347262
Review URL: https://codereview.chromium.org/177293009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19584 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 15:12:12 +00:00
yangguo@chromium.org
6912a248ca
Fix bogus assertion in SetFastDoubleElements.
...
R=danno@chromium.org
BUG=347530
LOG=N
Review URL: https://codereview.chromium.org/181433016
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19579 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 14:45:53 +00:00
mvstanton@chromium.org
b8f8cfabca
Fix for Clusterfuzz issue 343928.
...
The problem was that the debugger didn't expect that a JSFunction could
have a GlobalContext, which it can with harmony scoping.
BUG=343928
R=yangguo@chromium.org
LOG=N
Review URL: https://codereview.chromium.org/183103003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 13:25:05 +00:00
ishell@chromium.org
1ae7e8a1e5
Fix for failing asserts in HBoundsCheck code generation on x64: index register should be zero extended.
...
BUG=345820
LOG=N
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/180013002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19549 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 16:33:54 +00:00
verwaest@chromium.org
d5caecccc5
Revert "Use stability to only conditionally flush information from the CheckMaps table."
...
R=ishell@chromium.org
Review URL: https://codereview.chromium.org/180023002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19548 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 16:11:58 +00:00
jkummerow@chromium.org
e7e93cd433
Mark HCompareMap as having Tagged representation
...
BUG=chromium:346636
LOG=y
R=svenpanne@chromium.org
Review URL: https://codereview.chromium.org/176923013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19545 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 15:09:47 +00:00
rossberg@chromium.org
63f1970c6c
Fix crasher in Object.getOwnPropertySymbols
...
R=arv@chromium.org , mstarzinger@chromium.org
BUG=346141
LOG=Y
Review URL: https://codereview.chromium.org/177883002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19539 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 12:01:34 +00:00
bmeurer@chromium.org
77f597d387
Don't eliminate loads with incompatible types or representations.
...
BUG=346343
LOG=y
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/179553002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19536 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 09:55:50 +00:00
ishell@chromium.org
6c1659becf
Fix for a smi stores optimization on x64 with a regression test.
...
BUG=345715
LOG=N
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/178833002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19535 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 09:55:02 +00:00
dcarney@chromium.org
cb05cff594
negative bounds checking on realm calls
...
R=rossberg@chromium.org
LOG=N
BUG=344285
Review URL: https://codereview.chromium.org/169393002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19533 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 09:15:05 +00:00
jkummerow@chromium.org
37b6fd07c1
Fix optimistic BCE to back off after deopt
...
BUG=v8:3176
LOG=n
R=danno@chromium.org
Review URL: https://codereview.chromium.org/177523002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19530 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-24 13:15:31 +00:00
verwaest@chromium.org
84b366516e
Don't turn objects with empty-string properties into fast-mode.
...
R=ishell@chromium.org
Review URL: https://codereview.chromium.org/165743003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19511 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-20 16:11:48 +00:00
ishell@chromium.org
1342cb8b00
Bugfix in check elimination with a regression test.
...
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/172173003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19481 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-19 12:34:50 +00:00