We did not properly combine the property names from the parameter map
and the arguments backing store. They could overwrite each other and
be unsorted.
Also fix an unrelated bug: deleting from a dictionary-mode arguments
backing store could corrupt the parameter map.
R=rossberg@chromium.org
BUG=1531
TEST=mjsunit/regress/regress-1531.js
Review URL: http://codereview.chromium.org/7278033
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8571 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The Advance() function of the class responsible for iterating
environment uses didn't always advance as far as it could (relying on
the HasNext predicate to finish advancing). This is brittle.
The HasNext predicate also didn't advance as far as it could when it
was at the end of an environment level. This is a bug.
R=jkummerow@chromium.org
BUG=
TEST=
Review URL: http://codereview.chromium.org/6993023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8181 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
If type-feedback indicates that an expression was never executed in
the non-optimized code, we insert a forced deoptimization right away
to enable re-optimization if we ever hit this path.
With this change we still continue to build the graph. As a next step, we
should remove the dead code after the deoptimize.
I had to remove one assert about the optimization status in a test since
we now immediately deoptimize after exiting the loop that triggers OSR.
Also remove a restriction that control-flow from an inlined function in a
test context always reaches both true- and false-target.
Review URL: http://codereview.chromium.org/7105015
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8140 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Our testing infrastructure uses exceptions to indicate
errors. assertUnreachable therefore throws an exception to indicate
that it was reached. Therefore, it cannot be used to check that an
exception was thrown using the pattern:
try {
shouldThrow();
assertUnreachable();
} catch(e) {
}
Such a test will always pass because assertUnreachable will throw an
exception if shouldThrow does not.
R=ricow@chromium.org
Review URL: http://codereview.chromium.org/7053035
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8117 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The only difference to revision 7763 is the implementation in the
builtins file for arm and x64, plus a move of Array.prototype.toString
and Array.prototype.toLocaleString from should throw on null or
undefined to the non generic test cases in the function-call test (due
to us not currently supporting generic cases with these to functions)
Review URL: http://codereview.chromium.org/6928007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7786 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Encapsulate the helper functions in mjsunit.js.
Now only exposes the exception class and the assertXXX functions.
Make assertEquals use === instead of ==.
This prevents a lot of possiblefalse positives in tests, and avoids
having to do assertTrue(expected === actual) when you need it.
Fixed some tests that were either buggy or assuming == test.
Review URL: http://codereview.chromium.org/6869007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7628 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Fix %NewObjectFromBound to correctly handle optimized frames (including those with inlined functions).
Fix %_IsConstructCall handling in hydrogen: when called from inlined function return false constant directly instead of emiting HIsConstructCall.
Fix success case in TraceInline.
BUG=v8:1229
TEST=test/mjsunit/regress/regress-1229.js
Review URL: http://codereview.chromium.org/6740023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7472 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This makes us compatible with firefox. Earlier on we were somehow
compatible with safari - which will allow defining a getter even when
an existing getter is present and non-configurable. We would, however,
in addition to overwriting the getter also change configurable to
true. The approach used by firefox seems much more sound, i.e., why
should it be possible to use __defineGetter__ or __defineSetter__ to
overwrite a non-configurable getter or setter respectively.
I will file a bug on the webkit bugtracker.
Review URL: http://codereview.chromium.org/6658037
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7143 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Used incorrect register for referencing RegExp data, so it always failed
to match the fast case.
When modifiying the object layout, it was possible to make it crash instead.
BUG=v8:1236
TEST=test/mjsunit/regress/regress-1236.js
Review URL: http://codereview.chromium.org/6635041
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7091 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When deoptimizing from the key subexpression of a keyed arguments access,
the unoptimized code expects to find the value of the receiver on the
expression stack. The environment of the optimizing compiler did not
contain this value during evaluation of the key subexpression.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6981 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Resubmit of patch for issue 1145 with a few additions:
- Now also clears exceptions when calling Runtime_LazyRecompile.
- Sets function where parsing fails to not be optimizable.
BUG=v8:1145
TEST=test/mjsunit/regress/regress-1145.js
Review URL: http://codereview.chromium.org/6469050
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6945 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We can wrongly assume that exception which is not intended to be caught
by external try/catch should be caught if this exception inherits
external catcher from some previous exception. To prevent that,
clear external catcher when processing exceptions which cannot be
externally caught.
BUG=v8:1184
TEST=test/mjsunit/regress/regress-1184.js
Review URL: http://codereview.chromium.org/6538081
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6905 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The old version only added extra space when we did indirect calls, but
the problem remains the same with normal calls that can be represented
as a single byte. When doing patching each call will always be at
least 2 bytes long because we use RUNTIME_ENTY as the reloc mode.
Review URL: http://codereview.chromium.org/6541053
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6894 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Call accessors in the global object prototype when initializing global
variables. Function declarations are special cased for compatibility
with Safari and setters are not called for them. If this special
casing was not done webkit layout tests would fail.
Make the declaration of global const variables in the presence of
callbacks a redeclaration error.
Handle const context slot declarations conflicting with a CALLBACK as
a redeclaration error. That is, unless it is on a context extension
object which is not a real object and therefore conceptually have no
accessors in prototype chains. Accessors in prototype chains of
context extension objects are explicitly ignored in SetProperty.
Review URL: http://codereview.chromium.org/6534029
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6846 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
variables.
Make the declaration of global const variables in the presence of
callbacks a redeclaration error.
Handle const context slot declarations conflicting with a CALLBACK as
a redeclaration error. That is, unless it is on a context extension
object which is not a real object and therefore conceptually have no
accessors in prototype chains. Accessors in prototype chains of
context extension objects are explicitly ignored in SetProperty.
Review URL: http://codereview.chromium.org/6519050
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6841 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The baseline compiler does not materialize a value for expressions of
the form !expr in an effect context so the graph translation should
not produce such an environment, otherwise we risk targeting it by
deoptimization.
BUG=v8:1167
Review URL: http://codereview.chromium.org/6537018
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6833 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We currently leave the exception as pending without returning a Failure::Exception() value. This is either caught immediately if running with --debug-code, or caught later by an assert in debug mode.
This change makes the pending exception be cleared before returning from the failed optimization attempt.
BUG=v8::1145
TEST=test/mjsunit/regress/regress-1145.js
Review URL: http://codereview.chromium.org/6524039
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6832 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When deoptimizing to after an expression of the form (expr0 || expr1)
or (expr0 && expr1) in an effect context, the unoptimized code could
incorrectly see the value of the expression.
Handle the short-circuit binary operators specially in effect contexts.
This fixes the issue and will generate better code when the left
subexpression is boolean-valued.
BUG=v8:1166
Review URL: http://codereview.chromium.org/6519046
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6831 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The current version uses SetObjectProperty which will not set the
value in case this is a readonly property. The spec explictly says
that a configurable but non writable property can have its value
changed with Object.defineProperty (because the same thing can be
accomplished by doing 3 calls (set writable to true, update the value,
set writable to false).
Review URL: http://codereview.chromium.org/6518004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6766 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
In the presence of JS accessors for elements on Object.prototype JSArray::SetFastElement
may throw or its behaviour can be altered. Instead operate on plain FixedArrays and
turn them into JSArry later.
BUG=v8:1130
TEST=test/mjsunit/regress/regress-1130.js
Review URL: http://codereview.chromium.org/6481001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6730 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When constructing stack traces we interpret the deoptimization data for
optimized frames to find the receiver value. This value could sometimes be
eliminated from the deoptimization data if we though it was unused.
BUG=v8:1118
Review URL: http://codereview.chromium.org/6465023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6694 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
My previous patch added an assert which uncovered 1092 in the sputnik tests.
This patch adds the fix for 1092, which is to ensure that NormalizeProperties
does not get called for a JSGlobalProxy along all code paths.
Add sputnik tests to .gitignore.
BUG=
TEST=
Review URL: http://codereview.chromium.org/6286060
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6627 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Record a safepoint with a deoptimization id for throw in optimized code. We
don't seem to much care what the AST ID is because we will not be using it
for lazy deoptimization (throw doesn't return to the point of throw). For
hygiene we use the actual ID of the throw expression. Throw is no longer a
control-flow instruction, but it's followed by an unconditional abnormal
exit. This is required to insert a simulate between the throw and the exit.
Make our optimized treatment of Function.prototype.apply act like a call and
have side effects. This ensures that it will get a lazy deoptimization
environment. Use that deoptimization ID in the safepoint for the call.
Deleting a property was also missing a deoptimization ID, though there was a
deoptimization environment assigned to the instruction. Record the
environment and use the deoptimization ID at the safepoint.
Review URL: http://codereview.chromium.org/6250105
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Fixes JS portion of DefineOwnProperty when there is
an existing property and the new descriptor is generic.
Makes code follow spec steps more closely.
Fixes typo for check for unchanged enumerable in step 6.
Adds regression tests.
Fixes errors in object-define-property test
Don't normalize the JSGlobalProxy. Gets webkit http/tests/security/xss-DENIED-defineProperty.html working.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6561 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
With SVN r6465 (reverting changes to scopes), a regression test for
deleting parameter variables has to change to reflect a semantic
change. It is now again possible to delete parameters from a function
that uses 'with' or 'try...catch'.
Review URL: http://codereview.chromium.org/6307014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6466 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The function Runtime_LookupContext searches the context chain for a
LOOKUP slot and returns the object holding the slot. It returned the
global context if the slot was not found or if it was found in a
function's context or arguments object. This is not the correct
object to use for 'delete'.
Since this lookup function is only ever used when deleting LOOKUP
slots (those that have to go through a with or a scope with eval), it
is simply replaced with a Runtime_DeleteContextSlot function that does
the appropriate thing for all kinds of context lookups.
This fixes Chromium bug 70066.
http://code.google.com/p/chromium/issues/detail?id=70066
Review URL: http://codereview.chromium.org/6280013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6442 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We hit an assertion failure when we tried to record the AST ID of
the (shared) .arguments variable proxy more than once. This was hit
when we had multiple calls to the same parameter in a function that
used the arguments object. The fix is to not visit the subexpressions
of the (shared) property access expression.
BUG=1060
Review URL: http://codereview.chromium.org/6368007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6404 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
If the instanceof stub was requested to deliver true/false objects as the result instead of 0/1 then 0/1 was actually returned if the builtin INSTANCE_OF ended up being called. This is now fixed.
BUG=v8:1020
TEST=test/mjsunit/regress/regress-1020.js
Review URL: http://codereview.chromium.org/6014013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6185 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
In the past we only accepted functions as argument for setting an
accessor. Since one should be able to set an accessor to undefined
this had to be changed to take either.
In addition, we did not lookup properties in the prototype chain,
causing us to call the setter of an existing accessor up the prototype
chain when trying to replace an existing accessor (that was not local)
with a data property.
Review URL: http://codereview.chromium.org/5861006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6045 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When entering a finally block in unoptimized code, we unconditionally
save the accumulator register in the stack in case it holds a return
value or an exception. In the case of a break, continue, or falling
off the end of the try or catch block, this value is unpredictable and
not necessarily safe for GC.
Review URL: http://codereview.chromium.org/5883003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6035 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This fixes V8 issue 989.
Before, assignments used the AST ID of the assignment expression to
mark the side effect of the store, which became a target for
deoptimization bailout for code after the assignment. In effect
contexts this environment included the value of the assignment, which
was unexpected by the unoptimized code.
Now we introduce a new assignment ID for AST node types that include
an assignment (Assignment, CountOperation, and ForInStatement) and use
it for the side effect of the store.
Review URL: http://codereview.chromium.org/5682010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5990 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
SplitBetween (formely known as Split with 3 arguments) should select split position from [start, end] instead of [start, end[. This should also improve allocation quality (remove certain redundant move patterns).
Also some minor renaming and refactoring to make register allocator code more readable.
BUG=v8:962
TEST=test/mjsunit/regress/regress-962.js
Review URL: http://codereview.chromium.org/5720001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5969 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
see http://code.google.com/p/v8/issues/detail?id=944
This patch makes DateParser::TimeComposer process times that have
millisecond values with only 1 or 2 digits.
Without this patch, Date.parse("2010-11-25T22:02:30.5") returns
1290690150005 and
Date.parse("2010-11-25T22:02:30.5") == Date.parse("2010-11-25T22:02:30.005")
evaluates to true.
With this patch, Date.parse("2010-11-25T22:02:30.5") returns
1290690150500 instead, and
Date.parse("2010-11-25T22:02:30.5") == Date.parse("2010-11-25T22:02:30.005")
evaluates to false.
Review URL: http://codereview.chromium.org/5336005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5893 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Object.freeze and Object.seal uses GetOwnPropertyNames which
returns an array with local property names. This array will also have
the additional properties defined on Array.prototype or
Object.prototype.
Note that, the implementation of GetOwnPropertyNames (when used as
Object.getOwnPropertyNames) is correct, since the spec says to create
a new Array (which would also have these properties).
Review URL: http://codereview.chromium.org/3137041
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5350 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This adds a check to the fast case string add to ensure that the String object still have the default valueOf function. The default valueOf is sitting on a hidden prototype of String.prototype.
Before using the fast case valueOf the object is checked for a local valueOf property. For slow case objects this check always reports true (the dictionary is not probed, so valueOf might be there) and for fast case objects the descriptor array is checked for the valueOf symbol (just liniar scan). After that the prototype is checked for beeing the initial value of String.prototype. If this all pass (that is the default valueOf is still in place) this result is cached on the map making the check fast the next time.
This is only implemented in the optimizing compiler, as the two usages of %_IsStringWrapperSafeForDefaultValueOf is never hit by the full compiler.
I will port to x64 and ARM when this has been reviewed for ia32.
I will remove the performance counters prior to final commit.
BUG=http://code.google.com/p/v8/issues/detail?id=760
TEST=test/mjsunit/regress/regress-760-1.js
TEST=test/mjsunit/regress/regress-760-2.js
Review URL: http://codereview.chromium.org/3117006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5252 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The existing version will overwrite the existing writable flag with
false even in the case where no new value is given and the existing
writable flag is true.
The reason for the issue is that there is no check to see if the
provided descriptor actually has a writable attribute. This causes us
to use the default value (false) even in the case where nothing was
provided. In addition, the existing tests makes wrong assumptions (that writable is always set to false if not provided) and has been changed to follow the specification.
Review URL: http://codereview.chromium.org/2271001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4720 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Object.defineProperty with empty property descriptor.
The issue is fixed by implementing step 5 and 6 from DefineOwnProperty in the
specification (ES5 8.12.9).
This also fixes a bug in SameValue when used on boolean values (it
would priorly return a number - not a boolean).
Review URL: http://codereview.chromium.org/2131019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4708 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This change allows Object.create to take a function as input in the
proto argument. The spec says that Type(O) for the proto argument
should be true but our IS_OBJECT does not check for this. I will make a
IS_SPEC_OBJECT in macros.py and refactor v8natives in another CL.
Review URL: http://codereview.chromium.org/2051001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4622 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The error was introduced in revision 4557 where support was added for
ES5 date time format strings. Because there was no check for a valid
year a random string starting with a non-digit character would be
parsed.
This change disallows ES5 formatted dates where there is no date
fraction (i.e., with only a timestamp). Since none of the other
browsers support Date.parse on only timestamps I have disabled this
totally instead of just correcting the parser.
Review URL: http://codereview.chromium.org/2017005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4613 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We need to be careful to check global property cells for the property
encountered during lookup. Therefore, the ICs have to be specific to
the name of the property if global objects are involved. In
principle, this means that we could get a large number of monomorphic
ICs for the same map if there is a global object in the prototype
chain. However, since this is only done for normal load ICs and not
for keyed load ICs I do not expect this to be a problem. I will
experiment with it once this goes in.
BUG=675
Review URL: http://codereview.chromium.org/1559033
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4426 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This re-applies r4220 and r4233, which was reverted in r4254 due to a bug. This bug has now been fixed, with the only change being line 2884 changed from
__ SmiTag(left_side->reg());
to
__ SmiTag(operand->reg());
Added a regression test.
BUG=http://crbug.com/39160
TEST=test/mjsunit/regress/regress-crbug-39160.js
Review URL: http://codereview.chromium.org/1251009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4261 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When Array(0) or new Array(0) is handled by the generated code it is handled
by the same code as Array() and new Array(). For this to work the stack is
tweaked to remove the argument of value 0. However the argc was still passed
as 1 if a call to the runtime system was made.
When the stack is tweaked argc is also changed to 0.
BUG=634
TEST=test/mjsunittest/mjsunit/regress/regress-634.js
Review URL: http://codereview.chromium.org/668155
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4038 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Fix for issue 603.
Revision r3484 removed the property name from the call stack for
call ICs. When a non-function was called via a call IC and
Function.prototype.call, an extra value was left on the stack that the
caller could not know to clean up.
Fix is to change the JS builtin used for calling non-functions. It
now gets the callee as receiver, rather than iterating stack frames
and finding it on the expression stack of its JS caller.
Review URL: http://codereview.chromium.org/604064
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3882 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When functions only have simple assignments of the form this.x = ... the object is created in generated code without actually calling the constructor. In this case the initial map for the function already contains the properties assigned in the constructor. The field descriptors in this initial map now has an enumeration index assigned to make property enumeration order the insertion order. The insertion order here is the order of the this.x assignments in the code.
BUG=http://crbug.com/3867
TEST=test/mjsunit/regress/regress-crbug-3867.js
Review URL: http://codereview.chromium.org/566016
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3768 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When a function is called with a value type as the receiver this is now boxed as an object.
This is a low-impact solution where the receiver is only boxed when required. For IC calls to the V8 builtins values are not boxed and as most of the functions on String.prototype, Number.prototype and Boolean.prototype are sitting there most IC calls on values will not need any boxing of the receiver.
For calls which are not IC calls but calls through the CallFunctionStub a flag is used to determine whether the receiver might be a value and only when that is the case will the receiver be boxed.
No changtes to Function.call and Function.apply - they already boxed values. According to the ES5 spec the receiver should not be boxed for these functions, but current browsers have not adopted that change yet.
BUG=223
TEST=test/mjsunit/value-wrapper.js
TEST=test/mjsunit/regress/regress-crbug-3184.js
Review URL: http://codereview.chromium.org/542087
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3617 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
On 32-bit the maps are now aligned on a 32-byte boundary in order to encode more maps during compacting GC. The actual size of a map on 32-bit is 28 bytes making this change waste 4 bytes per map.
On 64-bit the encoding for compacting GC is now using more than 32-bits and the maps here are still pointer size aligned. The actual size of a map on 64-bit is 48 bytes and this change does not intruduce any waste.
My choice of 16 bits for kMapPageIndexBits for 64-bit should give the same maximum number of pages (8K) for map space. As maps on 64-bit are larger than on 32-bit the total number of maps on 64-bit will be smaller than on 32-bit. We could consider raising this to 17 or 18.
I moved the kPageSizeBits to globals.h as the calculation of the encoding really depended on this.
There are still an #ifdef/#endif in objects.h and this constant could be moved to globaks.h as well, but I kept it together with the related constants.
All the tests run in debug mode with additional options --gc-global --always-compact as well (except for a few tests on which also fails before this change when run with --gc-global --always-compact).
BUG=http://code.google.com/p/v8/issues/detail?id=524
BUG=http://crbug.com/29428
TEST=test/mjsunit/regress/regress-524.js
Review URL: http://codereview.chromium.org/504026
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3481 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We did not handle the case where the left-hand-side expression was
fully compiled to control flow. There were also some assertions for
unary and binary expressions that crashed debug builds when the
expression was fully compiled to control flow.
Regression test added.
Review URL: http://codereview.chromium.org/160006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2524 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
With the new representation of the global object adding JavaScript accessors for a property after global inline caches was created for that property did not work property as the inline caches did not take the JavaScript accessor information (fixed array with two elements) that could be present in a global object property cell into account.
This is now fixed by changing the map for a global object when a JavaScript accessor is defined on it.
BUG=394
TEST=test\mjsunit\regress\regress-394.js
Review URL: http://codereview.chromium.org/150162
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2317 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
