Commit Graph

684 Commits

Author SHA1 Message Date
wingo@igalia.com
09fcac5e39 Use keyed-call inline caches in delegating yield
Since we can't assume anything about the shape of the iterator in a
yield* (delegating yield), use an IC to do the next() and throw()
iterator method calls.

BUG=v8:2691
R=rossberg@chromium.org
TEST=mjsunit/regress/regress-2691

Review URL: https://codereview.chromium.org/15455002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15111 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-13 10:18:28 +00:00
mvstanton@chromium.org
75afb8ce79 Fix for bug 245480. Calling new Array(a) with a single argument could result in creating a holey array with a packed elements kind.
BUG=245480
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/16341004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15095 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-12 18:04:16 +00:00
jkummerow@chromium.org
9447014780 Skip some conditional deopts for Div/Mul when all uses are truncating.
- set "can be minus zero" flag properly so minus-zero checks are skipped
- skip "integer result?" check in division code when uses are truncating
- drive-by cleanup: consolidated computation of kCanOverflow flag for Add/Sub into range inference phase

BUG=v8:2132
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/16741002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15060 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-11 11:43:57 +00:00
wingo@igalia.com
f68d6a10f8 Fix crasher when checking for "of", but next token has no literal buffer
Also fix a typo in an assertion in scanner.h.

R=mstarzinger@chromium.org
BUG=248025
TEST=mjsunit/regress/regress-crbug-248025.js

Review URL: https://codereview.chromium.org/16549003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15059 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-11 11:30:03 +00:00
mstarzinger@chromium.org
ecc41e30c0 Fix re-initialization of existing double field.
R=verwaest@chromium.org
BUG=v8:2717
TEST=mjsunit/regress/regress-2717

Review URL: https://codereview.chromium.org/16735003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15033 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-10 11:55:47 +00:00
verwaest@chromium.org
3588aa45cd Take all uses into account to clear int32 truncation.
R=jkummerow@chromium.org

Review URL: https://chromiumcodereview.appspot.com/16656002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15017 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-07 17:28:46 +00:00
verwaest@chromium.org
5e8679beea Remove the optimized construct stub.
R=mstarzinger@chromium.org

Review URL: https://chromiumcodereview.appspot.com/15993016

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14946 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-05 08:43:25 +00:00
mvstanton@chromium.org
3d3c6b1599 Special Array constructor type feedback erroneously recorded when Array
was called as a function. Issue was found with optimize_constructed_array
turned on. This patch makes the fix, and turns the flag back on.

BUG=244461
R=danno@chromium.org

Review URL: https://codereview.chromium.org/16057005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14917 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-03 14:46:23 +00:00
jkummerow@chromium.org
b4058a3bd4 Fast literals: fixed initialization of non-copied in-object property fields
BUG=chromium:245424
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/16190008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14906 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-31 15:50:19 +00:00
verwaest@chromium.org
5b08a1a119 Fix DeferredTaggedToINoSSE2 to not unconditionally untag undefined to 0.
R=danno@chromium.org

Review URL: https://chromiumcodereview.appspot.com/16228002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14896 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-31 08:37:34 +00:00
verwaest@chromium.org
1a4a904bef Replace DeoptimizeOnUndefined with whitelisting AllowUndefinedAsNan
R=danno@chromium.org

Review URL: https://chromiumcodereview.appspot.com/15952007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14894 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-30 09:11:06 +00:00
yurys@chromium.org
09959efe41 Add support for //# sourceURL similar to deprecated //@ sourceURL one.
BUG=v8:2702
R=yangguo@chromium.org, yurys@chromium.org

Review URL: https://codereview.chromium.org/15859010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14883 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-29 12:40:21 +00:00
mstarzinger@chromium.org
3b114cdd64 Fix IfBuilder::Deopt to clear the current block.
R=jkummerow@chromium.org
BUG=chromium:243868
TEST=mjsunit/regress/regress-crbug-243868

Review URL: https://codereview.chromium.org/16155003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14854 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-28 15:30:49 +00:00
verwaest@chromium.org
aa2444269b Fix the hole loading optimization.
- Holes are only ever loaded as double or tagged.
- Change to tagged has to deoptimize on undefined (no implicit
  conversions from double the hole NaN -> tagged undefined).

BUG=
R=jkummerow@chromium.org

Review URL: https://chromiumcodereview.appspot.com/16099006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14829 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-27 17:33:14 +00:00
yangguo@chromium.org
3e41834721 Regexp parser: reset flag after scanning ahead for capture groups.
When the regexp pattern parser encounters an unbound reference to a
capturing group, it needs to scan ahead to decide whether it really
is a reference.  The scan advances to the end of the pattern string
and sets has_more_ to false, but fails to reset it to true so that
later on, parsing a character class wrongly fails.

R=ulan@chromium.org
BUG=v8:2690

Review URL: https://chromiumcodereview.appspot.com/15712006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14817 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-27 10:53:37 +00:00
yangguo@chromium.org
7c2a1346d6 Fix edge case in stack trace formatting.
Bug description: in strict mode, null as receiver is not implicitly converted
to the global object, so that when formatting the stack trace, the receiver of
the stack frame is null. The IS_OBJECT check returns true for null, but
%GetDataProperty expected a JSObject, which results in a failed RUNTIME_ASSERT.

R=mvstanton@chromium.org
BUG=237617

Review URL: https://chromiumcodereview.appspot.com/15670003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14797 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-24 11:33:46 +00:00
yangguo@chromium.org
1d39355405 Add belated test for the SeqStringSetChar bug.
R=titzer@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/15849003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14790 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-24 08:37:27 +00:00
mstarzinger@chromium.org
8fb2086847 Fix embedded new-space pointer in LCmpObjectEqAndBranch.
R=mvstanton@chromium.org
BUG=chromium:240032
TEST=mjsunit/regress/regress-crbug-240032

Review URL: https://codereview.chromium.org/15779004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14777 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-23 14:06:28 +00:00
mstarzinger@chromium.org
b704cb9139 Fix bogus deopt in BuildEmitDeepCopy for holey arrays.
R=verwaest@chromium.org
BUG=chromium:242924
TEST=mjsunit/regress/regress-crbug-242924

Review URL: https://codereview.chromium.org/15735012

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14757 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 17:58:21 +00:00
verwaest@chromium.org
b353b1d131 Don't allow copying holes to fields.
R=jkummerow@chromium.org

Review URL: https://chromiumcodereview.appspot.com/15745006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14753 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 15:33:53 +00:00
mstarzinger@chromium.org
bf413b5122 Fix VisitLogicalExpression for empty blocks on RHS.
R=jkummerow@chromium.org
BUG=chromium:242870
TEST=mjsunit/regress/regress-crbug-242870

Review URL: https://codereview.chromium.org/15744002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14747 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 13:27:00 +00:00
yangguo@chromium.org
9960b24694 Fix unexpected elements transition in JSON.parse
R=verwaest@chromium.org
BUG=241344

Review URL: https://chromiumcodereview.appspot.com/15739003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14746 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 13:24:18 +00:00
mstarzinger@chromium.org
db4a770c3f Add regression test for fix from r14732.
R=verwaest@chromium.org
BUG=chromium:242502
TEST=mjsunit/regress/regress-crbug-242502

Review URL: https://codereview.chromium.org/15288008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14734 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-21 14:20:42 +00:00
titzer@chromium.org
5746d38351 Fix code gen bug on arm and mips; SeqStringSetChar overwrites a register; Add better default PrintDataTo for HInstruction
BUG=

Review URL: https://codereview.chromium.org/14895019

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14710 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-16 14:27:39 +00:00
wingo@igalia.com
d6fa1d8ad9 Function constructor should avoid String.prototype methods
Replace a use of .indexOf with a call to StringIndexOf.  As always,
lexical scoping to the rescue.

R=mstarzinger@chromium.org
TEST=mjsunit/regress/regress-2686
BUG=v8:2686

Review URL: https://codereview.chromium.org/14668013

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14678 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-15 10:52:06 +00:00
wingo@igalia.com
1634369af7 Don't flush code for generator functions.
R=mstarzinger@chromium.org
BUG=v8:2681
TEST=mjsunit/regress/regress-2681

Review URL: https://codereview.chromium.org/14731023

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14649 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-13 17:36:26 +00:00
jkummerow@chromium.org
7636fdec27 Fix missing hole check for loads from Smi arrays when all uses are changes
BUG=chromium:233737

Review URL: https://codereview.chromium.org/14978004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14638 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-13 11:58:10 +00:00
ulan@chromium.org
cd4e9866b7 Fix environment in HOptimizedGraphBuilder::VisitCountOperation. Follow-up for r14584.
R=danno@chromium.org
BUG=v8:2671
TEST=mjsunit/regress/regress-2671-1.js

Review URL: https://chromiumcodereview.appspot.com/14972009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14596 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-08 14:58:06 +00:00
ulan@chromium.org
e5a29e8ff9 Do not change environment between simulate and scope with no observable side-effects in HandlePropertyAssignment.
LChunkBuilder reconstructs the environment by applying simulates. A scope with no observable side-effects has no simulates. If the scope deoptimizes, then LChunkBuilder would miss the changes to the environment between the last simulate and the scope.

R=danno@chromium.org
BUG=v8:2671
TEST=mjsunit/regress/regress-2671.js

Review URL: https://chromiumcodereview.appspot.com/14793009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14584 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-08 07:40:28 +00:00
danno@chromium.org
528792e39b Fix beyond-heap load on x64 Crankshafted StringCharFromCode
BUG=chromium:235311
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/14387008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14481 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-29 14:34:24 +00:00
jkummerow@chromium.org
628875475e Fix overflow check in mul-i which was missing since r14322
Review URL: https://codereview.chromium.org/14471012

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14430 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-25 07:36:59 +00:00
dslomov@chromium.org
852f90339a Adds EXTERNAL_DOUBLE_ARRAY to a list of instance types
BUG=v8:2646

Patch by Andrei Kashcha <anvaka@gmail.com>

Review URL: https://codereview.chromium.org/14042008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14398 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-23 17:02:09 +00:00
ulan@chromium.org
bc4d7878e6 Do not emit Simulates in HandlePolymorphicElementAccess.
BUG=v8:2653
R=jkummerow@chromium.org
TEST=mjsunit/regress/regress-2653.js

Review URL: https://chromiumcodereview.appspot.com/14081025

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14396 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-23 15:28:44 +00:00
svenpanne@chromium.org
cd34acdae3 Do not emit double values at their use sites.
Revert part of r14179. From the regression test's comment:

Currently, the gap resolver doesn't handle moves from a ConstantOperand to a
DoubleRegister, but these kind of moves appeared when HConstant::EmitAtUses
was changed to allow special double values (-0, NaN, hole). So we should
either enhance the gap resolver or make sure that such moves don't happen.

BUG=chrome:234101

Review URL: https://codereview.chromium.org/14429002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14394 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-23 13:08:10 +00:00
mstarzinger@chromium.org
adf9afc09e Fix missing Smi check in grow mode keyed stores.
R=danno@chromium.org
TEST=mjsunit/regress/regress-grow-store-smi-check

Review URL: https://codereview.chromium.org/14352011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14332 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-18 14:18:27 +00:00
yangguo@chromium.org
d7b78dc230 Fix OOB write in --print-code.
R=jkummerow@chromium.org
BUG=v8:2624

Review URL: https://chromiumcodereview.appspot.com/14018010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14267 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-15 15:19:51 +00:00
yangguo@chromium.org
da5c11a44a Fix JSON.stringify's slow path wrt sliced strings.
R=mvstanton@chromium.org
BUG=229923

Review URL: https://chromiumcodereview.appspot.com/14107004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14224 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-11 09:53:00 +00:00
yangguo@chromium.org
996a80df45 Fix OSR for nested loops.
R=jkummerow@chromium.org
BUG=v8:2618

Review URL: https://chromiumcodereview.appspot.com/13811014

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14202 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-10 09:24:31 +00:00
verwaest@chromium.org
79d18ea332 Let ComputeTarget fail if it skips over NORMAL objects.
BUG=v8:2595

Review URL: https://chromiumcodereview.appspot.com/13862008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14190 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-09 16:38:51 +00:00
yangguo@chromium.org
fe6fc554b0 Fix slow path of JSON.stringifier when GC strikes.
FlatContent is not GC-safe.

R=verwaest@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/13782002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14175 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-09 08:12:59 +00:00
verwaest@chromium.org
98d8c9e452 Always check global property cells for readonliness before storing.
Add check when the global object is the last in the chain.

Review URL: https://chromiumcodereview.appspot.com/13730002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14173 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-09 08:09:05 +00:00
yangguo@chromium.org
9559181b0e Fix worst-case behavior of MergeRemovableSimulates().
Currently, when a long series of removable simulates are merged, we do
this by merging them one by one as we find them.  As we merge the value
value lists of the simulates, those lists snowball so that we get a
quadratic complexity wrt runtime and memory consumption.

Instead, we gather simulates that need to be merged, and merge them
backwards starting from the last simulate.

R=jkummerow@chromium.org
BUG=v8:2612

Review URL: https://chromiumcodereview.appspot.com/13649003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14169 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-08 17:37:22 +00:00
yangguo@chromium.org
e33b68817b Fix Array.prototype.concat when exceeding array size limit.
R=verwaest@chromium.org
BUG=v8:581

Review URL: https://chromiumcodereview.appspot.com/13465008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14154 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-05 15:12:59 +00:00
yangguo@chromium.org
deecbb2e01 Do not implicitly convert non-object receivers for strict mode functions.
This was still the case for Array.prototype.* builtin functions.

R=rossberg@chromium.org
BUG=v8:2273

Review URL: https://chromiumcodereview.appspot.com/13473009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14149 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-05 11:57:02 +00:00
mstarzinger@chromium.org
9e757a604c Make __proto__ a real JavaScript accessor property.
This turns the __proto__ callback from a foreign callback into a real
JavaScript accessor. It makes the accessor behavior of this property
explicit.

R=rossberg@chromium.org
BUG=v8:1949,v8:2606
TEST=mjsunit/regress/regress-2606

Review URL: https://codereview.chromium.org/13533004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14139 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-04 12:10:23 +00:00
ulan@chromium.org
eee5884f8d Add extra flag for load-ic stubs in code cache.
This allows to distinguish between stubs compiled for the current object from
stubs compiled for objects that have the current object as a prototype.

BUG=v8:2593
R=verwaest@chromium.org

Review URL: https://chromiumcodereview.appspot.com/13552003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14132 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-04 08:29:25 +00:00
danno@chromium.org
98281c62f0 Ensure UseRegisterAtStart not used with fixed temp/return register
R=vegorov@chromium.org
BUG=chromium:201590

Review URL: https://codereview.chromium.org/13527007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14124 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-03 14:45:39 +00:00
yangguo@chromium.org
443f85eed9 Add test to check that Function.caller must not expose native functions.
R=svenpanne@chromium.org
BUG=v8:105

Review URL: https://chromiumcodereview.appspot.com/13166002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14096 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-28 14:31:48 +00:00
dslomov@chromium.org
47d8af7616 Canonicalize NaNs on store to Fast(Float|Double) arrays
Also treat holey NaN coming from external float/double arrays correctly

BUG=2596

Review URL: https://codereview.chromium.org/12918028

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14094 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-28 13:30:16 +00:00
yangguo@chromium.org
9155d20282 Stack trace API: poison stack frames below the first strict mode frame.
Function and receiver objects are not accessible for poisoned frames.

R=rossberg@chromium.org
BUG=v8:2564

Review URL: https://chromiumcodereview.appspot.com/13150003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14085 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-28 10:40:07 +00:00