wingo@igalia.com
09fcac5e39
Use keyed-call inline caches in delegating yield
...
Since we can't assume anything about the shape of the iterator in a
yield* (delegating yield), use an IC to do the next() and throw()
iterator method calls.
BUG=v8:2691
R=rossberg@chromium.org
TEST=mjsunit/regress/regress-2691
Review URL: https://codereview.chromium.org/15455002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15111 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-13 10:18:28 +00:00
mvstanton@chromium.org
75afb8ce79
Fix for bug 245480. Calling new Array(a) with a single argument could result in creating a holey array with a packed elements kind.
...
BUG=245480
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/16341004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15095 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-12 18:04:16 +00:00
jkummerow@chromium.org
9447014780
Skip some conditional deopts for Div/Mul when all uses are truncating.
...
- set "can be minus zero" flag properly so minus-zero checks are skipped
- skip "integer result?" check in division code when uses are truncating
- drive-by cleanup: consolidated computation of kCanOverflow flag for Add/Sub into range inference phase
BUG=v8:2132
R=svenpanne@chromium.org
Review URL: https://codereview.chromium.org/16741002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15060 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-11 11:43:57 +00:00
wingo@igalia.com
f68d6a10f8
Fix crasher when checking for "of", but next token has no literal buffer
...
Also fix a typo in an assertion in scanner.h.
R=mstarzinger@chromium.org
BUG=248025
TEST=mjsunit/regress/regress-crbug-248025.js
Review URL: https://codereview.chromium.org/16549003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15059 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-11 11:30:03 +00:00
mstarzinger@chromium.org
ecc41e30c0
Fix re-initialization of existing double field.
...
R=verwaest@chromium.org
BUG=v8:2717
TEST=mjsunit/regress/regress-2717
Review URL: https://codereview.chromium.org/16735003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15033 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-10 11:55:47 +00:00
verwaest@chromium.org
3588aa45cd
Take all uses into account to clear int32 truncation.
...
R=jkummerow@chromium.org
Review URL: https://chromiumcodereview.appspot.com/16656002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15017 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-07 17:28:46 +00:00
verwaest@chromium.org
5e8679beea
Remove the optimized construct stub.
...
R=mstarzinger@chromium.org
Review URL: https://chromiumcodereview.appspot.com/15993016
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14946 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-05 08:43:25 +00:00
mvstanton@chromium.org
3d3c6b1599
Special Array constructor type feedback erroneously recorded when Array
...
was called as a function. Issue was found with optimize_constructed_array
turned on. This patch makes the fix, and turns the flag back on.
BUG=244461
R=danno@chromium.org
Review URL: https://codereview.chromium.org/16057005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14917 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-03 14:46:23 +00:00
jkummerow@chromium.org
b4058a3bd4
Fast literals: fixed initialization of non-copied in-object property fields
...
BUG=chromium:245424
R=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/16190008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14906 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-31 15:50:19 +00:00
verwaest@chromium.org
5b08a1a119
Fix DeferredTaggedToINoSSE2 to not unconditionally untag undefined to 0.
...
R=danno@chromium.org
Review URL: https://chromiumcodereview.appspot.com/16228002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14896 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-31 08:37:34 +00:00
verwaest@chromium.org
1a4a904bef
Replace DeoptimizeOnUndefined with whitelisting AllowUndefinedAsNan
...
R=danno@chromium.org
Review URL: https://chromiumcodereview.appspot.com/15952007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14894 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-30 09:11:06 +00:00
yurys@chromium.org
09959efe41
Add support for //# sourceURL similar to deprecated //@ sourceURL one.
...
BUG=v8:2702
R=yangguo@chromium.org , yurys@chromium.org
Review URL: https://codereview.chromium.org/15859010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14883 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-29 12:40:21 +00:00
mstarzinger@chromium.org
3b114cdd64
Fix IfBuilder::Deopt to clear the current block.
...
R=jkummerow@chromium.org
BUG=chromium:243868
TEST=mjsunit/regress/regress-crbug-243868
Review URL: https://codereview.chromium.org/16155003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14854 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-28 15:30:49 +00:00
verwaest@chromium.org
aa2444269b
Fix the hole loading optimization.
...
- Holes are only ever loaded as double or tagged.
- Change to tagged has to deoptimize on undefined (no implicit
conversions from double the hole NaN -> tagged undefined).
BUG=
R=jkummerow@chromium.org
Review URL: https://chromiumcodereview.appspot.com/16099006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14829 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-27 17:33:14 +00:00
yangguo@chromium.org
3e41834721
Regexp parser: reset flag after scanning ahead for capture groups.
...
When the regexp pattern parser encounters an unbound reference to a
capturing group, it needs to scan ahead to decide whether it really
is a reference. The scan advances to the end of the pattern string
and sets has_more_ to false, but fails to reset it to true so that
later on, parsing a character class wrongly fails.
R=ulan@chromium.org
BUG=v8:2690
Review URL: https://chromiumcodereview.appspot.com/15712006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14817 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-27 10:53:37 +00:00
yangguo@chromium.org
7c2a1346d6
Fix edge case in stack trace formatting.
...
Bug description: in strict mode, null as receiver is not implicitly converted
to the global object, so that when formatting the stack trace, the receiver of
the stack frame is null. The IS_OBJECT check returns true for null, but
%GetDataProperty expected a JSObject, which results in a failed RUNTIME_ASSERT.
R=mvstanton@chromium.org
BUG=237617
Review URL: https://chromiumcodereview.appspot.com/15670003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14797 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-24 11:33:46 +00:00
yangguo@chromium.org
1d39355405
Add belated test for the SeqStringSetChar bug.
...
R=titzer@chromium.org
BUG=
Review URL: https://chromiumcodereview.appspot.com/15849003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14790 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-24 08:37:27 +00:00
mstarzinger@chromium.org
8fb2086847
Fix embedded new-space pointer in LCmpObjectEqAndBranch.
...
R=mvstanton@chromium.org
BUG=chromium:240032
TEST=mjsunit/regress/regress-crbug-240032
Review URL: https://codereview.chromium.org/15779004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14777 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-23 14:06:28 +00:00
mstarzinger@chromium.org
b704cb9139
Fix bogus deopt in BuildEmitDeepCopy for holey arrays.
...
R=verwaest@chromium.org
BUG=chromium:242924
TEST=mjsunit/regress/regress-crbug-242924
Review URL: https://codereview.chromium.org/15735012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14757 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 17:58:21 +00:00
verwaest@chromium.org
b353b1d131
Don't allow copying holes to fields.
...
R=jkummerow@chromium.org
Review URL: https://chromiumcodereview.appspot.com/15745006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14753 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 15:33:53 +00:00
mstarzinger@chromium.org
bf413b5122
Fix VisitLogicalExpression for empty blocks on RHS.
...
R=jkummerow@chromium.org
BUG=chromium:242870
TEST=mjsunit/regress/regress-crbug-242870
Review URL: https://codereview.chromium.org/15744002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14747 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 13:27:00 +00:00
yangguo@chromium.org
9960b24694
Fix unexpected elements transition in JSON.parse
...
R=verwaest@chromium.org
BUG=241344
Review URL: https://chromiumcodereview.appspot.com/15739003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14746 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 13:24:18 +00:00
mstarzinger@chromium.org
db4a770c3f
Add regression test for fix from r14732.
...
R=verwaest@chromium.org
BUG=chromium:242502
TEST=mjsunit/regress/regress-crbug-242502
Review URL: https://codereview.chromium.org/15288008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14734 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-21 14:20:42 +00:00
titzer@chromium.org
5746d38351
Fix code gen bug on arm and mips; SeqStringSetChar overwrites a register; Add better default PrintDataTo for HInstruction
...
BUG=
Review URL: https://codereview.chromium.org/14895019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14710 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-16 14:27:39 +00:00
wingo@igalia.com
d6fa1d8ad9
Function constructor should avoid String.prototype methods
...
Replace a use of .indexOf with a call to StringIndexOf. As always,
lexical scoping to the rescue.
R=mstarzinger@chromium.org
TEST=mjsunit/regress/regress-2686
BUG=v8:2686
Review URL: https://codereview.chromium.org/14668013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14678 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-15 10:52:06 +00:00
wingo@igalia.com
1634369af7
Don't flush code for generator functions.
...
R=mstarzinger@chromium.org
BUG=v8:2681
TEST=mjsunit/regress/regress-2681
Review URL: https://codereview.chromium.org/14731023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14649 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-13 17:36:26 +00:00
jkummerow@chromium.org
7636fdec27
Fix missing hole check for loads from Smi arrays when all uses are changes
...
BUG=chromium:233737
Review URL: https://codereview.chromium.org/14978004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14638 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-13 11:58:10 +00:00
ulan@chromium.org
cd4e9866b7
Fix environment in HOptimizedGraphBuilder::VisitCountOperation. Follow-up for r14584.
...
R=danno@chromium.org
BUG=v8:2671
TEST=mjsunit/regress/regress-2671-1.js
Review URL: https://chromiumcodereview.appspot.com/14972009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14596 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-08 14:58:06 +00:00
ulan@chromium.org
e5a29e8ff9
Do not change environment between simulate and scope with no observable side-effects in HandlePropertyAssignment.
...
LChunkBuilder reconstructs the environment by applying simulates. A scope with no observable side-effects has no simulates. If the scope deoptimizes, then LChunkBuilder would miss the changes to the environment between the last simulate and the scope.
R=danno@chromium.org
BUG=v8:2671
TEST=mjsunit/regress/regress-2671.js
Review URL: https://chromiumcodereview.appspot.com/14793009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14584 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-08 07:40:28 +00:00
danno@chromium.org
528792e39b
Fix beyond-heap load on x64 Crankshafted StringCharFromCode
...
BUG=chromium:235311
R=jkummerow@chromium.org
Review URL: https://codereview.chromium.org/14387008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14481 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-29 14:34:24 +00:00
jkummerow@chromium.org
628875475e
Fix overflow check in mul-i which was missing since r14322
...
Review URL: https://codereview.chromium.org/14471012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14430 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-25 07:36:59 +00:00
dslomov@chromium.org
852f90339a
Adds EXTERNAL_DOUBLE_ARRAY to a list of instance types
...
BUG=v8:2646
Patch by Andrei Kashcha <anvaka@gmail.com>
Review URL: https://codereview.chromium.org/14042008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14398 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-23 17:02:09 +00:00
ulan@chromium.org
bc4d7878e6
Do not emit Simulates in HandlePolymorphicElementAccess.
...
BUG=v8:2653
R=jkummerow@chromium.org
TEST=mjsunit/regress/regress-2653.js
Review URL: https://chromiumcodereview.appspot.com/14081025
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14396 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-23 15:28:44 +00:00
svenpanne@chromium.org
cd34acdae3
Do not emit double values at their use sites.
...
Revert part of r14179. From the regression test's comment:
Currently, the gap resolver doesn't handle moves from a ConstantOperand to a
DoubleRegister, but these kind of moves appeared when HConstant::EmitAtUses
was changed to allow special double values (-0, NaN, hole). So we should
either enhance the gap resolver or make sure that such moves don't happen.
BUG=chrome:234101
Review URL: https://codereview.chromium.org/14429002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14394 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-23 13:08:10 +00:00
mstarzinger@chromium.org
adf9afc09e
Fix missing Smi check in grow mode keyed stores.
...
R=danno@chromium.org
TEST=mjsunit/regress/regress-grow-store-smi-check
Review URL: https://codereview.chromium.org/14352011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14332 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-18 14:18:27 +00:00
yangguo@chromium.org
d7b78dc230
Fix OOB write in --print-code.
...
R=jkummerow@chromium.org
BUG=v8:2624
Review URL: https://chromiumcodereview.appspot.com/14018010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14267 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-15 15:19:51 +00:00
yangguo@chromium.org
da5c11a44a
Fix JSON.stringify's slow path wrt sliced strings.
...
R=mvstanton@chromium.org
BUG=229923
Review URL: https://chromiumcodereview.appspot.com/14107004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14224 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-11 09:53:00 +00:00
yangguo@chromium.org
996a80df45
Fix OSR for nested loops.
...
R=jkummerow@chromium.org
BUG=v8:2618
Review URL: https://chromiumcodereview.appspot.com/13811014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14202 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-10 09:24:31 +00:00
verwaest@chromium.org
79d18ea332
Let ComputeTarget fail if it skips over NORMAL objects.
...
BUG=v8:2595
Review URL: https://chromiumcodereview.appspot.com/13862008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14190 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-09 16:38:51 +00:00
yangguo@chromium.org
fe6fc554b0
Fix slow path of JSON.stringifier when GC strikes.
...
FlatContent is not GC-safe.
R=verwaest@chromium.org
BUG=
Review URL: https://chromiumcodereview.appspot.com/13782002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14175 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-09 08:12:59 +00:00
verwaest@chromium.org
98d8c9e452
Always check global property cells for readonliness before storing.
...
Add check when the global object is the last in the chain.
Review URL: https://chromiumcodereview.appspot.com/13730002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14173 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-09 08:09:05 +00:00
yangguo@chromium.org
9559181b0e
Fix worst-case behavior of MergeRemovableSimulates().
...
Currently, when a long series of removable simulates are merged, we do
this by merging them one by one as we find them. As we merge the value
value lists of the simulates, those lists snowball so that we get a
quadratic complexity wrt runtime and memory consumption.
Instead, we gather simulates that need to be merged, and merge them
backwards starting from the last simulate.
R=jkummerow@chromium.org
BUG=v8:2612
Review URL: https://chromiumcodereview.appspot.com/13649003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14169 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-08 17:37:22 +00:00
yangguo@chromium.org
e33b68817b
Fix Array.prototype.concat when exceeding array size limit.
...
R=verwaest@chromium.org
BUG=v8:581
Review URL: https://chromiumcodereview.appspot.com/13465008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14154 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-05 15:12:59 +00:00
yangguo@chromium.org
deecbb2e01
Do not implicitly convert non-object receivers for strict mode functions.
...
This was still the case for Array.prototype.* builtin functions.
R=rossberg@chromium.org
BUG=v8:2273
Review URL: https://chromiumcodereview.appspot.com/13473009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14149 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-05 11:57:02 +00:00
mstarzinger@chromium.org
9e757a604c
Make __proto__ a real JavaScript accessor property.
...
This turns the __proto__ callback from a foreign callback into a real
JavaScript accessor. It makes the accessor behavior of this property
explicit.
R=rossberg@chromium.org
BUG=v8:1949,v8:2606
TEST=mjsunit/regress/regress-2606
Review URL: https://codereview.chromium.org/13533004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14139 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-04 12:10:23 +00:00
ulan@chromium.org
eee5884f8d
Add extra flag for load-ic stubs in code cache.
...
This allows to distinguish between stubs compiled for the current object from
stubs compiled for objects that have the current object as a prototype.
BUG=v8:2593
R=verwaest@chromium.org
Review URL: https://chromiumcodereview.appspot.com/13552003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14132 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-04 08:29:25 +00:00
danno@chromium.org
98281c62f0
Ensure UseRegisterAtStart not used with fixed temp/return register
...
R=vegorov@chromium.org
BUG=chromium:201590
Review URL: https://codereview.chromium.org/13527007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14124 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-03 14:45:39 +00:00
yangguo@chromium.org
443f85eed9
Add test to check that Function.caller must not expose native functions.
...
R=svenpanne@chromium.org
BUG=v8:105
Review URL: https://chromiumcodereview.appspot.com/13166002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14096 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-28 14:31:48 +00:00
dslomov@chromium.org
47d8af7616
Canonicalize NaNs on store to Fast(Float|Double) arrays
...
Also treat holey NaN coming from external float/double arrays correctly
BUG=2596
Review URL: https://codereview.chromium.org/12918028
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14094 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-28 13:30:16 +00:00
yangguo@chromium.org
9155d20282
Stack trace API: poison stack frames below the first strict mode frame.
...
Function and receiver objects are not accessible for poisoned frames.
R=rossberg@chromium.org
BUG=v8:2564
Review URL: https://chromiumcodereview.appspot.com/13150003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14085 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-28 10:40:07 +00:00