Commit Graph

2809 Commits

Author SHA1 Message Date
jkummerow@chromium.org
e4a18df7d1 Fix ASSERT violation when BinaryOpIC::Transition recurses into itself
BUG=chromium:352586
LOG=n
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/201313002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20000 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-17 14:51:31 +00:00
rossberg@chromium.org
c3c185c173 Make invalid LHSs a parse-time (reference) error
This is required by the spec. It also prevents crashes resulting from the attempt to read type feedback for the RHS of an invalid assignment which full codegen never actually allocated info for.

To do: check properly in preparser already.

R=marja@chromium.org, mstarzinger@chromium.org
BUG=351658
LOG=Y

Review URL: https://codereview.chromium.org/200473003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19976 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-17 10:21:01 +00:00
jkummerow@chromium.org
dc458525ad Fix typo in r19923 (bounds check offset propagation)
BUG=chromium:352929
LOG=n
R=ulan@chromium.org

Review URL: https://codereview.chromium.org/201303002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19969 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-17 09:38:01 +00:00
ishell@chromium.org
f77c51b0a6 Check elimination now sets known successor branch of HCompareObjectEqAndBranch (correctness fix).
BUG=chromium:352058
LOG=N
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/196383018

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19964 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-17 09:11:38 +00:00
mvstanton@chromium.org
e3f3f6d98b Revert "Continued fix for 351257. Reusing the feedback vector is too complex."
This reverts commit r19919.

TBR=bmeuer@chromium.org

Review URL: https://codereview.chromium.org/196343021

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19961 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-17 08:31:21 +00:00
yangguo@chromium.org
33ea8185e9 Suppress test failures on GC-stress for A64.
R=ulan@chromium.org
BUG=v8:3219
LOG=N

Review URL: https://codereview.chromium.org/197873021

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19960 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-17 08:30:04 +00:00
verwaest@chromium.org
0f2a324c8a Fix generalization with callbacks.
BUG=352588
LOG=n
R=danno@chromium.org

Review URL: https://codereview.chromium.org/200173003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19935 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-14 14:17:49 +00:00
mvstanton@chromium.org
11df4b8815 Fix for issue 351261.
This relands the following fix: "HAllocate should never generate
allocation code if the requested size does not fit into page. Regression
test included. (bug 347543)" along with additional fixes to KeyedStoreIC.

BUG=351261
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/200113002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19926 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-14 10:22:55 +00:00
ulan@chromium.org
2c99cba38b Propagate updated offsets in BoundsCheckBbData.
BUG=350863
LOG=Y
TEST=mjsunit/regress/regress-350863.js
R=bmeurer@chromium.org, jkummerow@chromium.org

Review URL: https://codereview.chromium.org/197823009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19923 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-14 10:02:25 +00:00
bmeurer@chromium.org
358e176d50 Add regression test for range analysis bug.
BUG=v8:3204
LOG=y
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/200103002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19922 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-14 09:54:26 +00:00
mvstanton@chromium.org
dd28969c1c Continued fix for 351257. Reusing the feedback vector is too complex.
Attempting to re-use the type feedback vector stored in the
SharedFunctionInfo turns out to be difficult among the various cases.
It will be much easier to do this when deferred type feedback processing
is removed, as is in the works.

Created bug v8:3212 to track re-introducing the optimization of reusing
the type vector on recompile before optimization.

The CL also brings back the type vector on the SharedFunctionInfo.

BUG=351257
LOG=Y
R=bmeurer@chromium.org, bmeuer@chromium.org

Review URL: https://codereview.chromium.org/199973004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19919 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-14 09:28:37 +00:00
yangguo@chromium.org
0f71a24f3a Correctly retain argument value when deopting from Math.round on x64.
R=jkummerow@chromium.org
BUG=351624
LOG=N

Review URL: https://codereview.chromium.org/199013002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19896 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-13 13:57:21 +00:00
ulan@chromium.org
c64b78f6da Check that constant is an integer before getting its value in HGraphBuilder::MatchRotateRight.
BUG=351263
LOG=N
TEST=mjsunit/regress/regress-351263
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/197803005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19890 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-13 11:50:50 +00:00
yangguo@chromium.org
4e390c64f1 Harmony: move math features to es-staging.
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/195123002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19886 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-13 09:51:59 +00:00
svenpanne@chromium.org
390d3a0b15 Make translation of modulus operation '--stress-opt'-proof.
Note that we unconditionally deopt later, anyway, but our compilation
pipeline has to survive long enough to reach that place. :-/

LOG=y
BUG=352059
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/198833002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19884 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-13 09:37:16 +00:00
jarin@chromium.org
713aa33f2a Fix of argument materialization of captured heap numbers.
The escape analysis calculates the number of slots in an object as
no-of-slots = object-size / pointer-size.  This gives 3 slots for
heap numbers on 32-bit architectures (one slot for the map, two for
the double value); however, my argument materialization code assumed
just two slots (map + value). Since Hydrogen allocates heap numbers
quite rarely, it is hard to produce a more meaningful repro than the
one provided by Clusterfuzz. Any suggestions are welcome.

The fix is simple - we just read out all extra slots (beyond the map
and the double) for heap numbers.

R=mstarzinger@chromium.org
BUG=351315
LOG=N

Review URL: https://codereview.chromium.org/196283004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19874 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-13 07:17:37 +00:00
adamk@chromium.org
8bd05193c7 Reland "Enable Object.observe by default" again
This re-re-re-lands enabling Object.observe. The Chromium tests that
failed last time this was rolled into Chromium have been disabled in
https://src.chromium.org/viewvc/chrome?view=revision&revision=256706

This patch should be safe to merge once that lands.

BUG=v8:2409
LOG=Y
TBR=rossberg@chromium.org,dslomov@chromium.org,rafaelw@chromium.org

Review URL: https://codereview.chromium.org/198383002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19868 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-13 00:20:06 +00:00
jkummerow@chromium.org
f9ee4f19b4 Use intrinsics for builtin ArrayBuffer property accesses
BUG=chromium:351787
LOG=y
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/197793003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19862 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-12 19:25:40 +00:00
svenpanne@chromium.org
be328fd4ce Disable special handling of flooring division by constant until it is fixed for real.
Added a test to check the various division-like operations more exhaustively.

R=bmeurer@chromium.org, ulan@chromium.org

Review URL: https://codereview.chromium.org/194863002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19852 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-12 14:28:59 +00:00
verwaest@chromium.org
8735adb2c4 Don't fast RemoveArrayHoles in case of arguments arrays.
BUG=351645
LOG=n
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/197043004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19848 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-12 13:42:18 +00:00
mvstanton@chromium.org
7477bc39ca 350884: KeyedStoreIC miss didn't handle a transitioning case.
It's possible to get a transitioned map with no links to the origin
map if it's a shared map. Code in KeyedStoreIC::StoreElementStub
assumes it can check if two maps are in the same family by
traversing the transition array. Long term, the "family" relationship
should be recognized with the Normalized Map Cache. For now, allow
the IC to remain monomorphic in this case if the receiver map and
the previous receiver map are the same.

Filed V8 issue 3210 (https://code.google.com/p/v8/issues/detail?id=3210)
to track the issue with the Normalized Map Cache.

BUG=350884
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/194623005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19847 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-12 13:35:40 +00:00
jkummerow@chromium.org
105c1e08b7 Fix HIsSmiAndBranch::KnownSuccessorBlock() by deleting it
Constants can still change their representation, so we cannot determine reachability of blocks based on their Smi-ness

BUG=chromium:351320
LOG=y
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/196943002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19836 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-12 10:14:29 +00:00
danno@chromium.org
ae1669b501 Fix handling of polymorphic array accesses with constant index
R=jkummerow@chromium.org
BUG=chromium:351319
LOG=Y

Review URL: https://codereview.chromium.org/196353004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19835 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-12 10:11:38 +00:00
jkummerow@chromium.org
8a1812f252 Fix lazy deopt after tagged binary ops
Also add policing code to ensure that optimized frames can in fact lazily deopt
at their respective current PC when we patch them for lazy bailout.

BUG=chromium:350434
LOG=y
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/194703008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19834 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-12 09:59:36 +00:00
dslomov@chromium.org
f6dac13dcb Revert "Enable Object.observe by default"
This reverts commit r19734 for breeaking ChromiumOS browser tests.
'OpenSpecialTypes/FileManagerBrowserTest.Test/3' started to time out,
bisecting the roll led to this change.
http://build.chromium.org/p/chromium.chromiumos/builders/Linux%20ChromiumOS%20Tests%20%282%29/builds/22224

TBR=rafaelw@chromium.org,rossberg@chromium.org
BUG=v8:2409
LOG=Y

Review URL: https://codereview.chromium.org/195123005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19816 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-11 18:15:44 +00:00
rossberg@chromium.org
85800eff3f Fix issue with getOwnPropertySymbols and hidden properties
When getting the symbols of an object we need to ignore the hidden
properties of the prototype object since the hidden properties are
represented by a single string key and we will not include that hidden
string in the found names.

BUG=350864
LOG=Y
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/192883005

Patch from Erik Arvidsson <arv@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19813 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-11 16:46:35 +00:00
dcarney@chromium.org
62fc099334 fix bad access check check
R=verwaest@chromium.org

BUG=

Review URL: https://codereview.chromium.org/195163002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19804 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-11 15:12:47 +00:00
rossberg@chromium.org
3f702d4bf9 Mode clean-up pt 1: rename classic/non-strict mode to sloppy mode
R=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/177683002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19799 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-11 14:39:08 +00:00
yangguo@chromium.org
6e1507331e Fix bug in constant folding object comparisons.
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/195063002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19798 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-11 13:34:01 +00:00
yangguo@chromium.org
dda0aa88b0 Revert "Mark mjsunit/string-case as flaky."
This reverts r19760 since the issue has been fixed in r19755.

R=dslomov@google.com, dslomov@chromium.org
BUG=v8:3208
LOG=N

Review URL: https://codereview.chromium.org/194823002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19793 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-11 11:38:53 +00:00
mvstanton@chromium.org
819d9f62d0 Fix for 350887: CHECK failure on new_length->IsSmi()
In ElementsAccessorBase::SetLengthImpl for a dictionary array, we try to
optimize setting array length if the new length is a smi. However, we
refuse to set an array length to less than the index of the highest
non-configurable array element. This index may be outside of smi range.

Handle this case accordingly.

BUG=350887
LOG=N
R=dslomov@chromium.org

Review URL: https://codereview.chromium.org/194803002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19787 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-11 10:30:10 +00:00
yangguo@chromium.org
1634e7de38 Fix assertion in RegExp parser to correctly expect stack overflow.
Advance() always checks for stack overflow. If stack indeed overflowed,
current() would hold the kEndMarker. ParseOctalLiteral does not expect
this in the assertion, which causes assertion failure.

R=mvstanton@chromium.org
BUG=350865
LOG=N

Review URL: https://codereview.chromium.org/192773002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19764 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-10 15:52:10 +00:00
yangguo@chromium.org
e25d51cc85 Fix constant folding of %_IsMinusZero.
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/190793015

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19762 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-10 15:06:54 +00:00
dslomov@chromium.org
9eefbda27f Mark mjsunit/string-case as flaky.
BUG=v8:3208
LOG=N
R=machenbach@chromium.org

Review URL: https://codereview.chromium.org/192573004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19760 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-10 14:52:05 +00:00
yangguo@chromium.org
78d23e5662 Implement KnownSuccessor method to some control instructions.
R=jkummerow@chromium.org
BUG=v8:3118
LOG=N

Review URL: https://codereview.chromium.org/174863002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19759 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-10 14:50:01 +00:00
verwaest@chromium.org
1180803953 Reland and fix "Allow ICs to be generated for own global proxy."
BUG=
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/176793003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19756 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-10 12:23:05 +00:00
rossberg@chromium.org
710ee827b5 Promise.all and Promise.race should reject non-array parameter.
Promise.all and Promise.race should reject the returned Promise if an
invalid parameter is given.
Since they don't support iterable now, they should reject the Promise
if a non-array parameter is given.

BUG=347453
LOG=Y
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/182613003

Patch from Yutaka Hirano <yhirano@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19754 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-10 12:01:06 +00:00
bmeurer@chromium.org
bf86e624d4 Reland "Handle non-power-of-2 divisors in division-like operations".
Fixed the flooring div bug and added a test case.

R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/191293012

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19749 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-10 10:39:17 +00:00
rafaelw@chromium.org
6503dfb72b Reland "Enable Object.observe by default"
Original Issue: https://codereview.chromium.org/183683022/

TBR=rossberg
BUG=v8:2409
LOG=Y

Review URL: https://codereview.chromium.org/189513010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19736 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-08 04:41:06 +00:00
rafaelw@chromium.org
0cc44c14e5 Revert "Enable Object.observe by default"
TBR=rossberg
BUG=

Review URL: https://codereview.chromium.org/190853007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19735 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-08 03:54:42 +00:00
rafaelw@chromium.org
dcf9842e07 Enable Object.observe by default
R=rossberg@chromium.org, rossberg
BUG=v8:2409
LOG=Y

Review URL: https://codereview.chromium.org/183683022

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19734 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-08 02:47:53 +00:00
yangguo@chromium.org
4f15fd2977 Reland "Introduce intrinsics for double values in Javascript."
This relands r19704 with a fix to the test case.

R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/189823003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19723 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-07 14:58:41 +00:00
ulan@chromium.org
06af80d42d Introduce Runtime_GetAllScopesDetails to get all scopes at once for a frame.
This will reduce heavy ScopeIterator instantiations.
Once incorporated into chromium, will give 30% speed boost.

BUG=chromium:340285
LOG=Y
R=ulan@chromium.org, Yang, rossberg, ulan

Review URL: https://codereview.chromium.org/181063008

Patch from Andrey Adaykin <aandrey@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19717 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-07 11:03:35 +00:00
yangguo@chromium.org
143902bebf Revert "Introduce intrinsics for double values in Javascript."
This reverts r19704.

R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/189533008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19710 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-07 09:49:28 +00:00
verwaest@chromium.org
8a3d715250 Revert "Use Representation::Integer32() for smi types on 32-bit-tagged systems."
Due to performance regression.

BUG=
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/189843006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19709 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-07 09:29:07 +00:00
yangguo@chromium.org
2aefde4443 Introduce intrinsics for double values in Javascript.
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/178583006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19704 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-07 09:05:10 +00:00
yangguo@chromium.org
ea8368f471 Use fast path for sliced and external strings in ConvertCase.
R=dcarney@chromium.org
BUG=v8:3180
LOG=N

Review URL: https://codereview.chromium.org/180063002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19699 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-07 08:36:18 +00:00
ishell@chromium.org
997ce05289 Fix for failing asserts in HBoundsCheck code generation on x64: use proper cmp operation width instead of asserting that Integer32 values should be zero extended. Similar to chromium:345820.
BUG=349465
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/188703002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19694 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 16:22:47 +00:00
jkummerow@chromium.org
1cc0bafc07 Fix HConstants with Smi-ranged HeapNumber values
BUG=chromium:349878
LOG=y
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/186123003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19693 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 16:21:09 +00:00
ulan@chromium.org
5af7d10af5 Mark mjsunit/whitespaces as slow and timeout for a64.
BUG=
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/182253008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19692 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 14:15:40 +00:00
mvstanton@chromium.org
6115a006fd Bugfix for 349874: we incorrectly believe we saw a growing store
When we set an out of bounds array index, the index might be so large that
it causes the array to go to dictionary mode. It's better to avoid
"learning" that this was a growing store in that case.

This fix also partially reverts a fix for bug 347543, as this fix is
comprehensive and satisfies that repro case as well (partial revert of
v19591).

BUG=349874
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/188643002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19691 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 13:07:51 +00:00
verwaest@chromium.org
cd6f3ef088 Only use the non-strict-arguments-stub if the store site is non-strict.
BUG=349874
LOG=N
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/176843018

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19690 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 12:19:06 +00:00
jkummerow@chromium.org
5ea3f0004a Let HTransitionElementsKind take part in RestoreActualValues phase
BUG=chromium:349853
LOG=n
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/183753005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19689 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 12:13:49 +00:00
yangguo@chromium.org
285f253af1 Remove outdated assertion scope.
R=jkummerow@chromium.org
BUG=349870
LOG=N

Review URL: https://codereview.chromium.org/182003004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19687 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 11:51:53 +00:00
yangguo@chromium.org
e2e2f4050d Fix issues with JSON stringify replacer array
If the replacer array contains a property key we should include the
property even if the property is non enumerable or if it is a non own
property.

String and Number wrappers in the replacer array should be treated as
string and number values.

R=yangguo@chromium.org
BUG=v8:3200, v8:3201
LOG=Y

Review URL: https://codereview.chromium.org/187053003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19685 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 09:50:53 +00:00
verwaest@chromium.org
7bf33c53eb Use Representation::Integer32() for smi types on 32-bit-tagged systems.
BUG=
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/187353005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19684 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 09:49:10 +00:00
verwaest@chromium.org
f913c3b492 Also delete force representations that have no uses.
BUG=
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/187773002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19683 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-06 09:47:27 +00:00
jarin@chromium.org
52fd520c96 Fix materialization of captured objects in adapted arguments.
R=mstarzinger@chromium.org
BUG=348512
LOG=N

Review URL: https://codereview.chromium.org/183063006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19676 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-05 12:57:18 +00:00
jarin@chromium.org
7ac668f753 Deoptimization fix for HPushArgument.
HPushArgument should never be used in a simulation environment
because the slot addresses for the arguments can be off (e.g.,
due to on-stack arguments object of an inlined caller).

R=mstarzinger@chromium.org
BUG=v8:3183
LOG=N

Review URL: https://codereview.chromium.org/178193026

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19675 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-05 12:45:46 +00:00
yangguo@chromium.org
26e4f4cc1c Handle exception when retrieving toJSON function in JSON.stringify.
R=mvstanton@chromium.org
BUG=349335
LOG=N

Review URL: https://codereview.chromium.org/187603002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19670 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-05 10:54:35 +00:00
jkummerow@chromium.org
3df5573195 x64: Fix LMathMinMax for constant Smi right-hand operands
BUG=chromium:349079
LOG=y
R=titzer@chromium.org

Review URL: https://codereview.chromium.org/186593003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19668 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-05 09:49:07 +00:00
mstarzinger@chromium.org
ee8cbc4fc8 Fix issue with setting __proto__ on a value
LOG=N
BUG=v8:3172
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/174113003

Patch from Erik Arvidsson <arv@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19666 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-05 08:58:38 +00:00
verwaest@chromium.org
1aeaeb2b90 Allow objects with "" properties to stay fast.
R=danno@chromium.org

Review URL: https://codereview.chromium.org/184453003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19648 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-04 12:43:05 +00:00
yangguo@chromium.org
b1a271a02c Fix HCheckValue::Canonicalize wrt uninitialized HConstant unique.
R=titzer@chromium.org
BUG=348280
LOG=N

Review URL: https://codereview.chromium.org/183383006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19642 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-04 08:08:08 +00:00
ulan@chromium.org
b9e0b87a5a Clear optimized code cache in shared function info when code gets deoptimized.
This adds a pointer to the shared function info into deoptimization data of an optimized code. Whenever the code is deoptimized, it clears the cache in the shared function info.

This fixes the problem when the optimized function dies in new space GC before the code is deoptimized due to code dependency and before the optimized code cache is cleared in old space GC (see mjsunit/regress/regress-343609.js).

This partially reverts r19603 because we need to be able to evict specific code from the optimized code cache.

BUG=343609
LOG=Y
TEST=mjsunit/regress/regress-343609.js
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/184923002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19635 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-03 11:11:39 +00:00
rossberg@chromium.org
5543263c19 Move all Harmony-only tests to harmony/
R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/178583005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19622 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 14:26:32 +00:00
ishell@chromium.org
c2601aea8a Check elimination did not mark some dead blocks.
R=danno@chromium.org

Review URL: https://codereview.chromium.org/180483003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19619 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 14:16:38 +00:00
svenpanne@chromium.org
e9273332ef Fixed constant folding for Math.clz32.
LOG=y
BUG=347906
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/184353002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19609 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 13:07:10 +00:00
jochen@chromium.org
ba981e58d5 Make a64.release a quickcheck target
I marked all tests as slow that take more than a minute on my machine.
With this, a64.release.quickcheck takes two minutes which is about as
fast as arm.optdebug.quickcheck.

BUG=none
R=ulan@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/183763008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19608 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 12:46:13 +00:00
mvstanton@chromium.org
b1ffc7901f A JSArray may have a filler map in the elements pointer.
We already have code that expects this, but incorrectly asserted that the
filler map case would never happen when allocation folding is turned on.
However, even folding has it's limits, bailing out of continued folding
when the object size grows too large. Therefore, it's a general problem
when verifying JSArray objects, that we might encounter a filler map
in elements().

Discovered by ClusterFuzz crbug 347903.

R=hpayer@chromium.org
LOG=N
BUG=347903

Review URL: https://codereview.chromium.org/184493002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19604 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 12:29:19 +00:00
yangguo@chromium.org
5c186bb197 Evict from optimized code map in sync with removing from optimized functions list.
R=ulan@chromium.org

Review URL: https://codereview.chromium.org/184443002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19603 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 12:27:31 +00:00
bmeurer@chromium.org
70242fe3bb Fix JSObject::PrintTransitions.
BUG=347912
LOG=y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/183683005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19601 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 11:41:07 +00:00
hpayer@chromium.org
38ca2629be Fix representation generalization for doubles.
BUG=
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/184393002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19599 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 11:07:10 +00:00
dcarney@chromium.org
98d1cedac4 Get array_function from NativeContext
R=mvstanton@chromium.org
LOG=N
BUG=347528

Review URL: https://codereview.chromium.org/184173003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19595 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 10:01:27 +00:00
bmeurer@chromium.org
5945f9ebb9 Fix handling of constant global variable assignments.
BUG=347904
LOG=y
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/184303003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19594 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 09:40:12 +00:00
svenpanne@chromium.org
c4e90c15b8 Removed bogus ASSERT.
LOG=y
BUG=347542
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/183763007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19592 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 08:45:07 +00:00
ishell@chromium.org
2ab83cf192 HAllocate should never generate allocation code if the requested size does not fit into page. Regression test included.
BUG=347543
LOG=N
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/180803005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19591 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 17:33:25 +00:00
rafaelw@chromium.org
d9a66ad941 Runtime::RunMicrotask should silent return if no pending microtask work (rather than asserting)
R=rossberg@chromium.org, rossberg
BUG=347532

Review URL: https://codereview.chromium.org/181013008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19588 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 16:49:55 +00:00
verwaest@chromium.org
aa14020bc7 Fix putting of prototype transitions. The length is also subject to GC, just like entry.
BUG=347536
LOG=n
R=danno@chromium.org

Review URL: https://codereview.chromium.org/183193003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19586 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 16:07:44 +00:00
jarin@chromium.org
05b98492a4 Handle arguments objects in frame when materializing arguments
R=mstarzinger@chromium.org
BUG=347262

Review URL: https://codereview.chromium.org/177293009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19584 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 15:12:12 +00:00
yangguo@chromium.org
6912a248ca Fix bogus assertion in SetFastDoubleElements.
R=danno@chromium.org
BUG=347530
LOG=N

Review URL: https://codereview.chromium.org/181433016

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19579 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 14:45:53 +00:00
mvstanton@chromium.org
b8f8cfabca Fix for Clusterfuzz issue 343928.
The problem was that the debugger didn't expect that a JSFunction could
have a GlobalContext, which it can with harmony scoping.

BUG=343928
R=yangguo@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/183103003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 13:25:05 +00:00
ishell@chromium.org
1ae7e8a1e5 Fix for failing asserts in HBoundsCheck code generation on x64: index register should be zero extended.
BUG=345820
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/180013002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19549 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 16:33:54 +00:00
verwaest@chromium.org
d5caecccc5 Revert "Use stability to only conditionally flush information from the CheckMaps table."
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/180023002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19548 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 16:11:58 +00:00
jkummerow@chromium.org
e7e93cd433 Mark HCompareMap as having Tagged representation
BUG=chromium:346636
LOG=y
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/176923013

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19545 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 15:09:47 +00:00
rossberg@chromium.org
63f1970c6c Fix crasher in Object.getOwnPropertySymbols
R=arv@chromium.org, mstarzinger@chromium.org
BUG=346141
LOG=Y

Review URL: https://codereview.chromium.org/177883002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19539 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 12:01:34 +00:00
bmeurer@chromium.org
77f597d387 Don't eliminate loads with incompatible types or representations.
BUG=346343
LOG=y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/179553002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19536 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 09:55:50 +00:00
ishell@chromium.org
6c1659becf Fix for a smi stores optimization on x64 with a regression test.
BUG=345715
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/178833002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19535 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 09:55:02 +00:00
dcarney@chromium.org
cb05cff594 negative bounds checking on realm calls
R=rossberg@chromium.org

LOG=N

BUG=344285

Review URL: https://codereview.chromium.org/169393002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19533 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 09:15:05 +00:00
jkummerow@chromium.org
37b6fd07c1 Fix optimistic BCE to back off after deopt
BUG=v8:3176
LOG=n
R=danno@chromium.org

Review URL: https://codereview.chromium.org/177523002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19530 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-24 13:15:31 +00:00
verwaest@chromium.org
84b366516e Don't turn objects with empty-string properties into fast-mode.
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/165743003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19511 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-20 16:11:48 +00:00
rossberg@chromium.org
0d34254f8d Upgrade Symbol implementation to match current ES6 behavior.
Refresh the implementation of Symbols to catch up with what the
specification now mandates:

* The global Symbol() function manufactures new Symbol values,
  optionally with a string description attached.

* Invoking Symbol() as a constructor will now throw.

* ToString() over Symbol values still throws, and
  Object.prototype.toString() stringifies like before.

* A Symbol value is wrapped in a Symbol object either implicitly if
  it is the receiver, or explicitly done via Object(symbolValue) or
  (new Object(symbolValue).)

* The Symbol.prototype.toString() method no longer throws on Symbol
  wrapper objects (nor Symbol values.) Ditto for Symbol.prototype.valueOf().

* Symbol.prototype.toString() stringifies as "Symbol("<description>"),
  valueOf() returns the wrapper's Symbol value.

* ToPrimitive() over Symbol wrapper objects now throws.

Overall, this provides a stricter separation between Symbol values and
wrapper objects than before, and the explicit fetching out of the
description (nee name) via the "name" property is no longer supported
(by the spec nor the implementation.)

Adjusted existing Symbol test files to fit current, adding some extra
tests for new/changed behavior.

LOG=N
R=arv@chromium.org, rossberg@chromium.org, arv, rossberg
BUG=v8:3053

Review URL: https://codereview.chromium.org/118553003

Patch from Sigbjorn Finne <sigbjornf@opera.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19490 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-19 14:19:42 +00:00
yangguo@chromium.org
139134acc2 Harmony: optimize Math.clz32.
R=svenpanne@chromium.org
BUG=v8:2938
LOG=N

Review URL: https://codereview.chromium.org/172133003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19487 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-19 13:51:49 +00:00
yangguo@chromium.org
84cf85598d Harmony: implement Math.cbrt, Math.expm1 and Math.log1p.
BUG=v8:2938
LOG=N
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/163563003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19486 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-19 13:49:59 +00:00
ishell@chromium.org
1342cb8b00 Bugfix in check elimination with a regression test.
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/172173003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19481 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-19 12:34:50 +00:00
rossberg@chromium.org
13d99fe778 ES6: Tighten up Object.prototype.__proto__
The spec requires that we throw under certain conditions.

BUG=v8:3064
LOG=y
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/103853006

Patch from Erik Arvidsson <arv@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19479 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-19 11:59:05 +00:00
jkummerow@chromium.org
6e3b81a7b2 Fix Hydrogen bounds check elimination
When combining bounds checks, they must all be moved before the first load/store
that they are guarding.

BUG=chromium:344186
LOG=y
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/172093002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19475 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-19 10:30:39 +00:00
alexandre.rames@arm.com
62116e2c12 A64: Let the MacroAssembler resolve branches to distant targets.
Code generation would fail when assembling a branch to a label that is bound
outside the immediate range of the instruction. A64 is sensitive to this, as the
various branching instructions have different ranges, going down to +-32KB for
TBZ/TBNZ.  The MacroAssembler is augmented to handle branches to targets that
may exceed the immediate range of instructions.

When branching backward to a label exceeding the instruction range, the
MacroAssembler can simply tweak the generated code to use an unconditional
branch with a longer range. For example instead of
    B(cond, &label);
the MacroAssembler can generate:
    b(InvertCondition(cond), &done);
    b(&label);
    bind(&done);

Since the target is not known when the branch is emitted, forward branches uses
a different mechanism. The MacroAssembler keeps track of forward branches to
unbound labels. When the code generation approaches the end of the range of a
branch, a veneer is generated for the branch.

BUG=v8:3148
LOG=Y
R=ulan@chromium.org

Review URL: https://codereview.chromium.org/169893002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19444 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-18 13:15:32 +00:00
verwaest@chromium.org
60c08a8bf2 Directly store the transition target on LookupResult in TransitionResult.
BUG=chromium:343964
LOG=N
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/170343003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19440 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-18 12:19:32 +00:00
yangguo@chromium.org
be7b023a5c Harmony: implement Math.clz32
R=dslomov@chromium.org, svenpanne@chromium.org
BUG=v8:2938
LOG=N

Review URL: https://codereview.chromium.org/169783002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19435 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-18 10:49:35 +00:00
svenpanne@chromium.org
dbce27047e Fixed and improved code for integral division. Fixed and extended tests.
Arithmetic right shifting is *not* division in two's complement
representation, only in one's complement. So we convert to one's
complement, shift, and go back to two's complement. By permutating the
last steps, one can get efficient branch-free code. This insight comes
from the paleozoic era of computer science, see the paper from 1976:

   Guy Lewis Steele Jr.: "Arithmetic Shifting Considered Harmful"
   ftp://publications.ai.mit.edu/ai-publications/pdf/AIM-378.pdf

This results in better and more correct code than our previous
"neg/shift/neg" dance.

LOG=y
BUG=v8:3151
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/166793002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19434 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-18 10:45:27 +00:00
yangguo@chromium.org
9ffe004ae4 Harmony: implement Math.fround.
R=jarin@chromium.org
BUG=v8:2938
LOG=N

Review URL: https://codereview.chromium.org/169513002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19433 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-18 10:43:06 +00:00
mvstanton@chromium.org
8bcdbc354f Revert "Add a premonomorphic state to the call target cache."
This reverts commit r19402

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/169713002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19412 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-17 14:22:18 +00:00
mvstanton@chromium.org
be731e6c95 Add a premonomorphic state to the call target cache.
From a CL by kasperl: https://codereview.chromium.org/162903004/

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/163413003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19402 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-17 11:59:45 +00:00
jarin@chromium.org
4c7ed144e1 Comparison in effect context lazy deopt fix.
R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/163623002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19396 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-16 05:51:10 +00:00
ulan@chromium.org
6744ff61ae Fix dictionary element load to pass correct elements kind.
Using FAST_SMI_ELEMENTS triggers optimization on 64-bit architectures that load
only the higher 32 bits of the element. If the element is a pointer to undefined
that has 0 in the higher half than it is erroneously treated as SMI 0.

BUG=v8:3158
LOG=N
TEST=mjsunit/sparse-array-reverse,mjsunit/regress/regress-3158.js
R=danno@chromium.org, ishell@chromium.org

Review URL: https://codereview.chromium.org/166653005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19387 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-14 15:52:24 +00:00
yangguo@chromium.org
68c7523e63 Fix assignment of function name constant.
If it's shadowed by a variable of the same name and both are forcibly
context-allocated, the function is assigned to the wrong context slot.

R=rossberg@chromium.org
BUG=v8:3138
LOG=Y

Review URL: https://codereview.chromium.org/159903008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19379 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-14 12:40:47 +00:00
jarin@chromium.org
8acefb33fe Test and fix for polymorphic named call deoptimization.
The fix removes wrong simulates from the number branch of polymorphic
call/field access handling.

The change also fixes the same thing for polymorphic named field
access even thourgh the field access is probably safe in practice
(because it cannot deoptimize). It is better to keep all our simulates
in sync with full codegen.

R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/166503002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19375 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-14 12:02:39 +00:00
yangguo@chromium.org
a676bc1bbf Fix typed array error message.
R=dslomov@chromium.org
BUG=v8:3159
LOG=N

Review URL: https://codereview.chromium.org/163293002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19369 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-14 09:33:03 +00:00
verwaest@chromium.org
e0960e19aa Fix polymorphic inlining of accessors in a test-context.
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/164003002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19363 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-13 16:55:38 +00:00
m.m.capewell@googlemail.com
028ff21445 A64: Fix some int32 accesses in lithium
This fixes mjsunit/sin-cos. There are further int32 accesses being investigated.

BUG=
R=jochen@chromium.org

Review URL: https://codereview.chromium.org/163553005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19358 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-13 15:49:01 +00:00
ishell@chromium.org
6bb57517c0 Restore of compare-objeq-elim test accidentally removed in r19229.
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/162903005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19354 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-13 12:22:24 +00:00
rafaelw@chromium.org
6b5a4cdef2 V8 Microtask Queue & API
This patch generalizes Object.observe callbacks and promise resolution into a FIFO queue called a "microtask queue".

It also exposes new V8 API which exposes the microtask queue to the embedder. In particular, it allows the embedder to

-schedule a microtask (EnqueueExternalMicrotask)
-run the microtask queue (RunMicrotasks)
-control whether the microtask queue is run automatically within V8 when the last script exits (SetAutorunMicrotasks).

R=dcarney@chromium.org, rossberg@chromium.org, dcarney, rossberg, svenpanne
BUG=

Review URL: https://codereview.chromium.org/154283002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19344 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 22:04:19 +00:00
verwaest@chromium.org
161b2f689a Reland: "Use stability to only conditionally flush information from the CheckMaps table."
BUG=
R=ishell@chromium.org

Original CL: https://codereview.chromium.org/153823003

Review URL: https://codereview.chromium.org/153653007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19342 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 18:48:12 +00:00
verwaest@chromium.org
7b7e3658f7 Don't propagate information through phis in loop headers.
To properly do this, we'd have to iterate over CompareMaps (and their bodies) handling phis, until we have learned enough to decide which paths can be taken. For now, just disable learning from phis in loop headers.

BUG=
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/147023005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19341 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 18:30:41 +00:00
rmcilroy@chromium.org
26e8009997 [a64]: Disable failing sparse-array-reverse on a64 debug builds.
BUG=v8:3158
LOG=N
R=ulan@chromium.org

Review URL: https://codereview.chromium.org/160633002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19340 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 18:22:28 +00:00
verwaest@chromium.org
75432b7696 Revert "Use stability to only conditionally flush information from the CheckMaps table."
R=ishell@chromium.org

BUG=

Review URL: https://codereview.chromium.org/137863005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19331 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 15:38:42 +00:00
verwaest@chromium.org
2b7d33572a Use stability to only conditionally flush information from the CheckMaps table.
BUG=
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/153823003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19330 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 15:07:41 +00:00
jarin@chromium.org
af29e31a11 Fix for (One|Two)ByteSeqStringSetChar evaluation order/deopt.
This makes the evaluation order consistent between full codegen
and Hydrogen (so that deopt does not screw up stack).

R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/159983008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19326 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 13:31:24 +00:00
jochen@chromium.org
b0fcc801e9 A64: Skip tests failing on gc stress bots
BUG=none
TBR=ulan@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/160353002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19321 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 12:18:36 +00:00
jochen@chromium.org
96a1886637 A64: Skip more known failures
TBR=ulan@chromium.org
BUG=none
LOG=n

Review URL: https://codereview.chromium.org/160073007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19318 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 11:57:50 +00:00
ulan@chromium.org
e95bc7eec8 Merge experimental/a64 to bleeding_edge.
BUG=v8:3113
LOG=Y
R=jochen@chromium.org, rmcilroy@chromium.org, rodolph.perfetta@arm.com

Review URL: https://codereview.chromium.org/148293020

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19311 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 09:19:30 +00:00
jarin@chromium.org
21bf99e53e Fix environment of the optimized version of the _SetValueOf intrinsic.
R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/158723006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19289 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-11 16:11:53 +00:00
ishell@chromium.org
994f0f6dda Fix for a smi stores optimization on x64 with a test case.
BUG=338425
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/152923006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19288 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-11 16:02:18 +00:00
yangguo@chromium.org
0870702436 Harmony: fix spec violation in Math.cosh.
R=jarin@chromium.org
BUG=v8:3141
LOG=N

Review URL: https://codereview.chromium.org/159353003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19272 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-11 11:48:32 +00:00
yangguo@chromium.org
f78bfaa857 Fix spec violations in JSON.stringify wrt replacer array.
R=verwaest@chromium.org
BUG=v8:3135
LOG=Y

Review URL: https://codereview.chromium.org/146623009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19266 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-11 10:45:39 +00:00
mvstanton@chromium.org
95ad971d0f Fix gcstress test failure
Map collection complicates a test that wants to assert on code opt/deopt
because of prototype-chain changes. It can happen that a gc occurs
in the stack guard at the start of optimized function foo that deopts
function foo because of a map being collected and deoptimizing it's
dependent code.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/159653002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19258 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-11 09:06:13 +00:00
ishell@chromium.org
f46da9d43b Reland of r19102: Check elimination improvement: propagation of state through phis is supported, CheckMap narrowing implemented with tests.
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/146623006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19229 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-10 15:32:54 +00:00
yangguo@chromium.org
b618d2a42a Fix inconsistencies wrt whitespaces.
This relands r19196 with fixes.

BUG=v8:3109
LOG=Y
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/141323007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19222 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-10 12:43:10 +00:00
mstarzinger@chromium.org
23bfeabcfd Remove duplicate third-party test cases.
Some of the third-party test cases in the mjsunit test suite were
originally taken from WebKit and are now fully covered by the equally
named test suite.

Mapping of test cases:
 - array-isarray.js -> test/webkit/Array-isArray.js
 - array-splice-webkit.js -> test/webkit/array-splice.js

R=machenbach@chromium.org
BUG=

Review URL: https://codereview.chromium.org/158803002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19220 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-10 11:29:59 +00:00
rossberg@chromium.org
e8175a3e9f Revert "Make Function.length and Function.name configurable properties."
Plenty of test failures on test262, Mozilla, Webkit. Will have to investigate.

TBR=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/139983003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19203 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-07 15:29:18 +00:00
rossberg@chromium.org
7317b71f02 Make Function.length and Function.name configurable properties.
ES6 makes the Function object properties "length" and "name"
configurable; switch the implementation over to follow that.

Doing so exposed a problem in the handling of non-writable, but
configurable properties backed by foreign callback accessors
internally. As an optimization, if such an accessor property is
re-defined with a new value, its setter was passed the new value
directly, keeping the property as an accessor property. However, this
is not correct should the property be non-writable, as its setter will
then simply ignore the updated value. Adjust the enabling logic for
this optimization accordingly, along with adding a test.

LOG=N
R=rossberg@chromium.org, rossberg
BUG=v8:3045

Review URL: https://codereview.chromium.org/116083006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19200 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-07 14:55:30 +00:00
yangguo@chromium.org
db1a685b8f Revert "Fix inconsistencies wrt whitespaces."
This reverts r19196.

TBR=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/147443008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19199 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-07 14:13:00 +00:00
yangguo@chromium.org
d0f57e1195 Fix inconsistencies wrt whitespaces.
\u0085 (NEL) is now considered a whitespace in accordance to http://www.unicode.org/Public/6.3.0/ucd/PropList.txt

R=mstarzinger@chromium.org
BUG=v8:3109
LOG=Y

Review URL: https://codereview.chromium.org/146983007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19196 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-07 12:34:45 +00:00
rafaelw@chromium.org
41039c4f13 Revert "Implement Microtask Delivery Queue"
TBR=adamk,rossberg
BUG=

Review URL: https://codereview.chromium.org/150103012

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19176 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-07 01:08:50 +00:00
rossberg@chromium.org
01f5601129 ES6: Remove __proto__ setter poison pill
http://people.mozilla.org/~jorendorff/es6-draft.html#sec-set-object.prototype.__proto__

The __proto__ setter should be reusable on other objects.

BUG=v8:2804
LOG=y
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/103343005

Patch from Erik Arvidsson <arv@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19165 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-06 16:09:45 +00:00
jarin@chromium.org
476881ce5b Test and fix for _CallFunction intrinsic deoptimization.
I have also cleaned up HOptimizedGraphBuilder::GenerateCallFunction
to use IfBuilder.

R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/131343013

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19151 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-06 12:42:26 +00:00
jarin@chromium.org
eb502fe599 Binary operation deoptimization fix.
R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/132453009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19132 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-06 09:36:55 +00:00
verwaest@chromium.org
7dc05b57fd Move failing ASSERT on ARM to a more sane place.
Objects can actually be stored into themselves. This fails when no write
barrier is needed (eg, the object was just allocated).

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/148733005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19095 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-05 10:12:14 +00:00
rafaelw@chromium.org
7de9fc0a12 Implement Microtask Delivery Queue
R=rossberg@chromium.org, rossberg
BUG=

Review URL: https://codereview.chromium.org/131413008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19084 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-04 19:58:49 +00:00
dslomov@chromium.org
a03d31394c Check the offset argument of TypedArray.set for fitting into Smi.
R=jkummerow@chromium.org
BUG=340125
LOG=Y

Review URL: https://codereview.chromium.org/145623009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19051 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-04 09:53:05 +00:00
yangguo@chromium.org
9e70f6a4e7 Fix short-circuiting logical and/or in HOptimizedGraphBuilder.
R=jkummerow@chromium.org
BUG=336148
LOG=Y

Review URL: https://codereview.chromium.org/143263022

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19031 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-03 14:29:34 +00:00
verwaest@chromium.org
db7124dc28 Return a valid map for PropertyAccessInfos with Boolean type.
BUG=340064
LOG=N
R=dcarney@chromium.org

Review URL: https://codereview.chromium.org/152603002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19023 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-03 10:20:32 +00:00
machenbach@chromium.org
d34938fe34 Fix expectations for new regression test.
TBR=jarin@chromium.org

Review URL: https://codereview.chromium.org/150853004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19013 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-01 09:56:20 +00:00
verwaest@chromium.org
ae7a209e71 Remove CallICs
BUG=
R=dcarney@chromium.org

Review URL: https://codereview.chromium.org/148223002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19001 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-31 16:52:17 +00:00
machenbach@chromium.org
30fb7b83b3 [Sheriff] Mark new regression test flaky on linux 32.
BUG=
TBR=jarin@chromium.org

Review URL: https://codereview.chromium.org/148483004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19000 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-31 16:47:52 +00:00
jarin@chromium.org
3c2363f4b4 Simpler repro for bug 2989.
We do not correctly handle accesses to f.arguments after one
of the argument has changed (where f is crankshafted).

R=machenbach@chromium.org
BUG=v8:2989
LOG=n

Review URL: https://codereview.chromium.org/151403003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18999 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-31 16:12:58 +00:00
machenbach@chromium.org
275437023f [Sheriff] Mark new regression test as flaky.
BUG=336820
LOG=n
R=bmeurer@chromium.org
TBR=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/139923007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18990 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-31 13:56:00 +00:00
bmeurer@chromium.org
3214cf11ff Don't crash in Array.join() if the resulting string exceeds the max string length.
LOG=y
BUG=336820
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/144533003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18986 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-31 12:21:17 +00:00
ishell@chromium.org
2aa17c6e62 Load elimination fix: load should not be replaced with another load if the former is not dominated by the latter.
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/151333003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18985 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-31 12:03:32 +00:00
hpayer@chromium.org
27c385bf69 Revert "[Sheriff] Mark profviz flaky on GC stress."
This reverts commit f70687c1e5ef15254887e0619939e25a834e936e.

BUG=
R=machenbach@chromium.org

Review URL: https://codereview.chromium.org/148493006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18977 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-31 09:59:22 +00:00
verwaest@chromium.org
bef13f739c Fix regression caused by supporting inlining accesses to non-JSObjects
TBR=dcarney@chromium.org
BUG=

Review URL: https://codereview.chromium.org/150983002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18966 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-31 00:29:04 +00:00
machenbach@chromium.org
c3c064360d Disable unsuitable tests in ASAN mode.
BUG=
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/148963010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18944 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-30 12:52:22 +00:00
verwaest@chromium.org
73529a7d14 Support loads from primitive values.
This also changes load computation to use HeapTypes rather than Maps.
TODO: move conversion between maps and heaptypes earlier in the process, already in the oracle.

BUG=
R=dcarney@chromium.org

Review URL: https://codereview.chromium.org/147763006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18938 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-30 11:30:38 +00:00
jarin@chromium.org
99ce5a2484 The current
version is passing all the existing test + a bunch of new tests
(packaged in the change list, too).

The patch extends the SlotRef object to describe captured and duplicated
objects. Since the SlotRefs are not independent of each other anymore,
there is a new SlotRefValueBuilder class that stores the SlotRefs and
later materializes the objects from the SlotRefs.

Note that unlike the previous implementation of SlotRefs, we now build
the SlotRef entries for the entire frame, not just the particular
function.  This is because duplicate objects might refer to previous
captured objects (that might live inside other inlined function's part
of the frame).

We also need to store the materialized objects between other potential
invocations of the same arguments object so that we materialize each
captured object at most once.  The materialized objects of frames live
in the new MaterielizedObjectStore object (contained in Isolate),
indexed by the frame's FP address.  Each argument materialization (and
deoptimization) tries to lookup its captured objects in the store before
building new ones.  Deoptimization also removes the materialized objects
from the store. We also schedule a lazy deopt to be sure that we always
get rid of the materialized objects and that the optmized function
adopts the materialized objects (instead of happily computing with its
captured representations).

Concerns:

- Is the FP address the right key for a frame? (Note that deoptimizer's
representation of frame is different from the argument object
materializer's one - it is not easy to find common ground.)

- Performance is suboptimal in several places, but a quick local run of
benchmarks does not seem to show a perf hit. Examples of possible
improvements: smarter generation of SlotRefs (build other functions'
SlotRefs only for captured objects and only if necessary), smarter
lookup of stored materialized objects.

- Ideally, we would like to share the code for argument materialization
with deoptimizer's materializer.  However, the supporting data structures
(mainly the frame descriptor) are quite different in each case, so it
looks more like a separate project.

Thanks for any feedback.

R=danno@chromium.org, mstarzinger@chromium.org
LOG=N
BUG=

Committed: https://code.google.com/p/v8/source/detail?r=18918

Review URL: https://codereview.chromium.org/103243005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18936 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-30 10:33:53 +00:00
machenbach@chromium.org
f815198288 [Sheriff] Mark profviz flaky on GC stress.
BUG=
TBR=hpayer@chromium.org

Review URL: https://codereview.chromium.org/149763002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18929 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-29 20:50:51 +00:00
jarin@chromium.org
ec51f26b9e Revert "Captured arguments object materialization"
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/130803009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18923 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-29 15:49:48 +00:00
jarin@chromium.org
868ad01ecb This is a preview of the captured arguments object materialization,
mostly to make sure that it is going in the right direction. The current
version is passing all the existing test + a bunch of new tests
(packaged in the change list, too).

The patch extends the SlotRef object to describe captured and duplicated
objects. Since the SlotRefs are not independent of each other anymore,
there is a new SlotRefValueBuilder class that stores the SlotRefs and
later materializes the objects from the SlotRefs.

Note that unlike the previous implementation of SlotRefs, we now build
the SlotRef entries for the entire frame, not just the particular
function.  This is because duplicate objects might refer to previous
captured objects (that might live inside other inlined function's part
of the frame).

We also need to store the materialized objects between other potential
invocations of the same arguments object so that we materialize each
captured object at most once.  The materialized objects of frames live
in the new MaterielizedObjectStore object (contained in Isolate),
indexed by the frame's FP address.  Each argument materialization (and
deoptimization) tries to lookup its captured objects in the store before
building new ones.  Deoptimization also removes the materialized objects
from the store. We also schedule a lazy deopt to be sure that we always
get rid of the materialized objects and that the optmized function
adopts the materialized objects (instead of happily computing with its
captured representations).

Concerns:

- Is there a simpler/more correct way to store the already-materialized
objects? (At the moment there is a custom root reference to JSArray
containing frames' FixedArrays with their captured objects.)

- Is the FP address the right key for a frame? (Note that deoptimizer's
representation of frame is different from the argument object
materializer's one - it is not easy to find common ground.)

- Performance is suboptimal in several places, but a quick local run of
benchmarks does not seem to show a perf hit. Examples of possible
improvements: smarter generation of SlotRefs (build other functions'
SlotRefs only for captured objects and only if necessary), smarter
lookup of stored materialized objects.

- Ideally, we would like to share the code for argument materialization
with deoptimizer's materializer.  However, the supporting data structures
(mainly the frame descriptor) are quite different in each case, so it
looks more like a separate project.

Thanks for any feedback.

R=mstarzinger@chromium.org, danno@chromium.org
LOG=N
BUG=

Review URL: https://codereview.chromium.org/103243005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18918 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-29 15:14:15 +00:00
svenpanne@chromium.org
abe807db7f ES6: Map and Set needs to normalize minus zero
BUG=v8:3069
LOG=Y
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/147143003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18892 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-29 07:27:05 +00:00
ishell@chromium.org
d330d4801d Load elimination fix with a test case.
R=titzer@chromium.org, verwaest@chromium.org

Review URL: https://codereview.chromium.org/143413019

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18884 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-28 16:45:04 +00:00
mvstanton@chromium.org
371d6f6a98 We shouldn't throw under FLAG_debug_code, rather abort.
Throwing under FLAG_debug_code confuses the rest of our infrastructure
which expects a safe point at the site of call into the runtime
for throw. We were doing that to make a clusterfuzz test happy, but
the better solution is to assert/abort under debug_code, and prevent
clusterfuzz from fuzzing on internal APIs that crash on incorrect
values.

We'll need to alter the fuzzer to turn off fuzzing for:

string-natives.js
lithium/SeqStringSetChar.js
regress/regress-seqstrsetchar-ex3.js
regress/regress-seqstrsetchar-ex1.js
regress/regress-crbug-320922.js

So as to prevent the fuzzer from running
%_OneByteSeqStringSetChar() and
%_TwoByteSeqStringSetChar().

BUG=
R=hpayer@chromium.org, machenbach@chromium.org

Review URL: https://codereview.chromium.org/139903005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18878 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-28 11:53:11 +00:00
ishell@chromium.org
1776dffa56 Make String.prototype.{starts,ends}With throw when passing a regular expression
Contributed by Mathias Bynens <mathiasb@opera.com>.

TEST=mjsunit/harmony
BUG=v8:3070
LOG=Y
R=arv@chromium.org, ishell@chromium.org

Review URL: https://codereview.chromium.org/120683002

Patch from Mathias Bynens <mathiasb@opera.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18870 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-28 10:31:05 +00:00
machenbach@chromium.org
fd4a006eb3 [Sheriff] Fix status file entry.
BUG=
TBR=hpayer@chromium.org

Review URL: https://codereview.chromium.org/148183007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18861 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-27 16:46:16 +00:00
hpayer@chromium.org
e624346e68 Skip regression test 320948 temporarily.
BUG=
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/131503008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18859 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-27 15:59:10 +00:00
hpayer@chromium.org
86cf9ca690 Enable concurrent sweeping.
BUG=
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/146833012

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18855 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-27 14:37:22 +00:00
dslomov@chromium.org
1a67b7f86a External Array renaming and boilerplate scrapping
Replaced symbolic names with correct JS name (byte -> int8, unsigned int -> uint32 etc).
Using macros to scrap the boilerplate
BUG=
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/145133013

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18835 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-24 16:01:15 +00:00
verwaest@chromium.org
21532ddfdc Reland ArrayPop / ArrayPush.
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/138443012

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18814 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-24 11:47:53 +00:00
machenbach@chromium.org
cde3ed1fe3 Speed up some mjsunit test cases and clean up test expectations for arm and mips.
Many skipped test cases already run very fast. Removing the corresponding expectations.

BUG=
R=jkummerow@chromium.org, mvstanton@chromium.org

Review URL: https://codereview.chromium.org/138503008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18812 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-24 11:36:45 +00:00
jkummerow@chromium.org
ee4e034d70 Revert broken ArrayPop changes
This reverts:
r18749 "Reland (and fix) "Add hydrogen support for ArrayPop, and remove the handwritten call stubs."",
r18790 "Remove ArrayPush from the custom call generators, and instead call directly to the handler in crankshaft.", and
r18798 "MIPS: Remove ArrayPush from the custom call generators, and instead call directly to the handler in crankshaft."

For causing crashes on Canary.

BUG=chromium:337686
LOG=N
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/146003006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18805 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-24 08:32:50 +00:00
machenbach@chromium.org
ca0d99196d Disable SetAllocationTimeout in fuzz-natives test since it has varargs.
BUG=
R=mstarzinger@chromium.org
TBR=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/145803002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18791 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-23 16:33:35 +00:00
verwaest@chromium.org
6b60546b16 Remove ArrayPush from the custom call generators, and instead call directly to the handler in crankshaft.
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/137693003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18790 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-23 16:20:25 +00:00
hpayer@chromium.org
83a1df2354 Remove Heap::MaxRegularSpaceAllocationSize and use Page::MaxRegularHeapObjectSize instead.
BUG=
R=mstarzinger@chromium.org, mvstanton@chromium.org

Review URL: https://codereview.chromium.org/141653016

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18776 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-23 13:02:27 +00:00
hpayer@chromium.org
a92e87e100 Make the full object memory size of a page available for a single allocation.
BUG=
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/145493004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18774 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-23 12:13:20 +00:00
machenbach@chromium.org
c159485fb1 [Sheriff] Temporarily mark test as flaky.
BUG=
TBR=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/145593002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18770 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-23 10:54:30 +00:00
verwaest@chromium.org
f30330325e Reland (and fix) "Add hydrogen support for ArrayPop, and remove the handwritten call stubs."
BUG=
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/144913003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18749 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-22 13:22:58 +00:00
dslomov@chromium.org
33d7e64b51 ES6: Implement Object.setPrototypeOf
This reverts commit bdc89ae76c15f3ef2626f8849744500248aec3ba.

This is a revert of the revert with test/webkit updated as needed.

Original CL Description:

http://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.setprototypeof

This just exposes the internal %SetPrototype and adds all the required
type checks as specified.

BUG=v8:2675
LOG=Y
R=dslomov@chromium.org, rossberg@chromium.org

Review URL: https://codereview.chromium.org/144193005

Patch from Erik Arvidsson <arv@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18739 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-22 12:15:57 +00:00
svenpanne@chromium.org
b4949cfd62 Fixed floor-of-div optimization.
We removed an HDiv by hand which was still used by an HChange. The
solution is letting dead code removal do the cleanup.

Removed a fragile "optimization" (looking through an HChange), too,
this obviously never triggered and is hard to get right given all our
global invariants and state/type/... changes.

The repro is a bit tricky, because you need inlining to make our
representations and types disagree in this case.

LOG=y
BUG=334708
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/143903016

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18737 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-22 11:54:51 +00:00
machenbach@chromium.org
1864f7388e Add infrastructure for skipping tests in GC stress mode.
Also move the GC stress configuration from the buildbot to the test runner.

BUG=
R=jkummerow@chromium.org, mvstanton@chromium.org

Review URL: https://codereview.chromium.org/141653008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18708 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-21 12:41:25 +00:00
machenbach@chromium.org
63cd984538 [Sheriff] Temporarily mark array-literal-feedback as flaky for GC stress.
The test is blocking the v8 lkgr. It will be unmarked again after there is infrastructure to disable it on GC stress only.

BUG=
TBR=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/143463004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18700 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-21 07:58:54 +00:00
machenbach@chromium.org
3be4500877 [Sheriff] Temporarily mark two mjsunit tests as flaky.
The tests are blocking the v8 lkgr. They will be unmarked again after there is infrastructure to disable them on GC stress only.

TBR=mvstanton@chromium.org
BUG=

Review URL: https://codereview.chromium.org/139343008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18698 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-20 19:05:31 +00:00
titzer@chromium.org
5771b0975a Fix representation requirement in HReturn.
BUG=
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/143523002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18697 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-20 19:00:11 +00:00
verwaest@chromium.org
9f64f43a1c Turn ArrayPush into a stub specialized on the elements kind and argc.
BUG=
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/143213003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18696 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-20 17:09:24 +00:00
dslomov@chromium.org
5b7b4b99b7 Revert "ES6: Implement Object.setPrototypeOf"
This reverts commit r18685 for breaking WebKit tests.

TBR=arv@chromium.org

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18687 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-20 10:59:07 +00:00
dslomov@chromium.org
1e3a14da44 ES6: Implement Object.setPrototypeOf
http://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.setprototypeof

This just exposes the internal %SetPrototype and adds all the required
type checks as specified.

BUG=v8:2675
LOG=Y
R=dslomov@chromium.org, rossberg@chromium.org

Review URL: https://codereview.chromium.org/141913002

Patch from Erik Arvidsson <arv@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18685 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-20 10:38:01 +00:00
verwaest@chromium.org
ef52aeb701 Remove special ArrayCode CallIC.
Once Call ICs are replaced by LoadIC + CallFunctionStub, we'll need a new way
of tracking this information.

R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/141073006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18662 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-17 11:24:36 +00:00
mvstanton@chromium.org
155ef100e9 Fix logic error in assert in IsUndeclaredGlobal()
Recent changes in IC logic meant that CallStubs no longer use the Contextual bit. IsUndeclaredGlobal() needed to adjust for that.

In fact, now the CL has morphed to remove the notion of storing contextual state in the IC at all, it just becomes some extra ic state of the load ic. This took some adjustment in harmony code to use the global receiver for certain stores.

Now it's clearer that only LoadICs actually record any information about contextual or not.

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/140943002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18660 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-17 11:08:24 +00:00
verwaest@chromium.org
53f46c5214 Get rid of ContextualMode for call ICs.
BUG=
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/137083002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18594 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-14 16:15:05 +00:00
mstarzinger@chromium.org
4d338985b9 Closed generator returns a completed object instead of throwing a error
From ES6 rev20 draft, closed generator returns completed object (the
value is `undefined` and done is `true`).
Since a error thrown in generator is propagated to the caller without
setting status of a thrown generator to "completed", once a generator is
suspended by a error, status becomes "executing" forever. This is filed
as v8:3096

LOG=N
BUG=v8:3097
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/136003003

Patch from Yusuke Suzuki <yusukesuzuki@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18591 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-14 15:19:34 +00:00
jkummerow@chromium.org
be4c1bdac2 Fix test after r18586
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/138063003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18588 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-14 14:00:10 +00:00
jkummerow@chromium.org
1ed94acf0c Turn Runtime_MigrateInstance into Runtime_TryMigrateInstance
because it must not cause lazy deopts because it is called from deferred code that cannot handle lazy deopts.

Hat tip to Ben for doing most of the debugging work, and to Toon for writing the regression test.

BUG=chromium:315252
LOG=Y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/131243003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18586 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-14 13:41:09 +00:00
verwaest@chromium.org
f2245a9cf9 Make the strict-mode calling convention for contextual calls the default one.
BUG=
R=dcarney@chromium.org

Review URL: https://codereview.chromium.org/131663003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18581 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-14 12:04:10 +00:00
hpayer@chromium.org
dcf7f73ec0 Enable allocation site pretenuring.
Disable elements-kind.js unit test temporarily on gc stress builders.

BUG=
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/136813002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18571 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-13 17:11:36 +00:00
jarin@chromium.org
c0f622a45b Fix of Hydrogen environment building for function "apply" calls.
BUG=
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/133773002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18548 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-11 13:59:04 +00:00
bmeurer@chromium.org
967d6499d2 Revert "Temporarily disable performance.now() in the d8 shell."
This reverts commit r18529.

R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/133523003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18531 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-10 12:07:29 +00:00
bmeurer@chromium.org
1b1c27d916 Temporarily disable performance.now() in the d8 shell.
Review URL: https://codereview.chromium.org/133663002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18529 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-10 11:17:57 +00:00
rossberg@chromium.org
014a86ef8c ES6: Add Object.getOwnPropertySymbols
http://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.getownpropertysymbols

This allows you to get the symbols used as property keys for an object.

  var object = {};
  var sym = Symbol();
  object[sym] = 42;
  assert(Object.getOwnPropertySymbols(object)[0] === sym);

This is only available with --harmony-symbols

BUG=v8:3049
R=rossberg@chromium.org, rossberg
LOG=Y

Review URL: https://codereview.chromium.org/108083005

Patch from Erik Arvidsson <arv@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18520 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-09 15:57:30 +00:00
rossberg@chromium.org
3286bc71e3 Promises: some adaptations to spec
- Rename Promise.{resolved,rejected,deferred} to Promise.{resolve,reject,defer}
- Rename Promise.one to Promise.race
- Make all failures asynchronous, EXCEPT type errors for resolver
- Disallow non-construct call to Promise constructor
- Don't make combinators go through public this.defer

Also, don't bother using IsCallable.

R=dslomov@chromium.org, yhirano@chromium.org
BUG=

Review URL: https://codereview.chromium.org/99573002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18515 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-09 13:00:56 +00:00
ulan@chromium.org
8db7aaa03d Correctly handle instances without elements in polymorphic keyed load/store.
BUG=331416
TEST=mjsunit/regress/regress-331416.js
LOG=Y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/121893003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18484 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-08 09:57:28 +00:00
ulan@chromium.org
43d1c23e2a Fix selection of popular pages in store buffer.
BUG=331444
TEST=mjsunit/regress/regress-331444.js
LOG=Y
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/125983002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18483 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-08 09:49:37 +00:00
jkummerow@chromium.org
7761059a98 Fix d8's Shell::ReadBuffer after r18227
BUG=v8:3085
LOG=N
R=jochen@chromium.org

Review URL: https://codereview.chromium.org/127853003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18482 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-08 09:48:38 +00:00