we know that both sides are Smi and those where we don't. Fix inlined
symbol table probes to cope with strings, undefined and null (indicating
a deleted entry). Some changes to other architectures that were found
with the new asserts.
Review URL: http://codereview.chromium.org/6682026
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7172 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Ensure that there is always enough bytes between consequtive calls in optimized code to write a call instruction at the return points without overlapping.
Add a call to deoptimize all functions after running tests with --stress-opt. This will catch some issues with functions which cannot be forcefully deoptimized. Some of the tests failed on ARM with that change without the rest of the changes in this change.
Review URL: http://codereview.chromium.org/6661022
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7132 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Worth mentioning:
- Specialized versions of pixel array and store/loads inside the generic stubs have been removed, since to have parity for all external arrays, 8 different versions would have to be inlined/checked.
- There's a new constant in v8.h for external arrays with pixel array elements.
Review URL: http://codereview.chromium.org/6546036
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7106 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Refactor construction of switch statements so it doesn't use class
HSubgraph.
There are also a few improvements. We do not use an auxiliary list of
comparisons because they're embedded as a linked list in the graph
under construction. We share a common break block for all breaks from
the same switch. We do not insert empty blocks unless necessary to
maintain edge-split form.
There is also a bug fix. The entry to a clause body is a potential
join and must have a join ID set, otherwise deoptimization within the
body can go to an unpredictable place in the unoptimized code.
Review URL: http://codereview.chromium.org/6650021
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7099 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Non-moveable code-stube are allocated in large object space. They are only required on ARM where the different C-entry stubs are required to never move.
This gets rid of pre-computing these stubs and hope that they never move. Also for crankshaft the C-entry stub which saved doubles is not generated in the snapshot so it ends up being generated at runtime and potentially move.
Review URL: http://codereview.chromium.org/6626072
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7097 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Ensure that there is always enough bytes between consequtive calls in
unoptimized code to write a call instruction at the return points
without overlapping.
This handles the case where two return points were only four bytes
apart (because the latter call was to a register).
BUG=v8:1234
Review URL: http://codereview.chromium.org/6624091
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7089 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Move strict mode flag from TemporaryScope to Scope so that it can be accessed from variable binding code.
Arguments do not alias in strict mode (ia32, x64 and arm, codegen and full codegen).
Hydrogen tolerates null arguments_shadow().
In codegen-<arch> arguments object is allocated eagerly to capture values before they get modified.
Review URL: http://codereview.chromium.org/6625048/
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7083 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Change the way we construct the graph for polymorphic loads to match that of
polymorphic stores.
Introduce a stack-allocated helper for saving and restoring all the
function-specific graph builder state that needs to change when we begin
translating an inlined function. Make this class authoritative by moving
redundant state out of the builder and deferring to the current function's
state.
Ensure that we always print a tracing message when abandoning an inlining
attempt.
Review URL: http://codereview.chromium.org/6628012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7074 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
In built-in code we use arrays for internal computations.
This makes it possible to affect the built-in code by putting getters
or setters on the Array prototype chain.
This adds a new internal Array constructor that creates Arrays with
a very simplistic prototype chain that doesn't include any publicly
visible objects. These Arrays shoudl ofcourse never leak outside the
builtins, since that would expose the prototype object.
The prototype object contains only the array functions that we use:
push, pop and join (and not even a toString, so it doesn't stringify
well).
Also change uses of .call to %_CallFunction.
BUG=1206
Review URL: http://codereview.chromium.org/6602081
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7040 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This change makes the full code generator always materialize smi constants to match the behavior
of the environment tracked in the optimizing compiler. The mismatch between environment
and what the non-optimized code causes problems and potentially crashes when doing deoptimization
and OSR.
BUG=67732
Review URL: http://codereview.chromium.org/6592064
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6982 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Use ToBooleanStub in DoTest instead of runtime call.
Try allocation in generated code in VisitRegExpLiteral.
Use TranscendentalCacheStub for sin, cos and log instead of calling runtime.
Minor "alignment" of the full codegen code across platforms.
Review URL: http://codereview.chromium.org/6597003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6953 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The old version only added extra space when we did indirect calls, but
the problem remains the same with normal calls that can be represented
as a single byte. When doing patching each call will always be at
least 2 bytes long because we use RUNTIME_ENTY as the reloc mode.
Review URL: http://codereview.chromium.org/6541053
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6894 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
In revision 6795 I introduced an assertion in the deoptimizer that was
wrong. We check that curr_address - prev_address > patch_size(), but
prev_address is actually the address right after the last patched
call, so we just need to be larger than or equal to prev_address.
Review URL: http://codereview.chromium.org/6480068
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6797 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Strict mode flag is passed to runtime DELETE function
and then to JSObject::Delete(Property/Element) as STRICT_DELETION enum.
When deleting non-configurable property/eleemnt, TypeError is thrown.
Adding mozilla test to .gitignore.
Incorporate CR feedback.
Review URL: http://codereview.chromium.org/6515005/
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6782 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Strict mode assignment to undefined reference.
Simple assignments (x = <value>) use CODE_TARGET_CONTEXT.
StoreIC stores its own strictness in extra_ic_state.
The strcitness is propagated as further ic stubs are generated.
Details:
* ReferenceError on assignment to non-resolvable reference in strict mode.
* Fix es5conform test expectation file.
* Add es5conform test suite into .gitignore.
* Fix Xcode project.
* Change implemented in virtual frame code generator, as well as full-codegen
for all architectures.
* Fix debugger test.
* Fix comment for CODE_TARGET_CONTEXT
* Implement remaining StoreIC stubs to be strict mode aware.
* Trace extra_ic_state() for ic code stubs.
Code Review URL: http://codereview.chromium.org/6474026/
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6760 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Strict mode assignment to undefined reference.
Simple assignments (x = <value>) use CODE_TARGET_CONTEXT.
StoreIC stores its own strictness in extra_ic_state.
The strcitness is propagated as further ic stubs are generated.
Details:
* ReferenceError on assignment to non-resolvable reference in strict mode.
* Fix es5conform test expectation file.
* Add es5conform test suite into .gitignore.
* Fix Xcode project.
* Change implemented in virtual frame code generator, as well as full-codegen
for all architectures.
* Fix debugger test.
* Fix comment for CODE_TARGET_CONTEXT
* Implement remaining StoreIC stubs to be strict mode aware.
* Trace extra_ic_state() for ic code stubs.
Code Review URL: http://codereview.chromium.org/6474026/
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6756 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Before, an attempt to delete a parameter in a function that used the
arguments object in any way would succeed with true and delete both
the parameter and the corresponding arguments object property.
Now, an attempt to delete such a parameter does not delete and
evaluates to false.
Parameters can be deleted, as before, from functions that use the
arguments object, by deleting the corresponding arguments object
property (this is a spec violation).
BUG=fixes v8:1136
Review URL: http://codereview.chromium.org/6484023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6745 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
There were a couple of bug fixes to this code on IA32 which have not yet
been ported to ARM. They are: failure to correctly handle non-JSObject
receivers and failure to restore the context register after calling JS code.
Review URL: http://codereview.chromium.org/6479019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6744 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Make esi available to the register allocator rather than dedicating it
permanently to the context.
The context is still passed in register esi to JavaScript and to the runtime
as part of the calling convention. Because some stubs might end up calling
JS or the runtime, it is also conservatively passed to stubs.
Roughly half the calls have been modified to use the context as an input
value in fixed register esi. The other half are marked as calls or deferred
code so esi is spilled and can be explicitly set.
It is no longer necessary to restore the context to esi after a call that
might change it.
Review URL: http://codereview.chromium.org/6452001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6713 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
If we have a property access of the form this.x, where the access site sees
the global object, we can specialize the IC stub so that it performs a map
check without first performing a heap object check.
Ensure that we do not get in JS code with a non-JSObject this value by
deoptimizing at Function.prototype.apply if the first argument is not a
JSObject.
BUG=v8:1128
Review URL: http://codereview.chromium.org/6463025
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6707 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Change the comparison in the full code generator to use CompareIC instead of the CompareStub to record the types. This also implements the patching in the full code generator where the inlined smi code is de-activated by default to call the CompareIC once and then activating the inlined smi code by patching the code.
Fixed the smi comparison in the ICCompareStub.
Fixed ToBooleanStub to ensure that the scratch register used is not the input. Use r9 as default as that will never be input with Crankshaft.
Implemented lithium instruction CmpTAndBranch.
Make sure that the lithium instruction CmpID have operands in registrers as the current optimized code expects that.
Review URL: http://codereview.chromium.org/6461017
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6704 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
- Don't use SmiSub when overflow can occur. It asserts that overflow
does not happen.
- Actually use CompareICs and signal to crankshaft whether or not smi
code was inlined.
- Fix bug in CmpI where 64 bits were compared instead of 32 bits.
- Implement Throw, DeferredStackCheck, StoreKeyedFastElement in
lithium backend.
BUG=
TEST=
Review URL: http://codereview.chromium.org/6312193
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6669 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Revision 6635 added an assert on IA32 that there were no 'const' parameters.
This assert could be hit at compile time because we compiled the unreachable
body of functions with illegal redeclarations, which are thrown at runtime.
Review URL: http://codereview.chromium.org/6286144
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6659 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Instead of constructing a temporary container for all LOperands of each
instruction, the register works directly on the LIR instructions that
provide an abstract interface for input/output/temp operands.
This saves allocation of zone memory and speeds up LIR construction,
but makes iterating over all uses in the register allocator slightly
more expensive because environment uses are stored in a linked list of
environments. We can fix this by using a flat representation of LOperands.
Review URL: http://codereview.chromium.org/6352006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6638 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
There was an unnecessary load on every statically-resolved context lookup.
Remove it.
This revealed a hidden bug in const initializers inside 'with'. They claim
to be statically resolved (having slot type CONTEXT) but they occur in a
spot where the runtime context chain and the static scope chain do not
agree. This is fixed by special casing const initializers in the backend.
Review URL: http://codereview.chromium.org/6384020
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6635 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Record a safepoint with a deoptimization id for throw in optimized code. We
don't seem to much care what the AST ID is because we will not be using it
for lazy deoptimization (throw doesn't return to the point of throw). For
hygiene we use the actual ID of the throw expression. Throw is no longer a
control-flow instruction, but it's followed by an unconditional abnormal
exit. This is required to insert a simulate between the throw and the exit.
Make our optimized treatment of Function.prototype.apply act like a call and
have side effects. This ensures that it will get a lazy deoptimization
environment. Use that deoptimization ID in the safepoint for the call.
Deleting a property was also missing a deoptimization ID, though there was a
deoptimization environment assigned to the instruction. Record the
environment and use the deoptimization ID at the safepoint.
Review URL: http://codereview.chromium.org/6250105
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
If we, immediately after the deoptimization, but before actually
running the patched code, get a compacting GC, the addresses from the
calls might no longer be valid.
I have validated that this works by patching the existing code to
always do a compacting gc after we finish deoptimizing. I will create
a real regression test for this, but this includes additional code for
allowing us to force a deopt/opt from javascript test code. I will
land this in a seperate change.
Review URL: http://codereview.chromium.org/6349043
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6565 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Change OSR stack check patching to use the stack check table to iterate over the calls to stack guards platform independent. Introduce Deoptimizer::PatchStackCheckAt for each platform to perform the platform specific patch at a given pc.
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/6392027
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6551 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Deletion of global properties puts 'the hole' in the global property
cell and updates the property details in the property dictionary with
the information that the property has been deleted. When setting
global properties that have been deleted in generated code we just
store the new value in the global property cell. This does not update
the property details in the property dictionary. Therefore, it looks
like the property is not there eventhough it was just reintroduced.
Perform 'the hole' checks in generated code for global property stores
and bail out of ICs and optimized code if storing to a property cell
that contains 'the hole'.
Review URL: http://codereview.chromium.org/6306014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6508 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Refactor SafepointTableBuilder::DefineSafepoint and ARM LCodeGen::RecordSafepoint to use an enum for different kinds of safepoints. This change removes a lot of duplicated code and makes it easier to include new kinds of safepoints in the future. The remaining variants of LCodeGen::RecordSafepoint remain as a convinient way to record common safepoint kinds.
BUG=http://code.google.com/p/v8/issues/detail?id=1043
TEST=none
Review URL: http://codereview.chromium.org/6341008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6505 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
To avoid deopts a few extra changes were needed:
o Enable megamorphic state for special property loads on
primitives. We used to flip between monomorphic stubs.
o Extract pure string (no string wrapper support) version of the
string length stub.
Review URL: http://codereview.chromium.org/6334015
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6472 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Change the ARM exit frame to have the same layout as the IA32 exit frame. This basically re-arranges the order of fp and sp and changes the sp location of the entry frame to hold the sp used by the gc and not the sp for popping the arguments. This removes the option of tearing down the frame and returning using one ldm instruction.
The main motivation for this is to avoid pushing an alignment word before generating the entry frame. The GC handling of optimized frames process the registers pushed as part of a safepoint and asumes that these are at the top of the frame, so if an alignment word is pushed this processing will be one off.
The alignment handling in the C entry stub have also been simplified. Now the value of lr is stored to a stack slot already reserved avoiding pushing it and keeping track of "frame skew".
This does result in more instructions in the exit frame on ARM, but we can look into improving this later.
Review URL: http://codereview.chromium.org/6247019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6448 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
files. On ARM it is not enough to iterate the relocation information
because that will only give us access to the constant pool and not to
the place in the instruction stream where the target in the constant
pool is called.
Review URL: http://codereview.chromium.org/6343005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6444 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The function Runtime_LookupContext searches the context chain for a
LOOKUP slot and returns the object holding the slot. It returned the
global context if the slot was not found or if it was found in a
function's context or arguments object. This is not the correct
object to use for 'delete'.
Since this lookup function is only ever used when deleting LOOKUP
slots (those that have to go through a with or a scope with eval), it
is simply replaced with a Runtime_DeleteContextSlot function that does
the appropriate thing for all kinds of context lookups.
This fixes Chromium bug 70066.
http://code.google.com/p/chromium/issues/detail?id=70066
Review URL: http://codereview.chromium.org/6280013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6442 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
conversions for external array types, which implement the Typed Array
spec. (Revision of http://codereview.chromium.org/6315004 .)
Prefer SSE2 code path on x86 processors. Non-SSE2 processors now make
a slow runtime call for float-to-int conversions. Use SSE3 for 32-bit
signed and unsigned int array types where possible.
The movement of code from ic-arm.cc to stub-cache-arm.cc caused the
VFP3 code path to be tested for the first time. Fixed bugs in the
register usage and in the constant value stored into integer arrays
for NaN and +/-Infinity.
Added new truncation test to test-api.cc. Storage of NaN and +/-Inf
was already covered. Ran unit tests on x86, x64 and ARM simulator.
Tested ia32 and x64 code in Chromium on Mac and Linux respectively
with Typed Array unit tests and WebGL content.
BUG=http://code.google.com/p/chromium/issues/detail?id=50972
TEST=test-api/ExternalArrays
Review URL: http://codereview.chromium.org/6303012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6431 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This is svn r6415 with a bugfix.
The bug was that we can have scopes with 0 heap slots (functions with
such scopes do not need a local context) and scopes with at least
Context::MIN_CONTEXT_SLOTS. The code generator only allocated a local
context if there were strictly more than Context::MIN_CONTEXT_SLOTS.
Before the change to with/arguments, it was impossible to actually get
a function scope with exactly Context::MIN_CONTEXT_SLOTS because every
such scope included a heap-allocated arguments (and arguments shadow)
slot.
Review URL: http://codereview.chromium.org/6248014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6426 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Rename HBranch (the instruction that coerces an arbitrary HValue to
control flow) to HTest to free up the term Branch to refer to any
control instruction with two successors.
Change the virtual FirstSuccessor and SecondSuccessor functions on
control instructions to a pair of data members.
Review URL: http://codereview.chromium.org/6366002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6417 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This patch adds H- and L-variants of StringCharCodeAt and StringLength.
StringCharCodeAt is used to inline a constant function call of
String.prototype.charCodeAt and to implement the corresponding inline
runtime function. It does not yet use the recently introduced extra IC
state. (We can specialize on string encoding and avoid deopts because
of out of bounds accesses.)
StringLength needs more work because the stub version of it also
supports strings wrappers and it matters in some cases. (We have to
separate the string only case.)
Review URL: http://codereview.chromium.org/6243008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6408 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We hit an assertion failure when we tried to record the AST ID of
the (shared) .arguments variable proxy more than once. This was hit
when we had multiple calls to the same parameter in a function that
used the arguments object. The fix is to not visit the subexpressions
of the (shared) property access expression.
BUG=1060
Review URL: http://codereview.chromium.org/6368007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6404 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Extra IC state is only two bits and only supported for call IC-s for
now. To change its extra state an IC stub jumps to a new miss stub
that goes to runtime as usual but then instead of going megamorphic
generates a monomorphic stub with the updated state.
Review URL: http://codereview.chromium.org/6344005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6370 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This change introduces the third template parameters for LIR instructions
to specify the number of temp-operands. This is one step towards
removing the instruction-summaries.
I also added hydrogen-accessors in more places and refactored
the LIR-branch instructions to have common super-classes to
avoid code duplication.
Added MUST_USE_RESULT to the functions that record uses
and definitions so that all LOperands are stored in the
LIR instructions (and not only in the summaries).
Review URL: http://codereview.chromium.org/6237002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6345 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Instead of spilling and then immediately restoring eax to resolve
memory to memory moves, the gap move resolver now tracks registers
that are known to be free and uses one if available. If not it spills
but restores lazily when the spilled value is needed or at the end of
the algorithm.
Instead of using esi for resolving cycles and assuming it is free to
overwrite because it can be rematerialized, the gap move resolver now
resolves cycles using swaps, possibly using a free register as above.
The algorithm is also changed to be simpler: a recursive depth-first
traversal of the move dependence graph. It uses a list of moves to be
performed (because it mutates the moves themselves), but does not use
any auxiliary structure other than the control stack. It does not
build up a separate list of scheduled moves to be interpreted by the
code generate, but emits code on the fly.
Review URL: http://codereview.chromium.org/6263005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6344 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This puts us very close to being able to compile the empty function.
This changes only has a small number of 64 bit specific assembler instructions.
The remaining changes are much more platform specific and will go in another change.
Review URL: http://codereview.chromium.org/6247005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6306 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This instruction only depends on the prototype and the holder and can
completely ignore the receiver and its map.
This change also fixes a small bug on arm where a cell was loaded
instead of the prototype from new space.
Review URL: http://codereview.chromium.org/6094020
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6290 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Each LInstruction is now a subclass of LTemplateInstruction<R, I, T>
where R is number of outputs, I number of inputs and T number of temps.
This change only actually uses the parameter I for input operands.
Since the parameter T for temps is 0, it incurs no extra cost.
A separate change will introduce using the temps parameter.
Review URL: http://codereview.chromium.org/6215002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6275 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Remove unused LOperands from keyed-loads. We do not have multiple representations
for load instructions anymore.
Correct number of output operands as for a couple of instructions form 1 to 0
because they do not produce a result (e.g. PushArgument)
Review URL: http://codereview.chromium.org/6158004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6258 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This change introduces LTemplateInstruction which is a specialized version
of LInstruction and takes one template parameter to indicate whether the
instruction produces a result operand.
All instruction that do not have a result inherit from LTemplateInstruction<0>.
Instructions that have a result operand from LTemplateInstruction<1>
All the Define* function only operate on instructions with a result.
For this to work I also refactored the places where we do
LInstruction* result = new Lxyy
into
Lxyz* result = new Lxyz
Review URL: http://codereview.chromium.org/6219001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6245 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The the call of the builtin in InstanceofStub was not correctly protected with an internal frame leading to the return address being handled as a pointer during GC.
Marked the Instanceof stub as allowing stub calls (the RecordWriteStub was removed some days ago).
This issue was not caught by the assertion designed for this when debug mode is run with --debug-code (which out tests always does) as generating code for Abort set the allow stub calls flag to true. This has been fixed by restoring the allow stub calls flag correctly.
Review URL: http://codereview.chromium.org/6097010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6218 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
If the instanceof stub was requested to deliver true/false objects as the result instead of 0/1 then 0/1 was actually returned if the builtin INSTANCE_OF ended up being called. This is now fixed.
BUG=v8:1020
TEST=test/mjsunit/regress/regress-1020.js
Review URL: http://codereview.chromium.org/6014013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6185 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
If the instance of is performed against what is beliwed to be a constant global function inline the instance of check and have the call to the instanceof stub in deferred code. The inlined check will be patched by the instanceof stub when called from deferred code. This is indicated by the lithium instruction LInstanceOfKnownGlobal.
To help the patching the delta from the return address to the patch site is placed just below the return address in the edi slot of the pushad/popad ares. This is safe because the edi register (which is pushed last) is a temporary for the lithium instruction.
As the instanceof stub can call other JavaScript an additional marking for saving all double registers have been added.
Also tweaked the instanceof stub to produce true/false objects instead of 0/1 for the case with deferred code.
Review URL: http://codereview.chromium.org/5990005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6173 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The function HEnvironment::SetExpressionStackAt did not update the
environment's history. This function is used to patch the bailout
environment for count operations and global function calls.
Reorganize class HEnvironment to make it fit V8's style a bit better
and to try to add some sanity to which C++ functions are intended to
be inlined.
Remove the flag --trace-environment which merely duplicated data in
the hydrogen.cfg file except without enough context to be useful.
BUG=1004
Review URL: http://codereview.chromium.org/5992011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6137 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
1. Separating out the instance-type check from the array-length operation.
2. I also changed the bounds-check on keyed loads to use the length property
for JS arrays (like we do for array stores).
The new pattern should use less registers and allow more checks to be eliminated.
Review URL: http://codereview.chromium.org/5961016
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6125 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Before, when we deoptimized after a branch we jumped to before the branch
was taken in the unoptimized code with a token value that indicated when
edge to take. There was a lot of machinery to track this value through the
short-circuit logical operations and logical negation, and to handle it
properly at inline function return sites. There was also machinery to
prevent incorrectly seeing this environment with the extra value never
actually materialized in the unoptimized code.
Instead, now we deoptimize directly to one of the targets of the branch.
Much but not yet all of the extra machinery has been removed or simplified.
The cost is that branching control structures (the looping statements, if
statements, conditional expressions, and the short-circuit binary logical
operations) need extra AST IDs to identify the branch targets.
Review URL: http://codereview.chromium.org/5908001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6049 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When entering a finally block in unoptimized code, we unconditionally
save the accumulator register in the stack in case it holds a return
value or an exception. In the case of a break, continue, or falling
off the end of the try or catch block, this value is unpredictable and
not necessarily safe for GC.
Review URL: http://codereview.chromium.org/5883003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6035 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This is an improved version of my earlier change r5970. It avoids degrading the
non-optimized code.
Initially we emit a conditional branch that is either always- or never-taken
after a smi-check (depending on whether we test for smi for for non-smi)
Since test-eax always sets the carry-flag to 0 we use jump-if-carry and
jump-if-not-carry.
The first invocation of the stub patches a jc with a jz and
jnc with a jnz-instruction so that the code looks exactly as it was
without patching. The only difference is the test- or nop-instruction
after the IC-call.
Review URL: http://codereview.chromium.org/5763004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6030 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This fixes V8 issue 989.
Before, assignments used the AST ID of the assignment expression to
mark the side effect of the store, which became a target for
deoptimization bailout for code after the assignment. In effect
contexts this environment included the value of the assignment, which
was unexpected by the unoptimized code.
Now we introduce a new assignment ID for AST node types that include
an assignment (Assignment, CountOperation, and ForInStatement) and use
it for the side effect of the store.
Review URL: http://codereview.chromium.org/5682010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5990 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
In the case of inlined smi code in non-optimzied code we could not
distinguish between the smi-only case and the case that the operation was
never executed.
With this change the first execution of a binary operation always jumps
to the stub which in turn patches the smi-check into the correct
conditional branch, so that we benefit from inlined smi code after the
first invocation.
A nop instruction after the call to the BinaryOpIC indicates that no
smi code was inlined. A "test eax" instruction says that there was smi
code inlined and encodes the delta to the patch site and the condition
code of the branch at the patch site to restore the original jump.
Review URL: http://codereview.chromium.org/5714001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5970 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
inline allocation code used the expected number of properties to
calculate the number of inobject properties for an object instead of
getting the actual number from the initial map.
It is safer to use the inobject property count from the initial map in
any case because that is the amount the instances will get. I think
this disconnect got introduced when adding shrinking of objects.
Unfortuntely I haven't been able to create a simple reproduction for a
test case but this fixes the webpage that exhibits the crash. I'll see
if I can create a reproduction tomorrow.
Review URL: http://codereview.chromium.org/5278003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5879 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This switches out the existing constant splitting with masking that works like this:
1. Generate a random 32-bit value at compilation time.
2. XOR the 32-bit constant with the random value.
3. Emit the resulting immediate value along with the XOR operation to generate the original value.
BUG=http://code.google.com/p/v8/issues/detail?id=908
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5734 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Change more functions used by the Compiler class to have a uniform
interface: they get passed as argument an input/output pointer to a
CompilationInfo that they mutate if they succeed, and they return a
flag telling whether they succeeded.
Also, remove some unnecessary timers.
Review URL: http://codereview.chromium.org/3561012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5583 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The plan is to use the CompilationInfo class to communicate inputs and
outputs to compilation pipeline phases, which each return a boolean
success/failure flag.
The intent is to make it easier to compose small pieces of the
pipeline without having to grow a custom function each time, each
taking a half dozen arguments.
This change modifies the very front end (the parser).
Review URL: http://codereview.chromium.org/3586006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5581 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
For some reason, the scope's arguments and arguments shadow were
variable proxies, which resulted in all references to the arguments
shadow being shared in the AST. This makes it hard to put per-node
state on the AST nodes.
I took the opportunity to remove Variable::AsVariable which has
confused people in the past, and to rename Variable::slot to the more
accurate Variable::AsSlot.
Review URL: http://codereview.chromium.org/3432022
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5517 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The number of inobject properties used to be derived from the number
of this property assignments in the constructor (and increased by 2 to
allow for properties added later). This very often leads to wasted inobject
slots.
This patch reclaims some of the unused inobject space by the following method:
- for each constructor function the first several objects are allocated using the initial
("generous) instance size estimation (this is called 'tracking phase').
- during the tracking phase map transitions are tracked and actual property counts are collected.
- at the end of the tracking phase instance sizes in the maps are decreased if necessary
(starting with the function's initial map and traversing the transition tree).
- all further allocation use more realistic instance size estimation.
Shrinking generously allocated objects without costly heap traversal is made possible
by initializing their inobject properties with one_pointer_filler_map (instead of undefined).
The initial slack for the generous allocation is increased from 2 to 6 which really helps some tests.
Review URL: http://codereview.chromium.org/3329019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5510 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Contextual load requires only a map check followed by a cell hole
check so we can generate pretty compact code for that. The fact that
we have inlined code is marked by mov ecx, offset instruction after
the IC call. Inlining is only enabled inside loops and in non-builtin
functions.
The generated code size increase is about 3%. This descreased the
pc-to-code cache hit rate in some of the benchmarks that trigger
GC. To compensate we now have 4 times as much entries in the cache.
Review URL: http://codereview.chromium.org/3402014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5497 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When running profiling in debug mode, several assertions in frame
iterators that are undoubtedly useful when iterator is started from a
VM thread in a known "good" state, may fail when running over a stack
of a suspended VM thread. This patch makes SafeStackFrameIterator
to proactively check addresses and bail out from iteration early,
before an assertion will be triggered.
BUG=crbug/55565
Review URL: http://codereview.chromium.org/3436006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5467 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This change introduces near labels in the assembler, allowing us to
uptimize forward jumps (conditional and unconditional) if we can
guarantee that the jump is witin range -128 to +127.
I changed a large fractions of the existing Labels to NearLabels, and
left out cases where it was not immediately clear if it could be used
or not (not immediately clear means labels covering a large code
block, or used in function calls which we could potentially change to
accept near labels).
Review URL: http://codereview.chromium.org/3388004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5460 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
the code object's instructions.
This allows us to find a code object using just the pc. This approach
uses a cache (PcToCodeCache) to make sure we don't continuously have
to iterate heap pages.
This change eliminates the need for cooking and uncooking of stack frames.
Review URL: http://codereview.chromium.org/3226014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5369 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The live registers are now only stored to the expression stack with the non pointer values being stored as smis (on the 32-bit platforms these values are assumed to be 31-bit max).
This makes the CEntryStub entry/exit code much simpler, and there is no longer any need for a mode (debug or normal) on it.
Fix a missing live register when breaking at ARM keyed load.
Review URL: http://codereview.chromium.org/3141047
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5358 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Object model changes
----------------------------------------
New fixed_cow_array_map is used for the elements array of a JSObject
to mark it as COW. The JSObject's map and other fields are not
affected. The JSObject's map still has the "fast elements" bit set. It
means we can do only the receiver map check in keyed loads and the
receiver and the elements map checks in keyed stores. So introducing
COW arrays doesn't hurt performance of these operations. But note that
the elements map check is necessary in all mutating operations because
the "has fast elements" bit now means "has fast elements for reading".
EnsureWritableFastElements can be used in runtime functions to perform
the necessary lazy copying.
Generated code changes
----------------------------------------
Generic keyed load is updated to only do the receiver map check (this
could have been done earlier). FastCloneShallowArrayStub now has two
modes: clone elements and use COW elements. AssertFastElements macro
is added to check the elements when necessary. The custom call IC
generators for Array.prototype.{push,pop} are updated to avoid going
to the slow case (and patching the IC) when calling the builtin should
work.
COW enablement
----------------------------------------
Currently we only put shallow and simple literal arrays in the COW
mode. This is done by the parser.
Review URL: http://codereview.chromium.org/3144002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5275 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Upgraded the CodeGenerator::ToBoolean() function in the ARM backend to use complete JIT code generation and not make runtime calls to ToBool (when VFP is enabled).
This change also includes the vcmp VFP instruction that supports a constant 0.0 as the second operand.
Patch by Subrato K De <subratokde@codeaurora.org>
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5267 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This should help in cases like:
function Constructor() {
this.foo = constFunction;
this.bar = "baz";
}
for (...) {
o = new Constructor();
// Constant call IC will work.
o.foo();
// Inlined property load will see the same map.
use(o.bar);
}
This change also fixes a latent bug in custom call IC-s for strings
exposed by string-charcodeat.js.
Review URL: http://codereview.chromium.org/3160006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5254 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This adds a check to the fast case string add to ensure that the String object still have the default valueOf function. The default valueOf is sitting on a hidden prototype of String.prototype.
Before using the fast case valueOf the object is checked for a local valueOf property. For slow case objects this check always reports true (the dictionary is not probed, so valueOf might be there) and for fast case objects the descriptor array is checked for the valueOf symbol (just liniar scan). After that the prototype is checked for beeing the initial value of String.prototype. If this all pass (that is the default valueOf is still in place) this result is cached on the map making the check fast the next time.
This is only implemented in the optimizing compiler, as the two usages of %_IsStringWrapperSafeForDefaultValueOf is never hit by the full compiler.
I will port to x64 and ARM when this has been reviewed for ia32.
I will remove the performance counters prior to final commit.
BUG=http://code.google.com/p/v8/issues/detail?id=760
TEST=test/mjsunit/regress/regress-760-1.js
TEST=test/mjsunit/regress/regress-760-2.js
Review URL: http://codereview.chromium.org/3117006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5252 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
in allowing more flexible compilation and to simplify builtins lookup.
This changes a number of places where code objects are assigned to
SharedFunctionInfo objects to also assign this code object to the
JSFunction. In addition, the code flushing is changed slightly to
accomodate this (we need to flush the code from functions pointing to
SharedFunctionInfo objects that has already been flushed).
Review URL: http://codereview.chromium.org/3120006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5233 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
and the value can share a register. We need to remove this aliasing
before modifying the registers.
I haven't managed to generate a stand-alon test case for this
yet. I'll do that as a separate change. This was found while loading
Wave.
Review URL: http://codereview.chromium.org/3039025
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5127 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This includes adding a new inline IsSpecObject method to the code
generator. The old approach was somehow ineffecient since we would
call both IsObject, IsUndetectable and IsFunction to determine if
something was an object according to the spec. This change introduces
a new macro that determines if something is an object according to the
spec (and this does not include null).
This change also corrects a few places where undetectable objects was
not allowed even when they should be (priorly they would use only
IS_SPEC_OBJECT_OR_NULL, which would return false on an undetectable
object, the new IS_SPEC_OBJECT returns true on an undetectable object.
Review URL: http://codereview.chromium.org/2877018
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5087 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
to the runtime will both patch in the more specialized binary op
stub and calculate the answer. This eliminates the need to call
both the rest of the binary op and the patching runtime call. The
runtime routines are altered to be more agressive in returning
Smis so we don't get spurious heap numbers as inputs to binary ops
while we are patching the binary op ICs.
Review URL: http://codereview.chromium.org/2843049
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5026 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The IC stub is completely generic, so there will only be one such stub
in the system.
Added a new overloaded version of the macro assembler RecordWrite
method for cases where we have the address we store to computed up
front.
Review URL: http://codereview.chromium.org/2804029
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4991 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
A potential issue with this change is creating lots of maps when
objects flip between fast/slow elements modes. We could add special
transitions to avoid this. Yet testing this on our benchmarks, gmail,
and wave seems to indicate that this is not a real problem.
Review URL: http://codereview.chromium.org/2870018
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4941 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Similar or duplicate checks are scattered around the code before doing the dictionary load.
Also the entire branch in GenerateCallNormal that handles global/builtin receiver is
guaranteed to bail out from GenerateDictionaryLoad, so there is no point in generating it at all.
The purpose of the patch is:
- making C++ code more compact and transparent,
- not generating dead code.
There is a tiny performance gain. The patch is ia32 only for now.
Please tell me if I am missing anything.
Review URL: http://codereview.chromium.org/2801007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4926 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
If a two-byte string only contains ascii characters, then we can save
memory when flattening a cons string containing it. Similarly we can
use this in Array.prototype.join implementation. To track this a new
bit is added to instance type. This bit is used as a hint in generated
code and in runtime functions.
To enable testing a new V8 extension is added controlled by
--expose-externalize-string flag.
Review URL: http://codereview.chromium.org/2762008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4894 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Generating code for function return on ARM is now aligned with the other platforms. The first non-shadowed return statement encountered will emit code for function return and all other returns including the fall through at the bottom of a function will jump to that.
Review URL: http://codereview.chromium.org/2815003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4856 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
With the change in r4820 all return statements are now breakable like any statement, so stepping will stop before the return statement actually returning from a function. With this change the position when breaking in the function return (after executing the return statement) will be the actual end of the function. At this point the return value is available as it saved to the stack by the debug break at return handling. Added information on the actual value returned from the function to the debugger.
Review URL: http://codereview.chromium.org/2783002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4835 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Added support for more precise break points when debugging and stepping. To achieve that additional nop instructions are inserted where breaking would otherwise be impossible. The number of nop instructions inserted are sufficient to make place for patching with a call to a debug break code stub. On Intel that is 5 nop's for 32-bit and 13 for 64-bit. Om ARM 3 nop instructions (12 bytes) are required.
In order to avoid inserting nop's in to many places a simple ast checker have been added to check whether there are breakable code in a statement or expression. If it is possible to break in an expression no additional break enabeling code is inserted.
Added break locations to the true and false part of a conditional expression.
Added stepping tests to cover more constructs.
These changes are only in the full compiler.
Changed the default value for the option --debugger in teh d8 shell from true to false. The reason for this is that with --debugger turned on the full compiler will be used for all code in when running d8, which can be unexpeceted.
Review URL: http://codereview.chromium.org/2693002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4820 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
perform a context lookup in the runtime system for the 'eval'
function. Instead load the 'eval' function from the global context in
generated code if it is not shadowed.
Will port to other platforms as a separate change.
Review URL: http://codereview.chromium.org/2666001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4794 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
NumberToUint32 that I was trying to use maps -0 to +0 (as desired) but
also maps +/-Infinity to +0, which made +/-Infinity a valid string
index. I fixed it by introducing a new runtime function with the right
semantics.
TEST=LayoutTests/fast/js/char-at.html,mjsunit/string-charat.js
Review URL: http://codereview.chromium.org/2223003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4734 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
These string methods can be composed from two basic blocks: charCodeAt
and fromCharCode, both of which have fast cases for certain types of
inputs. In this patch these two blocks are refactored to allow
generating the fast cases without having to jump around the slow
cases. In the slow cases since they can now be invoked both from
inline runtime functions and from IC stubs we either have to
save/restore state of the current frame or enter/leave a new internal
frame. This is handled by new RuntimeCallHelper interface. Its
implementation for virtual frame is based on FrameRegisterState class
extracted from DeferredCode class.
Review URL: http://codereview.chromium.org/2087009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4733 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
1) do not push receiver early---that simplifies tail call preparation
on ia32/x64 and renders special cleanup unnecessary;
2) do not do second map check if interceptor's and cached holder
are the same;
3) do not push/pop receiver if receiver and holder registers are the same
(means that receiver is interceptor's holder);
4) do batch pushes on arm;
5) minor cosmetic improvements.
Review URL: http://codereview.chromium.org/2282001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4732 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The full compiler is now complete on ARM as well. The syntax checker is still used to determine whether to use it for top level code or not during normal execution. When debugging is enabled all code will be compiled with the full compiler.
This change removes the temporary flag --force-full-compiler and now the flag --always-full-compiler enables the full compiler for all code on all platforms.
This also fixes building on Intel platform without debugger support (ENABLE_DEBUGGER_SUPPORT not defined) and adds full check for the full compiler for lazily compiled code.
Review URL: http://codereview.chromium.org/2163006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4716 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
- New сardmarking write barrier handles large objects and normal objects in a similar fashion (no more additional space for pointer tracking is required, no conditional branches in WB code).
- Changes to enable oldspaces iteration without maps decoding:
-- layout change for FixedArrays: length is stored as a smis (initial patch by
Kevin Millikin)
-- layout change for SharedFunctionInfo: integer fields are stored as smi on
arm, ia32 and rearranged on x64.
-- layout change for String: meaning of LSB bit is fliped (1 now means hash not
computed); on x64 padding is added.
-- layout of maps is _not_ changed. Map space is currently iterated in a special
way.
Review URL: http://codereview.chromium.org/2144006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4715 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
-- layout change for FixedArrays: length is stored as a smis (initial patch by Kevin Millikin)
-- layout change for SharedFunctionInfo: integer fields are stored as smi on arm, ia32 and rearranged on x64.
-- layout change for String: meaning of LSB bit is fliped (1 now means hash not computed); on x64 padding is added.
-- layout of maps is _not_ changed. Map space is currently iterated in a special way.
- Cardmarking write barrier. New barrier handles large objects and normal objects in a similar fashion (no more additional space for pointer tracking is required, no conditional branches in WB code).
Review URL: http://codereview.chromium.org/2101002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4685 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This makes the full compiler handle all constructs on ia32. However the syntax checker for the full compiler is still the same so for both normal operation and with the flag --always-full-compiler the coverage of the full compiler will be the same.
This is on preparation for improving the debugger break point experience where the plan is to only use code from full code generator when debugging JavaScript.
Runs all tests on all three platforms in release and debug mode. The tests also run with both the following flags to the test runner
--special-command="@ --nofull-compiler"
--special-command="@ --always-full-compiler"
The changes to the x64 and ARM architectures are mainly structural due to the change to EmitVariableAssignment to handle initialization of const variables.
Review URL: http://codereview.chromium.org/1989012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4676 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Chromium build.
v8.gyp no longer sets any V8_TARGET_ARCH_* macro on the Mac. Instead, the
proper V8_TARGET_ARCH_* macro will be set by src/globals.h in the same way as
the V8_HOST_ARCH_* macro when it detects that no target macro is currently
defined. The Mac build will attempt to compile all ia32 and x86_64 .cc files.
#ifdef guards in each of these target-specific source files prevent their
compilation when the associated target is not selected. For completeness,
these #ifdef guards are also provided for the arm and mips .cc files.
BUG=706
TEST=x86_64 Mac GYP/Xcode-based Chromium build (still depends on other changes)
Review URL: http://codereview.chromium.org/2133003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4666 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Also check more than one character at a time.
16-bit immediates requires a prefix that changes the length of the instruction.
This causes predecoder mispredictions and subsequent pipeline stalls.
Also removed redundant "atStart" local variable which is equivalent to startIndex == 0.
Review URL: http://codereview.chromium.org/1988009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4639 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
of having a list of virtual frame pointers in the jump
target we have one virtual frame, which is the frame that
all have to merge to to branch to that frame. The virtual
frame in the JumpTarget is inside the JumpTarget, rather than
being an allocated object that is pointed to. Unfortunately
this means that the JumpTarget class has to be able to see
the size of a VirtualFrame object to compile, which in turn
lead to a major reorganization of related .h files. The
actual change of functionality in this change is intended
to be minimal (we now assert that the virtual frames match
when using JumpTarget instead of just assuming that they do).
Review URL: http://codereview.chromium.org/1961004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4631 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Added a simple new space check on the elements fixed array which can allow
updating with other values than smis without updating the remembered set.
Also combined the positive smi and range check so that a separate smi check can be avoided when the key is known to be a smi.
This is a port of r4543.
Review URL: http://codereview.chromium.org/1702013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4547 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
A reference to the caches array was embedded directly into the builtin
code and this allowed sharing objects between contexts.
Unfortunately, clearing the cache on GC won't prevent sharing so we
either have to have per-context builtin code or load the cache
indirectly from the current context. This change implements the second
approach. The first approach may be interesting to consider in the
future for some perfomance critical functions, and the current
approach can still be improved by putting the caches directly into the
global context (or even global objects).
Review URL: http://codereview.chromium.org/1731002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4486 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
(Fixed handling of out-of-bounds keys.)
String keyed load used to call STRING_CHAR_AT builtin that performs
two steps (get a char code, construct a one-char string from the
code), both of which have fast cases implemented as inline runtime
functions. In this chage most of the code from these functions is
extracted to a set of common generator functions in StringStubBase and
the fast cases are grouped together in the IC code.
Review URL: http://codereview.chromium.org/1582041
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4450 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
String keyed load used to call STRING_CHAR_AT builtin that performs
two steps (get a char code, construct a one-char string from the
code), both of which have fast cases implemented as inline runtime
functions. In this chage most of the code from these functions is
extracted to a set of common generator functions in StringStubBase and
the fast cases are grouped together in the IC code.
Review URL: http://codereview.chromium.org/1539039
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4444 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We need to be careful to check global property cells for the property
encountered during lookup. Therefore, the ICs have to be specific to
the name of the property if global objects are involved. In
principle, this means that we could get a large number of monomorphic
ICs for the same map if there is a global object in the prototype
chain. However, since this is only done for normal load ICs and not
for keyed load ICs I do not expect this to be a problem. I will
experiment with it once this goes in.
BUG=675
Review URL: http://codereview.chromium.org/1559033
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4426 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
In the CEntryStub keep track of the actual skew from the correct alignment to ensure proper alignment before calling the runtime. Add checks to test the expected skew when running on hardware.
Use the PrepareCallCFunction/CallCFunction in a few other places.
Add check to the ARM simulator for correct alignment.
Add option --sim-stack-alignment to set the stack alignment in the simulator. Currntly only values 4 and 8 makes sense. 8 is the default to make snapshots generated with the simulator work on hardware requiring 8 byte stack alignment.
Review URL: http://codereview.chromium.org/1530043
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4425 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This re-applies r4220 and r4233, which was reverted in r4254 due to a bug. This bug has now been fixed, with the only change being line 2884 changed from
__ SmiTag(left_side->reg());
to
__ SmiTag(operand->reg());
Added a regression test.
BUG=http://crbug.com/39160
TEST=test/mjsunit/regress/regress-crbug-39160.js
Review URL: http://codereview.chromium.org/1251009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4261 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Instead of testing the value of a constant frame element to determine
the type we compute its type information at construction time.
This speeds up querying the type information during code generation.
This change also adds support for Integer32 constants and sets
the type information accordingly.
Review URL: http://codereview.chromium.org/1277001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4256 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
registration of external references in Proxy objects).
I moved the declaration of the two functions to stub-cache.h
because with all the types they use it's hard to declare them
anywhere else. But the actual definition is still in runtime.cc
near to the place where they are used.
Review URL: http://codereview.chromium.org/1079012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4231 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Previously we marked compare operations that occurred as for loop
conditions so as to avoid inlining the floating-point code for them.
Begin marking all expressions that occur as any loop condition
(because they are never dead code).
Review URL: http://codereview.chromium.org/1074009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4227 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Inline floating point compare instead of calling the stub when the following conditions are met:
* Code is in a loop
* Compare is not a for loop condition
* Compare is not an equal comparison
This inlined code handles heap number to heap number and heap number to smi compare. It can also handle smi to smi compare, but whenever there is a chance of comparing two smis the smi compare is inlined before the inlined floating point compare. Support for non SSE2 hardware is included.
A new set of variants of the compare stub without the floating point comparison code is called if the inline comapre fails due to the operands not beeing heap numbers or smis.
The virtual frame has been extended with a branch taking two live results to be carried through to the destination. This makes this change much simpler as the inlined code have two live results in registers and a number of bailouts.
CompareStub::GetName needs to be updated as well. I will do that as a separate change.
Also inlined equality check if both operands can't be NaN. This can only provide positive equals if it is the same object.
Review URL: http://codereview.chromium.org/1117011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4220 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We may encounter an invalid frame after generating code
for the loop body in case the loop body ends in an unconditional
return. Before setting the type information for the loop variable
we need to check for a valid frame.
Review URL: http://codereview.chromium.org/1106002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4182 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
With my previous change to limit memory for object literals, we get more slow-case elements and this makes up for the slowdown when loading from those slow-case elements.
The most complicated part here is the computation of the integer hash code. We might want to simplify the integer hash function.
Review URL: http://codereview.chromium.org/857003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4109 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The inline runtime functions are now included in the fuzzing of the natives. The chack for the expected number of arguments passed have been moved to the parser which will generate a syntax error if a runtime function (either C++ or inline) is called with a different number of arguments than expected.
Review URL: http://codereview.chromium.org/573056
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4096 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This change adds a pass over the AST that computes the
set of assigned variables for locals and parameters for each expression.
The result of this analysis is used to for two purposes:
1. Recognize variables that are trivial subexpressions. A left sub-expression
of a binary operation is trivial if it is a local variable or a parameter
and it is not assigned in the right sub-expression. In the case of a
trivial left sub-expression we evaluate the right first.
Currently only binary operations and compare operations are considered
when finding trivial left sub-expressions.
2. Recogize certain simple for-loops with a constant trip count where the loop
variable is always within smi range. If the loop count variable is not
assigned in the body of the loop (except in the update expression the
for-loop). This allows omitting smi checks on operation using the loop
count variable.
Review URL: http://codereview.chromium.org/669155
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4087 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When Array(0) or new Array(0) is handled by the generated code it is handled
by the same code as Array() and new Array(). For this to work the stack is
tweaked to remove the argument of value 0. However the argc was still passed
as 1 if a call to the runtime system was made.
When the stack is tweaked argc is also changed to 0.
BUG=634
TEST=test/mjsunittest/mjsunit/regress/regress-634.js
Review URL: http://codereview.chromium.org/668155
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4038 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Introducing a virtual-frame-inl.h file containing some platform-independent
virtual frame function which are small enough to be inlined.
Removed unnecessary #include of virtual-frame.h from register-allocator-inl.h
and added the necessary explicit includes in a number of files.
Review URL: http://codereview.chromium.org/660104
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3962 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
A list of bailout descriptions is kept in the CompilationInfo
structure that is shared between the primary and secondary code
generators. The primary adds a description to the list for each
bailout position.
Responsibility for binding labels is moved from the primary to the
secondary code generator. All the labels still target the start of the
secondary code and the compilation state of the primary is still
ignored.
Move the compilation mode flag to the CompilationInfo.
Review URL: http://codereview.chromium.org/651031
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3920 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Add a (currently) syntactic predicate to AST expression nodes telling
whether they are 'trivial'. Trivial expressions have no side effects,
do not require storage to be allocated for them, and can be evaluated
out of order (because their value does not change between when they
are visited by the code generator as expressions in the AST and when
it is consumed).
Mark 'this' and literals as trivial. Allow them to be pushed on the
virtual frame. Make use of them to push 'this' more lazily in this
property assignments.
Review URL: http://codereview.chromium.org/647018
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3906 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Replaced IsValid by IsPropertyOrTransition and used IsProperty in most
of the places where IsValid was used before. Most of the time when
inspecting a lookup result we really want to know if there is a real
property present. Only for stores are we interested in transitions.
BUG=http://crbug.com/20104
TEST=cctest/test-api/NamedInterceptorMapTransitionRead
Review URL: http://codereview.chromium.org/647015
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3901 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Fix for issue 603.
Revision r3484 removed the property name from the call stack for
call ICs. When a non-function was called via a call IC and
Function.prototype.call, an extra value was left on the stack that the
caller could not know to clean up.
Fix is to change the JS builtin used for calling non-functions. It
now gets the callee as receiver, rather than iterating stack frames
and finding it on the expression stack of its JS caller.
Review URL: http://codereview.chromium.org/604064
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3882 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Currently we only pass a boolean parameter indicating whether
the input operands to the GenericBinaryOpStub are guaranteed
to be numbers or not.
Instead we pass the complete number type as a parameters. This
allows to use more precise type information for code generation
in the stub.
Also make the computation of the result type more precise and correct on both ia32 and x64.
Review URL: http://codereview.chromium.org/593110
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3873 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
NumberToString in runtime JavaScript is inlined through a call to a stub. Currently the stub only checks the number string cache and only if the number is a smi. Code is shared with the inlining of number string cache lookup when adding a smi to a string.
Review URL: http://codereview.chromium.org/604062
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3865 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Each frame element gets a new attribute with number type information. A frame element can be:
- smi
- heap number
- number (i.e. either of the above)
- or something else.
The type information is propagated along with all virtual frame operations.
Results popped from the frame carry the number information with them.
Two optimizations in the code generator make use of the new
information:
- GenericBinaryOpSyub omits map checks if input operands are numbers.
- Boolean conversion for numbers: Emit inline code for converting a number (smi or heap number) to boolean. Do not emit call to ToBoolean stub in this case.
Review URL: http://codereview.chromium.org/545007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3861 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
All two character string results from adding two strings and from sub string used to be handled in the runtime system as a lookup in the symbol table was done before allocating a new string. The native code for string add and sub string now probes the symbol cache for two character strings to avoid the runtime call. If the result string is not found in the symbol table within a fixed number of probes a new string is just allocated. Newly allocated two character strings are not added to the symbol table immediately.
Review URL: http://codereview.chromium.org/598062
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3842 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Initial implementation of ad hoc must-be-smi tracking in the fast code
generator. Type information is used to avoid the write barrier for
smi property stores and to avoid the smi check for the inputs/output
of bitwise OR.
Review URL: http://codereview.chromium.org/597021
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3833 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
function instead of baking in the address of the first one that we see
in code.
This removes the need for fixups processing and makes the stubs safe
when there is no natives cache and therefore multiple versions of the
builtin functions.
Review URL: http://codereview.chromium.org/594009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3832 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Support a binary operation (bitwise OR) so long as it's not nested in
the left subexpression. This ensures that the expression stack never
has height greater than two and so can be kept fully in registers.
The bounded expression stack height and the absence of any side
effects on the fast path allows us to still bailout out to the very
beginning of the function if any of our fast-path checks fail.
Review URL: http://codereview.chromium.org/594008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3822 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This is a first step towards loading globals directly from property cells instead
of going through a load IC.
This change supports only properties with the DontDelete attribute since
we are only able to bailout into the generic code generated by the secondary
code generator the beginning of a function. The resulting fast-case code is
specialized for a specific context. When invoked with a different global object,
it will always bailout to the secondary code.
When loading a property that does not exist at compile-time or a property
that is deleteable we still generate the generic load IC.
Review URL: http://codereview.chromium.org/565034
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3808 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
bailouts. For now the virtual-frame state at entry of a function is
hard-coded when using the virtual-frame based compiler as the
secondary compiler.
Setup frame pointer correctly on function entry on ARM in
fast-codegen-arm.
Review URL: http://codereview.chromium.org/569010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3776 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
on ia32.
1. Operate on the values in edx,eax when possible (all operations
except DIV and MOD). This saves moving them on entry and when falling
out to the non-smi code.
2. Do not perform ADD and SUB before the smi check of their inputs.
This saves undoing the operation in the case that we fall through to
the non-smi case due to non-smi inputs (probably common?), and we can
avoid emitting the smi check code twice (code size reduction).
3. Don't perform OR twice (once to smi check the inputs and once to
smi check the result).
Review URL: http://codereview.chromium.org/556019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3712 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
As the start index is already passed it is easy to calculate the "at start" boolean in generated code. Also as direct entry has been implemented this needs to be done in generated code anyway, and therefore might as well be moved to the generated code for RegExp. The "at start" value is now calcualted as a local variable on the native RegExp frame based on the value of the start index argument.
The x64 version have been tested on both Linux and 64-bit Windows Vista.
For ARM I have tested cctest/test-regexp on ARM hardware, but the rest of the tests have only been run on the ARM simulator.
Review URL: http://codereview.chromium.org/554078
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3709 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Currently arguments are never passed on registers (due to the way ArgsInRegistersSupported is written) and
if they were, the stub would break in several places because registers are not preserved properly in the
course of execution. This CL makes use of registers more often (than never) and makes sure that registers are
handler properly.
A peformance gain is small (0.2-0.3%) but stable.
This CL was extracted from the one sent out earlier (http://codereview.chromium.org/551093).
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3692 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This is a preparation step for including number type information
in the virtual frame. We need a common place where we can update
the number type information of the result of a binary operation
since we should not modify the state of the virtual frame elements
directly.
Review URL: http://codereview.chromium.org/551080
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3661 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
generator.
Contexts are no longer stored in the AST but in the code generator's
state. This means that the running the code generator selector is not
required to use the toplevel code generator (for instance, if we
already know that we can and should use it).
Review URL: http://codereview.chromium.org/546075
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3645 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When a function is called with a value type as the receiver this is now boxed as an object.
This is a low-impact solution where the receiver is only boxed when required. For IC calls to the V8 builtins values are not boxed and as most of the functions on String.prototype, Number.prototype and Boolean.prototype are sitting there most IC calls on values will not need any boxing of the receiver.
For calls which are not IC calls but calls through the CallFunctionStub a flag is used to determine whether the receiver might be a value and only when that is the case will the receiver be boxed.
No changtes to Function.call and Function.apply - they already boxed values. According to the ES5 spec the receiver should not be boxed for these functions, but current browsers have not adopted that change yet.
BUG=223
TEST=test/mjsunit/value-wrapper.js
TEST=test/mjsunit/regress/regress-crbug-3184.js
Review URL: http://codereview.chromium.org/542087
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3617 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
in particular).
* Called function is passed on the stack instead of
using a static variable.
* Builtins that don't need the called function don't
get it.
* Made is_construct statically known to HandleApiCall
by setting custom construct stub for API functions.
Review URL: http://codereview.chromium.org/536065
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3613 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
* Refactor VisitProperty to use the platform-specific methods for emitting the IC calls.
* Refactor recording of source positions in the top-level compiler.
* Correct the recorded source positions for assignments and property loads.
* Fix bug on x64 where source positions were not recorded before a calling a call-IC.
* Correct some inconsistencies between IA-32 and X64 top-level code generator.
We now pass all regression tests with
--always-fast-compiler.
Review URL: http://codereview.chromium.org/550043
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3612 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Replace runtime call to NumberAdd with call to binary op stub.
Until now the top-level compiler always called a runtime function
for count operations.
In some places we expected in the JS builtins smis as arguments.
If we perform a count operation before all smis would get converted into
heap numbers by the runtime number add function and result in a runtime
assert.
Also: Add missing debugger information in the top-level compiler for
do-while loops.
Review URL: http://codereview.chromium.org/548029
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3610 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When initializing the special local variable containing the reference to the enclosing
function in named functions we now (correctly) emit an INIT_CONST instead of INIT_VAR,
and we correctly bail out in the top-level code generator.
Also part of this change is adding missing statement position information
for some statements in the top-level code generator.
Review URL: http://codereview.chromium.org/536029
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3587 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
* Rename the operation of filling a context with a value. Formerly it
was 'Move', now it's 'Apply' so as to avoid confusion with various
other Moves (eg, in the toplevel codegen, in the macro assemblers).
* Use the abstraction Drop rather than math on the stack pointer.
* Add a predicate on AST expression nodes to abstract a repeated test
whether we should us a regular (named) IC or a keyed IC.
Review URL: http://codereview.chromium.org/546006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3580 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Added newly added instructions to test-disasem-ia32.cc and implemented the missi
ng ones in the disasembler.
Added some asserts to 8-bit instructions which only work with eax, ebx, ecx and
edx (al, bl, cl and dl).
Removed the loope instruction.
Review URL: http://codereview.chromium.org/548002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3577 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Instead of going through a runtime function for keyed loads
on strings we invoke a separate specialized stub that
assumes string as receiver type and the key to be a number.
The stub calls a JS builtin function to return the corresponding one-character string.
Review URL: http://codereview.chromium.org/521041
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3556 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Added a stub to allocate and fill a string object with a substring from another string.
Use the rep movs instruction to copy the string data as it turned out to be the fastest way.
While preparing this I experimented with some SSE2 instructions, so the instructions movdqa and movdqu are still in the IA-32 assembler even though they are not used.
Review URL: http://codereview.chromium.org/525085
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3554 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Calls to RegExp no longer have to be via a call to the runtime system. A new stub have been added which can handle this call in generated code. The stub checks all the parameters and creates RegExp entry frame in the same way as it is created by the runtime system. Bailout to the runtime system is done whenever an uncommon situation is encountered or when the static data used is not initialized. After running the native RegExp code the last match info is updated like in the runtime system.
Currently only ASCII strings are handled.
Added another argument to the RegExp entry frame. It indicated whether the call is direct from JavaScript code or through the runtime system. This information is used when RegExp execution is interrupted. If an interruption happens when RegExp code is called directly a retry is issued causing the interruption to be handled via the runtime system. The reason for this is that the direct call to RegExp code does not support garbage collection.
Review URL: http://codereview.chromium.org/521028
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3542 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
generator.
The Slot::Type enumeration has four values. It should never be
necessary to use a default to handle the case of a value out of range
of the enumeration. Doing so silences a useful warning when one of
the enumeration values is actually forgotten or when a new enumeration
value is added.
Review URL: http://codereview.chromium.org/521019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3532 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Until now we only supported postfix operations on global variables.
This change add generic count operations to the top-level compiler.
I tried to re-use code from the code generator used for assignment expressions
where possible.
Review URL: http://codereview.chromium.org/496009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3530 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
If a function contains more than a certain number of locals (IA32: 9, X64: 6, ARM: 4)
a loop for initializing the locals with 'undefined' is more compact.
For less locals we unroll that loop by emitting a sequence of push instructions.
Review URL: http://codereview.chromium.org/515012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3521 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
that attempt to run with a small heap. Additionally, it can
potentially keep a lot of string data alive and it is never flushed.
Can we make it grow dynamically if used so that we can still start the
VM with a small heap size?
Review URL: http://codereview.chromium.org/503081
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3517 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
to floating point and then converting back we convert directly to a
32 bit integer. In addition the bit twiddling implementation of float-
to-integer conversion has been ported from ARM. Testing has shown that
this runs faster than the x87 or SSE3 rounding instructions. This change
is IA32 only. There may be a smaller benefit from doing the same on x64.
Review URL: http://codereview.chromium.org/506052
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3492 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
callback load (or keyed load) IC.
The problem was that the IC code calls a stub, which can allocate and
thus trigger a GC if the stub is not already generated. Problem is
solved by adding the ability to "try" to call a stub, trying to
generate the stub code if necessary but signaling an allocation
failure if generating the code is not possible.
Review URL: http://codereview.chromium.org/472002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3440 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When generating code for object and array literals we performed
the check if the a boilerplate already exists in generated code.
In the top-level compiler we now do this check in a new runtime
function. This makes the generated code more compact for top-level code.
Review URL: http://codereview.chromium.org/465148
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3437 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
1. Refactor the structure of VisitAssignment: The existing code is not ideal
to be extended with support for compound assignments.
2. Reuse common code for keyed property assigments: Now variables rewritten
to a property (.arguments access) are treated like normal keyed property
assignments. This allows us to remove some code duplication.
Review URL: http://codereview.chromium.org/456024
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3425 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This adds a code stub which can do most of what Heap::AllocateConsString can do. It bails out if the result cannot fit in new space or if the result is a short (flat) string and one argument is an ascii string and the other a two byte string. It also bails out if adding two one character strings as Heap::AllocateConsString has special handling of this utilizing the symbol table. The stub is used both for the binary add operation and for StringAdd calls from runtime JavaScript files. Extended the string add test to cover all sizes of flat result stings.
Review URL: http://codereview.chromium.org/442024
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3400 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The different length string types was used to encode the string length and the hash in one field. This is now split into two fields one for length and one for hash. The hash field still encodes the array index of the string if it has one. If an array index is encoded in the hash field the string length is added to the top bits of the hash field to avoid a hash value of zero.
On 32-bit this causes an additional 4 bytes to be used for all string objects. On 64-bit this will be half on average dur to pointer alignment.
Review URL: http://codereview.chromium.org/436001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3350 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Summary:
This change fixes a performance regression introduced by the special
handling of regular expressions in typeof expressions.
As a result we regain ~8% speedup on 3d-raytrace and ~13% on boyer
(vs bleeding edge)
Description:
The macros IS_OBJECT and IS_FUNCTION are frequently used in the
JS runtime functions.
By introducing new inlined runtime functions %_IsFunction and %_IsObject
we avoid invoking the more expensive %_ClassOf function plus comparing
its result to a string.
Review URL: http://codereview.chromium.org/399111
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3335 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Change name of shifts picking the shift count from cl to sal_cl, shl_cl and shr_cl.
Add special encoding of shift by one for shr which was missing it.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3314 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This change fixes the problem with the original version of this approach
(r3032) that may lead to a corrupted stack if we would invoke spilling during
syncing a large SMI constant (unsafe SMIs) in the virtual frame.
The new code for storing unsafe SMI constants does not use an extra temporary
register. This prevents the compiler from ever having to spill during a
virutal frame sync operation.
For storing a large SMI constant we previously generated:
mov ecx, (large_smi & 0x0000ffff)
xor ecx, (large_smi & 0xffff0000)
push ecx
we now generate:
push (large_smi & 0x0000ffff)
or [esp], (large_smi & 0xffff0000)
Not using a temporary register avoids spilling within an nvocation
of VirtualFrame::SyncRange.
Review URL: http://codereview.chromium.org/391079
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3313 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Condition block of do/while statements is a valid break location so it should have its own position. The block is represented by a regular Expression node so we cannot store the position in it, instead the position is stored in a separate field in DoWhileStatement AST node.
BUG=514
Review URL: http://codereview.chromium.org/385136
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3312 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This optimization is already done on x64 and ARM.
Until now we used a push immediate for each local variable on IA32:
push $undefined
push $undefined
...
to initialize each local variable. This change does:
mov eax, $undefined
push eax
push eax
...
Review URL: http://codereview.chromium.org/393009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3304 ce2b1a6d-e550-0410-aec6-3dcde31c8c00