When Array(0) or new Array(0) is handled by the generated code it is handled
by the same code as Array() and new Array(). For this to work the stack is
tweaked to remove the argument of value 0. However the argc was still passed
as 1 if a call to the runtime system was made.
When the stack is tweaked argc is also changed to 0.
BUG=634
TEST=test/mjsunittest/mjsunit/regress/regress-634.js
Review URL: http://codereview.chromium.org/668155
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4038 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Moved all the logic to a function on SharedFunctionInfo (including the flag check) to make things more readable.
Changed the check for setter to do a lookup for a named setter for each of the properties assigned in the constructor.
Added tests using accessors and interseptors set through the API.
Added fast case objects to the mjsunit test.
TEST=test/mjsunit/setter-on-constructor-prototype.js
TEST=test/cctest/test-api/SetterOnConstructorPrototype
TEST=test/cctest/test-api/InterceptorOnConstructorPrototype
Review URL: http://codereview.chromium.org/619006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3893 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Fix for issue 603.
Revision r3484 removed the property name from the call stack for
call ICs. When a non-function was called via a call IC and
Function.prototype.call, an extra value was left on the stack that the
caller could not know to clean up.
Fix is to change the JS builtin used for calling non-functions. It
now gets the callee as receiver, rather than iterating stack frames
and finding it on the expression stack of its JS caller.
Review URL: http://codereview.chromium.org/604064
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3882 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Simple objects which are constructed without calling the actual constructor function did not take setters defined on prototype chain of the new object into account.
Constructing objects this way is now not done if there are setters involved on the prototype chain of the new object.
This only fixes the case where the setter is found when the first object from a constructor is created. If the prototype chain is changed new objects will on take any change to setters into account.
TEST=test/mjsunit/setter-on-constructor-prototype.js
Review URL: http://codereview.chromium.org/606062
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3879 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This change add simple local live variable information to
the fast code generator. It supports only AST nodes that
are accepted by the syntax checker.
Each variable use points to a variable definition structure
which contains the last use of the definition.
To determine whether a variable is live after a certain point
we can check whether its last use occurs later in the evaluation
order defined by the AST labeling number.
The new information is currently only printed out together with
the IR and not yet used for code generation.
Review URL: http://codereview.chromium.org/603004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3839 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Do not use the speculative compiler for functions with other than one
statement in the body, and do not use it if subexpressions can have
side effects. Bailing out to the beginning of the full code is not
sound if side effects have already occurred.
Add tests that would fail without the restrictions.
Review URL: http://codereview.chromium.org/598016
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3826 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Support a binary operation (bitwise OR) so long as it's not nested in
the left subexpression. This ensures that the expression stack never
has height greater than two and so can be kept fully in registers.
The bounded expression stack height and the absence of any side
effects on the fast path allows us to still bailout out to the very
beginning of the function if any of our fast-path checks fail.
Review URL: http://codereview.chromium.org/594008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3822 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
on functions that takes five or more arguments. Original version runs
for a long time when there is 5 arguments in a runtime function (45+
seconds). The fuzzer can be run with all arguments on all functions
regardless of the number of arguments by setting
RUN_WITH_ALL_ARGUMENT_ENTRIES to true in fuzz-natives.js
Review URL: http://codereview.chromium.org/598011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3819 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This is a first step towards loading globals directly from property cells instead
of going through a load IC.
This change supports only properties with the DontDelete attribute since
we are only able to bailout into the generic code generated by the secondary
code generator the beginning of a function. The resulting fast-case code is
specialized for a specific context. When invoked with a different global object,
it will always bailout to the secondary code.
When loading a property that does not exist at compile-time or a property
that is deleteable we still generate the generic load IC.
Review URL: http://codereview.chromium.org/565034
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3808 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
this causes the debug check to fails since type() asserts that the
lookup_type != NOT_FOUND. This does not change any functionality since we
explicitly checked if it was one of the three types that we need to delete.
Also changed defineProperties in v8natives to actually return the object
being defined (as specified by spec)
Review URL: http://codereview.chromium.org/572003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3794 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
DefineOwnProperty (changed to allow for redefinition of existing property)
SameValue
Extra info on propertydescriptor
GetProperty
HasProperty
Currently the DefineOrRedefineAccessorProperty deletes the existing
property on the object if it is a dataproperty (FIELD or NORMAL) and
adds a new one. This can potentially be optimized.
Review URL: http://codereview.chromium.org/555149
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3786 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When functions only have simple assignments of the form this.x = ... the object is created in generated code without actually calling the constructor. In this case the initial map for the function already contains the properties assigned in the constructor. The field descriptors in this initial map now has an enumeration index assigned to make property enumeration order the insertion order. The insertion order here is the order of the this.x assignments in the code.
BUG=http://crbug.com/3867
TEST=test/mjsunit/regress/regress-crbug-3867.js
Review URL: http://codereview.chromium.org/566016
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3768 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The problem appeared due to a fact that stubs doesn't create a stack
frame, reusing the stack frame of the caller function. When building
stack traces, the current function is retrieved from PC, and its
callees are retrieved by traversing the stack backwards. Thus, for
stubs, the stub itself was discovered via PC, and then stub's caller's
caller was retrieved from stack.
To fix this problem, a pointer to JSFunction object is now captured
from the topmost stack frame, and is saved into stack trace log
record. Then a simple heuristics is applied whether a referred
function should be added to decoded stack, or not, to avoid reporting
the same function twice (from PC and from the pointer.)
BUG=553
TEST=added to mjsunit/tools/tickprocessor
Review URL: http://codereview.chromium.org/546089
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3673 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
non-optimizing compiler can cope with. By default it bails out
to the old compiler on encountering a for loop (for performance)
but with this change the --always-fast-compiler flag will enable
functions with for loops to be compiled in the non-optimizing
compiler. Also enables the non-optimizing compiler on functions
that can be lazily compiled (again only with the flag).
Review URL: http://codereview.chromium.org/552065
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3667 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When a function is called with a value type as the receiver this is now boxed as an object.
This is a low-impact solution where the receiver is only boxed when required. For IC calls to the V8 builtins values are not boxed and as most of the functions on String.prototype, Number.prototype and Boolean.prototype are sitting there most IC calls on values will not need any boxing of the receiver.
For calls which are not IC calls but calls through the CallFunctionStub a flag is used to determine whether the receiver might be a value and only when that is the case will the receiver be boxed.
No changtes to Function.call and Function.apply - they already boxed values. According to the ES5 spec the receiver should not be boxed for these functions, but current browsers have not adopted that change yet.
BUG=223
TEST=test/mjsunit/value-wrapper.js
TEST=test/mjsunit/regress/regress-crbug-3184.js
Review URL: http://codereview.chromium.org/542087
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3617 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Until now we only supported postfix operations on global variables.
This change add generic count operations to the top-level compiler.
I tried to re-use code from the code generator used for assignment expressions
where possible.
Review URL: http://codereview.chromium.org/496009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3530 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
On 32-bit the maps are now aligned on a 32-byte boundary in order to encode more maps during compacting GC. The actual size of a map on 32-bit is 28 bytes making this change waste 4 bytes per map.
On 64-bit the encoding for compacting GC is now using more than 32-bits and the maps here are still pointer size aligned. The actual size of a map on 64-bit is 48 bytes and this change does not intruduce any waste.
My choice of 16 bits for kMapPageIndexBits for 64-bit should give the same maximum number of pages (8K) for map space. As maps on 64-bit are larger than on 32-bit the total number of maps on 64-bit will be smaller than on 32-bit. We could consider raising this to 17 or 18.
I moved the kPageSizeBits to globals.h as the calculation of the encoding really depended on this.
There are still an #ifdef/#endif in objects.h and this constant could be moved to globaks.h as well, but I kept it together with the related constants.
All the tests run in debug mode with additional options --gc-global --always-compact as well (except for a few tests on which also fails before this change when run with --gc-global --always-compact).
BUG=http://code.google.com/p/v8/issues/detail?id=524
BUG=http://crbug.com/29428
TEST=test/mjsunit/regress/regress-524.js
Review URL: http://codereview.chromium.org/504026
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3481 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This adds a code stub which can do most of what Heap::AllocateConsString can do. It bails out if the result cannot fit in new space or if the result is a short (flat) string and one argument is an ascii string and the other a two byte string. It also bails out if adding two one character strings as Heap::AllocateConsString has special handling of this utilizing the symbol table. The stub is used both for the binary add operation and for StringAdd calls from runtime JavaScript files. Extended the string add test to cover all sizes of flat result stings.
Review URL: http://codereview.chromium.org/442024
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3400 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Condition block of do/while statements is a valid break location so it should have its own position. The block is represented by a regular Expression node so we cannot store the position in it, instead the position is stored in a separate field in DoWhileStatement AST node.
BUG=514
Review URL: http://codereview.chromium.org/385136
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3312 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
