AuroraMiddleware/v8 - v8 - Gitea: Git with a cup of tea

Author	SHA1	Message	Date
hpayer@chromium.org	dde49c9dc3	Set max new space size in tests to proper MB value. Revert "Limit old space size in test which require a large new space." This reverts commit r21103. Revert "Remove max space limits in tests." This reverts commit r21104. BUG= R=jkummerow@chromium.org Review URL: https://codereview.chromium.org/263103006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@21149 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-05-05 16:48:33 +00:00
ishell@chromium.org	b4c1eda032	Checks for empty array case added before casting elements to FixedDoubleArray. BUG=chromium:369450 LOG=N R=bmeurer@chromium.org Review URL: https://codereview.chromium.org/264973008 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@21118 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-05-02 11:30:24 +00:00
svenpanne@chromium.org	7bfc426fc9	Object.defineProperty shouldn't be a hint that we're constructing a dictionary. BUG=362870 LOG=y R=bmeurer@chromium.org Review URL: https://codereview.chromium.org/261583004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@21109 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-05-02 06:02:00 +00:00
hpayer@chromium.org	56d0b9757e	Remove max space limits in tests. BUG= Review URL: https://codereview.chromium.org/263703003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@21104 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-30 19:32:47 +00:00
hpayer@chromium.org	3dd05f8fc7	Limit old space size in test which require a large new space. BUG= Review URL: https://codereview.chromium.org/265673003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@21103 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-30 18:57:25 +00:00
mvstanton@chromium.org	5e2ee2bac2	A new test needs to exit early on non-internationalization builds. R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/265513003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@21078 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-30 09:04:17 +00:00
mstarzinger@chromium.org	129c58c47d	Fix some more missing ToObject on Array.prototype. R=mvstanton@chromium.org BUG= Review URL: https://codereview.chromium.org/254103002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@21077 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-30 08:52:00 +00:00
mvstanton@chromium.org	0c3e70a3b6	Bugfix: internationalization routines fail on monkeypatching. Calls to Object.defineProperty() and Object.apply() are not safe. R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/253903003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@21071 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-30 07:36:12 +00:00
yangguo@chromium.org	1a9649ae13	Error stack getter should not overwrite itself with a data property. R=ulan@chromium.org BUG=v8:3294 LOG=Y Review URL: https://codereview.chromium.org/258933007 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@21016 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-28 12:14:36 +00:00
jarin@chromium.org	ff884e06ae	Fix materialization of accessor frames with captured receivers I have fixed skipping of the receiver object to materialize captured objects. This is done with a new DoTranslateSkip method. We should consider unifying DoTranslateSkip, DoTranslateObject and DoTranslateCommand as they do the almost the same thing - they only differ in where they store the result. The change also turns bunch of ASSERTs into CHECKs. R=mstarzinger@chromium.org BUG=359441 TEST=test/mjsunit/regress/regress-359441.js LOG=N Review URL: https://codereview.chromium.org/225283006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20978 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-25 12:58:15 +00:00
jarin@chromium.org	d557425a0c	Preserve Smi representation of non-escaping fields. R=mstarzinger@chromium.org BUG= Review URL: https://codereview.chromium.org/251493004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20971 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-25 11:29:02 +00:00
verwaest@chromium.org	d2179f2062	Don't adopt the AST id from previous if id is none, since previous may have mismatching expected stack height. Additionally, harden merging of simulates after instructions with side effects and ensure there's a simulate before HEnterInlined. R=jarin@chromium.org Review URL: https://codereview.chromium.org/252583004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20967 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-25 09:52:11 +00:00
hpayer@chromium.org	20107bf2d8	Remove lazy sweeping. BUG= R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/254603002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20966 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-25 09:50:42 +00:00
verwaest@chromium.org	a55821eef2	Mark the simulate before EnterInlined with BailoutId::None(), and set ReturnId on EnterInlined. When merging simulates into the simulate before enter-inlined, adopt the last AST id that gets merged into it. BUG=v8:3282 LOG=n R=titzer@chromium.org Review URL: https://codereview.chromium.org/257583004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20949 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-24 15:20:53 +00:00
bmeurer@chromium.org	052f9e9b6d	Make DescriptorArray::IsMoreGeneralThan() and DescriptorArray::Merge() compatible again. BUG=365172 LOG=y TEST=mjsunit/regress/regress-365172-[1-3] R=svenpanne@chromium.org Review URL: https://codereview.chromium.org/255513005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20922 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-24 08:07:14 +00:00
jarin@chromium.org	8c57b45042	Fix C++ type of Factory::NewFixedDoubleArray. The change fixes the C++ type of Factory::NewFixedDoubleArray to reflect the empty array case, where we return an empty FixedArray (rather than FixedDoubleArray). R=mvstanton@chromium.org BUG= Review URL: https://codereview.chromium.org/249593002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20918 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-24 05:29:00 +00:00
wingo@igalia.com	2194f3f858	Move bug 3280 regression test to mjsunit/harmony R=yangguo@chromium.org BUG= Review URL: https://codereview.chromium.org/248483004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20913 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-23 15:01:30 +00:00
mstarzinger@chromium.org	66ec299808	Fix ToObject and Object.isSealed in four Array builtins. R=mvstanton@chromium.org TEST=mjsunit/regress/regress-builtinbust-6 Review URL: https://codereview.chromium.org/240223006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20909 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-23 12:48:32 +00:00
jarin@chromium.org	783eb25a8c	Avoid setting transitions in-place for cached maps when observed R=verwaest@chromium.org BUG= Review URL: https://codereview.chromium.org/246523004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20900 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-23 09:21:24 +00:00
adamk@chromium.org	71750f7be8	Fix issue with Map/SetIterator and types BUG=v8:3281 LOG=N R=jkummerow@chromium.org Review URL: https://codereview.chromium.org/246993003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20893 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-22 18:14:46 +00:00
wingo@igalia.com	a2ac40aca7	Context-allocate all parameters in generators Generator function scopes have forced context allocation. Ensure that all variables in such scopes get context allocation -- even unused variables. This fixes an assertion when reifying generator scopes in the debugger. R=yangguo@chromium.org LOG=Y BUG=v8:3280 Review URL: https://codereview.chromium.org/246733003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20883 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-22 11:34:16 +00:00
bmeurer@chromium.org	63a477b29b	Clear invalid field maps in PropertyAccessInfo. BUG=363956 TEST=mjsunit/regress/regress-363956 LOG=y R=jarin@chromium.org Review URL: https://codereview.chromium.org/239623005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20788 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-16 09:48:32 +00:00
mstarzinger@chromium.org	e51d6462a7	Fix bogus call to Object.hasOwnProperty in Array builtin. R=mvstanton@chromium.org TEST=mjsunit/regress/regress-builtinbust-5 Review URL: https://codereview.chromium.org/239033002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20766 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-15 12:52:41 +00:00
mstarzinger@chromium.org	39137c81e6	Fix bogus Object.isSealed check in some Array builtins. R=mvstanton@chromium.org Review URL: https://codereview.chromium.org/237253002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20750 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-15 08:25:42 +00:00
ulan@chromium.org	8b445aaa5f	Fix result of LCodeGen::DoWrapReceiver for strict functions and builtins. BUG=362128 LOG=Y TEST=mjsunit/regress/regress-362128 R=jacob.bramley@arm.com Review URL: https://codereview.chromium.org/226363007 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20723 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-14 11:58:18 +00:00
mstarzinger@chromium.org	b280ad6c44	Try to switch Array builtins into strict mode. R=rossberg@chromium.org TEST=mjsunit,test262,webkit Review URL: https://codereview.chromium.org/233083003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20717 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-14 11:24:40 +00:00
ulan@chromium.org	4268ce0abd	Check stack limit in ArgumentAdaptorTrampoline. BUG=353058 LOG=N TEST=mjsunit/regress/regress-353058 R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/215853005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20692 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-11 13:39:19 +00:00
ulan@chromium.org	49d951d043	Do not call user defined getter of Error.stackTraceLimit. Handlify GetNormalizedProperty. BUG=360733 LOG=N R=yangguo@chromium.org Review URL: https://codereview.chromium.org/233243005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20691 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-11 13:16:36 +00:00
jarin@chromium.org	166ec11e43	Avoid type assertion on object comparison in Hydrogen - the comparison is unreachable because of previous checks. BUG= R=yangguo@chromium.org Review URL: https://codereview.chromium.org/232053004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20666 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-11 06:45:24 +00:00
jarin@chromium.org	fd988331ea	There is no definition for HArgumentsObject, so LDummyUse confuses the register allocator. I have recently made similar fix for HCapturedObject (see https://codereview.chromium.org/222283002/). BUG= R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/226613007 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20663 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-11 06:29:51 +00:00
svenpanne@chromium.org	5bddec047d	Do not use ranges after range analysis. Due to the SSA vs. SSI difference, we are only allowed to use the flags computed during range analysis, not the ranges themselves. For the case at hand, there is no such flag, so the condition is simply remvoed. BUG=361608 LOG=y R=bmeurer@chromium.org Review URL: https://codereview.chromium.org/232553004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20645 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-10 09:40:17 +00:00
jarin@chromium.org	008a70c47b	Revert "Make new space iterable when transitioning double array to objects" This reverts r20603. BUG= Review URL: https://codereview.chromium.org/230863003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20626 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-09 13:39:03 +00:00
jarin@chromium.org	57d70c149c	Avoid hydrogen compare-objects-equal assertions in dead code ClusterFuzz test is triggering assertions for dead code. This fix issues HDeoptimize instruction when it finds out that the compare instruction is dead (because of previous checks). R=yangguo@chromium.org BUG=359491 LOG=N Review URL: https://codereview.chromium.org/228883005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20620 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-09 13:08:28 +00:00
yangguo@chromium.org	4df132a878	Fix argument expectation Runtime_StringParseInt. R=svenpanne@chromium.org Review URL: https://codereview.chromium.org/230693002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20614 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-09 12:33:51 +00:00
jarin@chromium.org	69d5b3c155	Make new space iterable when transitioning double array to objects R=hpayer@chromium.org BUG= Review URL: https://codereview.chromium.org/228643002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20603 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-09 09:50:08 +00:00
mstarzinger@chromium.org	e3aec7a587	Fix return value of push() and unshift() on Array.prototype. R=ulan@chromium.org TEST=mjsunit/regress/regress-builtinbust-3 Review URL: https://codereview.chromium.org/230453002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20602 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-09 09:14:56 +00:00
jarin@chromium.org	05670b63bf	Add stack overflow check for inlined property getter We should check for overflow for each inlined property getter; otherwise, we can get an overflow from inlining property getter while still having pending overflow exception from some previous inlined getter (in the same polymorphic access). R=verwaest@chromium.org TEST=test/mjsunit/regress/regress-inline-getter-near-stack-limit.js Review URL: https://codereview.chromium.org/220813003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20588 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-09 07:35:12 +00:00
bmeurer@chromium.org	48e0d81205	Fix invalid local property lookup for transitions. BUG=361025 LOG=y R=verwaest@chromium.org Review URL: https://codereview.chromium.org/224903023 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20570 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-08 09:36:04 +00:00
jarin@chromium.org	c19764595f	Dead code elimination of inlined arguments objects causes wrong deopt info to be generated - instead of materializing the arguments, we get 'undefined'. Golem says the change is perf-neutral. R=mstarzinger@chromium.org BUG= Review URL: https://codereview.chromium.org/208683006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20529 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-07 08:42:34 +00:00
svenpanne@chromium.org	814be9b1b6	Yet another regression test for range analysis. BUG=v8:3204 LOG=y R=bmeurer@chromium.org Review URL: https://codereview.chromium.org/224723016 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20528 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-07 08:04:25 +00:00
mvstanton@chromium.org	eaacd968f1	Fix for v8:3255 Grow KeyedStoreIC doesn't respect String value wrappers BUG=v8:3255 LOG=N R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/226053002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20527 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-07 07:52:24 +00:00
hpayer@chromium.org	5230d8d330	Make sure value is a heap number when reusing the double box in BinaryOpICStub. BUG= R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/216823005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20501 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-04 08:46:49 +00:00
mstarzinger@chromium.org	775d9b022f	Use premordial Object.isSealed/isFrozen in builtins. R=mvstanton@chromium.org Review URL: https://codereview.chromium.org/223473002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20477 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-03 12:23:35 +00:00
jarin@chromium.org	fe37026116	When freezing global object, go through the property cell R=verwaest@chromium.org BUG= Review URL: https://codereview.chromium.org/223613002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20469 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-03 10:43:56 +00:00
jarin@chromium.org	42d2d3cb9d	Do not generate LDummyUse instruction for HCapturedObject LDummyUse confuses the register allocator (since there is no definition for the use). R=mstarzinger@chromium.org BUG= Review URL: https://codereview.chromium.org/222283002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20461 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-03 07:35:13 +00:00
jarin@chromium.org	0b53ed2d2b	Check in Lithium that allocation size in Smi range. This is to avoid triggering an assertion from Smi::FromInt. The generated code is unreachable, so it is not a real bug. R=ulan@chromium.org BUG= Review URL: https://codereview.chromium.org/221743005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20458 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-03 07:04:46 +00:00
jkummerow@chromium.org	511edabed2	Fix HGraphBuilder::BuildAddStringLengths length == String::kMaxLength is fine and should not bail out. BUG=chromium:357052 LOG=n R=yangguo@chromium.org Review URL: https://codereview.chromium.org/222113002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20433 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-02 12:24:42 +00:00
dslomov@chromium.org	19c354b7b0	Support typed arrays in IsMoreGeneralElementsKindTransition. R=verwaest@chromium.org BUG=357054 LOG=Y Review URL: https://codereview.chromium.org/220403004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20410 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-01 16:41:35 +00:00
yangguo@chromium.org	64901004be	Smi immediates are not supported on x64. Do not use it. R=jkummerow@chromium.org BUG=358059 LOG=N Review URL: https://codereview.chromium.org/217083003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20409 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-01 15:32:06 +00:00
mvstanton@chromium.org	d93c906acc	Monomorphic prototype failures should be reserved for already-seen keys. We incorrectly mark a KeyedStoreIC miss as a monomorphic prototype failure even though it's the first time a particular (string) key has been seen. BUG=358088 R=verwaest@chromium.org LOG=N Review URL: https://codereview.chromium.org/219313002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20407 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-01 14:16:54 +00:00
yangguo@chromium.org	10abff3498	Remove internalized cons string types. Currently, internalizing a cons string could result in either an in-place converted internalized cons string or a newly created internalized sequential string, depending on allocation success. The former could end up being embedded into an IC, which is not supported. R=mstarzinger@chromium.org BUG=357103 LOG=N Review URL: https://codereview.chromium.org/218993011 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20394 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-04-01 11:30:31 +00:00
jarin@chromium.org	5607582f3b	We should perform the illegal redeclaration check earlier so that we do not confuse the AST typer with missing type feedback nodes. R=yangguo@chromium.org Review URL: https://codereview.chromium.org/218493007 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20368 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-31 16:45:46 +00:00
rossberg@chromium.org	282a7ca14e	Fix Type::Intersect to skip uninhabited bitsets R=verwaest@chromium.org, bmeurer@chromium.org BUG=chromium:357330 LOG=Y Review URL: https://codereview.chromium.org/219333003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20366 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-31 15:53:21 +00:00
dslomov@chromium.org	b3148d921e	Fix PrepareKeyedOperand on arm. When additional_offset is specified, the 'key' operand can be negative and still pass the bounds check. Therefore, when converting key from Smi, arithmetic and not logical shift must be used. R=verwaest@chromium.org BUG=358057 LOG=Y Review URL: https://codereview.chromium.org/219473002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20363 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-31 15:14:28 +00:00
jarin@chromium.org	d02e1f2c25	Fix left trimming check for large objects BUG=358090 TEST=test/mjsunit/regress/regress-358090.js LOG=N R=hpayer@chromium.org Review URL: https://codereview.chromium.org/213833008 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20362 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-31 15:01:46 +00:00
verwaest@chromium.org	019e27d8db	Reland and fix "Fix LoadFieldByIndex to take mutable heap-numbers into account."" BUG= R=hpayer@chromium.org Review URL: https://codereview.chromium.org/218663005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20358 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-31 14:21:04 +00:00
yangguo@chromium.org	c0fa861726	Do not check for interrupt when allocating stack locals. R=dcarney@chromium.org BUG=357137 LOG=N Review URL: https://codereview.chromium.org/219373004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20357 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-31 14:14:54 +00:00
jochen@chromium.org	163044e7ba	Revert 20348 - "Fix LoadFieldByIndex to take mutable heap-numbers into account." Reason for revert: crashes benchmarks/sunspider/string-fasta on ia32.debug This also reverts r20350 and r20352 > Fix LoadFieldByIndex to take mutable heap-numbers into account. > > BUG= > R=ishell@chromium.org > > Review URL: https://codereview.chromium.org/213213002 BUG=none LOG=n TBR=verwaest@chromium.org Revert "Use sarq on x64" This reverts commit e2a8ef9321345c6bc091054443bf2b9535ff6b1c. Revert "Don't \| int and bool" This reverts commit c90d713d3a8ceba4fec41933a63beb6e50a3d7c0. Review URL: https://codereview.chromium.org/219393002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20354 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-31 13:23:32 +00:00
jochen@chromium.org	b7039334ae	Revert 20313 - "Ship promises and weak collections" > R=mstarzinger@chromium.org > BUG= > > Committed: https://code.google.com/p/v8/source/detail?r=20211 > > Review URL: https://codereview.chromium.org/206163004 R=rossberg@chromium.org TBR=rossberg@chromium.org LOG=y BUG=n Review URL: https://codereview.chromium.org/219303002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20353 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-31 12:40:32 +00:00
verwaest@chromium.org	55a6318560	Fix LoadFieldByIndex to take mutable heap-numbers into account. BUG= R=ishell@chromium.org Review URL: https://codereview.chromium.org/213213002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20348 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-31 11:59:29 +00:00
jarin@chromium.org	d65fe51ca0	Add missing lazy deopt point for the TransitionElementsKind instruction. R=mvstanton@chromium.org, yangguo@chromium.org BUG=357105 TEST=test/mjsunit/regress/regress-357105.js LOG=N Review URL: https://codereview.chromium.org/216963002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20347 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-31 11:58:53 +00:00
jarin@chromium.org	9e655afdb4	Reland "Fix property enum cache creation to include only own properties" Reland r20308 (reverted by r20310). TBR=verwaest@chromium.org Review URL: https://codereview.chromium.org/216383003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20321 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-28 06:59:20 +00:00
adamk@chromium.org	c2bbd9f9e2	Don't pass the hole to SetElement when creating Array.observe change records Also added comments to remind us why we were using the hole here in the first place (it's used for the case where Object.observe, rather than Array.observe, has been called on Array that's undergoing truncation). BUG=356589 LOG=N R=rossberg@chromium.org Review URL: https://codereview.chromium.org/213823002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20316 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-27 18:29:07 +00:00
rossberg@chromium.org	826cf64fd3	Ship promises and weak collections R=mstarzinger@chromium.org BUG= Committed: https://code.google.com/p/v8/source/detail?r=20211 Review URL: https://codereview.chromium.org/206163004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20313 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-27 16:42:34 +00:00
jarin@chromium.org	af74f1206e	Revert "Fix property enum cache creation to include only own properties" This reverts commit 4cf47a20b4846cf050ea4844433e9c57654da34e. BUG= Review URL: https://codereview.chromium.org/214893002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20310 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-27 16:18:42 +00:00
jarin@chromium.org	4608bdeccc	With this fix, we only create the enum cache for own property descriptors (originally we cached all descriptors in the map). The problem was that the size of all descriptors could be trimmed during GC triggered by allocating the storage for the cache, so we could have ended up with a wrong storage size. This is really Toon's fix, I have only created a small repro case. BUG= R=verwaest@chromium.org Review URL: https://codereview.chromium.org/212673011 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20308 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-27 15:33:06 +00:00
dslomov@chromium.org	4cdfb46a6d	Fix JSObject::SetElement for fixed typed array elements. R=ulan@chromium.org BUG=357108 LOG=N Review URL: https://codereview.chromium.org/214543003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20300 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-27 12:54:26 +00:00
svenpanne@chromium.org	fe58e3d7b8	Removed 'executable' bits from mjsunit tests. R=jkummerow@chromium.org Review URL: https://codereview.chromium.org/214413006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20299 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-27 12:32:27 +00:00
jarin@chromium.org	10606aa756	Fix missing representation for the result of HIsSmiAndBranch. R=jkummerow@chromium.org BUG= Review URL: https://codereview.chromium.org/211273010 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20280 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-26 13:14:08 +00:00
dslomov@chromium.org	f66af4feb4	Refactor optimized in hydrogen only runtime functions. This splits all runtime function into 3 categories: 1) RUNTIME: implemented in runtime and called from both full and optimized code. 2) RUNTIME_HIDDEN: implemented in runtime, never called directly from JS builtins. 3) INLINE: inlined in both full and optimized code 4) INLINE_OPTIMIZED: inlined in optimized code, implemented in runtime for full code. R=yangguo@chromium.org, yannguo@chromium.org Review URL: https://codereview.chromium.org/209353006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20252 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-25 14:26:55 +00:00
verwaest@chromium.org	c432f7166c	Don't convert dictionary sloppy arguments to fast double mode. BUG= R=ishell@chromium.org Review URL: https://codereview.chromium.org/207683006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20251 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-25 14:14:58 +00:00
ulan@chromium.org	cb0f49c18a	Add index check in DoAccessArgumentsAt. BUG=355523 LOG=N TEST=mjsunit/regress/regress-355523 R=jarin@chromium.org Review URL: https://codereview.chromium.org/210053003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20245 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-25 13:26:41 +00:00
rossberg@chromium.org	2e1b16de2a	Revert "Ship promises and weak collections" Reason: breaks Blink layout tests. R=machenbach@chromium.org BUG= Review URL: https://codereview.chromium.org/210853003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20233 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-25 10:57:52 +00:00
yangguo@chromium.org	793d4cb0b6	Fix issues when changing FLAG_concurrent_recompilation after init. R=jarin@chromium.org BUG=356053 LOG=N Review URL: https://codereview.chromium.org/210363005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20228 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-25 09:38:48 +00:00
jarin@chromium.org	b765d3cdb9	Revert the (wrong) fix of the argument index check asserion. R=ishell@chromium.org BUG= Review URL: https://codereview.chromium.org/208423017 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20219 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-24 21:32:19 +00:00
jarin@chromium.org	56f2006605	Fix to get around an assertion that triggers when generating code that happens to be dead because the assertion is checked a bit earlier at runtime. R=ishell@chromium.org BUG=355486 LOG=N Review URL: https://codereview.chromium.org/201573011 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20218 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-24 20:51:36 +00:00
rossberg@chromium.org	33be68c2fa	Ship promises and weak collections R=mstarzinger@chromium.org BUG= Review URL: https://codereview.chromium.org/206163004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20211 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-24 16:59:04 +00:00
verwaest@chromium.org	e18e650582	Ensure the constant operand for heap-object store-named-field is not a smi. BUG= R=jkummerow@chromium.org Review URL: https://codereview.chromium.org/210193002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20208 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-24 16:25:48 +00:00
yangguo@chromium.org	9c0f5be8d1	Correctly convert micro-sign to its upper case. R=dcarney@chromium.org BUG=355485 LOG=N Review URL: https://codereview.chromium.org/209323007 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20197 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-24 14:16:14 +00:00
ulan@chromium.org	fc2563f108	Visit return statement of inlined function in value context. BUG=354357 LOG=N TEST=mjsunit/regress/regress-354357.js R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/206413005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20158 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-21 12:14:44 +00:00
ulan@chromium.org	f20a9473f3	Ensure that lazy deopt sequence does not override calls. BUG=354433 LOG=N TEST=mjsunit/regress/regress-354433.js R=jkummerow@chromium.org Review URL: https://codereview.chromium.org/198463006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20155 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-21 11:02:15 +00:00
jkummerow@chromium.org	2b722b663e	Fix polymorphic hydrogen handling of SLOPPY_ARGUMENTS_ELEMENTS BUG=chromium:354391 LOG=y R=verwaest@chromium.org Review URL: https://codereview.chromium.org/206073008 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20137 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-20 16:25:24 +00:00
yangguo@chromium.org	c9d391d87f	Fix assertions wrt concurrent OSR. R=ulan@chromium.org Review URL: https://codereview.chromium.org/206473002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20130 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-20 15:23:31 +00:00
ulan@chromium.org	41eab25615	A64: Fix write barrier input in KeyedStoreIC::GenerateSloppyArguments. This fixes flaky crashes in gc-stress bot: > Fatal error in ../src/incremental-marking.cc, line 84 > CHECK(obj->IsHeapObject()) failed BUG=353551 LOG=N TEST=test/mjsunit/regress/regress-353551.js R=m.m.capewell@googlemail.com Review URL: https://codereview.chromium.org/204453002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20098 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-20 08:32:58 +00:00
jkummerow@chromium.org	d9b6b6439d	Fix polymorphic keyed loads for SLOPPY_ARGUMENTS_ELEMENTS BUG=chromium:350867 LOG=y R=verwaest@chromium.org Review URL: https://codereview.chromium.org/203303010 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20087 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-19 15:49:29 +00:00
ulan@chromium.org	487ca9e384	Fix TransitionElementsKindStub to handle non-JSArray objects correctly. BUG=352982 LOG=N TEST=mjsunit/regress/regress-352982.js R=danno@chromium.org Review URL: https://codereview.chromium.org/196343023 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20033 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-18 13:29:29 +00:00
dslomov@chromium.org	6c01c3fd56	Apply numeric casts correctly in typed arrays and related code. R=jkummerow@chromium.org BUG=353004 LOG=Y Committed: https://code.google.com/p/v8/source/detail?r=20020 Review URL: https://codereview.chromium.org/201873005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20022 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-18 10:55:29 +00:00
dslomov@chromium.org	a6224272fd	Revert "Apply numeric casts correctly in typed arrays and related code." This reverts commit r20020 for breaking Win64 build. TBR=jkummerow@chromium.org Review URL: https://codereview.chromium.org/199523006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20021 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-18 10:50:00 +00:00
dslomov@chromium.org	849187eab0	Apply numeric casts correctly in typed arrays and related code. R=jkummerow@chromium.org BUG=353004 LOG=Y Review URL: https://codereview.chromium.org/201873005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20020 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-18 10:23:50 +00:00
rossberg@chromium.org	58d623f228	Stage ES6 promises and weak collections Split collections flag into weak and non-weak. R=mstarzinger@chromium.org BUG= Review URL: https://codereview.chromium.org/201593004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20019 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-18 09:57:14 +00:00
verwaest@chromium.org	5aaa513630	Don't generate keyed store ICs for global proxies. BUG=352983 LOG=y R=ishell@chromium.org Review URL: https://codereview.chromium.org/197873025 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20011 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-17 17:19:39 +00:00
ulan@chromium.org	e1e4071cbc	Fix date cache in strict mode. BUG=v8:3220 LOG=N TEST=mjsunit/regress/regress-3220.js R=rossberg@chromium.org Review URL: https://codereview.chromium.org/201753002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20006 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-17 15:47:58 +00:00
ishell@chromium.org	3b257c35e5	Fixed spec violation of storing to length of a frozen object. BUG=chromium:350890 LOG=N R=verwaest@chromium.org Review URL: https://codereview.chromium.org/196653015 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20005 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-17 15:43:33 +00:00
jkummerow@chromium.org	e4a18df7d1	Fix ASSERT violation when BinaryOpIC::Transition recurses into itself BUG=chromium:352586 LOG=n R=verwaest@chromium.org Review URL: https://codereview.chromium.org/201313002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20000 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-17 14:51:31 +00:00
rossberg@chromium.org	c3c185c173	Make invalid LHSs a parse-time (reference) error This is required by the spec. It also prevents crashes resulting from the attempt to read type feedback for the RHS of an invalid assignment which full codegen never actually allocated info for. To do: check properly in preparser already. R=marja@chromium.org, mstarzinger@chromium.org BUG=351658 LOG=Y Review URL: https://codereview.chromium.org/200473003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19976 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-17 10:21:01 +00:00
jkummerow@chromium.org	dc458525ad	Fix typo in r19923 (bounds check offset propagation) BUG=chromium:352929 LOG=n R=ulan@chromium.org Review URL: https://codereview.chromium.org/201303002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19969 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-17 09:38:01 +00:00
ishell@chromium.org	f77c51b0a6	Check elimination now sets known successor branch of HCompareObjectEqAndBranch (correctness fix). BUG=chromium:352058 LOG=N R=bmeurer@chromium.org Review URL: https://codereview.chromium.org/196383018 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19964 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-17 09:11:38 +00:00
mvstanton@chromium.org	e3f3f6d98b	Revert "Continued fix for 351257. Reusing the feedback vector is too complex." This reverts commit r19919. TBR=bmeuer@chromium.org Review URL: https://codereview.chromium.org/196343021 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19961 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-17 08:31:21 +00:00
verwaest@chromium.org	0f2a324c8a	Fix generalization with callbacks. BUG=352588 LOG=n R=danno@chromium.org Review URL: https://codereview.chromium.org/200173003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19935 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-14 14:17:49 +00:00
mvstanton@chromium.org	11df4b8815	Fix for issue 351261. This relands the following fix: "HAllocate should never generate allocation code if the requested size does not fit into page. Regression test included. (bug 347543)" along with additional fixes to KeyedStoreIC. BUG=351261 LOG=N R=verwaest@chromium.org Review URL: https://codereview.chromium.org/200113002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19926 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-14 10:22:55 +00:00
ulan@chromium.org	2c99cba38b	Propagate updated offsets in BoundsCheckBbData. BUG=350863 LOG=Y TEST=mjsunit/regress/regress-350863.js R=bmeurer@chromium.org, jkummerow@chromium.org Review URL: https://codereview.chromium.org/197823009 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19923 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-14 10:02:25 +00:00
bmeurer@chromium.org	358e176d50	Add regression test for range analysis bug. BUG=v8:3204 LOG=y R=svenpanne@chromium.org Review URL: https://codereview.chromium.org/200103002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19922 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-14 09:54:26 +00:00
mvstanton@chromium.org	dd28969c1c	Continued fix for 351257. Reusing the feedback vector is too complex. Attempting to re-use the type feedback vector stored in the SharedFunctionInfo turns out to be difficult among the various cases. It will be much easier to do this when deferred type feedback processing is removed, as is in the works. Created bug v8:3212 to track re-introducing the optimization of reusing the type vector on recompile before optimization. The CL also brings back the type vector on the SharedFunctionInfo. BUG=351257 LOG=Y R=bmeurer@chromium.org, bmeuer@chromium.org Review URL: https://codereview.chromium.org/199973004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19919 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-14 09:28:37 +00:00
yangguo@chromium.org	0f71a24f3a	Correctly retain argument value when deopting from Math.round on x64. R=jkummerow@chromium.org BUG=351624 LOG=N Review URL: https://codereview.chromium.org/199013002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19896 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-13 13:57:21 +00:00
ulan@chromium.org	c64b78f6da	Check that constant is an integer before getting its value in HGraphBuilder::MatchRotateRight. BUG=351263 LOG=N TEST=mjsunit/regress/regress-351263 R=svenpanne@chromium.org Review URL: https://codereview.chromium.org/197803005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19890 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-13 11:50:50 +00:00
svenpanne@chromium.org	390d3a0b15	Make translation of modulus operation '--stress-opt'-proof. Note that we unconditionally deopt later, anyway, but our compilation pipeline has to survive long enough to reach that place. :-/ LOG=y BUG=352059 R=bmeurer@chromium.org Review URL: https://codereview.chromium.org/198833002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19884 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-13 09:37:16 +00:00
jarin@chromium.org	713aa33f2a	Fix of argument materialization of captured heap numbers. The escape analysis calculates the number of slots in an object as no-of-slots = object-size / pointer-size. This gives 3 slots for heap numbers on 32-bit architectures (one slot for the map, two for the double value); however, my argument materialization code assumed just two slots (map + value). Since Hydrogen allocates heap numbers quite rarely, it is hard to produce a more meaningful repro than the one provided by Clusterfuzz. Any suggestions are welcome. The fix is simple - we just read out all extra slots (beyond the map and the double) for heap numbers. R=mstarzinger@chromium.org BUG=351315 LOG=N Review URL: https://codereview.chromium.org/196283004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19874 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-13 07:17:37 +00:00
jkummerow@chromium.org	f9ee4f19b4	Use intrinsics for builtin ArrayBuffer property accesses BUG=chromium:351787 LOG=y R=yangguo@chromium.org Review URL: https://codereview.chromium.org/197793003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19862 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-12 19:25:40 +00:00
verwaest@chromium.org	8735adb2c4	Don't fast RemoveArrayHoles in case of arguments arrays. BUG=351645 LOG=n R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/197043004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19848 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-12 13:42:18 +00:00
mvstanton@chromium.org	7477bc39ca	350884: KeyedStoreIC miss didn't handle a transitioning case. It's possible to get a transitioned map with no links to the origin map if it's a shared map. Code in KeyedStoreIC::StoreElementStub assumes it can check if two maps are in the same family by traversing the transition array. Long term, the "family" relationship should be recognized with the Normalized Map Cache. For now, allow the IC to remain monomorphic in this case if the receiver map and the previous receiver map are the same. Filed V8 issue 3210 (https://code.google.com/p/v8/issues/detail?id=3210) to track the issue with the Normalized Map Cache. BUG=350884 LOG=N R=verwaest@chromium.org Review URL: https://codereview.chromium.org/194623005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19847 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-12 13:35:40 +00:00
jkummerow@chromium.org	105c1e08b7	Fix HIsSmiAndBranch::KnownSuccessorBlock() by deleting it Constants can still change their representation, so we cannot determine reachability of blocks based on their Smi-ness BUG=chromium:351320 LOG=y R=yangguo@chromium.org Review URL: https://codereview.chromium.org/196943002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19836 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-12 10:14:29 +00:00
danno@chromium.org	ae1669b501	Fix handling of polymorphic array accesses with constant index R=jkummerow@chromium.org BUG=chromium:351319 LOG=Y Review URL: https://codereview.chromium.org/196353004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19835 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-12 10:11:38 +00:00
jkummerow@chromium.org	8a1812f252	Fix lazy deopt after tagged binary ops Also add policing code to ensure that optimized frames can in fact lazily deopt at their respective current PC when we patch them for lazy bailout. BUG=chromium:350434 LOG=y R=jarin@chromium.org Review URL: https://codereview.chromium.org/194703008 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19834 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-12 09:59:36 +00:00
rossberg@chromium.org	85800eff3f	Fix issue with getOwnPropertySymbols and hidden properties When getting the symbols of an object we need to ignore the hidden properties of the prototype object since the hidden properties are represented by a single string key and we will not include that hidden string in the found names. BUG=350864 LOG=Y R=rossberg@chromium.org Review URL: https://codereview.chromium.org/192883005 Patch from Erik Arvidsson <arv@chromium.org>. git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19813 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-11 16:46:35 +00:00
dcarney@chromium.org	62fc099334	fix bad access check check R=verwaest@chromium.org BUG= Review URL: https://codereview.chromium.org/195163002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19804 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-11 15:12:47 +00:00
rossberg@chromium.org	3f702d4bf9	Mode clean-up pt 1: rename classic/non-strict mode to sloppy mode R=mstarzinger@chromium.org BUG= Review URL: https://codereview.chromium.org/177683002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19799 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-11 14:39:08 +00:00
yangguo@chromium.org	6e1507331e	Fix bug in constant folding object comparisons. R=jkummerow@chromium.org Review URL: https://codereview.chromium.org/195063002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19798 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-11 13:34:01 +00:00
mvstanton@chromium.org	819d9f62d0	Fix for 350887: CHECK failure on new_length->IsSmi() In ElementsAccessorBase::SetLengthImpl for a dictionary array, we try to optimize setting array length if the new length is a smi. However, we refuse to set an array length to less than the index of the highest non-configurable array element. This index may be outside of smi range. Handle this case accordingly. BUG=350887 LOG=N R=dslomov@chromium.org Review URL: https://codereview.chromium.org/194803002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19787 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-11 10:30:10 +00:00
yangguo@chromium.org	1634e7de38	Fix assertion in RegExp parser to correctly expect stack overflow. Advance() always checks for stack overflow. If stack indeed overflowed, current() would hold the kEndMarker. ParseOctalLiteral does not expect this in the assertion, which causes assertion failure. R=mvstanton@chromium.org BUG=350865 LOG=N Review URL: https://codereview.chromium.org/192773002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19764 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-10 15:52:10 +00:00
verwaest@chromium.org	1180803953	Reland and fix "Allow ICs to be generated for own global proxy." BUG= R=mvstanton@chromium.org Review URL: https://codereview.chromium.org/176793003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19756 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-10 12:23:05 +00:00
verwaest@chromium.org	8a3d715250	Revert "Use Representation::Integer32() for smi types on 32-bit-tagged systems." Due to performance regression. BUG= R=jkummerow@chromium.org Review URL: https://codereview.chromium.org/189843006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19709 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-07 09:29:07 +00:00
ishell@chromium.org	997ce05289	Fix for failing asserts in HBoundsCheck code generation on x64: use proper cmp operation width instead of asserting that Integer32 values should be zero extended. Similar to chromium:345820. BUG=349465 LOG=N R=verwaest@chromium.org Review URL: https://codereview.chromium.org/188703002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19694 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-06 16:22:47 +00:00
jkummerow@chromium.org	1cc0bafc07	Fix HConstants with Smi-ranged HeapNumber values BUG=chromium:349878 LOG=y R=yangguo@chromium.org Review URL: https://codereview.chromium.org/186123003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19693 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-06 16:21:09 +00:00
mvstanton@chromium.org	6115a006fd	Bugfix for 349874: we incorrectly believe we saw a growing store When we set an out of bounds array index, the index might be so large that it causes the array to go to dictionary mode. It's better to avoid "learning" that this was a growing store in that case. This fix also partially reverts a fix for bug 347543, as this fix is comprehensive and satisfies that repro case as well (partial revert of v19591). BUG=349874 LOG=N R=verwaest@chromium.org Review URL: https://codereview.chromium.org/188643002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19691 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-06 13:07:51 +00:00
jkummerow@chromium.org	5ea3f0004a	Let HTransitionElementsKind take part in RestoreActualValues phase BUG=chromium:349853 LOG=n R=mvstanton@chromium.org Review URL: https://codereview.chromium.org/183753005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19689 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-06 12:13:49 +00:00
yangguo@chromium.org	285f253af1	Remove outdated assertion scope. R=jkummerow@chromium.org BUG=349870 LOG=N Review URL: https://codereview.chromium.org/182003004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19687 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-06 11:51:53 +00:00
yangguo@chromium.org	e2e2f4050d	Fix issues with JSON stringify replacer array If the replacer array contains a property key we should include the property even if the property is non enumerable or if it is a non own property. String and Number wrappers in the replacer array should be treated as string and number values. R=yangguo@chromium.org BUG=v8:3200, v8:3201 LOG=Y Review URL: https://codereview.chromium.org/187053003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19685 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-06 09:50:53 +00:00
verwaest@chromium.org	7bf33c53eb	Use Representation::Integer32() for smi types on 32-bit-tagged systems. BUG= R=jkummerow@chromium.org Review URL: https://codereview.chromium.org/187353005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19684 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-06 09:49:10 +00:00
verwaest@chromium.org	f913c3b492	Also delete force representations that have no uses. BUG= R=jkummerow@chromium.org Review URL: https://codereview.chromium.org/187773002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19683 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-06 09:47:27 +00:00
jarin@chromium.org	52fd520c96	Fix materialization of captured objects in adapted arguments. R=mstarzinger@chromium.org BUG=348512 LOG=N Review URL: https://codereview.chromium.org/183063006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19676 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-05 12:57:18 +00:00
jarin@chromium.org	7ac668f753	Deoptimization fix for HPushArgument. HPushArgument should never be used in a simulation environment because the slot addresses for the arguments can be off (e.g., due to on-stack arguments object of an inlined caller). R=mstarzinger@chromium.org BUG=v8:3183 LOG=N Review URL: https://codereview.chromium.org/178193026 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19675 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-05 12:45:46 +00:00
jkummerow@chromium.org	3df5573195	x64: Fix LMathMinMax for constant Smi right-hand operands BUG=chromium:349079 LOG=y R=titzer@chromium.org Review URL: https://codereview.chromium.org/186593003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19668 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-05 09:49:07 +00:00
yangguo@chromium.org	b1a271a02c	Fix HCheckValue::Canonicalize wrt uninitialized HConstant unique. R=titzer@chromium.org BUG=348280 LOG=N Review URL: https://codereview.chromium.org/183383006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19642 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-04 08:08:08 +00:00
ulan@chromium.org	b9e0b87a5a	Clear optimized code cache in shared function info when code gets deoptimized. This adds a pointer to the shared function info into deoptimization data of an optimized code. Whenever the code is deoptimized, it clears the cache in the shared function info. This fixes the problem when the optimized function dies in new space GC before the code is deoptimized due to code dependency and before the optimized code cache is cleared in old space GC (see mjsunit/regress/regress-343609.js). This partially reverts r19603 because we need to be able to evict specific code from the optimized code cache. BUG=343609 LOG=Y TEST=mjsunit/regress/regress-343609.js R=yangguo@chromium.org Review URL: https://codereview.chromium.org/184923002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19635 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-03-03 11:11:39 +00:00
rossberg@chromium.org	5543263c19	Move all Harmony-only tests to harmony/ R=jkummerow@chromium.org BUG= Review URL: https://codereview.chromium.org/178583005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19622 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-02-28 14:26:32 +00:00
ishell@chromium.org	c2601aea8a	Check elimination did not mark some dead blocks. R=danno@chromium.org Review URL: https://codereview.chromium.org/180483003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19619 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-02-28 14:16:38 +00:00
svenpanne@chromium.org	e9273332ef	Fixed constant folding for Math.clz32. LOG=y BUG=347906 R=yangguo@chromium.org Review URL: https://codereview.chromium.org/184353002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19609 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-02-28 13:07:10 +00:00
mvstanton@chromium.org	b1ffc7901f	A JSArray may have a filler map in the elements pointer. We already have code that expects this, but incorrectly asserted that the filler map case would never happen when allocation folding is turned on. However, even folding has it's limits, bailing out of continued folding when the object size grows too large. Therefore, it's a general problem when verifying JSArray objects, that we might encounter a filler map in elements(). Discovered by ClusterFuzz crbug 347903. R=hpayer@chromium.org LOG=N BUG=347903 Review URL: https://codereview.chromium.org/184493002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19604 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-02-28 12:29:19 +00:00
yangguo@chromium.org	5c186bb197	Evict from optimized code map in sync with removing from optimized functions list. R=ulan@chromium.org Review URL: https://codereview.chromium.org/184443002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19603 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-02-28 12:27:31 +00:00
bmeurer@chromium.org	70242fe3bb	Fix JSObject::PrintTransitions. BUG=347912 LOG=y R=verwaest@chromium.org Review URL: https://codereview.chromium.org/183683005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19601 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-02-28 11:41:07 +00:00
hpayer@chromium.org	38ca2629be	Fix representation generalization for doubles. BUG= R=verwaest@chromium.org Review URL: https://codereview.chromium.org/184393002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19599 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-02-28 11:07:10 +00:00
dcarney@chromium.org	98d1cedac4	Get array_function from NativeContext R=mvstanton@chromium.org LOG=N BUG=347528 Review URL: https://codereview.chromium.org/184173003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19595 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-02-28 10:01:27 +00:00
bmeurer@chromium.org	5945f9ebb9	Fix handling of constant global variable assignments. BUG=347904 LOG=y R=hpayer@chromium.org Review URL: https://codereview.chromium.org/184303003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19594 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-02-28 09:40:12 +00:00
svenpanne@chromium.org	c4e90c15b8	Removed bogus ASSERT. LOG=y BUG=347542 R=yangguo@chromium.org Review URL: https://codereview.chromium.org/183763007 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19592 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-02-28 08:45:07 +00:00
ishell@chromium.org	2ab83cf192	HAllocate should never generate allocation code if the requested size does not fit into page. Regression test included. BUG=347543 LOG=N R=hpayer@chromium.org Review URL: https://codereview.chromium.org/180803005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19591 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-02-27 17:33:25 +00:00
verwaest@chromium.org	aa14020bc7	Fix putting of prototype transitions. The length is also subject to GC, just like entry. BUG=347536 LOG=n R=danno@chromium.org Review URL: https://codereview.chromium.org/183193003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19586 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-02-27 16:07:44 +00:00
jarin@chromium.org	05b98492a4	Handle arguments objects in frame when materializing arguments R=mstarzinger@chromium.org BUG=347262 Review URL: https://codereview.chromium.org/177293009 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19584 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-02-27 15:12:12 +00:00
yangguo@chromium.org	6912a248ca	Fix bogus assertion in SetFastDoubleElements. R=danno@chromium.org BUG=347530 LOG=N Review URL: https://codereview.chromium.org/181433016 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19579 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-02-27 14:45:53 +00:00
mvstanton@chromium.org	b8f8cfabca	Fix for Clusterfuzz issue 343928. The problem was that the debugger didn't expect that a JSFunction could have a GlobalContext, which it can with harmony scoping. BUG=343928 R=yangguo@chromium.org LOG=N Review URL: https://codereview.chromium.org/183103003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-02-27 13:25:05 +00:00
ishell@chromium.org	1ae7e8a1e5	Fix for failing asserts in HBoundsCheck code generation on x64: index register should be zero extended. BUG=345820 LOG=N R=verwaest@chromium.org Review URL: https://codereview.chromium.org/180013002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19549 ce2b1a6d-e550-0410-aec6-3dcde31c8c00	2014-02-25 16:33:54 +00:00

1 2 3 4 5 ...

1117 Commits