port r9260 (af9cfd83).
Original commit message:
We passed this flag around in a lot of places and had differenc call
ICs based on it, but never did any real specialization based on its
value.
BUG=
TEST=
Review URL: http://codereview.chromium.org/7886028
Patch from Paul Lind <plind44@gmail.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9269 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We have to emit code for declarations later into the body block
(and not into the start block) so that the environment contains
the correct values.
In order to capture the environment effect of the declarations
that generate code (function declarations) I inserted a separate
AST id and a HSimulate after the declarations are visited.
Also fixes handling deopt in named function expressions:
BUG=v8:1647
TEST=test/mjsunit/regress/regress-fundecl.js, test/mjsunit/regress/regress-1647.js
Review URL: http://codereview.chromium.org/7776009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9083 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When recompiling code (e.g., when optimizing) we could incorrectly hoist
some function expressions. This leads to incorrect results or a crash. The
root cause was that functions were not correctly categorized as expression
or declaration at parse time.
This requires some extra hoops to prevent the print name "anonymous" for
functions created by 'new Function' from establishing a binding.
R=vegorov@chromium.org,kasperl@chromium.org
BUG=1583
TEST=regress-1583
Review URL: http://codereview.chromium.org/7572019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8838 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
for the individually bound functions.
Our existing code will generate a new function on every call to bind,
but it will use the same shared function. When setting the lenght this
will be set on the shared function, i.e., the length of all bound
functions will be that of the last bound function.
Review URL: http://codereview.chromium.org/7475002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8816 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Reapply r8783 with an additional fix.
Because the preparser and parser do not use the same scope analysis to
determine if a function can be lazily compiled, the parser can have false
positives. Rather than treating this as a parse error, treat the preparser
as authoritative and eagerly compile the function.
R=lrn@chromium.org
BUG=
TEST=
Review URL: http://codereview.chromium.org/7565003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8797 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
HGraphBuilder::TryArgumentsAccess does not emit any uses for receiver and will generate incorrect code when receiver for a property access is defined by a phi that returns either arguments object or something else.
BUG=v8:1582
TEST=test/mjsunit/regress/regress-1582.js
Review URL: http://codereview.chromium.org/7553006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8774 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When creating a CompilationInfo we always have the script and can
determine if it is a natives script.
Now that all natives functions are recognized as such, many of them
are called with undefined as the receiver. We have to use different
filtering for builtins functions when printing stack traces.
Also, fixed one call of CALL_NON_FUNCTION to be correctly marked as a
method call (with fixed receiver). Now that CALL_NON_FUNCTION is
marked as a native function this caused the receiver to be undefined.
R=svenpanne@chromium.org
BUG=
TEST=
Review URL: http://codereview.chromium.org/7395030
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8680 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We did not properly combine the property names from the parameter map
and the arguments backing store. They could overwrite each other and
be unsorted.
Also fix an unrelated bug: deleting from a dictionary-mode arguments
backing store could corrupt the parameter map.
R=rossberg@chromium.org
BUG=1531
TEST=mjsunit/regress/regress-1531.js
Review URL: http://codereview.chromium.org/7278033
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8571 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The Advance() function of the class responsible for iterating
environment uses didn't always advance as far as it could (relying on
the HasNext predicate to finish advancing). This is brittle.
The HasNext predicate also didn't advance as far as it could when it
was at the end of an environment level. This is a bug.
R=jkummerow@chromium.org
BUG=
TEST=
Review URL: http://codereview.chromium.org/6993023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8181 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
If type-feedback indicates that an expression was never executed in
the non-optimized code, we insert a forced deoptimization right away
to enable re-optimization if we ever hit this path.
With this change we still continue to build the graph. As a next step, we
should remove the dead code after the deoptimize.
I had to remove one assert about the optimization status in a test since
we now immediately deoptimize after exiting the loop that triggers OSR.
Also remove a restriction that control-flow from an inlined function in a
test context always reaches both true- and false-target.
Review URL: http://codereview.chromium.org/7105015
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8140 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Our testing infrastructure uses exceptions to indicate
errors. assertUnreachable therefore throws an exception to indicate
that it was reached. Therefore, it cannot be used to check that an
exception was thrown using the pattern:
try {
shouldThrow();
assertUnreachable();
} catch(e) {
}
Such a test will always pass because assertUnreachable will throw an
exception if shouldThrow does not.
R=ricow@chromium.org
Review URL: http://codereview.chromium.org/7053035
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8117 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The only difference to revision 7763 is the implementation in the
builtins file for arm and x64, plus a move of Array.prototype.toString
and Array.prototype.toLocaleString from should throw on null or
undefined to the non generic test cases in the function-call test (due
to us not currently supporting generic cases with these to functions)
Review URL: http://codereview.chromium.org/6928007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7786 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Encapsulate the helper functions in mjsunit.js.
Now only exposes the exception class and the assertXXX functions.
Make assertEquals use === instead of ==.
This prevents a lot of possiblefalse positives in tests, and avoids
having to do assertTrue(expected === actual) when you need it.
Fixed some tests that were either buggy or assuming == test.
Review URL: http://codereview.chromium.org/6869007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7628 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Fix %NewObjectFromBound to correctly handle optimized frames (including those with inlined functions).
Fix %_IsConstructCall handling in hydrogen: when called from inlined function return false constant directly instead of emiting HIsConstructCall.
Fix success case in TraceInline.
BUG=v8:1229
TEST=test/mjsunit/regress/regress-1229.js
Review URL: http://codereview.chromium.org/6740023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7472 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This makes us compatible with firefox. Earlier on we were somehow
compatible with safari - which will allow defining a getter even when
an existing getter is present and non-configurable. We would, however,
in addition to overwriting the getter also change configurable to
true. The approach used by firefox seems much more sound, i.e., why
should it be possible to use __defineGetter__ or __defineSetter__ to
overwrite a non-configurable getter or setter respectively.
I will file a bug on the webkit bugtracker.
Review URL: http://codereview.chromium.org/6658037
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7143 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Used incorrect register for referencing RegExp data, so it always failed
to match the fast case.
When modifiying the object layout, it was possible to make it crash instead.
BUG=v8:1236
TEST=test/mjsunit/regress/regress-1236.js
Review URL: http://codereview.chromium.org/6635041
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7091 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When deoptimizing from the key subexpression of a keyed arguments access,
the unoptimized code expects to find the value of the receiver on the
expression stack. The environment of the optimizing compiler did not
contain this value during evaluation of the key subexpression.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6981 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Resubmit of patch for issue 1145 with a few additions:
- Now also clears exceptions when calling Runtime_LazyRecompile.
- Sets function where parsing fails to not be optimizable.
BUG=v8:1145
TEST=test/mjsunit/regress/regress-1145.js
Review URL: http://codereview.chromium.org/6469050
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6945 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We can wrongly assume that exception which is not intended to be caught
by external try/catch should be caught if this exception inherits
external catcher from some previous exception. To prevent that,
clear external catcher when processing exceptions which cannot be
externally caught.
BUG=v8:1184
TEST=test/mjsunit/regress/regress-1184.js
Review URL: http://codereview.chromium.org/6538081
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6905 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The old version only added extra space when we did indirect calls, but
the problem remains the same with normal calls that can be represented
as a single byte. When doing patching each call will always be at
least 2 bytes long because we use RUNTIME_ENTY as the reloc mode.
Review URL: http://codereview.chromium.org/6541053
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6894 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Call accessors in the global object prototype when initializing global
variables. Function declarations are special cased for compatibility
with Safari and setters are not called for them. If this special
casing was not done webkit layout tests would fail.
Make the declaration of global const variables in the presence of
callbacks a redeclaration error.
Handle const context slot declarations conflicting with a CALLBACK as
a redeclaration error. That is, unless it is on a context extension
object which is not a real object and therefore conceptually have no
accessors in prototype chains. Accessors in prototype chains of
context extension objects are explicitly ignored in SetProperty.
Review URL: http://codereview.chromium.org/6534029
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6846 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
variables.
Make the declaration of global const variables in the presence of
callbacks a redeclaration error.
Handle const context slot declarations conflicting with a CALLBACK as
a redeclaration error. That is, unless it is on a context extension
object which is not a real object and therefore conceptually have no
accessors in prototype chains. Accessors in prototype chains of
context extension objects are explicitly ignored in SetProperty.
Review URL: http://codereview.chromium.org/6519050
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6841 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The baseline compiler does not materialize a value for expressions of
the form !expr in an effect context so the graph translation should
not produce such an environment, otherwise we risk targeting it by
deoptimization.
BUG=v8:1167
Review URL: http://codereview.chromium.org/6537018
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6833 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We currently leave the exception as pending without returning a Failure::Exception() value. This is either caught immediately if running with --debug-code, or caught later by an assert in debug mode.
This change makes the pending exception be cleared before returning from the failed optimization attempt.
BUG=v8::1145
TEST=test/mjsunit/regress/regress-1145.js
Review URL: http://codereview.chromium.org/6524039
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6832 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When deoptimizing to after an expression of the form (expr0 || expr1)
or (expr0 && expr1) in an effect context, the unoptimized code could
incorrectly see the value of the expression.
Handle the short-circuit binary operators specially in effect contexts.
This fixes the issue and will generate better code when the left
subexpression is boolean-valued.
BUG=v8:1166
Review URL: http://codereview.chromium.org/6519046
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6831 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The current version uses SetObjectProperty which will not set the
value in case this is a readonly property. The spec explictly says
that a configurable but non writable property can have its value
changed with Object.defineProperty (because the same thing can be
accomplished by doing 3 calls (set writable to true, update the value,
set writable to false).
Review URL: http://codereview.chromium.org/6518004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6766 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
In the presence of JS accessors for elements on Object.prototype JSArray::SetFastElement
may throw or its behaviour can be altered. Instead operate on plain FixedArrays and
turn them into JSArry later.
BUG=v8:1130
TEST=test/mjsunit/regress/regress-1130.js
Review URL: http://codereview.chromium.org/6481001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6730 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When constructing stack traces we interpret the deoptimization data for
optimized frames to find the receiver value. This value could sometimes be
eliminated from the deoptimization data if we though it was unused.
BUG=v8:1118
Review URL: http://codereview.chromium.org/6465023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6694 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
My previous patch added an assert which uncovered 1092 in the sputnik tests.
This patch adds the fix for 1092, which is to ensure that NormalizeProperties
does not get called for a JSGlobalProxy along all code paths.
Add sputnik tests to .gitignore.
BUG=
TEST=
Review URL: http://codereview.chromium.org/6286060
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6627 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Record a safepoint with a deoptimization id for throw in optimized code. We
don't seem to much care what the AST ID is because we will not be using it
for lazy deoptimization (throw doesn't return to the point of throw). For
hygiene we use the actual ID of the throw expression. Throw is no longer a
control-flow instruction, but it's followed by an unconditional abnormal
exit. This is required to insert a simulate between the throw and the exit.
Make our optimized treatment of Function.prototype.apply act like a call and
have side effects. This ensures that it will get a lazy deoptimization
environment. Use that deoptimization ID in the safepoint for the call.
Deleting a property was also missing a deoptimization ID, though there was a
deoptimization environment assigned to the instruction. Record the
environment and use the deoptimization ID at the safepoint.
Review URL: http://codereview.chromium.org/6250105
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Fixes JS portion of DefineOwnProperty when there is
an existing property and the new descriptor is generic.
Makes code follow spec steps more closely.
Fixes typo for check for unchanged enumerable in step 6.
Adds regression tests.
Fixes errors in object-define-property test
Don't normalize the JSGlobalProxy. Gets webkit http/tests/security/xss-DENIED-defineProperty.html working.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6561 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
With SVN r6465 (reverting changes to scopes), a regression test for
deleting parameter variables has to change to reflect a semantic
change. It is now again possible to delete parameters from a function
that uses 'with' or 'try...catch'.
Review URL: http://codereview.chromium.org/6307014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6466 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The function Runtime_LookupContext searches the context chain for a
LOOKUP slot and returns the object holding the slot. It returned the
global context if the slot was not found or if it was found in a
function's context or arguments object. This is not the correct
object to use for 'delete'.
Since this lookup function is only ever used when deleting LOOKUP
slots (those that have to go through a with or a scope with eval), it
is simply replaced with a Runtime_DeleteContextSlot function that does
the appropriate thing for all kinds of context lookups.
This fixes Chromium bug 70066.
http://code.google.com/p/chromium/issues/detail?id=70066
Review URL: http://codereview.chromium.org/6280013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6442 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We hit an assertion failure when we tried to record the AST ID of
the (shared) .arguments variable proxy more than once. This was hit
when we had multiple calls to the same parameter in a function that
used the arguments object. The fix is to not visit the subexpressions
of the (shared) property access expression.
BUG=1060
Review URL: http://codereview.chromium.org/6368007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6404 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
If the instanceof stub was requested to deliver true/false objects as the result instead of 0/1 then 0/1 was actually returned if the builtin INSTANCE_OF ended up being called. This is now fixed.
BUG=v8:1020
TEST=test/mjsunit/regress/regress-1020.js
Review URL: http://codereview.chromium.org/6014013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6185 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
In the past we only accepted functions as argument for setting an
accessor. Since one should be able to set an accessor to undefined
this had to be changed to take either.
In addition, we did not lookup properties in the prototype chain,
causing us to call the setter of an existing accessor up the prototype
chain when trying to replace an existing accessor (that was not local)
with a data property.
Review URL: http://codereview.chromium.org/5861006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6045 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When entering a finally block in unoptimized code, we unconditionally
save the accumulator register in the stack in case it holds a return
value or an exception. In the case of a break, continue, or falling
off the end of the try or catch block, this value is unpredictable and
not necessarily safe for GC.
Review URL: http://codereview.chromium.org/5883003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6035 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This fixes V8 issue 989.
Before, assignments used the AST ID of the assignment expression to
mark the side effect of the store, which became a target for
deoptimization bailout for code after the assignment. In effect
contexts this environment included the value of the assignment, which
was unexpected by the unoptimized code.
Now we introduce a new assignment ID for AST node types that include
an assignment (Assignment, CountOperation, and ForInStatement) and use
it for the side effect of the store.
Review URL: http://codereview.chromium.org/5682010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5990 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
SplitBetween (formely known as Split with 3 arguments) should select split position from [start, end] instead of [start, end[. This should also improve allocation quality (remove certain redundant move patterns).
Also some minor renaming and refactoring to make register allocator code more readable.
BUG=v8:962
TEST=test/mjsunit/regress/regress-962.js
Review URL: http://codereview.chromium.org/5720001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5969 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
see http://code.google.com/p/v8/issues/detail?id=944
This patch makes DateParser::TimeComposer process times that have
millisecond values with only 1 or 2 digits.
Without this patch, Date.parse("2010-11-25T22:02:30.5") returns
1290690150005 and
Date.parse("2010-11-25T22:02:30.5") == Date.parse("2010-11-25T22:02:30.005")
evaluates to true.
With this patch, Date.parse("2010-11-25T22:02:30.5") returns
1290690150500 instead, and
Date.parse("2010-11-25T22:02:30.5") == Date.parse("2010-11-25T22:02:30.005")
evaluates to false.
Review URL: http://codereview.chromium.org/5336005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5893 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Object.freeze and Object.seal uses GetOwnPropertyNames which
returns an array with local property names. This array will also have
the additional properties defined on Array.prototype or
Object.prototype.
Note that, the implementation of GetOwnPropertyNames (when used as
Object.getOwnPropertyNames) is correct, since the spec says to create
a new Array (which would also have these properties).
Review URL: http://codereview.chromium.org/3137041
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5350 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This adds a check to the fast case string add to ensure that the String object still have the default valueOf function. The default valueOf is sitting on a hidden prototype of String.prototype.
Before using the fast case valueOf the object is checked for a local valueOf property. For slow case objects this check always reports true (the dictionary is not probed, so valueOf might be there) and for fast case objects the descriptor array is checked for the valueOf symbol (just liniar scan). After that the prototype is checked for beeing the initial value of String.prototype. If this all pass (that is the default valueOf is still in place) this result is cached on the map making the check fast the next time.
This is only implemented in the optimizing compiler, as the two usages of %_IsStringWrapperSafeForDefaultValueOf is never hit by the full compiler.
I will port to x64 and ARM when this has been reviewed for ia32.
I will remove the performance counters prior to final commit.
BUG=http://code.google.com/p/v8/issues/detail?id=760
TEST=test/mjsunit/regress/regress-760-1.js
TEST=test/mjsunit/regress/regress-760-2.js
Review URL: http://codereview.chromium.org/3117006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5252 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The existing version will overwrite the existing writable flag with
false even in the case where no new value is given and the existing
writable flag is true.
The reason for the issue is that there is no check to see if the
provided descriptor actually has a writable attribute. This causes us
to use the default value (false) even in the case where nothing was
provided. In addition, the existing tests makes wrong assumptions (that writable is always set to false if not provided) and has been changed to follow the specification.
Review URL: http://codereview.chromium.org/2271001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4720 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Object.defineProperty with empty property descriptor.
The issue is fixed by implementing step 5 and 6 from DefineOwnProperty in the
specification (ES5 8.12.9).
This also fixes a bug in SameValue when used on boolean values (it
would priorly return a number - not a boolean).
Review URL: http://codereview.chromium.org/2131019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4708 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This change allows Object.create to take a function as input in the
proto argument. The spec says that Type(O) for the proto argument
should be true but our IS_OBJECT does not check for this. I will make a
IS_SPEC_OBJECT in macros.py and refactor v8natives in another CL.
Review URL: http://codereview.chromium.org/2051001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4622 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The error was introduced in revision 4557 where support was added for
ES5 date time format strings. Because there was no check for a valid
year a random string starting with a non-digit character would be
parsed.
This change disallows ES5 formatted dates where there is no date
fraction (i.e., with only a timestamp). Since none of the other
browsers support Date.parse on only timestamps I have disabled this
totally instead of just correcting the parser.
Review URL: http://codereview.chromium.org/2017005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4613 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We need to be careful to check global property cells for the property
encountered during lookup. Therefore, the ICs have to be specific to
the name of the property if global objects are involved. In
principle, this means that we could get a large number of monomorphic
ICs for the same map if there is a global object in the prototype
chain. However, since this is only done for normal load ICs and not
for keyed load ICs I do not expect this to be a problem. I will
experiment with it once this goes in.
BUG=675
Review URL: http://codereview.chromium.org/1559033
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4426 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This re-applies r4220 and r4233, which was reverted in r4254 due to a bug. This bug has now been fixed, with the only change being line 2884 changed from
__ SmiTag(left_side->reg());
to
__ SmiTag(operand->reg());
Added a regression test.
BUG=http://crbug.com/39160
TEST=test/mjsunit/regress/regress-crbug-39160.js
Review URL: http://codereview.chromium.org/1251009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4261 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When Array(0) or new Array(0) is handled by the generated code it is handled
by the same code as Array() and new Array(). For this to work the stack is
tweaked to remove the argument of value 0. However the argc was still passed
as 1 if a call to the runtime system was made.
When the stack is tweaked argc is also changed to 0.
BUG=634
TEST=test/mjsunittest/mjsunit/regress/regress-634.js
Review URL: http://codereview.chromium.org/668155
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4038 ce2b1a6d-e550-0410-aec6-3dcde31c8c00