172 Commits

Author SHA1 Message Date
sgjesse@chromium.org
800b6df2a6 Correct handling of adding a string and a small integer
The fast case of looking up the string conversion of the smi did not handle the case where left/right operands could be in eax/edx instead of edx/eax which is the default.

Also got rid of creating an internal frame for calling string and instead patched the argument on the stack and performed a tail call.

BUG=http://code.google.com/p/v8/issues/detail?id=636
TEST=test/mjsunit/regress/regress-636.js
Review URL: http://codereview.chromium.org/720001

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4061 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2010-03-09 09:40:35 +00:00
sgjesse@chromium.org
df4471c8f3 Fix stack tweaking in array allocation
When Array(0) or new Array(0) is handled by the generated code it is handled
by the same code as Array() and new Array(). For this to work the stack is
tweaked to remove the argument of value 0. However the argc was still passed
as 1 if a call to the runtime system was made.

When the stack is tweaked argc is also changed to 0.

BUG=634
TEST=test/mjsunittest/mjsunit/regress/regress-634.js
Review URL: http://codereview.chromium.org/668155

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4038 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2010-03-05 13:43:53 +00:00
kmillikin@chromium.org
3c0d77f32e Fix stack corruption when calling non-function.
Fix for issue 603.

Revision r3484 removed the property name from the call stack for
call ICs.  When a non-function was called via a call IC and
Function.prototype.call, an extra value was left on the stack that the
caller could not know to clean up.

Fix is to change the JS builtin used for calling non-functions.  It
now gets the callee as receiver, rather than iterating stack frames
and finding it on the expression stack of its JS caller.

Review URL: http://codereview.chromium.org/604064

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3882 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2010-02-17 08:26:50 +00:00
antonm@chromium.org
087fedeae8 Normalize the object before updating getter/setter info.
BUG=612

Review URL: http://codereview.chromium.org/608014

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3880 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2010-02-17 06:53:19 +00:00
sgjesse@chromium.org
10910394e6 Handle insertion order for simple constructors
When functions only have simple assignments of the form this.x = ... the object is created in generated code without actually calling the constructor. In this case the initial map for the function already contains the properties assigned in the constructor. The field descriptors in this initial map now has an enumeration index assigned to make property enumeration order the insertion order. The insertion order here is the order of the this.x assignments in the code.

BUG=http://crbug.com/3867
TEST=test/mjsunit/regress/regress-crbug-3867.js

Review URL: http://codereview.chromium.org/566016

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3768 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2010-02-02 13:33:29 +00:00
whesse@chromium.org
04e9399694 Fix V8 issue 580: Arithmetic on some integer constants gives wrong answers.
Review URL: http://codereview.chromium.org/545134

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3664 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2010-01-20 17:01:34 +00:00
mikhail.naganov@gmail.com
23fe22e7c8 Fix build problems.
Review URL: http://codereview.chromium.org/543087

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3622 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2010-01-15 20:15:47 +00:00
mikhail.naganov@gmail.com
a3c0f20035 Submit Object.getOwnPropertyNames patch by Pavel Feldman. See http://codereview.chromium.org/549050.
Add copyright to regression test to fix build broken by r3619.

TBR=sgjesse@chromium.org

Review URL: http://codereview.chromium.org/542092

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3620 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2010-01-15 15:34:32 +00:00
sgjesse@chromium.org
562f90d375 Ensure correct boxing of values when calling functions on them
When a function is called with a value type as the receiver this is now boxed as an object.

This is a low-impact solution where the receiver is only boxed when required. For IC calls to the V8 builtins values are not boxed and as most of the functions on String.prototype, Number.prototype and Boolean.prototype are sitting there most IC calls on values will not need any boxing of the receiver.

For calls which are not IC calls but calls through the CallFunctionStub a flag is used to determine whether the receiver might be a value and only when that is the case will the receiver be boxed.

No changes to Function.call and Function.apply - they already boxed values. According to the ES5 spec the receiver should not be boxed for these functions, but current browsers have not adopted that change yet.

BUG=223
TEST=test/mjsunit/value-wrapper.js
TEST=test/mjsunit/regress/regress-crbug-3184.js
Review URL: http://codereview.chromium.org/542087

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3617 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2010-01-15 13:42:32 +00:00
sgjesse@chromium.org
44b7c59eb5 Extend the maximum size map space
On 32-bit the maps are now aligned on a 32-byte boundary in order to encode more maps during compacting GC. The actual size of a map on 32-bit is 28 bytes making this change waste 4 bytes per map.

On 64-bit the encoding for compacting GC is now using more than 32-bits and the maps here are still pointer size aligned. The actual size of a map on 64-bit is 48 bytes and this change does not introduce any waste.

My choice of 16 bits for kMapPageIndexBits for 64-bit should give the same maximum number of pages (8K) for map space. As maps on 64-bit are larger than on 32-bit the total number of maps on 64-bit will be smaller than on 32-bit. We could consider raising this to 17 or 18.

I moved the kPageSizeBits to globals.h as the calculation of the encoding really depended on this.

There is still an #ifdef/#endif in objects.h and this constant could be moved to globals.h as well, but I kept it together with the related constants.

All the tests run in debug mode with additional options --gc-global --always-compact as well (except for a few tests which also fail before this change when run with --gc-global --always-compact).

BUG=http://code.google.com/p/v8/issues/detail?id=524
BUG=http://crbug.com/29428
TEST=test/mjsunit/regress/regress-524.js

Review URL: http://codereview.chromium.org/504026

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3481 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-12-17 08:53:18 +00:00
lrn@chromium.org
5bbb1d7bd6 Fix for issue 545: don't reuse this VariableProxy.
Review URL: http://codereview.chromium.org/464069


git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3432 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-12-08 09:43:51 +00:00
kmillikin@chromium.org
0bf2822266 The toplevel code generator assumed that declarations did not shadow
parameters.  This could cause the initial value to be lost or worse, a
crash.

Fix by handling the case of a declaration shadowing both
stack-allocated parameters and those in the arguments object.

This is related to V8 issue 540.
http://code.google.com/p/v8/issues/detail?id=540

BUG=29565
Review URL: http://codereview.chromium.org/469006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3429 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-12-07 13:31:47 +00:00
kmillikin@chromium.org
7266bd0b9a Fix issue 540 by handling the case that a declaration is in the
arguments object.

See http://code.google.com/p/v8/issues/detail?id=540
Review URL: http://codereview.chromium.org/460070

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3421 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-12-04 11:59:09 +00:00
erik.corry@gmail.com
a0e12a3124 Fix toLocaleString-related breakage on buildbot.
TBR=ager
Review URL: http://codereview.chromium.org/449055

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3392 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-12-01 14:19:23 +00:00
fschneider@chromium.org
1c90793581 Fix bug in the fast compiler's object literal code
Fixes issue 526:

BUG=http://code.google.com/p/v8/issues/detail?id=526

The object literals code in the fast compiler returned an incorrect result 
when getter or setters are defined together with computed properties.

Added a regression test that captures the most reduced version of this
problem. 

Also added a test for object literals with getters/setters and 
prototype properties.


Review URL: http://codereview.chromium.org/444001

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3370 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-26 21:13:20 +00:00
ager@chromium.org
3cf9ce4736 Fix crash in string replace with regexp. If the suffix of the subject
string is larger than 2047 chars we will encode the slice as two Smis
instead of one.  The calculation of the max size of the string builder
did not take this into account.

BUG=http://code.google.com/p/v8/issues/detail?id=515
Review URL: http://codereview.chromium.org/402056

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3334 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-18 18:48:04 +00:00
erik.corry@gmail.com
cc3896dfac Fix bug 503: undefined <= undefined should return false on ARM.
Review URL: http://codereview.chromium.org/399001

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3309 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-16 14:12:27 +00:00
fschneider@chromium.org
2e3e770ab9 Add a regression test that exposes a stack corruption problem.
See http://code.google.com/p/chromium/issues/detail?id=27227

Review URL: http://codereview.chromium.org/385092

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3303 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-13 13:58:48 +00:00
christian.plesner.hansen@gmail.com
5d4d5944dd Remove special-case for arguments.toString to match ES5
Patch by Jan de Mooij <jandemooij@gmail.com>
Review: http://codereview.chromium.org/273073

Review URL: http://codereview.chromium.org/389008


git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3279 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-11 11:28:37 +00:00
ager@chromium.org
2252cc1bc9 Fix inline constructor code bailout.
Remove variable that is currently unused.

BUG=http://code.google.com/p/v8/issues/detail?id=502
Review URL: http://codereview.chromium.org/392001

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3267 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-11 09:00:09 +00:00
erik.corry@gmail.com
57c919e414 Fix bug 486, Cyrillic character ranges in case independent regexps.
http://code.google.com/p/v8/issues/detail?id=486
Review URL: http://codereview.chromium.org/361033

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3236 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-06 11:15:20 +00:00
ager@chromium.org
f39fbb206e Fix case where we treat an unaliased call to eval as an aliased call
to eval.

BUG=http://code.google.com/p/v8/issues/detail?id=496
Review URL: http://codereview.chromium.org/366027

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3225 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-05 11:19:37 +00:00
sgjesse@chromium.org
77a71c90c7 Fix issue 491: constantpool dump violates ARM debugger assertion for return point
The generation of the return sequence is now protected from having the constant pool emitted inside of it in both compilers.

BUG=http://code.google.com/p/v8/issues/detail?id=491
TEST=test/mjsunit/regress/regress-491.js
Review URL: http://codereview.chromium.org/362003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3215 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-04 14:45:50 +00:00
sgjesse@chromium.org
54ec6c031a Fix issue 492: ARM debug crash: mozilla/ecma/FunctionObjects/15.3.1.1-3
When the number of parameters times 4 (kPointerSize) to a function cannot be encoded in 12 bits the return sequence gets one more instruction. Changed the assertion to check for this case.

BUG=http://code.google.com/p/v8/issues/detail?id=492
TEST=test/mjsunit/regress/regress-492.js
Review URL: http://codereview.chromium.org/354028

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3211 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-04 10:04:22 +00:00
sgjesse@chromium.org
b4c11d0816 Don't use string slices when processing RegExp replace (re-apply r3153)
Re-apply r3153 with a fix for issue 490. Except for the change in line 1756 and the added test this change is identical to http://codereview.chromium.org/342015.

BUG=490
TEST=test/mjsunit/regress/regress-490.js
Review URL: http://codereview.chromium.org/341064

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3197 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-02 12:21:43 +00:00
lrn@chromium.org
0aecc29024 Issue 485: Fix leak of builtins object through call and apply functions.
Review URL: http://codereview.chromium.org/345007


git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3164 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-10-28 13:51:30 +00:00
sgjesse@chromium.org
7a509f2101 Fix issue with running some constructors having only this.x = ... assignments.
If we had compiled the comment instead of the code it would have worked.

BUG=483
TEST=mjsunit/regress/regress-483.js
Review URL: http://codereview.chromium.org/332007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3120 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-10-23 12:18:47 +00:00
sgjesse@chromium.org
a637f45385 Fix issue 475
The check for arguments in registers in one of the three versions of GenericBinaryOpStub::GenerateCall was plain wrong.

BUG=475
TEST=mjsunit/regress/regress-475.js
Review URL: http://codereview.chromium.org/307002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3092 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-10-20 12:13:31 +00:00
peter.rybin@gmail.com
3b955790a0 Redo "running" field in debug-delay.js and support "suspend" command
It also fixes "backtrace" command so that it didn't give away random stack if we are running

Review URL: http://codereview.chromium.org/242034


git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3077 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-10-15 20:06:08 +00:00
lrn@chromium.org
aed6a37c10 X64: Convert smis to holding 32 bits of payload.
Review URL: http://codereview.chromium.org/196139


git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3037 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-10-08 12:36:12 +00:00
ager@chromium.org
e9acdc7a00 Follow the spec in disallowing function declarations without a name. We
used to allow these for compatibility, but both Safari and Firefox now
disallow them.
Review URL: http://codereview.chromium.org/242124

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3009 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-10-02 12:47:15 +00:00
kasperl@chromium.org
6621a43833 Add regression test case for http://crbug.com/18639 which
was fixed in r2642.
Review URL: http://codereview.chromium.org/192037

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2840 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-09-08 07:22:35 +00:00
whesse@chromium.org
3703231636 Add safe handling of NaN to Posix platform-dependent time functions.
Review URL: http://codereview.chromium.org/160580

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2615 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-08-04 09:41:18 +00:00
whesse@chromium.org
18c6337a2c Fix an error in a keyed lookup stub - HeapNumbers treated as strings.
Review URL: http://codereview.chromium.org/155924

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2527 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-07-23 13:01:17 +00:00
kmillikin@chromium.org
1ca19c383d Fix ARM compiler crash in short-circuited boolean expressions.
We did not handle the case where the left-hand-side expression was
fully compiled to control flow.  There were also some assertions for
unary and binary expressions that crashed debug builds when the
expression was fully compiled to control flow.

Regression test added.

Review URL: http://codereview.chromium.org/160006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2524 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-07-23 11:40:14 +00:00
kmillikin@chromium.org
6443cb99f7 Fix issue 345 by avoiding duplicates in the list of escaping labels
from a try...catch...finally statement.

Review URL: http://codereview.chromium.org/149670

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2466 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-07-15 08:57:25 +00:00
lrn@chromium.org
e3bb851efb X64: Fix bug in left-shift.
Also changed a few other places that looked suspicious in the same way.
Added more info to failing test case and rewrote incorrect uses of mjsunit "fail" function.

Review URL: http://codereview.chromium.org/155279


git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2409 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-07-09 08:00:12 +00:00
kasperl@chromium.org
b0f411c298 Fix issue 397 and issue 399.
Review URL: http://codereview.chromium.org/149247

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2372 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-07-07 11:57:09 +00:00
kasperl@chromium.org
f0053e89aa Add regression test case for issue 396.
Review URL: http://codereview.chromium.org/150215

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2333 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-07-02 09:08:15 +00:00
sgjesse@chromium.org
25405ddd9c Handle JavaScript accessors on the global object.
With the new representation of the global object adding JavaScript accessors for a property after global inline caches were created for that property did not work properly as the inline caches did not take the JavaScript accessor information (fixed array with two elements) that could be present in a global object property cell into account.

This is now fixed by changing the map for a global object when a JavaScript accessor is defined on it.

BUG=394
TEST=test\mjsunit\regress\regress-394.js
Review URL: http://codereview.chromium.org/150162

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2317 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-07-01 11:20:33 +00:00
kasperl@chromium.org
3ae01ab8ef Fix issue 392 by disabling the TakeValue optimization for
access to the arguments object.
Review URL: http://codereview.chromium.org/150016

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2285 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-06-29 06:20:52 +00:00
lrn@chromium.org
2dd9717c4b Fix bug in static type inference for loops.
Review URL: http://codereview.chromium.org/140058


git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2236 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-06-22 12:36:01 +00:00
whesse@chromium.org
74ddab9d94 Fix issue 386, a bug in JSObject::ReplaceSlowProperty with constant transitions.
Review URL: http://codereview.chromium.org/141031

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2228 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-06-22 07:41:15 +00:00
erik.corry@gmail.com
e2a01ed4fb Fix regexp bug reported by Ian where [6-9] would match any digit.
Review URL: http://codereview.chromium.org/140021

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2226 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-06-20 17:57:09 +00:00
lrn@chromium.org
945245393c Fix for issue 351 - lastIndexOf.
Review URL: http://codereview.chromium.org/113838


git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2060 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-05-26 15:42:06 +00:00
lrn@chromium.org
2ff3901cf7 Fix for issue 349: Make initial boundary check for BM text search.
There was a case where the BMH algorithm bailed out exactly at the end of the string, and the BM algorithm that takes over wasn't expecting this.

Review URL: http://codereview.chromium.org/113575


git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1995 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-05-19 09:01:03 +00:00
whesse@chromium.org
1ae8a7da3d Fix bug 344: always keep attributes of existing properties.
Review URL: http://codereview.chromium.org/113197

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1931 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-05-13 10:46:28 +00:00
kmillikin@chromium.org
18f69a7171 Fix for issue 341. In the stub for instanceof, we could try to read
an object's map before we were sure it was a heap object.
Review URL: http://codereview.chromium.org/115236

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1914 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-05-12 11:40:14 +00:00
lrn@chromium.org
889eac7f13 Fix Issue 326. Handle sorting of non-array objects correctly.
Change handling of sorting to be the same for all JS-arrays.
Collect undefined values as well while removing holes.

Review URL: http://codereview.chromium.org/92123


git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1800 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-04-27 11:16:59 +00:00
kmillikin@chromium.org
cb9d66638b Fix regression test by wrapping expression in a thunk^H^H^H^H^Hstring.
Review URL: http://codereview.chromium.org/95001

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1776 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-04-22 17:44:28 +00:00
kmillikin@chromium.org
b39f4383dc When merging a frame to an expected one at block entry, the static type
of elements is set to a safe lower bound.  Move the setting of the
static type out of VirtualFrame::MergeTo (which is not necessarily run
for all frames) and into VirtualFrame::PrepareMergeTo (which is).
Review URL: http://codereview.chromium.org/92009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1767 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-04-22 13:19:38 +00:00
lrn@chromium.org
bfb33b1e2f Fix for Issue 317 - bug in string.replace(string, "$foo").
Fix for Issue 317. Replace string with something containing dollar now works.

Review URL: http://codereview.chromium.org/94002


git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1764 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-04-22 11:43:05 +00:00
kmillikin@chromium.org
22896c8304 Change the function name collector to tolerate expressions that contain
multiple anonymous function literals as subexpressions.

Choose the rightmost one as the one to attach a name to.
Review URL: http://codereview.chromium.org/67165

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1715 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-04-15 13:14:23 +00:00
sgjesse@chromium.org
a74fcf458c Fixed the step in handling for function.apply.
The generic step-in mechanism floods the function called with break points to ensure a break is hit when entering the function. This generic mechanism was also used for function.apply. The code for function.apply contains a keyed load IC which was patched when stepping into function.apply. However function.apply enters an internal frame not a JavaScript frame. This caused the logic for returning from the break in function.apply to fail as it forced a jump to the IC on the top JavaScript frame. The top JavaScript frame was the frame for the function calling function.apply not the frame for the apply function. Now returning from the break point in the keyed load IC in the apply code caused a jump to the code for the call IC for the function calling function.apply in the first place. Not a pretty sight.

Step-in now handles function.apply as a separate case where the actual JavaScript function called through apply is flooded with breakpoints instead of the function.apply function.

BUG=269
BUG=8210@chromium.org
Review URL: http://codereview.chromium.org/63055

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1683 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-04-07 09:54:53 +00:00
kmillikin@chromium.org
c80b013999 Fix issue 294 by ensuring that we don't lose the copy flag on memory
frame elements when allocating them to a register as a result of
popping one of their copies.
Review URL: http://codereview.chromium.org/57053

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1655 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-31 14:01:25 +00:00
kmillikin@chromium.org
1ba34bf86b Fix issue 286. Ensure frame elements are invalidated by
InvalidateFrameSlotAt.

Review URL: http://codereview.chromium.org/53008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1594 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-24 12:42:28 +00:00
kmillikin@chromium.org
5e2f3adfd0 Fix issue 284.
The problem was continuing out of the body of a for/in (where we do
register allocation) to the loop update (where we do not).  Variables
allocated to registers were not preserved.

Review URL: http://codereview.chromium.org/53002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1585 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-24 08:29:24 +00:00
olehougaard
a8c50151fc Reapply revisions 1432, 1433, 1469 and 1472 while fixing issue 279.
Review URL: http://codereview.chromium.org/48006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1571 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-23 07:27:47 +00:00
ager@chromium.org
2fcad0aec1 Revert change 1509 that flush ICs when adding setters on an object or
when setting a __proto__ to an object that holds a setter.

This seems to cause a major page load regression, so we need to tune
the clearing.
Review URL: http://codereview.chromium.org/50011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1548 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-19 15:06:00 +00:00
kasperl@chromium.org
0a09a08ec8 Add copyright notice to new test case.
Review URL: http://codereview.chromium.org/42216

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1514 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-15 22:44:23 +00:00
erik.corry@gmail.com
99063fe0f8 Fix GC related crash bug in search-replace.
Review URL: http://codereview.chromium.org/42214

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1513 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-15 22:28:26 +00:00
erik.corry@gmail.com
3aa57f7f65 Revert 1432, 1433, 1469 and 1472 due to a bug with literal objects.
Review URL: http://codereview.chromium.org/46088

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1511 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-15 16:18:20 +00:00
christian.plesner.hansen@gmail.com
8dffcb9efa Flush ICs when adding setters to an object or setting a __proto__ to
an object that holds a setter.  If there are no store ics then no
flushing is done.  The implementation has been tweaked so that no ICs
are cleared during normal context creation.
This may cost us some performance but I'm submitting it as it is and
if there are problems we can either decide to be smarter about when,
what and/or how we clear, or back this change out altogether.


git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1509 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-13 13:43:07 +00:00
kmillikin@chromium.org
0e60cf38dc Fix issue 265 by handling extra statement state on the frame based on
the expectation at the break, continue, and return labels (including
shadowed ones) instead of based on the AST nodes.

See http://code.google.com/p/v8/issues/detail?id=265

Review URL: http://codereview.chromium.org/42017

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1482 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-11 06:17:19 +00:00
lrn@chromium.org
34db0ff86c Issue 267: Calls to arguments in eval-tainted function scope uses global object as receiver.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1476 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-10 12:28:34 +00:00
christian.plesner.hansen@gmail.com
782b53799d Implemented invalid UTF8 detection in decodeURI. That is, detection
of invalid utf8 not invalid utf8-detection.


git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1471 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-10 09:08:05 +00:00
ager@chromium.org
bab4b3b2e0 Simplify the map collection regression test. This test is the minimal
example that would trigger the bug.
Review URL: http://codereview.chromium.org/43004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1467 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-10 07:23:22 +00:00
ager@chromium.org
38548e3da6 Make map collection test run faster in an attempt to make it pass on
buildbot (not timeout).

This consistently fails with the old build.

TBR=whesse
Review URL: http://codereview.chromium.org/40302

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1462 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-09 18:00:39 +00:00
whesse@chromium.org
7977c6c680 Fix garbage collection of unused maps. Null descriptors, created
by map collection, are now handled correctly everywhere.  The 
map-collect flag is now true by default.
Review URL: http://codereview.chromium.org/40218

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1459 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-09 16:24:46 +00:00
kmillikin@chromium.org
34af9f2ecf Work around issue 260 for now by disabling duplication of the loop
condition for while and for loops.

http://code.google.com/p/v8/issues/detail?id=260

Review URL: http://codereview.chromium.org/40294

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1453 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-09 14:12:20 +00:00
kmillikin@chromium.org
ece2c03160 Fix issue 263:
http://code.google.com/p/v8/issues/detail?id=263

Sharing the code to unlink the exception handler for a try/finally
causes us to try to merge virtual frames with different heights (due
to statements that keep state on the stack) at the entry to the unlink
code.

Avoid this by unlinking the handler separately for each exit from the
try block.
Review URL: http://codereview.chromium.org/39331

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1449 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-09 10:51:57 +00:00
kmillikin@chromium.org
182c3ebb2d Reapply r1434 and port to ARM.
Review URL: http://codereview.chromium.org/40220

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1441 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-06 14:18:03 +00:00
christian.plesner.hansen@gmail.com
2a2c9381ea Reverted r1434
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1437 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-06 11:59:53 +00:00
kmillikin@chromium.org
b638d5c613 Fix issue 259.
http://code.google.com/p/v8/issues/detail?id=259

Due to constant folding of loop conditions, it is possible to have a
try/finally with no exits from the try block (eg, an infinite loop in
the try block).  In that case the code to unlink the try handler is
dead and should not be emitted.

Review URL: http://codereview.chromium.org/39251

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1434 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-06 10:18:33 +00:00
lrn@chromium.org
21fb24e0b2 Issue 254 - now correctly updates lastIndexof when using the test method.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1418 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-04 12:29:37 +00:00
olehougaard
7bd50d046d Fixed issue 253. No longer assuming that the target of a property lookup is a JSObject.
Review URL: http://codereview.chromium.org/39126

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1416 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-04 11:57:24 +00:00
lrn@chromium.org
4852bef23d Issue 246 - wait until regexp is parsed to detect whether it's simple.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1412 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-03-04 09:52:01 +00:00
lrn@chromium.org
80bb2cc546 Missing handle check. Triggers bug if the runtime stack overflows and it is detected by a global regexp.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1263 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-02-13 09:40:15 +00:00
lrn@chromium.org
0b1f3f2134 Issue 231 - Irregexp backtracking stack pointer could become corrupted.
http://code.google.com/p/v8/issues/detail?id=231


git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1257 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-02-12 13:07:58 +00:00
lrn@chromium.org
396fa22799 Regular Expression literal flags may contain unicode escapes. If these escape any of the
valid flags, "gim", they should work.


git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1253 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-02-12 09:09:28 +00:00
lrn@chromium.org
c621bbbe45 Issue 227 Fixed. Properly handles non-ASCII characters in quick-check on ASCII strings.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1248 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-02-11 11:54:30 +00:00
lrn@chromium.org
b0e3ee6274 Fix bug 225 in regexp replace with function.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1232 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-02-05 13:24:13 +00:00
sgjesse@chromium.org
d131ecf3dd Changed the debugger API to allow only one debug event listener to be registered. The public API now only has SetDebugEventListener instead of AddDebugEventListener and RemoveDebugEventListener.
Moved the registered debug event listener from the context to a global handle in the Debugger class. Storing it in the context did not make much sense.

Changed a lot of tests to handle the API change.

BUG=1242707
Review URL: http://codereview.chromium.org/19753

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1212 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-02-03 07:59:12 +00:00
ager@chromium.org
c33e51681f Fix issue 221:
http://code.google.com/p/v8/issues/detail?id=221

The attempt to resolve 'eval' went into an infinite loop.  Also, we
need to throw a reference error in case 'eval' cannot be resolved.
Review URL: http://codereview.chromium.org/19536

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1206 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-02-02 13:18:20 +00:00
kmillikin@chromium.org
46023fb742 Fix for off-by-one when initializing a constant or function
declaration that was not a slot.
Review URL: http://codereview.chromium.org/19745

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1203 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-02-02 12:05:13 +00:00
lrn@chromium.org
0730ada63e Allow duplicate flags in regexps to match other browsers.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1193 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-01-30 12:36:40 +00:00
lrn@chromium.org
2de5de495f Irregexp: Backtrack past look-aheads works correctly.
Allows backtracking to clear registers instead of pushing and popping
them to restore state.
Redo of 1135 with bug fixed.


git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1156 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-01-26 14:38:17 +00:00
ager@chromium.org
524e34b8f8 Fix issue 192 by propagating out exceptions from object literal
boilerplate creation.

Removed declaration of unused and unimplemented function.
Review URL: http://codereview.chromium.org/18749

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1151 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-01-26 13:10:26 +00:00
erik.corry@gmail.com
108fe9dbcc complete revert by removing empty files
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1139 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-01-23 15:50:33 +00:00
erik.corry@gmail.com
f6c3ef2d2a Reverting r1136 due to crashes
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1138 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-01-23 14:33:19 +00:00
lrn@chromium.org
18c2d3ef4e Clears captures of look-aheads on backtrack.
Reduces number of pushes when flushing a trace. Some are converted to clears
in the undo-code instead, and some just ignored if they have no value worth restoring.


git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1136 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-01-23 13:34:51 +00:00
ager@chromium.org
39842baecf Do not violate the assumption that fast-case arrays have Smi length
when transforming from slow to fast-case array elements.

This fixes issue 201:
  
   http://code.google.com/p/v8/issues/detail?id=201
   
Review URL: http://codereview.chromium.org/18711

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1135 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-01-23 13:08:29 +00:00
ager@chromium.org
8a731355be Make sure that eval and try-catch introduced context extension objects
act as if they have no properties in their prototype chains.

This fixes V8 issue 193:

  http://code.google.com/p/v8/issues/detail?id=193.
Review URL: http://codereview.chromium.org/18709

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1132 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-01-23 12:16:03 +00:00
ager@chromium.org
c23dbc1928 Fix handling of const initialization. We did not handle the fact that
a const variable can be deleted between its declaration and its
initialization.

This fixes issue 189:

  http://code.google.com/p/v8/issues/detail?id=189

Review URL: http://codereview.chromium.org/18660

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1127 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-01-22 13:53:06 +00:00
sgjesse@chromium.org
c2c780bfc4 Added handles to the mirror objects. When a mirror for an object is created
it is assigned a numeric handle. Handles are used to make a 1:1
correspondence between objects and mirrors. Currently the mirrors are
cached in a JavaScript array and when creating a mirror this cache is
checked to see if a mirror already exists for the object. This cache is
cleared when leaving the debugger.

Changed the serialization format to take advantage of these handles. When
an object is serialized referenced objects are represented just by their
handle id serialized as '{ref:<handle>}'. During serialization the
referenced handles are collected and the serializer can provide a
serialization of all the referenced objects.

Removed the special handling of array properties. Indexed properties and
the length property are now rendered as named properties in the
serialization.

Removed the special serialization handling of RegExp properties. The
properties 'source', 'global', 'ignoreCase' and 'multiline' are serialized
with the rest of the properties.

Changed a lot of tests to handle the changed format.
Review URL: http://codereview.chromium.org/18092

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1093 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-01-16 09:54:46 +00:00
ager@chromium.org
47d1298236 Change the handling of catch blocks to use context extension objects
instead of normal JSObjects.

This ensures that __proto__ and accessors on the Object prototype do
not interfere with catch scopes.  Also, it fixes the bug that catch
variables were not DontDelete (issue 74).

Next step is to create special lookup routines for context extension
objects and remove the special handling of context extension objects
from the general javascript object lookup routines.
Review URL: http://codereview.chromium.org/18143

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1091 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-01-16 09:42:08 +00:00
sgjesse@chromium.org
dc2a0ec3e9 Reverted r1078 as it was committed by accident without review.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1079 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-01-15 12:29:05 +00:00
sgjesse@chromium.org
6bc1d40a57 Added handles to the mirror objects. When a mirror for an object is created it is assigned a numeric handle. Handles are used to make a 1:1 correspondence between objects and mirrors. Currently the mirrors are cached in a JavaScript array and when creating a mirror this cache is checked to see if a mirror already exists for the object. This cache is cleared when leaving the debugger.
Changed the serialization format to take advantage of these handles. When an object is serialized referenced objects are represented just by their handle id serialized as '{ref:<handle>}'. During serialization the referenced handles are collected and the serializer can provide a serialization of all the referenced objects.

Removed the special handling of array properties. Indexed properties and the length property are now rendered as named properties in the serialization.

Removed the special serialization handling of RegExp properties. The properties 'source', 'global', 'ignoreCase' and 'multiline' are serialized with the rest of the properties.

Changed a lot of tests to handle the changed format.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1078 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-01-15 12:10:34 +00:00
ager@chromium.org
384b0a5408 Fix issue 191:
http://code.google.com/p/v8/issues/detail?id=191

Accessor setters should not be called for eval-introduced context
extension objects.

This change fixes the issue, but I think it is time to separate out
the lookup routines for eval-introduced context extension objects.
There is no reason to use the general lookup routines for this.  I'll
do that in a separate changelist.
Review URL: http://codereview.chromium.org/18090

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1076 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-01-15 11:31:08 +00:00
ager@chromium.org
d4dae20a12 Fix issue 186:
http://code.google.com/p/v8/issues/detail?id=186

Create a new instance type for context extension objects.  Use it to
not use the __proto__ accessor for context extension objects.
Review URL: http://codereview.chromium.org/18044

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1072 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-01-14 12:13:26 +00:00