This adds a pointer to the shared function info into deoptimization data of an optimized code. Whenever the code is deoptimized, it clears the cache in the shared function info.
This fixes the problem when the optimized function dies in new space GC before the code is deoptimized due to code dependency and before the optimized code cache is cleared in old space GC (see mjsunit/regress/regress-343609.js).
This partially reverts r19603 because we need to be able to evict specific code from the optimized code cache.
BUG=343609
LOG=Y
TEST=mjsunit/regress/regress-343609.js
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/184923002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19635 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We already have code that expects this, but incorrectly asserted that the
filler map case would never happen when allocation folding is turned on.
However, even folding has it's limits, bailing out of continued folding
when the object size grows too large. Therefore, it's a general problem
when verifying JSArray objects, that we might encounter a filler map
in elements().
Discovered by ClusterFuzz crbug 347903.
R=hpayer@chromium.org
LOG=N
BUG=347903
Review URL: https://codereview.chromium.org/184493002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19604 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Refresh the implementation of Symbols to catch up with what the
specification now mandates:
* The global Symbol() function manufactures new Symbol values,
optionally with a string description attached.
* Invoking Symbol() as a constructor will now throw.
* ToString() over Symbol values still throws, and
Object.prototype.toString() stringifies like before.
* A Symbol value is wrapped in a Symbol object either implicitly if
it is the receiver, or explicitly done via Object(symbolValue) or
(new Object(symbolValue).)
* The Symbol.prototype.toString() method no longer throws on Symbol
wrapper objects (nor Symbol values.) Ditto for Symbol.prototype.valueOf().
* Symbol.prototype.toString() stringifies as "Symbol("<description>"),
valueOf() returns the wrapper's Symbol value.
* ToPrimitive() over Symbol wrapper objects now throws.
Overall, this provides a stricter separation between Symbol values and
wrapper objects than before, and the explicit fetching out of the
description (nee name) via the "name" property is no longer supported
(by the spec nor the implementation.)
Adjusted existing Symbol test files to fit current, adding some extra
tests for new/changed behavior.
LOG=N
R=arv@chromium.org, rossberg@chromium.org, arv, rossberg
BUG=v8:3053
Review URL: https://codereview.chromium.org/118553003
Patch from Sigbjorn Finne <sigbjornf@opera.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19490 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Code generation would fail when assembling a branch to a label that is bound
outside the immediate range of the instruction. A64 is sensitive to this, as the
various branching instructions have different ranges, going down to +-32KB for
TBZ/TBNZ. The MacroAssembler is augmented to handle branches to targets that
may exceed the immediate range of instructions.
When branching backward to a label exceeding the instruction range, the
MacroAssembler can simply tweak the generated code to use an unconditional
branch with a longer range. For example instead of
B(cond, &label);
the MacroAssembler can generate:
b(InvertCondition(cond), &done);
b(&label);
bind(&done);
Since the target is not known when the branch is emitted, forward branches uses
a different mechanism. The MacroAssembler keeps track of forward branches to
unbound labels. When the code generation approaches the end of the range of a
branch, a veneer is generated for the branch.
BUG=v8:3148
LOG=Y
R=ulan@chromium.org
Review URL: https://codereview.chromium.org/169893002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19444 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Arithmetic right shifting is *not* division in two's complement
representation, only in one's complement. So we convert to one's
complement, shift, and go back to two's complement. By permutating the
last steps, one can get efficient branch-free code. This insight comes
from the paleozoic era of computer science, see the paper from 1976:
Guy Lewis Steele Jr.: "Arithmetic Shifting Considered Harmful"
ftp://publications.ai.mit.edu/ai-publications/pdf/AIM-378.pdf
This results in better and more correct code than our previous
"neg/shift/neg" dance.
LOG=y
BUG=v8:3151
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/166793002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19434 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The fix removes wrong simulates from the number branch of polymorphic
call/field access handling.
The change also fixes the same thing for polymorphic named field
access even thourgh the field access is probably safe in practice
(because it cannot deoptimize). It is better to keep all our simulates
in sync with full codegen.
R=jkummerow@chromium.org
BUG=
Review URL: https://codereview.chromium.org/166503002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19375 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This patch generalizes Object.observe callbacks and promise resolution into a FIFO queue called a "microtask queue".
It also exposes new V8 API which exposes the microtask queue to the embedder. In particular, it allows the embedder to
-schedule a microtask (EnqueueExternalMicrotask)
-run the microtask queue (RunMicrotasks)
-control whether the microtask queue is run automatically within V8 when the last script exits (SetAutorunMicrotasks).
R=dcarney@chromium.org, rossberg@chromium.org, dcarney, rossberg, svenpanne
BUG=
Review URL: https://codereview.chromium.org/154283002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19344 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
