ulan@chromium.org
b9e0b87a5a
Clear optimized code cache in shared function info when code gets deoptimized.
...
This adds a pointer to the shared function info into deoptimization data of an optimized code. Whenever the code is deoptimized, it clears the cache in the shared function info.
This fixes the problem when the optimized function dies in new space GC before the code is deoptimized due to code dependency and before the optimized code cache is cleared in old space GC (see mjsunit/regress/regress-343609.js).
This partially reverts r19603 because we need to be able to evict specific code from the optimized code cache.
BUG=343609
LOG=Y
TEST=mjsunit/regress/regress-343609.js
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/184923002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19635 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-03 11:11:39 +00:00
rossberg@chromium.org
5543263c19
Move all Harmony-only tests to harmony/
...
R=jkummerow@chromium.org
BUG=
Review URL: https://codereview.chromium.org/178583005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19622 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 14:26:32 +00:00
ishell@chromium.org
c2601aea8a
Check elimination did not mark some dead blocks.
...
R=danno@chromium.org
Review URL: https://codereview.chromium.org/180483003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19619 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 14:16:38 +00:00
svenpanne@chromium.org
e9273332ef
Fixed constant folding for Math.clz32.
...
LOG=y
BUG=347906
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/184353002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19609 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 13:07:10 +00:00
mvstanton@chromium.org
b1ffc7901f
A JSArray may have a filler map in the elements pointer.
...
We already have code that expects this, but incorrectly asserted that the
filler map case would never happen when allocation folding is turned on.
However, even folding has its limits, bailing out of continued folding
when the object size grows too large. Therefore, it's a general problem
when verifying JSArray objects, that we might encounter a filler map
in elements().
Discovered by ClusterFuzz crbug 347903.
R=hpayer@chromium.org
LOG=N
BUG=347903
Review URL: https://codereview.chromium.org/184493002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19604 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 12:29:19 +00:00
yangguo@chromium.org
5c186bb197
Evict from optimized code map in sync with removing from optimized functions list.
...
R=ulan@chromium.org
Review URL: https://codereview.chromium.org/184443002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19603 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 12:27:31 +00:00
bmeurer@chromium.org
70242fe3bb
Fix JSObject::PrintTransitions.
...
BUG=347912
LOG=y
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/183683005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19601 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 11:41:07 +00:00
hpayer@chromium.org
38ca2629be
Fix representation generalization for doubles.
...
BUG=
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/184393002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19599 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 11:07:10 +00:00
dcarney@chromium.org
98d1cedac4
Get array_function from NativeContext
...
R=mvstanton@chromium.org
LOG=N
BUG=347528
Review URL: https://codereview.chromium.org/184173003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19595 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 10:01:27 +00:00
bmeurer@chromium.org
5945f9ebb9
Fix handling of constant global variable assignments.
...
BUG=347904
LOG=y
R=hpayer@chromium.org
Review URL: https://codereview.chromium.org/184303003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19594 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 09:40:12 +00:00
svenpanne@chromium.org
c4e90c15b8
Removed bogus ASSERT.
...
LOG=y
BUG=347542
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/183763007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19592 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 08:45:07 +00:00
ishell@chromium.org
2ab83cf192
HAllocate should never generate allocation code if the requested size does not fit into page. Regression test included.
...
BUG=347543
LOG=N
R=hpayer@chromium.org
Review URL: https://codereview.chromium.org/180803005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19591 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 17:33:25 +00:00
verwaest@chromium.org
aa14020bc7
Fix putting of prototype transitions. The length is also subject to GC, just like entry.
...
BUG=347536
LOG=n
R=danno@chromium.org
Review URL: https://codereview.chromium.org/183193003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19586 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 16:07:44 +00:00
jarin@chromium.org
05b98492a4
Handle arguments objects in frame when materializing arguments
...
R=mstarzinger@chromium.org
BUG=347262
Review URL: https://codereview.chromium.org/177293009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19584 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 15:12:12 +00:00
yangguo@chromium.org
6912a248ca
Fix bogus assertion in SetFastDoubleElements.
...
R=danno@chromium.org
BUG=347530
LOG=N
Review URL: https://codereview.chromium.org/181433016
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19579 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 14:45:53 +00:00
mvstanton@chromium.org
b8f8cfabca
Fix for Clusterfuzz issue 343928.
...
The problem was that the debugger didn't expect that a JSFunction could
have a GlobalContext, which it can with harmony scoping.
BUG=343928
R=yangguo@chromium.org
LOG=N
Review URL: https://codereview.chromium.org/183103003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 13:25:05 +00:00
ishell@chromium.org
1ae7e8a1e5
Fix for failing asserts in HBoundsCheck code generation on x64: index register should be zero extended.
...
BUG=345820
LOG=N
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/180013002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19549 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 16:33:54 +00:00
verwaest@chromium.org
d5caecccc5
Revert "Use stability to only conditionally flush information from the CheckMaps table."
...
R=ishell@chromium.org
Review URL: https://codereview.chromium.org/180023002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19548 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 16:11:58 +00:00
jkummerow@chromium.org
e7e93cd433
Mark HCompareMap as having Tagged representation
...
BUG=chromium:346636
LOG=y
R=svenpanne@chromium.org
Review URL: https://codereview.chromium.org/176923013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19545 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 15:09:47 +00:00
rossberg@chromium.org
63f1970c6c
Fix crasher in Object.getOwnPropertySymbols
...
R=arv@chromium.org, mstarzinger@chromium.org
BUG=346141
LOG=Y
Review URL: https://codereview.chromium.org/177883002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19539 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 12:01:34 +00:00
bmeurer@chromium.org
77f597d387
Don't eliminate loads with incompatible types or representations.
...
BUG=346343
LOG=y
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/179553002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19536 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 09:55:50 +00:00
ishell@chromium.org
6c1659becf
Fix for a smi stores optimization on x64 with a regression test.
...
BUG=345715
LOG=N
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/178833002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19535 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 09:55:02 +00:00
dcarney@chromium.org
cb05cff594
negative bounds checking on realm calls
...
R=rossberg@chromium.org
LOG=N
BUG=344285
Review URL: https://codereview.chromium.org/169393002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19533 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 09:15:05 +00:00
jkummerow@chromium.org
37b6fd07c1
Fix optimistic BCE to back off after deopt
...
BUG=v8:3176
LOG=n
R=danno@chromium.org
Review URL: https://codereview.chromium.org/177523002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19530 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-24 13:15:31 +00:00
verwaest@chromium.org
84b366516e
Don't turn objects with empty-string properties into fast-mode.
...
R=ishell@chromium.org
Review URL: https://codereview.chromium.org/165743003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19511 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-20 16:11:48 +00:00
ishell@chromium.org
1342cb8b00
Bugfix in check elimination with a regression test.
...
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/172173003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19481 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-19 12:34:50 +00:00
jkummerow@chromium.org
6e3b81a7b2
Fix Hydrogen bounds check elimination
...
When combining bounds checks, they must all be moved before the first load/store
that they are guarding.
BUG=chromium:344186
LOG=y
R=svenpanne@chromium.org
Review URL: https://codereview.chromium.org/172093002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19475 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-19 10:30:39 +00:00
verwaest@chromium.org
60c08a8bf2
Directly store the transition target on LookupResult in TransitionResult.
...
BUG=chromium:343964
LOG=N
R=jkummerow@chromium.org
Review URL: https://codereview.chromium.org/170343003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19440 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-18 12:19:32 +00:00
jarin@chromium.org
4c7ed144e1
Comparison in effect context lazy deopt fix.
...
R=jkummerow@chromium.org
BUG=
Review URL: https://codereview.chromium.org/163623002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19396 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-16 05:51:10 +00:00
ulan@chromium.org
6744ff61ae
Fix dictionary element load to pass correct elements kind.
...
Using FAST_SMI_ELEMENTS triggers optimization on 64-bit architectures that load
only the higher 32 bits of the element. If the element is a pointer to undefined
that has 0 in the higher half then it is erroneously treated as SMI 0.
BUG=v8:3158
LOG=N
TEST=mjsunit/sparse-array-reverse,mjsunit/regress/regress-3158.js
R=danno@chromium.org, ishell@chromium.org
Review URL: https://codereview.chromium.org/166653005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19387 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-14 15:52:24 +00:00
yangguo@chromium.org
68c7523e63
Fix assignment of function name constant.
...
If it's shadowed by a variable of the same name and both are forcibly
context-allocated, the function is assigned to the wrong context slot.
R=rossberg@chromium.org
BUG=v8:3138
LOG=Y
Review URL: https://codereview.chromium.org/159903008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19379 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-14 12:40:47 +00:00
jarin@chromium.org
8acefb33fe
Test and fix for polymorphic named call deoptimization.
...
The fix removes wrong simulates from the number branch of polymorphic
call/field access handling.
The change also fixes the same thing for polymorphic named field
access even though the field access is probably safe in practice
(because it cannot deoptimize). It is better to keep all our simulates
in sync with full codegen.
R=jkummerow@chromium.org
BUG=
Review URL: https://codereview.chromium.org/166503002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19375 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-14 12:02:39 +00:00
yangguo@chromium.org
a676bc1bbf
Fix typed array error message.
...
R=dslomov@chromium.org
BUG=v8:3159
LOG=N
Review URL: https://codereview.chromium.org/163293002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19369 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-14 09:33:03 +00:00
verwaest@chromium.org
e0960e19aa
Fix polymorphic inlining of accessors in a test-context.
...
R=ishell@chromium.org
Review URL: https://codereview.chromium.org/164003002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19363 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-13 16:55:38 +00:00
verwaest@chromium.org
161b2f689a
Reland: "Use stability to only conditionally flush information from the CheckMaps table."
...
BUG=
R=ishell@chromium.org
Original CL: https://codereview.chromium.org/153823003
Review URL: https://codereview.chromium.org/153653007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19342 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 18:48:12 +00:00
verwaest@chromium.org
7b7e3658f7
Don't propagate information through phis in loop headers.
...
To properly do this, we'd have to iterate over CompareMaps (and their bodies) handling phis, until we have learned enough to decide which paths can be taken. For now, just disable learning from phis in loop headers.
BUG=
R=ishell@chromium.org
Review URL: https://codereview.chromium.org/147023005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19341 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 18:30:41 +00:00
verwaest@chromium.org
75432b7696
Revert "Use stability to only conditionally flush information from the CheckMaps table."
...
R=ishell@chromium.org
BUG=
Review URL: https://codereview.chromium.org/137863005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19331 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 15:38:42 +00:00
verwaest@chromium.org
2b7d33572a
Use stability to only conditionally flush information from the CheckMaps table.
...
BUG=
R=ishell@chromium.org
Review URL: https://codereview.chromium.org/153823003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19330 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 15:07:41 +00:00
jarin@chromium.org
af29e31a11
Fix for (One|Two)ByteSeqStringSetChar evaluation order/deopt.
...
This makes the evaluation order consistent between full codegen
and Hydrogen (so that deopt does not screw up stack).
R=jkummerow@chromium.org
BUG=
Review URL: https://codereview.chromium.org/159983008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19326 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 13:31:24 +00:00
ulan@chromium.org
e95bc7eec8
Merge experimental/a64 to bleeding_edge.
...
BUG=v8:3113
LOG=Y
R=jochen@chromium.org, rmcilroy@chromium.org, rodolph.perfetta@arm.com
Review URL: https://codereview.chromium.org/148293020
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19311 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 09:19:30 +00:00
jarin@chromium.org
21bf99e53e
Fix environment of the optimized version of the _SetValueOf intrinsic.
...
R=jkummerow@chromium.org
BUG=
Review URL: https://codereview.chromium.org/158723006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19289 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-11 16:11:53 +00:00
rossberg@chromium.org
e8175a3e9f
Revert "Make Function.length and Function.name configurable properties."
...
Plenty of test failures on test262, Mozilla, Webkit. Will have to investigate.
TBR=mstarzinger@chromium.org
BUG=
Review URL: https://codereview.chromium.org/139983003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19203 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-07 15:29:18 +00:00
rossberg@chromium.org
7317b71f02
Make Function.length and Function.name configurable properties.
...
ES6 makes the Function object properties "length" and "name"
configurable; switch the implementation over to follow that.
Doing so exposed a problem in the handling of non-writable, but
configurable properties backed by foreign callback accessors
internally. As an optimization, if such an accessor property is
re-defined with a new value, its setter was passed the new value
directly, keeping the property as an accessor property. However, this
is not correct should the property be non-writable, as its setter will
then simply ignore the updated value. Adjust the enabling logic for
this optimization accordingly, along with adding a test.
LOG=N
R=rossberg@chromium.org, rossberg
BUG=v8:3045
Review URL: https://codereview.chromium.org/116083006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19200 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-07 14:55:30 +00:00
jarin@chromium.org
476881ce5b
Test and fix for _CallFunction intrinsic deoptimization.
...
I have also cleaned up HOptimizedGraphBuilder::GenerateCallFunction
to use IfBuilder.
R=jkummerow@chromium.org
BUG=
Review URL: https://codereview.chromium.org/131343013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19151 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-06 12:42:26 +00:00
jarin@chromium.org
eb502fe599
Binary operation deoptimization fix.
...
R=jkummerow@chromium.org
BUG=
Review URL: https://codereview.chromium.org/132453009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19132 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-06 09:36:55 +00:00
dslomov@chromium.org
a03d31394c
Check the offset argument of TypedArray.set for fitting into Smi.
...
R=jkummerow@chromium.org
BUG=340125
LOG=Y
Review URL: https://codereview.chromium.org/145623009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19051 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-04 09:53:05 +00:00
yangguo@chromium.org
9e70f6a4e7
Fix short-circuiting logical and/or in HOptimizedGraphBuilder.
...
R=jkummerow@chromium.org
BUG=336148
LOG=Y
Review URL: https://codereview.chromium.org/143263022
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19031 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-03 14:29:34 +00:00
verwaest@chromium.org
db7124dc28
Return a valid map for PropertyAccessInfos with Boolean type.
...
BUG=340064
LOG=N
R=dcarney@chromium.org
Review URL: https://codereview.chromium.org/152603002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19023 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-03 10:20:32 +00:00
jarin@chromium.org
3c2363f4b4
Simpler repro for bug 2989.
...
We do not correctly handle accesses to f.arguments after one
of the arguments has changed (where f is crankshafted).
R=machenbach@chromium.org
BUG=v8:2989
LOG=n
Review URL: https://codereview.chromium.org/151403003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18999 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-31 16:12:58 +00:00
bmeurer@chromium.org
3214cf11ff
Don't crash in Array.join() if the resulting string exceeds the max string length.
...
LOG=y
BUG=336820
R=svenpanne@chromium.org
Review URL: https://codereview.chromium.org/144533003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18986 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-31 12:21:17 +00:00