Commit Graph

884 Commits

Author SHA1 Message Date
ulan@chromium.org
b9e0b87a5a Clear optimized code cache in shared function info when code gets deoptimized.
This adds a pointer to the shared function info into deoptimization data of an optimized code. Whenever the code is deoptimized, it clears the cache in the shared function info.

This fixes the problem when the optimized function dies in new space GC before the code is deoptimized due to code dependency and before the optimized code cache is cleared in old space GC (see mjsunit/regress/regress-343609.js).

This partially reverts r19603 because we need to be able to evict specific code from the optimized code cache.

BUG=343609
LOG=Y
TEST=mjsunit/regress/regress-343609.js
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/184923002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19635 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-03 11:11:39 +00:00
rossberg@chromium.org
5543263c19 Move all Harmony-only tests to harmony/
R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/178583005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19622 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 14:26:32 +00:00
ishell@chromium.org
c2601aea8a Check elimination did not mark some dead blocks.
R=danno@chromium.org

Review URL: https://codereview.chromium.org/180483003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19619 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 14:16:38 +00:00
svenpanne@chromium.org
e9273332ef Fixed constant folding for Math.clz32.
LOG=y
BUG=347906
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/184353002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19609 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 13:07:10 +00:00
mvstanton@chromium.org
b1ffc7901f A JSArray may have a filler map in the elements pointer.
We already have code that expects this, but incorrectly asserted that the
filler map case would never happen when allocation folding is turned on.
However, even folding has it's limits, bailing out of continued folding
when the object size grows too large. Therefore, it's a general problem
when verifying JSArray objects, that we might encounter a filler map
in elements().

Discovered by ClusterFuzz crbug 347903.

R=hpayer@chromium.org
LOG=N
BUG=347903

Review URL: https://codereview.chromium.org/184493002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19604 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 12:29:19 +00:00
yangguo@chromium.org
5c186bb197 Evict from optimized code map in sync with removing from optimized functions list.
R=ulan@chromium.org

Review URL: https://codereview.chromium.org/184443002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19603 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 12:27:31 +00:00
bmeurer@chromium.org
70242fe3bb Fix JSObject::PrintTransitions.
BUG=347912
LOG=y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/183683005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19601 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 11:41:07 +00:00
hpayer@chromium.org
38ca2629be Fix representation generalization for doubles.
BUG=
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/184393002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19599 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 11:07:10 +00:00
dcarney@chromium.org
98d1cedac4 Get array_function from NativeContext
R=mvstanton@chromium.org
LOG=N
BUG=347528

Review URL: https://codereview.chromium.org/184173003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19595 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 10:01:27 +00:00
bmeurer@chromium.org
5945f9ebb9 Fix handling of constant global variable assignments.
BUG=347904
LOG=y
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/184303003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19594 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 09:40:12 +00:00
svenpanne@chromium.org
c4e90c15b8 Removed bogus ASSERT.
LOG=y
BUG=347542
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/183763007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19592 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 08:45:07 +00:00
ishell@chromium.org
2ab83cf192 HAllocate should never generate allocation code if the requested size does not fit into page. Regression test included.
BUG=347543
LOG=N
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/180803005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19591 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 17:33:25 +00:00
verwaest@chromium.org
aa14020bc7 Fix putting of prototype transitions. The length is also subject to GC, just like entry.
BUG=347536
LOG=n
R=danno@chromium.org

Review URL: https://codereview.chromium.org/183193003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19586 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 16:07:44 +00:00
jarin@chromium.org
05b98492a4 Handle arguments objects in frame when materializing arguments
R=mstarzinger@chromium.org
BUG=347262

Review URL: https://codereview.chromium.org/177293009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19584 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 15:12:12 +00:00
yangguo@chromium.org
6912a248ca Fix bogus assertion in SetFastDoubleElements.
R=danno@chromium.org
BUG=347530
LOG=N

Review URL: https://codereview.chromium.org/181433016

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19579 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 14:45:53 +00:00
mvstanton@chromium.org
b8f8cfabca Fix for Clusterfuzz issue 343928.
The problem was that the debugger didn't expect that a JSFunction could
have a GlobalContext, which it can with harmony scoping.

BUG=343928
R=yangguo@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/183103003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-27 13:25:05 +00:00
ishell@chromium.org
1ae7e8a1e5 Fix for failing asserts in HBoundsCheck code generation on x64: index register should be zero extended.
BUG=345820
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/180013002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19549 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 16:33:54 +00:00
verwaest@chromium.org
d5caecccc5 Revert "Use stability to only conditionally flush information from the CheckMaps table."
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/180023002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19548 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 16:11:58 +00:00
jkummerow@chromium.org
e7e93cd433 Mark HCompareMap as having Tagged representation
BUG=chromium:346636
LOG=y
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/176923013

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19545 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 15:09:47 +00:00
rossberg@chromium.org
63f1970c6c Fix crasher in Object.getOwnPropertySymbols
R=arv@chromium.org, mstarzinger@chromium.org
BUG=346141
LOG=Y

Review URL: https://codereview.chromium.org/177883002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19539 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 12:01:34 +00:00
bmeurer@chromium.org
77f597d387 Don't eliminate loads with incompatible types or representations.
BUG=346343
LOG=y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/179553002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19536 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 09:55:50 +00:00
ishell@chromium.org
6c1659becf Fix for a smi stores optimization on x64 with a regression test.
BUG=345715
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/178833002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19535 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 09:55:02 +00:00
dcarney@chromium.org
cb05cff594 negative bounds checking on realm calls
R=rossberg@chromium.org

LOG=N

BUG=344285

Review URL: https://codereview.chromium.org/169393002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19533 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-25 09:15:05 +00:00
jkummerow@chromium.org
37b6fd07c1 Fix optimistic BCE to back off after deopt
BUG=v8:3176
LOG=n
R=danno@chromium.org

Review URL: https://codereview.chromium.org/177523002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19530 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-24 13:15:31 +00:00
verwaest@chromium.org
84b366516e Don't turn objects with empty-string properties into fast-mode.
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/165743003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19511 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-20 16:11:48 +00:00
ishell@chromium.org
1342cb8b00 Bugfix in check elimination with a regression test.
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/172173003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19481 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-19 12:34:50 +00:00
jkummerow@chromium.org
6e3b81a7b2 Fix Hydrogen bounds check elimination
When combining bounds checks, they must all be moved before the first load/store
that they are guarding.

BUG=chromium:344186
LOG=y
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/172093002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19475 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-19 10:30:39 +00:00
verwaest@chromium.org
60c08a8bf2 Directly store the transition target on LookupResult in TransitionResult.
BUG=chromium:343964
LOG=N
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/170343003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19440 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-18 12:19:32 +00:00
jarin@chromium.org
4c7ed144e1 Comparison in effect context lazy deopt fix.
R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/163623002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19396 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-16 05:51:10 +00:00
ulan@chromium.org
6744ff61ae Fix dictionary element load to pass correct elements kind.
Using FAST_SMI_ELEMENTS triggers optimization on 64-bit architectures that load
only the higher 32 bits of the element. If the element is a pointer to undefined
that has 0 in the higher half than it is erroneously treated as SMI 0.

BUG=v8:3158
LOG=N
TEST=mjsunit/sparse-array-reverse,mjsunit/regress/regress-3158.js
R=danno@chromium.org, ishell@chromium.org

Review URL: https://codereview.chromium.org/166653005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19387 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-14 15:52:24 +00:00
yangguo@chromium.org
68c7523e63 Fix assignment of function name constant.
If it's shadowed by a variable of the same name and both are forcibly
context-allocated, the function is assigned to the wrong context slot.

R=rossberg@chromium.org
BUG=v8:3138
LOG=Y

Review URL: https://codereview.chromium.org/159903008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19379 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-14 12:40:47 +00:00
jarin@chromium.org
8acefb33fe Test and fix for polymorphic named call deoptimization.
The fix removes wrong simulates from the number branch of polymorphic
call/field access handling.

The change also fixes the same thing for polymorphic named field
access even thourgh the field access is probably safe in practice
(because it cannot deoptimize). It is better to keep all our simulates
in sync with full codegen.

R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/166503002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19375 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-14 12:02:39 +00:00
yangguo@chromium.org
a676bc1bbf Fix typed array error message.
R=dslomov@chromium.org
BUG=v8:3159
LOG=N

Review URL: https://codereview.chromium.org/163293002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19369 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-14 09:33:03 +00:00
verwaest@chromium.org
e0960e19aa Fix polymorphic inlining of accessors in a test-context.
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/164003002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19363 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-13 16:55:38 +00:00
verwaest@chromium.org
161b2f689a Reland: "Use stability to only conditionally flush information from the CheckMaps table."
BUG=
R=ishell@chromium.org

Original CL: https://codereview.chromium.org/153823003

Review URL: https://codereview.chromium.org/153653007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19342 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 18:48:12 +00:00
verwaest@chromium.org
7b7e3658f7 Don't propagate information through phis in loop headers.
To properly do this, we'd have to iterate over CompareMaps (and their bodies) handling phis, until we have learned enough to decide which paths can be taken. For now, just disable learning from phis in loop headers.

BUG=
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/147023005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19341 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 18:30:41 +00:00
verwaest@chromium.org
75432b7696 Revert "Use stability to only conditionally flush information from the CheckMaps table."
R=ishell@chromium.org

BUG=

Review URL: https://codereview.chromium.org/137863005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19331 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 15:38:42 +00:00
verwaest@chromium.org
2b7d33572a Use stability to only conditionally flush information from the CheckMaps table.
BUG=
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/153823003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19330 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 15:07:41 +00:00
jarin@chromium.org
af29e31a11 Fix for (One|Two)ByteSeqStringSetChar evaluation order/deopt.
This makes the evaluation order consistent between full codegen
and Hydrogen (so that deopt does not screw up stack).

R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/159983008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19326 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 13:31:24 +00:00
ulan@chromium.org
e95bc7eec8 Merge experimental/a64 to bleeding_edge.
BUG=v8:3113
LOG=Y
R=jochen@chromium.org, rmcilroy@chromium.org, rodolph.perfetta@arm.com

Review URL: https://codereview.chromium.org/148293020

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19311 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-12 09:19:30 +00:00
jarin@chromium.org
21bf99e53e Fix environment of the optimized version of the _SetValueOf intrinsic.
R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/158723006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19289 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-11 16:11:53 +00:00
rossberg@chromium.org
e8175a3e9f Revert "Make Function.length and Function.name configurable properties."
Plenty of test failures on test262, Mozilla, Webkit. Will have to investigate.

TBR=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/139983003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19203 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-07 15:29:18 +00:00
rossberg@chromium.org
7317b71f02 Make Function.length and Function.name configurable properties.
ES6 makes the Function object properties "length" and "name"
configurable; switch the implementation over to follow that.

Doing so exposed a problem in the handling of non-writable, but
configurable properties backed by foreign callback accessors
internally. As an optimization, if such an accessor property is
re-defined with a new value, its setter was passed the new value
directly, keeping the property as an accessor property. However, this
is not correct should the property be non-writable, as its setter will
then simply ignore the updated value. Adjust the enabling logic for
this optimization accordingly, along with adding a test.

LOG=N
R=rossberg@chromium.org, rossberg
BUG=v8:3045

Review URL: https://codereview.chromium.org/116083006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19200 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-07 14:55:30 +00:00
jarin@chromium.org
476881ce5b Test and fix for _CallFunction intrinsic deoptimization.
I have also cleaned up HOptimizedGraphBuilder::GenerateCallFunction
to use IfBuilder.

R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/131343013

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19151 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-06 12:42:26 +00:00
jarin@chromium.org
eb502fe599 Binary operation deoptimization fix.
R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/132453009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19132 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-06 09:36:55 +00:00
dslomov@chromium.org
a03d31394c Check the offset argument of TypedArray.set for fitting into Smi.
R=jkummerow@chromium.org
BUG=340125
LOG=Y

Review URL: https://codereview.chromium.org/145623009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19051 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-04 09:53:05 +00:00
yangguo@chromium.org
9e70f6a4e7 Fix short-circuiting logical and/or in HOptimizedGraphBuilder.
R=jkummerow@chromium.org
BUG=336148
LOG=Y

Review URL: https://codereview.chromium.org/143263022

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19031 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-03 14:29:34 +00:00
verwaest@chromium.org
db7124dc28 Return a valid map for PropertyAccessInfos with Boolean type.
BUG=340064
LOG=N
R=dcarney@chromium.org

Review URL: https://codereview.chromium.org/152603002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19023 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-03 10:20:32 +00:00
jarin@chromium.org
3c2363f4b4 Simpler repro for bug 2989.
We do not correctly handle accesses to f.arguments after one
of the argument has changed (where f is crankshafted).

R=machenbach@chromium.org
BUG=v8:2989
LOG=n

Review URL: https://codereview.chromium.org/151403003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18999 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-31 16:12:58 +00:00
bmeurer@chromium.org
3214cf11ff Don't crash in Array.join() if the resulting string exceeds the max string length.
LOG=y
BUG=336820
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/144533003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18986 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-01-31 12:21:17 +00:00