Only JSObject enumerables with enum cache (fast case properties, no interceptors, no enumerable properties on the prototype) are supported.
HLoadKeyedGeneric with keys produced by for-in enumeration are recognized and rewritten into direct property load by index. For this enum-cache was extended to store property indices in a separate array (see handles.cc).
New hydrogen instructions:
- HForInPrepareMap: checks for-in fast case preconditions and returns map that contains enum-cache;
- HForInCacheArray: extracts enum-cache array from the map;
- HCheckMapValue: map check with HValue map instead of immediate;
- HLoadFieldByIndex: load fast property by it's index, positive indexes denote in-object properties, negative - out of object properties;
Changed hydrogen instructions:
- HLoadKeyedFastElement: added hole check suppression for loads from internal FixedArrays that are knows to have no holes inside.
R=fschneider@chromium.org
BUG=
TEST=
Review URL: https://chromiumcodereview.appspot.com/9425045
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10794 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This implementation extends the internal ObjectHashTable to be able to
hold arbitrary objects (e.g. Smis, Strings, ...) as keys by applying
specialized hashing functions to primitive types. Equality of keys is
defined using the internal SameValue function.
R=rossberg@chromium.org
BUG=v8:1622
TEST=mjsunit/harmony/collections
Review URL: http://codereview.chromium.org/8372027
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9777 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Previously, the logic using the hidden properties backing object was
spread accross use sites. Now it's all contained in JSObject, with
only simple accessors available.
Also change the backing object to be a StringDictionary rather than a JSObject.
There's still room for improvement by making a hash-table that don't
store property details as well.
Review URL: http://codereview.chromium.org/8050013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9510 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
- Introduce a class JSReceiver, that is a common superclass of JSObject and
JSProxy. Use JSReceiver where appropriate (probably lots of places that we
still have to migrate, but we will find those later with proxy test suite).
- Move appropriate methods to JSReceiver class (SetProperty,
GetPropertyAttribute, Get/SetPrototype, Lookup, and so on).
- Introduce new JSFunctionProxy subclass of JSProxy. Currently only a stub.
- Overhaul enum InstanceType:
* Introduce FIRST/LAST_SPEC_OBJECT_TYPE that ranges over all types that
represent JS objects, and use that consistently to check language types.
* Rename FIRST/LAST_JS_OBJECT_TYPE and FIRST/LAST_FUNCTION_CLASS_TYPE
to FIRST/LAST_[NON]CALLABLE_SPEC_OBJECT_TYPE for clarity.
* Eliminate the overlap over JS_REGEXP_TYPE.
* Also replace FIRST_JS_OBJECT with FIRST_JS_RECEIVER, but only use it where
we exclusively talk about the internal representation type.
* Insert JS_PROXY and JS_FUNCTION_PROXY in the appropriate places.
- Fix all checks concerning classification, especially for functions, to
use the CALLABLE_SPEC_OBJECT range (that includes funciton proxies).
- Handle proxies in SetProperty (that was the easiest part :) ).
- A few simple test cases.
R=kmillikin@chromium.org
Review URL: http://codereview.chromium.org/6992072
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8126 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Correctly process failures which can be returned by Object::GetProperty
when performing GetRealNamedProperty* queries.
Callback properties can produce exceptions so we need to wrap access to them
into exception checks. However, despite of many other methods with exception
checks, property access doesn't mandatroy go via JavaScript and hence we
need to inject code to propagate exception to public API TryCatch handlers.
Review URL: http://codereview.chromium.org/6685087
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7548 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This allows fast calls and inlining of functions like:
var o = {f: function() { return "foo"; }}
o.f();
Object literals that contain function literals are initially created a dictionary mode
object and only transformed to fast properties once all properties are computed and
added. This allows us to create constant function properties for functions declared
inside the object literal. Function literals inside object literals are marked for
pretenuring so that they work as contant function properties.
Object literals without functions should just function as before.
Review URL: http://codereview.chromium.org/6240012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7283 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Correctly process failures which can be returned by Object::GetProperty
when performing GetRealNamedProperty* queries.
Callback properties can produce exceptions so we need to wrap access to them
into exception checks. However, despite of many other methods with exception
checks, property access doesn't mandatroy go via JavaScript and hence we
need to inject code to propagate exception to public API TryCatch handlers.
Review URL: http://codereview.chromium.org/6397011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7258 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Worth mentioning:
- Specialized versions of pixel array and store/loads inside the generic stubs have been removed, since to have parity for all external arrays, 8 different versions would have to be inlined/checked.
- There's a new constant in v8.h for external arrays with pixel array elements.
Review URL: http://codereview.chromium.org/6546036
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7106 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Resubmit of patch for issue 1145 with a few additions:
- Now also clears exceptions when calling Runtime_LazyRecompile.
- Sets function where parsing fails to not be optimizable.
BUG=v8:1145
TEST=test/mjsunit/regress/regress-1145.js
Review URL: http://codereview.chromium.org/6469050
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6945 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The main issue was due to multiple recompilations of functions. Now
code objects are grouped by function using SFI object address.
JSFunction objects are no longer tracked, instead we track SFI object
moves. To pick a correct code version, we now sample return addresses
instead of JSFunction addresses.
tools/{linux|mac|windows}-tickprocessor scripts differentiate
between code optimization states for the same function
(using * and ~ prefixes introduced earlier).
DevTools CPU profiler treats all variants of function code as
a single function.
ll_prof treats each optimized variant as a separate entry, because
it can disassemble each one of them.
tickprocessor.py not updated -- it is deprecated and will be removed.
BUG=v8/1087,b/3178160
TEST=all existing tests pass, including Chromium layout tests
Review URL: http://codereview.chromium.org/6551011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6902 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We currently leave the exception as pending without returning a Failure::Exception() value. This is either caught immediately if running with --debug-code, or caught later by an assert in debug mode.
This change makes the pending exception be cleared before returning from the failed optimization attempt.
BUG=v8::1145
TEST=test/mjsunit/regress/regress-1145.js
Review URL: http://codereview.chromium.org/6524039
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6832 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
My previous patch added an assert which uncovered 1092 in the sputnik tests.
This patch adds the fix for 1092, which is to ensure that NormalizeProperties
does not get called for a JSGlobalProxy along all code paths.
Add sputnik tests to .gitignore.
BUG=
TEST=
Review URL: http://codereview.chromium.org/6286060
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6627 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
inline allocation code used the expected number of properties to
calculate the number of inobject properties for an object instead of
getting the actual number from the initial map.
It is safer to use the inobject property count from the initial map in
any case because that is the amount the instances will get. I think
this disconnect got introduced when adding shrinking of objects.
Unfortuntely I haven't been able to create a simple reproduction for a
test case but this fixes the webpage that exhibits the crash. I'll see
if I can create a reproduction tomorrow.
Review URL: http://codereview.chromium.org/5278003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5879 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This allows to remove explicit copy from line ends JS accessor which is used for formatting of stack traces.
Eager copying of line ends array might cause multiple full GC collections for huge scripts (e.g. scripts generated by GWT compiler with PRETY preset).
Review URL: http://codereview.chromium.org/5148002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5839 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The problem is other array may have holes, for example
when fixed array comes from JSArray (in case of named interceptor).
If that would prove to be a performance problem, we could
pass an additional argument into UnionOfKeys to hold actual length.
Review URL: http://codereview.chromium.org/3595013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5591 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The plan is to use the CompilationInfo class to communicate inputs and
outputs to compilation pipeline phases, which each return a boolean
success/failure flag.
The intent is to make it easier to compose small pieces of the
pipeline without having to grow a custom function each time, each
taking a half dozen arguments.
This change modifies the very front end (the parser).
Review URL: http://codereview.chromium.org/3586006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5581 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The current parameters (initial slack = 6, kGenerousAllocationsCount = 16)
caused 15-20% performance regression on 3d-raytrace on x64
(visible both in standalone shell and in the web harness). This is very
likely some kind of an alignment problem (it goes away completely with --prof).
A similar problem can be observed on ia32 with initial slack=2.
Increased initial slack to 8 and decreased constructions count to 8.
This made the regression go away (and did not harm any of the other tests).
Review URL: http://codereview.chromium.org/3595002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5571 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
It was a wart that we had three handle fields, exactly one of which
was non-null; and that we had three overloaded constructors. Instead,
introduce subclasses and virtual methods.
Remove some unused fields from class CompilationInfo.
Review URL: http://codereview.chromium.org/3566003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5560 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The number of inobject properties used to be derived from the number
of this property assignments in the constructor (and increased by 2 to
allow for properties added later). This very often leads to wasted inobject
slots.
This patch reclaims some of the unused inobject space by the following method:
- for each constructor function the first several objects are allocated using the initial
("generous) instance size estimation (this is called 'tracking phase').
- during the tracking phase map transitions are tracked and actual property counts are collected.
- at the end of the tracking phase instance sizes in the maps are decreased if necessary
(starting with the function's initial map and traversing the transition tree).
- all further allocation use more realistic instance size estimation.
Shrinking generously allocated objects without costly heap traversal is made possible
by initializing their inobject properties with one_pointer_filler_map (instead of undefined).
The initial slack for the generous allocation is increased from 2 to 6 which really helps some tests.
Review URL: http://codereview.chromium.org/3329019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5510 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
in allowing more flexible compilation and to simplify builtins lookup.
This changes a number of places where code objects are assigned to
SharedFunctionInfo objects to also assign this code object to the
JSFunction. In addition, the code flushing is changed slightly to
accomodate this (we need to flush the code from functions pointing to
SharedFunctionInfo objects that has already been flushed).
Review URL: http://codereview.chromium.org/3120006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5233 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Currently one can only define accessors on object templates. This patch
allows to create accessors on the fly.
These accessors could control access to elements as well. This element
support is somewhat rudimentary and may require future work (for example,
we probably don't want to convert index into a string.)
Review URL: http://codereview.chromium.org/2123012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4714 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
* Added Get and Set taking uint32_t for faster and more convenient
access to elements.
* Added less verbose casting for handles. Now instead of
v8::Local<v8::String>::Cast(args[0])
one can write
args[0].As<v8::String>().
Review URL: http://codereview.chromium.org/660243
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@4002 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
