The previous code relied on the tricky global invariant that there is no map
sharing when accessor properties are involved (or in other words: that
TransformToFastProperties is dumb enough :-). Although this is not a real
problem with the current code, this assumption breaks when map sharing in fast
mode is enabled, so we defensively copy an AccessorPair.
Review URL: https://chromiumcodereview.appspot.com/9430048
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10810 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This refactors the way we (re)define elements to perform normalization
and attribute updating at a much deeper level, thereby removing some
bogus special cases in upper runtime layers.
Most element setters take an indicator flag that distinguishes between
setting and defining. Setting of an element causes attributes to remain
unchanged, writability to be checked and callbacks to be called.
Defining of an element causes attributes to be updated and callbacks to
be overridden. The same approach could be taken for properties.
R=svenpanne@chromium.org
BUG=v8:1772
TEST=test262,test262/15.2.3.6-4-333-11
Review URL: https://chromiumcodereview.appspot.com/9443014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10808 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Only JSObject enumerables with enum cache (fast case properties, no interceptors, no enumerable properties on the prototype) are supported.
HLoadKeyedGeneric with keys produced by for-in enumeration are recognized and rewritten into direct property load by index. For this enum-cache was extended to store property indices in a separate array (see handles.cc).
New hydrogen instructions:
- HForInPrepareMap: checks for-in fast case preconditions and returns map that contains enum-cache;
- HForInCacheArray: extracts enum-cache array from the map;
- HCheckMapValue: map check with HValue map instead of immediate;
- HLoadFieldByIndex: load fast property by it's index, positive indexes denote in-object properties, negative - out of object properties;
Changed hydrogen instructions:
- HLoadKeyedFastElement: added hole check suppression for loads from internal FixedArrays that are knows to have no holes inside.
R=fschneider@chromium.org
BUG=
TEST=
Review URL: https://chromiumcodereview.appspot.com/9425045
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10794 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This CL is an intermediate step only, in the end we need to have a single
DefineOrRedefineAccessorProperty call for a single Object.defineProperty
call. Currently we can end up making two such calls, making the necessary access
checks extremely ugly and hard (impossible?) to get right for complete spec
conformance.
The bulk of the change is quite mechanical:
* Prepare an AccessorPair *before* we add it to our data structures,
eliminating the previous voodoo-like threading of a placeholder.
* The previous item makes it possible to activate our check that we do not
share AccessorPairs by accident.
* Split a monster method into 2 quite unrelated methods.
* Use templated To method in a few places.
Review URL: https://chromiumcodereview.appspot.com/9428026
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10788 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This change enables optimization of top-level and eval-code. For this to work, it adds
support for declaring global variables in optimized code.
At the same time it disables the eager generation of deoptimization support data
in the full code generator (originally introduced in
r10040). This speeds up initial compilation and saves
memory for functions that won't be optimized. It requires
recompiling the function with deoptimization
support when we decide to optimize it.
Review URL: https://chromiumcodereview.appspot.com/9187005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10700 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
With the upcoming changes to CALLBACKS properties, a predicate on the transition
type alone doesn't make sense anymore: For CALLBACKS one has to look into the
property's value to decide, and there is even the possibility of having a an
accessor function *and* a transition in the same property.
I am not completely happy with some parts of this CL, because they contain
redundant code, but given the various representations we currently have for
property type/value pairs, I can see no easy way around that. Perhaps one can
improve this a bit in a different CL, the current diversity really, really hurts
productivity...
As a bonus, this CL includes a few minor things:
* CaseClause::RecordTypeFeedback has been cleaned up and it handles the
NULL_DESCRIPTOR case correctly now. Under some (very unlikely) circumstances,
we previously missed some opportunities for monomorphic calls. In general, it
is rather unfortunate that NULL_DESCRIPTOR "shines through", it is just a
hack for the inability to remove a descriptor entry during GC, something
callers shouldn't have to be aware of.
* DescriptorArray::CopyInsert has been cleaned up a bit, preparing it for later
CALLBACKS-related changes.
* LookupResult::Print is now more informative for CONSTANT_TRANSITION.
Review URL: https://chromiumcodereview.appspot.com/9320066
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10600 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Yak shaving for map sharing with accessor properties contd.: When CALLBACKS can
have map transitions, simply looking at the property type is not sufficient
anymore to decide if a property is there or not. One has to look at the actual
contents of the descriptor entry then, but this breaks down sometimes when the
lookup is being done with a NULL holder. Luckily enough, we can oftren replace
IsProperty by the simpler IsFound, because we inspect the type immediately
afterwards, anyway.
Review URL: https://chromiumcodereview.appspot.com/9280007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10474 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The main goal is to cleanly separate between the several parts involved in the traversal:
* iterating over all transitions in a descriptor array
* iterating over all prototype transitions
* storing the parent and the current local traversal position in a map
* the iterative traversal algorithm itself
The previous algorithm for iterating over prototype transitions did a little bit too much here, iterating over the whole array instead only the filled part. This has been fixed on the way, too.
With this CL, it will be much easier to make the necessary changes to the descriptor array iterator to correctly handle map transitions for accessor properties. Furthermore, perhaps we represent transitions a bit different in the future, making finding them a bit easier. This would make some code in this CL (and elsewhere) quite a bit shorter and more efficient.
Review URL: https://chromiumcodereview.appspot.com/9252007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10473 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Loosen the requirement for Map equivalency on several map checks, including checks up the prototype chain, that are not sensitive to ElementsKinds. These selected map checks should also match against FAST_DOUBLE_ELEMENT and FAST_ELEMENT transitions of the original map. This specifically helps all variants of transitioned JSArrays to still efficiently call builtins like push, pop and sort.
BUG=none
TEST=none
Committed: http://code.google.com/p/v8/source/detail?r=10331
Review URL: http://codereview.chromium.org/9015020
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10356 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
CPU-eating DOS attacks against node.js servers. Based on code from
Bert Belder. This version only solves the issue for those that compile
V8 themselves or those that do not use snapshots. A snapshot-based
precompiled V8 will still have predictable string hash codes.
Review URL: http://codereview.chromium.org/9086006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10330 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This fixes how Object.defineProperty() defines JavaScript accessors on
objects with installed API interceptors. The definition itself does not
cause any interceptors to be called, whereas any subsequent accesses on
said object will still fire the interceptor. This behavior is in sync
with API accessors.
R=rossberg@chromium.org
BUG=v8:1651,chromium:94666
TEST=cctest/test-api
Review URL: http://codereview.chromium.org/9021019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10293 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This introduces an additional check into the StoreIC_ArrayLength builtin
checking that the array still has fast properties. Redifinitions of the
length property that would cause it's type or attributes to change, will
switch to slow properties, thereby invalidating said optimization.
R=svenpanne@chromium.org
BUG=v8:1756
TEST=test262
Review URL: http://codereview.chromium.org/8895025
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10254 ce2b1a6d-e550-0410-aec6-3dcde31c8c00