Commit Graph

7203 Commits

Author SHA1 Message Date
svenpanne
cbf3b0bcc7 More -fsanitize=vptr fixes.
This actually fixes 3 different issues when accessing Operand1:

   * Object vs. HeapObject

   * Wrong defaults for equals/hash

   * silently dropping const

TEST=test/mjsunit/regress/regress-441099.js
BUG=chromium:441099
LOG=y

Review URL: https://codereview.chromium.org/812563002

Cr-Commit-Position: refs/heads/master@{#25843}
2014-12-16 14:20:28 +00:00
ishell
08146dc023 Introduced PropertyType ACCESSOR_FIELD.
Review URL: https://codereview.chromium.org/805453002

Cr-Commit-Position: refs/heads/master@{#25842}
2014-12-16 13:22:31 +00:00
Benedikt Meurer
2b4eb88cdd [turbofan] Cache conversions inserted during typed lowering.
This greatly reduces the number of nodes in the graph (by more than 20x in
some extreme cases) for the Emscripten python interpreter main function.

BUG=v8:3763
LOG=y
TEST=cctest,mjsunit,unittests
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/802353003

Cr-Commit-Position: refs/heads/master@{#25840}
2014-12-16 12:59:16 +00:00
erik.corry
d287f225a3 Limit code size generated for very large regexps
R=jkummerow@chromium.org, yangguo@chromium.org
BUG=

Review URL: https://codereview.chromium.org/799403003

Cr-Commit-Position: refs/heads/master@{#25839}
2014-12-16 12:33:32 +00:00
marja
978f41a1da RegExpParser: Fix Reset()ting to the end.
The bug would occur when we try to Reset() to a position already at the end.

This happens e.g., when the regexp ends with \u. What used to happen in that
case: 1) Advance past \ and u (to the end) (which wouldn't increase next_pos_
enough) 2) Try to parse 4 hex digits 3) When that failed, Reset() to the
position which should've been at the end but wasn't.

To be able to properly Reset() to a position at the end, we need to allow
next_pos_ to move beyond the end (since position() is next_pos_ - 1).

Minimal repro case:

var r = /foo\u/
r.test("foou") // should be true, was false.

(Note that \u not followed by 4 hex didits should be interpreted as an identity
escape. It already worked unless \u was at the end of the regexp.)

BUG=v8:3756
LOG=NO

Review URL: https://codereview.chromium.org/802313003

Cr-Commit-Position: refs/heads/master@{#25838}
2014-12-16 12:14:19 +00:00
titzer
0f619463f2 [turbofan] First version of loop analysis: loop finder on the soup of nodes.
R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/803993002

Cr-Commit-Position: refs/heads/master@{#25837}
2014-12-16 09:36:40 +00:00
Sven Panne
1ee700c45a Log V8 version in profiler log file
Patch from issue 800293002 authored by ben@strongloop.com

TBR=yangguo@chromium.org

Review URL: https://codereview.chromium.org/806143002

Cr-Commit-Position: refs/heads/master@{#25835}
2014-12-16 07:40:13 +00:00
Benedikt Meurer
54a31b628d [base] Add iterator_range helper class.
TEST=unittests
R=titzer@chromium.org

Review URL: https://codereview.chromium.org/810683003

Cr-Commit-Position: refs/heads/master@{#25834}
2014-12-16 07:32:03 +00:00
Benedikt Meurer
283175d984 [turbofan] Relax effects and context for JSToNumber(x:plain-primitive).
Relanded with fix for always returning Change for PlainPrimitive even
if there was no change. The performance regression on primes.js and
corrections.js is due to unlucky loop header alignment; will be addressed
separately.

TEST=unittests
R=svenpanne@chromium.org

Committed: 75484e8d16

Review URL: https://codereview.chromium.org/799413002

Cr-Commit-Position: refs/heads/master@{#25832}
2014-12-16 05:39:46 +00:00
bmeurer
2c30ab6616 Revert of [turbofan] Relax effects and context for JSToNumber(x:plain-primitive). (patchset #1 id:1 of https://codereview.chromium.org/799413002/)
Reason for revert:
Performance regressions on primes and corrections benchmarks.

Original issue's description:
> [turbofan] Relax effects and context for JSToNumber(x:plain-primitive).
>
> TEST=unittests
> R=svenpanne@chromium.org
>
> Committed: 75484e8d16

TBR=svenpanne@chromium.org
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/806103002

Cr-Commit-Position: refs/heads/master@{#25831}
2014-12-16 04:45:09 +00:00
caitpotter88
aed5d734e6 Use proper ToLength() operation in %ArrayConcat()
LOG=N
R=dslomov@chromium.org
BUG=

Review URL: https://codereview.chromium.org/799853003

Cr-Commit-Position: refs/heads/master@{#25828}
2014-12-15 19:08:41 +00:00
dslomov
6d35dedf6e Ship ES6 classes.
R=arv@chromium.org
BUG=v8:3330
LOG=Y

Review URL: https://codereview.chromium.org/808433002

Cr-Commit-Position: refs/heads/master@{#25826}
2014-12-15 16:44:00 +00:00
arv
a76419f0f4 Revert of ES6 computed property names (patchset #9 id:160001 of https://codereview.chromium.org/795573005/)
Reason for revert:
Crashes on Win32

http://build.chromium.org/p/client.v8/builders/V8%20Win32%20-%201/builds/1357

Test: mjsunit/harmony/computed-property-names
Flags: --stress-opt --always-opt
Command: build\Release\d8.exe --test --random-seed=-233815021 --stress-opt --always-opt --nohard-abort --nodead-code-elimination --nofold-constants --harmony-computed-property-names test\mjsunit\mjsunit.js test\mjsunit\harmony\computed-property-names.js

Run #1
Exit code: -1073741819
Result: CRASH
Expected outcomes: PASS

Run #2
Exit code: -1073741819
Result: CRASH
Expected outcomes: PASS

Run #3
Exit code: -1073741819
Result: CRASH
Expected outcomes: PASS

Original issue's description:
> ES6 computed property names
>
> This adds support for computed property names, under the flag
> --harmony-computed-property-names, for both object literals and
> classes.
>
> BUG=v8:3754
> LOG=Y

TBR=dslomov@chromium.org,wingo@igalia.com
NOTREECHECKS=true
NOTRY=true
BUG=v8:3754

Review URL: https://codereview.chromium.org/809433002

Cr-Commit-Position: refs/heads/master@{#25825}
2014-12-15 16:38:42 +00:00
jkummerow
c060f4e26c Internalize strings being stored into uninitialized property cells
Review URL: https://codereview.chromium.org/804993002

Cr-Commit-Position: refs/heads/master@{#25822}
2014-12-15 15:46:11 +00:00
arv
6e38caf8d3 ES6 computed property names
This adds support for computed property names, under the flag
--harmony-computed-property-names, for both object literals and
classes.

BUG=v8:3754
LOG=Y

Review URL: https://codereview.chromium.org/795573005

Cr-Commit-Position: refs/heads/master@{#25821}
2014-12-15 15:27:19 +00:00
Benedikt Meurer
75484e8d16 [turbofan] Relax effects and context for JSToNumber(x:plain-primitive).
TEST=unittests
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/799413002

Cr-Commit-Position: refs/heads/master@{#25818}
2014-12-15 13:42:54 +00:00
fedor.indutny
f6e68d2c2c Hydrogen: fix keyed loads with string keys
Keyed loads should not unconditionally be compiled to element loads. Update KeyedLoadICs to keep track of the key type, so that Hydrogen can emit ICs for string-keyed loads it doesn't have inline support for.

BUG=v8:3167
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/755513003

Cr-Commit-Position: refs/heads/master@{#25817}
2014-12-15 13:36:23 +00:00
ishell
b74cfe4a8f LayoutDescriptorHelper is now able to calculate the length of contiguous regions of tagged/non-tagged fields.
This functionality is now used by both object visitor and store buffer.

TEST=cctest/test-unboxed-doubles

Review URL: https://codereview.chromium.org/726713003

Cr-Commit-Position: refs/heads/master@{#25816}
2014-12-15 12:13:21 +00:00
Benedikt Meurer
6e7ceee4d0 [turbofan] Correctify TruncateFloat64ToInt32 reduction in MachineOperatorReducer.
TEST=unittests
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/801263002

Cr-Commit-Position: refs/heads/master@{#25812}
2014-12-15 07:46:21 +00:00
mathiasb
b24f04d4c3 Make RegExp.prototype.flags getter configurable
TEST=mjsunit/harmony
BUG=v8:3751
LOG=N

Review URL: https://codereview.chromium.org/788053003

Cr-Commit-Position: refs/heads/master@{#25809}
2014-12-13 22:36:29 +00:00
caitpotter88
48054170e9 Implement ES6 @@isConcatSpreadable / Array.prototype.concat
Add support for Symbol.isConcatSpreadable in Array.prototype.concat. This enables spreading non-Array objects with the symbol.

LOG=N
R=dslomov@chromium.org
BUG=

Review URL: https://codereview.chromium.org/771483002

Cr-Commit-Position: refs/heads/master@{#25808}
2014-12-12 18:38:48 +00:00
danno
10b38df268 [turbofan]: Fix x64 regression during ia32 lea port
Review URL: https://codereview.chromium.org/795353008

Cr-Commit-Position: refs/heads/master@{#25807}
2014-12-12 18:17:01 +00:00
adamk
a32291fa1f Stop sending Object.observe notifications for API accessor properties
Such properties never notified prior to r21558, but the combination of
that change and r23163 led to sending notifications when they were
set via Object.defineProperty (but not when set via other means).

This also allows some cleanup in v8natives.js and objects.cc,
both of which were doing unnecessary contortions to produce the right
change records.

BUG=v8:3745
LOG=n

Review URL: https://codereview.chromium.org/791243002

Cr-Commit-Position: refs/heads/master@{#25806}
2014-12-12 18:15:52 +00:00
ishell
ac9c9fc5ca Using PropertyKind in transitions instead of PropertyType.
Review URL: https://codereview.chromium.org/801813002

Cr-Commit-Position: refs/heads/master@{#25802}
2014-12-12 15:27:50 +00:00
Michael Stanton
22302b5179 Hydrogen code stubs for vector-based ICs.
This patch finally allows running and passing tests with vector-based
Load and KeyedLoad ICs.

BUG=
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/767743002

Cr-Commit-Position: refs/heads/master@{#25800}
2014-12-12 13:56:35 +00:00
ishell
9134c7a629 PropertyType is divided into PropertyKind and PropertyStoreMode.
Review URL: https://codereview.chromium.org/786193004

Cr-Commit-Position: refs/heads/master@{#25798}
2014-12-12 13:06:08 +00:00
dcarney
3595176565 [turbofan] improve register allocator testing framework
R=bmeurer@chromium.org

BUG=

Review URL: https://codereview.chromium.org/800493002

Cr-Commit-Position: refs/heads/master@{#25794}
2014-12-12 11:15:26 +00:00
Benedikt Meurer
14409abc22 [turbofan] Quickfix for invalid number truncation of typed array loads.
TEST=mjsunit/compiler/regress-int32array-outofbounds-nan
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/803483002

Cr-Commit-Position: refs/heads/master@{#25793}
2014-12-12 10:45:38 +00:00
svenpanne
71bb00e261 Consistently use only one of virtual/OVERRIDE/FINAL.
FINAL implies OVERRIDE, which in turn implies virtual, so there's no need to use
more than one of these. The Google C++ style guide even requires this, see
http://google-styleguide.googlecode.com/svn/trunk/cppguide.html#Inheritance.

While we're here, port r24662 to x87.

The net result is that v8 compiles again with a current clang.

BUG=v8:3753
LOG=y

Review URL: https://codereview.chromium.org/797943002

Cr-Commit-Position: refs/heads/master@{#25792}
2014-12-12 10:44:25 +00:00
Benedikt Meurer
4c583fee26 [turbofan] Various cleanups.
- Decouple JSBuiltinReducer from JSTypedLowering.
- Unify JSTypedLowering::ReduceJSToXXX() lowering.
- Cleanup several includes and forward declarations.
- Unify helper methods.

TEST=cctest
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/797903003

Cr-Commit-Position: refs/heads/master@{#25790}
2014-12-12 07:44:15 +00:00
caitpotter88
c78a65967a Perf tests for Template Literals
Review URL: https://codereview.chromium.org/769113002

Cr-Commit-Position: refs/heads/master@{#25789}
2014-12-12 05:14:28 +00:00
jarin
5913c7cc3f Reland of "Avoid number range holes in bitset types."
This reverts commit 8a6cbf0a86.

R=rossberg@chromium.org
BUG=

Review URL: https://codereview.chromium.org/788313002

Cr-Commit-Position: refs/heads/master@{#25786}
2014-12-11 17:50:11 +00:00
caitpotter88
17ba366bb8 Implement Array.from()
A helpful utility which converts iterables and array-like objects into Arrays

https://people.mozilla.org/~jorendorff/es6-draft.html#sec-array.from

LOG=Y
BUG=v8:3336
R=arv@chromium.org, rossberg@chromium.org

Review URL: https://codereview.chromium.org/363833006

Cr-Commit-Position: refs/heads/master@{#25785}
2014-12-11 17:16:27 +00:00
vogelheim
efdb6c8de1 Fix builds w/ component=="shared_library" and v8_use_external_startup_data==1.
R=machenbach@chromium.org
BUG=

Review URL: https://codereview.chromium.org/794213002

Cr-Commit-Position: refs/heads/master@{#25784}
2014-12-11 16:41:56 +00:00
dslomov
e6198a0fed Update tests in preparation for shipping classes.
R=arv@chromium.org
BUG=v8:3330
LOG=N

Review URL: https://codereview.chromium.org/788773003

Cr-Commit-Position: refs/heads/master@{#25783}
2014-12-11 15:54:09 +00:00
caitpotter88
ed29ecd838 Add materialized literals for tagged templates in preparser
LOG=N
R=arv@chromium.org, dslomov@chromium.org, marja@chromium.org
BUG=

Review URL: https://codereview.chromium.org/792083002

Cr-Commit-Position: refs/heads/master@{#25782}
2014-12-11 15:43:08 +00:00
rossberg
7e9ca491a4 Introduce unsigned representation types
To make space in the type bitset, remove Function, RegExp, and Buffer
types for now, since they aren't really relied upon anyway.

R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/795993002

Cr-Commit-Position: refs/heads/master@{#25776}
2014-12-11 13:47:46 +00:00
baptiste.afsa
49baecc42b [turbofan] Mark arm64 cbz/cbnz tbz/tbnz instructions as branch instructions.
The instruction selector now selects pseudo instructions: CompareAndBranch or
TestAndBranch which are associated with their continuations so that generic
code in the code generator will treat them as branch instruction and will be
able to apply optimization like avoiding branches when the code can falltrhough.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/798553002

Cr-Commit-Position: refs/heads/master@{#25773}
2014-12-11 12:45:33 +00:00
danno
2f7a5af0e3 [turbofan]: Port lea changes to ia32
Review URL: https://codereview.chromium.org/747283005

Cr-Commit-Position: refs/heads/master@{#25771}
2014-12-11 11:53:00 +00:00
yangguo
dae6dfe08b Implement Math.log2 via ported extract from fdlibm.
Adapted from Raymond Toy's (rtoy@chromium.org) port, extracted from fdlibm's pow implementation.

R=rtoy@chromium.org
BUG=v8:3579
LOG=N

Review URL: https://codereview.chromium.org/786823003

Cr-Commit-Position: refs/heads/master@{#25768}
2014-12-11 11:23:37 +00:00
kozyatinskiy
affe4c03b6 [V8] Report v8::AfterCompile and v8::CompileError to listener on pause
V8 didn't report compile events on pause before this patch. These events can be important for listener. For example, DevTools allows user to execute some JS code on pause and needs to show correct stack trace in message from it.

BUG=396013
R=yurys@chromium.org

Review URL: https://codereview.chromium.org/781623004

Cr-Commit-Position: refs/heads/master@{#25767}
2014-12-11 10:59:00 +00:00
mathiasb
33f0cf5acd Implement the RegExp.prototype.flags getter
TEST=mjsunit/harmony
BUG=v8:3751
LOG=N

Review URL: https://codereview.chromium.org/770333005

Cr-Commit-Position: refs/heads/master@{#25762}
2014-12-10 20:41:10 +00:00
dslomov
4bf531c1ea Update strict mode function declaration tests before block scoping.
R=arv@chromium.org,marja@chromium.org
BUG=v8:2198
LOG=N

Review URL: https://codereview.chromium.org/788143004

Cr-Commit-Position: refs/heads/master@{#25760}
2014-12-10 20:09:42 +00:00
adamk
4fa7ae1c07 Optimize Object.seal and Object.preventExtensions
They both now run fast (due to utilizing transitions instead of always
creating new maps) and sealed or non-extensible objects can stay in
fast mode after transitioning.

This almost entirely reuses the code for transitioning objects
frozen by Object.freeze(), with the added benefit of freeing
up a bit on the map (we no longer keep track of frozen-ness,
as that bit wasn't used for anything interesting).

BUG=v8:3662,chromium:115960
LOG=y

Review URL: https://codereview.chromium.org/776143005

Cr-Commit-Position: refs/heads/master@{#25759}
2014-12-10 20:02:59 +00:00
Adam Klein
986e7cefe1 Ensure class prototype objects have the right Map::constructor field
The null constructor they had previously could be observed as crashes in
the V8 API's Object::CreationContext() method and in Object.observe.

BUG=v8:3750
LOG=n
R=arv@chromium.org, dslomov@chromium.org

Review URL: https://codereview.chromium.org/787763005

Cr-Commit-Position: refs/heads/master@{#25757}
2014-12-10 18:25:55 +00:00
jarin
8a6cbf0a86 Revert of Avoid number range holes in bitset types. (patchset #5 id:80001 of https://codereview.chromium.org/759013003/)
Reason for revert:
For breaking the waterfall (run-json-stringify test).

Original issue's description:
> Avoid number range holes in bitset types.
>
> BUG=

TBR=rossberg@chromium.org
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/794663002

Cr-Commit-Position: refs/heads/master@{#25756}
2014-12-10 18:25:38 +00:00
ulan
e51e86f459 Skip slow webkit/array-iterate-backwards in arm64.debug/gc-stress mode.
BUG=
TBR=hpayer@chromium.org

Review URL: https://codereview.chromium.org/795633002

Cr-Commit-Position: refs/heads/master@{#25755}
2014-12-10 16:57:36 +00:00
jarin
4de4f74cf2 Avoid number range holes in bitset types.
BUG=

Review URL: https://codereview.chromium.org/759013003

Cr-Commit-Position: refs/heads/master@{#25754}
2014-12-10 16:39:10 +00:00
ishell
7d13ca278a Reland of "TransitionArray now uses <is_data_property, name, attributes> tuple as a key, which allows to have several entries for the same property name."
Review URL: https://codereview.chromium.org/793453004

Cr-Commit-Position: refs/heads/master@{#25750}
2014-12-10 15:18:52 +00:00
Benedikt Meurer
f6849d9ed4 [turbofan] Fix cycles introduced by pushing ToNumbers into phis.
TEST=cctest
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/790123002

Cr-Commit-Position: refs/heads/master@{#25743}
2014-12-10 11:59:44 +00:00