yangguo@chromium.org
9559181b0e
Fix worst-case behavior of MergeRemovableSimulates().
...
Currently, when a long series of removable simulates are merged, we do
this by merging them one by one as we find them. As we merge the value
lists of the simulates, those lists snowball so that we get a
quadratic complexity wrt runtime and memory consumption.
Instead, we gather simulates that need to be merged, and merge them
backwards starting from the last simulate.
R=jkummerow@chromium.org
BUG=v8:2612
Review URL: https://chromiumcodereview.appspot.com/13649003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14169 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-08 17:37:22 +00:00
yangguo@chromium.org
e33b68817b
Fix Array.prototype.concat when exceeding array size limit.
...
R=verwaest@chromium.org
BUG=v8:581
Review URL: https://chromiumcodereview.appspot.com/13465008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14154 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-05 15:12:59 +00:00
yangguo@chromium.org
deecbb2e01
Do not implicitly convert non-object receivers for strict mode functions.
...
This was still the case for Array.prototype.* builtin functions.
R=rossberg@chromium.org
BUG=v8:2273
Review URL: https://chromiumcodereview.appspot.com/13473009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14149 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-05 11:57:02 +00:00
mstarzinger@chromium.org
9e757a604c
Make __proto__ a real JavaScript accessor property.
...
This turns the __proto__ callback from a foreign callback into a real
JavaScript accessor. It makes the accessor behavior of this property
explicit.
R=rossberg@chromium.org
BUG=v8:1949,v8:2606
TEST=mjsunit/regress/regress-2606
Review URL: https://codereview.chromium.org/13533004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14139 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-04 12:10:23 +00:00
ulan@chromium.org
eee5884f8d
Add extra flag for load-ic stubs in code cache.
...
This allows to distinguish between stubs compiled for the current object from
stubs compiled for objects that have the current object as a prototype.
BUG=v8:2593
R=verwaest@chromium.org
Review URL: https://chromiumcodereview.appspot.com/13552003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14132 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-04 08:29:25 +00:00
danno@chromium.org
98281c62f0
Ensure UseRegisterAtStart not used with fixed temp/return register
...
R=vegorov@chromium.org
BUG=chromium:201590
Review URL: https://codereview.chromium.org/13527007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14124 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-03 14:45:39 +00:00
yangguo@chromium.org
443f85eed9
Add test to check that Function.caller must not expose native functions.
...
R=svenpanne@chromium.org
BUG=v8:105
Review URL: https://chromiumcodereview.appspot.com/13166002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14096 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-28 14:31:48 +00:00
dslomov@chromium.org
47d8af7616
Canonicalize NaNs on store to Fast(Float|Double) arrays
...
Also treat holey NaN coming from external float/double arrays correctly
BUG=2596
Review URL: https://codereview.chromium.org/12918028
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14094 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-28 13:30:16 +00:00
yangguo@chromium.org
9155d20282
Stack trace API: poison stack frames below the first strict mode frame.
...
Function and receiver objects are not accessible for poisoned frames.
R=rossberg@chromium.org
BUG=v8:2564
Review URL: https://chromiumcodereview.appspot.com/13150003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14085 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-28 10:40:07 +00:00
yangguo@chromium.org
a942fcd984
Add test case for missing deopt sequence after forced deopt.
...
R=danno@chromium.org
BUG=217858
Review URL: https://chromiumcodereview.appspot.com/13042005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14078 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-27 09:58:32 +00:00
yangguo@chromium.org
bb632dc49d
Only copy with, block and catch scopes in DebugEvaluate.
...
R=ulan@chromium.org
BUG=171715
Review URL: https://chromiumcodereview.appspot.com/13093003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14077 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-26 17:46:16 +00:00
danno@chromium.org
c3486bc4eb
Remove bogus test flags
...
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/12872007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14072 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-25 17:59:15 +00:00
danno@chromium.org
dfd9ea8087
Fix store_mode bug involving polymorphism with external and JS arrays.
...
Review URL: https://codereview.chromium.org/12987014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14064 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-25 15:19:22 +00:00
verwaest@chromium.org
a8b3215afa
Change LookupForWrite to always do a full lookup and check the result.
...
If we find a property in the prototype-chain that we can overwrite, and
we have a transition, keep the holder in the lookup-result as the actual
holder. We will need it for the consistency-check in GenerateStoreField.
By directly checking the entire chain we avoid having to lazily bail out
to a copy of the miss stub while generating the Field Store IC.
Currently this CL disallows a normal non-receiver holder, given that
that would require a positive lookup + details verification to ensure
the property did not become read-only. This fixes the regressions in the
attached tests.
Review URL: https://chromiumcodereview.appspot.com/12810006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14061 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-25 12:55:27 +00:00
yangguo@chromium.org
b347a0dcae
Correctly materialize arguments object in Runtime_DebugEvaluate.
...
The problem was that if the # arguments specified in the function
declaration and the # arguments passed to the function are not
the same, we use an arguments adapter frame to make it work. This
confuses the existing implementation to materialize the arguments
object.
R=peter.rybin@gmail.com
BUG=222893
Review URL: https://chromiumcodereview.appspot.com/12674027
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14059 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-25 10:01:53 +00:00
yangguo@chromium.org
27b0979347
Restore correct regression test for crbug/146910.
...
For some reason (rebase conflicts?) the regression test introduced
in r12547 was overwritten by r13340.
The test in question already exists in regress-latin-1
R=dcarney@chromium.org
BUG=
Review URL: https://chromiumcodereview.appspot.com/13023003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14043 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-22 09:04:36 +00:00
yangguo@chromium.org
b522319a98
Extend test coverage for JSON.stringify's slow path.
...
R=verwaest@chromium.org
BUG=
Review URL: https://chromiumcodereview.appspot.com/12702009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14008 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-20 14:07:30 +00:00
verwaest@chromium.org
002ba9c76d
Turn Flags into a uint32_t typedef.
...
We cannot rely on C++ compilers inferring the int-type from the enum
value range. Whereas Linux/OSX find uint32_t as type for [0,MaxUInt32],
Windows insists it's int.
Update the test to execute its original intent on all platforms: 1 value
larger than max arguments, 1 smaller than max arguments (on all
platforms). This makes the test run a lot faster.
BUG=chromium:194749
Review URL: https://chromiumcodereview.appspot.com/12507010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13988 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-19 13:11:49 +00:00
verwaest@chromium.org
010f36f94b
Raise the limit since it is 2**16 (65536) on x64.
...
Review URL: https://chromiumcodereview.appspot.com/12700012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13973 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-18 15:49:33 +00:00
jkummerow@chromium.org
e2cd7aa423
Fix detection of |handle_smi| case in HOptimizedGraphBuilder::HandlePolymorphicCallNamed
...
BUG=chromium:196583
Review URL: https://codereview.chromium.org/12620014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13963 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-18 12:41:52 +00:00
yangguo@chromium.org
b85237a0bc
Fix white space matching in latin-1 strings wrt \u00a0.
...
R=dcarney@chromium.org
BUG=181422
Review URL: https://chromiumcodereview.appspot.com/12644008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13898 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-11 11:52:11 +00:00
mstarzinger@chromium.org
d70523dce6
Restore Function()'s expected string representation.
...
R=rossberg@chromium.org
BUG=v8:2470
TEST=mjsunit/regress/regress-2470
Review URL: https://codereview.chromium.org/12687002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13880 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-08 11:47:20 +00:00
mstarzinger@chromium.org
4b0395cc23
Harden Function()'s parsing of function literals.
...
R=rossberg@chromium.org
BUG=v8:2470
TEST=mjsunit/regress/regress-2470
Review URL: https://codereview.chromium.org/12613007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13867 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-07 15:46:14 +00:00
yangguo@chromium.org
3a497dfd51
Insert missing type cast in JSON.stringify.
...
R=dcarney@chromium.org
BUG=v8:2570
Review URL: https://chromiumcodereview.appspot.com/12599003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13853 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-07 09:58:27 +00:00
yangguo@chromium.org
a62cfd1db0
Fix Array.length, String.length and Function.prototype LoadICs on x64.
...
R=jkummerow@chromium.org
BUG=v8:2568
Review URL: https://chromiumcodereview.appspot.com/12545004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13847 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-06 18:19:35 +00:00
adamk@chromium.org
7fe9bd5a09
Properly handle misses for StoreArrayLengthStub on ia32 and x64
...
Both failed to generate a miss if the key wasn't "length".
ARM and MIPS were already correct.
BUG=v8:2566
Review URL: https://codereview.chromium.org/12378085
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13828 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-05 16:31:11 +00:00
mstarzinger@chromium.org
2aabf6257d
Add workaround for redefinition of __proto__ property.
...
This is a temporary workaround when the __proto__ property is being
redefined (e.g. by Object.freeze()) to not lose the foreign callback.
Once the __proto__ property is a real JavaScript accessor this hack is
no longer necessary. This change also makes __proto__ configurable.
R=rossberg@chromium.org
BUG=v8:2565
TEST=mjsunit/regress/regress-2565
Review URL: https://codereview.chromium.org/12398010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13817 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-04 17:53:40 +00:00
yangguo@chromium.org
358311e8ec
Limit EatAtLeast recursion by a budget.
...
BUG=178790
Review URL: https://chromiumcodereview.appspot.com/12380026
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13788 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-01 14:50:14 +00:00
yangguo@chromium.org
2a3063a7c3
Handle negative input in inlined Math.round on Intel CPUs.
...
R=jkummerow@chromium.org
BUG=v8:2451
Review URL: https://chromiumcodereview.appspot.com/12342037
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13764 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-02-27 14:44:57 +00:00
mstarzinger@chromium.org
ea5e9edac4
Fix materialization of arguments objects with unknown values.
...
This fixes the deoptimizer to materialize arguments objects of correct
length even in cases where the actual argument values are unknown and
were optimized away by Crankshaft. This can happen if only the length
property or the identity of an arguments object is used.
R=svenpanne@chromium.org
BUG=chromium:163530
TEST=mjsunit/regress/regress-crbug-163530
Review URL: https://codereview.chromium.org/12335132
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13763 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-02-27 14:37:51 +00:00
dcarney@chromium.org
52a015b1af
Fix overflow in WriteQuoteJsonString and SlowQuoteJsonString
...
R=yangguo@chromium.org
BUG=
Review URL: https://codereview.chromium.org/12326120
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13730 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-02-26 11:02:39 +00:00
mstarzinger@chromium.org
ce1e10f5fc
Make __proto__ a foreign callback on Object.prototype.
...
This moves the __proto__ property to Object.prototype and turns it into
a callback property actually present in the descriptor array as opposed
to a hack in the properties lookup. For now it still is a "magic" data
property using foreign callbacks and not an accessor property visible to
JavaScript.
The second effect of this change is that JSON.parse() no longer treats
the __proto__ property specially, it will be defined as any other data
property. Note that object literals still have their special handling.
R=rossberg@chromium.org
BUG=v8:621,v8:1949,v8:2441
TEST=mjsunit,cctest,test262
Review URL: https://codereview.chromium.org/12212011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13728 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-02-26 10:46:00 +00:00
mstarzinger@chromium.org
300413b5a9
Fix f.apply() optimization when declared arguments are mutated.
...
R=verwaest@chromium.org
BUG=v8:2539
TEST=mjsunit/regress/regress-2539
Review URL: https://codereview.chromium.org/12255033
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13673 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-02-14 15:12:49 +00:00
jkummerow@chromium.org
19dab057b4
Fix NegateCompareOp and InvertCompareOp
...
BUG=v8:2537
Review URL: https://codereview.chromium.org/12217136
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13658 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-02-13 14:36:19 +00:00
jkummerow@chromium.org
e83ff197bf
Add regression test for r13617
...
Many thanks to Vyacheslav Egorov for coming up with this test!
BUG=173907
Review URL: https://codereview.chromium.org/12212066
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13622 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-02-07 15:38:24 +00:00
mstarzinger@chromium.org
79607d20e6
Make the GC stress builder go green.
...
R=jkummerow@chromium.org
Review URL: https://codereview.chromium.org/12218034
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13608 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-02-06 13:21:28 +00:00
verwaest@chromium.org
aca87c2fcd
Tag stubs that rely on instance types as MEGAMORPHIC.
...
BUG=chromium:173974
Review URL: https://chromiumcodereview.appspot.com/12178017
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13586 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-02-04 13:12:03 +00:00
verwaest@chromium.org
c8636a2809
Do not try to collect the map if the monomorphic IC stub has no map.
...
This is necessary for monomorphic stubs that rely on instance types,
such as ArrayLength, StringLength and FunctionPrototype.
BUG=chromium:172345
Review URL: https://chromiumcodereview.appspot.com/12082023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13526 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-28 13:19:53 +00:00
yangguo@chromium.org
24ec13cbd2
Fix additional spec violations wrt RegExp.lastIndex.
...
R=svenpanne@chromium.org
BUG=v8:2437
Review URL: https://chromiumcodereview.appspot.com/12033099
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13504 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-25 10:53:26 +00:00
ulan@chromium.org
e6224d275f
Make embedded maps in optimized code weak.
...
Each map has a weak array of dependent codes, where the map tracks all the optimized codes that embed it.
Old space GC either clears the dead dependent codes from the array if the corresponding map is alive or deoptimizes the live dependent codes if the map is dead.
BUG=v8:2073
R=mstarzinger@chromium.org
Review URL: https://chromiumcodereview.appspot.com/11575007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13490 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-24 11:55:05 +00:00
ulan@chromium.org
d29826544e
Correctly set kCanBeDivByZero flag for HMathFloorOfDiv.
...
After r13289 the divisor can be non-constant, so we should check for zero.
BUG=171641
R=yangguo@chromium.org
Review URL: https://chromiumcodereview.appspot.com/12047050
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13479 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-23 15:58:49 +00:00
yangguo@chromium.org
9296975c04
Correctly reset lastIndex in a RegExp object.
...
R=svenpanne@chromium.org
BUG=170856
Review URL: https://chromiumcodereview.appspot.com/11896060
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13471 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-23 12:28:16 +00:00
ulan@chromium.org
79a0e3b017
Fix pattern detection for replacing shifts by rotation.
...
BUG=2499
R=svenpanne@chromium.org
Review URL: https://chromiumcodereview.appspot.com/12047015
Patch from Hirofumi Mako <mkhrfm@gmail.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13464 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-22 13:55:22 +00:00
mvstanton@chromium.org
c3746b4388
allocation-site-info.js broken on arm with new changes. Reverting to previous version until diagnosed.
...
Regress-2185.js test takes too long on slow path when allocation site info is discovered.
BUG=
Review URL: https://codereview.chromium.org/12049003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13456 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-21 16:15:08 +00:00
yangguo@chromium.org
0c822b21cb
Fix some latin-1 webkit unit tests
...
R=yangguo@chromium.org
BUG=
Review URL: https://chromiumcodereview.appspot.com/11962035
Patch from Dan Carney <dcarney@google.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13455 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-21 16:11:31 +00:00
mstarzinger@chromium.org
0484ddcf50
Fix arguments materialization for inlined apply().
...
This fixes materialization of the arguments object in case the constant
function check if TryCallApply() inside an inlined frame fails.
R=svenpanne@chromium.org
BUG=v8:2489
TEST=mjsunit/regress/regress-2489
Review URL: https://codereview.chromium.org/11931012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13386 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-16 09:25:45 +00:00
yangguo@chromium.org
f15f294127
Sync laziness between BuildFunctionInfo and MakeFunctionInfo.
...
BuildFunctionInfo compiles the function eagerly when there are debug
break points. However, the AST may have been parsed lazily since
MakeFunctionInfo does not check for debug break points.
This fixes a regression introduced in r11866.
BUG=147497
Review URL: https://chromiumcodereview.appspot.com/11661008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13382 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-15 10:16:52 +00:00
mstarzinger@chromium.org
c5cff2c75a
Make recent regression test resilient against GC stress.
...
R=danno@chromium.org
TEST=mjsunit/regress/regress-165637
Review URL: https://codereview.chromium.org/11824062
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13353 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-10 14:21:27 +00:00
mstarzinger@chromium.org
1079642c97
Fix missing exception check in typed array constructor (2).
...
This fixes another crash when the typed array constructor accesses
an array that has a throwing accessor defined on one of its elements.
R=verwaest@chromium.org
BUG=chromium:168545
TEST=mjsunit/regress/regress-crbug-168545.js
Review URL: https://codereview.chromium.org/11791052
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13351 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-10 11:45:29 +00:00
yangguo@chromium.org
e41c17084f
Continues Latin-1 support. All tests pass with ENABLE_LATIN_1 flag.
...
R=yangguo@chromium.org
BUG=
Review URL: https://chromiumcodereview.appspot.com/11818025
Patch from Dan Carney <dcarney@google.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13344 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-09 15:47:53 +00:00
yangguo@chromium.org
45f20e366a
Introduce ENABLE_LATIN_1 compile flag
...
Mostly a bunch of renaming when flag is disabled.
R=yangguo@chromium.org
BUG=
Review URL: https://chromiumcodereview.appspot.com/11759008
Patch from Dan Carney <dcarney@google.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13340 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-09 10:30:54 +00:00
svenpanne@chromium.org
0aacbf9619
Added %FlattenString and use it to speed up a regression test.
...
Flattening strings is relatively costly and by doing it after every duplication
we avoid combinatorial explosion.
Note that flattening could have been done by e.g. using a regular expression,
too, but this is just another implementation detail and %FlattenString seems
general enough to be useful in other tests, too.
Review URL: https://codereview.chromium.org/11828014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13337 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-09 09:32:12 +00:00
mstarzinger@chromium.org
0e46919c32
Fix missing exception check in typed array constructor.
...
The typed array constructor might fail if the first argument is an
object with a length property. Accessing the property can cause an
exception to be thrown and an explicit check needs to be performed.
R=verwaest@chromium.org
BUG=chromium:168545
TEST=mjsunit/regress/regress-crbug-168545.js
Review URL: https://codereview.chromium.org/11777014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13325 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-07 14:01:04 +00:00
yangguo@chromium.org
4ee20d857b
Check for read-only-ness when preparing for array sort.
...
R=verwaest@chromium.org
BUG=v8:2419
Review URL: https://chromiumcodereview.appspot.com/11759022
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13313 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-04 15:24:47 +00:00
ulan@chromium.org
b64f834383
Fix x64 MathMinMax for negative untagged int32 arguments.
...
An untagged int32 has zeros in the upper half even if it is negative.
Using cmpq to compare such numbers will incorrectly ignore the sign.
BUG=164442
R=mvstanton@chromium.org
Review URL: https://chromiumcodereview.appspot.com/11665007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13273 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-12-21 17:52:00 +00:00
yangguo@chromium.org
362218a037
Deopt on overflow in integer mod.
...
R=ulan@chromium.org
BUG=166379
Review URL: https://chromiumcodereview.appspot.com/11618017
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13241 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-12-19 12:01:22 +00:00
ulan@chromium.org
8574054b59
Correctly handle negative codes in String.fromCharCode()
...
BUG=166553
R=yangguo@chromium.org
Review URL: https://chromiumcodereview.appspot.com/11576069
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13235 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-12-18 12:37:57 +00:00
rossberg@chromium.org
c6bb497437
Simplify implementation of assignment-to-const checks.
...
Also, add test that assignment to function name is a syntax error with harmony scoping.
Does not fix issue 2243 directly, but with ES6, the required behaviour will change to what is implemented already anyway.
R=yangguo@chromium.org
BUG=v8:2243
Review URL: https://codereview.chromium.org/11607016
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13234 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-12-18 12:00:50 +00:00
danno@chromium.org
facad070e9
Remove over-zealous hole checking in Array.slice()
...
R=jkummerow@chromium.org
BUG=chromium:165637
TEST=regress-165637.js
Review URL: https://codereview.chromium.org/11442054
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13211 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-12-12 15:20:45 +00:00
rossberg@chromium.org
76375de29d
Object.observe: prevent observed objects from using fast elements.
...
This is necessary because polymorphic stores generally
do not perform a map check but only an instance type check,
which misses out on changes in the observation status.
Unfortunately, there currently is no efficient way in V8
to maintain that optimisation in the presence of Object.observe.
R=mstarzinger@chromium.org
BUG=v8:2409
Review URL: https://codereview.chromium.org/11477006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13205 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-12-12 11:38:24 +00:00
rossberg@chromium.org
3348b5c2b4
Allow lazy compilation (and thus optimisation) of functions inside eval.
...
For strict-mode eval, this requires _disabling_ lazy parsing of inner functions,
because we need to collect their free variables to do allocation for the
eval scope properly.
R=mstarzinger@chromium.org
BUG=v8:2315
Review URL: https://codereview.chromium.org/11438042
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13161 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-12-07 10:35:50 +00:00
yangguo@chromium.org
3388f92e63
Fix spec violations in methods of Number.prototype.
...
R=svenpanne@chromium.org
BUG=v8:2443
Review URL: https://chromiumcodereview.appspot.com/11465005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13160 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-12-07 10:20:35 +00:00
yangguo@chromium.org
276c790c61
Iterate through all arguments for side effects in Math.min/max.
...
R=svenpanne@chromium.org
BUG=v8:2444
Review URL: https://chromiumcodereview.appspot.com/11444030
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13150 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-12-06 13:13:38 +00:00
yangguo@chromium.org
c75ca45000
Improve array to string conversion.
...
BUG=v8:2435
Review URL: https://chromiumcodereview.appspot.com/11348349
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13144 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-12-05 15:49:22 +00:00
yangguo@chromium.org
6c92aba643
Fix spec violations related to regexp.lastIndex
...
BUG=v8:2437, v8:2438
Review URL: https://chromiumcodereview.appspot.com/11451005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13143 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-12-05 12:32:25 +00:00
verwaest@chromium.org
7553f0d68e
CopyPackedSmiToDoubleElements should fill the FixedDoubleArray with holes
...
BUG=v8:2433
Review URL: https://chromiumcodereview.appspot.com/11280223
Patch from Adam Klein <adamk@chromium.org>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13082 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-11-29 08:34:19 +00:00
verwaest@chromium.org
09b1574baa
Make ElementsAccessors more tolerant of varying backing store types
...
This avoids bogus calls to Fixed*Array::cast() when FastElements-backed objects are empty (and thus backed by empty_fixed_array).
Review URL: https://chromiumcodereview.appspot.com/11299190
Patch from Adam Klein <adamk@chromium.org>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13071 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-11-28 08:41:45 +00:00
verwaest@chromium.org
1b0e373f09
Avoid double initialization of arrays.
...
Review URL: https://chromiumcodereview.appspot.com/11413179
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13064 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-11-27 12:01:14 +00:00
verwaest@chromium.org
beeb751278
Ensure we do not clobber the register holding the elements backing store.
...
Review URL: https://chromiumcodereview.appspot.com/11316168
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13061 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-11-26 15:58:27 +00:00
verwaest@chromium.org
ebeaad6cb5
Ensure double arrays are filled with holes when extended from variations of empty arrays.
...
BUG=162085
Review URL: https://chromiumcodereview.appspot.com/11414155
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13056 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-11-26 14:29:21 +00:00
jkummerow@chromium.org
a956594fc2
Fix corner case in x64 compare stubs.
...
BUG=v8:2416
Review URL: https://codereview.chromium.org/11413087
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13019 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-11-20 15:57:10 +00:00
rossberg@chromium.org
8d79ff46d0
Clean-up refactoring to eliminate GetLocalElementKind.
...
Eliminates substantial amounts of fragile code duplication and special casing.
Also fixes "a".propertyIsEnumerable(0) to correctly return true.
R=mstarzinger@chromium.org
BUG=
Review URL: https://codereview.chromium.org/11420011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12990 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-11-16 13:28:34 +00:00
mstarzinger@chromium.org
3d1582c474
Fix Array.prototype.join evaluation order.
...
R=yangguo@chromium.org
BUG=v8:2263
TEST=mjsunit/regress/regress-2263
Review URL: https://codereview.chromium.org/11280025
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12989 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-11-16 12:45:23 +00:00
rossberg@chromium.org
af824eab8f
When using an Object as a set in Object.getOwnPropertyNames, null out the proto
...
Also apply the same fix elsewhere in v8natives.js
BUG=v8:2410
Review URL: https://codereview.chromium.org/11364237
Patch from Adam Klein <adamk@chromium.org>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12982 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-11-16 09:32:39 +00:00
yangguo@chromium.org
4783d3c31b
Remove 'type' and 'arguments' properties from Error object.
...
R=svenpanne@chromium.org
BUG=v8:2397
Review URL: https://chromiumcodereview.appspot.com/11358214
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12956 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-11-14 09:14:47 +00:00
yangguo@chromium.org
4cca6c6081
Make formatting error message side-effect-free.
...
BUG=v8:2398
Review URL: https://chromiumcodereview.appspot.com/11359130
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12926 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-11-12 10:33:20 +00:00
yangguo@chromium.org
ef1b3d3a76
Fix length check in JSON.stringify.
...
R=verwaest@chromium.org
BUG=160010
Review URL: https://chromiumcodereview.appspot.com/11410031
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12925 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-11-12 10:20:07 +00:00
mstarzinger@chromium.org
a31889e2de
Fix slack tracking when instance prototype changes.
...
This fixes a corner case when the instance prototype of a function is
changed while inobject slack tracking is still in progress. This caused
the initial map to be unrelated for functions with the same shared info
and hence the shared construct stub is no longer generic enough to work
for all those functions.
R=danno@chromium.org
BUG=chromium:157019
TEST=mjsunit/regress/regress-crbug-157019
Review URL: https://codereview.chromium.org/11293059
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12896 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-11-08 11:56:44 +00:00
yangguo@chromium.org
e8d91b424c
Handle edge cases in basic JSON.stringify.
...
BUG=
Review URL: https://chromiumcodereview.appspot.com/11315009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12842 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-11-02 14:46:57 +00:00
verwaest@chromium.org
14abf05bd5
Ensure reducing the length of an array doesn't make it go holey.
...
Also only transition and/or change anything to the backing store if we are
actually going to delete anything.
BUG=
Review URL: https://chromiumcodereview.appspot.com/11358011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12840 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-11-02 10:24:56 +00:00
yangguo@chromium.org
8ed2e560ea
Treat leading zeros in JSON.parse correctly.
...
R=verwaest@chromium.org
BUG=158185
Review URL: https://chromiumcodereview.appspot.com/11273075
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12830 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-10-29 12:01:29 +00:00
mstarzinger@chromium.org
e363cd3425
Fix ugly typo in GenerateNewNonStrictFast.
...
R=svenpanne@chromium.org
BUG=chromium:157520
TEST=mjsunit/regress/regress-crbug-157520
Review URL: https://codereview.chromium.org/11300008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12826 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-10-26 10:55:25 +00:00
yangguo@chromium.org
e50ee08ad6
Reland JSON.stringify reimplementation.
...
BUG=
Review URL: https://chromiumcodereview.appspot.com/11189112
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12790 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-10-22 14:22:58 +00:00
yangguo@chromium.org
f910052543
Always invoke the default Array.sort functions from builtin functions, part 2.
...
R=vegorov@chromium.org
BUG=v8:2372
Review URL: https://chromiumcodereview.appspot.com/11175007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12774 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-10-19 12:30:18 +00:00
verwaest@chromium.org
fa53250dd2
Fixed json regression
...
BUG=v8:2374
Review URL: https://chromiumcodereview.appspot.com/11186059
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12766 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-10-19 08:23:45 +00:00
verwaest@chromium.org
7bc94a92c5
Fixed error introduced in r12761.
...
BUG=2373
Review URL: https://chromiumcodereview.appspot.com/11198068
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12765 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-10-18 18:43:19 +00:00
fschneider@chromium.org
971e834a8d
Always invoke the default Array.sort functions from builtin functions.
...
TEST=mjsunit/regress/regress-builtin-array-op.js
BUG=v8:2372
Review URL: https://chromiumcodereview.appspot.com/10559005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12752 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-10-18 11:18:08 +00:00
verwaest@chromium.org
7c28995e5d
Invalidate the enum cache when converting a transition across which the descriptors are shared.
...
Review URL: https://chromiumcodereview.appspot.com/11145017
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12722 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-10-15 08:38:51 +00:00
verwaest@chromium.org
b75705f07b
Don't clear EnumLength but rather copy the enum cache. Added regression test for crashes from chromecrash.
...
Review URL: https://chromiumcodereview.appspot.com/11103036
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12704 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-10-11 15:33:34 +00:00
verwaest@chromium.org
dde1cdfb8e
Fix transition conversion from CONSTANT_FUNCTION to FIELD.
...
Review URL: https://chromiumcodereview.appspot.com/11094044
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12688 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-10-10 12:31:50 +00:00
verwaest@chromium.org
55e924c595
Fix CNLT regression.
...
This happens when a map A with no descriptors in fast_holey_elements
mode first gets some properties, making it share descriptor arrays with
a map B to which it transitions. Then map A transitions elements kind to
dictionary_elements in map C. C stores the empty_descriptor_array in its
own transition array. When adding a property to C, C transitions to D
and shares the descriptors. If D dies, a CNLT clears the transition
array of C, making the descriptor array of A (and thus also of B) shine
through. If a property is now added to an object in state C, it'll inherit
all the properties of A (and B). If those properties had high field indices,
we do not have a large enough backing store for the single newly added
property, and we'll write out of bounds.
BUG=chromium:151749
Review URL: https://chromiumcodereview.appspot.com/11017054
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12687 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-10-10 12:29:44 +00:00
svenpanne@chromium.org
5d11c5ee69
Fixed Accessors::FunctionGetPrototype's proto chain traversal.
...
Actually it didn't traverse that far... ;-) Did some cleanup on the way.
R=rossberg@chromium.org
BUG=chrome:143967
TEST=regress/regress-143967.js
Review URL: https://codereview.chromium.org/11087004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12677 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-10-08 12:58:46 +00:00
rossberg@chromium.org
329cf12363
Make sure that names of temporaries do not clash with real variables.
...
R=mstarzinger@chromium.org
BUG=v8:2322
Review URL: https://codereview.chromium.org/11035054
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12668 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-10-05 12:47:34 +00:00
rossberg@chromium.org
3f7b5c338a
Reject uses of lexical for-loop variable on the RHS.
...
R=mstarzinger@chromium.org
BUG=v8:2322
Review URL: https://codereview.chromium.org/11031045
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12664 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-10-05 09:07:53 +00:00
mmassi@chromium.org
8fbfad63cd
Avoid wrong imul deopt on ia32 and x64 (fixes v8 bug 2339).
...
BUG=v8:2339
Review URL: https://chromiumcodereview.appspot.com/10963032
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12614 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-26 09:57:30 +00:00
erik.corry@gmail.com
72e9f1bea1
x64 and ARM: Fix issue 2346 (order of operations in keyed store
...
on arrays) and turn get-own-property-descriptor.js test into
a regression test.
Review URL: https://chromiumcodereview.appspot.com/10985017
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12604 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-25 13:35:42 +00:00
jkummerow@chromium.org
8a3ec89824
Delete test/mjsunit/regress-1969.
...
It was flaky, and its usefulness was doubtful.
Review URL: https://codereview.chromium.org/10961075
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12595 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-24 10:48:14 +00:00
jkummerow@chromium.org
cc6fe90b2b
Remove trailing whitespace
...
R=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/10969064
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12594 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-24 10:44:04 +00:00
jkummerow@chromium.org
cf0cae7eb1
Speed up test/mjsunit/regress/regress-crbug-119926
...
Review URL: https://codereview.chromium.org/10958063
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12584 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-24 09:56:11 +00:00
verwaest@chromium.org
083ee63a83
Fix CNLT for enum indices.
...
Review URL: https://chromiumcodereview.appspot.com/10958015
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12569 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-20 15:18:00 +00:00
verwaest@chromium.org
ea31f868e8
Deopt on storing undefined into double elements.
...
Review URL: https://chromiumcodereview.appspot.com/10963010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12568 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-20 13:41:00 +00:00
jkummerow@chromium.org
a8e502fe60
Fix LBoundsCheck on x64 to handle (stack slot + constant) correctly
...
BUG=150729
Review URL: https://codereview.chromium.org/10959009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12562 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-20 09:56:24 +00:00
jkummerow@chromium.org
83da019a46
Move regress-2286.js where it belongs
...
Review URL: https://codereview.chromium.org/10957013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12561 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-20 09:55:19 +00:00
mstarzinger@chromium.org
c012afb6d4
Fix setting array length to zero for slow elements.
...
R=verwaest@chromium.org
BUG=chromium:146910
TEST=mjsunit/regress/regress-crbug-146910
Review URL: https://codereview.chromium.org/10937026
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12547 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-19 11:52:33 +00:00
mstarzinger@chromium.org
f0dcaf9a19
Fix lost arguments dropping in HLeaveInlined.
...
This fixes HLeaveInlined to correctly drop pushed arguments on all code
paths and addresses a corner case where the arguments stack height
mismatched at an OSR entry point.
R=jkummerow@chromium.org
BUG=chromium:150545
TEST=mjsunit/regress/regress-crbug-150545
Review URL: https://codereview.chromium.org/10938016
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12543 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-19 08:13:46 +00:00
yangguo@chromium.org
73462594ea
Change regress-2318 to trigger more quickly and reliably.
...
BUG=v8:2336
Review URL: https://chromiumcodereview.appspot.com/10913294
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12529 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-17 13:21:59 +00:00
erik.corry@gmail.com
bafcfe5427
Fix misplaced assert in heap.cc.
...
Bug=2336
Review URL: https://chromiumcodereview.appspot.com/10911334
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12528 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-17 11:38:24 +00:00
yangguo@chromium.org
cb72bf5735
Fix debugger's eval when close to stack overflow.
...
R=verwaest@chromium.org
BUG=v8:2318
Review URL: https://chromiumcodereview.appspot.com/10914290
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12518 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-14 13:40:32 +00:00
verwaest@chromium.org
ad4746c8a3
CNLT with descriptors but no valid enum fields has to clear the EnumCache.
...
Review URL: https://chromiumcodereview.appspot.com/10928204
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12512 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-14 13:15:43 +00:00
mstarzinger@chromium.org
77a7d9f539
Fix caching of optimized code for OSR.
...
This makes sure we do not share optimized code across closures that were
optimized using OSR (for a particular OSR entry AST id) even if caching
of optimized code kicks in.
R=danno@chromium.org
BUG=v8:2326
TEST=mjsunit/regress/regress-2326
Review URL: https://codereview.chromium.org/10933088
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12504 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-14 10:41:31 +00:00
verwaest@chromium.org
1d1adaf9d3
Ensure correct enumeration indices in the dict
...
BUG=chromium:148376
Review URL: https://chromiumcodereview.appspot.com/10908216
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12494 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-13 08:52:55 +00:00
yangguo@chromium.org
67d0506622
Correctly initialize regexp global cache.
...
R=ulan@chromium.org
BUG=148378
Review URL: https://chromiumcodereview.appspot.com/10905239
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12491 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-12 15:26:43 +00:00
mstarzinger@chromium.org
f37f504de5
Fix arguments object materialization during deopt.
...
This fixes materialization of arguments objects for strict mode functions during
deoptimization. We materialize arguments from the stack area where optimized
code pushes the arguments when entering the inlined environment. For adapted
invocations we use the arguments adaptor frame for materialization.
R=svenpanne@chromium.org
BUG=v8:2261
TEST=mjsunit/regress/regress-2261,mjsunit/compiler/inline-arguments
Review URL: https://chromiumcodereview.appspot.com/10908194
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12489 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-12 12:28:42 +00:00
mstarzinger@chromium.org
f6cd2403e3
Fix deoptimizer for shared optimized code.
...
The deoptimizer searched the stack for activations of the same function to
determine whether to trigger lazy deopting. Since we share optimized code we
actually need to search for activations of the same code (but potentially
different functions).
R=jkummerow@chromium.org
BUG=chromium:147475
TEST=mjsunit/regress/regress-crbug-147475
Review URL: https://chromiumcodereview.appspot.com/10917162
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12473 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-10 11:05:17 +00:00
svenpanne@chromium.org
7af6883098
Fixed deoptimization of inlined getters.
...
It is necessary to explicitly handle the internal frame lying between the caller
of the getter and the getter itself in the deoptimizer: When the getter is
inlined, leaving the internal frame restores the correct context.
BUG=http://crbug/134609
TEST=mjsunit/regress/regress-crbug-134609
Review URL: https://chromiumcodereview.appspot.com/10910110
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12470 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-07 09:01:54 +00:00
erik.corry@gmail.com
e5df02834b
Fix some corner cases in skipping native methods using caller.
...
Review URL: https://chromiumcodereview.appspot.com/10911063
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12439 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-05 08:19:49 +00:00
verwaest@chromium.org
0c24942be7
Fixed test expectation.
...
Review URL: https://chromiumcodereview.appspot.com/10913062
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12435 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-04 09:54:36 +00:00
verwaest@chromium.org
a8638c1570
Support register as right operand in min/max support.
...
R=jkummerow@chromium.org
BUG=chromium:145961
TEST=mjsunit/regress/regress-crbug-145961.js
Review URL: https://chromiumcodereview.appspot.com/10914072
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12434 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-09-04 09:35:43 +00:00
verwaest@chromium.org
90db487390
Elements load depends on the type of the receiver.
...
R=jkummerow@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10918005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12413 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-08-30 17:31:32 +00:00
danno@chromium.org
3544e2e875
Disable speculative LICM when it may lead to unnecessary deopts
...
BUG=v8:2250
R=vegorov@chromium.org
TEST=tests/mjsunit/regress/regress-2250.js
Review URL: https://chromiumcodereview.appspot.com/10867033
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12375 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-08-23 21:08:58 +00:00
ulan@chromium.org
efc26f9b2b
Fix rounding in Uint8ClampedArray setter.
...
According to Web IDL spec, we should round to
the nearest integer, choosing the even integer
if it lies halfway between two.
R=yangguo@chromium.org ,kbr@chromium.org
BUG=v8:2294
Review URL: https://chromiumcodereview.appspot.com/10831409
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12364 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-08-22 14:27:11 +00:00
verwaest@chromium.org
5df5eea066
Check that index and length are Smi in bounds check.
...
BUG=chromium:142218
R=danno@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10829456
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12362 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-08-21 16:46:25 +00:00
yangguo@chromium.org
3a1c290b2c
Add input check to %DebugSetScriptSource.
...
R=verwaest@chromium.org
BUG=v8:2296
Review URL: https://chromiumcodereview.appspot.com/10837308
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12338 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-08-17 15:21:15 +00:00
erik.corry@gmail.com
ee3a66b273
Fix bug in compare IC. BUG=2291
...
Review URL: https://chromiumcodereview.appspot.com/10830334
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12313 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-08-15 15:08:42 +00:00
yangguo@chromium.org
28c892938e
Ensure capacity when adding parts in String.replace.
...
R=ulan@chromium.org
BUG=v8:2289
TEST=regress-2289.js
Review URL: https://chromiumcodereview.appspot.com/10830304
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12307 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-08-14 11:33:12 +00:00
yangguo@chromium.org
3605fcbe63
Fix indexing bug in regexp, part 2.
...
The previous fix initialized the start index incorrectly.
BUG=
Review URL: https://chromiumcodereview.appspot.com/10834291
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12302 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-08-13 15:53:40 +00:00
mstarzinger@chromium.org
e77f24f44e
Remove prototype of global builtins object.
...
R=yangguo@chromium.org
BUG=v8:2284
TEST=mjsunit/regress/regress-2284
Review URL: https://chromiumcodereview.appspot.com/10854116
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12301 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-08-13 15:34:49 +00:00
yangguo@chromium.org
960b1af12f
Fix wrong indexing in global regexp.
...
R=ulan@chromium.org
BUG=142087
Review URL: https://chromiumcodereview.appspot.com/10824278
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12300 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-08-13 15:26:46 +00:00
yangguo@chromium.org
f30099dacf
Check for function in %_CallFunction.
...
R=mstarzinger@chromium.org
BUG=v8:2285
Review URL: https://chromiumcodereview.appspot.com/10854115
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12299 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-08-13 12:11:26 +00:00
yangguo@chromium.org
cd5ee62692
Allow multiple lines of custom flags in javascript tests.
...
R=ulan@chromium.org
BUG=
Review URL: https://chromiumcodereview.appspot.com/10855099
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12289 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-08-10 12:26:33 +00:00
svenpanne@chromium.org
83fc4205f6
Fixed compound/count operations with getter-only accessor properties.
...
The underlying problem is that for compound/count operations we use the *load*
type feedback for storing, too. For normal properties this doesn't matter, but
for accessor properties we should better use the *store* type feedback, which
would be available, too. This consistent feedback usage could be guaranteed if
we removed the heavy copy-n-paste in the crankshaft code generation for
compound/count operations and assignments/property loads.
To be on the safe side, we postpone this refactoring and do a quick and easily
mergeable fix.
BUG=140083
TEST=mjsunit/regress/regress-crbug-140083.js
Review URL: https://chromiumcodereview.appspot.com/10828146
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12252 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-08-03 09:45:08 +00:00
erik.corry@gmail.com
b3e2440580
Speed up quicksort test to avoid timeouts on simulators.
...
Review URL: https://chromiumcodereview.appspot.com/10830093
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12237 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-07-31 13:36:24 +00:00
jkummerow@chromium.org
80c35c6522
Always set the callee's context when calling a function from optimized code.
...
This is necessary even for recursive calls because we're sharing optimized code among closures, which could call each other and have distinct contexts.
BUG=138887
TEST=mjsunit/regress/regress-crbug-138887
Review URL: https://chromiumcodereview.appspot.com/10834031
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12201 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-07-26 12:49:08 +00:00
mstarzinger@chromium.org
806fb8be96
Fix bootstrapping without snapshot and low GC interval.
...
R=yangguo@chromium.org
BUG=v8:2249
TEST=mjsunit/regress/regress-2249 (snapshot=off)
Review URL: https://chromiumcodereview.appspot.com/10818005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12177 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-07-23 16:18:25 +00:00
danno@chromium.org
3667f92cbb
Add dependency to HLoadKeyed* instructions to prevent invalid hoisting
...
BUG=chromium:137768
TEST=test/mjsunit/regress/regress-137768.js
Review URL: https://chromiumcodereview.appspot.com/10802038
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12173 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-07-23 13:59:24 +00:00
sanjoy@chromium.org
693c7643d2
Optimize functions on a second thread.
...
BUG=
TEST=
Review URL: https://chromiumcodereview.appspot.com/10807024
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12148 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-07-19 18:58:23 +00:00
verwaest@chromium.org
90c7cb1397
When following an accessor transition for an already existing accessor, don't load the last added descriptor but the same descriptor as we already found previously.
...
BUG=137689
TEST=test/mjsunit/regress/regress-crbug-137689.js
Review URL: https://chromiumcodereview.appspot.com/10808005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12115 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-07-18 09:20:57 +00:00
yangguo@chromium.org
022ba0588a
Fix transcendental cache on ARM in optimized code.
...
R=jkummerow@chromium.org
BUG=v8:2234
TEST=regress-2234.js
Review URL: https://chromiumcodereview.appspot.com/10695205
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12086 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-07-16 09:44:59 +00:00
svenpanne@chromium.org
43e87a65e1
Added Crankshaft support for setters.
...
Refactored ComputeLoadStoreField a bit on the way to clarify a bit what it
actually does.
Review URL: https://chromiumcodereview.appspot.com/10692187
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12072 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-07-13 07:14:28 +00:00
svenpanne@chromium.org
b8a7abd1fc
Perform HasFastProperties check on prototypes when computing call targets in Crankshaft, part 2.
...
The previous fix was for "real" calls, this one is for getters. It is a bit
unfortunate that this has to be fixed twice: We should really break up
Call::ComputeTarget into a predicate and 1 or 2 getters, so code can be reused.
The regression test has been modified a bit to make things more uniform.
Review URL: https://chromiumcodereview.appspot.com/10702164
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12053 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-07-12 09:32:26 +00:00
jkummerow@chromium.org
0c4cc038e6
Add missing --allow-natives-syntax flag to test case
...
R=rossberg@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10698152
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12046 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-07-11 14:45:47 +00:00
jkummerow@chromium.org
432576b7c8
Perform HasFastProperties check on prototypes when computing call targets in Crankshaft.
...
BUG=125148
TEST=mjsunit/regress/regress-crbug-125148
Review URL: https://chromiumcodereview.appspot.com/10735054
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12043 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-07-11 14:27:53 +00:00
yangguo@chromium.org
2a819667c1
Do not use user-defined __lookupGetter__ when generating stack trace.
...
BUG=v8:1591
TEST=regress-1591.js
Review URL: https://chromiumcodereview.appspot.com/10736030
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12040 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-07-11 11:35:19 +00:00
mstarzinger@chromium.org
09bfdabd2a
Fix inline constructors for Harmony Proxy prototypes.
...
R=rossberg@chromium.org
BUG=v8:2225
TEST=mjsunit/regress/regress-2225
Review URL: https://chromiumcodereview.appspot.com/10736009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12028 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-07-10 11:28:33 +00:00
verwaest@chromium.org
1007696cdb
After transitioning to constant function, return the constant function as result of the assignment.
...
BUG=v8:2226
TEST=test/mjsunit/regress/regress-2226.js
Review URL: https://chromiumcodereview.appspot.com/10700137
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12024 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-07-10 09:31:30 +00:00
yangguo@chromium.org
3e3160b08c
Correctly advance the scanner when scanning unicode regexp flag.
...
R=rossberg@chromium.org
BUG=136084
TEST=regress-136084.js
Review URL: https://chromiumcodereview.appspot.com/10703106
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12002 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-07-06 14:04:15 +00:00
mstarzinger@chromium.org
026f179b34
Fix unhandlified code calling Harmony Proxy traps.
...
R=rossberg@chromium.org
BUG=v8:2219
TEST=mjsunit/regress/regress-2219
Review URL: https://chromiumcodereview.appspot.com/10703103
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12001 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-07-06 11:34:22 +00:00
mstarzinger@chromium.org
7da6d2b023
Fix lazy compilation for strict eval scopes.
...
This prevents lazy compilation of functions that have an outer context
containing a strict eval scope. Such a scope potentially contains
context allocated variables in an artificial function scope that is not
deserialized correctly.
R=ulan@chromium.org
BUG=chromium:135066
TEST=mjsunit/regress/regress-crbug-135066
Review URL: https://chromiumcodereview.appspot.com/10704058
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11976 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-07-03 08:41:13 +00:00
rossberg@chromium.org
680797234c
Further extend TypedArray support in d8:
...
- Add copy constructors.
- Add subarray methods.
- Make instanceof and constructor property work.
- Rename PixelArray to Uint8ClampedArray.
Also fix broken definition of assertInstanceof in MJSUnit test harness.
R=mstarzinger@chromium.org
BUG=
TEST=
Review URL: https://chromiumcodereview.appspot.com/10558005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11949 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-28 16:29:53 +00:00
mstarzinger@chromium.org
a691c693fb
Fix lazy parsing heuristics to respect outer scope.
...
This makes sure that a function literal is only parsed lazily when the
outer scope actually allows lazy compilation. Otherwise compilation will
crash due to a missing function body.
R=ulan@chromium.org
BUG=chromium:135008
TEST=mjsunit/regress/regress-crbug-135008
Review URL: https://chromiumcodereview.appspot.com/10698032
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11945 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-28 14:56:28 +00:00
yangguo@chromium.org
99a58e36ad
Correctly throw reference error in strict mode with ICs disabled.
...
R=jkummerow@chromium.org
BUG=v8:2119
TEST=regress/regress-2119.js
Review URL: https://chromiumcodereview.appspot.com/10659011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11923 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-25 13:28:11 +00:00
mstarzinger@chromium.org
84b866b2d9
Fix sharing of literal boilerplates for optimized code.
...
This makes sure the literal boilerplates array is correctly shared
together with optimized code when caching of optimized code is enabled.
It also enabled said caching by default again.
R=ulan@chromium.org
BUG=v8:2193
TEST=mjsunit/regress/regress-2193
Review URL: https://chromiumcodereview.appspot.com/10649008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11911 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-22 13:55:15 +00:00
jkummerow@chromium.org
9ce4133017
Make near-jump check more strict in LoadNamedFieldPolymorphic on ia32/x64
...
BUG=134055
TEST=mjsunit/regress/regress-crbug-134055
Review URL: https://chromiumcodereview.appspot.com/10630027
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11907 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-22 13:38:39 +00:00
erik.corry@gmail.com
423e5b8906
Make a test run faster that is timing out on the ARM simulator.
...
Review URL: https://chromiumcodereview.appspot.com/10577032
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11884 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-20 13:31:07 +00:00
erikcorry
f4f9e2c1e0
Quicksort: Choose pivot with recursive sort of pivot candidates on large arrays to avoid pathological cases.
...
Review URL: http://codereview.chromium.org/10532193
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11873 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-20 07:52:47 +00:00
rossberg@chromium.org
3e6b01df18
Fix crash bug in Hydrogen occurring with empty prototype chain.
...
(Thanks for diagnosing this.)
R=vegorov@chromium.org
BUG=115100
TEST=
Review URL: https://chromiumcodereview.appspot.com/10576013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11861 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-19 13:44:07 +00:00
verwaest@chromium.org
30b335157f
Fixing ClearNonLiveTransition bug in combination with AccessorPairs.
...
BUG=133211
TEST=test/mjsunit/regress/regress-133211b.js
Review URL: https://chromiumcodereview.appspot.com/10575018
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11860 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-19 13:16:39 +00:00
yangguo@chromium.org
0a60da717b
Correctly resolve local var shadowing a context-allocated var in debugger.
...
R=ulan@chromium.org
BUG=131994
TEST=regress/regress-131994.js
Review URL: https://chromiumcodereview.appspot.com/10585002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11855 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-19 11:25:49 +00:00
verwaest@chromium.org
8b7b7f466f
Make sure we don't leak map transitions from AccessorPairs to the JavaScript world.
...
BUG=133211
TEST=test/mjsunit/regress/regress-133211.js
Review URL: https://chromiumcodereview.appspot.com/10559062
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11854 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-19 10:58:15 +00:00
mstarzinger@chromium.org
928a1bff32
Fix handling of numbers in SameValue method.
...
R=vegorov@chromium.org
BUG=v8:2186
TEST=mjsunit/regress/regress-2186
Review URL: https://chromiumcodereview.appspot.com/10532198
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11853 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-18 14:21:29 +00:00
erikcorry
45c4cd26be
Avoid arbitrarily deep recursion in Array.sort.
...
BUG=v8:2185
Review URL: http://codereview.chromium.org/10561017
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11839 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-18 09:23:05 +00:00
yangguo@chromium.org
675d9b8a04
Add missing string length check in regexp engine.
...
R=erik.corry@gmail.com
BUG=v8:2172
TEST=regress-2172.js
Review URL: https://chromiumcodereview.appspot.com/10536170
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11816 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-14 13:59:48 +00:00
mstarzinger@chromium.org
74ab92e0ac
Fix performance regression caused by r11202.
...
R=erik.corry@gmail.com
BUG=v8:2156,v8:2034
TEST=mjsunit/regress/regress-2156,mjsunit/regress/regress-2034
Review URL: https://chromiumcodereview.appspot.com/10539131
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11800 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-13 11:58:18 +00:00
erikcorry
5eb4baed65
Fix r11780 to avoid bugs where near branches are used to labels that are out of range.
...
Review URL: http://codereview.chromium.org/10542137
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11792 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-13 09:54:34 +00:00
erikcorry
afc9b8e9a9
Fix optimization of Unicode regexp with ASCII subject to respect repeat counts.
...
bug=131923
Review URL: http://codereview.chromium.org/10544093
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11754 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-11 11:18:04 +00:00
danno@chromium.org
a1d9aca22f
Fix EnsureCanContainElements to properly handle double values.
...
R=jkummerow@chromium.org
BUG=v8:2170
TEST=test/mjsunit/regress/regress-2170.js
Review URL: https://chromiumcodereview.appspot.com/10542084
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11751 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-11 08:41:48 +00:00
verwaest@chromium.org
a85f4e4226
ClearNonLiveTransitions has to hold on to non-map values.
...
This ensures that we don't accidentally throw away getters and/or setters that are still needed. To make sure the bug gets triggered, we have to construct a situation where the map is on the live side of a live->non-live transition. This ensures that the map is passed to ClearNonLiveTransitions.
BUG=v8:2163
TEST=test/mjsunit/regress/regress-2163.js
Review URL: https://chromiumcodereview.appspot.com/10535004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11713 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-05 11:36:57 +00:00
erik.corry@gmail.com
0a856e0bd7
Fix bug in __proto__ assignment transition cache where we forget the next enumeration index resulting in wrong iteration order.
...
Review URL: https://chromiumcodereview.appspot.com/10515006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11706 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-04 12:07:46 +00:00
rossberg@chromium.org
e4c472a7af
Implement correct checking for inherited readonliness on assignment.
...
Removes 6 out of 8 of our remaining unintentional failures on test262.
Also fixes treatment of inherited setters added after the fact.
Specifically:
- In the runtime, when looking for setter callbacks in the prototype chain,
also look for read-only properties. If one is found, reject (exception in
strict mode). If a proxy is found, invoke proper trap.
Note: this folds in the CanPut function from the spec and avoids an extra
lookup over the prototype chain.
- In generated code for stores, insert a test for the maps from the prototype
chain, but only up to the object where the property already exists (which
may be the object itself).
In Hydrogen, if the found property is read-only or not cacheable (e.g. a
proxy), bail out; in a stub, generate an unconditional miss (to get an
exception in strict mode).
- Add test cases and adapt existing test expectations.
R=mstarzinger@chromium.org
BUG=
TEST=
Review URL: https://chromiumcodereview.appspot.com/10388047
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11694 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-01 10:51:36 +00:00
svenpanne@chromium.org
39f88f1b26
Fixed JSObject::SetPropertyForResult (issue 2153)
...
AccessorPairs containing only holes are maps were handled incorrectly.
BUG=v8:2153
TEST=mjsunit/regress/regress-2153.js
Review URL: https://chromiumcodereview.appspot.com/10453054
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11672 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-05-29 12:42:22 +00:00
svenpanne@chromium.org
ff216c9cea
Re-land: Use map transitions when defining accessor properties.
...
This is basically r11496, with the following changes:
* Set back pointers in maps (cherry-picked from r11528)
* Fixed size calculation in CopyInsert, as proposed by mstarzinger/rossberg
* DefineFastAccessor uses GetCallbackObject instead of GetValue (for __proto__)
* Put the code under a new flag, which is disabled by default
* Cut down the corresponding regression test
* Adapted bootup memory test, we actually only need a bit more memory on 64bit without snapshots, which can easily be explained by more live maps lying around. Note that the snapshot variants are back to their previous limits.
Next steps: Investigate any performance degradations with the flag enabled, and finally remove the flag when things are OK. Furthermore, GetCallbackObject should be merged into GetValue, the distinction is confusing and error-prone.
Review URL: https://chromiumcodereview.appspot.com/10445009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11651 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-05-24 10:40:24 +00:00
danno@chromium.org
9910edbb9a
Implement tracking and optimizations of packed arrays
...
R=jkummerow@chromium.org
TEST=jkummerow@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10170030
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11636 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-05-23 14:24:29 +00:00
ulan@chromium.org
15b796bec8
Disable optimization for functions that have scopes that cannot be reconstructed from the context chain.
...
BUG=v8:2071
TEST=mjsunit/regress/regress-2071.js
Review URL: https://chromiumcodereview.appspot.com/10388164
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11592 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-05-18 13:06:16 +00:00
yangguo@chromium.org
81720ffe84
Amend regression test.
...
R=rossberg@chromium.org
BUG=128146
TEST=
Review URL: https://chromiumcodereview.appspot.com/10382196
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11580 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-05-16 12:26:11 +00:00
yangguo@chromium.org
62b35e2174
Add missing test for transcendental functions.
...
BUG=
TEST=
Review URL: https://chromiumcodereview.appspot.com/10389169
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11579 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-05-16 11:15:30 +00:00
yangguo@chromium.org
ec1fc618ff
Revert r11496.
...
CL being reverted: https://chromiumcodereview.appspot.com/10238005
BUG=128146
TEST=regress-128146
Review URL: https://chromiumcodereview.appspot.com/10386166
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11578 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-05-16 11:07:54 +00:00
danno@chromium.org
7966fb3d8c
Always transition empty FAST_DOUBLE_ARRAYs on push
...
R=mstarzinger@chromium.org
BUG=chromium:128018
TEST=test/mjsunit/regress/regress-128018.js
Review URL: https://chromiumcodereview.appspot.com/10387130
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11570 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-05-15 16:17:53 +00:00
danno@chromium.org
159ee25bbf
Properly set ElementsKind of empty FAST_DOUBLE_ELEMENTS arrays when transitioning.
...
R=jkummerow@chromium.org
BUG=chromium:117409
TEST=test/mjsunit/regress/regress-117409.js
Review URL: https://chromiumcodereview.appspot.com/10386045
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11533 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-05-09 15:18:50 +00:00
erik.corry@gmail.com
681f2951c6
Regexp: Fix overflow in min-match-length calculation. Crbug=126412.
...
Review URL: https://chromiumcodereview.appspot.com/10384053
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11525 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-05-08 12:18:08 +00:00
jkummerow@chromium.org
63263a9aa9
Fix unsigned-Smi check in MappedArgumentsLookup
...
BUG=126414
TEST=mjsunit/regress/regress-crbug-126414
Review URL: https://chromiumcodereview.appspot.com/10375033
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11518 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-05-07 10:05:39 +00:00
yangguo@chromium.org
b42ab19d2e
Modify two regression tests to actually fail when failing.
...
BUG=
TEST=regress-1639, regress-1639-2
Review URL: https://chromiumcodereview.appspot.com/10315009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11493 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-05-03 11:52:56 +00:00
danno@chromium.org
908e77a53a
Ensure reload of elements pointer in StoreFastDoubleElement stub.
...
R=mstarzinger@chromium.org
TEST=test/mjsunit/regress/regress-125515.js
BUG=chromium:125515
Review URL: https://chromiumcodereview.appspot.com/10260014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11479 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-05-02 09:58:42 +00:00
jkummerow@chromium.org
f6dacfe83a
Fixed corner cases in truncation behavior when storing to TypedArrays.
...
Also simplified ia32 KeyedStoreStubCompiler::GenerateStoreExternalArray a bit.
BUG=v8:2110
TEST=mjsunit/regress/regress-2110
Review URL: https://chromiumcodereview.appspot.com/10260011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11472 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-30 15:17:59 +00:00
mstarzinger@chromium.org
b54ca31fb2
Fix LFastLiteral to check boilerplate elements kind.
...
Adds a missing check that the elements kind of the boilerplate object
still has the expected elements kind, unoptimized code can transition
the boilerplate. Corner cases might cause the optimized code to be
reentered again.
R=danno@chromium.org
TEST=mjsunit/regress/regress-fast-literal-transition
Review URL: https://chromiumcodereview.appspot.com/10254006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11470 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-30 14:59:13 +00:00
mstarzinger@chromium.org
21fc0fef6a
Fix deopted construct stub frame to contain code object.
...
R=danno@chromium.org
BUG=chromium:124594
TEST=mjsunit/regress/regress-124594
Review URL: https://chromiumcodereview.appspot.com/10155024
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11436 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-25 13:22:04 +00:00
mstarzinger@chromium.org
e3be59512a
Fix source property of empty RegExp objects.
...
R=rossberg@chromium.org
BUG=v8:1982
TEST=test262/15.10.4.1-5
Review URL: https://chromiumcodereview.appspot.com/10134010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11416 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-23 13:59:43 +00:00
rossberg@chromium.org
c8aea7a184
Put new global var semantics behind a flag until WebKit tests are cleaned up.
...
R=mstarzinger@chromium.org
BUG=
TEST=
Review URL: https://chromiumcodereview.appspot.com/10163003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11402 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-20 13:35:09 +00:00
mstarzinger@chromium.org
57739100f3
Fix missing GVN flag for new-space promotion.
...
R=vegorov@chromium.org
BUG=chromium:123919
TEST=mjsunit/regress/regress-123919
Review URL: https://chromiumcodereview.appspot.com/10119016
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11382 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-19 07:49:11 +00:00
mstarzinger@chromium.org
47d07b8a7b
Fix fast array literals to ignore prototype chain.
...
This makes sure that boilerplate objects for array literals with
non-constant elements (which will contain the hole at non-constant
positions) will not cause prototype chain lookups when generating
optimized code.
R=erik.corry@gmail.com
BUG=chromium:123512
TEST=mjsunit/regress/regress-123512
Review URL: https://chromiumcodereview.appspot.com/10105025
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11350 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-17 11:12:37 +00:00
rossberg@chromium.org
62945585fd
Implement ES5 erratum: global declarations shadow inherited properties.
...
I also discovered that our treatment of const declarations is inconsistent
when inside a global eval under 'with' (i.e., when created by
DeclareContextSlots). That is,
var x;
eval("const x = 9")
and
var x;
eval("with({}) const x = 9")
differ (the former assigns 9, the latter throws). This appears to be an
oversight from earlier changes to our const semantics (the latter shouldn't
throw either). Fixing this is a separate issue, though (and one that doesn't
seem quite worthwhile).
R=mstarzinger@chromium.org
BUG=v8:1991,80591
TEST=
Review URL: https://chromiumcodereview.appspot.com/10067010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11333 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-16 13:20:50 +00:00
vegorov@chromium.org
69952d78af
Untabify test/mjsunit/regress/regress-119609.js.
...
TBR=kmillikin@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10067017
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11299 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-12 20:29:48 +00:00
vegorov@chromium.org
ec4c772746
Return LOOKUP variable instead of CONTEXT for non-context allocated outer scope parameters.
...
R=kmillikin@chromium.org
BUG=chromium:119609
TEST=test/mjsunit/regress/regress-119609.js
Review URL: https://chromiumcodereview.appspot.com/10010046
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11298 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-12 19:32:29 +00:00
jkummerow@chromium.org
14e181709b
Fix regular and ElementsKind transitions interfering with each other
...
R=danno@chromium.org
BUG=122271
TEST=mjsunit/regress/regress-crbug-122271
Review URL: https://chromiumcodereview.appspot.com/10038010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11286 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-12 12:30:32 +00:00
erikcorry
f90e665e9a
Ensure that a call to String.prototype.match with a
...
global regexp after a call to String.prototype.replace
with a function argument sets the last match info
correctly. Bug=2058
Review URL: http://codereview.chromium.org/10029009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11249 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-10 10:42:25 +00:00
danno@chromium.org
ed5d288ac1
Adjust stack limit again to avoid overflow on 64 bit windows
...
Also add additional stack check.
R=mstarzinger@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10006010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11238 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-05 14:01:39 +00:00
ulan@chromium.org
3861063018
Check for NaN in inlined versions of Math.min, Math.max.
...
R=danno@chromium.org
BUG=V8:2056
TEST=mjsunit/regress/regress-2056.js
Review URL: https://chromiumcodereview.appspot.com/10006008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11237 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-05 13:24:52 +00:00
danno@chromium.org
3c6f5774d2
Fix stack overflows on Windows x64.
...
R=mstarzinger@chromium.org
TEST=win 64 not red anymore
Review URL: https://chromiumcodereview.appspot.com/10008005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11236 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-05 12:32:35 +00:00
danno@chromium.org
7bd1274baa
Rollback 11231: Add regression test case for issue 2025.
...
TBR=ulan@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10006006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11232 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-05 08:35:32 +00:00
danno@chromium.org
db34072379
Add regression test case for issue 2025.
...
R=ulan@chromium.org
BUG=v8:2056
TEST=test/mjsunit/regress/regress-2056.js
Review URL: https://chromiumcodereview.appspot.com/10006004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11231 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-05 08:08:05 +00:00
mstarzinger@chromium.org
47aa3254c2
Fix rewriter to not treat throw as an expression.
...
Now we can correctly optimize top level code that contains a throw (or
return) as its last statement.
R=ulan@chromium.org
BUG=v8:2054
TEST=mjsunit/regress/regress-2054
Review URL: https://chromiumcodereview.appspot.com/9969146
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11224 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-04 13:41:05 +00:00
mstarzinger@chromium.org
7b59b1d5ac
Fix array boilerplate object transitioning.
...
Array literal boilerplate objects can be transitioned while existing
un-transitioned clones are still being populated. This adds a check that
prevents us from performing the same transition twice.
R=danno@chromium.org
BUG=v8:2055
TEST=mjsunit/regress/regress-2055
Review URL: https://chromiumcodereview.appspot.com/9950095
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11221 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-03 16:54:28 +00:00
danno@chromium.org
8dc9bc962f
Don't crash on stack overflow entering the debugger.
...
R=ager@chromium.org , sgjesse@chromium.org
BUG=chromium:119429
TEST= test/mjsunit/regress/regress-119429.js
Review URL: https://chromiumcodereview.appspot.com/9965101
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11219 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-03 13:45:56 +00:00
danno@chromium.org
d9437722da
Properly support shrinking arrays in CopyDictionaryToObjectElements.
...
R=mstarzinger@chromium.org
BUG=chromium:121407
TEST=test/mjsunit/regress/regress-121407.js
Review URL: https://chromiumcodereview.appspot.com/9968056
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11214 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-03 08:13:59 +00:00
mstarzinger@chromium.org
5798bc27aa
Fix hidden properties to ignore [[Extensible]].
...
The [[Extensible]] property prevented the very first hidden property
from being added. If any hidden property was added to the object before
preventing extension, adding subsequent hidden properties would have
succeeded, however.
R=svenpanne@chromium.org
BUG=v8:2034
TEST=mjsunit/regress/regress-2034
Review URL: https://chromiumcodereview.appspot.com/9844025
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11202 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-04-02 08:26:30 +00:00
vegorov@chromium.org
8360ec877e
Ensure that arguments object is materialized when deoptimizing from inlined function.
...
Lithium translation rebuilds hydrogen environments from scratch so we have to ensure that arguments object is correctly bound on function entry otherwise deoptimization will not materialize it.
This fix was implemented as part of r11109 and then reverted.
R=danno@chromium.org
BUG=v8:2045
TEST=test/mjsunit/regress/regress-2045.js
Review URL: https://chromiumcodereview.appspot.com/9963008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11194 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-03-30 13:22:39 +00:00
mstarzinger@chromium.org
552393c383
Add missing regression test for r11173.
...
R=svenpanne@chromium.org
BUG=chromium:12009
TEST=mjsunit/regress/regress-120099
Review URL: https://chromiumcodereview.appspot.com/9873027
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11180 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-03-28 15:17:14 +00:00
mstarzinger@chromium.org
057371da13
Fix polymorphic load on named fields.
...
This fixes polymorphic loads to correctly compare in-object offsets
instead of indices, because indices might coincide even though the
actual slot is different because of different instance sizes.
R=danno@chromium.org
BUG=v8:2030
TEST=mjsunit/regress/regress-2030,mjsunit/mirror-array
Review URL: https://chromiumcodereview.appspot.com/9864028
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11153 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-03-27 10:42:38 +00:00
erik.corry@gmail.com
6cb333cadf
Fix broken test.
...
Review URL: https://chromiumcodereview.appspot.com/9865019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11151 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-03-27 09:10:58 +00:00
erik.corry@gmail.com
bfb1e9e702
Fix edge case for case independent regexp character classes.
...
http://code.google.com/p/v8/issues/detail?id=2032
Review URL: https://chromiumcodereview.appspot.com/9860029
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11147 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-03-27 08:42:37 +00:00
ulan@chromium.org
a47d1c0714
Fix the return type of the date set methods.
...
Date set methods (setMinutes, setHours, etc.) should return the time value as a number instead of JSDate.
R=jkummerow@chromium.org
TEST=test/mjsunit/regress/regress-2027.js
Review URL: https://chromiumcodereview.appspot.com/9809010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11140 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-03-26 10:13:03 +00:00
jkummerow@chromium.org
4e405b6945
Fix missing write barrier in CopyObjectToObjectElements.
...
Passing the write barrier mode as a parameter does not make sense, as the elements kind specific copiers know best whether a write barrier is needed or not.
BUG=119926
TEST=mjsunit/regress/regress-crbug-119926
R=danno@chromium.org
Review URL: https://chromiumcodereview.appspot.com/9808111
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11134 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-03-25 15:16:06 +00:00
danno@chromium.org
8833c99552
Check double array bounds in HasElementImpl.
...
R=jkummerow@chromium.org
BUG=chromium:119925
TEST=test/mjsunit/regress/regress-119925.js
Review URL: https://chromiumcodereview.appspot.com/9808110
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11133 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-03-25 14:21:51 +00:00
mstarzinger@chromium.org
79a98de9f7
Fix declarations escaping global strict eval.
...
According to ES5 10.4.2(3), eval calls of strict code always require
their own lexical and variable environment. For now we just add a new
scope when we parse the strict mode directive. The clean solution would
be to always have this scope present (even for global eval calls) and
adapt variable binding to cope with that.
R=rossberg@chromium.org
BUG=v8:1624
TEST=mjsunit/regress/regress-1624,test262/S10.4.2.1_A1
Review URL: https://chromiumcodereview.appspot.com/9703021
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11057 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-03-15 13:02:21 +00:00
mstarzinger@chromium.org
2c7f0edd48
Fix wrapping of receiver for non-strict callbacks.
...
R=rossberg@chromium.org
BUG=v8:1973
TEST=mjsunit/regress/regress-1973
Review URL: https://chromiumcodereview.appspot.com/9705020
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11050 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-03-14 17:42:19 +00:00
rossberg@chromium.org
46001aa54c
Function declarations shall not overwrite read-only global properties.
...
R=mstarzinger@chromium.org
BUG=115452
TEST=mjsunit/regress/regress-115452
Review URL: https://chromiumcodereview.appspot.com/9696035
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11043 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-03-14 13:51:00 +00:00
kmillikin@chromium.org
7d6fd56fd5
Ensure there is a smi check of the receiver for global load and call ICs.
...
There was a comment that, for such ICs specialized to the global object,
they were always contextual loads. This is very brittle. It is a
micro-optimization that relies too much on the way that things happen to
work today.
Instead, never omit the smi check because it's safer.
R=vegorov@chromium.org
BUG=117794
TEST=regress-117794.js
Review URL: https://chromiumcodereview.appspot.com/9691038
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11022 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-03-13 11:39:30 +00:00
yangguo@chromium.org
7659beafb1
Ensure consistency of Math.sqrt on Intel platforms.
...
BUG=
TEST=regress-sqrt.js
Review URL: https://chromiumcodereview.appspot.com/9690010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11012 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-03-12 14:56:04 +00:00
yangguo@chromium.org
13689a4f13
Set debug break slot at init of loop variable in a for loop.
...
BUG=102153
TEST=regress-102153.js
Review URL: https://chromiumcodereview.appspot.com/9625011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10963 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-03-08 10:21:43 +00:00
yangguo@chromium.org
67540abe08
Fix compile with debuggersupport=off.
...
BUG=
TEST=
Review URL: https://chromiumcodereview.appspot.com/9546051
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10952 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-03-07 10:57:36 +00:00
mstarzinger@chromium.org
8c2708de6d
Fix Error.prototype.toString to throw TypeError.
...
R=rossberg@chromium.org
BUG=v8:1980
TEST=mjsunit/function-call,mjsunit/regress/regress-1980
Review URL: https://chromiumcodereview.appspot.com/9568005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10922 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-03-05 13:57:48 +00:00
yangguo@chromium.org
f2699b66cf
Revert r10908 due to flakiness and crashes.
...
BUG=
TEST=
Review URL: https://chromiumcodereview.appspot.com/9580007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10909 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-03-02 15:00:52 +00:00
yangguo@chromium.org
12f2099993
Ensure consistent result of transcendental functions.
...
BUG=
TEST=regress-transcendental.js
Review URL: https://chromiumcodereview.appspot.com/9572009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10908 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-03-02 14:33:15 +00:00
mstarzinger@chromium.org
fb8eb04bfd
Implement inlining of constructor calls.
...
R=vegorov@chromium.org ,kmillikin@chromium.org
Review URL: https://chromiumcodereview.appspot.com/9304001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10849 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-02-28 09:05:55 +00:00
yangguo@chromium.org
32e2b0319e
Update break points set with partial file name after compile.
...
BUG=v8:1853
Review URL: https://chromiumcodereview.appspot.com/9460059
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10842 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-02-27 11:52:08 +00:00
yangguo@chromium.org
baabb87dae
Fix HConstant's hash function for smis on x64.
...
BUG=
TEST=
Review URL: https://chromiumcodereview.appspot.com/9466003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10820 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-02-24 10:59:12 +00:00
yangguo@chromium.org
671084074d
Lazy removal of dead HValues in GVN from use lists.
...
BUG=v8:1969
TEST=regress/regress-1969
Review URL: https://chromiumcodereview.appspot.com/9455011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10812 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-02-23 13:59:35 +00:00
vegorov@chromium.org
f5c8ac9839
On ia32 LFunctionLiteral instruction should get context from esi register instead of stack slot.
...
This makes LFunctionLiteral safe even when it is used from inside inlined function.
All other architectures were implementing LFunctionLiteral correctly.
R=mstarzinger@chromium.org
TEST=test/mjsunit/regress/regress-inlining-function-literal-context.js
Review URL: https://chromiumcodereview.appspot.com/9425061
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10778 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-02-21 12:10:04 +00:00
mstarzinger@chromium.org
e423637898
Fix sequence of element access in array builtins.
...
R=rossberg@chromium.org
BUG=v8:1790
TEST=mjsunit/regress/regress-1790,test262/15.4.4.22-9-9
Review URL: https://chromiumcodereview.appspot.com/9419044
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10737 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-02-17 10:06:26 +00:00
yangguo@chromium.org
cc2780403a
Ensure using byte registers for byte instructions on ia32 and x64.
...
BUG=v8:1945
TEST=regress-1945.js
Review URL: https://chromiumcodereview.appspot.com/9418005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10719 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-02-16 12:48:02 +00:00
yangguo@chromium.org
01e46b955f
Initialize internal arrays with the correct map.
...
BUG=v8:1878
TEST=regress-1878.js
Review URL: https://chromiumcodereview.appspot.com/9402009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10712 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-02-15 13:45:42 +00:00
danno@chromium.org
71cd77e22c
Fix crashing bugs in store-and-grow IC for double values.
...
R=jkummerow@chromium.org
BUG=chromium:113924
TEST=test/mjsunit/regress/regress-113924.js
Review URL: https://chromiumcodereview.appspot.com/9365055
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10706 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-02-14 15:09:49 +00:00
yangguo@chromium.org
3e58827710
Fix elements transition bug related to array.concat.
...
BUG=
TEST=
Review URL: https://chromiumcodereview.appspot.com/9358018
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10629 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-02-08 09:50:13 +00:00
lrn@chromium.org
f0a87d7c34
Fix handling of 'c: if (0) break c; else ()' where a parser optimization
...
leaves a trailing ";" after removing the break.
Review URL: https://chromiumcodereview.appspot.com/9159043
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10628 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-02-08 08:40:11 +00:00
ulan@chromium.org
8093e397e4
Do not ignore an empty context with extension when creating a scope object.
...
Runtime_DebugEvaluate creates an empty context which is not correctly handled in FullCodeGenerator::ContextSlotOperandCheckExtensions because the corresponding scope indicates that it has no context.
BUG=crbug.com/107996
TEST=test/mjsunit/regress/regress-crbug-107996.js
Review URL: https://chromiumcodereview.appspot.com/9310027
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10582 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-02-02 09:35:12 +00:00
mstarzinger@chromium.org
5dc4859fa4
Fix test case to correctly check expected result.
...
R=vegorov@chromium.org
TEST=mjsunit/regress/regress-1229
Review URL: https://chromiumcodereview.appspot.com/9303032
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10566 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-01-31 12:31:24 +00:00
vegorov@chromium.org
67d72eab45
When preparing heap for breakpoints make sure not to flush away non-optimized code for inlined functions.
...
Debug::PrepareForBreakPoints was not fully populating active_functions list.
R=erik.corry@gmail.com
TEST=test/mjsunit/regress/regress-debug-code-recompilation.js
Review URL: https://chromiumcodereview.appspot.com/9290013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10503 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-01-25 15:11:59 +00:00
vegorov@chromium.org
04289e8d17
Support inlining at call-sites with mismatched number of arguments.
...
Review URL: https://chromiumcodereview.appspot.com/9265004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10483 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-01-24 08:43:12 +00:00
vegorov@chromium.org
704c92ce95
Ensure that LRandom restores rsi after call to the C function on x64.
...
R=ulan@chromium.org
BUG=http://crbug.com/110509
TEST=test/mjsunit/regress/regress-110509.js
Review URL: https://chromiumcodereview.appspot.com/9265003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10434 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-01-19 08:43:34 +00:00
yangguo@chromium.org
ddc0144490
Fixing issue 1898 (using HChange outside the insert-representation-changes phase).
...
BUG=v8:1898
TEST=mjsunit/regress/regress-1898.js
Review URL: http://codereview.chromium.org/9190047
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10396 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-01-13 07:48:44 +00:00
vegorov@chromium.org
c4d3a110a2
Adjust position recorded for call expressions.
...
For calls of the form ident(...) record position of the identifier as the position of the call. For other calls record positions of the opening parenthesis.
This guarantees that for expressions of the form function(){}() call position will not intersect with positions recorded for function literal which is used by the debugger for scope chain resolution.
R=kmillikin@chromium.org
BUG=http://crbug.com/109195
TEST=test/mjsunit/regress/regress-109195.js
Review URL: http://codereview.chromium.org/9125001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10350 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-01-06 10:26:17 +00:00
danno@chromium.org
f648626eb9
Reland 10309: Ensure large Smi-only arrays don't transition to FAST_DOUBLE_ARRAY
...
TBR=jkummerow@chromium.org
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/9051014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10311 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-12-30 14:28:14 +00:00
danno@chromium.org
5d85a04472
Rollback 10309
...
TBR=jkummerow@chromium.org
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/8968042
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10310 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-12-30 13:42:21 +00:00
danno@chromium.org
dff0e36d2d
Ensure large Smi-only arrays don't transition to FAST_DOUBLE_ARRAY
...
BUG=v8:1849
TEST=test/mjsunit/regress/regress-1849.js
Review URL: http://codereview.chromium.org/8968028
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10309 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-12-30 12:54:23 +00:00
danno@chromium.org
aa38094bf0
Ensure that InternalArrays remain InternalArrays regardless of how they are constructed.
...
R=whesse@chromium.org
BUG=v8:1878
TEST=test/mjsunit/regress/regress-1878.js
Review URL: http://codereview.chromium.org/9016041
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10306 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-12-27 15:12:12 +00:00
vegorov@chromium.org
3947056c03
Avoid embedding new space objects into code objects in the lithium gap resolver.
...
R=danno@chromium.org
BUG=http://crbug.com/108296
TEST=test/mjsunit/regress/regress-108296.js
Review URL: http://codereview.chromium.org/8960004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10301 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-12-23 10:39:01 +00:00
mstarzinger@chromium.org
04f0e33229
Fix handling of foreign callbacks in DefineOwnProperty.
...
We use foreign callbacks to make some properties shadow internal values
but still behave as data properties from within JavaScript. This means
when a value is passed to Object.defineProperty() on such a property,
it should update the internal value instead of redefining the property
and destroying the shadowing.
R=rossberg@chromium.org
BUG=v8:1530
TEST=mjsunit/regress/regress-1530,test262/S15.3.3.1_A4
Review URL: http://codereview.chromium.org/8996008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10279 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-12-20 08:49:51 +00:00
jkummerow@chromium.org
91efb313eb
Fix crash in d8 when external array ctor hits stack overflow
...
BUG=100859
TEST=mjsunit/regress/regress-crbug-100859
Review URL: http://codereview.chromium.org/8898021
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10242 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-12-13 13:51:58 +00:00
vegorov@chromium.org
a457040ca6
Ensure that non-optimized code objects are not flushed for inlined functions.
...
Collector was flushing them if optimized code was reachable only through the stack (not through the JSFunction object) which happens when you have a pending lazy deoptimization.
Also prevent v8::Script::New from leaking internal objects allocated by the compiler into outer HandleScope.
R=kmillikin@chromium.org
BUG=http://crbug.com/97116
TEST=test/mjsunit/regress/regress-97116.js
Review URL: http://codereview.chromium.org/8888011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10215 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-12-08 16:07:07 +00:00
yangguo@chromium.org
929c619101
Quickfix for DoMathPowHalf.
...
TEST=regress-397.js
Review URL: http://codereview.chromium.org/8769037
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10140 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-12-02 13:16:49 +00:00
lrn@chromium.org
ebccde15bc
Don't preparse large files to find boundaries of lazy functions.
...
Instead use the preparser inline to parse only the lazy function
bodies.
This is still disabled for small files.
More measurements are needed to determine if lazy-compiling small
sources is worth it.
Review URL: http://codereview.chromium.org/8662037
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10066 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-11-25 09:36:31 +00:00