Zapping is required since transition arrays contain weak references to maps: At the end of a GC cycle, ClearNonLiveTransitions removes references to dead maps from transition arrays. If a marked transition array with weak (dead) references is replaced by another transition array before the end of the GC cycle, dead references are not removed from the replaced transition array. If the replaced transition array is kept alive by a handle, marking will crash when trying to mark the first reference to a dead map.
Review URL: https://codereview.chromium.org/12987013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14063 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
If we find a property in the prototype-chain that we can overwrite, and
we have a transition, keep the holder in the lookup-result as the actual
holder. We will need it for the consistency-check in GenerateStoreField.
By directly checking the entire chain we avoid having to lazily bail out
to a copy of the miss stub while generating the Field Store IC.
Currently this CL disallows a normal non-receiver holder, given that
that would require a positive lookup + details verification to ensure
the property did not become read-only. This fixes the regressions in the
attached tests.
Review URL: https://chromiumcodereview.appspot.com/12810006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14061 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Port r14051 (e9140a92)
Original commit message:
(qua last week's TC39)
Specifically:
- Install Symbol constructor function on the global object.
- Adjust code generation for typeof.
- Remove IsSymbol built-in, IS_SYMBOL macro now defined using typeof.
- Remove hack that allowed symbols as constructor results, and some other special cases.
- Remove symbol_delegate and GetDelegate function.
- Extend ToBoolean stub to handle symbols.
- Extend ToNumber to return NaN on symbols.
- Poison symbol's toString function, and thereby ToString on symbols.
BUG=
Review URL: https://codereview.chromium.org/13007003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14058 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This is one step in the direction of fixing a range of small bugs in the array methods when dealing with non-standard element attributes.
Added tests exercising this behavior for shift and unshift.
For Proxies and Interceptors, the behavior of %GetArrayKeys is now to just return an interval, rather than trying to list all their indexed properties. In the Proxy case, this seems like the only way to avoid an observable difference between smart and non-smart array methods. For Interceptors, the usual case (in WebKit, anyway) is for them to have all indices in [0, length), so enumerating them won't be any better than simply iterating over that range.
Review URL: https://codereview.chromium.org/12653010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14057 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
(qua last week's TC39)
Specifically:
- Install Symbol constructor function on the global object.
- Adjust code generation for typeof.
- Remove IsSymbol built-in, IS_SYMBOL macro now defined using typeof.
- Remove hack that allowed symbols as constructor results, and some other special cases.
- Remove symbol_delegate and GetDelegate function.
- Extend ToBoolean stub to handle symbols.
- Extend ToNumber to return NaN on symbols.
- Poison symbol's toString function, and thereby ToString on symbols.
R=mstarzinger@chromium.org
BUG=v8:2158
Review URL: https://codereview.chromium.org/12957004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14051 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Previously we would only mark the slot that was added specifically for
this map, if there was a backpointer and the descriptor array was shared
via the backpointer. However, ConvertTransitionToMapTransition may break
this link after we marked the transitioned map, before we marked the
transitioning map. So the descriptor slots of the parent map won't get
recorded, and we potentially point to an old address of an already
relocated function.
BUG=chromium:196331
Review URL: https://chromiumcodereview.appspot.com/12836005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14027 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Two new methods are added to allow embedders to determine that execution
should be resumed at a particular point in the stack without being forced
to unwind all JS frames.
* V8::CancelTerminateExecution() -- When execution is terminated via a call
to V8::TerminateExecution(), this method can be called to clear the
termination exception so that the engine can continue to be used.
* TryCatch::HasTerminated() -- When a TryCatch has caught a termination
exception, HasTerminated() will return true to indicate it is valid to
call V8::ResumeExecution() if desired.
A test case is added to cctest/test-thread-termination.cc.
BUG=v8:2361
Patch from Andrew Paprocki <andrew@ishiboo.com>.
Review URL: https://chromiumcodereview.appspot.com/11142013
Patch from Andrew Paprocki <andrew@ishiboo.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14022 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Port r14001 (28443693)
Original commit message:
- Addition of a compiled hydrogen stub for KeyedStores.
- Inlining of "grow" stubs into OPTIMIZED_FUNCTIONs
- Addition of new "ignore OOB" ic stub that silently swallows out-of-bounds stores to external typed arrays.
- Addition of new "copy-on-write" ic stub that inlines allocation and copying operations for cow array
- New stub are generated with Crankshaft, so they are automatically inlined into OPTIMIZED_FUNCTIONs
BUG=
Review URL: https://codereview.chromium.org/12702012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14018 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
