Commit Graph

1822 Commits

Author SHA1 Message Date
ricow@chromium.org
34eeb88ee4 Use ForceSetObjectProperty in DefineOrRedefineDataProperty (fixes crbug 72736).
The current version uses SetObjectProperty which will not set the
value in case this is a readonly property. The spec explictly says
that a configurable but non writable property can have its value
changed with Object.defineProperty (because the same thing can be
accomplished by doing 3 calls (set writable to true, update the value,
set writable to false).


Review URL: http://codereview.chromium.org/6518004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6766 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-14 10:43:21 +00:00
ricow@chromium.org
6d9fde492c Do not allow calls to SetProtoType on functions that should not have a prototype (fixes issue 1151)
Review URL: http://codereview.chromium.org/6518003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6765 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-14 09:37:56 +00:00
ricow@chromium.org
46bde305b5 Add support for the global object in Object.keys (fixes issue 1150)
We do not currently handle the case where the JSGlobalProxy is passed
as argument to LocalKeys in runtime.cc.

Review URL: http://codereview.chromium.org/6516008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6762 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-14 07:49:13 +00:00
mmaly@chromium.org
e0be3072b5 Implement assignment to undefined reference in ES5 Strict Mode.
Strict mode assignment to undefined reference.
Simple assignments (x = <value>) use CODE_TARGET_CONTEXT.
StoreIC stores its own strictness in extra_ic_state.
The strcitness is propagated as further ic stubs are generated.

Details:
* ReferenceError on assignment to non-resolvable reference in strict mode.
* Fix es5conform test expectation file.
* Add es5conform test suite into .gitignore.
* Fix Xcode project.
* Change implemented in virtual frame code generator, as well as full-codegen
  for all architectures.
* Fix debugger test.
* Fix comment for CODE_TARGET_CONTEXT
* Implement remaining StoreIC stubs to be strict mode aware.
* Trace extra_ic_state() for ic code stubs.

Code Review URL: http://codereview.chromium.org/6474026/

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6760 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-13 16:19:53 +00:00
mmaly@chromium.org
3f4701df7f Revert r6756. Check failed on V8 arm - debug - crankshaft.
Need to investigate.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6757 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-11 23:25:07 +00:00
mmaly@chromium.org
fd6338bdda Implement assignment to undefined reference in ES5 Strict Mode.
Strict mode assignment to undefined reference.
Simple assignments (x = <value>) use CODE_TARGET_CONTEXT.
StoreIC stores its own strictness in extra_ic_state.
The strcitness is propagated as further ic stubs are generated.

Details:
* ReferenceError on assignment to non-resolvable reference in strict mode.
* Fix es5conform test expectation file.
* Add es5conform test suite into .gitignore.
* Fix Xcode project.
* Change implemented in virtual frame code generator, as well as full-codegen
  for all architectures.
* Fix debugger test.
* Fix comment for CODE_TARGET_CONTEXT
* Implement remaining StoreIC stubs to be strict mode aware.
* Trace extra_ic_state() for ic code stubs.

Code Review URL: http://codereview.chromium.org/6474026/

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6756 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-11 21:39:59 +00:00
antonm@chromium.org
e96c24bf03 Properly treat exceptions thrown while compiling.
BUG=v8:1132
TEST=test/mjsunit/regress/regress-1132.js

Review URL: http://codereview.chromium.org/6487021

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6754 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-11 14:26:56 +00:00
lrn@chromium.org
fdfbdfbcf5 Fix typo in ASSERT in object-verifier for RegExp.
BUG=v8::1129
TEST=test/mjsunit/regress/regress-1129.js

Review URL: http://codereview.chromium.org/6476027

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6735 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-10 16:43:01 +00:00
ricow@chromium.org
512a02764f X64: Add DoCallNamed, DoContext, DoCallGlobal, and DoLoadFunctionPrototype lithium instructions.
Review URL: http://codereview.chromium.org/6471025

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6734 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-10 16:33:01 +00:00
antonm@chromium.org
ab24485760 Bypass JS accessors when building error array.
In the presence of JS accessors for elements on Object.prototype JSArray::SetFastElement
may throw or its behaviour can be altered.  Instead operate on plain FixedArrays and
turn them into JSArry later.

BUG=v8:1130
TEST=test/mjsunit/regress/regress-1130.js

Review URL: http://codereview.chromium.org/6481001

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6730 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-10 15:02:13 +00:00
antonm@chromium.org
5d3430a509 Fix forging of object's identity hashes.
Do not do standard property lookup on hidden properties object as it might
reach Object.prototype which can be altered to forge identity hashes.
Instead do only local lookup.

Review URL: http://codereview.chromium.org/6472001

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6728 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-10 14:09:52 +00:00
fschneider@chromium.org
5b753cecb6 Check holder before optimizing calls to global functions.
In the case where the function is not found in the global object,
we have to generate a generic call.

BUG=v8:1106
TEST=mjsunit/regress/regress-1106.js

Review URL: http://codereview.chromium.org/6483010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6727 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-10 12:33:51 +00:00
vegorov@chromium.org
49adfd0f0a Bailout from PrepareSlowElementsForSort when hiting a key outside of smi-range.
BUG=v8:1131
TEST=test/mjsunit/regress/regress-1131.js

Review URL: http://codereview.chromium.org/6469006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6726 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-10 12:33:34 +00:00
danno@chromium.org
1bd9f602be Implement crankshaft support for pixel array loads.
Review URL: http://codereview.chromium.org/6410112

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6725 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-10 12:02:36 +00:00
mikhail.naganov@gmail.com
12e62e7154 Shorten constructor names in JS tickprocessor.
As they are no more used in DevTools profiler, there is no
need to prefix them with "devtools.profiler" namespace.

Review URL: http://codereview.chromium.org/6456025

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6712 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-10 07:47:28 +00:00
antonm@chromium.org
2f17f3e5d7 Do not invoke any setters when forming stack trace JS object.
Review URL: http://codereview.chromium.org/6463022

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6709 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 19:34:04 +00:00
antonm@chromium.org
47a22dcecd Reapply http://code.google.com/p/v8/source/detail?r=6555
Compare JSObjects by identity immediately.

When invoking EQUALS JS builtin, 1st argument is passed as a receiver and
if it's a global object, it gets overwritten with global proxy object and
thus one gets incorrect results.

BUG=v8:1082

TBR=ricow@chromium.org

Review URL: http://codereview.chromium.org/6461028

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6708 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 19:09:26 +00:00
kmillikin@chromium.org
dc91c4218b Make optimized Function.prototype.apply safe for non-JSObject first arguments.
If we have a property access of the form this.x, where the access site sees
the global object, we can specialize the IC stub so that it performs a map
check without first performing a heap object check.

Ensure that we do not get in JS code with a non-JSObject this value by
deoptimizing at Function.prototype.apply if the first argument is not a
JSObject.

BUG=v8:1128

Review URL: http://codereview.chromium.org/6463025

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6707 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 16:43:23 +00:00
whesse@chromium.org
0fb5a1fd1a Add a regression test for issue 1106, optimized access to the prototype chain of the global object.
Review URL: http://codereview.chromium.org/6459023

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6705 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 15:50:39 +00:00
lrn@chromium.org
d358e2ecd3 Fix incorrect asserts in scanner.
BUG=v8::1126
TEST=test/mjsunit/regress/regress-1126.js

Review URL: http://codereview.chromium.org/6459021

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6701 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 14:16:25 +00:00
floitschV8@gmail.com
96c4f62b73 Add two tests to strtod.
Review URL: http://codereview.chromium.org/6461018

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6700 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 14:12:31 +00:00
whesse@chromium.org
afec61e870 Fix typo in r6697: Use assertThrows correctly in the added test regress-1122.js.
Review URL: http://codereview.chromium.org/6460030

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6698 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 13:16:40 +00:00
whesse@chromium.org
602d5cf427 Fix a bug that occurs when functions are defined with more than 16,382 parameters.
Review URL: http://codereview.chromium.org/6447007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6697 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 12:46:22 +00:00
fschneider@chromium.org
eec7bc8e60 Change the code for materializing double constants on ia32.
Instead of using the stack, use a temporary integer register
and avoid memory access.

Review URL: http://codereview.chromium.org/6452002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6696 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 12:39:15 +00:00
kmillikin@chromium.org
991a1cae12 Fix an assertion failure in stack trace construction.
When constructing stack traces we interpret the deoptimization data for
optimized frames to find the receiver value.  This value could sometimes be
eliminated from the deoptimization data if we though it was unused.

BUG=v8:1118

Review URL: http://codereview.chromium.org/6465023

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6694 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 11:45:50 +00:00
antonm@chromium.org
d724993138 Use GC-safe version when setting elements.
BUG=1125
TEST=test/mjsunit/regress/regress-1125.js

Review URL: http://codereview.chromium.org/6463001

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6693 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-09 11:38:10 +00:00
antonm@chromium.org
cf30cefda7 Check if Array.prototype.__proto__ has been reset to null.
BUG=v8:1121
TEST=test/mjsunit/regress/regress-1121.js

Review URL: http://codereview.chromium.org/6454004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6691 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 19:56:44 +00:00
antonm@chromium.org
0273e8185b Propagate exceptions thrown when setting elements.
Plus use more robust path when formatting messages---work
directly with fixed arrays.

BUG=v8:1107
TEST=test/mjsunit/getter-in-prototype.js,test/mjsunit/regress/regress-1107.js

Review URL: http://codereview.chromium.org/6451004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6689 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 19:42:14 +00:00
antonm@chromium.org
da8b72f2b8 1) Return failure if any of property sets failed;
2) We cannot assert the declared property will go to the extension in the presence of callbacks and interceptors.

BUG=1119
TEST=test/mjsunit/regress/regress-1119.js

Review URL: http://codereview.chromium.org/6454011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6687 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 19:04:17 +00:00
ager@chromium.org
096c21522b Fix wrong assumption in parser that parsing a function literal cannot throw an exception.
Review URL: http://codereview.chromium.org/6453009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6686 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 18:46:13 +00:00
ager@chromium.org
8c6c273236 Fix issues with using defineProperty on the global proxy object.
Review URL: http://codereview.chromium.org/6452004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6683 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 16:31:58 +00:00
ricow@chromium.org
f64966085e x64: Add MulI and DivI to lithium instructions.
Review URL: http://codereview.chromium.org/6448001

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6681 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 14:37:50 +00:00
lrn@chromium.org
2f32f27e8f Correct propagation of exceptions from setters.
BUG=v8:1105
TEST=test/mjsunit/regress/regress-1105.js

Review URL: http://codereview.chromium.org/6451003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6680 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 14:04:27 +00:00
kmillikin@chromium.org
bf3c3eb9cb Fix a possible duplicate AST ID for deoptimization.
For redeclarations of variables that alias the parameters in functions
using arguments, we need to avoid re-visiting the shared variable
rewrite.

BUG=v8:1104

Review URL: http://codereview.chromium.org/6453004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6679 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 14:00:22 +00:00
ricow@chromium.org
20f2c1c98a Make sure that we do not call is_extensible on the global proxy.
When calling Object.isExtensible we did not do a check for the global
js proxy. This caused the check on the extensible bit on the map to
return true, even when the bit was set to false on the global js
object.


Review URL: http://codereview.chromium.org/6450003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6677 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 13:09:07 +00:00
ricow@chromium.org
81787f986b Make sure that we never call prevent extension on the global proxy,
but instead call this on the global object.

BUG: 1103

Review URL: http://codereview.chromium.org/6454001

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6675 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 12:41:16 +00:00
lrn@chromium.org
48fadffcc4 Fix bug in JSON.parse for objects containing "__proto__" as key.
It added the __proto__ key as a normal key, which made it visible
in enumeration, while reading still hit the hard-coded accessor.

Review URL: http://codereview.chromium.org/6451002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6674 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-08 11:38:15 +00:00
mmaly@chromium.org
2926151fdc Clean up es5conform.status per feedback.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6668 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-07 16:51:47 +00:00
ricow@chromium.org
7d530e1950 Re-insert exception for mozilla/ecma/Date/15.9.5.10-2 in release mode on arm
The last change to mozilla.status made the assumption that this test always finish on time when in release mode, but that is not the case on arm. This change just skips the test completely on arm.


Review URL: http://codereview.chromium.org/6250193

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6660 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-07 12:07:21 +00:00
ricow@chromium.org
0c52785f1e Remove exceptions for Function.prototype.bind from es5conform.status.
These exceptions are no longer valid since we do implement bind.

Review URL: http://codereview.chromium.org/6410116

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6657 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-07 08:34:42 +00:00
ricow@chromium.org
75df563bb8 Simplify exceptions for ecma/Date/15.9.5.10-2 in mozilla.status
We had a large number of different exceptions for this test in the
mozilla.status file - changing this to only one exception where we
allow fail and timeout in debug mode.

Review URL: http://codereview.chromium.org/6286143

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6656 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-07 08:34:33 +00:00
mmaly@chromium.org
6d5e9c88ba Fix es5conform.status expectation file.
The strict mode tests were disabled until now.
The propagation of strict mode flag into eval enabled them but there are
failures due to unimplemented features of strict mode, as well as some
incorrect tests in the suite.

TBR=ager@chromium.org, lrn@chromium.org

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6654 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-04 22:07:10 +00:00
peterhal@chromium.org
39957aa741 Issue 117 - strict mode and future reserved words
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6653 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-04 18:36:37 +00:00
mmaly@chromium.org
87233c49c8 Pass strict mode to eval.
Code review feedback.

Code Review URL: http://codereview.chromium.org/6286043/

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6652 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-04 18:15:49 +00:00
vegorov@chromium.org
10f715e3ff Restore context after LApplyArguments.
BUG=v8:1099
TEST=test/mjsunit/regress/regress-1099.js

Review URL: http://codereview.chromium.org/6246106

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6649 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-04 15:42:02 +00:00
whesse@chromium.org
47f425b490 Disable Mozilla date test that times out on X64 crankshaft.
BUG=1100
TEST=ecma/Date/15.9.5.10-2.js
Review URL: http://codereview.chromium.org/6246104

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6648 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-04 14:40:23 +00:00
lrn@chromium.org
19b734fd82 Fix potential overwriting of debug jumps of following code.
Add JSArrayLength, CallKnownFunction, and InstanceType operations.
Remove LadGlobal and StoreGlobal again (they fail).

Review URL: http://codereview.chromium.org/6347067

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6645 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-04 14:09:03 +00:00
antonm@chromium.org
aecb05354b Landing for Zaheer Ahmad.
Direct call api functions (arm implementation)

See: http://codereview.chromium.org/6170001/

Review URL: http://codereview.chromium.org/6286078

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6639 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-04 13:43:38 +00:00
sgjesse@chromium.org
84de496896 Implements DoubleToI on ARM. Refactor some VFP code at the same time and
fix the simulator behaviour.

BUG=none
TEST=added to cctest/test-assembler-arm.cc

Patch by Rodolph Perfetta from ARM Ltd.

Review URL: http://codereview.chromium.org/6368053


git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6629 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-04 07:08:50 +00:00
peterhal@chromium.org
c894b1f317 Fix bugs 992, 1083 and 1092
My previous patch added an assert which uncovered 1092 in the sputnik tests.
This patch adds the fix for 1092, which is to ensure that NormalizeProperties
does not get called for a JSGlobalProxy along all code paths.

Add sputnik tests to .gitignore.

BUG=
TEST=

Review URL: http://codereview.chromium.org/6286060

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6627 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-03 19:29:10 +00:00
antonm@chromium.org
710fbd2cfb Do proper security checks when accessing elements with getOwnPropertyDescriptor.
This extends logic applied to regular properties to elements.

Review URL: http://codereview.chromium.org/6246055

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6626 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-03 18:09:51 +00:00
whesse@chromium.org
1853458a39 Fix X64 Windows compilation.
Review URL: http://codereview.chromium.org/6312120

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6621 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-03 15:14:46 +00:00
ricow@chromium.org
a2aa84873e Add regression test for the deoptimizer immediately followed by gc bug.
In addition to the regression test I changed the gc-extension to take
a boolean flag specifying if compaction should be used (default is
false, existing tests will not change behaviour)

The regression test is disabled on arm and x64 with crankshaft
enabled. I made a bug to track this:
http://code.google.com/p/v8/issues/detail?id=1094


Review URL: http://codereview.chromium.org/6312118

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6619 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-03 13:47:27 +00:00
antonm@chromium.org
73348e83ea Fix array boundary error.
It made value of allowed_access_type[v8::ACCESS_KEYS] be a wild value.  On most of
platforms it was 0 and tests passed.  But on ARM (and on ia32 if you alter test a bit)
it could become true and hence allow enumeration of properties.

Review URL: http://codereview.chromium.org/6334089

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6618 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-03 13:30:22 +00:00
whesse@chromium.org
3a52b68447 Fix compilation on 64-bit Windows, update Visual Studio projects.
Review URL: http://codereview.chromium.org/6312119

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6617 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-03 13:29:10 +00:00
danno@chromium.org
a2fb4a12bb Create specialized code stubs for PixelArray loads.
Review URL: http://codereview.chromium.org/6287030

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6614 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-03 12:50:50 +00:00
whesse@chromium.org
fe67b206ca Fix X64 compilation on Windows.
Review URL: http://codereview.chromium.org/6334086

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6613 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-03 11:13:04 +00:00
antonm@chromium.org
0da3dc3e43 Properly process getOwnPropertyDescriptor for elements on global proxy object.
We need to go down to actual global object to perform those operations.

Review URL: http://codereview.chromium.org/6246054

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6612 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-03 10:19:41 +00:00
antonm@chromium.org
fed5622671 Better security checks when accessing named properties via Object.getOwnPropertyDescriptor.
Current approach returns undefined descriptor if caller is not granted v8::HAS_ACCESS.
If the caller has v8::HAS_ACCESS, for no JS accessors regular v8::GET_ACCESS check is
performed and value property of the descriptor is set to undefined if caller doesn't
have proper access.  For JS accessors both v8::GET_ACCESS and v8::SET_ACCESS are checked
and affect if getter and setter would be stored in the descriptor.

Review URL: http://codereview.chromium.org/6286020

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6592 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 17:44:29 +00:00
kmillikin@chromium.org
ca936dae9e More of the fix for V8 issue 1079.
The arguments property of functions, if we find an optimized frame for
the function, is always a freshly allocated object.  We never try to
find an existing arguments object.

Review URL: http://codereview.chromium.org/6349050

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6581 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 15:08:29 +00:00
erik.corry@gmail.com
0097f005fd Fix code generation bug on ARM in classic codegen.
Review URL: http://codereview.chromium.org/6246045

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6579 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 14:14:55 +00:00
lrn@chromium.org
2d15eb9a90 Fix bug in object literals with large array indexes as strings.
Review URL: http://codereview.chromium.org/6410028

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6577 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 14:02:58 +00:00
kmillikin@chromium.org
f1149734fc Partial fix for V8 issue 1079.
Record a safepoint with a deoptimization id for throw in optimized code.  We
don't seem to much care what the AST ID is because we will not be using it
for lazy deoptimization (throw doesn't return to the point of throw).  For
hygiene we use the actual ID of the throw expression.  Throw is no longer a
control-flow instruction, but it's followed by an unconditional abnormal
exit.  This is required to insert a simulate between the throw and the exit.

Make our optimized treatment of Function.prototype.apply act like a call and
have side effects.  This ensures that it will get a lazy deoptimization
environment.  Use that deoptimization ID in the safepoint for the call.

Deleting a property was also missing a deoptimization ID, though there was a
deoptimization environment assigned to the instruction.  Record the
environment and use the deoptimization ID at the safepoint.

Review URL: http://codereview.chromium.org/6250105

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 13:55:29 +00:00
ager@chromium.org
73a4ecfae1 A MessageObject is a purely internal object to hold information about
an error message that needs to be generated and reported. This change
hides all of the error information from JavaScript code so user
callbacks cannot get hold of it.

Review URL: http://codereview.chromium.org/6368051

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6574 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 13:31:52 +00:00
whesse@chromium.org
a5f94a4862 Fix Math.pow(-0, 0.5) and Math.pow(-0, -0.5). These are not equal to sqrt(-0) and 1/sqrt(-0). Add tests for these cases. Fixes V8 issue 1088.
BUG=1088
TEST=test/mjsunit/math-pow.js

Review URL: http://codereview.chromium.org/6368050

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6573 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 12:54:58 +00:00
vegorov@chromium.org
6751627615 Require typed input representation for HTypeof hydrogen instruction.
BUG=http://code.google.com/p/chromium/issues/detail?id=71647
TEST=test/mjsunit/regress/regress-71647.js

Review URL: http://codereview.chromium.org/6410025

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6566 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 09:52:57 +00:00
ricow@chromium.org
0dd951ee84 Revert revision 6555 as it causes win32 debug to fail.
Review URL: http://codereview.chromium.org/6349044

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6564 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-02 08:14:06 +00:00
peterhal@chromium.org
5ca89179d7 Revert "Fix bugs 992 and 1083"
This reverts commit 6561 as the new assert caused failures in sputnik.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6562 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-01 20:08:01 +00:00
peterhal@chromium.org
9c89aa6dd9 Fix bugs 992 and 1083
Fixes JS portion of DefineOwnProperty when there is
an existing property and the new descriptor is generic.

Makes code follow spec steps more closely.

Fixes typo for check for unchanged enumerable in step 6.

Adds regression tests.
Fixes errors in object-define-property test

Don't normalize the JSGlobalProxy. Gets webkit http/tests/security/xss-DENIED-defineProperty.html working.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6561 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-01 17:08:14 +00:00
antonm@chromium.org
32a631d8bc Compare JSObjects by identity immediately.
When invoking EQUALS JS builtin, 1st argument is passed as a receiver and
if it's a global object, it gets overwritten with global proxy object and
thus one gets incorrect results.

BUG=v8::1082

Review URL: http://codereview.chromium.org/6287018

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6555 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-01 13:29:37 +00:00
antonm@chromium.org
93f8e3d821 Temporary disable comparison of optimizability of code objects in some cases.
With crankshaft, a code object can change its optimizability: it can start as
optimizable code object, but later we can find out it was a bad idea to
optimize it.  Alas, currently we don't have a proper event to communicate
this back to logger.  Hence we temporary allow a code object to be viewed
as optimizable judging from logs while being unoptimizable judging from
heap traversal.

Review URL: http://codereview.chromium.org/6250054

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6553 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-01 12:39:02 +00:00
ager@chromium.org
471c0d2983 Avoid callbacks to user code during error formatting in a couple of
other situations.

Do not use overwritten Object.prototype.hasOwnProperty and
Array.prototype.pop. Do not use split and join in the error formatting
implementation. They are too big to control and their generality is
not needed.

Review URL: http://codereview.chromium.org/6287041

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6552 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-02-01 12:31:16 +00:00
mmaly@chromium.org
aa779b3842 Fix V8 bug 1084: allow "\0" in strict mode as valid escape sequence.
http://code.google.com/p/v8/issues/detail?id=1084

Code Review URL: http://codereview.chromium.org/6386014/

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6550 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-31 22:35:27 +00:00
antonm@chromium.org
a38a8ffab0 ArraySplice builtin should return empty array and not alter receiver if invoked with no arguments.
Review URL: http://codereview.chromium.org/6357025

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6540 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-31 14:54:53 +00:00
antonm@chromium.org
1023f569b9 Perform security checks before fetching the value in Object.getOwnPropertyDescriptor.
Review URL: http://codereview.chromium.org/6386022

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6539 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-31 13:49:15 +00:00
fschneider@chromium.org
4e7ddab6dc Fix a bug in the placement of minus-zero checks and in GVN.
1. The placement of checks for negative zero has to be computed after
all conversion instructions have been inserted. I separated the code
into its own phase.

2. GVN need to take instruction flags into account when comparing
instructions for redundancy.

Review URL: http://codereview.chromium.org/6260035

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6534 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-31 12:36:54 +00:00
ager@chromium.org
8198db7934 ARM: Add support for DoMathAbs with double inputs.
Adds vabs instruction to simulator, assembler, disassembler and tests.

BUG=none
TEST=Added to cctest.

Review URL: http://codereview.chromium.org/6366016

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6531 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-31 10:16:28 +00:00
kmillikin@chromium.org
78b9981b90 Revert "Add custom typed ICs for pixel array loads. "
This change caused failures in (out of bounds) keyed loads of strings.

TBR'd.

Review URL: http://codereview.chromium.org/6298019

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6528 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-28 15:07:04 +00:00
danno@chromium.org
afd0906204 Add custom typed ICs for pixel array loads.
Review URL: http://codereview.chromium.org/6323002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6526 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-28 14:06:20 +00:00
ager@chromium.org
f8b74a1541 Avoid using Function.prototype.call in a number of places in our
builtins files. We should always use %_CallFunction for a couple of
reasons: it cannot be overwritten and it does not wrap basic types in
wrapper objects.

Review URL: http://codereview.chromium.org/6349018

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6524 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-28 10:33:10 +00:00
sgjesse@chromium.org
579e711389 Fix test expectations from r6509
Review URL: http://codereview.chromium.org/6286011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6511 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-27 12:31:24 +00:00
sgjesse@chromium.org
3e811483f2 Change an invalid assert
BUG=v8:1079
Review URL: http://codereview.chromium.org/6332019

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6509 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-27 11:55:58 +00:00
ager@chromium.org
dc61921bbf Fix reintroduction of global variables that have been deleted.
Deletion of global properties puts 'the hole' in the global property
cell and updates the property details in the property dictionary with
the information that the property has been deleted. When setting
global properties that have been deleted in generated code we just
store the new value in the global property cell. This does not update
the property details in the property dictionary. Therefore, it looks
like the property is not there eventhough it was just reintroduced.

Perform 'the hole' checks in generated code for global property stores
and bail out of ICs and optimized code if storing to a property cell
that contains 'the hole'.

Review URL: http://codereview.chromium.org/6306014

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6508 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-27 08:35:39 +00:00
mmaly@chromium.org
d07f1d62ff Strict mode eval/arguments LHS.
Review URL: http://codereview.chromium.org/6335013/

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6503 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-26 19:21:46 +00:00
mmaly@chromium.org
55400c2454 Strict mode: function constructor tests.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6501 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-26 18:10:26 +00:00
ager@chromium.org
eb3970c822 Fix another message object leak.
Review URL: http://codereview.chromium.org/6269021

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6495 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-26 15:16:13 +00:00
sgjesse@chromium.org
17aa262ce5 ARM: Fix the test expectations
TBR=ager@chromium.org
Review URL: http://codereview.chromium.org/6253013

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6490 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-26 13:26:36 +00:00
sgjesse@chromium.org
26a8dc3818 ARM: Make the ARM hardware builder green
Fix a bug in the --debug-code alignment check in the C entry stub.

Don't force the --debug-code flag in the ARM disassembler tests. The framework does support passing flags and the test runner will when running tests in debug mode.

Skip some deserialization tests which crashes from time to time.
Review URL: http://codereview.chromium.org/6393007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6484 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-26 09:52:25 +00:00
mmaly@chromium.org
2b47762e3a Strict mode object property validation.
Review URL: http://codereview.chromium.org/6335010/

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6475 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-25 18:42:35 +00:00
mmaly@chromium.org
f5a2860534 Strict mode parameter validation.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6474 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-25 17:21:45 +00:00
kmillikin@chromium.org
9cfbb240a0 Update regression test.
With SVN r6465 (reverting changes to scopes), a regression test for
deleting parameter variables has to change to reflect a semantic
change.  It is now again possible to delete parameters from a function
that uses 'with' or 'try...catch'.

Review URL: http://codereview.chromium.org/6307014

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6466 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-25 13:32:36 +00:00
kmillikin@chromium.org
013860d42e Revert "Reapply change to with/arguments interaction."
Revert this change again.  Somewhat mysteriously we sometimes get empty
contexts that we do not expect in the context chain.

Review URL: http://codereview.chromium.org/6372013

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6465 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-25 13:01:45 +00:00
vitalyr@chromium.org
331b482332 Fix bug 1070: set correct holder for primitive checks.
Code generated for checks starting with primitive receivers skips one step
in the usual prototype checking algorithm, so the holder must always be set.

Not setting the holder did not cause an immediate failure because our
primitives have additional hidden prototypes before the real prototypes.
These extra objects in the chain usually contain no properties and so
allowed the right holders to be selected.

Review URL: http://codereview.chromium.org/6353014

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6459 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-25 12:21:03 +00:00
lrn@chromium.org
43d7951677 X64 Crankshaft: Added a bunch of operations.
Review URL: http://codereview.chromium.org/6366010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6455 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-25 11:30:47 +00:00
ager@chromium.org
d69ef26f7d Another fix for leaking error objects. User code can overwrite
ReferenceError.prototype.__proto__ which will make "error instanceof
Error" fail. However, the ReferenceError.prototype object itself
cannot be modified. Therefore, the error checks must check for
concrete error instances instead of only checking for Error.

Review URL: http://codereview.chromium.org/6388003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6450 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-25 08:48:59 +00:00
ricow@chromium.org
d5cab38a33 Add support for deoptimization on x64.
I did not take out the code relating to osr from the generate method
since this makes it easier to compare to ia32 (we will abort anyway when we hit the osr code so there should be no issues with having this in)
 

Review URL: http://codereview.chromium.org/6390001

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6449 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-25 07:57:56 +00:00
mmaly@chromium.org
8d79f3a788 Strict mode octal literals.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6446 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-24 18:13:18 +00:00
kmillikin@chromium.org
e01336c3dc Change conformance test expectations.
We now conform to ES5 by not deleting variables that occur in a scope
shadowed by with or eval.

Review URL: http://codereview.chromium.org/6376009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6445 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-24 15:18:49 +00:00
kmillikin@chromium.org
9c2d52eb0e Fix a bug in delete for lookup slots.
The function Runtime_LookupContext searches the context chain for a
LOOKUP slot and returns the object holding the slot.  It returned the
global context if the slot was not found or if it was found in a
function's context or arguments object.  This is not the correct
object to use for 'delete'.

Since this lookup function is only ever used when deleting LOOKUP
slots (those that have to go through a with or a scope with eval), it
is simply replaced with a Runtime_DeleteContextSlot function that does
the appropriate thing for all kinds of context lookups.

This fixes Chromium bug 70066.
http://code.google.com/p/chromium/issues/detail?id=70066

Review URL: http://codereview.chromium.org/6280013

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6442 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-24 14:03:30 +00:00
ager@chromium.org
b5151d118d Avoid calling overwritten toString methods for internal error
formatting. I missed a couple of places. Extracting the error object
check to a separate function.

Review URL: http://codereview.chromium.org/6304015

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6435 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-01-24 07:59:40 +00:00