This happens when a map A with no descriptors in fast_holey_elements
mode first gets some properties, making it share descriptor arrays with
a map B to which it transitions. Then map A transitions elements kind to
dictionary_elements in map C. C stores the empty_descriptor_array in its
own transition array. When adding a property to C, C transitions to D
and shares the descriptors. If D dies, a CNLT clears the transition
array of C, making the descriptor array of A (and thus also of B) shine
through. If a property is now added to an object in state C, it'll inherit
all the properties of A (and B). If those properties had high field indices,
we do not have a large enough backing store for the single newly added
property, and we'll write out of bounds.
BUG=chromium:151749
Review URL: https://chromiumcodereview.appspot.com/11017054
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12687 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This CL adds multiple things:
Transition arrays do not directly point at their descriptor array anymore, but rather do so via an indirect pointer (a JSGlobalPropertyCell).
An ownership bit is added to maps indicating whether it owns its own descriptor array or not.
Maps owning a descriptor array can pass on ownership if a transition from that map is generated; but only if the descriptor array stays exactly the same; or if a descriptor is added.
Maps that don't have ownership get ownership back if their direct child to which ownership was passed is cleared in ClearNonLiveTransitions.
To detect which descriptors in an array are valid, each map knows its own NumberOfOwnDescriptors. Since the descriptors are sorted in order of addition, if we search and find a descriptor with index bigger than this number, it is not valid for the given map.
We currently still build up an enumeration cache (although this may disappear). The enumeration cache is always built for the entire descriptor array, even if not all descriptors are owned by the map. Once a descriptor array has an enumeration cache for a given map; this invariant will always be true, even if the descriptor array was extended. The extended array will inherit the enumeration cache from the smaller descriptor array. If a map with more descriptors needs an enumeration cache, it's EnumLength will still be set to invalid, so it will have to recompute the enumeration cache. This new cache will also be valid for smaller maps since they have their own enumlength; and use this to loop over the cache. If the EnumLength is still invalid, but there is already a cache present that is big enough; we just initialize the EnumLength field for the map.
When we apply ClearNonLiveTransitions and descriptor ownership is passed back to a parent map, the descriptor array is trimmed in-place and resorted. At the same time, the enumeration cache is trimmed in-place.
Only transition arrays contain descriptor arrays. If we transition to a map and pass ownership of the descriptor array along, the child map will not store the descriptor array it owns. Rather its parent will keep the pointer. So for every leaf-map, we find the descriptor array by following the back pointer, reading out the transition array, and fetching the descriptor array from the JSGlobalPropertyCell. If a map has a transition array, we fetch it from there. If a map has undefined as its back-pointer and has no transition array; it is considered to have an empty descriptor array.
When we modify properties, we cannot share the descriptor array. To accommodate this, the child map will get its own transition array; even if there are not necessarily any transitions leaving from the child map. This is necessary since it's the only way to store its own descriptor array.
Review URL: https://chromiumcodereview.appspot.com/10909007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12492 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This implies that the return value of native getters is checked. The nice part
is that one can even see the name of the property in question in the abort
output when the check failed.
Under some circumstances even the return value of interceptors gets checked, but
I'm not 100% sure about this, because the interceptor code is basically tuned to
death.
The change seems to have very low overhead, so it might be feasible to keep this
check enabled unconditionally.
Review URL: https://chromiumcodereview.appspot.com/10918071
Patch from Sven Panne <svenpanne@chromium.org>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12446 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
- The global object has a reference to the current global scope chain.
Running a script adds to the chain if it contains global lexical declarations.
- Scripts are executed relative to a global, not a native context.
- Harmony let and const bindings are allocated to the innermost global context;
var and function still live on the global object.
(Lexical bindings are not reflected on the global object at all,
but that will probably change later using accessors, as for modules.)
- Compilation of scripts now needs a (global) context (previously only eval did).
- The global scope chain represents one logical scope, so collision tests take
the chain into account.
R=svenpanne@chromium.org
BUG=
Review URL: https://chromiumcodereview.appspot.com/10872084
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12398 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The order by name is maintained as secondary order by using unused bits in the property details.
This is preliminary work towards sharing descriptors arrays.
The change allows us
- to get rid of the LastAdded bits in the map, binding it to the number of valid descriptors for the given map
- to avoid resorting by enumeration index to create the cache
- (maybe in the future, depending on performance) to get rid of the enumeration cache altogether.
Although generally the number_of_descriptors equals the NumberOfOwnDescriptors in the current version, this is preliminary work towards sharing descriptors, where maps may have more descriptors than are valid for the map.
Review URL: https://chromiumcodereview.appspot.com/10879013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12385 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Safe operations are those that either do not observe unsignedness or have special support for uint32 values:
- all binary bitwise operations: they perform ToInt32 on inputs;
- >> and << shifts: they perform ToInt32 on left hand side and ToUint32 on right hand side;
- >>> shift: it performs ToUint32 on both inputs;
- stores to integer external arrays (not pixel, float or double ones): these stores are "bitwise";
- HChange: special support added for conversions of uint32 values to double and tagged values;
- HSimulate: special support added for deoptimization with uint32 values in registers and stack slots;
- HPhi: phis that have only safe uses and only uint32 operands are uint32 themselves.
BUG=v8:2097
TEST=test/mjsunit/compiler/uint32.js
Review URL: https://chromiumcodereview.appspot.com/10778029
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12367 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Highlights of this CL:
* Introduced a new opcode in the deoptimizer for a setter stub frame.
* Added a global setter stub for returning after deoptimizing a setter.
* We do not need special deopt support for getters, although the getter stub creates an internal frame. The normal machinery works just right for this case, although we generate a stack that can never occur during normal fullcode execution. If this hurts us one day, we can parameterize and reuse the setter deopt machinery.
Review URL: https://chromiumcodereview.appspot.com/10855098
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12328 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
in anticipation of the upcoming lexical global scope.
Mostly automatised as:
for FILE in `egrep -ril "global[ _]?context" src test/cctest`
do
echo $FILE
sed "s/Global context/Native context/g" <$FILE >$FILE.0
sed "s/global context/native context/g" <$FILE.0 >$FILE.1
sed "s/global_context/native_context/g" <$FILE.1 >$FILE.2
sed "s/GLOBAL_CONTEXT/NATIVE_CONTEXT/g" <$FILE.2 >$FILE.3
sed "s/GlobalContext/NativeContext/g" <$FILE.3 >$FILE
rm $FILE.[0-9]
done
R=mstarzinger@chromium.org
BUG=
TEST=
Review URL: https://chromiumcodereview.appspot.com/10832342
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12325 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Now a map points to a transition array which contains the descriptor array. The descriptor array is now immutable. The next step is to share the descriptor array with all back-pointed maps as long as there is a single line of extension. Maps that require a descriptor array but don't need transitions will still need a pseudo-empty transition array to contain the descriptor array.
Review URL: https://chromiumcodereview.appspot.com/10816005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12298 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Using insertion-sort won't have too much of an overhead for the short arrays for bootstrapping (which are probably snapshot anyway).
CopyAppendCallbackDescriptors was extending and sorting the array in a loop. By using an append that inserts at the right position we do not need to resort in each iteration.
Additionally remove Sort and rename SortUnchecked to Sort. The IsSortedNoDuplicates check is moved into InitializeDescriptor.
Review URL: https://chromiumcodereview.appspot.com/10808011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12136 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
AccessorPair related transitions are now also stored as single map links, simplifying the code that handles transitions. AccessorPairs can now be shared between descriptor arrays, since they can only be mutated after another transition anyway; during which the pair is copied before writing.
Review URL: https://chromiumcodereview.appspot.com/10784014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12097 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The LastAdded points to the descriptor that was last added to the array. From the descriptor we can deduce the NextEnumerationIndex. This allows us to quickly find the property that we are transitioning to, which is necessary for transition-intensive code, eg JSON parsing.
Review URL: https://chromiumcodereview.appspot.com/10695120
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12042 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
In this design maps contain descriptor arrays, which in turn can contain transition arrays. If transitions are needed when no descriptor array is present, a descriptor array without real descriptors is inserted just so it can point at the transition array.
The transition array does not contain details about the field it transitions to. In order to weed out transitions to FIELDs from CONSTANT_FUNCTION (what used to be MAP_TRANSITION vs CONSTANT_TRANSITION), the transition needs to be followed and the details need to be looked up in the target map. CALLBACKS transitions are still easy to recognize since the transition targets are stored as an AccessorPair containing the maps, rather than the maps directly.
Currently AccessorPairs containing a transition and an accessor are shared between the descriptor array and the transition array. This simplifies lookup since we only have to look in one of both arrays. This will change in subsequent revisions, when descriptor arrays will become shared between multiple maps, since transitions cannot be shared.
Review URL: https://chromiumcodereview.appspot.com/10697015
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11994 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Instead of overwriting non-live transitions with NULL_DESCRIPTORs, we remove them from the array by compacting the array (shifting live values to the left) and in-place trimming the array. If the final descriptor array contains no live values (only contained transitions which are now all cleared), we move bit_field3 back from the descriptor array to the map. The descriptor array itself will be collected in the next GC.
BUG=
TEST=
Review URL: https://chromiumcodereview.appspot.com/10575032
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11922 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
- Ensure that IsFound() is only used when not in combination with other
checks. To do so, the default type is NONEXISTENT rather than NORMAL;
and NotFound() also resets the type to NONEXISTENT.
- Use test methods rather than .type() == A_PROPERTY_TYPE.
Review URL: https://chromiumcodereview.appspot.com/10626004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11899 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The CompilationInfo record now saves a Zone, and the compiler pipeline
allocates memory from the Zone in the CompilationInfo. Before
compiling a function, we create a Zone on the stack and save a pointer
to that Zone to the CompilationInfo; which then gets picked up and
allocated from.
BUG=
TEST=
Review URL: https://chromiumcodereview.appspot.com/10534139
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11877 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This changes the compiler to be more aggressive about lazy compilation
of closures with non-trivial outer context. Compilation can only be
triggered with a valid outer context now. One exception is the debugger,
which can request compilation of arbitrary shared code, but it ensures
to trigger compilation only at points where no context is needed.
This relands r11782, r11783, r11790 and a minor fix.
R=ulan@chromium.org
TEST=mjsunit/debug-script-breakpoints-nested
Review URL: https://chromiumcodereview.appspot.com/10543141
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11866 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
- Fixed invalid memory access when reading enum-cache from descriptor array with elements transitions but 0 real descriptors.
- Fixed infinite recursion in the intrusive map iterator when visiting elements transitions.
- Properly cached non-fastmode elements transitions.
Review URL: https://chromiumcodereview.appspot.com/10565030
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11841 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This changes the compiler to be more aggressive about lazy compilation
of closures with non-trivial outer context. Compilation can only be
triggered with a valid outer context now. One exception is the debugger,
which can request compilation of arbitrary shared code, but it ensures
to trigger compilation only at points where no context is needed.
R=ulan@chromium.org
TEST=mjsunit/debug-script-breakpoints-nested
Review URL: https://chromiumcodereview.appspot.com/10538102
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11782 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This ensures that we don't accidentally throw away getters and/or setters that are still needed. To make sure the bug gets triggered, we have to construct a situation where the map is on the live side of a live->non-live transition. This ensures that the map is passed to ClearNonLiveTransitions.
BUG=v8:2163
TEST=test/mjsunit/regress/regress-2163.js
Review URL: https://chromiumcodereview.appspot.com/10535004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11713 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Removes 6 out of 8 of our remaining unintentional failures on test262.
Also fixes treatment of inherited setters added after the fact.
Specifically:
- In the runtime, when looking for setter callbacks in the prototype chain,
also look for read-only properties. If one is found, reject (exception in
strict mode). If a proxy is found, invoke proper trap.
Note: this folds in the CanPut function from the spec and avoids an extra
lookup over the prototype chain.
- In generated code for stores, insert a test for the maps from the prototype
chain, but only up to the object where the property already exists (which
may be the object itself).
In Hydrogen, if the found property is read-only or not cacheable (e.g. a
proxy), bail out; in a stub, generate an unconditional miss (to get an
exception in strict mode).
- Add test cases and adapt existing test expectations.
R=mstarzinger@chromium.org
BUG=
TEST=
Review URL: https://chromiumcodereview.appspot.com/10388047
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11694 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This is basically r11496, with the following changes:
* Set back pointers in maps (cherry-picked from r11528)
* Fixed size calculation in CopyInsert, as proposed by mstarzinger/rossberg
* DefineFastAccessor uses GetCallbackObject instead of GetValue (for __proto__)
* Put the code under a new flag, which is disabled by default
* Cut down the corresponding regression test
* Adapted bootup memory test, we actually only need a bit more memory on 64bit without snapshots, which can easily explained by more live maps lying around. Note that the snapshot variants are back to their previous limits.
Next steps: Investigate any performance degradationswith the flag enabled, and finally remove the flag when things are OK. Furthermore, GetCallbackObject should be merged into GetValue, the distinction is confusing and error-prone.
Review URL: https://chromiumcodereview.appspot.com/10445009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11651 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This makes back pointers in the map transition tree explicit by having
accurate back pointers throughout the lifetime of maps instead of
establishing and destroying back pointers before and after each marking
phase. This is a prerequisite for being able to clear map transitions
during incremental marking.
R=vegorov@chromium.org
BUG=v8:1465
Review URL: https://chromiumcodereview.appspot.com/10381053
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11528 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
AccessorPairs can now contain map transitions, which is similar to our current
handling of CONSTANT_FUNCTION/CONSTANT_TRANSITION, but generalized to a pair for
holding info about the getter and the setter. This way we can achieve map
sharing for objects with accessor properties, which is a prerequisite for making
them fast via inlining. We fall back to the previous way of handling accessor
properties when sharing is not possible or we don't handle a special case.
Note: When an exisiting accessor property is redefined we could in principle
move the AccessorPair out of the descriptor into the object itself (again just
like the way we do something similar for CONSTANT_FUNCTION/CONSTANT_TRANSITION),
but this would require a new property kind for holding a pair of values. Perhaps
we can implement this later, but for now this hopefully rare case is handled
like before, losing map sharing and potentially creating more maps than strictly
necessary.
Review URL: https://chromiumcodereview.appspot.com/10238005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11496 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Constructs the (generally cyclic) graph of module instance objects
and populates their exports. Any exports other than nested modules
are currently set to 'undefined' (but already present as properties).
Details:
- Added new type JSModule for instance objects: a JSObject carrying a context.
- Statically allocate instance objects for all module literals (in parser 8-}).
- Extend interfaces to record and unify concrete instance objects,
and to support iteration over members.
- Introduce new runtime function for pushing module contexts.
- Generate code for allocating, initializing, and setting module contexts,
and for populating instance objects from module literals.
Currently, all non-module exports are still initialized with 'undefined'.
- Module aliases are resolved statically, so no special code is required.
- Make sure that code containing module constructs is never optimized
(macrofy AST node construction flag setting while we're at it).
- Add test case checking linkage.
Baseline: http://codereview.chromium.org/9722043/R=svenpanne@chromium.org,mstarzinger@chromium.org
BUG=
TEST=
Review URL: https://chromiumcodereview.appspot.com/9844002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11336 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
I also discovered that our treatment of const declarations is inconsistent
when inside a global eval under 'with' (i.e., when created by
DeclareContextSlots). That is,
var x;
eval("const x = 9")
and
var x;
eval("with({}) const x = 9")
differ (the former assigns 9, the latter throws). This appears to be an
oversight from earlier changes to our const semantics (the latter shouldn't
throw either). Fixing this is a separate issue, though (and one that doesn't
seem quite worthwhile).
R=mstarzinger@chromium.org
BUG=v8:1991,80591
TEST=
Review URL: https://chromiumcodereview.appspot.com/10067010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11333 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Although things are currently OK here, in the future it won't be enough to check
for the existence of a CALLBACKS result, we must additionally check that it
actually contains an accessor. In a nutshell: 'sed s/IsFound/IsProperty/' once
again...
Additionally, the control flow in DefinePropertyAccessor has been simplified by
using a helper function.
Review URL: https://chromiumcodereview.appspot.com/10071009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11305 ce2b1a6d-e550-0410-aec6-3dcde31c8c00