lrn@chromium.org
e9bc76c499
Avoid infinite recursion for unterminated non-ASCII JSON string literals.
...
BUG=91787
TEST=mjsunit/regress/regress-91787
Review URL: http://codereview.chromium.org/7569008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8847 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-08-05 12:55:29 +00:00
keuchel@chromium.org
c14b08658e
Fix DebugEvaluate crash within a catch in a function without local context.
...
BUG=v8:1586
TEST=mjsunit/regress/regress-1586.js
Review URL: http://codereview.chromium.org/7491053
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8844 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-08-05 12:00:57 +00:00
lrn@chromium.org
61ae1be609
Fix bug in scanner.
...
Checking for end-of-comment truncated to byte before comparing to '*'.
BUG=v8:1546
TEST=mjsunit/regress/regress-1546
Review URL: http://codereview.chromium.org/7585004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8842 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-08-05 11:21:04 +00:00
kmillikin@chromium.org
3e28347d55
Revert "Fix a bug in scope analysis."
...
This reverts commit revision 8838.
TBR=ricow@chromium.org
BUG=
TEST=
Review URL: http://codereview.chromium.org/7584005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8839 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-08-05 09:20:08 +00:00
kmillikin@chromium.org
b625ce2b6b
Fix a bug in scope analysis.
...
When recompiling code (e.g., when optimizing) we could incorrectly hoist
some function expressions. This leads to incorrect results or a crash. The
root cause was that functions were not correctly categorized as expression
or declaration at parse time.
This requires some extra hoops to prevent the print name "anonymous" for
functions created by 'new Function' from establishing a binding.
R=vegorov@chromium.org ,kasperl@chromium.org
BUG=1583
TEST=regress-1583
Review URL: http://codereview.chromium.org/7572019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8838 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-08-05 08:28:11 +00:00
danno@chromium.org
861c895a34
Add regression test for 91517
...
R=vegorov@chromium.org
BUG=91517
TEST=regress-91517.js
Review URL: http://codereview.chromium.org/7575007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8824 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-08-04 11:00:32 +00:00
ricow@chromium.org
9721eddc1f
Ensure that the length property of bound functions are actual unique
...
for the individually bound functions.
Our existing code will generate a new function on every call to bind,
but it will use the same shared function. When setting the lenght this
will be set on the shared function, i.e., the length of all bound
functions will be that of the last bound function.
Review URL: http://codereview.chromium.org/7475002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8816 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-08-03 12:44:17 +00:00
kmillikin@chromium.org
4487f8c050
Revert "Revert "Fix a bug in scope analysis.""
...
Reapply r8783 with an additional fix.
Because the preparser and parser do not use the same scope analysis to
determine if a function can be lazily compiled, the parser can have false
positives. Rather than treating this as a parse error, treat the preparser
as authoritative and eagerly compile the function.
R=lrn@chromium.org
BUG=
TEST=
Review URL: http://codereview.chromium.org/7565003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8797 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-08-03 09:10:35 +00:00
kmillikin@chromium.org
a129c95a54
Revert "Fix a bug in scope analysis."
...
This reverts r8783.
R=vegorov@chromium.org
BUG=
TEST=
Review URL: http://codereview.chromium.org/7550013
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8794 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-08-02 17:02:24 +00:00
kmillikin@chromium.org
f37f6e88ca
Fix a bug in scope analysis.
...
Function declarations inside catch are hoisted to the nearest enclosing
function scope, but we compiled their bodies as if occurring inside the
catch scope.
BUG=chrome:91120
TEST=regress/regress-91120 attached
Review URL: http://codereview.chromium.org/7548011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8783 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-08-02 15:04:31 +00:00
danno@chromium.org
b333719607
Properly handle FixedDoubleArrays in sort()
...
R=jkummerow@chromium.org
BUG=91008
TEST=regress-91008.js
Review URL: http://codereview.chromium.org/7542008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8782 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-08-02 14:05:11 +00:00
vegorov@chromium.org
9226cfe5b7
Ensure that GenerateStoreFastDoubleElement returns stored value on all paths.
...
BUG=chromium:91013
TEST=test/mjsunit/regress/regress-91013.js
Review URL: http://codereview.chromium.org/7551009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8781 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-08-02 13:36:38 +00:00
vegorov@chromium.org
a547d333f0
Check for phi-uses of arguments object before eliminating dead phi's.
...
HGraphBuilder::TryArgumentsAccess does not emit any uses for receiver and will generate incorrect code when receiver for a property access is defined by a phi that returns either arguments object or something else.
BUG=v8:1582
TEST=test/mjsunit/regress/regress-1582.js
Review URL: http://codereview.chromium.org/7553006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8774 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-08-02 09:32:28 +00:00
danno@chromium.org
008f834117
Properly handle FastDoubleArrays in Runtime_MoveArrayContents
...
BUG=91013
TEST=regress91013.js
Review URL: http://codereview.chromium.org/7551004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8773 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-08-02 09:28:55 +00:00
danno@chromium.org
1f9801bb9e
Fix bug in ARM pixel array clamping
...
Properly handle undefined conversion to zero in Crankshaft.
R=yangguo@chromium.org
BUG=none
TEST=regress-1563.js
Review URL: http://codereview.chromium.org/7461028
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8723 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-07-22 16:01:53 +00:00
jkummerow@chromium.org
9de5255b60
Revert "Make window.undefined, window.NaN, window.Infinitiy read-only (ES5 section 15.1.1)"
...
This reverts r8691.
Review URL: http://codereview.chromium.org/7457020
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8692 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-07-20 10:51:11 +00:00
jkummerow@chromium.org
6768c5e24e
Make window.undefined, window.NaN, window.Infinitiy read-only (ES5 section 15.1.1)
...
BUG=89490
TEST=manual: "Infinity = 42;" doesn't change the value of "Infinity"
Review URL: http://codereview.chromium.org/7457019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8691 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-07-20 10:06:53 +00:00
ager@chromium.org
85f5afb717
Correctly mark functions from our natives files during compilation.
...
When creating a CompilationInfo we always have the script and can
determine if it is a natives script.
Now that all natives functions are recognized as such, many of them
are called with undefined as the receiver. We have to use different
filtering for builtins functions when printing stack traces.
Also, fixed one call of CALL_NON_FUNCTION to be correctly marked as a
method call (with fixed receiver). Now that CALL_NON_FUNCTION is
marked as a native function this caused the receiver to be undefined.
R=svenpanne@chromium.org
BUG=
TEST=
Review URL: http://codereview.chromium.org/7395030
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8680 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-07-19 08:19:31 +00:00
jkummerow@chromium.org
d4779286b6
Add map check for COW elements to crankshaft array handling code.
...
BUG=1560
TEST=mjsunit/regress/regress-1560.js
Review URL: http://codereview.chromium.org/7366008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8656 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-07-14 14:45:20 +00:00
kmillikin@chromium.org
890bc1607a
Fix a potential crash in const declaration.
...
Declaration of const lookup slots would trigger an assertion if there was a
setter somewhere in the prototype chain, and that setter was shadowed by a
non-readonly data property also in the prototype chain.
R=ager@chromium.org
BUG=
TEST=
Review URL: http://codereview.chromium.org/7324048
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8602 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-07-11 14:07:12 +00:00
kmillikin@chromium.org
cbaf1bc98b
Allow JSObject::PreventExtensions to work for arguments objects.
...
R=karlklose@chromium.org
Review URL: http://codereview.chromium.org/7335002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8587 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-07-11 06:48:19 +00:00
kmillikin@chromium.org
fe23339bdd
Fix a bug in for/in iteration of arguments objects.
...
We did not properly combine the property names from the parameter map
and the arguments backing store. They could overwrite each other and
be unsorted.
Also fix an unrelated bug: deleting from a dictionary-mode arguments
backing store could corrupt the parameter map.
R=rossberg@chromium.org
BUG=1531
TEST=mjsunit/regress/regress-1531.js
Review URL: http://codereview.chromium.org/7278033
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8571 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-07-08 07:31:48 +00:00
ricow@chromium.org
82e53270dc
Ensure that regexps always have code object, even if GC happened while running multiple times in runtime.
...
Review URL: http://codereview.chromium.org/7316018
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8560 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-07-07 10:04:56 +00:00
sgjesse@chromium.org
ca3787f395
Fix debug break on binary boolean operators
...
The syntax checker finding breakable statements did not take into account that the right hand side of a boolean binary opration might never get evaluated.
R=svenpanne@chromium.org
BUG=v8:1523
TEST=test/mjsunit/regress/regress-1523.js
Review URL: http://codereview.chromium.org//7212027
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8544 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-07-06 10:16:57 +00:00
vitalyr@chromium.org
8f60208324
Fix bug 1529: check for NULL handle in v8::TryCatch::StackTrace.
...
Internal HandleScope::CloseAndEscape crashes on NULL handles.
R=kmillikin@chromium.org
BUG=v8:1529
TEST=mjsunit/regress/regress-1529
Review URL: http://codereview.chromium.org/7309004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8527 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-07-04 13:29:56 +00:00
kmillikin@chromium.org
57c29c1f29
Fix a bug in with and catch context allocation.
...
We were only looking one level up the scope chain to decide which
closure to use in the fresh context. Instead, we should look to the
first non-catch scope.
R=vegorov@chromium.org
BUG=1528
TEST=regress-1528
Review URL: http://codereview.chromium.org/7309002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8523 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-07-04 09:34:47 +00:00
kmillikin@chromium.org
a48c03bb2a
Fix an issue with optimization of functions inside catch.
...
When optimizing a function defined inside a catch, we did not count
the catch context as part of the context chain.
R=vegorov@chromium.org
BUG=1521
TEST=regress-1521
Review URL: http://codereview.chromium.org/7285032
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8518 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-07-01 14:05:46 +00:00
karlklose@chromium.org
c0e2268c8c
Fix problem with arguments object ICs not checking for dictionary mode elements.
...
R=kmillikin@chromium.org
BUG=1514
TEST=mjsunit/regress/regress-1513.js
Review URL: http://codereview.chromium.org/7282029
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8497 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-30 14:56:06 +00:00
ager@chromium.org
0d8c343c90
Do not pass the global object as the receiver to strict-mode and
...
builtin replace and sort functions.
R=ricow@chromium.org
BUG=v8:1360
TEST=mjsunit/regress/regress-1360.js
Review URL: http://codereview.chromium.org/7283006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8488 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-30 12:29:19 +00:00
kmillikin@chromium.org
6543526a9d
Remove failing test while working on a fix.
...
TBR=ricow@chromium.org
Review URL: http://codereview.chromium.org/7283040
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8486 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-30 12:07:33 +00:00
kmillikin@chromium.org
3f84fcf6c9
Fix a bug in Object.defineProperty.
...
There was a bug in Object.defineProperty when used to add an indexed
property to an arguments object. When converting the elements backing
store to dictionary mode, the parameter map in front of the backing
store does not change.
R=ager@chromium.org ,karlklose@chromium.org
Review URL: http://codereview.chromium.org/7289011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8481 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-30 11:11:19 +00:00
keuchel@chromium.org
3f70c456eb
Fix "illegal access" when calling parseInt with a radix that is not a smi.
...
BUG=v8:1246
TEST=regress-1246.js
Review URL: http://codereview.chromium.org/7206019
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8444 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-28 12:31:42 +00:00
ager@chromium.org
89cc886ba7
Fix receiver check in arguments ICs.
...
The receiver needs to be checked in the same way as all other KeyedLoadICs to take non-JSObject and objects that require access checks or has interceptors into account.
R=sgjesse@chromium.org
BUG=87478
TEST=mjsunit/regress/regress-crbug-87478.js
Review URL: http://codereview.chromium.org/7259015
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8429 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-27 13:02:51 +00:00
fschneider@chromium.org
4bc671c2b0
Add missing write barrier for arguments store ICs.
...
Review URL: http://codereview.chromium.org/7207006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8390 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-23 09:20:07 +00:00
ager@chromium.org
a96b9156a3
Correctly handle non-array receivers in Array length setter.
...
BUG=v8:1491
TEST=mjsunit/regress/regress-1491.js
Review URL: http://codereview.chromium.org/7206038
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8343 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-21 08:07:45 +00:00
erik.corry@gmail.com
c95ecb1fcd
Refix issue 1472. The previous fix worked for the example in the bug
...
report, but was not general enough to catch all cases. This is a new
approach. Includes regression test!
Review URL: http://codereview.chromium.org/7193007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8318 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-17 08:01:12 +00:00
lrn@chromium.org
ee59eff127
Make line-terminators inside multi-line comments count.
...
Now follows the specification. Follows WebKit change in revision 89100.
BUG=86431
TEST=regress-892742
Review URL: http://codereview.chromium.org/7184034
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8317 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-17 07:23:07 +00:00
karlklose@chromium.org
f4e4bc43a8
Merge arguments branch to bleeding edge (second try).
...
Review URL: http://codereview.chromium.org/7187007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8315 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-16 14:12:58 +00:00
karlklose@chromium.org
cc19d1e278
Revert "Merge arguments branch to bleeding merge."
...
This reverts commit ceb31498b9d69edca3260820fb4047045891ce6d.
TBR=kmillikin@chromium.org
Review URL: http://codereview.chromium.org/7172030
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8308 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-16 06:37:49 +00:00
vegorov@chromium.org
14bf246dfa
Add missing branches in code generated for LModI with power-of-2 divisor.
...
BUG=v8:1476
TEST=test/mjsunit/regress/regress-1476.js
Review URL: http://codereview.chromium.org/7097015
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8301 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-15 19:57:39 +00:00
karlklose@chromium.org
6cfeb2d400
Merge arguments branch to bleeding merge.
...
Review URL: http://codereview.chromium.org/7167006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8300 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-15 15:09:28 +00:00
ricow@chromium.org
23d0aa614b
Ensure that bound functions does not have a prototype (fixes issue 794)
...
Review URL: http://codereview.chromium.org/7148014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8293 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-15 10:47:37 +00:00
ager@chromium.org
aa7ad8ee9d
Fix issue 1447 by not redefining properties unneccesarily in seal and freeze.
...
This avoids attempting to redefine function.arguments with a different
value than the current one. function.arguments returns a new copy on
each invocation.
R=lrn@chromium.org
BUG=v8:1447
TEST=mjsunit/regress/regress-1447.js
Review URL: http://codereview.chromium.org/7044104
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8258 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-10 09:45:02 +00:00
whesse@chromium.org
c40aa827bf
Add boolean flag to HChange and LNumberUntagD to not convert undefined to NaN.
...
This is needed so that HCompare, optimized for double inputs, works correctly on undefined inputs.
BUG=v8:1434
TEST=mjsunit/bugs/bug-1434.js
Review URL: http://codereview.chromium.org/7044049
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8237 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-09 12:27:28 +00:00
fschneider@chromium.org
68eab4a8d8
Fix bug with GVN on array loads.
...
This fixes a bug where an array load was incorrectly hoisted by GVN.
BUG=85177
TEST=mjsunit/regress/regress-85177.js
Review URL: http://codereview.chromium.org/7003054
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8230 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-09 11:15:03 +00:00
ager@chromium.org
626cdffaef
Fix Array.prototype.{reduce,reduceRight} to pass undefined as receiver for strict mode callbacks.
...
Propagate strict mode information from pre-parser to parser for lazily compiled functions.
R=lrn@chromium.org
BUG=v8:1436
TEST=mjsunit/regress/regress-1436.js
Review URL: http://codereview.chromium.org/7044054
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8227 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-09 09:05:15 +00:00
whesse@chromium.org
1ea14c2041
Limit the number of arguments in a function call to 32766.
...
Limit the number of arguments in a function call to 32766. This is identical
to the limit on the number of parameters to a function.
BUG=v8:1413
TEST=
Review URL: http://codereview.chromium.org/7054074
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8194 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-07 08:15:47 +00:00
fschneider@chromium.org
7c9cf0b3a1
Re-land r8140: Deoptimize on never-executed code-paths.
...
Original cl: http://codereview.chromium.org/7105015
I'm removing the test GlobalLoadICGC test that was introduced for testing
inlined global cell loads (in the classic backend) and has an invalid assumption
about the number of global objects referenced from a v8 context. We don't have
this feature with Crankshaft anymore.
Review URL: http://codereview.chromium.org/7112032
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8185 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-06 14:57:25 +00:00
kmillikin@chromium.org
6a81642f31
Fix a bug in Lithium environment iteration.
...
The Advance() function of the class responsible for iterating
environment uses didn't always advance as far as it could (relying on
the HasNext predicate to finish advancing). This is brittle.
The HasNext predicate also didn't advance as far as it could when it
was at the end of an environment level. This is a bug.
R=jkummerow@chromium.org
BUG=
TEST=
Review URL: http://codereview.chromium.org/6993023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8181 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-06 11:30:17 +00:00
erik.corry@gmail.com
0023cacc22
Fix traversal of the map transition tree to take the prototype
...
transitions into account.
Review URL: http://codereview.chromium.org/7074052
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8165 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-06-03 14:48:09 +00:00