AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
11,442 Commits 1 Branch 0 Tags 839 MiB
ecb6bd2718
Commit Graph

671 Commits

Author SHA1 Message Date
mstarzinger@chromium.org
4b0395cc23 Harden Function()'s parsing of function literals. 
R=rossberg@chromium.org
BUG=v8:2470
TEST=mjsunit/regress/regress-2470

Review URL: https://codereview.chromium.org/12613007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13867 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-03-07 15:46:14 +00:00
yangguo@chromium.org
3a497dfd51 Insert missing type cast in JSON.stringify. 
R=dcarney@chromium.org
BUG=v8:2570

Review URL: https://chromiumcodereview.appspot.com/12599003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13853 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-03-07 09:58:27 +00:00
yangguo@chromium.org
a62cfd1db0 Fix Array.length, String.length and Function.prototype LoadICs on x64. 
R=jkummerow@chromium.org
BUG=v8:2568

Review URL: https://chromiumcodereview.appspot.com/12545004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13847 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-03-06 18:19:35 +00:00
adamk@chromium.org
7fe9bd5a09 Properly handle misses for StoreArrayLengthStub on ia32 and x64 
Both failed to generate a miss if the key wasn't "length".
ARM and MIPS were already correct.

BUG=v8:2566

Review URL: https://codereview.chromium.org/12378085

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13828 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-03-05 16:31:11 +00:00
mstarzinger@chromium.org
2aabf6257d Add workaround for redefinition of __proto__ property. 
This is a temporary workaround when the __proto__ property is being
redefined (e.g. by Object.freeze()) to not loose the foreign callback.
Once the __proto__ property is a real JavaScript accessor this hack is
no longer necessary. This change also makes __proto__ configurable.

R=rossberg@chromium.org
BUG=v8:2565
TEST=mjsunit/regress/regress-2565

Review URL: https://codereview.chromium.org/12398010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13817 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-03-04 17:53:40 +00:00
yangguo@chromium.org
358311e8ec Limit EatAtLeast recursion by a budget. 
BUG=178790

Review URL: https://chromiumcodereview.appspot.com/12380026

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13788 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-03-01 14:50:14 +00:00
yangguo@chromium.org
2a3063a7c3 Handle negative input in inlined Math.round on Intel CPUs. 
R=jkummerow@chromium.org
BUG=v8:2451

Review URL: https://chromiumcodereview.appspot.com/12342037

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13764 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-02-27 14:44:57 +00:00
mstarzinger@chromium.org
ea5e9edac4 Fix materialization of arguments objects with unknown values. 
This fixes the deoptimizer to materialize arguments objects of correct
length even in cases where the actual argument values are unknown and
were optimized away by Crankshaft. This can happen if only the length
property or the identity of an arguments object is used.

R=svenpanne@chromium.org
BUG=chromium:163530
TEST=mjsunit/regress/regress-crbug-163530

Review URL: https://codereview.chromium.org/12335132

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13763 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-02-27 14:37:51 +00:00
dcarney@chromium.org
52a015b1af Fix overflow in WriteQuoteJsonString and SlowQuoteJsonString 
R=yangguo@chromium.org
BUG=

Review URL: https://codereview.chromium.org/12326120

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13730 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-02-26 11:02:39 +00:00
mstarzinger@chromium.org
ce1e10f5fc Make __proto__ a foreign callback on Object.prototype. 
This moves the __proto__ property to Object.prototype and turns it into
a callback property actually present in the descriptor array as opposed
to a hack in the properties lookup. For now it still is a "magic" data
property using foreign callbacks and not an accessor property visible to
JavaScript.

The second effect of this change is that JSON.parse() no longer treats
the __proto__ property specially, it will be defined as any other data
property. Note that object literals still have their special handling.

R=rossberg@chromium.org
BUG=v8:621,v8:1949,v8:2441
TEST=mjsunit,cctest,test262

Review URL: https://codereview.chromium.org/12212011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13728 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-02-26 10:46:00 +00:00
mstarzinger@chromium.org
300413b5a9 Fix f.apply() optimization when declared arguments are mutated. 
R=verwaest@chromium.org
BUG=v8:2539
TEST=mjsunit/regress/regress-2539

Review URL: https://codereview.chromium.org/12255033

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13673 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-02-14 15:12:49 +00:00
jkummerow@chromium.org
19dab057b4 Fix NegateCompareOp and InvertCompareOp 
BUG=v8:2537

Review URL: https://codereview.chromium.org/12217136

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13658 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-02-13 14:36:19 +00:00
jkummerow@chromium.org
e83ff197bf Add regression test for r13617 
Many thanks to Vyacheslav Egorov for coming up with this test!

BUG=173907

Review URL: https://codereview.chromium.org/12212066

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13622 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-02-07 15:38:24 +00:00
mstarzinger@chromium.org
79607d20e6 Make the GC stress builder go green. 
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/12218034

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13608 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-02-06 13:21:28 +00:00
verwaest@chromium.org
aca87c2fcd Tag stubs that rely on instance types as MEGAMORPHIC. 
BUG=chromium:173974

Review URL: https://chromiumcodereview.appspot.com/12178017

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13586 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-02-04 13:12:03 +00:00
verwaest@chromium.org
c8636a2809 Do not try to collect the map if the monomorphic IC stub has no map. 
This is necessary for monomorphic stubs that rely on instance types,
such as ArrayLength, StringLength and FunctionPrototype.

BUG=chromium:172345

Review URL: https://chromiumcodereview.appspot.com/12082023

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13526 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-01-28 13:19:53 +00:00
yangguo@chromium.org
24ec13cbd2 Fix additional spec violations wrt RegExp.lastIndex. 
R=svenpanne@chromium.org
BUG=v8:2437

Review URL: https://chromiumcodereview.appspot.com/12033099

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13504 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-01-25 10:53:26 +00:00
ulan@chromium.org
e6224d275f Make embedded maps in optimized code weak. 
Each map has a weak array of dependent codes, where the map tracks all the optimized codes that embed it.
Old space GC either clears the dead dependent codes from the array if the corresponding map is alive or deoptimizes the live dependent codes if the map is dead.

BUG=v8:2073
R=mstarzinger@chromium.org

Review URL: https://chromiumcodereview.appspot.com/11575007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13490 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-01-24 11:55:05 +00:00
ulan@chromium.org
d29826544e Correctly set kCanBeDivByZero flag for HMathFloorOfDiv. 
After r13289 the divisor can be non-constant, so we should check for zero.

BUG=171641
R=yangguo@chromium.org

Review URL: https://chromiumcodereview.appspot.com/12047050

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13479 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-01-23 15:58:49 +00:00
yangguo@chromium.org
9296975c04 Correctly reset lastIndex in an RegExp object. 
R=svenpanne@chromium.org
BUG=170856

Review URL: https://chromiumcodereview.appspot.com/11896060

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13471 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-01-23 12:28:16 +00:00
ulan@chromium.org
79a0e3b017 Fix pattern detection for replacing shifts by rotation. 
BUG=2499
R=svenpanne@chromium.org

Review URL: https://chromiumcodereview.appspot.com/12047015
Patch from Hirofumi Mako <mkhrfm@gmail.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13464 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-01-22 13:55:22 +00:00
mvstanton@chromium.org
c3746b4388 allocation-site-info.js broken on arm with new changes. Reverting to previous version until diagnosed. 
Regress-2185.js test takes too long on slow path when allocation site info is discovered.

BUG=

Review URL: https://codereview.chromium.org/12049003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13456 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-01-21 16:15:08 +00:00
yangguo@chromium.org
0c822b21cb Fix some latin-1 webkit units tests 
R=yangguo@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/11962035
Patch from Dan Carney <dcarney@google.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13455 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-01-21 16:11:31 +00:00
mstarzinger@chromium.org
0484ddcf50 Fix arguments materialization for inlined apply(). 
This fixes materialization of the arguments object in case the constant
function check if TryCallApply() inside an inlined frame fails.

R=svenpanne@chromium.org
BUG=v8:2489
TEST=mjsunit/regress/regress-2489

Review URL: https://codereview.chromium.org/11931012

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13386 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-01-16 09:25:45 +00:00
yangguo@chromium.org
f15f294127 Sync laziness between BuildFunctionInfo and MakeFunctionInfo. 
BuildFunctionInfo compiles the function eagerly when there are debug
break points. However, the AST may have been parsed lazily since
MakeFunctionInfo does not check for debug break points.

This fixes a regression introduced in r11866.

BUG=147497

Review URL: https://chromiumcodereview.appspot.com/11661008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13382 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-01-15 10:16:52 +00:00
mstarzinger@chromium.org
c5cff2c75a Make recent regression test resilient against GC stress. 
R=danno@chromium.org
TEST=mjsunit/regress/regress-165637

Review URL: https://codereview.chromium.org/11824062

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13353 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-01-10 14:21:27 +00:00
mstarzinger@chromium.org
1079642c97 Fix missing exception check in typed array constructor (2). 
This fixes another crash when the the typed array constructor accesses
an array that has a throwing accessor defined on one of it's elements.

R=verwaest@chromium.org
BUG=chromium:168545
TEST=mjsunit/regress/regress-crbug-168545.js

Review URL: https://codereview.chromium.org/11791052

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13351 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-01-10 11:45:29 +00:00
yangguo@chromium.org
e41c17084f Continues Latin-1 support. All tests pass with ENABLE_LATIN_1 flag. 
R=yangguo@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/11818025
Patch from Dan Carney <dcarney@google.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13344 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-01-09 15:47:53 +00:00
yangguo@chromium.org
45f20e366a Introduce ENABLE_LATIN_1 compile flag 
Mostly a bunch of renaming when flag is disabled.

R=yangguo@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/11759008
Patch from Dan Carney <dcarney@google.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13340 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-01-09 10:30:54 +00:00
svenpanne@chromium.org
0aacbf9619 Added %FlattenString and use it to speed up a regression test. 
Flattening strings is relatively costly and by doing it after every duplication
we avoid combinatorial explosion.

Note that flattening could have been done by e.g. using a regular expression,
too, but this is just another implementation detail and %FlattenString seems
general enough to be useful in other tests, too.

Review URL: https://codereview.chromium.org/11828014

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13337 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-01-09 09:32:12 +00:00
mstarzinger@chromium.org
0e46919c32 Fix missing exception check in typed array constructor. 
The typed array constructor might fail if the first argument is an
object with a length property. Accessing the property can cause an
exception to be thrown and an explicit check needs to be performed.

R=verwaest@chromium.org
BUG=chromium:168545
TEST=mjsunit/regress/regress-crbug-168545.js

Review URL: https://codereview.chromium.org/11777014

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13325 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-01-07 14:01:04 +00:00
yangguo@chromium.org
4ee20d857b Check for read-only-ness when preparing for array sort. 
R=verwaest@chromium.org
BUG=v8:2419

Review URL: https://chromiumcodereview.appspot.com/11759022

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13313 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2013-01-04 15:24:47 +00:00
ulan@chromium.org
b64f834383 Fix x64 MathMinMax for negative untagged int32 arguments. 
An untagged int32 has zeros in the upper half even if it is negative.
Using cmpq to compare such numbers will incorrectly ignore the sign.

BUG=164442
R=mvstanton@chromium.org

Review URL: https://chromiumcodereview.appspot.com/11665007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13273 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-12-21 17:52:00 +00:00
yangguo@chromium.org
362218a037 Deopt on overflow in integer mod. 
R=ulan@chromium.org
BUG=166379

Review URL: https://chromiumcodereview.appspot.com/11618017

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13241 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-12-19 12:01:22 +00:00
ulan@chromium.org
8574054b59 Correctly handle negative codes in String.fromCharCode() 
BUG=166553

R=yangguo@chromium.org

Review URL: https://chromiumcodereview.appspot.com/11576069

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13235 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-12-18 12:37:57 +00:00
rossberg@chromium.org
c6bb497437 Simplify implementation of assignment-to-const checks. 
Also, add test that assignment to function name is a syntax error with harmony scoping.

Does not fix issue 2243 directly, but with ES6, the required behaviour will change to what is implemented already anyway.

R=yangguo@chromium.org
BUG=v8:2243

Review URL: https://codereview.chromium.org/11607016

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13234 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-12-18 12:00:50 +00:00
danno@chromium.org
facad070e9 Remove over-zealous hole checking in Array.slice() 
R=jkummerow@chromium.org
BUG=chromium:165637
TEST=regress-165637.js

Review URL: https://codereview.chromium.org/11442054

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13211 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-12-12 15:20:45 +00:00
rossberg@chromium.org
76375de29d Object.observe: prevent observed objects from using fast elements. 
This is necessary because polymorphic stores generally
do not perform a map check but only an instance type check,
which misses out on changes in the observation status.
Unfortunately, there currently is no efficient way in V8
to maintain that optimisation in the presence of Object.observe.

R=mstarzinger@chromium.org
BUG=v8:2409

Review URL: https://codereview.chromium.org/11477006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13205 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-12-12 11:38:24 +00:00
rossberg@chromium.org
3348b5c2b4 Allow lazy compilation (and thus optimisation) of functions inside eval. 
For strict-mode eval, this requires _disabling_ lazy parsing of inner functions,
because we need to collect their free variables to do allocation for the
eval scope properly.

R=mstarzinger@chromium.org
BUG=v8:2315

Review URL: https://codereview.chromium.org/11438042

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13161 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-12-07 10:35:50 +00:00
yangguo@chromium.org
3388f92e63 Fix spec violations in methods of Number.prototype. 
R=svenpanne@chromium.org
BUG=v8:2443

Review URL: https://chromiumcodereview.appspot.com/11465005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13160 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-12-07 10:20:35 +00:00
yangguo@chromium.org
276c790c61 Iterate through all arguments for side effects in Math.min/max. 
R=svenpanne@chromium.org
BUG=v8:2444

Review URL: https://chromiumcodereview.appspot.com/11444030

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13150 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-12-06 13:13:38 +00:00
yangguo@chromium.org
c75ca45000 Improve array to string conversion. 
BUG=v8:2435

Review URL: https://chromiumcodereview.appspot.com/11348349

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13144 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-12-05 15:49:22 +00:00
yangguo@chromium.org
6c92aba643 Fix spec violations related to regexp.lastIndex 
BUG=v8:2437, v8:2438

Review URL: https://chromiumcodereview.appspot.com/11451005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13143 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-12-05 12:32:25 +00:00
verwaest@chromium.org
7553f0d68e CopyPackedSmiToDoubleElements should fill the FixedDoubleArray with holes 
BUG=v8:2433

Review URL: https://chromiumcodereview.appspot.com/11280223
Patch from Adam Klein <adamk@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13082 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-11-29 08:34:19 +00:00
verwaest@chromium.org
09b1574baa Make ElementsAccessors more tolerant of varying backing store types 
This avoids bogus calls to Fixed*Array::cast() when FastElements-backed objects are empty (and thus backed by empty_fixed_array).

Review URL: https://chromiumcodereview.appspot.com/11299190
Patch from Adam Klein <adamk@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13071 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-11-28 08:41:45 +00:00
verwaest@chromium.org
1b0e373f09 Avoid double initialization of arrays. 
Review URL: https://chromiumcodereview.appspot.com/11413179

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13064 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-11-27 12:01:14 +00:00
verwaest@chromium.org
beeb751278 Ensure we do not clobber the register holding the elements backing store. 
Review URL: https://chromiumcodereview.appspot.com/11316168

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13061 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-11-26 15:58:27 +00:00
verwaest@chromium.org
ebeaad6cb5 Ensure double arrays are filled with holes when extended from variations of empty arrays. 
BUG=162085

Review URL: https://chromiumcodereview.appspot.com/11414155

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13056 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-11-26 14:29:21 +00:00
jkummerow@chromium.org
a956594fc2 Fix corner case in x64 compare stubs. 
BUG=v8:2416

Review URL: https://codereview.chromium.org/11413087

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13019 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-11-20 15:57:10 +00:00
rossberg@chromium.org
8d79ff46d0 Clean-up refactoring to eliminate GetLocalElementKind. 
Eliminates substantial amounts of fragile code duplication and special casing.

Also fixes "a".propertyIsEnumerable(0) to correctly return true.

R=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/11420011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12990 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-11-16 13:28:34 +00:00
mstarzinger@chromium.org
3d1582c474 Fix Array.prototype.join evaluation order. 
R=yangguo@chromium.org
BUG=v8:2263
TEST=mjsunit/regress/regress-2263

Review URL: https://codereview.chromium.org/11280025

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12989 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-11-16 12:45:23 +00:00
rossberg@chromium.org
af824eab8f When using an Object as a set in Object.getOwnPropertyNames, null out the proto 
Also apply the same fix elsewhere in v8natives.js

BUG=v8:2410

Review URL: https://codereview.chromium.org/11364237
Patch from Adam Klein <adamk@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12982 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-11-16 09:32:39 +00:00
yangguo@chromium.org
4783d3c31b Remove 'type' and 'arguments' properties from Error object. 
R=svenpanne@chromium.org
BUG=v8:2397

Review URL: https://chromiumcodereview.appspot.com/11358214

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12956 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-11-14 09:14:47 +00:00
yangguo@chromium.org
4cca6c6081 Make formatting error message side-effect-free. 
BUG=v8:2398

Review URL: https://chromiumcodereview.appspot.com/11359130

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12926 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-11-12 10:33:20 +00:00
yangguo@chromium.org
ef1b3d3a76 Fix length check in JSON.stringify. 
R=verwaest@chromium.org
BUG=160010

Review URL: https://chromiumcodereview.appspot.com/11410031

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12925 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-11-12 10:20:07 +00:00
mstarzinger@chromium.org
a31889e2de Fix slack tracking when instance prototype changes. 
This fixes a corner case when the instance prototype of a function is
changed while inobject slack tracking is still in progress. This caused
the intial map to be unrelated for functions with the same shared info
and hence the shared construct stub is no longer generic enough to work
for all those functions.

R=danno@chromium.org
BUG=chromium:157019
TEST=mjsunit/regress/regress-crbug-157019

Review URL: https://codereview.chromium.org/11293059

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12896 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-11-08 11:56:44 +00:00
yangguo@chromium.org
e8d91b424c Handle edge cases in basic JSON.stringify. 
BUG=

Review URL: https://chromiumcodereview.appspot.com/11315009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12842 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-11-02 14:46:57 +00:00
verwaest@chromium.org
14abf05bd5 Ensure reducing the length of an array doesn't make it go holey. 
Also only transition and/or change anything to the backing store if we are
actually going to delete anything.

BUG=

Review URL: https://chromiumcodereview.appspot.com/11358011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12840 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-11-02 10:24:56 +00:00
yangguo@chromium.org
8ed2e560ea Treat leading zeros in JSON.parse correctly. 
R=verwaest@chromium.org
BUG=158185

Review URL: https://chromiumcodereview.appspot.com/11273075

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12830 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-10-29 12:01:29 +00:00
mstarzinger@chromium.org
e363cd3425 Fix ugly typo in GenerateNewNonStrictFast. 
R=svenpanne@chromium.org
BUG=chromium:157520
TEST=mjsunit/regress/regress-crbug-157520

Review URL: https://codereview.chromium.org/11300008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12826 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-10-26 10:55:25 +00:00
yangguo@chromium.org
e50ee08ad6 Reland JSON.stringify reimplementation. 
BUG=

Review URL: https://chromiumcodereview.appspot.com/11189112

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12790 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-10-22 14:22:58 +00:00
yangguo@chromium.org
f910052543 Always invoke the default Array.sort functions from builtin functions, part 2. 
R=vegorov@chromium.org
BUG=v8:2372

Review URL: https://chromiumcodereview.appspot.com/11175007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12774 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-10-19 12:30:18 +00:00
verwaest@chromium.org
fa53250dd2 Fixed json regression 
BUG=v8:2374

Review URL: https://chromiumcodereview.appspot.com/11186059

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12766 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-10-19 08:23:45 +00:00
verwaest@chromium.org
7bc94a92c5 Fixed error introduced in r12761. 
BUG=2373

Review URL: https://chromiumcodereview.appspot.com/11198068

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12765 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-10-18 18:43:19 +00:00
fschneider@chromium.org
971e834a8d Always invoke the default Array.sort functions from builtin functions. 
TEST=mjsunit/regress/regress-builtin-array-op.js
BUG=v8:2372
Review URL: https://chromiumcodereview.appspot.com/10559005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12752 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-10-18 11:18:08 +00:00
verwaest@chromium.org
7c28995e5d Invalidate the enum cache when converting a transition across which the descriptors are shared. 
Review URL: https://chromiumcodereview.appspot.com/11145017

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12722 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-10-15 08:38:51 +00:00
verwaest@chromium.org
b75705f07b Don't clear EnumLength but rather copy the enum cache. Added regression test for crashes from chromecrash. 
Review URL: https://chromiumcodereview.appspot.com/11103036

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12704 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-10-11 15:33:34 +00:00
verwaest@chromium.org
dde1cdfb8e Fix transition conversion from CONSTANT_FUNCTION to FIELD. 
Review URL: https://chromiumcodereview.appspot.com/11094044

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12688 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-10-10 12:31:50 +00:00
verwaest@chromium.org
55e924c595 Fix CNLT regression. 
This happens when a map A with no descriptors in fast_holey_elements
mode first gets some properties, making it share descriptor arrays with
a map B to which it transitions. Then map A transitions elements kind to
dictionary_elements in map C. C stores the empty_descriptor_array in its
own transition array. When adding a property to C, C transitions to D
and shares the descriptors. If D dies, a CNLT clears the transition
array of C, making the descriptor array of A (and thus also of B) shine
through. If a property is now added to an object in state C, it'll inherit
all the properties of A (and B). If those properties had high field indices,
we do not have a large enough backing store for the single newly added
property, and we'll write out of bounds.

BUG=chromium:151749

Review URL: https://chromiumcodereview.appspot.com/11017054

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12687 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-10-10 12:29:44 +00:00
svenpanne@chromium.org
5d11c5ee69 Fixed Accessors::FunctionGetPrototype's proto chain traversal. 
Actually it didn't traverse that far... ;-) Did some cleanup on the way.

R=rossberg@chromium.org
BUG=chrome:143967
TEST=regress/regress-143967.js

Review URL: https://codereview.chromium.org/11087004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12677 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-10-08 12:58:46 +00:00
rossberg@chromium.org
329cf12363 Make sure that names of temporaries do not clash with real variables. 
R=mstarzinger@chromium.org
BUG=v8:2322

Review URL: https://codereview.chromium.org/11035054

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12668 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-10-05 12:47:34 +00:00
rossberg@chromium.org
3f7b5c338a Reject uses of lexical for-loop variable on the RHS. 
R=mstarzinger@chromium.org
BUG=v8:2322

Review URL: https://codereview.chromium.org/11031045

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12664 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-10-05 09:07:53 +00:00
mmassi@chromium.org
8fbfad63cd Avoid wrong imul deopt on ia32 and x64 (fixes v8 bug 2339). 
BUG=v8:2339

Review URL: https://chromiumcodereview.appspot.com/10963032

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12614 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-26 09:57:30 +00:00
erik.corry@gmail.com
72e9f1bea1 x64 and ARM: Fix issue 2346 (order of operations in keyed store 
on arrays) and turn get-own-property-descriptor.js test into
a regression test.
Review URL: https://chromiumcodereview.appspot.com/10985017

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12604 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-25 13:35:42 +00:00
jkummerow@chromium.org
8a3ec89824 Delete test/mjsunit/regress-1969. 
It was flaky, and its usefulness was doubtful.

Review URL: https://codereview.chromium.org/10961075

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12595 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-24 10:48:14 +00:00
jkummerow@chromium.org
cc6fe90b2b Remove trailing whitespace 
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/10969064

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12594 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-24 10:44:04 +00:00
jkummerow@chromium.org
cf0cae7eb1 Speed up test/mjsunit/regress/regress-crbug-119926 
Review URL: https://codereview.chromium.org/10958063

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12584 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-24 09:56:11 +00:00
verwaest@chromium.org
083ee63a83 Fix CNLT for enum indices. 
Review URL: https://chromiumcodereview.appspot.com/10958015

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12569 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-20 15:18:00 +00:00
verwaest@chromium.org
ea31f868e8 Deopt on storing undefined into double elements. 
Review URL: https://chromiumcodereview.appspot.com/10963010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12568 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-20 13:41:00 +00:00
jkummerow@chromium.org
a8e502fe60 Fix LBoundsCheck on x64 to handle (stack slot + constant) correctly 
BUG=150729

Review URL: https://codereview.chromium.org/10959009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12562 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-20 09:56:24 +00:00
jkummerow@chromium.org
83da019a46 Move regress-2286.js where it belongs 
Review URL: https://codereview.chromium.org/10957013

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12561 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-20 09:55:19 +00:00
mstarzinger@chromium.org
c012afb6d4 Fix setting array length to zero for slow elements. 
R=verwaest@chromium.org
BUG=chromium:146910
TEST=mjsunit/regress/regress-crbug-146910

Review URL: https://codereview.chromium.org/10937026

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12547 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-19 11:52:33 +00:00
mstarzinger@chromium.org
f0dcaf9a19 Fix lost arguments dropping in HLeaveInlined. 
This fixes HleaveInlined to correctly drop pushed arguments on all code
paths and addresses a corner case where the arguments stack height
mismatched at an OSR entry point.

R=jkummerow@chromium.org
BUG=chromium:150545
TEST=mjsunit/regress/regress-crbug-150545

Review URL: https://codereview.chromium.org/10938016

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12543 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-19 08:13:46 +00:00
yangguo@chromium.org
73462594ea Change regress-2318 to trigger more quickly and reliably. 
BUG=v8:2336

Review URL: https://chromiumcodereview.appspot.com/10913294

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12529 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-17 13:21:59 +00:00
erik.corry@gmail.com
bafcfe5427 Fix misplaced assert in heap.cc. 
Bug=2336
Review URL: https://chromiumcodereview.appspot.com/10911334

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12528 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-17 11:38:24 +00:00
yangguo@chromium.org
cb72bf5735 Fix debugger's eval when close to stack overflow. 
R=verwaest@chromium.org
BUG=v8:2318

Review URL: https://chromiumcodereview.appspot.com/10914290

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12518 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-14 13:40:32 +00:00
verwaest@chromium.org
ad4746c8a3 CNLT with descriptors but no valid enum fields has to clear the EnumCache. 
Review URL: https://chromiumcodereview.appspot.com/10928204

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12512 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-14 13:15:43 +00:00
mstarzinger@chromium.org
77a7d9f539 Fix caching of optimized code for OSR. 
This makes sure we do not share optimized code across closures that were
optimized using OSR (for a particular OSR entry AST id) even if caching
of optimized code kicks in.

R=danno@chromium.org
BUG=v8:2326
TEST=mjsunit/regress/regress-2326

Review URL: https://codereview.chromium.org/10933088

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12504 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-14 10:41:31 +00:00
verwaest@chromium.org
1d1adaf9d3 Ensure correct enumeration indices in the dict 
BUG=chromium:148376

Review URL: https://chromiumcodereview.appspot.com/10908216

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12494 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-13 08:52:55 +00:00
yangguo@chromium.org
67d0506622 Correctly initialize regexp global cache. 
R=ulan@chromium.org
BUG=148378

Review URL: https://chromiumcodereview.appspot.com/10905239

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12491 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-12 15:26:43 +00:00
mstarzinger@chromium.org
f37f504de5 Fix arguments object materialization during deopt. 
This fixes materialization of arguments objects for strict mode functions during
deoptimization. We materialize arguments from the stack area where optimized
code pushes the arguments when entering the inlined environment. For adapted
invocations we use the arguments adaptor frame for materialization.

R=svenpanne@chromium.org
BUG=v8:2261
TEST=mjsunit/regress/regress-2261,mjsunit/compiler/inline-arguments

Review URL: https://chromiumcodereview.appspot.com/10908194

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12489 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-12 12:28:42 +00:00
mstarzinger@chromium.org
f6cd2403e3 Fix deoptimizer for shared optimized code. 
The deoptimizer searched the stack for activations of the same function to
determine whether to trigger lazy deopting. Since we share optimized code we
actually need to search for activations of the same code (but potentially
different functions).

R=jkummerow@chromium.org
BUG=chromium:147475
TEST=mjsunit/regress/regress-crbug-147475

Review URL: https://chromiumcodereview.appspot.com/10917162

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12473 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-10 11:05:17 +00:00
svenpanne@chromium.org
7af6883098 Fixed deoptimization of inlined getters. 
It is necessary to explicitly handle the internal frame lying between the caller
of the getter and the getter itself in the deoptimizer: When the getter is
inlined, leaving the internal frame restores the correct context.

BUG=http://crbug/134609
TEST=mjsunit/regress/regress-crbug-134609

Review URL: https://chromiumcodereview.appspot.com/10910110

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12470 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-07 09:01:54 +00:00
erik.corry@gmail.com
e5df02834b Fix some corner cases in skipping native methods using caller. 
Review URL: https://chromiumcodereview.appspot.com/10911063

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12439 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-05 08:19:49 +00:00
verwaest@chromium.org
0c24942be7 Fixed test expectation. 
Review URL: https://chromiumcodereview.appspot.com/10913062

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12435 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-04 09:54:36 +00:00
verwaest@chromium.org
a8638c1570 Support register as right operand in min/max support. 
R=jkummerow@chromium.org
BUG=chromium:145961
TEST=mjsunit/regress/regress-crbug-145961.js

Review URL: https://chromiumcodereview.appspot.com/10914072

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12434 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-09-04 09:35:43 +00:00
verwaest@chromium.org
90db487390 Elements load depends on the type of the receiver. 
R=jkummerow@chromium.org

Review URL: https://chromiumcodereview.appspot.com/10918005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12413 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-08-30 17:31:32 +00:00
danno@chromium.org
3544e2e875 Disable speculative LICM when it may lead to unnecessary deopts 
BUG=v8:2250
R=vegorov@chromium.org
TEST=tests/mjsunit/regress/regress-2250.js

Review URL: https://chromiumcodereview.appspot.com/10867033

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12375 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-08-23 21:08:58 +00:00
ulan@chromium.org
efc26f9b2b Fix rounding in Uint8ClampedArray setter. 
According to Web IDL spec, we should round to
the nearest integer, choosing the even integer
if it lies halfway between two.

R=yangguo@chromium.org,kbr@chromium.org
BUG=v8:2294

Review URL: https://chromiumcodereview.appspot.com/10831409

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12364 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-08-22 14:27:11 +00:00
verwaest@chromium.org
5df5eea066 Check that index and length are Smi in bounds check. 
BUG=chromium:142218
R=danno@chromium.org

Review URL: https://chromiumcodereview.appspot.com/10829456

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12362 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
 2012-08-21 16:46:25 +00:00