Commit Graph

2271 Commits

Author SHA1 Message Date
dslomov@chromium.org
91eb5f8d25 DataView implementation.
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/17153011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15269 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-21 13:02:38 +00:00
yangguo@chromium.org
b7b92bd9ac Short-circuit embedded cons strings.
R=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/17418003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15263 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-21 09:24:30 +00:00
yangguo@chromium.org
928cbcdc8d Skip parallel recompilation tests if parallel recompilation is disabled.
Parallel recompilation is usually disabled on single-core systems.

R=jkummerow@chromium.org
BUG=v8:2733

Review URL: https://codereview.chromium.org/17261021

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15231 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-20 11:01:33 +00:00
wingo@igalia.com
f7ba3a7bb1 Fix stack frame reconstruction for generators with formal arguments
The formal parameter count was always being treated as an untagged
integer, but it is actually a Smi on ia32 and arm.

R=mstarzinger@chromium.org
BUG=v8:2355
TEST=mjsunit/harmony/generators-iteration

Review URL: https://codereview.chromium.org/17485002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15230 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-20 10:48:34 +00:00
verwaest@chromium.org
2ca5c6cd03 Fix using monomorphic store instruction for polymorphic stores.
R=jkummerow@chromium.org

Review URL: https://chromiumcodereview.appspot.com/16875008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15214 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-19 18:07:35 +00:00
mvstanton@chromium.org
7f0f022792 Bugfix in hydrogen array literal code generation.
If an array literal contains some non-constant elements, is of type SMI, and
then the boilerplate transitions to double or fast sometime after we've
crankshafted the code, then we could incorrectly store smis in double arrays.

BUG=
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/17334004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15207 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-19 13:48:50 +00:00
svenpanne@chromium.org
010d9aba16 Avoid relying on monkey-patchable things in String.prototype.split.
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/17391016

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15206 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-19 12:25:40 +00:00
yangguo@chromium.org
1be45275c6 Fix test for bots that force --parallel-recompilation as shell flag.
R=jkummerow@chromium.org
BUG=

Review URL: https://codereview.chromium.org/16914006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15202 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-19 09:32:05 +00:00
mvstanton@chromium.org
c70b41684d Use type feedback for Array (non-constructor) call sites.
BUG=
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/17155010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15201 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-19 09:25:24 +00:00
yangguo@chromium.org
627872ec67 Do not modify FLAG_parallel_recompilation after start up.
R=jkummerow@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/17202006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15195 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-18 14:25:24 +00:00
mstarzinger@chromium.org
0524263a27 Remove obsolete elements kind check for array literals.
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/17378005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15194 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-18 13:32:06 +00:00
svenpanne@chromium.org
fb7310b1fd Fixed read-only attribute of Function.length in strict mode.
R=cira@chromium.org

Review URL: https://codereview.chromium.org/17006006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15189 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-18 07:51:50 +00:00
palfia@homejinni.com
f8fc5c443e Allow running mjsunit/manual-parallel-recompile on single-core systems.
- Add an %IsParallelSupported() builtin function to make it possible to check support of parallel processing from JavaScript.
- Change the test script so that, if parallel recompilation is forced on a single core CPU, it expects that it won't be recompiled in parallel.
- Change JSFunction::MarkForParallelRecompilation() to fall back gracefully if parallel recompilation is not supported.

BUG=v8:2733
TEST=mjsunit/manual-parallel-recompile

Review URL: https://codereview.chromium.org/17277002
Patch from Balazs Kilvady <kilvadyb@homejinni.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15184 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-17 16:27:18 +00:00
palfia@homejinni.com
93609033e1 MIPS: Optimise Math.floor(x/y) to use integer division for MIPS.
Use div instruction if some divisors do not have magic number.

Based on commit r11427 (318a9598).

This commit also ports commit r15161 (554d45c1).

BUG=

Review URL: https://codereview.chromium.org/16951016
Patch from Dusan Milosavljevic <Dusan.Milosavljevic@rt-rk.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15181 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-17 15:06:41 +00:00
mvstanton@chromium.org
5b2c1a50d9 HCheckFunction is needed to protect new array constructors in
crankshafted code.

BUG=
R=danno@chromium.org

Review URL: https://codereview.chromium.org/16944006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15118 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-13 14:29:01 +00:00
wingo@igalia.com
d73dace0f5 Delegating yield does not re-box result objects
Delegating yield (yield*) should just pass on the iterator results it
receives instead of re-boxing them.

R=rossberg@chromium.org
TEST=mjsunit/harmony/generators-iteration
BUG=

Review URL: https://codereview.chromium.org/16695006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15113 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-13 10:57:11 +00:00
wingo@igalia.com
09fcac5e39 Use keyed-call inline caches in delegating yield
Since we can't assume anything about the shape of the iterator in a
yield* (delegating yield), use an IC to do the next() and throw()
iterator method calls.

BUG=v8:2691
R=rossberg@chromium.org
TEST=mjsunit/regress/regress-2691

Review URL: https://codereview.chromium.org/15455002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15111 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-13 10:18:28 +00:00
mvstanton@chromium.org
75afb8ce79 Fix for bug 245480. Calling new Array(a) with a single argument could result in creating a holey array with a packed elements kind.
BUG=245480
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/16341004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15095 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-12 18:04:16 +00:00
mstarzinger@chromium.org
93ab1864ea Allow the deoptimizer translation to track de-materialized objects.
This allows the deoptimizer to materialize objects (e.g. the arguments
object) while deopting without having a consecutive stack area holding
the object values. The LEnvironment explicitly tracks locations for
these values and preserves them in the translation.

R=svenpanne@chromium.org
TEST=mjsunit/compiler/inline-arguments

Review URL: https://codereview.chromium.org/16779004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15087 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-12 14:22:49 +00:00
wingo@igalia.com
cc27c4c41b GeneratorFunction() makes generator instances
The current specification has GeneratorFunction() be like Function(),
except that it makes generator instances.  This commit implements that
behavior.  It also fills in a piece of the implementation where
otherwise calling GeneratorFunction or GeneratorFunctionPrototype would
cause an abort because they have no code.

R=mstarzinger@chromium.org
TEST=mjsunit/harmony/generators-iteration
TEST=mjsunit/harmony/generators-runtime
BUG=v8:2355,v8:2680

Review URL: https://codereview.chromium.org/15218004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15084 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-12 12:52:16 +00:00
wingo@igalia.com
1fb2f4b358 For-of statements do not permit initializers.
R=rossberg@chromium.org
BUG=v8:2720

Review URL: https://codereview.chromium.org/16739008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15082 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-12 12:37:44 +00:00
wingo@igalia.com
418ddc800a Allocate generator result objects before unwinding try handlers
When a generator suspends, it saves its state out to the heap and
unwinds try handlers but doesn't pop anything off the stack.  Instead it
relies on no GC happening between the suspend and the return from the
generator.  However this was not the case: boxing the result object
could cause GC, which would try to traverse the stack but would
misinterpret words from unwound try handlers as heap objects.

This CL changes to allocate the result objects before the suspend.  It
also removes the generators-iteration skip introduced in r15065.

R=mstarzinger@chromium.org
TEST=mjsunit/harmony/generators-iteration
BUG=

Review URL: https://codereview.chromium.org/16801006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15079 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-12 11:02:51 +00:00
yangguo@chromium.org
74556569d1 Reland "Enable map dependency to in-flight compilation info."
BUG=248076
R=ulan@chromium.org

Review URL: https://chromiumcodereview.appspot.com/16782004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15077 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-12 09:43:22 +00:00
wingo@igalia.com
5760c7b598 Disable --harmony -> --harmony-generators implication
A GC-related bug has started showing up after r15060 that unfortunately
I haven't been able to reproduce.  Disable generators by default for the
Canary push.

R=danno@chromium.org
BUG=

Review URL: https://codereview.chromium.org/16638011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15065 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-11 14:45:17 +00:00
yangguo@chromium.org
6da97b1d4a Revert "Enable map dependency to in-flight compilation info."
This includes r15032, r15030 and r15005.

R=ulan@chromium.org
BUG=248076

Review URL: https://chromiumcodereview.appspot.com/16482004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15061 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-11 11:55:56 +00:00
jkummerow@chromium.org
9447014780 Skip some conditional deopts for Div/Mul when all uses are truncating.
- set "can be minus zero" flag properly so minus-zero checks are skipped
- skip "integer result?" check in division code when uses are truncating
- drive-by cleanup: consolidated computation of kCanOverflow flag for Add/Sub into range inference phase

BUG=v8:2132
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/16741002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15060 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-11 11:43:57 +00:00
wingo@igalia.com
f68d6a10f8 Fix crasher when checking for "of", but next token has no literal buffer
Also fix a typo in an assertion in scanner.h.

R=mstarzinger@chromium.org
BUG=248025
TEST=mjsunit/regress/regress-crbug-248025.js

Review URL: https://codereview.chromium.org/16549003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15059 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-11 11:30:03 +00:00
wingo@igalia.com
29a1044409 Keep native fuzzing blacklists in sync
R=yangguo@chromium.org
BUG=

Review URL: https://codereview.chromium.org/16436005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15036 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-10 12:25:31 +00:00
wingo@igalia.com
093492f01c Don't fuzz _GeneratorNext
The previous patch that renamed _GeneratorSend to _GeneratorNext missed
the blacklist in fuzz-natives-part4.

R=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/16339008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15035 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-10 12:06:13 +00:00
mstarzinger@chromium.org
ecc41e30c0 Fix re-initialization of existing double field.
R=verwaest@chromium.org
BUG=v8:2717
TEST=mjsunit/regress/regress-2717

Review URL: https://codereview.chromium.org/16735003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15033 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-10 11:55:47 +00:00
yangguo@chromium.org
b0afb77731 Fix parallel recompilation wrt transition maps dependency.
R=ulan@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/15896038

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15032 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-10 11:33:23 +00:00
yangguo@chromium.org
1594eca8ed Fix parallel recompilation wrt initial object/array map dependency.
R=ulan@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/16641002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15030 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-10 11:17:48 +00:00
wingo@igalia.com
f88bca9576 Generator object "next" method takes optional send value
Update the generators implementation to make "next" also do the job of
what was previously called "send" by taking an optional argument.
Remove send, and do a bunch of renamings.

R=rossberg@chromium.org
BUG=v8:2355, v8:2715

Review URL: https://codereview.chromium.org/16136011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15028 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-10 09:26:18 +00:00
verwaest@chromium.org
3588aa45cd Take all uses into account to clear int32 truncation.
R=jkummerow@chromium.org

Review URL: https://chromiumcodereview.appspot.com/16656002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15017 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-07 17:28:46 +00:00
yangguo@chromium.org
17cfe68015 Enable map dependency to in-flight compilation info.
R=ulan@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/16542003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15005 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-07 13:27:03 +00:00
wingo@igalia.com
b29a78fb02 Baseline for-of implementation
Add full-codegen support for the ES6 for-of iteration statement.

R=mstarzinger@chromium.org, rossberg@chromium.org
TEST=mjsunit/harmony/iteration-semantics
BUG=v8:2214

Review URL: https://codereview.chromium.org/15288011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15002 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-07 11:12:21 +00:00
wingo@igalia.com
cb0d146862 Add initial parser support for harmony iteration
This commit adds initial parser support for harmony iteration.
Specifically, it will parse:

  for (x of y) {}
  for (let x of y) {}
  for (var x of y) {}

The semantics are still unimplemented.

TEST=mjsunit/harmony/for-of-syntax
BUG=v8:2214
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/15300018

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14984 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-06 14:38:26 +00:00
verwaest@chromium.org
16199c63d8 Initialized representations of computed values to None.
R=danno@chromium.org

Review URL: https://chromiumcodereview.appspot.com/14721009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14982 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-06 14:21:35 +00:00
mvstanton@chromium.org
701f356bac Move runtime array constructor functions from builtins.cc to runtime.cc.
Not only is runtime.cc a better location, but situations arise soon where we'll
want to make runtime calls to these functions.

BUG=
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/16399007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14977 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-06 13:22:42 +00:00
mvstanton@chromium.org
a9a80fb422 Allocation type info advice consumed in bailout path leads to assert failure.
If the runtime is taken for a constructor like "new Array(100000)", where
allocation site info already led to an elements kind of DOUBLE, then the runtime
would fail to transition the array to dictionary mode. Better to recognize this
case and avoid wasting time by following the advice. Furthermore, it offers a
way to recognize that the array should be in dictionary mode (though a future
checkin will capitalize on that).

BUG=
R=danno@chromium.org

Review URL: https://codereview.chromium.org/15993012

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14966 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-06 09:26:30 +00:00
verwaest@chromium.org
5e8679beea Remove the optimized construct stub.
R=mstarzinger@chromium.org

Review URL: https://chromiumcodereview.appspot.com/15993016

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14946 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-05 08:43:25 +00:00
adamk@chromium.org
de92d0b0e0 Array.observe emit splices for array length change and update index >= length
R=adamk@chromium.org, rossberg@chromium.org

Review URL: https://codereview.chromium.org/15504002

Patch from Rafael Weinstein <rafaelw@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14944 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-04 23:58:49 +00:00
jkummerow@chromium.org
20cedf9a4b Liveness analysis for environment slots in Hydrogen
R=titzer@chromium.org

Review URL: https://codereview.chromium.org/15533004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14938 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-04 16:41:24 +00:00
mvstanton@chromium.org
3d3c6b1599 Special Array constructor type feedback erroneously recorded when Array
was called as a function. Issue was found with optimize_constructed_array
turned on. This patch makes the fix, and turns the flag back on.

BUG=244461
R=danno@chromium.org

Review URL: https://codereview.chromium.org/16057005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14917 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-03 14:46:23 +00:00
jkummerow@chromium.org
b4058a3bd4 Fast literals: fixed initialization of non-copied in-object property fields
BUG=chromium:245424
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/16190008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14906 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-31 15:50:19 +00:00
verwaest@chromium.org
5b08a1a119 Fix DeferredTaggedToINoSSE2 to not unconditionally untag undefined to 0.
R=danno@chromium.org

Review URL: https://chromiumcodereview.appspot.com/16228002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14896 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-31 08:37:34 +00:00
verwaest@chromium.org
1a4a904bef Replace DeoptimizeOnUndefined with whitelisting AllowUndefinedAsNan
R=danno@chromium.org

Review URL: https://chromiumcodereview.appspot.com/15952007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14894 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-30 09:11:06 +00:00
adamk@chromium.org
09c489ea93 Re-land: Implement ObservedArrayPop, ObservedArrayShift, ObservedArrayUnshift & ObservedArraySplice
Original issue: https://codereview.chromium.org/15331002/

Broke mozilla/js1_5/Array/regress-451483.js, which ends up attempting to call %IsObserved() on a non-object.

IsObserved now checks for JSReceiver and returns false rather than crashing.

R=adamk@chromium.org, rossberg@chromium.org

Review URL: https://codereview.chromium.org/15777007

Patch from Rafael Weinstein <rafaelw@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14888 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-29 17:26:05 +00:00
yurys@chromium.org
09959efe41 Add support for //# sourceURL similar to deprecated //@ sourceURL one.
BUG=v8:2702
R=yangguo@chromium.org, yurys@chromium.org

Review URL: https://codereview.chromium.org/15859010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14883 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-29 12:40:21 +00:00
mstarzinger@chromium.org
26e7936e27 Re-enable allocation-site-info test case.
R=svenpanne@chromium.org
TEST=mjsunit/allocation-site-info

Review URL: https://codereview.chromium.org/16192002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14867 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-29 08:29:25 +00:00
svenpanne@chromium.org
116fe61f5e Disabled broken test
TBR=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/15951006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14866 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-29 07:32:10 +00:00
mstarzinger@chromium.org
3b114cdd64 Fix IfBuilder::Deopt to clear the current block.
R=jkummerow@chromium.org
BUG=chromium:243868
TEST=mjsunit/regress/regress-crbug-243868

Review URL: https://codereview.chromium.org/16155003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14854 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-28 15:30:49 +00:00
rossberg@chromium.org
ecb6bd2718 Revert "Implement ObservedArrayPop, ObservedArrayShift, ObservedArrayUnshift & ObservedArraySplice"
This reverts commit r14846.

Broke Mozilla test (see http://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20shared/builds/3608/steps/Mozilla/logs/stdio), e.g.:

=== mozilla/js1_5/Array/regress-451483 ===
--- stdout ---
BUGNUMBER: 451483
STATUS: [].splice.call(0) == []
/mnt/data/b/build/slave/v8-linux-shared/build/v8/test/mozilla/data/js1_5/Array/regress-451483.js:57: illegal access
  var result = [].splice.call(0);
                         ^
Command: /mnt/data/b/build/slave/v8-linux-shared/build/v8/out/Release/d8 --test --nobreak-on-abort --nodead-code-elimination --nofold-constants --expose-gc /mnt/data/b/build/slave/v8-linux-shared/build/v8/test/mozilla/mozilla-shell-emulation.js /mnt/data/b/build/slave/v8-linux-shared/build/v8/test/mozilla/data/shell.js /mnt/data/b/build/slave/v8-linux-shared/build/v8/test/mozilla/data/js1_5/shell.js /mnt/data/b/build/slave/v8-linux-shared/build/v8/test/mozilla/data/js1_5/Array/shell.js /mnt/data/b/build/slave/v8-linux-shared/build/v8/test/mozilla/data/js1_5/Array/regress-451483.js

TBR=rafaelw@chromium.org
BUG=

Review URL: https://codereview.chromium.org/16150003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14851 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-28 13:00:53 +00:00
rossberg@chromium.org
6fa987193e Make (Object.)observed Arrays use SafeRemoveArrayHoles during sort
R=adamk,rossberg
BUG=

Review URL: https://codereview.chromium.org/15837006

Patch from Rafael Weinstein <rafaelw@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14847 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-28 11:23:59 +00:00
rossberg@chromium.org
c06dc9d010 Implement ObservedArrayPop, ObservedArrayShift, ObservedArrayUnshift & ObservedArraySplice
R=rossberg,adamk,arv
BUG=

Review URL: https://codereview.chromium.org/15331002

Patch from Rafael Weinstein <rafaelw@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14846 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-28 11:16:02 +00:00
verwaest@chromium.org
aa2444269b Fix the hole loading optimization.
- Holes are only ever loaded as double or tagged.
- Change to tagged has to deoptimize on undefined (no implicit
  conversions from double the hole NaN -> tagged undefined).

BUG=
R=jkummerow@chromium.org

Review URL: https://chromiumcodereview.appspot.com/16099006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14829 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-27 17:33:14 +00:00
verwaest@chromium.org
9d3e7e5b81 Fix Object.freeze for objects with mixed accessors and data properties
The bug in the existing code was that it modified the |attributes|
local variable on its way through the loop in CopyUpToAddAttributes.
But that affected any properties updated after an accessor property.
The code now sets up a mask each time and applies that instead of
mutating |attributes|.

R=verwaest@chromium.org

Review URL: https://chromiumcodereview.appspot.com/16051002

Patch from Adam Klein <adamk@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14818 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-27 10:56:27 +00:00
yangguo@chromium.org
3e41834721 Regexp parser: reset flag after scanning ahead for capture groups.
When the regexp pattern parser encounters an unbound reference to a
capturing group, it needs to scan ahead to decide whether it really
is a reference.  The scan advances to the end of the pattern string
and sets has_more_ to false, but fails to reset it to true so that
later on, parsing a character class wrongly fails.

R=ulan@chromium.org
BUG=v8:2690

Review URL: https://chromiumcodereview.appspot.com/15712006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14817 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-27 10:53:37 +00:00
yangguo@chromium.org
7c2a1346d6 Fix edge case in stack trace formatting.
Bug description: in strict mode, null as receiver is not implicitly converted
to the global object, so that when formatting the stack trace, the receiver of
the stack frame is null. The IS_OBJECT check returns true for null, but
%GetDataProperty expected a JSObject, which results in a failed RUNTIME_ASSERT.

R=mvstanton@chromium.org
BUG=237617

Review URL: https://chromiumcodereview.appspot.com/15670003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14797 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-24 11:33:46 +00:00
yangguo@chromium.org
1d39355405 Add belated test for the SeqStringSetChar bug.
R=titzer@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/15849003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14790 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-24 08:37:27 +00:00
mstarzinger@chromium.org
8fb2086847 Fix embedded new-space pointer in LCmpObjectEqAndBranch.
R=mvstanton@chromium.org
BUG=chromium:240032
TEST=mjsunit/regress/regress-crbug-240032

Review URL: https://codereview.chromium.org/15779004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14777 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-23 14:06:28 +00:00
mvstanton@chromium.org
1a4482ab3f Missing type cell on ia32 from bindings.
JavaScript constructors called from C++ code didn't have a type cell
properly filled in on ia32. This showed up as a bug in webkit bindings.
Re-enabled flag optimize-constructed-arrays.

BUG=
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/15870002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14775 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-23 13:45:33 +00:00
yangguo@chromium.org
a1e18bdf3c Improve SeqStringSetChar implementation.
R=jkummerow@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/15743006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14769 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-23 09:51:06 +00:00
verwaest@chromium.org
308e69755b Implement HChange support for Smis and use it in Load/StoreNameField
BUG=
R=verwaest@chromium.org

Review URL: https://chromiumcodereview.appspot.com/15303004

Patch from Daniel Clifford <danno@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14765 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-23 08:32:07 +00:00
verwaest@chromium.org
36e91242fd Make Object.freeze fast
This patch not only speeds up the freeze operation itself, but also
allows properties to remain in fast mode. Objects with non-empty
elements backing stores still end up with slow elements.

Relanding r14758 and r14759 with fix for Test262: only mark properties
and elements READ_ONLY if they are not JS setter/getters. Tightened up
tests to assert frozen-ness, and added targeted tests for the new code
(covering accessors).

BUG=v8:1858, 115960
R=verwaest@chromium.org

Review URL: https://chromiumcodereview.appspot.com/15691007

Patch from Adam Klein <adamk@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14762 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-23 07:05:58 +00:00
adamk@chromium.org
4d48bb832f Revert "Make Object.freeze fast"
and "Fix Object.freeze on dictionary-backed arrays to properly freeze elements"

This reverts r14758 and r14759 due to introducing failures in Test262

TBR=verwaest@chromium.org

Review URL: https://codereview.chromium.org/15681004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14760 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 21:27:00 +00:00
adamk@chromium.org
3ebccb7aae Fix Object.freeze on dictionary-backed arrays to properly freeze elements
Follow-up to r14758: slightly rearranges JSObject::Freeze() to avoid duplicating
code while still retaining proper dictionary elements storage behavior.

Also fix a lint error.

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/15737018

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14759 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 20:40:04 +00:00
adamk@chromium.org
648e99e308 Make Object.freeze fast
This patch not only speeds up the freeze operation itself, but also
allows properties to remain in fast mode. Objects with non-empty
elements backing stores still end up with slow elements.

BUG=v8:1858, 115960
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/14888005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14758 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 18:53:58 +00:00
mstarzinger@chromium.org
b704cb9139 Fix bogus deopt in BuildEmitDeepCopy for holey arrays.
R=verwaest@chromium.org
BUG=chromium:242924
TEST=mjsunit/regress/regress-crbug-242924

Review URL: https://codereview.chromium.org/15735012

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14757 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 17:58:21 +00:00
verwaest@chromium.org
b353b1d131 Don't allow copying holes to fields.
R=jkummerow@chromium.org

Review URL: https://chromiumcodereview.appspot.com/15745006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14753 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 15:33:53 +00:00
mstarzinger@chromium.org
bf413b5122 Fix VisitLogicalExpression for empty blocks on RHS.
R=jkummerow@chromium.org
BUG=chromium:242870
TEST=mjsunit/regress/regress-crbug-242870

Review URL: https://codereview.chromium.org/15744002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14747 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 13:27:00 +00:00
yangguo@chromium.org
9960b24694 Fix unexpected elements transition in JSON.parse
R=verwaest@chromium.org
BUG=241344

Review URL: https://chromiumcodereview.appspot.com/15739003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14746 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 13:24:18 +00:00
verwaest@chromium.org
8db3014974 Keep representations while overwriting transitions.
BUG=chromium:241477
R=jkummerow@chromium.org

Review URL: https://chromiumcodereview.appspot.com/15718002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14745 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 10:46:33 +00:00
mstarzinger@chromium.org
d696f7b3c1 Use explicit type feedback clearing in some tests.
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/15711004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14744 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 09:17:27 +00:00
hpayer@chromium.org
9c3c28646b Force GC before executing unbox double arrays test to avoid timeouts.
BUG=

Review URL: https://codereview.chromium.org/15292002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14743 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-22 09:05:22 +00:00
mstarzinger@chromium.org
db4a770c3f Add regression test for fix from r14732.
R=verwaest@chromium.org
BUG=chromium:242502
TEST=mjsunit/regress/regress-crbug-242502

Review URL: https://codereview.chromium.org/15288008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14734 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-21 14:20:42 +00:00
mvstanton@chromium.org
239b2830cc Turning off optimize-constructed-arrays to investigate a WebKit/bindings issue.
BUG=
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/15303002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14718 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-17 12:33:48 +00:00
hpayer@chromium.org
d7427aa938 Fix transition test to support allocation site info.
BUG=

Review URL: https://codereview.chromium.org/15270002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14716 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-17 08:56:45 +00:00
verwaest@chromium.org
73d084fad3 Fix bugs in rewriting combined with attributes and accessors
R=danno@chromium.org

Review URL: https://chromiumcodereview.appspot.com/14843023

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14713 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-17 03:16:20 +00:00
titzer@chromium.org
5746d38351 Fix code gen bug on arm and mips; SeqStringSetChar overwrites a register; Add better default PrintDataTo for HInstruction
BUG=

Review URL: https://codereview.chromium.org/14895019

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14710 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-16 14:27:39 +00:00
rossberg@chromium.org
8ce0718763 Implement Array.observe and emit splice change records for ArrayPush
Review URL: https://codereview.chromium.org/14978007

Patch from Rafael Weinstein <rafaelw@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14705 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-16 11:19:37 +00:00
adamk@chromium.org
0ed681905c Re-land Notifier.prototype.performChange + tests
Fixes the debug check failure on sorting an object with an array __proto__.

Original Issue: https://codereview.chromium.org/14779011/

TBR=adamk@chromium.org

Review URL: https://codereview.chromium.org/14977015

Patch from Rafael Weinstein <rafaelw@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14698 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-15 22:09:40 +00:00
adamk@chromium.org
91daa127c9 Revert "Implement Object.getNotifier(obj).performChange()" (r14696)
Reverts r14696 because it caused debug assertion failures when running
test/mjsunit/harmony/object-observe.js

TBR=rossberg

Review URL: https://codereview.chromium.org/15203002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14697 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-15 18:47:48 +00:00
adamk@chromium.org
07a54cd06d Implement Object.getNotifier(obj).performChange()
R=rossberg,adamk,arv
BUG=

Review URL: https://codereview.chromium.org/14779011
Patch from Rafael Weinstein <rafaelw@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14696 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-15 17:44:45 +00:00
wingo@igalia.com
55f6281281 Revert "GeneratorFunction() makes generator instances"
This reverts r14684 because of blink LayoutTest failures in
inspector/debugger/debugger-pause-in-internal.html.

R=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/14619040

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14694 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-15 15:57:58 +00:00
mvstanton@chromium.org
31b8fc19c3 With flag optimize-constructed-arrays on, ARM and MIPS suffered a performance degrade due to incorrect code in GenerateRecordCallTarget().
The CL also enables flag optimize-constructed-arrays.

BUG=
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/14772043

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14692 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-15 15:17:01 +00:00
wingo@igalia.com
e24cc32011 GeneratorFunction() makes generator instances
The current specification has GeneratorFunction() be like Function(),
except that it makes generator instances.  This commit implements that
behavior.  It also fills in a piece of the implementation where
otherwise calling GeneratorFunction or GeneratorFunctionPrototype would
cause an abort because they have no code.

R=mstarzinger@chromium.org, rossberg@chromium.org
TEST=mjsunit/harmony/generators-iteration
TEST=mjsunit/harmony/generators-runtime
BUG=v8:2355
BUG=v8:2680

Review URL: https://codereview.chromium.org/14857009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14684 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-15 13:22:05 +00:00
wingo@igalia.com
d6fa1d8ad9 Function constructor should avoid String.prototype methods
Replace a use of .indexOf with a call to StringIndexOf.  As always,
lexical scoping to the rescue.

R=mstarzinger@chromium.org
TEST=mjsunit/regress/regress-2686
BUG=v8:2686

Review URL: https://codereview.chromium.org/14668013

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14678 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-15 10:52:06 +00:00
wingo@igalia.com
8f602260d3 Implement yield* (delegating yield)
Ideally this would have been implemented via desugaring at parse-time,
but yield* is an expression, and its desugaring includes statements like
while and try/catch.  We'd have to have BlockExpression in the AST to
support that, and it's not worth it for this feature.

So instead we implement all of the logic in
FullCodeGenerator::VisitYield.  Delegating yield AST nodes now have a
try handler index, for the try/catch.  Otherwise the implementation is
straightforward.

R=rossberg@chromium.org
BUG=v8:2355
TEST=mjsunit/harmony/generators-iteration

Review URL: https://codereview.chromium.org/14582007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14669 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-14 16:26:56 +00:00
wingo@igalia.com
b7ecb8cb8d Revert mistakenly committed r14667 and r14666.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14668 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-14 16:17:26 +00:00
wingo@igalia.com
25c1d78e3d Implement yield* (delegating yield)
Ideally this would have been implemented via desugaring at parse-time,
but yield* is an expression, and its desugaring includes statements like
while and try/catch.  We'd have to have BlockExpression in the AST to
support that, and it's not worth it for this feature.

So instead we implement all of the logic in
FullCodeGenerator::VisitYield.  Delegating yield AST nodes now have a
try handler index, for the try/catch.  Otherwise the implementation is
straightforward.

R=mstarzinger@chromium.org
BUG=v8:2355
TEST=mjsunit/harmony/generators-iteration

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14666 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-14 15:59:25 +00:00
titzer@chromium.org
68eb1e50ca Improve dead code elimination by transitively marking live code and removing all dead code. Replace unreachable phi removal algorithm with the new dead code elimination pass, which is more thorough.
Review URL: https://codereview.chromium.org/14676011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14661 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-14 13:10:52 +00:00
wingo@igalia.com
1634369af7 Don't flush code for generator functions.
R=mstarzinger@chromium.org
BUG=v8:2681
TEST=mjsunit/regress/regress-2681

Review URL: https://codereview.chromium.org/14731023

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14649 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-13 17:36:26 +00:00
dslomov@chromium.org
5777f3fb48 Enable native implementation of array buffer and typed arrays in d8 and tests.
R=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/15059009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14646 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-13 14:18:43 +00:00
jkummerow@chromium.org
7636fdec27 Fix missing hole check for loads from Smi arrays when all uses are changes
BUG=chromium:233737

Review URL: https://codereview.chromium.org/14978004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14638 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-13 11:58:10 +00:00
danno@chromium.org
05e8e0e7b4 Elide hole checks on KeyedLoads of holey double arrays
Improves NavierStokes by about 5%

R=ulan@chromium.org

Review URL: https://codereview.chromium.org/15014020

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14630 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-13 07:35:26 +00:00
svenpanne@chromium.org
f853b08ad0 Fixed constant folding in HMod.
We have to check for overflow before attempting to do a modulo operation,
otherwise Crankshaft itself segfaults on some platforms, e.g. ia32. Added tests
even for division, where the problem doesn't show up, just to be sure...

R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/14617014

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14629 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-13 07:32:38 +00:00
verwaest@chromium.org
df57747fc4 Track heap objects.
R=danno@chromium.org

Review URL: https://chromiumcodereview.appspot.com/14996004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14625 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-10 17:17:50 +00:00
wingo@igalia.com
3f09e0a3d8 Remove separate maps for function instances
ES3 specified that functions created via Function() would have
enumerable prototypes, unlike function literals.  For this reason, V8
has always had two prototypes for functions: "function_map" for
literals, and "function_instance_map" for "function instances": those
functions created by Function().

However, since 2009 or so, both maps have been the same!  Both have had
writable, non-enumerable prototypes.  Moreover, ES5 changed to specify
that function instances would have non-enumerable prototypes.

This patch removes the separate maps for function instances in sloppy
and strict mode.

R=mstarzinger@chromium.org
TEST=mjsunit/function-prototype
BUG=

Review URL: https://codereview.chromium.org/14829005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14619 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-10 12:59:20 +00:00
mstarzinger@chromium.org
eb18db3ab4 Skip flaky regress-crbug-160010 regression test.
R=ulan@chromium.org
BUG=chromium:160010
TEST=mjsunit/regress/regress-crbug-160010

Review URL: https://codereview.chromium.org/14908006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14614 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-10 10:39:16 +00:00
verwaest@chromium.org
52008429b7 Use mutable heapnumbers to store doubles in fields.
R=danno@chromium.org

Review URL: https://chromiumcodereview.appspot.com/14850006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14597 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-08 15:02:08 +00:00
ulan@chromium.org
cd4e9866b7 Fix environment in HOptimizedGraphBuilder::VisitCountOperation. Follow-up for r14584.
R=danno@chromium.org
BUG=v8:2671
TEST=mjsunit/regress/regress-2671-1.js

Review URL: https://chromiumcodereview.appspot.com/14972009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14596 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-08 14:58:06 +00:00
mvstanton@chromium.org
f5ad8e4469 Turn off optimize-constructed-arrays flag to investigate ARM perf issue
BUG=
R=danno@chromium.org

Review URL: https://codereview.chromium.org/14753007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14588 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-08 08:49:29 +00:00
danno@chromium.org
bd9274436c Bias commutative single-use register inputs and support lea adds
This improves register allocation for many common add and multiply patterns on ia32 and x64 by reducing register pressure.

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/14856015

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14587 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-08 08:37:24 +00:00
wingo@igalia.com
75d939aceb Generators save and restore stack handlers
This CL adds machinery to unwind stack handlers from the stack and store
them into a generator's operand array.  It also includes routines to
reinstate them.  Together this allows generators to yield within
try/catch and try/finally blocks.

BUG=v8:2355
R=mstarzinger@chromium.org
TEST=mjsunit/harmony/generators-iteration

Review URL: https://codereview.chromium.org/14031028

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14586 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-08 08:08:23 +00:00
ulan@chromium.org
e5a29e8ff9 Do not change environment between simulate and scope with no observable side-effects in HandlePropertyAssignment.
LChunkBuilder reconstructs the environment by applying simulates. A scope with no observable side-effects has no simulates. If the scope deoptimizes, then LChunkBuilder would miss the changes to the environment between the last simulate and the scope.

R=danno@chromium.org
BUG=v8:2671
TEST=mjsunit/regress/regress-2671.js

Review URL: https://chromiumcodereview.appspot.com/14793009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14584 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-08 07:40:28 +00:00
mvstanton@chromium.org
d7b013de57 Because of cross-context calls, hydrogen-based Array constructor needs to ensure
the array constructor pointer passed in matches that of the current context.

BUG=
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/14846017

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14581 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-07 21:01:53 +00:00
dslomov@chromium.org
b15bbfbe39 Implement TypedArray.set function.
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/14581005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-07 14:42:17 +00:00
dslomov@chromium.org
e45abf08cc Update mjsunit tests to be compliant with ES6 implementation of typed arrays
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/14580012

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14575 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-07 14:03:50 +00:00
verwaest@chromium.org
46d39cabd6 Fix polymorphic to monomorphic load to take representation into account.
Review URL: https://chromiumcodereview.appspot.com/14966005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14565 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-07 10:32:23 +00:00
wingo@igalia.com
3cd73ebc2f Generators return boxed values
Generators now box their return values in object literals of the form

  { value: VAL, done: DONE }

where DONE is false for yield expressions, and true for return
statements.

BUG=v8:2355
TEST=mjsunit/harmony/generators-iteration
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/13870007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14563 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-07 08:46:42 +00:00
wingo@igalia.com
19e5f6cbf0 toString() on generator functions prints with function*
This CL adds a %FunctionIsGenerator runtime function, and uses it in the
function toString() implementation.

R=mstarzinger@chromium.org
BUG=v8:2355
TEST=mjsunit/harmony/generators-runtime

Review URL: https://codereview.chromium.org/14912002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14544 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-03 13:01:28 +00:00
dslomov@chromium.org
02889cafb8 Add type checks to typed array property getters.
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/14650014

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14538 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-03 09:59:50 +00:00
dslomov@chromium.org
18d02d06f0 Implement TypedArray.subarray method.
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/14740017

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14537 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-03 09:43:44 +00:00
dslomov@chromium.org
8b1f81fa24 Allow pathological zero-length typed arrays.
R=rossberg@chromium.org
BUG=

Review URL: https://codereview.chromium.org/14857002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14520 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-02 13:51:03 +00:00
dslomov@chromium.org
343bf33918 Range checking bug in typed array constructor.
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/14850011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14519 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-02 13:30:57 +00:00
dslomov@chromium.org
2751eeb361 More typed array constructors.
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/14845012

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14518 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-02 12:27:03 +00:00
dslomov@chromium.org
6e86141916 Implementation of Uint8ClampedArray.
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/14657003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14517 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-02 11:36:48 +00:00
dslomov@chromium.org
1da21f1868 Revert "Flag optimize-constructed-arrays turned on."
This reverts commit r14491.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14492 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-30 11:23:34 +00:00
mvstanton@chromium.org
ff57a1062b Flag optimize-constructed-arrays turned on.
This routes array construction through a hydrogen stub, and enables use of
allocation site info tracking.

BUG=

Review URL: https://codereview.chromium.org/14616010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14490 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-30 08:22:05 +00:00
dslomov@chromium.org
9e2c046f5c TypedArray(length) constructor
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/14460008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14486 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-29 16:16:31 +00:00
danno@chromium.org
e6570d43ba Fix bug in CompareNil IC
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/13863022

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14483 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-29 15:09:22 +00:00
danno@chromium.org
528792e39b Fix beyond-heap load on x64 Crankshafted StringCharFromCode
BUG=chromium:235311
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/14387008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14481 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-29 14:34:24 +00:00
dslomov@chromium.org
7b1e7463f2 Remove __ prefix from Harmony typed arrays implementation
R=rossberg@chromium.org
BUG=

Review URL: https://codereview.chromium.org/14402026

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14477 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-29 11:18:27 +00:00
verwaest@chromium.org
99e17bb12a Track storage types of instance variables.
Review URL: https://chromiumcodereview.appspot.com/14146005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14464 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-26 15:30:41 +00:00
mstarzinger@chromium.org
1706fe657e Add support for yield expressions
This CL extends the generator suspend and resume implementation to
capture values on the operand stack.

It factors out some helpers to measure and access the operand stack into
the JavaScriptFrame class.  It also refactors the suspend and resume
helpers to avoid handle allocation.

BUG=v8:2355
TEST=mjsunit/harmony/generators-iteration

Review URL: https://codereview.chromium.org/14348003

Patch from Andy Wingo <wingo@igalia.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14458 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-26 12:09:32 +00:00
mstarzinger@chromium.org
885fd2f4b2 Fix yield inside with
This patch makes it so that suspending generators always saves the
context.  Previously we erroneously assumed that if the operand stack
was empty, that the context would be unchanged, but that is not the case
with "with".

Fixing this brought out an interesting bug in the variable allocator.
Yield inside with will reference a context-allocated temporary holding
the generator object.  Before the fix, this object was looked up in the
with context instead of the function context, because with contexts were
not being simulated during full-codegen.  Previously this was OK as all
variables would be given LOOKUP allocation instead of CONTEXT, but the
context-allocated temporary invalidated this assumption.  The fix is to
simulate the context chain more accurately in full-codegen.

R=mstarzinger@chromium.org
BUG=v8:2355
TEST=mjsunit/harmony/generators-iteration

Review URL: https://codereview.chromium.org/14416011

Patch from Andy Wingo <wingo@igalia.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14454 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-26 11:55:22 +00:00
mstarzinger@chromium.org
bb2d8a51da Implement support for Math.imul in Crankshaft.
R=jkummerow@chromium.org
TEST=mjsunit/math-imul

Review URL: https://codereview.chromium.org/14471041

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14450 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-26 08:52:35 +00:00
mvstanton@chromium.org
e751ad06d9 Constructed arrays can be created with Hydrogen code stubs. The feature is still off by default (--optimize-constructed-arrays).
BUG=

Review URL: https://codereview.chromium.org/12385014

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14441 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-25 16:00:32 +00:00
mstarzinger@chromium.org
8f1fc88f8c Relax --debug-code checks that runtime returns are not the hole
ia32, unlike the other architectures, includes a --debug-code check that
asserts that runtime functions do not return the hole.  However the new
SuspendJSGeneratorObject runtime does return the hole at times.

This CL adds a wee hack that only signals an error if the callee was not
SuspendJSGeneratorObject.

R=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/13856011

Patch from Andy Wingo <wingo@igalia.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14437 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-25 12:00:07 +00:00
mstarzinger@chromium.org
71dc9e165f Capture receiver in generator object
Previously there has been no reason to context-allocate the receiver, so
access to the receiver always goes through the stack.  This was failing
with generators, which assumed that forcing context allocation would
relieve the need of storing anything but the context and the function on
the stack.

This CL adds a slot in generator objects to capture the receiver, and
restores it when resuming a generator.

BUG=v8:2355
TEST=mjsunit/harmony/generators-iteration

Review URL: https://codereview.chromium.org/14158006

Patch from Andy Wingo <wingo@igalia.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14434 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-25 10:59:09 +00:00
jkummerow@chromium.org
628875475e Fix overflow check in mul-i which was missing since r14322
Review URL: https://codereview.chromium.org/14471012

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14430 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-25 07:36:59 +00:00
mstarzinger@chromium.org
338f11850a Fix generator suspend and resume on ARM
This CL fixes a number of rookie mistakes in
FullCodeGenerator::VisitYield and
FullCodeGenerator::EmitGeneratorResume, and re-enables the
generators-iteration test on ARM.

R=mstarzinger@chromium.org
BUG=v8:2355
TEST=mjsunit/harmony/generators-iteration

Review URL: https://codereview.chromium.org/13843022

Patch from Andy Wingo <wingo@igalia.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14424 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-24 16:07:44 +00:00
mstarzinger@chromium.org
23f39546b9 Generators can resume
The generator object methods "next", "send", and "throw" now
include some inline assembly to set up a resumed stack frame.  In some
common cases, we can just jump back into the frame to resume it.
Otherwise the resume code calls out to a runtime to fill in the operand
stack, rewind the handlers, and possibly to throw an exception.

BUG=v8:2355
TESTS=mjsunit/harmony/generators-iteration

Review URL: https://codereview.chromium.org/14066016

Patch from Andy Wingo <wingo@igalia.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14415 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-24 13:00:16 +00:00
dslomov@chromium.org
852f90339a Adds EXTERNAL_DOUBLE_ARRAY to a list of instance types
BUG=v8:2646

Patch by Andrei Kashcha <anvaka@gmail.com>

Review URL: https://codereview.chromium.org/14042008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14398 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-23 17:02:09 +00:00
ulan@chromium.org
bc4d7878e6 Do not emit Simulates in HandlePolymorphicElementAccess.
BUG=v8:2653
R=jkummerow@chromium.org
TEST=mjsunit/regress/regress-2653.js

Review URL: https://chromiumcodereview.appspot.com/14081025

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14396 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-23 15:28:44 +00:00
svenpanne@chromium.org
cd34acdae3 Do not emit double values at their use sites.
Revert part of r14179. From the regression test's comment:

Currently, the gap resolver doesn't handle moves from a ConstantOperand to a
DoubleRegister, but these kind of moves appeared when HConstant::EmitAtUses
was changed to allow special double values (-0, NaN, hole). So we should
either enhance the gap resolver or make sure that such moves don't happen.

BUG=chrome:234101

Review URL: https://codereview.chromium.org/14429002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14394 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-23 13:08:10 +00:00
rossberg@chromium.org
3cd9f6a40e Add d8 functionality for switching between realms (a.k.a. contexts), 2nd try
The only difference to the previous implementation (https://codereview.chromium.org/14295011/) is in patch set 2.

R=yangguo@chromium.org
BUG=

Review URL: https://codereview.chromium.org/14404005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14373 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-22 11:29:52 +00:00
mstarzinger@chromium.org
8fa1186258 Skip one generators test because of no-snap failures.
R=rossberg@chromium.org
BUG=v8:2355
TEST=mjsunit/harmony/generators-objects

Review URL: https://codereview.chromium.org/13956023

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14366 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-22 08:46:02 +00:00
mstarzinger@chromium.org
0f348e5592 Generator objects can suspend
* src/ast.h:
* src/parser.cc: Differentiate between the different kinds of yields, in
  anticipation of boxing return values.  Parse `return' into `yield' in
  a generator.

* src/runtime.h:
* src/runtime.cc (Runtime_SuspendJSGeneratorObject): New horrible
  runtime function: saves continuation, context, and operands into the
  generator object.

* src/arm/full-codegen-arm.cc (VisitYield):
* src/ia32/full-codegen-ia32.cc (VisitYield):
* src/x64/full-codegen-x64.cc (VisitYield): Arrange to call
  SuspendJSGeneratorObject.  If the call returns the hole, we suspend.
  Otherwise we resume.

BUG=v8:2355
TEST=These codepaths are tested when the generator is first invoked, and so
are covered by mjsunit/harmony/generators-objects.js.

Review URL: https://codereview.chromium.org/13704010

Patch from Andy Wingo <wingo@igalia.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14353 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-19 14:11:23 +00:00
yurys@chromium.org
c0fca4e8c8 Revert r14252 as it broke --prof for some cases
R=jkummerow
BUG=v8:2642

Review URL: https://codereview.chromium.org/14367020

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14348 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-19 11:55:01 +00:00
yangguo@chromium.org
72a05845ec Revert r14310 due to isolate tests failure.
R=mstarzinger@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/14021004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14334 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-18 14:41:24 +00:00
mstarzinger@chromium.org
adf9afc09e Fix missing Smi check in grow mode keyed stores.
R=danno@chromium.org
TEST=mjsunit/regress/regress-grow-store-smi-check

Review URL: https://codereview.chromium.org/14352011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14332 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-18 14:18:27 +00:00
jkummerow@chromium.org
5eadc1a428 Remove SCons related files
Review URL: https://codereview.chromium.org/14348002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14328 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-18 11:01:14 +00:00
dslomov@chromium.org
3e31a67bf8 Disable the test due to Win64 build problems.
The large allocation actually succeeds on Win64, but it looks like
subsequent memory adjustment fails. Disabling the test for now, will
investigate further.

TBR=rossberg

Review URL: https://codereview.chromium.org/14330006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14320 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-17 18:13:44 +00:00
yangguo@chromium.org
b3707c17d6 Inline String.fromCharCode in hydrogen.
BUG=

Review URL: https://chromiumcodereview.appspot.com/14296009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14315 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-17 16:37:11 +00:00
rossberg@chromium.org
2458a801f7 Add d8 functionality for switching between realms (a.k.a. contexts)
R=mstarzinger@chromium.org,yangguo@chromium.org
BUG=

Review URL: https://codereview.chromium.org/14295011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14310 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-17 15:07:31 +00:00
mstarzinger@chromium.org
57a7714e06 Generator objects have [[Class]] === "Generator"
Generator object maps now link to their constructors, which are created
with a "Generator" class name.  This does not cause a per-generator
constructor property to be set.

BUG=v8:2355
TEST=mjsunit/harmony/generators-objects

Review URL: https://codereview.chromium.org/14262004

Patch from Andy Wingo <wingo@igalia.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14309 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-17 15:01:25 +00:00
dslomov@chromium.org
c1a19275d3 First cut at implementing ES6 TypedArrays in V8.
BUG=

Review URL: https://codereview.chromium.org/13975012

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14285 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-16 14:16:30 +00:00
yangguo@chromium.org
d7b78dc230 Fix OOB write in --print-code.
R=jkummerow@chromium.org
BUG=v8:2624

Review URL: https://chromiumcodereview.appspot.com/14018010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14267 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-15 15:19:51 +00:00
mstarzinger@chromium.org
591a8ec86c Calling a generator function returns a generator object
* src/heap.h:
* src/heap.cc:
* src/objects-debug.cc:
* src/objects-inl.h:
* src/objects-printer.cc:
* src/objects-visiting.cc:
* src/objects.cc:
* src/objects.h: Define a new object type, JSGeneratorObject.

* src/factory.h:
* src/factory.cc (NewFunctionFromSharedFunctionInfo): Generator function
  initial maps construct the new JS_GENERATOR_OBJECT_TYPE objects, not
  generic JSObjects.

* src/runtime.h:
* src/runtime.cc (Runtime_CreateJSGeneratorObject):
* src/arm/full-codegen-arm.cc (Generate):
* src/ia32/full-codegen-ia32.cc (Generate):
* src/x64/full-codegen-x64.cc (Generate): Before visiting generator
  bodies, arrange to construct and return a generator object.

* test/mjsunit/harmony/generators-objects.js: Add tests for the
  properties and prototype of generator objects.

BUG=v8:2355
TEST=mjsunit/harmony/generators-objects

Review URL: https://codereview.chromium.org/13542002

Patch from Andy Wingo <wingo@igalia.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14264 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-15 12:29:44 +00:00
yurys@chromium.org
5206b08451 Remove code that analyzes tos values from tickprocessor
Assuming that the value on top of stack is return address for a frameless invocation is error-prone. Corresponding logic was removed from profile-generator.cc in r14205 (see https://code.google.com/p/v8/source/diff?spec=svn14205&r=14205&format=side&path=/branches/bleeding_edge/src/profile-generator.cc) and now it is time to remove it from the tick processor.

Since the tos is not used anymore by profiler it is also removed from TickSample.

BUG=None

Review URL: https://codereview.chromium.org/13873009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14252 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-12 11:20:22 +00:00
mstarzinger@chromium.org
75c388e691 Fix detection of indexed properties in Object.defineProperty()
When defining an indexed property on an Array object, the object's
length property should (perhaps) be updated.  This was done for any
property for which

  ToUInt32(name) == ToNumber(name)

was true, meaning any property name that, when converted to a number,
was an integer in the range [0, 2^32).  The detection should be more
strict; an indexed property is one for which

  ToString(ToUInt32(name)) == name

is true only.

Review URL: https://codereview.chromium.org/13914003

Patch from Jens Lindström <jl@opera.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14242 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-12 08:45:14 +00:00
rossberg@chromium.org
8e8bbc0e6c * src/generator.js: Add methods and initialization for generator meta-objects.
* src/contexts.h:
* src/bootstrapper.cc (InitializeExperimentalGlobal): Make generator
  meta-objects, and store maps for constructing generator functions
  and their prototypes.

* src/factory.h:
* src/factory.cc (MapForNewFunction): New helper.
  (NewFunctionFromSharedFunctionInfo): Use the new helper.

* src/heap.cc (AllocateFunctionPrototype, AllocateInitialMap): For
   generators, allocate appropriate prototypes and maps.

* src/code-stubs.h:
* src/arm/code-stubs-arm.h:
* src/arm/full-codegen-arm.h:
* src/ia32/code-stubs-ia32.h:
* src/ia32/full-codegen-ia32.h:
* src/x64/code-stubs-x64.h:
* src/x64/full-codegen-x64.h: Allow fast closure creation for generators,
using the appropriate map.

* test/mjsunit/harmony/builtins.js: Add a special case for
  GeneratorFunctionPrototype.prototype.__proto__.

BUG=
TEST=mjsunit/harmony/generators-runtime

Review URL: https://codereview.chromium.org/13192004

Patch from Andy Wingo <wingo@igalia.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14236 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-11 16:28:19 +00:00
mstarzinger@chromium.org
d311208e12 Move creation of collection prototypes into JavaScript.
R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/14165004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14234 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-11 13:31:51 +00:00
rossberg@chromium.org
723cd9887f Fix set-up of intrinsic's 'constructor' properties
Looks so easy...

R=mstarzinger@chromium.org
BUG=229445

Review URL: https://codereview.chromium.org/13880007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14229 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-11 12:27:55 +00:00
yangguo@chromium.org
da5c11a44a Fix JSON.stringify's slow path wrt sliced strings.
R=mvstanton@chromium.org
BUG=229923

Review URL: https://chromiumcodereview.appspot.com/14107004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14224 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-11 09:53:00 +00:00
hpayer@chromium.org
2db9e62fc8 Build fast literals in hydrogen.
BUG=

Review URL: https://codereview.chromium.org/12880017

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14211 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-10 13:52:08 +00:00
yangguo@chromium.org
996a80df45 Fix OSR for nested loops.
R=jkummerow@chromium.org
BUG=v8:2618

Review URL: https://chromiumcodereview.appspot.com/13811014

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14202 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-10 09:24:31 +00:00
verwaest@chromium.org
79d18ea332 Let ComputeTarget fail if it skips over NORMAL objects.
BUG=v8:2595

Review URL: https://chromiumcodereview.appspot.com/13862008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14190 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-09 16:38:51 +00:00
mvstanton@chromium.org
b7022fd2be Improvements for x87 stack handling
BUG=

Review URL: https://codereview.chromium.org/13426006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14179 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-09 08:42:57 +00:00
ulan@chromium.org
74839e86d7 Modifications to tests and test tools for Native Client V8.
BUG=2614

Review URL: https://chromiumcodereview.appspot.com/13638013
Patch from Brad Chen <bradchen@google.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14178 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-09 08:39:01 +00:00
yangguo@chromium.org
fe6fc554b0 Fix slow path of JSON.stringifier when GC strikes.
FlatContent is not GC-safe.

R=verwaest@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/13782002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14175 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-09 08:12:59 +00:00
verwaest@chromium.org
c569d31ff5 Adding standard-compliance tests for array functions.
BUG=v8:2615

Review URL: https://chromiumcodereview.appspot.com/13601009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14174 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-09 08:09:52 +00:00
verwaest@chromium.org
98d8c9e452 Always check global property cells for readonliness before storing.
Add check when the global object is the last in the chain.

Review URL: https://chromiumcodereview.appspot.com/13730002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14173 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-09 08:09:05 +00:00
yangguo@chromium.org
9559181b0e Fix worst-case behavior of MergeRemovableSimulates().
Currently, when a long series of removable simulates are merged, we do
this by merging them one by one as we find them.  As we merge the
value lists of the simulates, those lists snowball so that we get a
quadratic complexity wrt runtime and memory consumption.

Instead, we gather simulates that need to be merged, and merge them
backwards starting from the last simulate.

R=jkummerow@chromium.org
BUG=v8:2612

Review URL: https://chromiumcodereview.appspot.com/13649003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14169 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-08 17:37:22 +00:00
yangguo@chromium.org
e33b68817b Fix Array.prototype.concat when exceeding array size limit.
R=verwaest@chromium.org
BUG=v8:581

Review URL: https://chromiumcodereview.appspot.com/13465008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14154 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-05 15:12:59 +00:00
mstarzinger@chromium.org
b6efbd79de Force context allocation for variables in generator scopes.
* src/scopes.h (ForceContextAllocation, has_forced_context_allocation):
  New interface to force context allocation for an entire function's
  scope.

* src/scopes.cc: Unless a new scope is a function scope, if its outer
  scope has forced context allocation, it should also force context
  allocation.
  (MustAllocateInContext): Return true if the scope as a whole has
  forced context allocation.
  (CollectStackAndContextLocals): Allow temporaries to be
  context-allocated.

* src/parser.cc (ParseFunctionLiteral): Force context allocation for
  generator scopes.

* src/v8globals.h (VariableMode): Update comment on TEMPORARY.

* src/arm/full-codegen-arm.cc (Generate):
* src/ia32/full-codegen-ia32.cc (Generate):
* src/x64/full-codegen-x64.cc (Generate): Assert that generators have no
  stack slots.

* test/mjsunit/harmony/generators-instantiation.js: New test.

BUG=v8:2355
TEST=mjsunit/harmony/generators-instantiation

Review URL: https://codereview.chromium.org/13408005
Patch from Andy Wingo <wingo@igalia.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14152 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-05 13:19:31 +00:00
yangguo@chromium.org
deecbb2e01 Do not implicitly convert non-object receivers for strict mode functions.
This was still the case for Array.prototype.* builtin functions.

R=rossberg@chromium.org
BUG=v8:2273

Review URL: https://chromiumcodereview.appspot.com/13473009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14149 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-05 11:57:02 +00:00
mstarzinger@chromium.org
48635f7d58 Fix minor typo in generator parsing test.
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/13575010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14148 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-05 08:38:40 +00:00
mstarzinger@chromium.org
9fd5eb52d4 Skip long running regression test from r14078.
R=yangguo@chromium.org
BUG=chromium:217858
TEST=mjsunit/regress/regress-crbug-217858

Review URL: https://codereview.chromium.org/13640004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14141 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-04 14:46:18 +00:00
mstarzinger@chromium.org
9e757a604c Make __proto__ a real JavaScript accessor property.
This turns the __proto__ callback from a foreign callback into a real
JavaScript accessor. It makes the accessor behavior of this property
explicit.

R=rossberg@chromium.org
BUG=v8:1949,v8:2606
TEST=mjsunit/regress/regress-2606

Review URL: https://codereview.chromium.org/13533004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14139 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-04 12:10:23 +00:00
dslomov@chromium.org
370caca72c Test behavior of qNaN and sNaN
BUG=v8:2607

Review URL: https://codereview.chromium.org/13470002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14133 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-04 09:31:24 +00:00
ulan@chromium.org
eee5884f8d Add extra flag for load-ic stubs in code cache.
This allows distinguishing stubs compiled for the current object from
stubs compiled for objects that have the current object as a prototype.

BUG=v8:2593
R=verwaest@chromium.org

Review URL: https://chromiumcodereview.appspot.com/13552003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14132 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-04 08:29:25 +00:00
rossberg@chromium.org
b449691db2 ES6 symbols: fix corner cases of equality operators
R=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/13552002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14128 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-03 17:06:22 +00:00
dslomov@chromium.org
a172a5e839 Remove (H|L)JSArrayLength instructions
BUG=

Review URL: https://codereview.chromium.org/12491023

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14127 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-03 16:25:24 +00:00
danno@chromium.org
98281c62f0 Ensure UseRegisterAtStart not used with fixed temp/return register
R=vegorov@chromium.org
BUG=chromium:201590

Review URL: https://codereview.chromium.org/13527007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14124 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-03 14:45:39 +00:00
mstarzinger@chromium.org
2816f19680 Add parser support for generators.
This patchset begins by adding support for "yield", which is unlike other tokens
in JS. In a generator, whether strict or classic, it is a syntactic keyword.
In classic mode it is an identifier. In strict mode it is reserved.

This patch adds YIELD as a token to the scanner, and adapts the preparser and
parser appropriately. It also parses "function*", indicating that a function is
actually a generator, for both eagerly and lazily parsed functions.

Currently "yield" just compiles as "return".

BUG=v8:2355
TEST=mjsunit/harmony/generators-parsing

Review URL: https://codereview.chromium.org/12646003
Patch from Andy Wingo <wingo@igalia.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14116 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-02 17:34:59 +00:00
yangguo@chromium.org
443f85eed9 Add test to check that Function.caller must not expose native functions.
R=svenpanne@chromium.org
BUG=v8:105

Review URL: https://chromiumcodereview.appspot.com/13166002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14096 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-28 14:31:48 +00:00
yangguo@chromium.org
a3f0f942a3 Always allocate symbols in old space.
Keys are expected to be tenured. This now not only includes internalized
strings, but also symbols.

R=rossberg@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/13158002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14095 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-28 13:52:31 +00:00
dslomov@chromium.org
47d8af7616 Canonicalize NaNs on store to Fast(Float|Double) arrays
Also treat holey NaN coming from external float/double arrays correctly

BUG=2596

Review URL: https://codereview.chromium.org/12918028

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14094 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-28 13:30:16 +00:00
dslomov@chromium.org
944c577c7b First steps towards implementing ArrayBuffer &co in V8
BUG=

Review URL: https://codereview.chromium.org/13064003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14091 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-28 12:50:18 +00:00
rossberg@chromium.org
15ab3a0612 ES6 symbols: symbol properties should not cause going into slow mode.
R=yangguo@chromium.org
BUG=

Review URL: https://codereview.chromium.org/13042013

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14089 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-28 12:01:46 +00:00
yangguo@chromium.org
9155d20282 Stack trace API: poison stack frames below the first strict mode frame.
Function and receiver objects are not accessible for poisoned frames.

R=rossberg@chromium.org
BUG=v8:2564

Review URL: https://chromiumcodereview.appspot.com/13150003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14085 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-28 10:40:07 +00:00
yangguo@chromium.org
a942fcd984 Add test case for missing deopt sequence after forced deopt.
R=danno@chromium.org
BUG=217858

Review URL: https://chromiumcodereview.appspot.com/13042005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14078 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-27 09:58:32 +00:00
yangguo@chromium.org
bb632dc49d Only copy with, block and catch scopes in DebugEvaluate.
R=ulan@chromium.org
BUG=171715

Review URL: https://chromiumcodereview.appspot.com/13093003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14077 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-26 17:46:16 +00:00
danno@chromium.org
c3486bc4eb Remove bogus test flags
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/12872007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14072 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-25 17:59:15 +00:00
danno@chromium.org
dfd9ea8087 Fix store_mode bug involving polymorphism with external and JS arrays.
Review URL: https://codereview.chromium.org/12987014

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14064 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-25 15:19:22 +00:00
verwaest@chromium.org
a8b3215afa Change LookupForWrite to always do a full lookup and check the result.
If we find a property in the prototype-chain that we can overwrite, and
we have a transition, keep the holder in the lookup-result as the actual
holder. We will need it for the consistency-check in GenerateStoreField.

By directly checking the entire chain we avoid having to lazily bail out
to a copy of the miss stub while generating the Field Store IC.

Currently this CL disallows a normal non-receiver holder, given that
that would require a positive lookup + details verification to ensure
the property did not become read-only. This fixes the regressions in the
attached tests.

Review URL: https://chromiumcodereview.appspot.com/12810006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14061 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-25 12:55:27 +00:00
yangguo@chromium.org
b347a0dcae Correctly materialize arguments object in Runtime_DebugEvaluate.
The problem was that if the # arguments specified in the function
declaration and the # arguments passed to the function are not
the same, we use an arguments adapter frame to make it work. This
confuses the existing implementation to materialize the arguments
object.

R=peter.rybin@gmail.com
BUG=222893

Review URL: https://chromiumcodereview.appspot.com/12674027

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14059 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-25 10:01:53 +00:00
adamk@chromium.org
9bebd23d5c Fix %GetArrayKeys to not skip non-enumerable indices
This is one step in the direction of fixing a range of small bugs in the array methods when dealing with non-standard element attributes.

Added tests exercising this behavior for shift and unshift.

For Proxies and Interceptors, the behavior of %GetArrayKeys is now to just return an interval, rather than trying to list all their indexed properties. In the Proxy case, this seems like the only way to avoid an observable difference between smart and non-smart array methods. For Interceptors, the usual case (in WebKit, anyway) is for them to have all indices in [0, length), so enumerating them won't be any better than simply iterating over that range.

Review URL: https://codereview.chromium.org/12653010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14057 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-22 18:04:32 +00:00
rossberg@chromium.org
52aec4722d ES6 symbols: prevent reflection, proxy, and observe APIs from leaking symbols
R=svenpanne@chromium.org
BUG=v8:2158

Review URL: https://codereview.chromium.org/12422019

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14056 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-22 17:27:44 +00:00
rossberg@chromium.org
2657e432e4 ES6 symbols: implement name property
Adds string-valued name property to symbols, and uses it for pretty-printing.

Requires allocating symbols in pointer space, with a custom iterator to skip the unboxed hash.

R=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/12459026

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14053 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-22 16:51:28 +00:00
rossberg@chromium.org
83d4a41dec ES6 symbols: turn symbols into a proper primitive type
(qua last week's TC39)

Specifically:
- Install Symbol constructor function on the global object.
- Adjust code generation for typeof.
- Remove IsSymbol built-in, IS_SYMBOL macro now defined using typeof.
- Remove hack that allowed symbols as constructor results, and some other special cases.
- Remove symbol_delegate and GetDelegate function.
- Extend ToBoolean stub to handle symbols.
- Extend ToNumber to return NaN on symbols.
- Poison symbol's toString function, and thereby ToString on symbols.

R=mstarzinger@chromium.org
BUG=v8:2158

Review URL: https://codereview.chromium.org/12957004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14051 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-22 16:33:50 +00:00
adamk@chromium.org
51a888ff48 Fix bogus left-shifts in Array tests
Review URL: https://codereview.chromium.org/12729014

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14050 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-22 15:08:30 +00:00
yangguo@chromium.org
27b0979347 Restore correct regression test for crbug/146910.
For some reason (rebase conflicts?) the regression test introduced
in r12547 was overwritten by r13340.

The test in question already exists in regress-latin-1

R=dcarney@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/13023003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14043 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-22 09:04:36 +00:00
yangguo@chromium.org
006b1a88a0 Fix JSON.stringifier's slow path wrt external strings.
R=verwaest@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/12825016

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14042 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-22 08:42:38 +00:00
yangguo@chromium.org
5fcc52fcb9 Simplify debug evaluate.
R=peter.rybin@gmail.com
BUG=v8:2585, 173608

Review URL: https://chromiumcodereview.appspot.com/12953002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14019 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-21 08:50:29 +00:00
yangguo@chromium.org
b522319a98 Extend test coverage for JSON.stringify's slow path.
R=verwaest@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/12702009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14008 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-20 14:07:30 +00:00
danno@chromium.org
ffd0c712e8 Implement many KeyedStoreStubs using Crankshaft
- Addition of a compiled hydrogen stub for KeyedStores.
- Inlining of "grow" stubs into OPTIMIZED_FUNCTIONs
- Addition of new "ignore OOB" ic stub that silently swallows out-of-bounds stores to external typed arrays.
- Addition of new "copy-on-write" ic stub that inlines allocation and copying operations for cow array
- New stubs are generated with Crankshaft, so they are automatically inlined into OPTIMIZED_FUNCTIONs

Review URL: https://codereview.chromium.org/12221064

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14001 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-20 10:37:13 +00:00