Just give internal ones an ArrayBuffer with a NULL backing store. This
simplifies the access checks a lot.
BUG=v8:3996
R=hpayer@chromium.org,verwaest@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1109353003
Cr-Commit-Position: refs/heads/master@{#28168}
An initial 'code age' state that will turn into a 'pre-aging' code age only after it was executed the first time.
BUG=470930
LOG=Y
Review URL: https://codereview.chromium.org/1107233004
Cr-Commit-Position: refs/heads/master@{#28162}
Implements the strong mode proposal's restrictions on
implicit conversions for binary arithmetic operations, not
including the + special case. Adds some infrastructure
for future implementation of the restrictions for other
operators.
BUG=v8:3956
LOG=N
Review URL: https://codereview.chromium.org/1092353002
Cr-Commit-Position: refs/heads/master@{#28045}
Port 13459c1ae3
Original commit message:
Calling new Array(JSObject::kInitialMaxFastElementArray) in optimized code
makes a stub call that bails out due to the length. Currently, the bailout
code a) doesn't have the allocation site, and b) wouldn't use it if it did
because the length is perceived to be too high.
This CL passes the allocation site to the stub call (rather than undefined),
and alters the bailout code to utilize the feedback.
R=mvstanton@chromium.org, michael_dawson@ca.ibm.com, dstence@us.ibm.com
BUG=
Review URL: https://codereview.chromium.org/1089913002
Cr-Commit-Position: refs/heads/master@{#27895}
This adds a missing bailout id to a ForInStatement for when retrieving
and filtering a property name deoptimizes. This can happen with proxies
that have a getPropertyDescriptor trap.
R=jarin@chromium.org
TEST=mjsunit/for-in-opt
Review URL: https://codereview.chromium.org/1086083002
Cr-Commit-Position: refs/heads/master@{#27846}
This avoids both a mysterious boolean argument ("insert") and lets
non-mutating lookups skip passing an allocator (in one such case,
we were passing a scary-looking ZoneAllocationPolicy(NULL)!).
Review URL: https://codereview.chromium.org/1074943002
Cr-Commit-Position: refs/heads/master@{#27799}
Use fsub rather than fadd to avoid stripping the sign from minus zero.
Fixes mjsunit/result-table-min and mjsunit/result-table-max test failures.
R=michael_dawson@ca.ibm.com
BUG=
Review URL: https://codereview.chromium.org/1084583003
Cr-Commit-Position: refs/heads/master@{#27794}
Port 35a67b745d
Original commit message:
Thanks to some careful assumptions, we can examine the object found at
vector[slot] and trust it's a heap object where the second field is
either a map if it's a WeakCell, or definitely not a map if it's a
Symbol, String or FixedArray. Use this to save a memory read.
R=mbrandy@us.ibm.com
BUG=
Review URL: https://codereview.chromium.org/1059133005
Cr-Commit-Position: refs/heads/master@{#27728}
Port 2d281e71ac
Original commit message:
This enables eager optimization of top-level code with TurboFan and
extends test coverage by triggering it with the --always-opt flag.
Script contexts are now also properly allocated in TurboFan.
R=titzer@chromium.org, mstarzinger@chromium.org,mbrandy@us.ibm.com
BUG=
Review URL: https://codereview.chromium.org/1052123005
Cr-Commit-Position: refs/heads/master@{#27726}
Port 146598f44a
Original commit message:
Optimistically pushing a lot of arguments can run into the stack limit of the process, at least on operating systems where this limit is close to the limit that V8 sets for itself.
R=mbrandy@us.ibm.com
BUG=
Review URL: https://codereview.chromium.org/1073893002
Cr-Commit-Position: refs/heads/master@{#27719}
Previously, the only optimized code path for Maps and Sets was for String keys.
This was achieved through an implementation of various complex operations
in Hydrogen. This approach was neither scalable nor forward-compatible.
This patch adds the necessary intrinsics to implement Maps and Sets almost entirely
in JS. The added intrinsics are:
%_FixedArrayGet
%_FixedArraySet
%_TheHole
%_JSCollectionGetTable
%_StringGetRawHashField
With these additions, as well as a few changes to what's exposed as runtime functions,
most of the C++ code backing Maps and Sets is gone (including both runtime code in
objects.cc and Crankshaft in hydrogen.cc).
Review URL: https://codereview.chromium.org/947683002
Cr-Commit-Position: refs/heads/master@{#27605}
This fixes simulated debug-mode failures in the following tests:
mjsunit/regexp-stack-overflow
mjsunit/regress/regress-crbug-467047
R=mbrandy@us.ibm.com
BUG=
Review URL: https://codereview.chromium.org/1035003002
Cr-Commit-Position: refs/heads/master@{#27500}
Port 38a719f965
Original commit message:
This switches full-codegen to no longer push and pop StackHandler
markers onto the operand stack, but relies on a range-based handler
table instead. We only use StackHandlers in JSEntryStubs to mark the
transition from C to JS code.
Note that this makes deoptimization and OSR from within any try-block
work out of the box, makes the non-exception paths faster and should
overall be neutral on the memory footprint (pros).
On the other hand it makes the exception paths slower and actually
throwing and exception more expensive (cons).
TEST=cctest/test-run-jsexceptions/DeoptTry
R=yangguo@chromium.org, R=mbrandy@us.ibm.com
BUG=
Review URL: https://codereview.chromium.org/1035533004
Cr-Commit-Position: refs/heads/master@{#27453}
Port 6689cc27eb
Original commit message:
Handlers should be in charge of this work. The change uncovered a bug in
vector-ics related to keyed loads into strings. It's important for
StringCharCodeAtGenerator, a helper used in full code and in
LoadIndexedStringStub (a handler) to protect the vector and slot registers
when it makes a runtime call to convert a HeapNumber to a Smi.
It's still possible for the handler to MISS after this call, perhaps due
to out of bounds access. In that case, the vector and slot registers need
to be delivered safely to the MISS handler.
R=mbrandy@us.ibm.com, svenpanne@chromium.org
BUG=
Review URL: https://codereview.chromium.org/1029413002
Cr-Commit-Position: refs/heads/master@{#27430}
Port 15f8213809
Original commit message:
This relands commit 96f79568a9.
This makes the Isolate::Throw logic not depend on a prediction of
whether an exception is caught or uncaught. Such a prediction is
inherently undecidable because a finally block can decide between
consuming or re-throwing an exception depending on arbitray control
flow.
There still is a conservative prediction mechanism in place that
components like the debugger or tracing can use for reporting.
With this change we can get rid of the StackHandler::kind field, a
pre-requisite to do table-based lookups of exception handlers.
R=mbrandy@us.ibm.com, yangguo@chromium.org, svenpanne@chromium.org
BUG=
Review URL: https://codereview.chromium.org/1016333002
Cr-Commit-Position: refs/heads/master@{#27381}
Port 34a1a76ddf
Original commit message:
A hydrogen code stub is not the best approach because it builds a frame
and doesn't have the technology to discard roots at tail call exits.
Platform-specific stubs provide much better performance at this point.
R=verwaest@chromium.org, mbrandy@us.ibm.com
BUG=
Review URL: https://codereview.chromium.org/1019003002
Cr-Commit-Position: refs/heads/master@{#27365}
