Version 3.26.8 (based on bleeding_edge revision r20532)
Yet another regression test for range analysis (issue 3204).
Performance and stability improvements on all platforms.
git-svn-id: http://v8.googlecode.com/svn/trunk@20554 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
diff --git a/ChangeLog b/ChangeLog
index 35d152b..eb44bcc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2014-04-08: Version 3.26.8
+
+ Yet another regression test for range analysis (issue 3204).
+
+ Performance and stability improvements on all platforms.
+
+
2014-04-07: Version 3.26.7
Performance and stability improvements on all platforms.
diff --git a/include/v8.h b/include/v8.h
index b1ec504..fb91be3 100644
--- a/include/v8.h
+++ b/include/v8.h
@@ -5599,7 +5599,7 @@
static const int kNullValueRootIndex = 7;
static const int kTrueValueRootIndex = 8;
static const int kFalseValueRootIndex = 9;
- static const int kEmptyStringRootIndex = 152;
+ static const int kEmptyStringRootIndex = 159;
static const int kNodeClassIdOffset = 1 * kApiPointerSize;
static const int kNodeFlagsOffset = 1 * kApiPointerSize + 3;
diff --git a/src/api.cc b/src/api.cc
index 75c67e0..538bf8c 100644
--- a/src/api.cc
+++ b/src/api.cc
@@ -6075,6 +6075,7 @@
ASSERT(byte_offset % sizeof(ElementType) == 0);
CHECK(length <= (std::numeric_limits<size_t>::max() / sizeof(ElementType)));
+ CHECK(length <= static_cast<size_t>(i::Smi::kMaxValue));
size_t byte_length = length * sizeof(ElementType);
SetupArrayBufferView(
isolate, obj, buffer, byte_offset, byte_length);
@@ -6103,6 +6104,11 @@
LOG_API(isolate, \
"v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)"); \
ENTER_V8(isolate); \
+ if (!Utils::ApiCheck(length <= static_cast<size_t>(i::Smi::kMaxValue), \
+ "v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)", \
+ "length exceeds max allowed value")) { \
+ return Local<Type##Array>(); \
+ } \
i::Handle<i::JSTypedArray> obj = \
NewTypedArray<ctype, v8::kExternal##Type##Array, \
i::EXTERNAL_##TYPE##_ELEMENTS>( \
diff --git a/src/code-stubs.h b/src/code-stubs.h
index 5a88942..6a04f67 100644
--- a/src/code-stubs.h
+++ b/src/code-stubs.h
@@ -1201,7 +1201,7 @@
Handle<Code> GetCodeCopyFromTemplate(Isolate* isolate,
Handle<AllocationSite> allocation_site) {
Code::FindAndReplacePattern pattern;
- pattern.Add(isolate->factory()->oddball_map(), allocation_site);
+ pattern.Add(isolate->factory()->undefined_map(), allocation_site);
return CodeStub::GetCodeCopy(isolate, pattern);
}
diff --git a/src/compiler.cc b/src/compiler.cc
index a012d81..5967a44 100644
--- a/src/compiler.cc
+++ b/src/compiler.cc
@@ -956,14 +956,7 @@
}
if (result.is_null()) {
- // No cache entry found. Do pre-parsing, if it makes sense, and compile
- // the script.
- // Building preparse data that is only used immediately after is only a
- // saving if we might skip building the AST for lazily compiled functions.
- // I.e., preparse data isn't relevant when the lazy flag is off, and
- // for small sources, odds are that there aren't many functions
- // that would be compiled lazily anyway, so we skip the preparse step
- // in that case too.
+ // No cache entry found. Compile the script.
// Create a script object describing the script to be compiled.
Handle<Script> script = isolate->factory()->NewScript(source);
diff --git a/src/elements.cc b/src/elements.cc
index f0375ac..b15a515 100644
--- a/src/elements.cc
+++ b/src/elements.cc
@@ -610,8 +610,9 @@
ElementsAccessorSubclass::ValidateContents(holder, length);
}
- virtual void Validate(JSObject* holder) V8_FINAL V8_OVERRIDE {
- ElementsAccessorSubclass::ValidateImpl(holder);
+ virtual void Validate(Handle<JSObject> holder) V8_FINAL V8_OVERRIDE {
+ DisallowHeapAllocation no_gc;
+ ElementsAccessorSubclass::ValidateImpl(*holder);
}
static bool HasElementImpl(Object* receiver,
@@ -732,24 +733,21 @@
? NONEXISTENT : FIELD;
}
- MUST_USE_RESULT virtual AccessorPair* GetAccessorPair(
- Object* receiver,
- JSObject* holder,
+ MUST_USE_RESULT virtual MaybeHandle<AccessorPair> GetAccessorPair(
+ Handle<Object> receiver,
+ Handle<JSObject> holder,
uint32_t key,
- FixedArrayBase* backing_store) V8_FINAL V8_OVERRIDE {
- if (backing_store == NULL) {
- backing_store = holder->elements();
- }
+ Handle<FixedArrayBase> backing_store) V8_FINAL V8_OVERRIDE {
return ElementsAccessorSubclass::GetAccessorPairImpl(
receiver, holder, key, backing_store);
}
- MUST_USE_RESULT static AccessorPair* GetAccessorPairImpl(
- Object* receiver,
- JSObject* obj,
- uint32_t key,
- FixedArrayBase* backing_store) {
- return NULL;
+ MUST_USE_RESULT static MaybeHandle<AccessorPair> GetAccessorPairImpl(
+ Handle<Object> receiver,
+ Handle<JSObject> obj,
+ uint32_t key,
+ Handle<FixedArrayBase> backing_store) {
+ return MaybeHandle<AccessorPair>();
}
MUST_USE_RESULT virtual Handle<Object> SetLength(
@@ -1014,7 +1012,7 @@
if (!array->ShouldConvertToSlowElements(new_capacity)) {
FastElementsAccessorSubclass::
SetFastElementsCapacityAndLength(array, new_capacity, length);
- array->ValidateElements();
+ JSObject::ValidateElements(array);
return length_object;
}
@@ -1655,19 +1653,20 @@
return NONEXISTENT;
}
- MUST_USE_RESULT static AccessorPair* GetAccessorPairImpl(
- Object* receiver,
- JSObject* obj,
+ MUST_USE_RESULT static MaybeHandle<AccessorPair> GetAccessorPairImpl(
+ Handle<Object> receiver,
+ Handle<JSObject> obj,
uint32_t key,
- FixedArrayBase* store) {
- SeededNumberDictionary* backing_store = SeededNumberDictionary::cast(store);
+ Handle<FixedArrayBase> store) {
+ Handle<SeededNumberDictionary> backing_store =
+ Handle<SeededNumberDictionary>::cast(store);
int entry = backing_store->FindEntry(key);
if (entry != SeededNumberDictionary::kNotFound &&
backing_store->DetailsAt(entry).type() == CALLBACKS &&
backing_store->ValueAt(entry)->IsAccessorPair()) {
- return AccessorPair::cast(backing_store->ValueAt(entry));
+ return handle(AccessorPair::cast(backing_store->ValueAt(entry)));
}
- return NULL;
+ return MaybeHandle<AccessorPair>();
}
static bool HasElementImpl(Object* receiver,
@@ -1766,18 +1765,18 @@
}
}
- MUST_USE_RESULT static AccessorPair* GetAccessorPairImpl(
- Object* receiver,
- JSObject* obj,
+ MUST_USE_RESULT static MaybeHandle<AccessorPair> GetAccessorPairImpl(
+ Handle<Object> receiver,
+ Handle<JSObject> obj,
uint32_t key,
- FixedArrayBase* parameters) {
- FixedArray* parameter_map = FixedArray::cast(parameters);
- Object* probe = GetParameterMapArg(obj, parameter_map, key);
+ Handle<FixedArrayBase> parameters) {
+ Handle<FixedArray> parameter_map = Handle<FixedArray>::cast(parameters);
+ Handle<Object> probe = GetParameterMapArg(obj, parameter_map, key);
if (!probe->IsTheHole()) {
- return NULL;
+ return MaybeHandle<AccessorPair>();
} else {
// If not aliased, check the arguments.
- FixedArray* arguments = FixedArray::cast(parameter_map->get(1));
+ Handle<FixedArray> arguments(FixedArray::cast(parameter_map->get(1)));
return ElementsAccessor::ForArray(arguments)->GetAccessorPair(
receiver, obj, key, arguments);
}
diff --git a/src/elements.h b/src/elements.h
index ef20898..5963c9f 100644
--- a/src/elements.h
+++ b/src/elements.h
@@ -48,7 +48,7 @@
// Checks the elements of an object for consistency, asserting when a problem
// is found.
- virtual void Validate(JSObject* obj) = 0;
+ virtual void Validate(Handle<JSObject> obj) = 0;
// Returns true if a holder contains an element with the specified key
// without iterating up the prototype chain. The caller can optionally pass
@@ -127,11 +127,18 @@
// can optionally pass in the backing store to use for the check, which must
// be compatible with the ElementsKind of the ElementsAccessor. If
// backing_store is NULL, the holder->elements() is used as the backing store.
- MUST_USE_RESULT virtual AccessorPair* GetAccessorPair(
- Object* receiver,
- JSObject* holder,
+ MUST_USE_RESULT virtual MaybeHandle<AccessorPair> GetAccessorPair(
+ Handle<Object> receiver,
+ Handle<JSObject> holder,
uint32_t key,
- FixedArrayBase* backing_store = NULL) = 0;
+ Handle<FixedArrayBase> backing_store) = 0;
+
+ MUST_USE_RESULT inline MaybeHandle<AccessorPair> GetAccessorPair(
+ Handle<Object> receiver,
+ Handle<JSObject> holder,
+ uint32_t key) {
+ return GetAccessorPair(receiver, holder, key, handle(holder->elements()));
+ }
// Modifies the length data property as specified for JSArrays and resizes the
// underlying backing store accordingly. The method honors the semantics of
diff --git a/src/factory.cc b/src/factory.cc
index 08c3a8b..7588536 100644
--- a/src/factory.cc
+++ b/src/factory.cc
@@ -1380,6 +1380,15 @@
Handle<JSArray> Factory::NewJSArray(ElementsKind elements_kind,
+ PretenureFlag pretenure) {
+ CALL_HEAP_FUNCTION(isolate(),
+ isolate()->heap()->AllocateJSArray(elements_kind,
+ pretenure),
+ JSArray);
+}
+
+
+Handle<JSArray> Factory::NewJSArray(ElementsKind elements_kind,
int length,
int capacity,
ArrayStorageAllocationMode mode,
@@ -1400,13 +1409,13 @@
int length,
PretenureFlag pretenure) {
ASSERT(length <= elements->length());
- CALL_HEAP_FUNCTION(
- isolate(),
- isolate()->heap()->AllocateJSArrayWithElements(*elements,
- elements_kind,
- length,
- pretenure),
- JSArray);
+ Handle<JSArray> array =
+ isolate()->factory()->NewJSArray(elements_kind, pretenure);
+
+ array->set_elements(*elements);
+ array->set_length(Smi::FromInt(length));
+ JSObject::ValidateElements(array);
+ return array;
}
diff --git a/src/factory.h b/src/factory.h
index c72faae..7f56bce 100644
--- a/src/factory.h
+++ b/src/factory.h
@@ -328,6 +328,11 @@
Handle<ScopeInfo> scope_info);
// JS arrays are pretenured when allocated by the parser.
+
+ Handle<JSArray> NewJSArray(
+ ElementsKind elements_kind,
+ PretenureFlag pretenure = NOT_TENURED);
+
Handle<JSArray> NewJSArray(
ElementsKind elements_kind,
int length,
@@ -346,6 +351,7 @@
INITIALIZE_ARRAY_ELEMENTS_WITH_HOLE, pretenure);
}
+ // Allocate a JSArray with no elements
Handle<JSArray> NewJSArrayWithElements(
Handle<FixedArrayBase> elements,
ElementsKind elements_kind,
diff --git a/src/heap.cc b/src/heap.cc
index f06b8be..a16a19e 100644
--- a/src/heap.cc
+++ b/src/heap.cc
@@ -2757,22 +2757,21 @@
set_meta_map(new_meta_map);
new_meta_map->set_map(new_meta_map);
- { MaybeObject* maybe_obj =
- AllocatePartialMap(FIXED_ARRAY_TYPE, kVariableSizeSentinel);
- if (!maybe_obj->ToObject(&obj)) return false;
- }
- set_fixed_array_map(Map::cast(obj));
+ { // Partial map allocation
+#define ALLOCATE_PARTIAL_MAP(instance_type, size, field_name) \
+ { Map* map; \
+ if (!AllocatePartialMap((instance_type), (size))->To(&map)) return false;\
+ set_##field_name##_map(map); \
+ }
- { MaybeObject* maybe_obj = AllocatePartialMap(ODDBALL_TYPE, Oddball::kSize);
- if (!maybe_obj->ToObject(&obj)) return false;
- }
- set_oddball_map(Map::cast(obj));
+ ALLOCATE_PARTIAL_MAP(FIXED_ARRAY_TYPE, kVariableSizeSentinel, fixed_array);
+ ALLOCATE_PARTIAL_MAP(ODDBALL_TYPE, Oddball::kSize, undefined);
+ ALLOCATE_PARTIAL_MAP(ODDBALL_TYPE, Oddball::kSize, null);
+ ALLOCATE_PARTIAL_MAP(CONSTANT_POOL_ARRAY_TYPE, kVariableSizeSentinel,
+ constant_pool_array);
- { MaybeObject* maybe_obj =
- AllocatePartialMap(CONSTANT_POOL_ARRAY_TYPE, kVariableSizeSentinel);
- if (!maybe_obj->ToObject(&obj)) return false;
+#undef ALLOCATE_PARTIAL_MAP
}
- set_constant_pool_array_map(Map::cast(obj));
// Allocate the empty array.
{ MaybeObject* maybe_obj = AllocateEmptyFixedArray();
@@ -2780,13 +2779,13 @@
}
set_empty_fixed_array(FixedArray::cast(obj));
- { MaybeObject* maybe_obj = Allocate(oddball_map(), OLD_POINTER_SPACE);
+ { MaybeObject* maybe_obj = Allocate(null_map(), OLD_POINTER_SPACE);
if (!maybe_obj->ToObject(&obj)) return false;
}
set_null_value(Oddball::cast(obj));
Oddball::cast(obj)->set_kind(Oddball::kNull);
- { MaybeObject* maybe_obj = Allocate(oddball_map(), OLD_POINTER_SPACE);
+ { MaybeObject* maybe_obj = Allocate(undefined_map(), OLD_POINTER_SPACE);
if (!maybe_obj->ToObject(&obj)) return false;
}
set_undefined_value(Oddball::cast(obj));
@@ -2817,10 +2816,15 @@
fixed_array_map()->init_back_pointer(undefined_value());
fixed_array_map()->set_instance_descriptors(empty_descriptor_array());
- oddball_map()->set_code_cache(empty_fixed_array());
- oddball_map()->set_dependent_code(DependentCode::cast(empty_fixed_array()));
- oddball_map()->init_back_pointer(undefined_value());
- oddball_map()->set_instance_descriptors(empty_descriptor_array());
+ undefined_map()->set_code_cache(empty_fixed_array());
+ undefined_map()->set_dependent_code(DependentCode::cast(empty_fixed_array()));
+ undefined_map()->init_back_pointer(undefined_value());
+ undefined_map()->set_instance_descriptors(empty_descriptor_array());
+
+ null_map()->set_code_cache(empty_fixed_array());
+ null_map()->set_dependent_code(DependentCode::cast(empty_fixed_array()));
+ null_map()->init_back_pointer(undefined_value());
+ null_map()->set_instance_descriptors(empty_descriptor_array());
constant_pool_array_map()->set_code_cache(empty_fixed_array());
constant_pool_array_map()->set_dependent_code(
@@ -2835,8 +2839,11 @@
fixed_array_map()->set_prototype(null_value());
fixed_array_map()->set_constructor(null_value());
- oddball_map()->set_prototype(null_value());
- oddball_map()->set_constructor(null_value());
+ undefined_map()->set_prototype(null_value());
+ undefined_map()->set_constructor(null_value());
+
+ null_map()->set_prototype(null_value());
+ null_map()->set_constructor(null_value());
constant_pool_array_map()->set_prototype(null_value());
constant_pool_array_map()->set_constructor(null_value());
@@ -2859,6 +2866,13 @@
ALLOCATE_MAP(SYMBOL_TYPE, Symbol::kSize, symbol)
ALLOCATE_MAP(FOREIGN_TYPE, Foreign::kSize, foreign)
+ ALLOCATE_MAP(ODDBALL_TYPE, Oddball::kSize, the_hole);
+ ALLOCATE_MAP(ODDBALL_TYPE, Oddball::kSize, boolean);
+ ALLOCATE_MAP(ODDBALL_TYPE, Oddball::kSize, uninitialized);
+ ALLOCATE_MAP(ODDBALL_TYPE, Oddball::kSize, arguments_marker);
+ ALLOCATE_MAP(ODDBALL_TYPE, Oddball::kSize, no_interceptor_result_sentinel);
+ ALLOCATE_MAP(ODDBALL_TYPE, Oddball::kSize, termination_exception);
+
for (unsigned i = 0; i < ARRAY_SIZE(string_type_table); i++) {
const StringTypeTable& entry = string_type_table[i];
{ MaybeObject* maybe_obj = AllocateMap(entry.type, entry.size);
@@ -3042,11 +3056,12 @@
}
-MaybeObject* Heap::CreateOddball(const char* to_string,
+MaybeObject* Heap::CreateOddball(Map* map,
+ const char* to_string,
Object* to_number,
byte kind) {
Object* result;
- { MaybeObject* maybe_result = Allocate(oddball_map(), OLD_POINTER_SPACE);
+ { MaybeObject* maybe_result = Allocate(map, OLD_POINTER_SPACE);
if (!maybe_result->ToObject(&result)) return maybe_result;
}
return Oddball::cast(result)->Initialize(this, to_string, to_number, kind);
@@ -3171,54 +3186,61 @@
if (!maybe_obj->ToObject(&obj)) return false;
}
- { MaybeObject* maybe_obj = CreateOddball("true",
+ { MaybeObject* maybe_obj = CreateOddball(boolean_map(),
+ "true",
Smi::FromInt(1),
Oddball::kTrue);
if (!maybe_obj->ToObject(&obj)) return false;
}
set_true_value(Oddball::cast(obj));
- { MaybeObject* maybe_obj = CreateOddball("false",
+ { MaybeObject* maybe_obj = CreateOddball(boolean_map(),
+ "false",
Smi::FromInt(0),
Oddball::kFalse);
if (!maybe_obj->ToObject(&obj)) return false;
}
set_false_value(Oddball::cast(obj));
- { MaybeObject* maybe_obj = CreateOddball("hole",
+ { MaybeObject* maybe_obj = CreateOddball(the_hole_map(),
+ "hole",
Smi::FromInt(-1),
Oddball::kTheHole);
if (!maybe_obj->ToObject(&obj)) return false;
}
set_the_hole_value(Oddball::cast(obj));
- { MaybeObject* maybe_obj = CreateOddball("uninitialized",
+ { MaybeObject* maybe_obj = CreateOddball(uninitialized_map(),
+ "uninitialized",
Smi::FromInt(-1),
Oddball::kUninitialized);
if (!maybe_obj->ToObject(&obj)) return false;
}
set_uninitialized_value(Oddball::cast(obj));
- { MaybeObject* maybe_obj = CreateOddball("arguments_marker",
+ { MaybeObject* maybe_obj = CreateOddball(arguments_marker_map(),
+ "arguments_marker",
Smi::FromInt(-4),
Oddball::kArgumentMarker);
if (!maybe_obj->ToObject(&obj)) return false;
}
set_arguments_marker(Oddball::cast(obj));
- { MaybeObject* maybe_obj = CreateOddball("no_interceptor_result_sentinel",
+ { MaybeObject* maybe_obj = CreateOddball(no_interceptor_result_sentinel_map(),
+ "no_interceptor_result_sentinel",
Smi::FromInt(-2),
Oddball::kOther);
if (!maybe_obj->ToObject(&obj)) return false;
}
- set_no_interceptor_result_sentinel(obj);
+ set_no_interceptor_result_sentinel(Oddball::cast(obj));
- { MaybeObject* maybe_obj = CreateOddball("termination_exception",
+ { MaybeObject* maybe_obj = CreateOddball(termination_exception_map(),
+ "termination_exception",
Smi::FromInt(-3),
Oddball::kOther);
if (!maybe_obj->ToObject(&obj)) return false;
}
- set_termination_exception(obj);
+ set_termination_exception(Oddball::cast(obj));
for (unsigned i = 0; i < ARRAY_SIZE(constant_string_table); i++) {
{ MaybeObject* maybe_obj =
@@ -4647,22 +4669,6 @@
}
-MaybeObject* Heap::AllocateJSArrayWithElements(
- FixedArrayBase* elements,
- ElementsKind elements_kind,
- int length,
- PretenureFlag pretenure) {
- MaybeObject* maybe_array = AllocateJSArray(elements_kind, pretenure);
- JSArray* array;
- if (!maybe_array->To(&array)) return maybe_array;
-
- array->set_elements(elements);
- array->set_length(Smi::FromInt(length));
- array->ValidateElements();
- return array;
-}
-
-
MaybeObject* Heap::AllocateJSProxy(Object* handler, Object* prototype) {
// Allocate map.
// TODO(rossberg): Once we optimize proxies, think about a scheme to share
diff --git a/src/heap.h b/src/heap.h
index b811092..b56a891 100644
--- a/src/heap.h
+++ b/src/heap.h
@@ -72,7 +72,7 @@
V(Map, fixed_cow_array_map, FixedCOWArrayMap) \
V(Map, fixed_double_array_map, FixedDoubleArrayMap) \
V(Map, constant_pool_array_map, ConstantPoolArrayMap) \
- V(Object, no_interceptor_result_sentinel, NoInterceptorResultSentinel) \
+ V(Oddball, no_interceptor_result_sentinel, NoInterceptorResultSentinel) \
V(Map, hash_table_map, HashTableMap) \
V(FixedArray, empty_fixed_array, EmptyFixedArray) \
V(ByteArray, empty_byte_array, EmptyByteArray) \
@@ -89,7 +89,7 @@
V(FixedArray, single_character_string_cache, SingleCharacterStringCache) \
V(FixedArray, string_split_cache, StringSplitCache) \
V(FixedArray, regexp_multiple_cache, RegExpMultipleCache) \
- V(Object, termination_exception, TerminationException) \
+ V(Oddball, termination_exception, TerminationException) \
V(Smi, hash_seed, HashSeed) \
V(Map, symbol_map, SymbolMap) \
V(Map, string_map, StringMap) \
@@ -179,7 +179,14 @@
V(Map, block_context_map, BlockContextMap) \
V(Map, module_context_map, ModuleContextMap) \
V(Map, global_context_map, GlobalContextMap) \
- V(Map, oddball_map, OddballMap) \
+ V(Map, undefined_map, UndefinedMap) \
+ V(Map, the_hole_map, TheHoleMap) \
+ V(Map, null_map, NullMap) \
+ V(Map, boolean_map, BooleanMap) \
+ V(Map, uninitialized_map, UninitializedMap) \
+ V(Map, arguments_marker_map, ArgumentsMarkerMap) \
+ V(Map, no_interceptor_result_sentinel_map, NoInterceptorResultSentinelMap) \
+ V(Map, termination_exception_map, TerminationExceptionMap) \
V(Map, message_object_map, JSMessageObjectMap) \
V(Map, foreign_map, ForeignMap) \
V(HeapNumber, nan_value, NanValue) \
@@ -266,7 +273,11 @@
V(block_context_map) \
V(module_context_map) \
V(global_context_map) \
- V(oddball_map) \
+ V(undefined_map) \
+ V(the_hole_map) \
+ V(null_map) \
+ V(boolean_map) \
+ V(uninitialized_map) \
V(message_object_map) \
V(foreign_map) \
V(neander_map)
@@ -729,13 +740,6 @@
int capacity,
ArrayStorageAllocationMode mode = DONT_INITIALIZE_ARRAY_ELEMENTS);
- // Allocate a JSArray with no elements
- MUST_USE_RESULT MaybeObject* AllocateJSArrayWithElements(
- FixedArrayBase* array_base,
- ElementsKind elements_kind,
- int length,
- PretenureFlag pretenure = NOT_TENURED);
-
// Returns a deep copy of the JavaScript object.
// Properties and elements are copied too.
// Returns failure if allocation failed.
@@ -2213,7 +2217,8 @@
void CreateFixedStubs();
- MUST_USE_RESULT MaybeObject* CreateOddball(const char* to_string,
+ MUST_USE_RESULT MaybeObject* CreateOddball(Map* map,
+ const char* to_string,
Object* to_number,
byte kind);
diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h
index a6a1f86..e558ac7 100644
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@@ -3378,8 +3378,6 @@
set_representation(Representation::Tagged());
SetFlag(kIsArguments);
}
-
- virtual bool IsDeletable() const V8_FINAL V8_OVERRIDE { return true; }
};
diff --git a/src/ic.cc b/src/ic.cc
index 8e2d589..e8c453f 100644
--- a/src/ic.cc
+++ b/src/ic.cc
@@ -692,7 +692,7 @@
Handle<Map> IC::TypeToMap(HeapType* type, Isolate* isolate) {
if (type->Is(HeapType::Number()))
return isolate->factory()->heap_number_map();
- if (type->Is(HeapType::Boolean())) return isolate->factory()->oddball_map();
+ if (type->Is(HeapType::Boolean())) return isolate->factory()->boolean_map();
if (type->IsConstant()) {
return handle(Handle<JSGlobalObject>::cast(type->AsConstant())->map());
}
@@ -1690,6 +1690,7 @@
if (maybe_object->IsFailure()) return maybe_object;
} else {
bool use_ic = FLAG_use_ic &&
+ !object->IsStringWrapper() &&
!object->IsAccessCheckNeeded() &&
!object->IsJSGlobalProxy() &&
!(object->IsJSObject() &&
diff --git a/src/objects-debug.cc b/src/objects-debug.cc
index ba9ff65..87383c7 100644
--- a/src/objects-debug.cc
+++ b/src/objects-debug.cc
@@ -596,10 +596,11 @@
void Oddball::OddballVerify() {
CHECK(IsOddball());
+ Heap* heap = GetHeap();
VerifyHeapPointer(to_string());
Object* number = to_number();
if (number->IsHeapObject()) {
- CHECK(number == HeapObject::cast(number)->GetHeap()->nan_value());
+ CHECK(number == heap->nan_value());
} else {
CHECK(number->IsSmi());
int value = Smi::cast(number)->value();
@@ -608,6 +609,26 @@
CHECK_LE(value, 1);
CHECK(value >= kLeastHiddenOddballNumber);
}
+ if (map() == heap->undefined_map()) {
+ CHECK(this == heap->undefined_value());
+ } else if (map() == heap->the_hole_map()) {
+ CHECK(this == heap->the_hole_value());
+ } else if (map() == heap->null_map()) {
+ CHECK(this == heap->null_value());
+ } else if (map() == heap->boolean_map()) {
+ CHECK(this == heap->true_value() ||
+ this == heap->false_value());
+ } else if (map() == heap->uninitialized_map()) {
+ CHECK(this == heap->uninitialized_value());
+ } else if (map() == heap->no_interceptor_result_sentinel_map()) {
+ CHECK(this == heap->no_interceptor_result_sentinel());
+ } else if (map() == heap->arguments_marker_map()) {
+ CHECK(this == heap->arguments_marker());
+ } else if (map() == heap->termination_exception_map()) {
+ CHECK(this == heap->termination_exception());
+ } else {
+ UNREACHABLE();
+ }
}
diff --git a/src/objects-inl.h b/src/objects-inl.h
index 978704a..3939921 100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -1496,11 +1496,11 @@
}
-void JSObject::ValidateElements() {
+void JSObject::ValidateElements(Handle<JSObject> object) {
#ifdef ENABLE_SLOW_ASSERTS
if (FLAG_enable_slow_asserts) {
- ElementsAccessor* accessor = GetElementsAccessor();
- accessor->Validate(this);
+ ElementsAccessor* accessor = object->GetElementsAccessor();
+ accessor->Validate(object);
}
#endif
}
@@ -1640,7 +1640,7 @@
void JSObject::EnsureCanContainHeapObjectElements(Handle<JSObject> object) {
- object->ValidateElements();
+ JSObject::ValidateElements(object);
ElementsKind elements_kind = object->map()->elements_kind();
if (!IsFastObjectElementsKind(elements_kind)) {
if (IsFastHoleyElementsKind(elements_kind)) {
diff --git a/src/objects.cc b/src/objects.cc
index ae24cd6..7404ee7 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -5192,7 +5192,7 @@
if (object->map()->is_observed()) {
should_enqueue_change_record = HasLocalElement(object, index);
if (should_enqueue_change_record) {
- if (object->GetLocalElementAccessorPair(index) != NULL) {
+ if (!GetLocalElementAccessorPair(object, index).is_null()) {
old_value = Handle<Object>::cast(factory->the_hole_value());
} else {
old_value = Object::GetElementNoExceptionThrown(isolate, object, index);
@@ -6371,7 +6371,7 @@
if (is_observed) {
if (is_element) {
preexists = HasLocalElement(object, index);
- if (preexists && object->GetLocalElementAccessorPair(index) == NULL) {
+ if (preexists && GetLocalElementAccessorPair(object, index).is_null()) {
old_value = Object::GetElementNoExceptionThrown(isolate, object, index);
}
} else {
@@ -11232,7 +11232,7 @@
Handle<Map> new_map = (new_elements_kind != elements_kind)
? GetElementsTransitionMap(object, new_elements_kind)
: handle(object->map());
- object->ValidateElements();
+ JSObject::ValidateElements(object);
JSObject::SetMapAndElements(object, new_map, new_elements);
// Transition through the allocation site as well if present.
@@ -11278,7 +11278,7 @@
ElementsAccessor* accessor = ElementsAccessor::ForKind(FAST_DOUBLE_ELEMENTS);
accessor->CopyElements(object, elems, elements_kind);
- object->ValidateElements();
+ JSObject::ValidateElements(object);
JSObject::SetMapAndElements(object, new_map, elems);
if (FLAG_trace_elements_transitions) {
@@ -11319,7 +11319,7 @@
ASSERT(attributes != ABSENT);
if (attributes == DONT_DELETE) return false;
Handle<Object> value;
- if (object->GetLocalElementAccessorPair(index) != NULL) {
+ if (!JSObject::GetLocalElementAccessorPair(object, index).is_null()) {
value = Handle<Object>::cast(isolate->factory()->the_hole_value());
} else {
value = Object::GetElementNoExceptionThrown(isolate, object, index);
@@ -11858,35 +11858,40 @@
}
-AccessorPair* JSObject::GetLocalPropertyAccessorPair(Name* name) {
+MaybeHandle<AccessorPair> JSObject::GetLocalPropertyAccessorPair(
+ Handle<JSObject> object,
+ Handle<Name> name) {
uint32_t index = 0;
if (name->AsArrayIndex(&index)) {
- return GetLocalElementAccessorPair(index);
+ return GetLocalElementAccessorPair(object, index);
}
- LookupResult lookup(GetIsolate());
- LocalLookupRealNamedProperty(name, &lookup);
+ Isolate* isolate = object->GetIsolate();
+ LookupResult lookup(isolate);
+ object->LocalLookupRealNamedProperty(*name, &lookup);
if (lookup.IsPropertyCallbacks() &&
lookup.GetCallbackObject()->IsAccessorPair()) {
- return AccessorPair::cast(lookup.GetCallbackObject());
+ return handle(AccessorPair::cast(lookup.GetCallbackObject()), isolate);
}
- return NULL;
+ return MaybeHandle<AccessorPair>();
}
-AccessorPair* JSObject::GetLocalElementAccessorPair(uint32_t index) {
- if (IsJSGlobalProxy()) {
- Object* proto = GetPrototype();
- if (proto->IsNull()) return NULL;
+MaybeHandle<AccessorPair> JSObject::GetLocalElementAccessorPair(
+ Handle<JSObject> object,
+ uint32_t index) {
+ if (object->IsJSGlobalProxy()) {
+ Handle<Object> proto(object->GetPrototype(), object->GetIsolate());
+ if (proto->IsNull()) return MaybeHandle<AccessorPair>();
ASSERT(proto->IsJSGlobalObject());
- return JSObject::cast(proto)->GetLocalElementAccessorPair(index);
+ return GetLocalElementAccessorPair(Handle<JSObject>::cast(proto), index);
}
// Check for lookup interceptor.
- if (HasIndexedInterceptor()) return NULL;
+ if (object->HasIndexedInterceptor()) return MaybeHandle<AccessorPair>();
- return GetElementsAccessor()->GetAccessorPair(this, this, index);
+ return object->GetElementsAccessor()->GetAccessorPair(object, object, index);
}
@@ -12157,7 +12162,7 @@
SetFastDoubleElementsCapacityAndLength(object, new_capacity, array_length);
FixedDoubleArray::cast(object->elements())->set(index, value->Number());
- object->ValidateElements();
+ JSObject::ValidateElements(object);
return value;
}
// Change elements kind from Smi-only to generic FAST if necessary.
@@ -12181,7 +12186,7 @@
SetFastElementsCapacityAndLength(object, new_capacity, array_length,
smi_mode);
new_elements->set(index, *value);
- object->ValidateElements();
+ JSObject::ValidateElements(object);
return value;
}
@@ -12327,7 +12332,7 @@
SetFastElementsCapacityAndLength(object, new_length, new_length,
smi_mode);
}
- object->ValidateElements();
+ JSObject::ValidateElements(object);
#ifdef DEBUG
if (FLAG_trace_normalization) {
PrintF("Object elements are fast case again:\n");
@@ -12379,7 +12384,7 @@
check_prototype);
RETURN_IF_EMPTY_HANDLE_VALUE(object->GetIsolate(), result,
Handle<Object>());
- object->ValidateElements();
+ JSObject::ValidateElements(object);
return result;
}
@@ -12419,7 +12424,7 @@
ASSERT(static_cast<uint32_t>(new_capacity) > index);
SetFastDoubleElementsCapacityAndLength(object, new_capacity, index + 1);
FixedDoubleArray::cast(object->elements())->set(index, double_value);
- object->ValidateElements();
+ JSObject::ValidateElements(object);
return value;
}
}
@@ -12535,7 +12540,7 @@
Handle<Object> new_length_handle;
if (old_attributes != ABSENT) {
- if (object->GetLocalElementAccessorPair(index) == NULL) {
+ if (GetLocalElementAccessorPair(object, index).is_null()) {
old_value = Object::GetElementNoExceptionThrown(isolate, object, index);
}
} else if (object->IsJSArray()) {
@@ -12878,7 +12883,7 @@
if (IsFastSmiElementsKind(from_kind) &&
IsFastDoubleElementsKind(to_kind)) {
SetFastDoubleElementsCapacityAndLength(object, capacity, length);
- object->ValidateElements();
+ JSObject::ValidateElements(object);
return;
}
@@ -12886,7 +12891,7 @@
IsFastObjectElementsKind(to_kind)) {
SetFastElementsCapacityAndLength(object, capacity, length,
kDontAllowSmiElements);
- object->ValidateElements();
+ JSObject::ValidateElements(object);
return;
}
@@ -14412,7 +14417,7 @@
Handle<FixedArray> fast_elements =
isolate->factory()->NewFixedArray(dict->NumberOfElements(), tenure);
dict->CopyValuesTo(*fast_elements);
- object->ValidateElements();
+ JSObject::ValidateElements(object);
JSObject::SetMapAndElements(object, new_map, fast_elements);
} else if (object->HasExternalArrayElements() ||
diff --git a/src/objects.h b/src/objects.h
index ff9f457..89267e5 100644
--- a/src/objects.h
+++ b/src/objects.h
@@ -2423,7 +2423,7 @@
static void SetIdentityHash(Handle<JSObject> object, Handle<Smi> hash);
- inline void ValidateElements();
+ static inline void ValidateElements(Handle<JSObject> object);
// Makes sure that this object can contain HeapObject as elements.
static inline void EnsureCanContainHeapObjectElements(Handle<JSObject> obj);
@@ -2469,8 +2469,12 @@
}
// These methods do not perform access checks!
- AccessorPair* GetLocalPropertyAccessorPair(Name* name);
- AccessorPair* GetLocalElementAccessorPair(uint32_t index);
+ MUST_USE_RESULT static MaybeHandle<AccessorPair> GetLocalPropertyAccessorPair(
+ Handle<JSObject> object,
+ Handle<Name> name);
+ MUST_USE_RESULT static MaybeHandle<AccessorPair> GetLocalElementAccessorPair(
+ Handle<JSObject> object,
+ uint32_t index);
static Handle<Object> SetFastElement(Handle<JSObject> object, uint32_t index,
Handle<Object> value,
diff --git a/src/runtime.cc b/src/runtime.cc
index 960d9b3..11df15a 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -436,7 +436,7 @@
}
}
- object->ValidateElements();
+ JSObject::ValidateElements(object);
return object;
}
@@ -1926,14 +1926,15 @@
return factory->undefined_value();
}
ASSERT(!isolate->has_scheduled_exception());
- AccessorPair* raw_accessors = obj->GetLocalPropertyAccessorPair(*name);
- Handle<AccessorPair> accessors(raw_accessors, isolate);
+ Handle<AccessorPair> accessors;
+ bool has_accessors =
+ JSObject::GetLocalPropertyAccessorPair(obj, name).ToHandle(&accessors);
Handle<FixedArray> elms = isolate->factory()->NewFixedArray(DESCRIPTOR_SIZE);
elms->set(ENUMERABLE_INDEX, heap->ToBoolean((attrs & DONT_ENUM) == 0));
elms->set(CONFIGURABLE_INDEX, heap->ToBoolean((attrs & DONT_DELETE) == 0));
- elms->set(IS_ACCESSOR_INDEX, heap->ToBoolean(raw_accessors != NULL));
+ elms->set(IS_ACCESSOR_INDEX, heap->ToBoolean(has_accessors));
- if (raw_accessors == NULL) {
+ if (!has_accessors) {
elms->set(WRITABLE_INDEX, heap->ToBoolean((attrs & READ_ONLY) == 0));
// Runtime::GetObjectProperty does access check.
Handle<Object> value = Runtime::GetObjectProperty(isolate, obj, name);
@@ -5301,7 +5302,7 @@
return value;
}
- js_object->ValidateElements();
+ JSObject::ValidateElements(js_object);
if (js_object->HasExternalArrayElements() ||
js_object->HasFixedTypedArrayElements()) {
if (!value->IsNumber() && !value->IsUndefined()) {
@@ -5316,7 +5317,7 @@
strict_mode,
true,
set_mode);
- js_object->ValidateElements();
+ JSObject::ValidateElements(js_object);
return result.is_null() ? result : value;
}
@@ -10657,8 +10658,8 @@
ASSERT(args.length() == 2);
CONVERT_ARG_HANDLE_CHECKED(JSArray, from, 0);
CONVERT_ARG_HANDLE_CHECKED(JSArray, to, 1);
- from->ValidateElements();
- to->ValidateElements();
+ JSObject::ValidateElements(from);
+ JSObject::ValidateElements(to);
Handle<FixedArrayBase> new_elements(from->elements());
ElementsKind from_kind = from->GetElementsKind();
@@ -10669,7 +10670,7 @@
JSObject::ResetElements(from);
from->set_length(Smi::FromInt(0));
- to->ValidateElements();
+ JSObject::ValidateElements(to);
return *to;
}
diff --git a/src/types.cc b/src/types.cc
index 98592cf..29a2b99 100644
--- a/src/types.cc
+++ b/src/types.cc
@@ -140,14 +140,6 @@
value->ToInt32(&i) ? (Smi::IsValid(i) ? kSignedSmall : kOtherSigned32) :
value->ToUint32(&u) ? kUnsigned32 : kFloat);
}
- if (map->instance_type() == ODDBALL_TYPE) {
- if (value->IsUndefined()) return kUndefined;
- if (value->IsNull()) return kNull;
- if (value->IsBoolean()) return kBoolean;
- if (value->IsTheHole()) return kAny; // TODO(rossberg): kNone?
- if (value->IsUninitialized()) return kNone;
- UNREACHABLE();
- }
return LubBitset(map);
}
@@ -178,8 +170,18 @@
return kString;
case SYMBOL_TYPE:
return kSymbol;
- case ODDBALL_TYPE:
- return kOddball;
+ case ODDBALL_TYPE: {
+ Heap* heap = map->GetHeap();
+ if (map == heap->undefined_map()) return kUndefined;
+ if (map == heap->the_hole_map()) return kAny; // TODO(rossberg): kNone?
+ if (map == heap->null_map()) return kNull;
+ if (map == heap->boolean_map()) return kBoolean;
+ if (map == heap->uninitialized_map()) return kNone;
+ ASSERT(map == heap->no_interceptor_result_sentinel_map() ||
+ map == heap->termination_exception_map() ||
+ map == heap->arguments_marker_map());
+ return kInternal & kTaggedPtr;
+ }
case HEAP_NUMBER_TYPE:
return kFloat & kTaggedPtr;
case JS_VALUE_TYPE:
@@ -251,8 +253,7 @@
typename TypeImpl<Config>::TypeHandle TypeImpl<Config>::NowOf(
i::Object* value, Region* region) {
if (value->IsSmi() ||
- i::HeapObject::cast(value)->map()->instance_type() == HEAP_NUMBER_TYPE ||
- i::HeapObject::cast(value)->map()->instance_type() == ODDBALL_TYPE) {
+ i::HeapObject::cast(value)->map()->instance_type() == HEAP_NUMBER_TYPE) {
return Of(value, region);
}
return Class(i::handle(i::HeapObject::cast(value)->map()), region);
diff --git a/src/types.h b/src/types.h
index 0d172bd..7f4d706 100644
--- a/src/types.h
+++ b/src/types.h
@@ -24,7 +24,6 @@
// None <= T
// T <= Any
//
-// Oddball = Boolean \/ Null \/ Undefined
// Number = Signed32 \/ Unsigned32 \/ Double
// Smi <= Signed32
// Name = String \/ Symbol
@@ -142,7 +141,6 @@
V(Proxy, 1 << 15 | REPRESENTATION(kTaggedPtr)) \
V(Internal, 1 << 16 | REPRESENTATION(kTagged | kUntagged)) \
\
- V(Oddball, kBoolean | kNull | kUndefined) \
V(Signed32, kSignedSmall | kOtherSigned32) \
V(Number, kSigned32 | kUnsigned32 | kFloat) \
V(String, kInternalizedString | kOtherString) \
@@ -154,7 +152,8 @@
V(Detectable, kDetectableReceiver | kNumber | kName) \
V(Object, kDetectableObject | kUndetectable) \
V(Receiver, kObject | kProxy) \
- V(NonNumber, kOddball | kName | kReceiver | kInternal) \
+ V(NonNumber, kBoolean | kName | kNull | kReceiver | \
+ kUndefined | kInternal) \
V(Any, kNumber | kNonNumber)
#define BITSET_TYPE_LIST(V) \
diff --git a/src/version.cc b/src/version.cc
index 6c23b91..f3b4e22 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -34,7 +34,7 @@
// system so their names cannot be changed without changing the scripts.
#define MAJOR_VERSION 3
#define MINOR_VERSION 26
-#define BUILD_NUMBER 7
+#define BUILD_NUMBER 8
#define PATCH_LEVEL 0
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
diff --git a/test/cctest/test-types.cc b/test/cctest/test-types.cc
index 326bd1b..cdaa95b 100644
--- a/test/cctest/test-types.cc
+++ b/test/cctest/test-types.cc
@@ -38,7 +38,6 @@
Semantic(Type::Semantic(region)),
None(Type::None(region)),
Any(Type::Any(region)),
- Oddball(Type::Oddball(region)),
Boolean(Type::Boolean(region)),
Null(Type::Null(region)),
Undefined(Type::Undefined(region)),
@@ -78,7 +77,6 @@
TypeHandle Semantic;
TypeHandle None;
TypeHandle Any;
- TypeHandle Oddball;
TypeHandle Boolean;
TypeHandle Null;
TypeHandle Undefined;
@@ -351,10 +349,6 @@
CheckSub(T.None, T.Number);
CheckSub(T.None, T.Any);
- CheckSub(T.Oddball, T.Any);
- CheckSub(T.Boolean, T.Oddball);
- CheckSub(T.Null, T.Oddball);
- CheckSub(T.Undefined, T.Oddball);
CheckUnordered(T.Boolean, T.Null);
CheckUnordered(T.Undefined, T.Null);
CheckUnordered(T.Boolean, T.Undefined);
@@ -420,10 +414,6 @@
CheckOverlap(T.Any, T.Any, T.Semantic);
CheckOverlap(T.Object, T.Object, T.Semantic);
- CheckOverlap(T.Oddball, T.Any, T.Semantic);
- CheckOverlap(T.Boolean, T.Oddball, T.Semantic);
- CheckOverlap(T.Null, T.Oddball, T.Semantic);
- CheckOverlap(T.Undefined, T.Oddball, T.Semantic);
CheckDisjoint(T.Boolean, T.Null, T.Semantic);
CheckDisjoint(T.Undefined, T.Null, T.Semantic);
CheckDisjoint(T.Boolean, T.Undefined, T.Semantic);
diff --git a/test/mjsunit/regress/regress-3204.js b/test/mjsunit/regress/regress-3204.js
index dc754ff..b3161be 100644
--- a/test/mjsunit/regress/regress-3204.js
+++ b/test/mjsunit/regress/regress-3204.js
@@ -4,6 +4,21 @@
// Flags: --allow-natives-syntax
+// -----------------------------------------------------------------------------
+
+function SmiTaggingCanOverflow(x) {
+ x = x | 0;
+ if (x == 0) return;
+ return x;
+}
+
+SmiTaggingCanOverflow(2147483647);
+SmiTaggingCanOverflow(2147483647);
+%OptimizeFunctionOnNextCall(SmiTaggingCanOverflow);
+assertEquals(2147483647, SmiTaggingCanOverflow(2147483647));
+
+// -----------------------------------------------------------------------------
+
function ModILeftCanBeNegative() {
var x = 0;
for (var i = -1; i < 0; ++i) x = i % 2;
@@ -14,6 +29,8 @@
%OptimizeFunctionOnNextCall(ModILeftCanBeNegative);
assertEquals(-1, ModILeftCanBeNegative());
+// -----------------------------------------------------------------------------
+
function ModIRightCanBeZero() {
var x = 0;
for (var i = -1; i <= 0; ++i) x = (2 % i) | 0;
diff --git a/test/mjsunit/regress/regress-3255.js b/test/mjsunit/regress/regress-3255.js
new file mode 100644
index 0000000..0e77435
--- /dev/null
+++ b/test/mjsunit/regress/regress-3255.js
@@ -0,0 +1,19 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --enable-slow-asserts
+
+var arr = [];
+var str = new String('x');
+
+function f(a,b) {
+ a[b] = 1;
+}
+
+f(arr, 0);
+f(str, 0);
+f(str, 0);
+
+// This is just to trigger elements validation, object already broken.
+%SetProperty(str, 1, 'y', 0);
diff --git a/test/mjsunit/regress/regress-355486.js b/test/mjsunit/regress/regress-355486.js
new file mode 100644
index 0000000..55362a1
--- /dev/null
+++ b/test/mjsunit/regress/regress-355486.js
@@ -0,0 +1,13 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() { var v = arguments[0]; }
+function g() { f(); }
+
+g();
+g();
+%OptimizeFunctionOnNextCall(g);
+g();
