Browse Source

Upgrade V8 to 3.1.8.25

v0.7.4-release
Ryan Dahl 14 years ago
parent
commit
61553ccdda
  1. 3
      deps/v8/src/arm/codegen-arm.cc
  2. 4
      deps/v8/src/arm/lithium-arm.cc
  3. 3
      deps/v8/src/builtins.cc
  4. 10
      deps/v8/src/compiler.cc
  5. 22
      deps/v8/src/hydrogen-instructions.h
  6. 23
      deps/v8/src/hydrogen.cc
  7. 5
      deps/v8/src/hydrogen.h
  8. 4
      deps/v8/src/ia32/lithium-ia32.cc
  9. 3
      deps/v8/src/lithium.h
  10. 1
      deps/v8/src/messages.js
  11. 6
      deps/v8/src/parser.cc
  12. 5
      deps/v8/src/platform-solaris.cc
  13. 14
      deps/v8/src/v8natives.js
  14. 2
      deps/v8/src/version.cc
  15. 12
      deps/v8/src/x64/full-codegen-x64.cc
  16. 4
      deps/v8/src/x64/lithium-x64.cc
  17. 2
      deps/v8/test/mjsunit/function-names.js
  18. 33
      deps/v8/test/mjsunit/regress/regress-1122.js
  19. 58
      deps/v8/test/mjsunit/regress/regress-1257.js
  20. 24
      deps/v8/test/mjsunit/regress/regress-1401.js
  21. 14
      deps/v8/test/mjsunit/regress/regress-1403.js
  22. 56
      deps/v8/test/mjsunit/regress/splice-missing-wb.js

3
deps/v8/src/arm/codegen-arm.cc

@ -7233,6 +7233,9 @@ void CodeGenerator::EmitKeyedStore(StaticType* key_type,
ASSERT(we_remembered_the_write_barrier);
// Make sure that r0 holds the value which is the result of the expression.
__ Move(r0, value);
deferred->BindExit();
} else {
frame()->CallKeyedStoreIC(strict_mode_flag());

4
deps/v8/src/arm/lithium-arm.cc

@ -1936,6 +1936,10 @@ LInstruction* LChunkBuilder::DoParameter(HParameter* instr) {
LInstruction* LChunkBuilder::DoUnknownOSRValue(HUnknownOSRValue* instr) {
int spill_index = chunk()->GetNextSpillIndex(false); // Not double-width.
if (spill_index > LUnallocated::kMaxFixedIndex) {
Abort("Too many spill slots needed for OSR");
spill_index = 0;
}
return DefineAsSpilled(new LUnknownOSRValue, spill_index);
}

3
deps/v8/src/builtins.cc

@ -373,8 +373,7 @@ static bool ArrayPrototypeHasNoElements(Context* global_context,
array_proto = JSObject::cast(proto);
if (array_proto != global_context->initial_object_prototype()) return false;
if (array_proto->elements() != Heap::empty_fixed_array()) return false;
ASSERT(array_proto->GetPrototype()->IsNull());
return true;
return array_proto->GetPrototype()->IsNull();
}

10
deps/v8/src/compiler.cc

@ -1,4 +1,4 @@
// Copyright 2010 the V8 project authors. All rights reserved.
// Copyright 2011 the V8 project authors. All rights reserved.
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
@ -223,10 +223,12 @@ static bool MakeCrankshaftCode(CompilationInfo* info) {
//
// The encoding is as a signed value, with parameters and receiver using
// the negative indices and locals the non-negative ones.
const int limit = LUnallocated::kMaxFixedIndices / 2;
const int parameter_limit = -LUnallocated::kMinFixedIndex;
const int locals_limit = LUnallocated::kMaxFixedIndex;
Scope* scope = info->scope();
if ((scope->num_parameters() + 1) > limit ||
scope->num_stack_slots() > limit) {
if ((scope->num_parameters() + 1) > parameter_limit ||
(info->osr_ast_id() != AstNode::kNoNumber &&
scope->num_parameters() + 1 + scope->num_stack_slots() > locals_limit)) {
AbortAndDisable(info);
// True indicates the compilation pipeline is still going, not
// necessarily that we optimized the code.

22
deps/v8/src/hydrogen-instructions.h

@ -789,15 +789,33 @@ class HBlockEntry: public HTemplateInstruction<0> {
};
class HDeoptimize: public HTemplateControlInstruction<0> {
class HDeoptimize: public HControlInstruction {
public:
HDeoptimize() : HTemplateControlInstruction<0>(NULL, NULL) { }
explicit HDeoptimize(int environment_length)
: HControlInstruction(NULL, NULL),
values_(environment_length) { }
virtual Representation RequiredInputRepresentation(int index) const {
return Representation::None();
}
virtual int OperandCount() { return values_.length(); }
virtual HValue* OperandAt(int index) { return values_[index]; }
void AddEnvironmentValue(HValue* value) {
values_.Add(NULL);
SetOperandAt(values_.length() - 1, value);
}
DECLARE_CONCRETE_INSTRUCTION(Deoptimize, "deoptimize")
protected:
virtual void InternalSetOperandAt(int index, HValue* value) {
values_[index] = value;
}
private:
ZoneList<HValue*> values_;
};

23
deps/v8/src/hydrogen.cc

@ -113,6 +113,21 @@ void HBasicBlock::AddInstruction(HInstruction* instr) {
}
HDeoptimize* HBasicBlock::CreateDeoptimize() {
ASSERT(HasEnvironment());
HEnvironment* environment = last_environment();
HDeoptimize* instr = new HDeoptimize(environment->length());
for (int i = 0; i < environment->length(); i++) {
HValue* val = environment->values()->at(i);
instr->AddEnvironmentValue(val);
}
return instr;
}
HSimulate* HBasicBlock::CreateSimulate(int id) {
ASSERT(HasEnvironment());
HEnvironment* environment = last_environment();
@ -2560,7 +2575,7 @@ void HGraphBuilder::VisitSwitchStatement(SwitchStatement* stmt) {
// If we have a non-smi compare clause, we deoptimize after trying
// all the previous compares.
if (num_smi_clauses < num_clauses) {
last_false_block->Finish(new HDeoptimize);
last_false_block->FinishExitWithDeoptimization();
}
// Build statement blocks, connect them to their comparison block and
@ -3230,7 +3245,7 @@ void HGraphBuilder::HandlePolymorphicStoreNamedField(Assignment* expr,
HSubgraph* default_graph = CreateBranchSubgraph(environment());
{ SubgraphScope scope(this, default_graph);
if (!needs_generic && FLAG_deoptimize_uncommon_cases) {
default_graph->exit_block()->FinishExit(new HDeoptimize());
default_graph->exit_block()->FinishExitWithDeoptimization();
default_graph->set_exit_block(NULL);
} else {
HInstruction* instr = BuildStoreNamedGeneric(object, name, value);
@ -3567,7 +3582,7 @@ void HGraphBuilder::HandlePolymorphicLoadNamedField(Property* expr,
HSubgraph* default_graph = CreateBranchSubgraph(environment());
{ SubgraphScope scope(this, default_graph);
if (!needs_generic && FLAG_deoptimize_uncommon_cases) {
default_graph->exit_block()->FinishExit(new HDeoptimize());
default_graph->exit_block()->FinishExitWithDeoptimization();
default_graph->set_exit_block(NULL);
} else {
HInstruction* instr = BuildLoadNamedGeneric(object, expr);
@ -3928,7 +3943,7 @@ void HGraphBuilder::HandlePolymorphicCallNamed(Call* expr,
HSubgraph* default_graph = CreateBranchSubgraph(environment());
{ SubgraphScope scope(this, default_graph);
if (!needs_generic && FLAG_deoptimize_uncommon_cases) {
default_graph->exit_block()->FinishExit(new HDeoptimize());
default_graph->exit_block()->FinishExitWithDeoptimization();
default_graph->set_exit_block(NULL);
} else {
HContext* context = new HContext;

5
deps/v8/src/hydrogen.h

@ -124,6 +124,10 @@ class HBasicBlock: public ZoneObject {
void AddSimulate(int id) { AddInstruction(CreateSimulate(id)); }
void AssignCommonDominator(HBasicBlock* other);
void FinishExitWithDeoptimization() {
FinishExit(CreateDeoptimize());
}
// Add the inlined function exit sequence, adding an HLeaveInlined
// instruction and updating the bailout environment.
void AddLeaveInlined(HValue* return_value, HBasicBlock* target);
@ -146,6 +150,7 @@ class HBasicBlock: public ZoneObject {
void AddDominatedBlock(HBasicBlock* block);
HSimulate* CreateSimulate(int id);
HDeoptimize* CreateDeoptimize();
int block_id_;
HGraph* graph_;

4
deps/v8/src/ia32/lithium-ia32.cc

@ -1986,6 +1986,10 @@ LInstruction* LChunkBuilder::DoParameter(HParameter* instr) {
LInstruction* LChunkBuilder::DoUnknownOSRValue(HUnknownOSRValue* instr) {
int spill_index = chunk()->GetNextSpillIndex(false); // Not double-width.
if (spill_index > LUnallocated::kMaxFixedIndex) {
Abort("Too many spill slots needed for OSR");
spill_index = 0;
}
return DefineAsSpilled(new LUnknownOSRValue, spill_index);
}

3
deps/v8/src/lithium.h

@ -143,7 +143,8 @@ class LUnallocated: public LOperand {
};
static const int kMaxVirtualRegisters = 1 << (kVirtualRegisterWidth + 1);
static const int kMaxFixedIndices = 128;
static const int kMaxFixedIndex = 63;
static const int kMinFixedIndex = -64;
bool HasIgnorePolicy() const { return policy() == IGNORE; }
bool HasNoPolicy() const { return policy() == NONE; }

1
deps/v8/src/messages.js

@ -211,6 +211,7 @@ function FormatMessage(message) {
invalid_preparser_data: ["Invalid preparser data for function ", "%0"],
strict_mode_with: ["Strict mode code may not include a with statement"],
strict_catch_variable: ["Catch variable may not be eval or arguments in strict mode"],
too_many_arguments: ["Too many arguments in function call (only 32766 allowed)"],
too_many_parameters: ["Too many parameters in function definition"],
strict_param_name: ["Parameter name eval or arguments is not allowed in strict mode"],
strict_param_dupe: ["Strict mode function may not have duplicate parameter names"],

6
deps/v8/src/parser.cc

@ -3490,6 +3490,12 @@ ZoneList<Expression*>* Parser::ParseArguments(bool* ok) {
while (!done) {
Expression* argument = ParseAssignmentExpression(true, CHECK_OK);
result->Add(argument);
if (result->length() > kMaxNumFunctionParameters) {
ReportMessageAt(scanner().location(), "too_many_arguments",
Vector<const char*>::empty());
*ok = false;
return NULL;
}
done = (peek() == Token::RPAREN);
if (!done) Expect(Token::COMMA, CHECK_OK);
}

5
deps/v8/src/platform-solaris.cc

@ -1,4 +1,4 @@
// Copyright 2006-2009 the V8 project authors. All rights reserved.
// Copyright 2011 the V8 project authors. All rights reserved.
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
@ -105,7 +105,8 @@ uint64_t OS::CpuFeaturesImpliedByPlatform() {
int OS::ActivationFrameAlignment() {
return STACK_ALIGN;
// GCC generates code that requires 16 byte alignment such as movdqa.
return Max(STACK_ALIGN, 16);
}

14
deps/v8/src/v8natives.js

@ -147,17 +147,6 @@ function GlobalEval(x) {
}
// execScript for IE compatibility.
function GlobalExecScript(expr, lang) {
// NOTE: We don't care about the character casing.
if (!lang || /javascript/i.test(lang)) {
var f = %CompileString(ToString(expr));
f.call(%GlobalReceiver(global));
}
return null;
}
// ----------------------------------------------------------------------------
@ -177,8 +166,7 @@ function SetupGlobal() {
"isFinite", GlobalIsFinite,
"parseInt", GlobalParseInt,
"parseFloat", GlobalParseFloat,
"eval", GlobalEval,
"execScript", GlobalExecScript
"eval", GlobalEval
));
}

2
deps/v8/src/version.cc

@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 1
#define BUILD_NUMBER 8
#define PATCH_LEVEL 16
#define PATCH_LEVEL 25
#define CANDIDATE_VERSION false
// Define SONAME to have the SCons build the put a specific SONAME into the

12
deps/v8/src/x64/full-codegen-x64.cc

@ -1383,13 +1383,17 @@ void FullCodeGenerator::VisitObjectLiteral(ObjectLiteral* expr) {
// Fall through.
case ObjectLiteral::Property::COMPUTED:
if (key->handle()->IsSymbol()) {
VisitForAccumulatorValue(value);
__ Move(rcx, key->handle());
__ movq(rdx, Operand(rsp, 0));
if (property->emit_store()) {
Handle<Code> ic(Builtins::builtin(Builtins::StoreIC_Initialize));
VisitForAccumulatorValue(value);
__ Move(rcx, key->handle());
__ movq(rdx, Operand(rsp, 0));
Handle<Code> ic(Builtins::builtin(
is_strict() ? Builtins::StoreIC_Initialize_Strict
: Builtins::StoreIC_Initialize));
EmitCallIC(ic, RelocInfo::CODE_TARGET);
PrepareForBailoutForId(key->id(), NO_REGISTERS);
} else {
VisitForEffect(value);
}
break;
}

4
deps/v8/src/x64/lithium-x64.cc

@ -1939,6 +1939,10 @@ LInstruction* LChunkBuilder::DoParameter(HParameter* instr) {
LInstruction* LChunkBuilder::DoUnknownOSRValue(HUnknownOSRValue* instr) {
int spill_index = chunk()->GetNextSpillIndex(false); // Not double-width.
if (spill_index > LUnallocated::kMaxFixedIndex) {
Abort("Too many spill slots needed for OSR");
spill_index = 0;
}
return DefineAsSpilled(new LUnknownOSRValue, spill_index);
}

2
deps/v8/test/mjsunit/function-names.js

@ -128,6 +128,6 @@ var globalFunctions = [
"encodeURI", "encodeURIComponent", "Error", "TypeError",
"RangeError", "SyntaxError", "ReferenceError", "EvalError",
"URIError", "isNaN", "isFinite", "parseInt", "parseFloat",
"eval", "execScript"];
"eval"];
TestFunctionNames(this, globalFunctions);

33
deps/v8/test/mjsunit/regress/regress-1122.js

@ -25,12 +25,14 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Test that we can handle functions with up to 32766 arguments, and that
// functions with more arguments throw an exception.
// Test that we can handle function calls with up to 32766 arguments, and
// that function calls with more arguments throw an exception. Apply a
// similar limit to the number of function parameters.
// See http://code.google.com/p/v8/issues/detail?id=1122.
// See http://code.google.com/p/v8/issues/detail?id=1122 and
// http://code.google.com/p/v8/issues/detail?id=1413.
function function_with_n_args(n) {
function function_with_n_params_and_m_args(n, m) {
test_prefix = 'prefix ';
test_suffix = ' suffix';
var source = 'test_prefix + (function f(';
@ -39,7 +41,7 @@ function function_with_n_args(n) {
source += 'arg' + arg;
}
source += ') { return arg' + (n - n % 2) / 2 + '; })(';
for (var arg = 0; arg < n ; arg++) {
for (var arg = 0; arg < m ; arg++) {
if (arg != 0) source += ',';
source += arg;
}
@ -47,9 +49,20 @@ function function_with_n_args(n) {
return eval(source);
}
assertEquals('prefix 4000 suffix', function_with_n_args(8000));
assertEquals('prefix 9000 suffix', function_with_n_args(18000));
assertEquals('prefix 16000 suffix', function_with_n_args(32000));
assertEquals('prefix 4000 suffix',
function_with_n_params_and_m_args(8000, 8000));
assertEquals('prefix 3000 suffix',
function_with_n_params_and_m_args(6000, 8000));
assertEquals('prefix 5000 suffix',
function_with_n_params_and_m_args(10000, 8000));
assertEquals('prefix 9000 suffix',
function_with_n_params_and_m_args(18000, 18000));
assertEquals('prefix 16000 suffix',
function_with_n_params_and_m_args(32000, 32000));
assertEquals('prefix undefined suffix',
function_with_n_params_and_m_args(32000, 10000));
assertThrows("function_with_n_args(35000)");
assertThrows("function_with_n_args(100000)");
assertThrows("function_with_n_params_and_m_args(35000, 35000)");
assertThrows("function_with_n_params_and_m_args(100000, 100000)");
assertThrows("function_with_n_params_and_m_args(35000, 30000)");
assertThrows("function_with_n_params_and_m_args(30000, 35000)");

58
deps/v8/test/mjsunit/regress/regress-1257.js

@ -0,0 +1,58 @@
// Copyright 2011 the V8 project authors. All rights reserved.
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
function g(y) { assertEquals(y, 12); }
var X = 0;
function foo () {
var cnt = 0;
var l = -1;
var x = 0;
while (1) switch (l) {
case -1:
var y = x + 12;
l = 0;
break;
case 0:
// Loop for to hit OSR.
if (cnt++ < 10000000) {
l = 0;
break;
} else {
l = 1;
break;
}
case 1:
// This case will contain deoptimization
// because it has no type feedback.
g(y);
return;
};
}
foo();

24
deps/v8/test/mjsunit/regress/regress-1341167.js → deps/v8/test/mjsunit/regress/regress-1401.js

@ -1,4 +1,4 @@
// Copyright 2008 the V8 project authors. All rights reserved.
// Copyright 2011 the V8 project authors. All rights reserved.
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
@ -25,9 +25,21 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Make sure that 'this' is bound to the global object when using
// execScript.
// See: http://code.google.com/p/v8/issues/detail?id=1401
var result;
execScript("result = this");
assertTrue(result === this);
var bottom = 0;
var sizes = new Array();
for (i = 0; i < 10; i++) {
sizes[i] = 0;
}
function foo() {
var size = bottom + 1 + 10;
var t = (sizes[++bottom] = size);
return t;
}
for (i = 0; i < 5; i++) {
assertEquals(i + 11, foo());
}

14
deps/v8/test/mjsunit/execScript-case-insensitive.js → deps/v8/test/mjsunit/regress/regress-1403.js

@ -1,4 +1,4 @@
// Copyright 2008 the V8 project authors. All rights reserved.
// Copyright 2011 the V8 project authors. All rights reserved.
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
@ -25,10 +25,12 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
var x = 0;
execScript('x = 1', 'javascript');
assertEquals(1, x);
// See: http://code.google.com/p/v8/issues/detail?id=1403
execScript('x = 2', 'JavaScript');
assertEquals(2, x);
a = [];
Object.prototype.__proto__ = { __proto__: null };
a.shift();
a = [];
Array.prototype.__proto__ = { __proto__: null };
a.shift();

56
deps/v8/test/mjsunit/regress/splice-missing-wb.js

@ -0,0 +1,56 @@
// Copyright 2011 the V8 project authors. All rights reserved.
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Flags: --expose-gc
// Create array large enough to span several page regions.
var a = new Array(500);
// Fill it with values.
for (var i = 0; i < a.length; i++) a[i] = {idx:i};
// Force it into oldspace.
gc();
gc();
// Array should be in old space now. Store young object into array.
// Region will be marked.
a[0] = {idx:0};
// Delete elements a[2] .. a[201]. Internally we will use
// trimming of backing store. a[0] a[1] will be moved to
// memory location previously occupied by a[200] a[201].
a.splice(2, 200);
// Force gc and heap verification.
gc();
// Try accessing a[0].idx. It will segfault if write-barrier was accidentally
// omitted.
assertEquals(0, a[0].idx);
assertEquals(1, a[1].idx);
assertEquals(202, a[2].idx);
Loading…
Cancel
Save