From 81c278d58d8154980d49b9c2713ec37f5017c2d3 Mon Sep 17 00:00:00 2001 
From: isaacs Date: Wed, 6 Mar 2013 12:57:49 -0800 Subject: [PATCH] V8: Upgrade to 3.14.5.8 --- deps/v8/AUTHORS | 1 + deps/v8/build/common.gypi | 11 ++- deps/v8/include/v8.h | 6 +- deps/v8/src/api.cc | 11 ++- deps/v8/src/arm/stub-cache-arm.cc | 7 +- deps/v8/src/contexts.h | 6 +- deps/v8/src/hydrogen-instructions.cc | 7 ++ deps/v8/src/hydrogen-instructions.h | 3 + deps/v8/src/hydrogen.cc | 5 +- deps/v8/src/ia32/code-stubs-ia32.cc | 2 +- deps/v8/src/ia32/stub-cache-ia32.cc | 14 ++-- deps/v8/src/json-parser.h | 81 ++++++++++++------- deps/v8/src/lithium.h | 4 +- deps/v8/src/messages.cc | 10 ++- deps/v8/src/mips/lithium-codegen-mips.cc | 2 +- deps/v8/src/mips/stub-cache-mips.cc | 9 ++- deps/v8/src/objects-inl.h | 36 --------- deps/v8/src/objects.cc | 56 +++++++++++-- deps/v8/src/objects.h | 2 - deps/v8/src/parser.cc | 14 ++-- deps/v8/src/platform-posix.cc | 17 +--- deps/v8/src/preparser.h | 4 +- deps/v8/src/scopes.cc | 11 +-- deps/v8/src/v8utils.h | 2 - deps/v8/src/version.cc | 2 +- deps/v8/src/x64/code-stubs-x64.cc | 2 +- deps/v8/src/x64/stub-cache-x64.cc | 14 ++-- deps/v8/test/cctest/test-api.cc | 3 +- deps/v8/test/mjsunit/regress/regress-2315.js | 40 +++++++++ deps/v8/test/mjsunit/regress/regress-2489.js | 50 ++++++++++++ deps/v8/test/mjsunit/regress/regress-492.js | 40 ++++++++- .../mjsunit/regress/regress-crbug-135066.js | 14 ++-- .../mjsunit/regress/regress-crbug-157019.js | 54 +++++++++++++ .../mjsunit/regress/regress-crbug-157520.js | 38 +++++++++ .../mjsunit/regress/regress-crbug-158185.js | 38 +++++++++ deps/v8/tools/gen-postmortem-metadata.py | 15 +--- deps/v8/tools/run-tests.py | 2 +- 37 files changed, 479 insertions(+), 154 deletions(-) create mode 100644 deps/v8/test/mjsunit/regress/regress-2315.js create mode 100644 deps/v8/test/mjsunit/regress/regress-2489.js create mode 100644 deps/v8/test/mjsunit/regress/regress-crbug-157019.js create mode 100644 deps/v8/test/mjsunit/regress/regress-crbug-157520.js create mode 100644 
deps/v8/test/mjsunit/regress/regress-crbug-158185.js diff --git a/deps/v8/AUTHORS b/deps/v8/AUTHORS index 1156d94958..9c43bb525b 100644 --- a/deps/v8/AUTHORS +++ b/deps/v8/AUTHORS @@ -20,6 +20,7 @@ Burcu Dogan Craig Schlenter Daniel Andersson Daniel James +Derek J Conrod Dineel D Sule Erich Ocean Fedor Indutny diff --git a/deps/v8/build/common.gypi b/deps/v8/build/common.gypi index 6e0ef0c997..78888b8d7c 100644 --- a/deps/v8/build/common.gypi +++ b/deps/v8/build/common.gypi @@ -157,7 +157,7 @@ [ 'v8_use_arm_eabi_hardfloat=="true"', { 'defines': [ 'USE_EABI_HARDFLOAT=1', - 'CAN_USE_VFP2_INSTRUCTIONS', + 'CAN_USE_VFP3_INSTRUCTIONS', ], 'target_conditions': [ ['_toolset=="target"', { @@ -378,6 +378,15 @@ 'conditions': [ ['OS=="linux" or OS=="freebsd" or OS=="openbsd" or OS=="netbsd" \ or OS=="android"', { + 'cflags!': [ + '-O2', + '-Os', + ], + 'cflags': [ + '-fdata-sections', + '-ffunction-sections', + '-O3', + ], 'conditions': [ [ 'gcc_version==44 and clang==0', { 'cflags': [ diff --git a/deps/v8/include/v8.h b/deps/v8/include/v8.h index 245dc5a826..470661e10d 100644 --- a/deps/v8/include/v8.h +++ b/deps/v8/include/v8.h @@ -3102,8 +3102,12 @@ class V8EXPORT V8 { * * The same message listener can be added more than once and in that * case it will be called more than once for each message. + * + * If data is specified, it will be passed to the callback when it is called. + * Otherwise, the exception object will be passed to the callback instead. */ - static bool AddMessageListener(MessageCallback that); + static bool AddMessageListener(MessageCallback that, + Handle data = Handle()); /** * Remove all message listeners from the specified callback function. diff --git a/deps/v8/src/api.cc b/deps/v8/src/api.cc index e0ad29b834..f1683984e1 100644 --- a/deps/v8/src/api.cc +++ b/deps/v8/src/api.cc 
@@ -5270,14 +5270,18 @@ void V8::IgnoreOutOfMemoryException() { } -bool V8::AddMessageListener(MessageCallback that) { +bool V8::AddMessageListener(MessageCallback that, Handle data) { i::Isolate* isolate = i::Isolate::Current(); EnsureInitializedForIsolate(isolate, "v8::V8::AddMessageListener()"); ON_BAILOUT(isolate, "v8::V8::AddMessageListener()", return false); ENTER_V8(isolate); i::HandleScope scope(isolate); NeanderArray listeners(isolate->factory()->message_listeners()); - listeners.add(isolate->factory()->NewForeign(FUNCTION_ADDR(that))); + NeanderObject obj(2); + obj.set(0, *isolate->factory()->NewForeign(FUNCTION_ADDR(that))); + obj.set(1, data.IsEmpty() ? isolate->heap()->undefined_value() + : *Utils::OpenHandle(*data)); + listeners.add(obj.value()); return true; } @@ -5292,7 +5296,8 @@ void V8::RemoveMessageListeners(MessageCallback that) { for (int i = 0; i < listeners.length(); i++) { if (listeners.get(i)->IsUndefined()) continue; // skip deleted ones - i::Handle callback_obj(i::Foreign::cast(listeners.get(i))); + NeanderObject listener(i::JSObject::cast(listeners.get(i))); + i::Handle callback_obj(i::Foreign::cast(listener.get(0))); if (callback_obj->foreign_address() == FUNCTION_ADDR(that)) { listeners.set(i, isolate->heap()->undefined_value()); } diff --git a/deps/v8/src/arm/stub-cache-arm.cc b/deps/v8/src/arm/stub-cache-arm.cc index d3b58624c8..9fc39d4ad8 100644 --- a/deps/v8/src/arm/stub-cache-arm.cc +++ b/deps/v8/src/arm/stub-cache-arm.cc 
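Review bot: In `V8::AddMessageListener`, `obj.set(1, data.IsEmpty() ? isolate->heap()->undefined_value() : *Utils::OpenHandle(*data))` uses `undefined` as the "no data" sentinel, so a caller who deliberately passes an undefined value cannot be told apart from one who passes nothing. The dispatch in the messages.cc hunk of this commit then hands such a listener the exception object instead. The v8.h comment should say so, for example `* Passing an undefined value as data is treated the same as passing no data.` The data value also appears to stay referenced from the listener list until `RemoveMessageListeners` clears the entry, which is worth one more sentence in the same comment if that reading is right.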
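Review bot: `i::JSObject::cast(listeners.get(i))` in `V8::RemoveMessageListeners` assumes that every non-undefined entry has the two-slot layout `AddMessageListener` now writes, and nothing in the hunk states that layout. Matching is still done on the callback address in slot 0 only, so every registration of `that` is removed regardless of the data it was registered with. A comment above the cast would record both facts: `// Entries are NeanderObjects: slot 0 = callback (Foreign), slot 1 = data or undefined; removal ignores slot 1.` The function starts before this hunk and continues past it.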
@@ -3467,7 +3467,13 @@ Handle ConstructStubCompiler::CompileConstructStub( // r1: constructor function // r2: initial map // r7: undefined + ASSERT(function->has_initial_map()); __ ldrb(r3, FieldMemOperand(r2, Map::kInstanceSizeOffset)); +#ifdef DEBUG + int instance_size = function->initial_map()->instance_size(); + __ cmp(r3, Operand(instance_size >> kPointerSizeLog2)); + __ Check(eq, "Instance size of initial map changed."); +#endif __ AllocateInNewSpace(r3, r4, r5, r6, &generic_stub_call, SIZE_IN_WORDS); // Allocated the JSObject, now initialize the fields. Map is set to initial @@ -3525,7 +3531,6 @@ Handle ConstructStubCompiler::CompileConstructStub( } // Fill the unused in-object property fields with undefined. - ASSERT(function->has_initial_map()); for (int i = shared->this_property_assignments_count(); i < function->initial_map()->inobject_properties(); i++) { diff --git a/deps/v8/src/contexts.h b/deps/v8/src/contexts.h index 28e4af5368..378185f947 100644 --- a/deps/v8/src/contexts.h +++ b/deps/v8/src/contexts.h @@ -344,9 +344,13 @@ class Context: public FixedArray { // Compute the native context by traversing the context chain. Context* native_context(); - // Predicates for context types. IsNativeContext is defined on Object + // Predicates for context types. IsNativeContext is also defined on Object // because we frequently have to know if arbitrary objects are natives // contexts. + bool IsNativeContext() { + Map* map = this->map(); + return map == map->GetHeap()->native_context_map(); + } bool IsFunctionContext() { Map* map = this->map(); return map == map->GetHeap()->function_context_map(); diff --git a/deps/v8/src/hydrogen-instructions.cc b/deps/v8/src/hydrogen-instructions.cc index 939b4f4974..79550f3eac 100644 --- a/deps/v8/src/hydrogen-instructions.cc +++ b/deps/v8/src/hydrogen-instructions.cc 
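Review bot: The new "Instance size of initial map changed." comparison in `CompileConstructStub` is emitted only under `#ifdef DEBUG`, so a release build has no guard if the initial map's instance size ever differs from the one seen when the stub was compiled. In this arm hunk (and the mips one) the allocation still takes its size from the map at run time, while the fill loop further down uses compile-time counts from `function->initial_map()`. The ia32 and x64 hunks go the other way and allocate with the compile-time `instance_size`. In both cases a mismatch would leave the object's size and its initialised fields out of step, so the invariant deserves a comment next to the `ASSERT`, for example `// The initial map's instance size must not change once this stub exists; see JSFunction::SetInstancePrototype.` Presumably the slack-tracking change in the objects.cc hunk is what enforces this, which should be confirmed; the function body starts and ends outside the hunk.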
@@ -725,6 +725,13 @@ void HClassOfTestAndBranch::PrintDataTo(StringStream* stream) { } +void HWrapReceiver::PrintDataTo(StringStream* stream) { + receiver()->PrintNameTo(stream); + stream->Add(" "); + function()->PrintNameTo(stream); +} + + void HAccessArgumentsAt::PrintDataTo(StringStream* stream) { arguments()->PrintNameTo(stream); stream->Add("["); diff --git a/deps/v8/src/hydrogen-instructions.h b/deps/v8/src/hydrogen-instructions.h index 9e6344cd5f..015212dd7b 100644 --- a/deps/v8/src/hydrogen-instructions.h +++ b/deps/v8/src/hydrogen-instructions.h @@ -2760,6 +2760,8 @@ class HWrapReceiver: public HTemplateInstruction<2> { virtual HValue* Canonicalize(); + virtual void PrintDataTo(StringStream* stream); + DECLARE_CONCRETE_INSTRUCTION(WrapReceiver) }; @@ -4805,6 +4807,7 @@ class HStringAdd: public HBinaryOperation { set_representation(Representation::Tagged()); SetFlag(kUseGVN); SetGVNFlag(kDependsOnMaps); + SetGVNFlag(kChangesNewSpacePromotion); } virtual Representation RequiredInputRepresentation(int index) { diff --git a/deps/v8/src/hydrogen.cc b/deps/v8/src/hydrogen.cc index 374e54c973..8393e51f9e 100644 --- a/deps/v8/src/hydrogen.cc +++ b/deps/v8/src/hydrogen.cc @@ -7502,7 +7502,10 @@ bool HGraphBuilder::TryCallApply(Call* expr) { return true; } else { // We are inside inlined function and we know exactly what is inside - // arguments object. + // arguments object. But we need to be able to materialize at deopt. + // TODO(mstarzinger): For now we just ensure arguments are pushed + // right after HEnterInlined, but we could be smarter about this. + EnsureArgumentsArePushedForAccess(); HValue* context = environment()->LookupContext(); HValue* wrapped_receiver = diff --git a/deps/v8/src/ia32/code-stubs-ia32.cc b/deps/v8/src/ia32/code-stubs-ia32.cc index 3b6987e6f4..1d23c7e5d2 100644 --- a/deps/v8/src/ia32/code-stubs-ia32.cc +++ b/deps/v8/src/ia32/code-stubs-ia32.cc 
@@ -3593,7 +3593,7 @@ void ArgumentsAccessStub::GenerateNewNonStrictFast(MacroAssembler* masm) { __ bind(&runtime); __ pop(eax); // Remove saved parameter count. __ mov(Operand(esp, 1 * kPointerSize), ecx); // Patch argument count. - __ TailCallRuntime(Runtime::kNewStrictArgumentsFast, 3, 1); + __ TailCallRuntime(Runtime::kNewArgumentsFast, 3, 1); } diff --git a/deps/v8/src/ia32/stub-cache-ia32.cc b/deps/v8/src/ia32/stub-cache-ia32.cc index f5e2d05892..11efb72bb6 100644 --- a/deps/v8/src/ia32/stub-cache-ia32.cc +++ b/deps/v8/src/ia32/stub-cache-ia32.cc @@ -3421,6 +3421,7 @@ Handle ConstructStubCompiler::CompileConstructStub( #endif // Load the initial map and verify that it is in fact a map. + // edi: constructor __ mov(ebx, FieldOperand(edi, JSFunction::kPrototypeOrInitialMapOffset)); // Will both indicate a NULL and a Smi. __ JumpIfSmi(ebx, &generic_stub_call); @@ -3429,19 +3430,23 @@ Handle ConstructStubCompiler::CompileConstructStub( #ifdef DEBUG // Cannot construct functions this way. - // edi: constructor // ebx: initial map __ CmpInstanceType(ebx, JS_FUNCTION_TYPE); - __ Assert(not_equal, "Function constructed by construct stub."); + __ Check(not_equal, "Function constructed by construct stub."); #endif // Now allocate the JSObject on the heap by moving the new space allocation // top forward. - // edi: constructor // ebx: initial map + ASSERT(function->has_initial_map()); + int instance_size = function->initial_map()->instance_size(); +#ifdef DEBUG __ movzx_b(ecx, FieldOperand(ebx, Map::kInstanceSizeOffset)); __ shl(ecx, kPointerSizeLog2); - __ AllocateInNewSpace(ecx, edx, ecx, no_reg, + __ cmp(ecx, Immediate(instance_size)); + __ Check(equal, "Instance size of initial map changed."); +#endif + __ AllocateInNewSpace(instance_size, edx, ecx, no_reg, &generic_stub_call, NO_ALLOCATION_FLAGS); // Allocated the JSObject, now initialize the fields and add the heap tag. 
@@ -3501,7 +3506,6 @@ Handle ConstructStubCompiler::CompileConstructStub( } // Fill the unused in-object property fields with undefined. - ASSERT(function->has_initial_map()); for (int i = shared->this_property_assignments_count(); i < function->initial_map()->inobject_properties(); i++) { diff --git a/deps/v8/src/json-parser.h b/deps/v8/src/json-parser.h index 40116fa59a..03ed22d70e 100644 --- a/deps/v8/src/json-parser.h +++ b/deps/v8/src/json-parser.h @@ -192,8 +192,10 @@ Handle JsonParser::ParseJson(Handle source, AdvanceSkipWhitespace(); Handle result = ParseJsonValue(); if (result.is_null() || c0_ != kEndOfString) { - // Parse failed. Current character is the unexpected token. + // Some exception (for example stack overflow) is already pending. + if (isolate_->has_pending_exception()) return Handle::null(); + // Parse failed. Current character is the unexpected token. const char* message; Factory* factory = this->factory(); Handle array; @@ -244,6 +246,12 @@ Handle JsonParser::ParseJson(Handle source, // Parse any JSON value. template Handle JsonParser::ParseJsonValue() { + StackLimitCheck stack_check(isolate_); + if (stack_check.HasOverflowed()) { + isolate_->StackOverflow(); + return Handle::null(); + } + if (c0_ == '"') return ParseJsonString(); if ((c0_ >= '0' && c0_ <= '9') || c0_ == '-') return ParseJsonNumber(); if (c0_ == '{') return ParseJsonObject(); 
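Review bot: The `StackLimitCheck` added at the top of `JsonParser::ParseJsonValue` has no comment saying why it sits there, although it is what bounds recursion on deeply nested input. A line such as `// Nested values recurse through here, so this is where depth is bounded; a null handle with a pending exception means stack overflow, not a syntax error.` would make the contract explicit. It also explains the `has_pending_exception()` early return that the previous json-parser.h hunk adds to `ParseJson`. Callers such as `ParseJsonObject` turn a null result into `ReportUnexpectedCharacter()`, so it is worth confirming that this path does not replace the pending overflow with a SyntaxError.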
@@ -293,45 +301,56 @@ Handle JsonParser::ParseJsonObject() { Advance(); uint32_t index = 0; - while (c0_ >= '0' && c0_ <= '9') { - int d = c0_ - '0'; - if (index > 429496729U - ((d > 5) ? 1 : 0)) break; - index = (index * 10) + d; - Advance(); - } + if (c0_ >= '0' && c0_ <= '9') { + // Maybe an array index, try to parse it. + if (c0_ == '0') { + // With a leading zero, the string has to be "0" only to be an index. + Advance(); + } else { + do { + int d = c0_ - '0'; + if (index > 429496729U - ((d > 5) ? 1 : 0)) break; + index = (index * 10) + d; + Advance(); + } while (c0_ >= '0' && c0_ <= '9'); + } - if (position_ != start_position + 1 && c0_ == '"') { - AdvanceSkipWhitespace(); + if (c0_ == '"') { + // Successfully parsed index, parse and store element. + AdvanceSkipWhitespace(); - if (c0_ != ':') return ReportUnexpectedCharacter(); - AdvanceSkipWhitespace(); - Handle value = ParseJsonValue(); - if (value.is_null()) return ReportUnexpectedCharacter(); + if (c0_ != ':') return ReportUnexpectedCharacter(); + AdvanceSkipWhitespace(); + Handle value = ParseJsonValue(); + if (value.is_null()) return ReportUnexpectedCharacter(); - JSObject::SetOwnElement(json_object, index, value, kNonStrictMode); - } else { - position_ = start_position; + JSObject::SetOwnElement(json_object, index, value, kNonStrictMode); + continue; + } + // Not an index, fallback to the slow path. 
+ } + + position_ = start_position; #ifdef DEBUG - c0_ = '"'; + c0_ = '"'; #endif - Handle key = ParseJsonSymbol(); - if (key.is_null() || c0_ != ':') return ReportUnexpectedCharacter(); + Handle key = ParseJsonSymbol(); + if (key.is_null() || c0_ != ':') return ReportUnexpectedCharacter(); - AdvanceSkipWhitespace(); - Handle value = ParseJsonValue(); - if (value.is_null()) return ReportUnexpectedCharacter(); + AdvanceSkipWhitespace(); + Handle value = ParseJsonValue(); + if (value.is_null()) return ReportUnexpectedCharacter(); - if (key->Equals(isolate()->heap()->Proto_symbol())) { - prototype = value; + if (key->Equals(isolate()->heap()->Proto_symbol())) { + prototype = value; + } else { + if (JSObject::TryTransitionToField(json_object, key)) { + int index = json_object->LastAddedFieldIndex(); + json_object->FastPropertyAtPut(index, *value); } else { - if (JSObject::TryTransitionToField(json_object, key)) { - int index = json_object->LastAddedFieldIndex(); - json_object->FastPropertyAtPut(index, *value); - } else { - JSObject::SetLocalPropertyIgnoreAttributes( - json_object, key, value, NONE); - } + JSObject::SetLocalPropertyIgnoreAttributes( + json_object, key, value, NONE); } } } while (MatchSkipWhiteSpace(',')); diff --git a/deps/v8/src/lithium.h b/deps/v8/src/lithium.h index b4eb2bb2d0..089926e71a 100644 --- a/deps/v8/src/lithium.h +++ b/deps/v8/src/lithium.h @@ -156,8 +156,8 @@ class LUnallocated: public LOperand { }; static const int kMaxVirtualRegisters = 1 << kVirtualRegisterWidth; - static const int kMaxFixedIndex = (1 << kFixedIndexWidth) - 1; - static const int kMinFixedIndex = -(1 << kFixedIndexWidth); + static const int kMaxFixedIndex = (1 << (kFixedIndexWidth - 1)) - 1; + static const int kMinFixedIndex = -(1 << (kFixedIndexWidth - 1)); bool HasAnyPolicy() const { return policy() == ANY; diff --git a/deps/v8/src/messages.cc b/deps/v8/src/messages.cc index 23fd4fd5d8..a041770d12 100644 --- a/deps/v8/src/messages.cc +++ b/deps/v8/src/messages.cc 
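Review bot: The overflow guard `if (index > 429496729U - ((d > 5) ? 1 : 0)) break;` in the new `do … while` loop of `ParseJsonObject` still admits `index == 429496729` with `d == 5`, which yields 4294967295 (2^32 − 1). The largest valid array index is 2^32 − 2, so the key "4294967295" would take the `SetOwnElement` fast path rather than being stored as a named property. Whether `SetOwnElement` copes with that value is not visible in this hunk. Tightening the bound to `if (index > 429496729U - ((d > 4) ? 1 : 0)) break;` keeps the fast path inside the array-index range, and a short comment naming the constant as `kMaxUInt32 / 10` would help the next reader.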
@@ -130,15 +130,19 @@ void MessageHandler::ReportMessage(Isolate* isolate, } } else { for (int i = 0; i < global_length; i++) { - HandleScope scope; + HandleScope scope(isolate); if (global_listeners.get(i)->IsUndefined()) continue; - Handle callback_obj(Foreign::cast(global_listeners.get(i))); + v8::NeanderObject listener(JSObject::cast(global_listeners.get(i))); + Handle callback_obj(Foreign::cast(listener.get(0))); v8::MessageCallback callback = FUNCTION_CAST(callback_obj->foreign_address()); + Handle callback_data(listener.get(1), isolate); { // Do not allow exceptions to propagate. v8::TryCatch try_catch; - callback(api_message_obj, api_exception_obj); + callback(api_message_obj, callback_data->IsUndefined() + ? api_exception_obj + : v8::Utils::ToLocal(callback_data)); } if (isolate->has_scheduled_exception()) { isolate->clear_scheduled_exception(); diff --git a/deps/v8/src/mips/lithium-codegen-mips.cc b/deps/v8/src/mips/lithium-codegen-mips.cc index 4c2182bdb0..21fd2ce481 100644 --- a/deps/v8/src/mips/lithium-codegen-mips.cc +++ b/deps/v8/src/mips/lithium-codegen-mips.cc @@ -3938,7 +3938,7 @@ void LCodeGen::DoTransitionElementsKind(LTransitionElementsKind* instr) { __ Branch(¬_applicable, ne, scratch, Operand(from_map)); __ li(new_map_reg, Operand(to_map)); - if (IsFastSmiElementsKind(from_kind) && IsFastObjectElementsKind(to_kind)) { + if (IsSimpleMapChangeTransition(from_kind, to_kind)) { __ sw(new_map_reg, FieldMemOperand(object_reg, HeapObject::kMapOffset)); // Write barrier. __ RecordWriteField(object_reg, HeapObject::kMapOffset, new_map_reg, diff --git a/deps/v8/src/mips/stub-cache-mips.cc b/deps/v8/src/mips/stub-cache-mips.cc index ba1d17722d..bd15775d4b 100644 --- a/deps/v8/src/mips/stub-cache-mips.cc +++ b/deps/v8/src/mips/stub-cache-mips.cc 
@@ -3453,7 +3453,7 @@ Handle ConstructStubCompiler::CompileConstructStub( // t7: undefined __ lbu(a3, FieldMemOperand(a2, Map::kInstanceTypeOffset)); __ Check(ne, "Function constructed by construct stub.", - a3, Operand(JS_FUNCTION_TYPE)); + a3, Operand(JS_FUNCTION_TYPE)); #endif // Now allocate the JSObject in new space. @@ -3461,7 +3461,13 @@ Handle ConstructStubCompiler::CompileConstructStub( // a1: constructor function // a2: initial map // t7: undefined + ASSERT(function->has_initial_map()); __ lbu(a3, FieldMemOperand(a2, Map::kInstanceSizeOffset)); +#ifdef DEBUG + int instance_size = function->initial_map()->instance_size(); + __ Check(eq, "Instance size of initial map changed.", + a3, Operand(instance_size >> kPointerSizeLog2)); +#endif __ AllocateInNewSpace(a3, t4, t5, t6, &generic_stub_call, SIZE_IN_WORDS); // Allocated the JSObject, now initialize the fields. Map is set to initial @@ -3524,7 +3530,6 @@ Handle ConstructStubCompiler::CompileConstructStub( } // Fill the unused in-object property fields with undefined. - ASSERT(function->has_initial_map()); for (int i = shared->this_property_assignments_count(); i < function->initial_map()->inobject_properties(); i++) { diff --git a/deps/v8/src/objects-inl.h b/deps/v8/src/objects-inl.h index d2f996bae6..ea5a93f16b 100644 --- a/deps/v8/src/objects-inl.h +++ b/deps/v8/src/objects-inl.h 
@@ -4412,42 +4412,6 @@ void JSFunction::set_initial_map(Map* value) { } -MaybeObject* JSFunction::set_initial_map_and_cache_transitions( - Map* initial_map) { - Context* native_context = context()->native_context(); - Object* array_function = - native_context->get(Context::ARRAY_FUNCTION_INDEX); - if (array_function->IsJSFunction() && - this == JSFunction::cast(array_function)) { - // Replace all of the cached initial array maps in the native context with - // the appropriate transitioned elements kind maps. - Heap* heap = GetHeap(); - MaybeObject* maybe_maps = - heap->AllocateFixedArrayWithHoles(kElementsKindCount); - FixedArray* maps; - if (!maybe_maps->To(&maps)) return maybe_maps; - - Map* current_map = initial_map; - ElementsKind kind = current_map->elements_kind(); - ASSERT(kind == GetInitialFastElementsKind()); - maps->set(kind, current_map); - for (int i = GetSequenceIndexFromFastElementsKind(kind) + 1; - i < kFastElementsKindCount; ++i) { - Map* new_map; - ElementsKind next_kind = GetFastElementsKindFromSequenceIndex(i); - MaybeObject* maybe_new_map = - current_map->CopyAsElementsKind(next_kind, INSERT_TRANSITION); - if (!maybe_new_map->To(&new_map)) return maybe_new_map; - maps->set(next_kind, new_map); - current_map = new_map; - } - native_context->set_js_array_maps(maps); - } - set_initial_map(initial_map); - return this; -} - - bool JSFunction::has_initial_map() { return prototype_or_initial_map()->IsMap(); } diff --git a/deps/v8/src/objects.cc b/deps/v8/src/objects.cc index 792b6d9843..37f8361d8f 100644 --- a/deps/v8/src/objects.cc +++ b/deps/v8/src/objects.cc 
@@ -7699,6 +7699,35 @@ MaybeObject* JSObject::OptimizeAsPrototype() { } +MUST_USE_RESULT static MaybeObject* CacheInitialJSArrayMaps( + Context* native_context, Map* initial_map) { + // Replace all of the cached initial array maps in the native context with + // the appropriate transitioned elements kind maps. + Heap* heap = native_context->GetHeap(); + MaybeObject* maybe_maps = + heap->AllocateFixedArrayWithHoles(kElementsKindCount); + FixedArray* maps; + if (!maybe_maps->To(&maps)) return maybe_maps; + + Map* current_map = initial_map; + ElementsKind kind = current_map->elements_kind(); + ASSERT(kind == GetInitialFastElementsKind()); + maps->set(kind, current_map); + for (int i = GetSequenceIndexFromFastElementsKind(kind) + 1; + i < kFastElementsKindCount; ++i) { + Map* new_map; + ElementsKind next_kind = GetFastElementsKindFromSequenceIndex(i); + MaybeObject* maybe_new_map = + current_map->CopyAsElementsKind(next_kind, INSERT_TRANSITION); + if (!maybe_new_map->To(&new_map)) return maybe_new_map; + maps->set(next_kind, new_map); + current_map = new_map; + } + native_context->set_js_array_maps(maps); + return initial_map; +} + + MaybeObject* JSFunction::SetInstancePrototype(Object* value) { ASSERT(value->IsJSReceiver()); Heap* heap = GetHeap(); 
@@ -7713,14 +7742,29 @@ MaybeObject* JSFunction::SetInstancePrototype(Object* value) { // Now some logic for the maps of the objects that are created by using this // function as a constructor. if (has_initial_map()) { - // If the function has allocated the initial map - // replace it with a copy containing the new prototype. + // If the function has allocated the initial map replace it with a + // copy containing the new prototype. Also complete any in-object + // slack tracking that is in progress at this point because it is + // still tracking the old copy. + if (shared()->IsInobjectSlackTrackingInProgress()) { + shared()->CompleteInobjectSlackTracking(); + } Map* new_map; - MaybeObject* maybe_new_map = initial_map()->Copy(); - if (!maybe_new_map->To(&new_map)) return maybe_new_map; + MaybeObject* maybe_object = initial_map()->Copy(); + if (!maybe_object->To(&new_map)) return maybe_object; new_map->set_prototype(value); - MaybeObject* maybe_object = set_initial_map_and_cache_transitions(new_map); - if (maybe_object->IsFailure()) return maybe_object; + + // If the function is used as the global Array function, cache the + // initial map (and transitioned versions) in the native context. + Context* native_context = context()->native_context(); + Object* array_function = native_context->get(Context::ARRAY_FUNCTION_INDEX); + if (array_function->IsJSFunction() && + this == JSFunction::cast(array_function)) { + MaybeObject* ok = CacheInitialJSArrayMaps(native_context, new_map); + if (ok->IsFailure()) return ok; + } + + set_initial_map(new_map); } else { // Put the value in the initial map field until an initial map is // needed. At that point, a new initial map is created and the diff --git a/deps/v8/src/objects.h b/deps/v8/src/objects.h index 0d1a69cb98..755dd42d9e 100644 --- a/deps/v8/src/objects.h +++ b/deps/v8/src/objects.h 
@@ -6111,8 +6111,6 @@ class JSFunction: public JSObject { // The initial map for an object created by this constructor. inline Map* initial_map(); inline void set_initial_map(Map* value); - MUST_USE_RESULT inline MaybeObject* set_initial_map_and_cache_transitions( - Map* value); inline bool has_initial_map(); // Get and set the prototype property on a JSFunction. If the diff --git a/deps/v8/src/parser.cc b/deps/v8/src/parser.cc index 129bd95466..03e4b039cc 100644 --- a/deps/v8/src/parser.cc +++ b/deps/v8/src/parser.cc @@ -614,11 +614,6 @@ FunctionLiteral* Parser::DoParseProgram(CompilationInfo* info, ASSERT(target_stack_ == NULL); if (pre_data_ != NULL) pre_data_->Initialize(); - // Compute the parsing mode. - Mode mode = (FLAG_lazy && allow_lazy_) ? PARSE_LAZILY : PARSE_EAGERLY; - if (allow_natives_syntax_ || extension_ != NULL) mode = PARSE_EAGERLY; - ParsingModeScope parsing_mode(this, mode); - Handle no_name = isolate()->factory()->empty_symbol(); FunctionLiteral* result = NULL; @@ -637,6 +632,13 @@ FunctionLiteral* Parser::DoParseProgram(CompilationInfo* info, scope->set_start_position(0); scope->set_end_position(source->length()); + // Compute the parsing mode. + Mode mode = (FLAG_lazy && allow_lazy_) ? PARSE_LAZILY : PARSE_EAGERLY; + if (allow_natives_syntax_ || extension_ != NULL || scope->is_eval_scope()) { + mode = PARSE_EAGERLY; + } + ParsingModeScope parsing_mode(this, mode); + FunctionState function_state(this, scope, isolate()); // Enters 'scope'. top_scope_->SetLanguageMode(info->language_mode()); ZoneList* body = new(zone()) ZoneList(16, zone()); 
@@ -1059,12 +1061,14 @@ void* Parser::ParseSourceElements(ZoneList* processor, // as specified in ES5 10.4.2(3). The correct fix would be to always // add this scope in DoParseProgram(), but that requires adaptations // all over the code base, so we go with a quick-fix for now. + // In the same manner, we have to patch the parsing mode. if (is_eval && !top_scope_->is_eval_scope()) { ASSERT(top_scope_->is_global_scope()); Scope* scope = NewScope(top_scope_, EVAL_SCOPE); scope->set_start_position(top_scope_->start_position()); scope->set_end_position(top_scope_->end_position()); top_scope_ = scope; + mode_ = PARSE_EAGERLY; } // TODO(ES6): Fix entering extended mode, once it is specified. top_scope_->SetLanguageMode(FLAG_harmony_scoping diff --git a/deps/v8/src/platform-posix.cc b/deps/v8/src/platform-posix.cc index 2b80015161..3bc83733ca 100644 --- a/deps/v8/src/platform-posix.cc +++ b/deps/v8/src/platform-posix.cc 
@@ -109,20 +109,11 @@ void* OS::GetRandomMmapAddr() { raw_addr &= V8_UINT64_C(0x3ffffffff000); #else uint32_t raw_addr = V8::RandomPrivate(isolate); - - // For our 32-bit mmap() hint, we pick a random address in the bottom - // half of the top half of the address space (that is, the third quarter). - // Because we do not MAP_FIXED, this will be treated only as a hint -- the - // system will not fail to mmap() because something else happens to already - // be mapped at our random address. We deliberately set the hint high enough - // to get well above the system's break (that is, the heap); systems will - // either try the hint and if that fails move higher (MacOS and other BSD - // derivatives) or try the hint and if that fails allocate as if there were - // no hint at all (Linux, Solaris, illumos and derivatives). The high hint - // prevents the break from getting hemmed in at low values, ceding half of - // the address space to the system heap. + // The range 0x20000000 - 0x60000000 is relatively unpopulated across a + // variety of ASLR modes (PAE kernel, NX compat mode, etc) and on macos + // 10.6 and 10.7. raw_addr &= 0x3ffff000; - raw_addr += 0x80000000; + raw_addr += 0x20000000; #endif return reinterpret_cast(raw_addr); } diff --git a/deps/v8/src/preparser.h b/deps/v8/src/preparser.h index 13261f7a5b..ad52d74bbd 100644 --- a/deps/v8/src/preparser.h +++ b/deps/v8/src/preparser.h 
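Review bot: The rewritten comment in the 32-bit branch of `OS::GetRandomMmapAddr` drops the explanation that the address is only a hint because the mapping is not `MAP_FIXED`. It also no longer addresses the removed text's concern that a low hint can hem in the program break, which matters now that the base moves from `0x80000000` to `0x20000000`. With the mask `0x3ffff000` the result carries 18 random bits at page granularity and spans 0x20000000 through 0x5ffff000. I would keep one line of the old rationale, for example `// Only a hint (no MAP_FIXED): on collision the kernel picks another address.` It is also worth confirming that the lower base does not bring back the heap-growth problem described in the deleted comment; the function starts before the hunk.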
@@ -150,11 +150,11 @@ class PreParser { // Parses a single function literal, from the opening parentheses before // parameters to the closing brace after the body. - // Returns a FunctionEntry describing the body of the funciton in enough + // Returns a FunctionEntry describing the body of the function in enough // detail that it can be lazily compiled. // The scanner is expected to have matched the "function" keyword and // parameters, and have consumed the initial '{'. - // At return, unless an error occured, the scanner is positioned before the + // At return, unless an error occurred, the scanner is positioned before the // the final '}'. PreParseResult PreParseLazyFunction(i::LanguageMode mode, i::ParserRecorder* log); diff --git a/deps/v8/src/scopes.cc b/deps/v8/src/scopes.cc index c9612577af..434479ca5d 100644 --- a/deps/v8/src/scopes.cc +++ b/deps/v8/src/scopes.cc 
@@ -702,17 +702,12 @@ bool Scope::HasTrivialOuterContext() const { bool Scope::HasLazyCompilableOuterContext() const { Scope* outer = outer_scope_; if (outer == NULL) return true; - // There are several reasons that prevent lazy compilation: - // - This scope is inside a with scope and all declaration scopes between - // them have empty contexts. Such declaration scopes become invisible - // during scope info deserialization. - // - This scope is inside a strict eval scope with variables that are - // potentially context allocated in an artificial function scope that - // is not deserialized correctly. + // We have to prevent lazy compilation if this scope is inside a with scope + // and all declaration scopes between them have empty contexts. Such + // declaration scopes may become invisible during scope info deserialization. outer = outer->DeclarationScope(); bool found_non_trivial_declarations = false; for (const Scope* scope = outer; scope != NULL; scope = scope->outer_scope_) { - if (scope->is_eval_scope()) return false; if (scope->is_with_scope() && !found_non_trivial_declarations) return false; if (scope->is_declaration_scope() && scope->num_heap_slots() > 0) { found_non_trivial_declarations = true; diff --git a/deps/v8/src/v8utils.h b/deps/v8/src/v8utils.h index 111abdf8b8..9072b4e285 100644 --- a/deps/v8/src/v8utils.h +++ b/deps/v8/src/v8utils.h @@ -209,8 +209,6 @@ INLINE(void CopyChars(sinkchar* dest, const sourcechar* src, int chars)); template void CopyChars(sinkchar* dest, const sourcechar* src, int chars) { - ASSERT(chars >= 0); - if (chars == 0) return; sinkchar* limit = dest + chars; #ifdef V8_HOST_CAN_READ_UNALIGNED if (sizeof(*dest) == sizeof(*src)) { diff --git a/deps/v8/src/version.cc b/deps/v8/src/version.cc index 213259f5f3..715c2e5393 100644 --- a/deps/v8/src/version.cc +++ b/deps/v8/src/version.cc 
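Review bot: With `if (scope->is_eval_scope()) return false;` removed from the loop, `Scope::HasLazyCompilableOuterContext` no longer rejects scopes nested in eval by itself, and the shortened comment does not say what replaces that check. It appears to rely on the parser.cc hunks of this commit, which force `PARSE_EAGERLY` when `scope->is_eval_scope()` and set `mode_ = PARSE_EAGERLY` in `ParseSourceElements`. A cross-reference in the comment would make the dependency visible, for example `// Eval scopes are not rejected here; the parser parses eval code eagerly.` The function continues past the end of the hunk.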
@@ -35,7 +35,7 @@ #define MAJOR_VERSION 3 #define MINOR_VERSION 14 #define BUILD_NUMBER 5 -#define PATCH_LEVEL 0 +#define PATCH_LEVEL 8 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) #define IS_CANDIDATE_VERSION 0 diff --git a/deps/v8/src/x64/code-stubs-x64.cc b/deps/v8/src/x64/code-stubs-x64.cc index 675d404b9d..f0f9c5d272 100644 --- a/deps/v8/src/x64/code-stubs-x64.cc +++ b/deps/v8/src/x64/code-stubs-x64.cc @@ -2604,7 +2604,7 @@ void ArgumentsAccessStub::GenerateNewNonStrictFast(MacroAssembler* masm) { __ bind(&runtime); __ Integer32ToSmi(rcx, rcx); __ movq(Operand(rsp, 1 * kPointerSize), rcx); // Patch argument count. - __ TailCallRuntime(Runtime::kNewStrictArgumentsFast, 3, 1); + __ TailCallRuntime(Runtime::kNewArgumentsFast, 3, 1); } diff --git a/deps/v8/src/x64/stub-cache-x64.cc b/deps/v8/src/x64/stub-cache-x64.cc index cd71086eec..b120efb376 100644 --- a/deps/v8/src/x64/stub-cache-x64.cc +++ b/deps/v8/src/x64/stub-cache-x64.cc @@ -3240,6 +3240,7 @@ Handle ConstructStubCompiler::CompileConstructStub( #endif // Load the initial map and verify that it is in fact a map. + // rdi: constructor __ movq(rbx, FieldOperand(rdi, JSFunction::kPrototypeOrInitialMapOffset)); // Will both indicate a NULL and a Smi. STATIC_ASSERT(kSmiTag == 0); 
@@ -3249,18 +3250,22 @@ Handle ConstructStubCompiler::CompileConstructStub( #ifdef DEBUG // Cannot construct functions this way. - // rdi: constructor // rbx: initial map __ CmpInstanceType(rbx, JS_FUNCTION_TYPE); - __ Assert(not_equal, "Function constructed by construct stub."); + __ Check(not_equal, "Function constructed by construct stub."); #endif // Now allocate the JSObject in new space. - // rdi: constructor // rbx: initial map + ASSERT(function->has_initial_map()); + int instance_size = function->initial_map()->instance_size(); +#ifdef DEBUG __ movzxbq(rcx, FieldOperand(rbx, Map::kInstanceSizeOffset)); __ shl(rcx, Immediate(kPointerSizeLog2)); - __ AllocateInNewSpace(rcx, rdx, rcx, no_reg, + __ cmpq(rcx, Immediate(instance_size)); + __ Check(equal, "Instance size of initial map changed."); +#endif + __ AllocateInNewSpace(instance_size, rdx, rcx, no_reg, &generic_stub_call, NO_ALLOCATION_FLAGS); // Allocated the JSObject, now initialize the fields and add the heap tag. @@ -3306,7 +3311,6 @@ Handle ConstructStubCompiler::CompileConstructStub( } // Fill the unused in-object property fields with undefined. - ASSERT(function->has_initial_map()); for (int i = shared->this_property_assignments_count(); i < function->initial_map()->inobject_properties(); i++) { diff --git a/deps/v8/test/cctest/test-api.cc b/deps/v8/test/cctest/test-api.cc index 3be068009e..728a8f7b42 100644 --- a/deps/v8/test/cctest/test-api.cc +++ b/deps/v8/test/cctest/test-api.cc @@ -2457,6 +2457,7 @@ bool message_received; static void check_message_0(v8::Handle message, v8::Handle data) { + CHECK_EQ(5.76, data->NumberValue()); CHECK_EQ(6.75, message->GetScriptResourceName()->NumberValue()); CHECK_EQ(7.56, message->GetScriptData()->NumberValue()); message_received = true; 
@@ -2467,7 +2468,7 @@ THREADED_TEST(MessageHandler0) { message_received = false; v8::HandleScope scope; CHECK(!message_received); - v8::V8::AddMessageListener(check_message_0); + v8::V8::AddMessageListener(check_message_0, v8_num(5.76)); LocalContext context; v8::ScriptOrigin origin = v8::ScriptOrigin(v8_str("6.75")); diff --git a/deps/v8/test/mjsunit/regress/regress-2315.js b/deps/v8/test/mjsunit/regress/regress-2315.js new file mode 100644 index 0000000000..a3f9182c95 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-2315.js 
@@ -0,0 +1,40 @@
+// Copyright 2012 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+var foo = (function() {
+ return eval("(function bar() { return 1; })");
+})();
+
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();
+
+// Function should be optimized now.
+assertTrue(%GetOptimizationStatus(foo) != 2);
diff --git a/deps/v8/test/mjsunit/regress/regress-2489.js b/deps/v8/test/mjsunit/regress/regress-2489.js
new file mode 100644
index 0000000000..882c4f794a
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-2489.js
@@ -0,0 +1,50 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+"use strict";
+
+function f(a, b) {
+ return g("c", "d");
+}
+
+function g(a, b) {
+ g.constructor.apply(this, arguments);
+}
+
+g.constructor = function(a, b) {
+ assertEquals("c", a);
+ assertEquals("d", b);
+}
+
+f("a", "b");
+f("a", "b");
+%OptimizeFunctionOnNextCall(f);
+f("a", "b");
+g.x = "deopt";
+f("a", "b");
diff --git a/deps/v8/test/mjsunit/regress/regress-492.js b/deps/v8/test/mjsunit/regress/regress-492.js index a8b783b301..53b3195cfe 100644 --- a/deps/v8/test/mjsunit/regress/regress-492.js +++ b/deps/v8/test/mjsunit/regress/regress-492.js @@ -29,7 +29,7 @@ // This should not hit any asserts in debug mode on ARM. function function_with_n_args(n) { - var source = '(function f('; + var source = '(function f' + n + '('; for (var arg = 0; arg < n; arg++) { if (arg != 0) source += ','; source += 'arg' + arg; 
@@ -50,3 +50,41 @@ for (args = 500; args < 520; args++) { for (args = 1019; args < 1041; args++) { function_with_n_args(args); } + + +function foo( + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, + x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x +) {} + +for (var i = 0; i < 10000; ++i) foo(); diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-135066.js b/deps/v8/test/mjsunit/regress/regress-crbug-135066.js index 1aeca8b1a3..35e9ff8c87 100644 
--- a/deps/v8/test/mjsunit/regress/regress-crbug-135066.js +++ b/deps/v8/test/mjsunit/regress/regress-crbug-135066.js @@ -29,25 +29,27 @@ var filler = "//" + new Array(1024).join('x'); // Test strict eval in global context. -eval( +assertEquals(23, eval( "'use strict';" + "var x = 23;" + "var f = function bozo1() {" + " return x;" + "};" + "assertSame(23, f());" + + "f;" + filler -); +)()); // Test default eval in strict context. -(function() { +assertEquals(42, (function() { "use strict"; - eval( + return eval( "var y = 42;" + "var g = function bozo2() {" + " return y;" + "};" + "assertSame(42, g());" + + "g;" + filler - ); -})(); + )(); +})()); diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-157019.js b/deps/v8/test/mjsunit/regress/regress-crbug-157019.js new file mode 100644 index 0000000000..1c54089ff9 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-crbug-157019.js 
@@ -0,0 +1,54 @@
+// Copyright 2012 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax --nocrankshaft
+
+function makeConstructor() {
+ return function() {
+ this.a = 1;
+ this.b = 2;
+ };
+}
+
+var c1 = makeConstructor();
+var o1 = new c1();
+
+c1.prototype = {};
+
+for (var i = 0; i < 10; i++) {
+ var o = new c1();
+ for (var j = 0; j < 8; j++) {
+ o["x" + j] = 0;
+ }
+}
+
+var c2 = makeConstructor();
+var o2 = new c2();
+
+for (var i = 0; i < 50000; i++) {
+ new c2();
+}
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-157520.js b/deps/v8/test/mjsunit/regress/regress-crbug-157520.js
new file mode 100644
index 0000000000..17081dfa52
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-157520.js
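Review bot: regress-crbug-157019.js has no assertion and no comment saying what it guards, so outside a debug build it can presumably fail only by crashing. A short header above `makeConstructor` naming the scenario (c1's prototype is replaced and its objects grow extra properties before c2, built from the same function literal, is constructed) would document the intent; the exact wording should be confirmed against the bug report. The final loop could also check its result, for example `var o = new c2(); assertEquals(1, o.a); assertEquals(2, o.b);`, so that a wrong object layout fails the test in release mode too.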
@@ -0,0 +1,38 @@
+// Copyright 2012 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --nocrankshaft
+
+(function(){
+ var f = function(arg) {
+ arg = 2;
+ return arguments[0];
+ };
+ for (var i = 0; i < 50000; i++) {
+ assertSame(2, f(1));
+ }
+})();
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-158185.js b/deps/v8/test/mjsunit/regress/regress-crbug-158185.js
new file mode 100644
index 0000000000..5cb5900c8a
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-158185.js 
@@ -0,0 +1,38 @@ +// Copyright 2012 the V8 project authors. All rights reserved. +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials provided +// with the distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived +// from this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ +assertEquals("0023456", + Object.keys(JSON.parse('{"0023456": 1}'))[0]); +assertEquals("1234567890123", + Object.keys(JSON.parse('{"1234567890123": 1}'))[0]); +assertEquals("123456789ABCD", + Object.keys(JSON.parse('{"123456789ABCD": 1}'))[0]); +assertEquals("12A", + Object.keys(JSON.parse('{"12A": 1}'))[0]); + +assertEquals(1, JSON.parse('{"0":1}')[0]); +assertEquals(undefined, JSON.parse('{"00":1}')[0]); diff --git a/deps/v8/tools/gen-postmortem-metadata.py b/deps/v8/tools/gen-postmortem-metadata.py index 7bee763bc9..f59cfd3033 100644 --- a/deps/v8/tools/gen-postmortem-metadata.py +++ b/deps/v8/tools/gen-postmortem-metadata.py @@ -76,23 +76,16 @@ consts_misc = [ { 'name': 'SmiTag', 'value': 'kSmiTag' }, { 'name': 'SmiTagMask', 'value': 'kSmiTagMask' }, { 'name': 'SmiValueShift', 'value': 'kSmiTagSize' }, - { 'name': 'SmiShiftSize', 'value': 'kSmiShiftSize' }, { 'name': 'PointerSizeLog2', 'value': 'kPointerSizeLog2' }, - { 'name': 'prop_desc_key', - 'value': 'DescriptorArray::kDescriptorKey' }, - { 'name': 'prop_desc_details', - 'value': 'DescriptorArray::kDescriptorDetails' }, - { 'name': 'prop_desc_value', - 'value': 'DescriptorArray::kDescriptorValue' }, - { 'name': 'prop_desc_size', - 'value': 'DescriptorArray::kDescriptorSize' }, + { 'name': 'prop_idx_transitions', + 'value': 'DescriptorArray::kTransitionsIndex' }, { 'name': 'prop_idx_first', 'value': 'DescriptorArray::kFirstIndex' }, { 'name': 'prop_type_field', 'value': 'FIELD' }, { 'name': 'prop_type_first_phantom', - 'value': 'Code::MAP_TRANSITION' }, + 'value': 'MAP_TRANSITION' }, { 'name': 'prop_type_mask', 'value': 'PropertyDetails::TypeField::kMask' }, 
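Review bot: Removing `SmiShiftSize` and the four `prop_desc_*` entries from `consts_misc` changes the metadata that postmortem tooling reads, and nothing visible in the patch shows that consumers of those names were updated. The next hunk of this file has the same concern, since it replaces the `Map, transitions` accessor with `Map, instance_descriptors, int, kInstanceDescriptorsOrBitField3Offset`. Please confirm that `DescriptorArray::kTransitionsIndex` and `kInstanceDescriptorsOrBitField3Offset` exist in the upgraded objects.h, which is not shown here; otherwise the generated metadata source would presumably fail to build when postmortem support is enabled. If the removed entries were local additions on top of upstream, a comment in the list such as `# Local additions for postmortem tooling; re-apply after a V8 upgrade.` would keep the next upgrade from dropping them silently.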
@@ -114,7 +107,7 @@ extras_accessors = [ 'JSObject, elements, Object, kElementsOffset', 'FixedArray, data, uintptr_t, kHeaderSize', 'Map, instance_attributes, int, kInstanceAttributesOffset', - 'Map, transitions, uintptr_t, kTransitionsOrBackPointerOffset', + 'Map, instance_descriptors, int, kInstanceDescriptorsOrBitField3Offset', 'Map, inobject_properties, int, kInObjectPropertiesOffset', 'Map, instance_size, int, kInstanceSizeOffset', 'HeapNumber, value, double, kValueOffset', diff --git a/deps/v8/tools/run-tests.py b/deps/v8/tools/run-tests.py index a49f6560a6..a1de3dc0b9 100755 --- a/deps/v8/tools/run-tests.py +++ b/deps/v8/tools/run-tests.py @@ -150,7 +150,7 @@ def ProcessOptions(options): options.mode = tokens[1] options.mode = options.mode.split(",") for mode in options.mode: - if not mode in ["debug", "release"]: + if not mode.lower() in ["debug", "release"]: print "Unknown mode %s" % mode return False if options.arch in ["auto", "native"]: