diff options
| author | Ryan Dahl <ry@tinyclouds.org> | 2012-01-03 11:46:53 -0800 |
|---|---|---|
| committer | Ryan Dahl <ry@tinyclouds.org> | 2012-01-03 11:46:53 -0800 |
| commit | 557fc396b4f5c165de90fbf9eaecb4370b46c057 (patch) | |
| tree | effdb5494f7e290a80de2f9ca45b5e4be264494d /deps | |
| parent | c123ac05dc37311d3dfb37ed6f22baef58280379 (diff) | |
| download | node-new-557fc396b4f5c165de90fbf9eaecb4370b46c057.tar.gz | |
Upgrade V8 to 3.8.4
Diffstat (limited to 'deps')
| -rw-r--r-- | deps/v8/ChangeLog | 7 | ||||
| -rw-r--r-- | deps/v8/src/arm/builtins-arm.cc | 50 | ||||
| -rw-r--r-- | deps/v8/src/ast.cc | 3 | ||||
| -rw-r--r-- | deps/v8/src/bootstrapper.cc | 7 | ||||
| -rw-r--r-- | deps/v8/src/builtins.cc | 45 | ||||
| -rw-r--r-- | deps/v8/src/builtins.h | 4 | ||||
| -rw-r--r-- | deps/v8/src/contexts.h | 2 | ||||
| -rw-r--r-- | deps/v8/src/ia32/builtins-ia32.cc | 34 | ||||
| -rw-r--r-- | deps/v8/src/objects-inl.h | 27 | ||||
| -rw-r--r-- | deps/v8/src/objects.cc | 42 | ||||
| -rw-r--r-- | deps/v8/src/objects.h | 11 | ||||
| -rw-r--r-- | deps/v8/src/runtime.cc | 16 | ||||
| -rw-r--r-- | deps/v8/src/runtime.h | 1 | ||||
| -rw-r--r-- | deps/v8/src/version.cc | 2 | ||||
| -rw-r--r-- | deps/v8/src/x64/builtins-x64.cc | 35 | ||||
| -rw-r--r-- | deps/v8/test/mjsunit/regress/regress-1849.js | 39 | ||||
| -rw-r--r-- | deps/v8/test/mjsunit/regress/regress-1878.js | 34 | ||||
| -rw-r--r-- | deps/v8/test/mjsunit/regress/regress-95113.js | 2 |
18 files changed, 301 insertions, 60 deletions
diff --git a/deps/v8/ChangeLog b/deps/v8/ChangeLog index 1992b50e47..5eb4b26780 100644 --- a/deps/v8/ChangeLog +++ b/deps/v8/ChangeLog @@ -1,3 +1,10 @@ +2012-01-02: Version 3.8.4 + + Performance improvements for large Smi-only arrays. + + Fixed InternalArrays construction. (issue 1878) + + 2011-12-27: Version 3.8.3 Avoid embedding new space objects into code objects in the lithium gap diff --git a/deps/v8/src/arm/builtins-arm.cc b/deps/v8/src/arm/builtins-arm.cc index 0e28241b54..c452821ff6 100644 --- a/deps/v8/src/arm/builtins-arm.cc +++ b/deps/v8/src/arm/builtins-arm.cc @@ -72,6 +72,22 @@ void Builtins::Generate_Adaptor(MacroAssembler* masm, } +// Load the built-in InternalArray function from the current context. +static void GenerateLoadInternalArrayFunction(MacroAssembler* masm, + Register result) { + // Load the global context. + + __ ldr(result, MemOperand(cp, Context::SlotOffset(Context::GLOBAL_INDEX))); + __ ldr(result, + FieldMemOperand(result, GlobalObject::kGlobalContextOffset)); + // Load the InternalArray function from the global context. + __ ldr(result, + MemOperand(result, + Context::SlotOffset( + Context::INTERNAL_ARRAY_FUNCTION_INDEX))); +} + + // Load the built-in Array function from the current context. static void GenerateLoadArrayFunction(MacroAssembler* masm, Register result) { // Load the global context. @@ -418,6 +434,40 @@ static void ArrayNativeCode(MacroAssembler* masm, } +void Builtins::Generate_InternalArrayCode(MacroAssembler* masm) { + // ----------- S t a t e ------------- + // -- r0 : number of arguments + // -- lr : return address + // -- sp[...]: constructor arguments + // ----------------------------------- + Label generic_array_code, one_or_more_arguments, two_or_more_arguments; + + // Get the InternalArray function. + GenerateLoadInternalArrayFunction(masm, r1); + + if (FLAG_debug_code) { + // Initial map for the builtin InternalArray functions should be maps. + __ ldr(r2, FieldMemOperand(r1, JSFunction::kPrototypeOrInitialMapOffset)); + __ tst(r2, Operand(kSmiTagMask)); + __ Assert(ne, "Unexpected initial map for InternalArray function"); + __ CompareObjectType(r2, r3, r4, MAP_TYPE); + __ Assert(eq, "Unexpected initial map for InternalArray function"); + } + + // Run the native code for the InternalArray function called as a normal + // function. + ArrayNativeCode(masm, &generic_array_code); + + // Jump to the generic array code if the specialized code cannot handle the + // construction. + __ bind(&generic_array_code); + + Handle<Code> array_code = + masm->isolate()->builtins()->InternalArrayCodeGeneric(); + __ Jump(array_code, RelocInfo::CODE_TARGET); +} + + void Builtins::Generate_ArrayCode(MacroAssembler* masm) { // ----------- S t a t e ------------- // -- r0 : number of arguments diff --git a/deps/v8/src/ast.cc b/deps/v8/src/ast.cc index 079335622a..2e26999c8c 100644 --- a/deps/v8/src/ast.cc +++ b/deps/v8/src/ast.cc @@ -748,7 +748,8 @@ bool Call::ComputeTarget(Handle<Map> type, Handle<String> name) { type->LookupInDescriptors(NULL, *name, &lookup); // If the function wasn't found directly in the map, we start // looking upwards through the prototype chain. - if (!lookup.IsFound() && type->prototype()->IsJSObject()) { + if ((!lookup.IsFound() || IsTransitionType(lookup.type())) + && type->prototype()->IsJSObject()) { holder_ = Handle<JSObject>(JSObject::cast(type->prototype())); type = Handle<Map>(holder()->map()); } else if (lookup.IsProperty() && lookup.type() == CONSTANT_FUNCTION) { diff --git a/deps/v8/src/bootstrapper.cc b/deps/v8/src/bootstrapper.cc index 6d388a5680..d1bf975fb5 100644 --- a/deps/v8/src/bootstrapper.cc +++ b/deps/v8/src/bootstrapper.cc @@ -1613,16 +1613,13 @@ bool Genesis::InstallNatives() { // doesn't inherit from Object.prototype. // To be used only for internal work by builtins. Instances // must not be leaked to user code. - // Only works correctly when called as a constructor. The normal - // Array code uses Array.prototype as prototype when called as - // a function. Handle<JSFunction> array_function = InstallFunction(builtins, "InternalArray", JS_ARRAY_TYPE, JSArray::kSize, isolate()->initial_object_prototype(), - Builtins::kArrayCode, + Builtins::kInternalArrayCode, true); Handle<JSObject> prototype = factory()->NewJSObject(isolate()->object_function(), TENURED); @@ -1654,6 +1651,8 @@ bool Genesis::InstallNatives() { array_function->initial_map()->set_instance_descriptors( *array_descriptors); + + global_context()->set_internal_array_function(*array_function); } if (FLAG_disable_native_files) { diff --git a/deps/v8/src/builtins.cc b/deps/v8/src/builtins.cc index 4d874c54ff..916799499f 100644 --- a/deps/v8/src/builtins.cc +++ b/deps/v8/src/builtins.cc @@ -184,17 +184,17 @@ BUILTIN(EmptyFunction) { } -BUILTIN(ArrayCodeGeneric) { +static MaybeObject* ArrayCodeGenericCommon(Arguments* args, + Isolate* isolate, + JSFunction* constructor) { Heap* heap = isolate->heap(); isolate->counters()->array_function_runtime()->Increment(); JSArray* array; if (CalledAsConstructor(isolate)) { - array = JSArray::cast(*args.receiver()); + array = JSArray::cast((*args)[0]); } else { // Allocate the JS Array - JSFunction* constructor = - isolate->context()->global_context()->array_function(); Object* obj; { MaybeObject* maybe_obj = heap->AllocateJSObject(constructor); if (!maybe_obj->ToObject(&obj)) return maybe_obj; @@ -202,13 +202,10 @@ BUILTIN(ArrayCodeGeneric) { array = JSArray::cast(obj); } - // 'array' now contains the JSArray we should initialize. - ASSERT(array->HasFastTypeElements()); - // Optimize the case where there is one argument and the argument is a // small smi. - if (args.length() == 2) { - Object* obj = args[1]; + if (args->length() == 2) { + Object* obj = (*args)[1]; if (obj->IsSmi()) { int len = Smi::cast(obj)->value(); if (len >= 0 && len < JSObject::kInitialMaxFastElementArray) { @@ -225,18 +222,18 @@ BUILTIN(ArrayCodeGeneric) { { MaybeObject* maybe_obj = array->Initialize(0); if (!maybe_obj->ToObject(&obj)) return maybe_obj; } - return array->SetElementsLength(args[1]); + return array->SetElementsLength((*args)[1]); } // Optimize the case where there are no parameters passed. - if (args.length() == 1) { + if (args->length() == 1) { return array->Initialize(JSArray::kPreallocatedArrayElements); } // Set length and elements on the array. - int number_of_elements = args.length() - 1; + int number_of_elements = args->length() - 1; MaybeObject* maybe_object = - array->EnsureCanContainElements(&args, 1, number_of_elements, + array->EnsureCanContainElements(args, 1, number_of_elements, ALLOW_CONVERTED_DOUBLE_ELEMENTS); if (maybe_object->IsFailure()) return maybe_object; @@ -257,7 +254,7 @@ BUILTIN(ArrayCodeGeneric) { case FAST_SMI_ONLY_ELEMENTS: { FixedArray* smi_elms = FixedArray::cast(elms); for (int index = 0; index < number_of_elements; index++) { - smi_elms->set(index, args[index+1], SKIP_WRITE_BARRIER); + smi_elms->set(index, (*args)[index+1], SKIP_WRITE_BARRIER); } break; } @@ -266,14 +263,14 @@ BUILTIN(ArrayCodeGeneric) { WriteBarrierMode mode = elms->GetWriteBarrierMode(no_gc); FixedArray* object_elms = FixedArray::cast(elms); for (int index = 0; index < number_of_elements; index++) { - object_elms->set(index, args[index+1], mode); + object_elms->set(index, (*args)[index+1], mode); } break; } case FAST_DOUBLE_ELEMENTS: { FixedDoubleArray* double_elms = FixedDoubleArray::cast(elms); for (int index = 0; index < number_of_elements; index++) { - double_elms->set(index, args[index+1]->Number()); + double_elms->set(index, (*args)[index+1]->Number()); } break; } @@ -288,6 +285,22 @@ BUILTIN(ArrayCodeGeneric) { } +BUILTIN(InternalArrayCodeGeneric) { + return ArrayCodeGenericCommon( + &args, + isolate, + isolate->context()->global_context()->internal_array_function()); +} + + +BUILTIN(ArrayCodeGeneric) { + return ArrayCodeGenericCommon( + &args, + isolate, + isolate->context()->global_context()->array_function()); +} + + MUST_USE_RESULT static MaybeObject* AllocateJSArray(Heap* heap) { JSFunction* array_function = heap->isolate()->context()->global_context()->array_function(); diff --git a/deps/v8/src/builtins.h b/deps/v8/src/builtins.h index 3659f99126..6a84f2ddd1 100644 --- a/deps/v8/src/builtins.h +++ b/deps/v8/src/builtins.h @@ -44,6 +44,7 @@ enum BuiltinExtraArguments { \ V(EmptyFunction, NO_EXTRA_ARGUMENTS) \ \ + V(InternalArrayCodeGeneric, NO_EXTRA_ARGUMENTS) \ V(ArrayCodeGeneric, NO_EXTRA_ARGUMENTS) \ \ V(ArrayPush, NO_EXTRA_ARGUMENTS) \ @@ -178,6 +179,8 @@ enum BuiltinExtraArguments { V(FunctionApply, BUILTIN, UNINITIALIZED, \ Code::kNoExtraICState) \ \ + V(InternalArrayCode, BUILTIN, UNINITIALIZED, \ + Code::kNoExtraICState) \ V(ArrayCode, BUILTIN, UNINITIALIZED, \ Code::kNoExtraICState) \ V(ArrayConstructCode, BUILTIN, UNINITIALIZED, \ @@ -359,6 +362,7 @@ class Builtins { static void Generate_FunctionCall(MacroAssembler* masm); static void Generate_FunctionApply(MacroAssembler* masm); + static void Generate_InternalArrayCode(MacroAssembler* masm); static void Generate_ArrayCode(MacroAssembler* masm); static void Generate_ArrayConstructCode(MacroAssembler* masm); diff --git a/deps/v8/src/contexts.h b/deps/v8/src/contexts.h index 10ef33d1ac..eec86f125b 100644 --- a/deps/v8/src/contexts.h +++ b/deps/v8/src/contexts.h @@ -104,6 +104,7 @@ enum BindingFlags { V(STRING_FUNCTION_INDEX, JSFunction, string_function) \ V(STRING_FUNCTION_PROTOTYPE_MAP_INDEX, Map, string_function_prototype_map) \ V(OBJECT_FUNCTION_INDEX, JSFunction, object_function) \ + V(INTERNAL_ARRAY_FUNCTION_INDEX, JSFunction, internal_array_function) \ V(ARRAY_FUNCTION_INDEX, JSFunction, array_function) \ V(DATE_FUNCTION_INDEX, JSFunction, date_function) \ V(JSON_OBJECT_INDEX, JSObject, json_object) \ @@ -244,6 +245,7 @@ class Context: public FixedArray { STRING_FUNCTION_INDEX, STRING_FUNCTION_PROTOTYPE_MAP_INDEX, OBJECT_FUNCTION_INDEX, + INTERNAL_ARRAY_FUNCTION_INDEX, ARRAY_FUNCTION_INDEX, DATE_FUNCTION_INDEX, JSON_OBJECT_INDEX, diff --git a/deps/v8/src/ia32/builtins-ia32.cc b/deps/v8/src/ia32/builtins-ia32.cc index 28a9b0fadc..3d274f2e6b 100644 --- a/deps/v8/src/ia32/builtins-ia32.cc +++ b/deps/v8/src/ia32/builtins-ia32.cc @@ -1308,6 +1308,40 @@ static void ArrayNativeCode(MacroAssembler* masm, } +void Builtins::Generate_InternalArrayCode(MacroAssembler* masm) { + // ----------- S t a t e ------------- + // -- eax : argc + // -- esp[0] : return address + // -- esp[4] : last argument + // ----------------------------------- + Label generic_array_code; + + // Get the InternalArray function. + __ LoadGlobalFunction(Context::INTERNAL_ARRAY_FUNCTION_INDEX, edi); + + if (FLAG_debug_code) { + // Initial map for the builtin InternalArray function shoud be a map. + __ mov(ebx, FieldOperand(edi, JSFunction::kPrototypeOrInitialMapOffset)); + // Will both indicate a NULL and a Smi. + __ test(ebx, Immediate(kSmiTagMask)); + __ Assert(not_zero, "Unexpected initial map for InternalArray function"); + __ CmpObjectType(ebx, MAP_TYPE, ecx); + __ Assert(equal, "Unexpected initial map for InternalArray function"); + } + + // Run the native code for the InternalArray function called as a normal + // function. + ArrayNativeCode(masm, false, &generic_array_code); + + // Jump to the generic array code in case the specialized code cannot handle + // the construction. + __ bind(&generic_array_code); + Handle<Code> array_code = + masm->isolate()->builtins()->InternalArrayCodeGeneric(); + __ jmp(array_code, RelocInfo::CODE_TARGET); +} + + void Builtins::Generate_ArrayCode(MacroAssembler* masm) { // ----------- S t a t e ------------- // -- eax : argc diff --git a/deps/v8/src/objects-inl.h b/deps/v8/src/objects-inl.h index 7c7f094006..99a0bb08d2 100644 --- a/deps/v8/src/objects-inl.h +++ b/deps/v8/src/objects-inl.h @@ -1219,7 +1219,7 @@ void JSObject::ValidateSmiOnlyElements() { map != heap->free_space_map()) { for (int i = 0; i < fixed_array->length(); i++) { Object* current = fixed_array->get(i); - ASSERT(current->IsSmi() || current == heap->the_hole_value()); + ASSERT(current->IsSmi() || current->IsTheHole()); } } } @@ -1290,22 +1290,37 @@ MaybeObject* JSObject::EnsureCanContainElements(FixedArrayBase* elements, } -void JSObject::set_elements(FixedArrayBase* value, WriteBarrierMode mode) { +void JSObject::set_map_and_elements(Map* new_map, + FixedArrayBase* value, + WriteBarrierMode mode) { + ASSERT(value->HasValidElements()); +#ifdef DEBUG + ValidateSmiOnlyElements(); +#endif + if (new_map != NULL) { + if (mode == UPDATE_WRITE_BARRIER) { + set_map(new_map); + } else { + ASSERT(mode == SKIP_WRITE_BARRIER); + set_map_no_write_barrier(new_map); + } + } ASSERT((map()->has_fast_elements() || map()->has_fast_smi_only_elements()) == (value->map() == GetHeap()->fixed_array_map() || value->map() == GetHeap()->fixed_cow_array_map())); ASSERT(map()->has_fast_double_elements() == value->IsFixedDoubleArray()); - ASSERT(value->HasValidElements()); -#ifdef DEBUG - ValidateSmiOnlyElements(); -#endif WRITE_FIELD(this, kElementsOffset, value); CONDITIONAL_WRITE_BARRIER(GetHeap(), this, kElementsOffset, value, mode); } +void JSObject::set_elements(FixedArrayBase* value, WriteBarrierMode mode) { + set_map_and_elements(NULL, value, mode); +} + + void JSObject::initialize_properties() { ASSERT(!GetHeap()->InNewSpace(GetHeap()->empty_fixed_array())); WRITE_FIELD(this, kPropertiesOffset, GetHeap()->empty_fixed_array()); diff --git a/deps/v8/src/objects.cc b/deps/v8/src/objects.cc index ae5aa78cae..f3a543f077 100644 --- a/deps/v8/src/objects.cc +++ b/deps/v8/src/objects.cc @@ -8188,10 +8188,13 @@ MaybeObject* JSObject::SetFastElementsCapacityAndLength( Map* new_map = NULL; if (elements()->map() != heap->non_strict_arguments_elements_map()) { Object* object; + // The resized array has FAST_SMI_ONLY_ELEMENTS if the capacity mode forces + // it, or if it's allowed and the old elements array contained only SMIs. bool has_fast_smi_only_elements = - (set_capacity_mode == kAllowSmiOnlyElements) && - (elements()->map()->has_fast_smi_only_elements() || - elements() == heap->empty_fixed_array()); + (set_capacity_mode == kForceSmiOnlyElements) || + ((set_capacity_mode == kAllowSmiOnlyElements) && + (elements()->map()->has_fast_smi_only_elements() || + elements() == heap->empty_fixed_array())); ElementsKind elements_kind = has_fast_smi_only_elements ? FAST_SMI_ONLY_ELEMENTS : FAST_ELEMENTS; @@ -8209,8 +8212,7 @@ MaybeObject* JSObject::SetFastElementsCapacityAndLength( WriteBarrierMode mode(new_elements->GetWriteBarrierMode(no_gc)); CopyFastElementsToFast(FixedArray::cast(old_elements_raw), new_elements, mode); - set_map(new_map); - set_elements(new_elements); + set_map_and_elements(new_map, new_elements); break; } case DICTIONARY_ELEMENTS: { @@ -8219,8 +8221,7 @@ MaybeObject* JSObject::SetFastElementsCapacityAndLength( CopySlowElementsToFast(NumberDictionary::cast(old_elements_raw), new_elements, mode); - set_map(new_map); - set_elements(new_elements); + set_map_and_elements(new_map, new_elements); break; } case NON_STRICT_ARGUMENTS_ELEMENTS: { @@ -9241,11 +9242,20 @@ MaybeObject* JSObject::SetDictionaryElement(uint32_t index, } else { new_length = dictionary->max_number_key() + 1; } - MaybeObject* result = CanConvertToFastDoubleElements() + SetFastElementsCapacityMode set_capacity_mode = FLAG_smi_only_arrays + ? kAllowSmiOnlyElements + : kDontAllowSmiOnlyElements; + bool has_smi_only_elements = false; + bool should_convert_to_fast_double_elements = + ShouldConvertToFastDoubleElements(&has_smi_only_elements); + if (has_smi_only_elements) { + set_capacity_mode = kForceSmiOnlyElements; + } + MaybeObject* result = should_convert_to_fast_double_elements ? SetFastDoubleElementsCapacityAndLength(new_length, new_length) : SetFastElementsCapacityAndLength(new_length, new_length, - kDontAllowSmiOnlyElements); + set_capacity_mode); if (result->IsFailure()) return result; #ifdef DEBUG if (FLAG_trace_normalization) { @@ -9724,17 +9734,25 @@ bool JSObject::ShouldConvertToFastElements() { } -bool JSObject::CanConvertToFastDoubleElements() { +bool JSObject::ShouldConvertToFastDoubleElements( + bool* has_smi_only_elements) { + *has_smi_only_elements = false; if (FLAG_unbox_double_arrays) { ASSERT(HasDictionaryElements()); NumberDictionary* dictionary = NumberDictionary::cast(elements()); + bool found_double = false; for (int i = 0; i < dictionary->Capacity(); i++) { Object* key = dictionary->KeyAt(i); if (key->IsNumber()) { - if (!dictionary->ValueAt(i)->IsNumber()) return false; + Object* value = dictionary->ValueAt(i); + if (!value->IsNumber()) return false; + if (!value->IsSmi()) { + found_double = true; + } } } - return true; + *has_smi_only_elements = !found_double; + return found_double; } else { return false; } diff --git a/deps/v8/src/objects.h b/deps/v8/src/objects.h index 5346585bd3..a0e77cb86d 100644 --- a/deps/v8/src/objects.h +++ b/deps/v8/src/objects.h @@ -1473,6 +1473,11 @@ class JSObject: public JSReceiver { bool HasDictionaryArgumentsElements(); inline NumberDictionary* element_dictionary(); // Gets slow elements. + inline void set_map_and_elements( + Map* map, + FixedArrayBase* value, + WriteBarrierMode mode = UPDATE_WRITE_BARRIER); + // Requires: HasFastElements(). MUST_USE_RESULT inline MaybeObject* EnsureWritableFastElements(); @@ -1644,8 +1649,9 @@ class JSObject: public JSReceiver { // elements. bool ShouldConvertToFastElements(); // Returns true if the elements of JSObject contains only values that can be - // represented in a FixedDoubleArray. - bool CanConvertToFastDoubleElements(); + // represented in a FixedDoubleArray and has at least one value that can only + // be represented as a double and not a Smi. + bool ShouldConvertToFastDoubleElements(bool* has_smi_only_elements); // Tells whether the index'th element is present. bool HasElementWithReceiver(JSReceiver* receiver, uint32_t index); @@ -1708,6 +1714,7 @@ class JSObject: public JSReceiver { enum SetFastElementsCapacityMode { kAllowSmiOnlyElements, + kForceSmiOnlyElements, kDontAllowSmiOnlyElements }; diff --git a/deps/v8/src/runtime.cc b/deps/v8/src/runtime.cc index 544b210c0b..fb46114f66 100644 --- a/deps/v8/src/runtime.cc +++ b/deps/v8/src/runtime.cc @@ -9229,22 +9229,6 @@ static void PrintTransition(Object* result) { } -RUNTIME_FUNCTION(MaybeObject*, Runtime_TraceElementsKindTransition) { - ASSERT(args.length() == 5); - CONVERT_ARG_CHECKED(JSObject, obj, 0); - CONVERT_SMI_ARG_CHECKED(from_kind, 1); - CONVERT_ARG_CHECKED(FixedArrayBase, from_elements, 2); - CONVERT_SMI_ARG_CHECKED(to_kind, 3); - CONVERT_ARG_CHECKED(FixedArrayBase, to_elements, 4); - NoHandleAllocation ha; - PrintF("*"); - obj->PrintElementsTransition(stdout, - static_cast<ElementsKind>(from_kind), *from_elements, - static_cast<ElementsKind>(to_kind), *to_elements); - return isolate->heap()->undefined_value(); -} - - RUNTIME_FUNCTION(MaybeObject*, Runtime_TraceEnter) { ASSERT(args.length() == 0); NoHandleAllocation ha; diff --git a/deps/v8/src/runtime.h b/deps/v8/src/runtime.h index ff0ddbabe6..c915cf38da 100644 --- a/deps/v8/src/runtime.h +++ b/deps/v8/src/runtime.h @@ -341,7 +341,6 @@ namespace internal { /* Debugging */ \ F(DebugPrint, 1, 1) \ F(DebugTrace, 0, 1) \ - F(TraceElementsKindTransition, 5, 1) \ F(TraceEnter, 0, 1) \ F(TraceExit, 1, 1) \ F(Abort, 2, 1) \ diff --git a/deps/v8/src/version.cc b/deps/v8/src/version.cc index 0b296c0b71..46b2b1a3d5 100644 --- a/deps/v8/src/version.cc +++ b/deps/v8/src/version.cc @@ -34,7 +34,7 @@ // cannot be changed without changing the SCons build script. #define MAJOR_VERSION 3 #define MINOR_VERSION 8 -#define BUILD_NUMBER 3 +#define BUILD_NUMBER 4 #define PATCH_LEVEL 0 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff --git a/deps/v8/src/x64/builtins-x64.cc b/deps/v8/src/x64/builtins-x64.cc index 1719496c85..dff55fb74d 100644 --- a/deps/v8/src/x64/builtins-x64.cc +++ b/deps/v8/src/x64/builtins-x64.cc @@ -1327,6 +1327,41 @@ static void ArrayNativeCode(MacroAssembler* masm, } +void Builtins::Generate_InternalArrayCode(MacroAssembler* masm) { + // ----------- S t a t e ------------- + // -- rax : argc + // -- rsp[0] : return address + // -- rsp[8] : last argument + // ----------------------------------- + Label generic_array_code; + + // Get the InternalArray function. + __ LoadGlobalFunction(Context::INTERNAL_ARRAY_FUNCTION_INDEX, rdi); + + if (FLAG_debug_code) { + // Initial map for the builtin InternalArray functions should be maps. + __ movq(rbx, FieldOperand(rdi, JSFunction::kPrototypeOrInitialMapOffset)); + // Will both indicate a NULL and a Smi. + STATIC_ASSERT(kSmiTag == 0); + Condition not_smi = NegateCondition(masm->CheckSmi(rbx)); + __ Check(not_smi, "Unexpected initial map for InternalArray function"); + __ CmpObjectType(rbx, MAP_TYPE, rcx); + __ Check(equal, "Unexpected initial map for InternalArray function"); + } + + // Run the native code for the InternalArray function called as a normal + // function. + ArrayNativeCode(masm, &generic_array_code); + + // Jump to the generic array code in case the specialized code cannot handle + // the construction. + __ bind(&generic_array_code); + Handle<Code> array_code = + masm->isolate()->builtins()->InternalArrayCodeGeneric(); + __ Jump(array_code, RelocInfo::CODE_TARGET); +} + + void Builtins::Generate_ArrayCode(MacroAssembler* masm) { // ----------- S t a t e ------------- // -- rax : argc diff --git a/deps/v8/test/mjsunit/regress/regress-1849.js b/deps/v8/test/mjsunit/regress/regress-1849.js new file mode 100644 index 0000000000..176f918b93 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-1849.js @@ -0,0 +1,39 @@ +// Copyright 2011 the V8 project authors. All rights reserved. +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials provided +// with the distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived +// from this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +// See: http://code.google.com/p/v8/issues/detail?id=1878 + +// Flags: --allow-natives-syntax + +var count = 1e5; +var arr = new Array(count); +assertFalse(%HasFastDoubleElements(arr)); +for (var i = 0; i < count; i++) { + arr[i] = 0; +} +assertFalse(%HasFastDoubleElements(arr)); +assertTrue(%HasFastSmiOnlyElements(arr)); diff --git a/deps/v8/test/mjsunit/regress/regress-1878.js b/deps/v8/test/mjsunit/regress/regress-1878.js new file mode 100644 index 0000000000..1b3c63aeb1 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-1878.js @@ -0,0 +1,34 @@ +// Copyright 2009 the V8 project authors. All rights reserved. +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials provided +// with the distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived +// from this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +// See: http://code.google.com/p/v8/issues/detail?id=1878 + +// Flags: --allow-natives-syntax --expose_natives_as=natives + +var a = Array(); +var ai = natives.InternalArray(); +assertFalse(%HaveSameMap(ai, a)); diff --git a/deps/v8/test/mjsunit/regress/regress-95113.js b/deps/v8/test/mjsunit/regress/regress-95113.js index f01b27004c..468bff84c2 100644 --- a/deps/v8/test/mjsunit/regress/regress-95113.js +++ b/deps/v8/test/mjsunit/regress/regress-95113.js @@ -32,7 +32,7 @@ function get_double_array() { var i = 0; while (!%HasFastDoubleElements(a)) { a[i] = i; - i++; + i += 0.5; } assertTrue(%HasFastDoubleElements(a)); a.length = 1; |