Revision: 19673
Author:   [email protected]
Date:     Wed Mar  5 12:32:33 2014 UTC
Log:      Merged r18564, r19545, r19668, r19670 into 3.23 branch.

Use unsigned integer arithmetic in Zone::NewExpand.

Mark HCompareMap as having Tagged representation

x64: Fix LMathMinMax for constant Smi right-hand operands

Handle exception when retrieving toJSON function in JSON.stringify.

BUG=328202,chromium:346636,chromium:349079,349335
LOG=N
[email protected]

Review URL: https://codereview.chromium.org/184983006
http://code.google.com/p/v8/source/detail?r=19673

Added:
 /branches/3.23/test/mjsunit/regress/regress-crbug-346636.js
 /branches/3.23/test/mjsunit/regress/regress-crbug-349079.js
Modified:
 /branches/3.23/src/hydrogen-instructions.h
 /branches/3.23/src/json-stringifier.h
 /branches/3.23/src/version.cc
 /branches/3.23/src/x64/lithium-x64.cc
 /branches/3.23/src/zone.cc
 /branches/3.23/test/mjsunit/json2.js

=======================================
--- /dev/null
+++ /branches/3.23/test/mjsunit/regress/regress-crbug-346636.js Wed Mar 5 12:32:33 2014 UTC
@@ -0,0 +1,31 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function assertSame(expected, found) {
+  if (found === expected) {
+    if (expected !== 0 || (1 / expected) == (1 / found)) return;
+  }
+  return;
+};
+
+function foo(x) {
+  return x.bar;
+}
+
+function getter1() {
+  assertSame(this, this);
+}
+var o1 = Object.defineProperty({}, "bar", { get: getter1 });
+foo(o1);
+foo(o1);
+
+function getter2() {
+  assertSame(this, this);
+}
+var o2 = Object.defineProperty({}, "bar", { get: getter2 });
+foo(o2);
+%OptimizeFunctionOnNextCall(foo);
+foo(o2);
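Review bot: The local `assertSame` defined at the top of this new test returns on every path, so it can never fail; the file only checks that the optimized `foo(o2)` call does not crash. That looks deliberate for a crash regression, but nothing says so, and the name shadows the mjsunit helper of the same name. A leading comment such as `// Stub: never throws. The test passes if the optimized foo() call completes without crashing.` would stop a later reader from treating these calls as real assertions. The same applies to the `assertEquals` stub in regress-crbug-349079.js, whose boolean result is discarded by every call in `crash()`.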
=======================================
--- /dev/null
+++ /branches/3.23/test/mjsunit/regress/regress-crbug-349079.js Wed Mar 5 12:32:33 2014 UTC
@@ -0,0 +1,23 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function assertEquals(expected, found) {
+  return found === expected;
+};
+%NeverOptimizeFunction(assertEquals);
+
+function crash() {
+  var a = 1;
+  var b = -0;
+  var c = 1.5;
+  assertEquals(b, Math.max(b++, c++));
+  assertEquals(c, Math.min(b++, c++));
+  assertEquals(b, Math.max(b++, a++));
+}
+crash();
+crash();
+%OptimizeFunctionOnNextCall(crash);
+crash();
=======================================
--- /branches/3.23/src/hydrogen-instructions.h  Tue Jan 28 10:48:19 2014 UTC
+++ /branches/3.23/src/hydrogen-instructions.h  Wed Mar  5 12:32:33 2014 UTC
@@ -1548,6 +1548,7 @@
       : HUnaryControlInstruction(value, true_target, false_target),
         map_(Unique<Map>(map)) {
     ASSERT(!map.is_null());
+    set_representation(Representation::Tagged());
   }

   Unique<Map> map_;
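Review bot: The added `set_representation(Representation::Tagged());` has no comment explaining why this instruction must be Tagged, and the log only states the change without the reason. A one-line comment, for example `// The map comparison needs a tagged value as input.` (wording to be confirmed by the author), would protect the line from being dropped in a later cleanup. The constructor begins outside the hunk, so it is not visible here whether any other HCompareMap constructor needs the same call.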
=======================================
--- /branches/3.23/src/json-stringifier.h       Wed Sep 11 08:25:48 2013 UTC
+++ /branches/3.23/src/json-stringifier.h       Wed Mar  5 12:32:33 2014 UTC
@@ -360,6 +360,7 @@
   PropertyAttributes attr;
   Handle<Object> fun =
       Object::GetProperty(object, object, &lookup, tojson_string_, &attr);
+  if (fun.is_null()) return Handle<Object>::null();
   if (!fun->IsJSFunction()) return object;

   // Call toJSON function.
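Review bot: The new early return `if (fun.is_null()) return Handle<Object>::null();` hands a null handle back to the caller with no comment on what that means. Judging by the log message, a null `fun` indicates that retrieving `toJSON` threw, so the null return presumably propagates a pending exception; a comment like `// Lookup threw (e.g. a throwing getter); propagate the pending exception.` would make that contract explicit. The function's signature and its callers are outside the hunk, so each call site should be checked to confirm it tests the result for null before dereferencing it.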
=======================================
--- /branches/3.23/src/version.cc       Tue Mar  4 13:31:27 2014 UTC
+++ /branches/3.23/src/version.cc       Wed Mar  5 12:32:33 2014 UTC
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     23
 #define BUILD_NUMBER      17
-#define PATCH_LEVEL       21
+#define PATCH_LEVEL       22
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
=======================================
--- /branches/3.23/src/x64/lithium-x64.cc       Tue Dec  3 08:00:39 2013 UTC
+++ /branches/3.23/src/x64/lithium-x64.cc       Wed Mar  5 12:32:33 2014 UTC
@@ -1585,15 +1585,16 @@
 LInstruction* LChunkBuilder::DoMathMinMax(HMathMinMax* instr) {
   LOperand* left = NULL;
   LOperand* right = NULL;
-  if (instr->representation().IsSmiOrInteger32()) {
 - ASSERT(instr->left()->representation().Equals(instr->representation()));
 - ASSERT(instr->right()->representation().Equals(instr->representation()));
+  ASSERT(instr->left()->representation().Equals(instr->representation()));
+  ASSERT(instr->right()->representation().Equals(instr->representation()));
+  if (instr->representation().IsSmi()) {
+    left = UseRegisterAtStart(instr->BetterLeftOperand());
+    right = UseAtStart(instr->BetterRightOperand());
+  } else if (instr->representation().IsInteger32()) {
     left = UseRegisterAtStart(instr->BetterLeftOperand());
     right = UseOrConstantAtStart(instr->BetterRightOperand());
   } else {
     ASSERT(instr->representation().IsDouble());
-    ASSERT(instr->left()->representation().IsDouble());
-    ASSERT(instr->right()->representation().IsDouble());
     left = UseRegisterAtStart(instr->left());
     right = UseRegisterAtStart(instr->right());
   }
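Review bot: The Smi and Integer32 branches now differ only in `UseAtStart` versus `UseOrConstantAtStart` for the right operand, and nothing in the code says why a constant is disallowed for Smi. Without that, a later cleanup could merge the two branches again and reintroduce the crash covered by regress-crbug-349079.js. A comment on the Smi branch such as `// A constant Smi right operand is not handled here; force it into a register or stack slot.` would record the constraint, though the code generator that consumes these operands is not in this diff, so the exact wording should be checked against it. The function body continues past the end of the hunk.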
=======================================
--- /branches/3.23/src/zone.cc  Mon Jul  8 08:38:06 2013 UTC
+++ /branches/3.23/src/zone.cc  Wed Mar  5 12:32:33 2014 UTC
@@ -185,25 +185,31 @@
   // except that we employ a maximum segment size when we delete. This
   // is to avoid excessive malloc() and free() overhead.
   Segment* head = segment_head_;
-  int old_size = (head == NULL) ? 0 : head->size();
-  static const int kSegmentOverhead = sizeof(Segment) + kAlignment;
-  int new_size_no_overhead = size + (old_size << 1);
-  int new_size = kSegmentOverhead + new_size_no_overhead;
+  const size_t old_size = (head == NULL) ? 0 : head->size();
+  static const size_t kSegmentOverhead = sizeof(Segment) + kAlignment;
+  const size_t new_size_no_overhead = size + (old_size << 1);
+  size_t new_size = kSegmentOverhead + new_size_no_overhead;
+  const size_t min_new_size = kSegmentOverhead + static_cast<size_t>(size);
   // Guard against integer overflow.
-  if (new_size_no_overhead < size || new_size < kSegmentOverhead) {
+  if (new_size_no_overhead < static_cast<size_t>(size) ||
+      new_size < static_cast<size_t>(kSegmentOverhead)) {
     V8::FatalProcessOutOfMemory("Zone");
     return NULL;
   }
-  if (new_size < kMinimumSegmentSize) {
+  if (new_size < static_cast<size_t>(kMinimumSegmentSize)) {
     new_size = kMinimumSegmentSize;
-  } else if (new_size > kMaximumSegmentSize) {
+  } else if (new_size > static_cast<size_t>(kMaximumSegmentSize)) {
     // Limit the size of new segments to avoid growing the segment size
// exponentially, thus putting pressure on contiguous virtual address space.
// All the while making sure to allocate a segment large enough to hold the
     // requested size.
-    new_size = Max(kSegmentOverhead + size, kMaximumSegmentSize);
+    new_size = Max(min_new_size, static_cast<size_t>(kMaximumSegmentSize));
+  }
+  if (new_size > INT_MAX) {
+    V8::FatalProcessOutOfMemory("Zone");
+    return NULL;
   }
-  Segment* segment = NewSegment(new_size);
+  Segment* segment = NewSegment(static_cast<int>(new_size));
   if (segment == NULL) {
     V8::FatalProcessOutOfMemory("Zone");
     return NULL;
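Review bot: A negative `size` is never rejected by name; it is converted with `static_cast<size_t>(size)` and appears to be caught only indirectly, by the wraparound guard or by the new `new_size > INT_MAX` check, depending on its value. The casts suggest `size` is a signed int, but the signature is outside the hunk; if so, adding `size < 0 ||` at the front of the overflow guard would make the intent explicit rather than relying on unsigned wraparound. Separately, the cast in `new_size < static_cast<size_t>(kSegmentOverhead)` is redundant, because kSegmentOverhead is declared `static const size_t` a few lines earlier in the same hunk. The `INT_MAX` check would also benefit from a comment saying the limit exists because the value is narrowed by `static_cast<int>(new_size)` for NewSegment.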
@@ -213,7 +219,10 @@
   Address result = RoundUp(segment->start(), kAlignment);
   position_ = result + size;
   // Check for address overflow.
-  if (position_ < result) {
+  // (Should not happen since the segment is guaranteed to accomodate
+  // size bytes + header and alignment padding)
+  if (reinterpret_cast<uintptr_t>(position_)
+      < reinterpret_cast<uintptr_t>(result)) {
     V8::FatalProcessOutOfMemory("Zone");
     return NULL;
   }
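Review bot: The address-overflow test still runs after `position_ = result + size;` has formed the pointer, so casting both sides to uintptr_t in the comparison does not remove the out-of-range pointer arithmetic the check is meant to detect. Doing the addition on integers first keeps the test well defined: `if (reinterpret_cast<uintptr_t>(result) + size < reinterpret_cast<uintptr_t>(result))`, placed before the assignment to `position_`. The added comment also misspells "accommodate". The function starts and ends outside this hunk.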
=======================================
--- /branches/3.23/test/mjsunit/json2.js        Tue Nov 26 13:50:38 2013 UTC
+++ /branches/3.23/test/mjsunit/json2.js        Wed Mar  5 12:32:33 2014 UTC
@@ -105,6 +105,10 @@
                           a: 1 };
 TestStringify('321', tojson_via_getter);

+assertThrows(function() {
+  JSON.stringify({ get toJSON() { throw "error"; } });
+});
+
 // Test toJSON with key.
 tojson_obj = { toJSON: function(key) { return key + key; } };
 var tojson_with_key_1 = { a: tojson_obj, b: tojson_obj };
