Revision: 20441
Author: [email protected]
Date: Wed Apr 2 15:32:54 2014 UTC
Log: Merged r19804, r19890, r19894, r19935 into 3.24 branch.
fix bad access check check
Check that constant is an integer before getting its value in
HGraphBuilder::MatchRotateRight.
Simplify GetEnumPropertyKeys and avoid trimming fixed arrays in large
object space.
Fix generalization with callbacks.
BUG=351263,352070,352588
LOG=N
[email protected]
Review URL: https://codereview.chromium.org/222213004
http://code.google.com/p/v8/source/detail?r=20441
Added:
/branches/3.24/test/mjsunit/regress/regress-351263.js
/branches/3.24/test/mjsunit/regress/regress-crbug-351262.js
/branches/3.24/test/mjsunit/regress/regress-migrate-callbacks.js
Modified:
/branches/3.24/src/handles.cc
/branches/3.24/src/hydrogen.cc
/branches/3.24/src/objects.cc
/branches/3.24/src/objects.h
/branches/3.24/src/version.cc
=======================================
--- /dev/null
+++ /branches/3.24/test/mjsunit/regress/regress-351263.js Wed Apr 2
15:32:54 2014 UTC
@@ -0,0 +1,37 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+var __v_12 = {};
+function __f_30(x, sa) {
+ return (x >>> sa) | (x << (__v_12 - sa));
+}
+__f_30(1.4, 1);
+__f_30(1.4, 1);
+%OptimizeFunctionOnNextCall(__f_30);
+__f_30(1.4, 1);
=======================================
--- /dev/null
+++ /branches/3.24/test/mjsunit/regress/regress-crbug-351262.js Wed Apr 2
15:32:54 2014 UTC
@@ -0,0 +1,6 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+for (var x in this) {};
+JSON.stringify(this);
=======================================
--- /dev/null
+++ /branches/3.24/test/mjsunit/regress/regress-migrate-callbacks.js Wed
Apr 2 15:32:54 2014 UTC
@@ -0,0 +1,11 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var o1 = {};
+o1.x = 1
+o1.y = 1.5
+var o2 = {}
+o2.x = 1.5;
+o2.__defineSetter__('y', function(v) { });
+o1.y;
=======================================
--- /branches/3.24/src/handles.cc Thu Jan 16 08:22:55 2014 UTC
+++ /branches/3.24/src/handles.cc Wed Apr 2 15:32:54 2014 UTC
@@ -712,35 +712,12 @@
return ReduceFixedArrayTo(storage, enum_size);
} else {
Handle<NameDictionary> dictionary(object->property_dictionary());
-
- int length = dictionary->NumberOfElements();
+ int length = dictionary->NumberOfEnumElements();
if (length == 0) {
return Handle<FixedArray>(isolate->heap()->empty_fixed_array());
}
-
- // The enumeration array is generated by allocating an array big
enough to
- // hold all properties that have been seen, whether they are are
deleted or
- // not. Subsequently all visible properties are added to the array. If
some
- // properties were not visible, the array is trimmed so it only
contains
- // visible properties. This improves over adding elements and sorting
by
- // index by having linear complexity rather than n*log(n).
-
- // By comparing the monotonous NextEnumerationIndex to the
NumberOfElements,
- // we can predict the number of holes in the final array. If there
will be
- // more than 50% holes, regenerate the enumeration indices to reduce
the
- // number of holes to a minimum. This avoids allocating a large array
if
- // many properties were added but subsequently deleted.
- int next_enumeration = dictionary->NextEnumerationIndex();
- if (!object->IsGlobalObject() && next_enumeration > (length * 3) / 2) {
- NameDictionary::DoGenerateNewEnumerationIndices(dictionary);
- next_enumeration = dictionary->NextEnumerationIndex();
- }
-
- Handle<FixedArray> storage =
- isolate->factory()->NewFixedArray(next_enumeration);
-
- storage = Handle<FixedArray>(dictionary->CopyEnumKeysTo(*storage));
- ASSERT(storage->length() ==
object->NumberOfLocalProperties(DONT_SHOW));
+ Handle<FixedArray> storage = isolate->factory()->NewFixedArray(length);
+ dictionary->CopyEnumKeysTo(*storage);
return storage;
}
}
=======================================
--- /branches/3.24/src/hydrogen.cc Mon Mar 31 11:02:42 2014 UTC
+++ /branches/3.24/src/hydrogen.cc Wed Apr 2 15:32:54 2014 UTC
@@ -8944,13 +8944,7 @@
}
if (!const32_minus_sa->IsSub()) return false;
HSub* sub = HSub::cast(const32_minus_sa);
- if (sa != sub->right()) return false;
- HValue* const32 = sub->left();
- if (!const32->IsConstant() ||
- HConstant::cast(const32)->Integer32Value() != 32) {
- return false;
- }
- return (sub->right() == sa);
+ return sub->left()->EqualsInteger32Constant(32) && sub->right() == sa;
}
=======================================
--- /branches/3.24/src/objects.cc Tue Mar 4 13:24:52 2014 UTC
+++ /branches/3.24/src/objects.cc Wed Apr 2 15:32:54 2014 UTC
@@ -2625,6 +2625,8 @@
current->instance_descriptors()->GetValue(i)) {
return NULL;
}
+ } else if (target_details.type() == CALLBACKS) {
+ return NULL;
}
}
@@ -5913,9 +5915,9 @@
JSObject* curr = JSObject::cast(o);
int enum_length = curr->map()->EnumLength();
if (enum_length == kInvalidEnumCacheSentinel) return false;
+ if (curr->IsAccessCheckNeeded()) return false;
ASSERT(!curr->HasNamedInterceptor());
ASSERT(!curr->HasIndexedInterceptor());
- ASSERT(!curr->IsAccessCheckNeeded());
if (curr->NumberOfEnumElements() > 0) return false;
if (curr != this && enum_length != 0) return false;
}
@@ -15531,7 +15533,7 @@
template<typename Shape, typename Key>
int Dictionary<Shape, Key>::NumberOfEnumElements() {
return NumberOfElementsFilterAttributes(
- static_cast<PropertyAttributes>(DONT_ENUM));
+ static_cast<PropertyAttributes>(DONT_ENUM | SYMBOLIC));
}
@@ -15559,45 +15561,38 @@
}
-FixedArray* NameDictionary::CopyEnumKeysTo(FixedArray* storage) {
+struct EnumIndexComparator {
+ explicit EnumIndexComparator(NameDictionary* dict) : dict(dict) { }
+ bool operator() (Smi* a, Smi* b) {
+ PropertyDetails da(dict->DetailsAt(a->value()));
+ PropertyDetails db(dict->DetailsAt(b->value()));
+ return da.dictionary_index() < db.dictionary_index();
+ }
+ NameDictionary* dict;
+};
+
+
+void NameDictionary::CopyEnumKeysTo(FixedArray* storage) {
int length = storage->length();
- ASSERT(length >= NumberOfEnumElements());
- Heap* heap = GetHeap();
- Object* undefined_value = heap->undefined_value();
int capacity = Capacity();
int properties = 0;
-
- // Fill in the enumeration array by assigning enumerable keys at their
- // enumeration index. This will leave holes in the array if there are
keys
- // that are deleted or not enumerable.
for (int i = 0; i < capacity; i++) {
Object* k = KeyAt(i);
if (IsKey(k) && !k->IsSymbol()) {
PropertyDetails details = DetailsAt(i);
if (details.IsDeleted() || details.IsDontEnum()) continue;
+ storage->set(properties, Smi::FromInt(i));
properties++;
- storage->set(details.dictionary_index() - 1, k);
if (properties == length) break;
}
}
-
- // There are holes in the enumeration array if less properties were
assigned
- // than the length of the array. If so, crunch all the existing
properties
- // together by shifting them to the left (maintaining the enumeration
order),
- // and trimming of the right side of the array.
- if (properties < length) {
- if (properties == 0) return heap->empty_fixed_array();
- properties = 0;
- for (int i = 0; i < length; ++i) {
- Object* value = storage->get(i);
- if (value != undefined_value) {
- storage->set(properties, value);
- ++properties;
- }
- }
- RightTrimFixedArray<FROM_MUTATOR>(heap, storage, length - properties);
+ EnumIndexComparator cmp(this);
+ Smi** start = reinterpret_cast<Smi**>(storage->GetFirstElementAddress());
+ std::sort(start, start + length, cmp);
+ for (int i = 0; i < length; i++) {
+ int index = Smi::cast(storage->get(i))->value();
+ storage->set(i, KeyAt(index));
}
- return storage;
}
=======================================
--- /branches/3.24/src/objects.h Wed Feb 26 08:17:48 2014 UTC
+++ /branches/3.24/src/objects.h Wed Apr 2 15:32:54 2014 UTC
@@ -3958,7 +3958,7 @@
}
// Copies enumerable keys to preallocated fixed array.
- FixedArray* CopyEnumKeysTo(FixedArray* storage);
+ void CopyEnumKeysTo(FixedArray* storage);
static void DoGenerateNewEnumerationIndices(
Handle<NameDictionary> dictionary);
=======================================
--- /branches/3.24/src/version.cc Tue Apr 1 08:16:35 2014 UTC
+++ /branches/3.24/src/version.cc Wed Apr 2 15:32:54 2014 UTC
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 24
#define BUILD_NUMBER 35
-#define PATCH_LEVEL 22
+#define PATCH_LEVEL 23
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
