Merge from Chromium at DEPS revision 33.0.1750.166
This commit was generated by merge_to_master.py.
Change-Id: I30a88cd49b38f638f536f0f8773d7621ad0931d9
diff --git a/src/arraybuffer.js b/src/arraybuffer.js
index 6125f0f..cfaa8d7 100644
--- a/src/arraybuffer.js
+++ b/src/arraybuffer.js
@@ -57,17 +57,18 @@
var relativeStart = TO_INTEGER(start);
var first;
+ var byte_length = %ArrayBufferGetByteLength(this);
if (relativeStart < 0) {
- first = MathMax(this.byteLength + relativeStart, 0);
+ first = MathMax(byte_length + relativeStart, 0);
} else {
- first = MathMin(relativeStart, this.byteLength);
+ first = MathMin(relativeStart, byte_length);
}
- var relativeEnd = IS_UNDEFINED(end) ? this.byteLength : TO_INTEGER(end);
+ var relativeEnd = IS_UNDEFINED(end) ? byte_length : TO_INTEGER(end);
var fin;
if (relativeEnd < 0) {
- fin = MathMax(this.byteLength + relativeEnd, 0);
+ fin = MathMax(byte_length + relativeEnd, 0);
} else {
- fin = MathMin(relativeEnd, this.byteLength);
+ fin = MathMin(relativeEnd, byte_length);
}
if (fin < first) {
diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h
index 749e3a7..b154dcc 100644
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@@ -1548,6 +1548,7 @@
: HUnaryControlInstruction(value, true_target, false_target),
map_(Unique<Map>(map)) {
ASSERT(!map.is_null());
+ set_representation(Representation::Tagged());
}
Unique<Map> map_;
diff --git a/src/json-stringifier.h b/src/json-stringifier.h
index 0d17b35..4510c4b 100644
--- a/src/json-stringifier.h
+++ b/src/json-stringifier.h
@@ -360,6 +360,7 @@
PropertyAttributes attr;
Handle<Object> fun =
Object::GetProperty(object, object, &lookup, tojson_string_, &attr);
+ if (fun.is_null()) return Handle<Object>::null();
if (!fun->IsJSFunction()) return object;
// Call toJSON function.
diff --git a/src/mark-compact.cc b/src/mark-compact.cc
index 0e6b980..07bcb76 100644
--- a/src/mark-compact.cc
+++ b/src/mark-compact.cc
@@ -2594,6 +2594,7 @@
Object* prototype = prototype_transitions->get(proto_offset + i * step);
Object* cached_map = prototype_transitions->get(map_offset + i * step);
if (IsMarked(prototype) && IsMarked(cached_map)) {
+ ASSERT(!prototype->IsUndefined());
int proto_index = proto_offset + new_number_of_transitions * step;
int map_index = map_offset + new_number_of_transitions * step;
if (new_number_of_transitions != i) {
diff --git a/src/objects.cc b/src/objects.cc
index 832ddc1..e978878 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -11609,7 +11609,7 @@
cache->set(entry + kProtoTransitionPrototypeOffset, *prototype);
cache->set(entry + kProtoTransitionMapOffset, *target_map);
- map->SetNumberOfProtoTransitions(transitions);
+ map->SetNumberOfProtoTransitions(last + 1);
return map;
}
diff --git a/src/runtime.cc b/src/runtime.cc
index c909f34..8333380 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -980,6 +980,10 @@
Runtime::ArrayIdToTypeAndSize(arrayId, &array_type, &element_size);
Handle<JSArrayBuffer> buffer = isolate->factory()->NewJSArrayBuffer();
+ if (source->IsJSTypedArray() &&
+ JSTypedArray::cast(*source)->type() == array_type) {
+ length_obj = Handle<Object>(JSTypedArray::cast(*source)->length(), isolate);
+ }
size_t length = NumberToSize(isolate, *length_obj);
if ((length > static_cast<unsigned>(Smi::kMaxValue)) ||
diff --git a/src/typedarray.js b/src/typedarray.js
index 21dd9c8..0a06ebb 100644
--- a/src/typedarray.js
+++ b/src/typedarray.js
@@ -49,7 +49,7 @@
macro TYPED_ARRAY_CONSTRUCTOR(ARRAY_ID, NAME, ELEMENT_SIZE)
function NAMEConstructByArrayBuffer(obj, buffer, byteOffset, length) {
- var bufferByteLength = buffer.byteLength;
+ var bufferByteLength = %ArrayBufferGetByteLength(buffer);
var offset;
if (IS_UNDEFINED(byteOffset)) {
offset = 0;
@@ -313,7 +313,7 @@
if (!IS_ARRAYBUFFER(buffer)) {
throw MakeTypeError('data_view_not_array_buffer', []);
}
- var bufferByteLength = buffer.byteLength;
+ var bufferByteLength = %ArrayBufferGetByteLength(buffer);
var offset = IS_UNDEFINED(byteOffset) ?
0 : ToPositiveInteger(byteOffset, 'invalid_data_view_offset');
if (offset > bufferByteLength) {
diff --git a/src/version.cc b/src/version.cc
index ab033e0..161f1e0 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 23
#define BUILD_NUMBER 17
-#define PATCH_LEVEL 20
+#define PATCH_LEVEL 23
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
diff --git a/src/x64/lithium-x64.cc b/src/x64/lithium-x64.cc
index 0f7ebc4..473e93d 100644
--- a/src/x64/lithium-x64.cc
+++ b/src/x64/lithium-x64.cc
@@ -1585,15 +1585,16 @@
LInstruction* LChunkBuilder::DoMathMinMax(HMathMinMax* instr) {
LOperand* left = NULL;
LOperand* right = NULL;
- if (instr->representation().IsSmiOrInteger32()) {
- ASSERT(instr->left()->representation().Equals(instr->representation()));
- ASSERT(instr->right()->representation().Equals(instr->representation()));
+ ASSERT(instr->left()->representation().Equals(instr->representation()));
+ ASSERT(instr->right()->representation().Equals(instr->representation()));
+ if (instr->representation().IsSmi()) {
+ left = UseRegisterAtStart(instr->BetterLeftOperand());
+ right = UseAtStart(instr->BetterRightOperand());
+ } else if (instr->representation().IsInteger32()) {
left = UseRegisterAtStart(instr->BetterLeftOperand());
right = UseOrConstantAtStart(instr->BetterRightOperand());
} else {
ASSERT(instr->representation().IsDouble());
- ASSERT(instr->left()->representation().IsDouble());
- ASSERT(instr->right()->representation().IsDouble());
left = UseRegisterAtStart(instr->left());
right = UseRegisterAtStart(instr->right());
}
diff --git a/src/zone.cc b/src/zone.cc
index 9ee00ed..417f895 100644
--- a/src/zone.cc
+++ b/src/zone.cc
@@ -185,25 +185,31 @@
// except that we employ a maximum segment size when we delete. This
// is to avoid excessive malloc() and free() overhead.
Segment* head = segment_head_;
- int old_size = (head == NULL) ? 0 : head->size();
- static const int kSegmentOverhead = sizeof(Segment) + kAlignment;
- int new_size_no_overhead = size + (old_size << 1);
- int new_size = kSegmentOverhead + new_size_no_overhead;
+ const size_t old_size = (head == NULL) ? 0 : head->size();
+ static const size_t kSegmentOverhead = sizeof(Segment) + kAlignment;
+ const size_t new_size_no_overhead = size + (old_size << 1);
+ size_t new_size = kSegmentOverhead + new_size_no_overhead;
+ const size_t min_new_size = kSegmentOverhead + static_cast<size_t>(size);
// Guard against integer overflow.
- if (new_size_no_overhead < size || new_size < kSegmentOverhead) {
+ if (new_size_no_overhead < static_cast<size_t>(size) ||
+ new_size < static_cast<size_t>(kSegmentOverhead)) {
V8::FatalProcessOutOfMemory("Zone");
return NULL;
}
- if (new_size < kMinimumSegmentSize) {
+ if (new_size < static_cast<size_t>(kMinimumSegmentSize)) {
new_size = kMinimumSegmentSize;
- } else if (new_size > kMaximumSegmentSize) {
+ } else if (new_size > static_cast<size_t>(kMaximumSegmentSize)) {
// Limit the size of new segments to avoid growing the segment size
// exponentially, thus putting pressure on contiguous virtual address space.
// All the while making sure to allocate a segment large enough to hold the
// requested size.
- new_size = Max(kSegmentOverhead + size, kMaximumSegmentSize);
+ new_size = Max(min_new_size, static_cast<size_t>(kMaximumSegmentSize));
}
- Segment* segment = NewSegment(new_size);
+ if (new_size > INT_MAX) {
+ V8::FatalProcessOutOfMemory("Zone");
+ return NULL;
+ }
+ Segment* segment = NewSegment(static_cast<int>(new_size));
if (segment == NULL) {
V8::FatalProcessOutOfMemory("Zone");
return NULL;
@@ -213,7 +219,10 @@
Address result = RoundUp(segment->start(), kAlignment);
position_ = result + size;
// Check for address overflow.
- if (position_ < result) {
+ // (Should not happen since the segment is guaranteed to accomodate
+ // size bytes + header and alignment padding)
+ if (reinterpret_cast<uintptr_t>(position_)
+ < reinterpret_cast<uintptr_t>(result)) {
V8::FatalProcessOutOfMemory("Zone");
return NULL;
}
diff --git a/test/mjsunit/json2.js b/test/mjsunit/json2.js
index 0894d77..f048f05 100644
--- a/test/mjsunit/json2.js
+++ b/test/mjsunit/json2.js
@@ -105,6 +105,10 @@
a: 1 };
TestStringify('321', tojson_via_getter);
+assertThrows(function() {
+ JSON.stringify({ get toJSON() { throw "error"; } });
+});
+
// Test toJSON with key.
tojson_obj = { toJSON: function(key) { return key + key; } };
var tojson_with_key_1 = { a: tojson_obj, b: tojson_obj };
diff --git a/test/mjsunit/regress/regress-crbug-346636.js b/test/mjsunit/regress/regress-crbug-346636.js
new file mode 100644
index 0000000..247f8be
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-346636.js
@@ -0,0 +1,31 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function assertSame(expected, found) {
+ if (found === expected) {
+ if (expected !== 0 || (1 / expected) == (1 / found)) return;
+ }
+ return;
+};
+
+function foo(x) {
+ return x.bar;
+}
+
+function getter1() {
+ assertSame(this, this);
+}
+var o1 = Object.defineProperty({}, "bar", { get: getter1 });
+foo(o1);
+foo(o1);
+
+function getter2() {
+ assertSame(this, this);
+}
+var o2 = Object.defineProperty({}, "bar", { get: getter2 });
+foo(o2);
+%OptimizeFunctionOnNextCall(foo);
+foo(o2);
diff --git a/test/mjsunit/regress/regress-crbug-349079.js b/test/mjsunit/regress/regress-crbug-349079.js
new file mode 100644
index 0000000..b1076ea
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-349079.js
@@ -0,0 +1,23 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function assertEquals(expected, found) {
+ return found === expected;
+};
+%NeverOptimizeFunction(assertEquals);
+
+function crash() {
+ var a = 1;
+ var b = -0;
+ var c = 1.5;
+ assertEquals(b, Math.max(b++, c++));
+ assertEquals(c, Math.min(b++, c++));
+ assertEquals(b, Math.max(b++, a++));
+}
+crash();
+crash();
+%OptimizeFunctionOnNextCall(crash);
+crash();
diff --git a/test/mjsunit/regress/regress-crbug-351787.js b/test/mjsunit/regress/regress-crbug-351787.js
new file mode 100644
index 0000000..74cabf2
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-351787.js
@@ -0,0 +1,42 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var ab1 = new ArrayBuffer(8);
+ab1.__defineGetter__("byteLength", function() { return 1000000; });
+var ab2 = ab1.slice(800000, 900000);
+var array = new Uint8Array(ab2);
+for (var i = 0; i < array.length; i++) {
+ assertEquals(0, array[i]);
+}
+assertEquals(0, array.length);
+
+
+var ab3 = new ArrayBuffer(8);
+ab3.__defineGetter__("byteLength", function() { return 0xFFFFFFFC; });
+var aaa = new DataView(ab3);
+
+for (var i = 10; i < aaa.length; i++) {
+ aaa.setInt8(i, 0xcc);
+}
+assertEquals(8, aaa.byteLength);
+
+
+var a = new Int8Array(4);
+a.__defineGetter__("length", function() { return 0xFFFF; });
+var b = new Int8Array(a);
+for (var i = 0; i < b.length; i++) {
+ assertEquals(0, b[i]);
+}
+
+
+var ab4 = new ArrayBuffer(8);
+ab4.__defineGetter__("byteLength", function() { return 0xFFFFFFFC; });
+var aaaa = new Uint32Array(ab4);
+
+for (var i = 10; i < aaaa.length; i++) {
+ aaaa[i] = 0xcccccccc;
+}
+assertEquals(2, aaaa.length);
diff --git a/test/mjsunit/regress/regress-put-prototype-transition.js b/test/mjsunit/regress/regress-put-prototype-transition.js
new file mode 100644
index 0000000..f720bd6
--- /dev/null
+++ b/test/mjsunit/regress/regress-put-prototype-transition.js
@@ -0,0 +1,49 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc --stress-compaction --gc-interval=255
+
+function deepEquals(a, b) { if (a === b) { if (a === 0) return (1 / a) === (1 / b); return true; } if (typeof a != typeof b) return false; if (typeof a == "number") return isNaN(a) && isNaN(b); if (typeof a !== "object" && typeof a !== "function") return false; var objectClass = classOf(a); if (objectClass !== classOf(b)) return false; if (objectClass === "RegExp") { return (a.toString() === b.toString()); } if (objectClass === "Function") return false; if (objectClass === "Array") { var elementCount = 0; if (a.length != b.length) { return false; } for (var i = 0; i < a.length; i++) { if (!deepEquals(a[i], b[i])) return false; } return true; } if (objectClass == "String" || objectClass == "Number" || objectClass == "Boolean" || objectClass == "Date") { if (a.valueOf() !== b.valueOf()) return false; } return deepObjectEquals(a, b); }
+assertSame = function assertSame(expected, found, name_opt) { if (found === expected) { if (expected !== 0 || (1 / expected) == (1 / found)) return; } else if ((expected !== expected) && (found !== found)) { return; } fail(PrettyPrint(expected), found, name_opt); }; assertEquals = function assertEquals(expected, found, name_opt) { if (!deepEquals(found, expected)) { fail(PrettyPrint(expected), found, name_opt); } };
+assertEqualsDelta = function assertEqualsDelta(expected, found, delta, name_opt) { assertTrue(Math.abs(expected - found) <= delta, name_opt); }; assertArrayEquals = function assertArrayEquals(expected, found, name_opt) { var start = ""; if (name_opt) { start = name_opt + " - "; } assertEquals(expected.length, found.length, start + "array length"); if (expected.length == found.length) { for (var i = 0; i < expected.length; ++i) { assertEquals(expected[i], found[i], start + "array element at index " + i); } } };
+assertTrue = function assertTrue(value, name_opt) { assertEquals(true, value, name_opt); };
+assertFalse = function assertFalse(value, name_opt) { assertEquals(false, value, name_opt); };
+// End stripped down and modified version of mjsunit.js.
+
+var __v_0 = {};
+var __v_1 = {};
+function __f_3() { }
+function __f_4(obj) {
+ for (var __v_2 = 0; __v_2 < 26; __v_2++) {
+ obj["__v_5" + __v_2] = 0;
+ }
+}
+function __f_0(__v_1, __v_6) {
+ (new __f_3()).__proto__ = __v_1;
+}
+%DebugPrint(undefined);
+function __f_1(__v_4, add_first, __v_6, same_map_as) {
+ var __v_1 = __v_4 ? new __f_3() : {};
+ assertTrue(%HasFastProperties(__v_1));
+ if (add_first) {
+ __f_4(__v_1);
+ assertFalse(%HasFastProperties(__v_1));
+ __f_0(__v_1, __v_6);
+ assertTrue(%HasFastProperties(__v_1));
+ } else {
+ __f_0(__v_1, __v_6);
+ assertTrue(%HasFastProperties(__v_1));
+ __f_4(__v_1);
+ assertFalse(%HasFastProperties(__v_1));
+ }
+}
+gc();
+for (var __v_2 = 0; __v_2 < 4; __v_2++) {
+ var __v_6 = ((__v_2 & 2) != 7);
+ var __v_4 = ((__v_2 & 2) != 0);
+ __f_1(__v_4, true, __v_6);
+ var __v_0 = __f_1(__v_4, false, __v_6);
+ __f_1(__v_4, false, __v_6, __v_0);
+}
+__v_5 = {a: 1, b: 2, c: 3};
