From 0f6988d47d141c343251b24b126d34b4c17faea1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lal?= Date: Wed, 25 May 2011 23:37:20 +0200 Subject: [PATCH] Imported Upstream version 3.1.8.22 --- src/arm/codegen-arm.cc | 3 ++ src/builtins.cc | 3 +- src/hydrogen-instructions.h | 2 +- src/version.cc | 2 +- src/x64/full-codegen-x64.cc | 12 +++++--- test/mjsunit/regress/regress-1401.js | 45 ++++++++++++++++++++++++++++ test/mjsunit/regress/regress-1403.js | 36 ++++++++++++++++++++++ 7 files changed, 95 insertions(+), 8 deletions(-) create mode 100644 test/mjsunit/regress/regress-1401.js create mode 100644 test/mjsunit/regress/regress-1403.js diff --git a/src/arm/codegen-arm.cc b/src/arm/codegen-arm.cc index 0fcaa0b..1cd86d1 100644 --- a/src/arm/codegen-arm.cc +++ b/src/arm/codegen-arm.cc @@ -7233,6 +7233,9 @@ void CodeGenerator::EmitKeyedStore(StaticType* key_type, ASSERT(we_remembered_the_write_barrier); + // Make sure that r0 holds the value which is the result of the expression. + __ Move(r0, value); + deferred->BindExit(); } else { frame()->CallKeyedStoreIC(strict_mode_flag()); diff --git a/src/builtins.cc b/src/builtins.cc index ff07388..0f9d152 100644 --- a/src/builtins.cc +++ b/src/builtins.cc @@ -373,8 +373,7 @@ static bool ArrayPrototypeHasNoElements(Context* global_context, array_proto = JSObject::cast(proto); if (array_proto != global_context->initial_object_prototype()) return false; if (array_proto->elements() != Heap::empty_fixed_array()) return false; - ASSERT(array_proto->GetPrototype()->IsNull()); - return true; + return array_proto->GetPrototype()->IsNull(); } diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h index 4f27371..1bce34b 100644 --- a/src/hydrogen-instructions.h +++ b/src/hydrogen-instructions.h 
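Review bot: In src/arm/codegen-arm.cc (EmitKeyedStore), the new comment above `__ Move(r0, value);` says what the move does but not why it has to come before `deferred->BindExit();`. Presumably the deferred slow path already leaves the stored value in r0 and joins at the exit label, so the inline path must match it. I would state that explicitly, e.g. `// The deferred path exits with the result in r0; the inline path must match before the shared exit.` The function starts and ends outside the hunk, so whether every inline path reaches this move cannot be confirmed from here.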
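Review bot: In src/builtins.cc (ArrayPrototypeHasNoElements), the new `return array_proto->GetPrototype()->IsNull();` has no comment explaining why this is a runtime check rather than an assertion. regress-1403.js in this patch shows script re-parenting `Object.prototype` through `__proto__`, so the condition is script-controlled, and a debug-only ASSERT would leave release builds returning true regardless. I would add `// Script can re-parent Object.prototype via __proto__, so check this at runtime; do not assert it.` above the return so the check is not turned back into an assertion later. The function begins outside the hunk.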
@@ -791,7 +791,7 @@ class HBlockEntry: public HTemplateInstruction<0> { class HDeoptimize: public HControlInstruction { public: - HDeoptimize(int environment_length) + explicit HDeoptimize(int environment_length) : HControlInstruction(NULL, NULL), values_(environment_length) { } diff --git a/src/version.cc b/src/version.cc index fc6d213..a899aac 100644 --- a/src/version.cc +++ b/src/version.cc @@ -35,7 +35,7 @@ #define MAJOR_VERSION 3 #define MINOR_VERSION 1 #define BUILD_NUMBER 8 -#define PATCH_LEVEL 18 +#define PATCH_LEVEL 22 #define CANDIDATE_VERSION false // Define SONAME to have the SCons build the put a specific SONAME into the diff --git a/src/x64/full-codegen-x64.cc b/src/x64/full-codegen-x64.cc index 0ad6ec2..60b77b5 100644 --- a/src/x64/full-codegen-x64.cc +++ b/src/x64/full-codegen-x64.cc @@ -1383,13 +1383,17 @@ void FullCodeGenerator::VisitObjectLiteral(ObjectLiteral* expr) { // Fall through. case ObjectLiteral::Property::COMPUTED: if (key->handle()->IsSymbol()) { - VisitForAccumulatorValue(value); - __ Move(rcx, key->handle()); - __ movq(rdx, Operand(rsp, 0)); if (property->emit_store()) { - Handle ic(Builtins::builtin(Builtins::StoreIC_Initialize)); + VisitForAccumulatorValue(value); + __ Move(rcx, key->handle()); + __ movq(rdx, Operand(rsp, 0)); + Handle ic(Builtins::builtin( + is_strict() ? Builtins::StoreIC_Initialize_Strict + : Builtins::StoreIC_Initialize)); EmitCallIC(ic, RelocInfo::CODE_TARGET); PrepareForBailoutForId(key->id(), NO_REGISTERS); + } else { + VisitForEffect(value); } break; } diff --git a/test/mjsunit/regress/regress-1401.js b/test/mjsunit/regress/regress-1401.js new file mode 100644 index 0000000..33eb067 --- /dev/null +++ b/test/mjsunit/regress/regress-1401.js 
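Review bot: In src/x64/full-codegen-x64.cc (VisitObjectLiteral, COMPUTED case), the new `else { VisitForEffect(value); }` branch has no comment, and nothing in this patch tests it or the strict-mode IC selection; the two added regression tests reference issues 1401 and 1403 only. Presumably `emit_store()` is false for a property that a later duplicate key overrides, and the value must still be evaluated; a line such as `// No store is emitted for this property; still evaluate the value for its side effects.` would make that explicit. A test with a strict-mode function containing an object literal with a named key would pin the `StoreIC_Initialize_Strict` choice. The switch continues outside the hunk.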
@@ -0,0 +1,45 @@
+// Copyright 2011 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// See: http://code.google.com/p/v8/issues/detail?id=1401
+
+var bottom = 0;
+var sizes = new Array();
+
+for (i = 0; i < 10; i++) {
+ sizes[i] = 0;
+}
+
+function foo() {
+ var size = bottom + 1 + 10;
+ var t = (sizes[++bottom] = size);
+ return t;
+}
+
+for (i = 0; i < 5; i++) {
+ assertEquals(i + 11, foo());
+}
diff --git a/test/mjsunit/regress/regress-1403.js b/test/mjsunit/regress/regress-1403.js
new file mode 100644
index 0000000..f2520cc
--- /dev/null
+++ b/test/mjsunit/regress/regress-1403.js
@@ -0,0 +1,36 @@
+// Copyright 2011 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// See: http://code.google.com/p/v8/issues/detail?id=1403
+
+a = [];
+Object.prototype.__proto__ = { __proto__: null };
+a.shift();
+
+a = [];
+Array.prototype.__proto__ = { __proto__: null };
+a.shift();
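Review bot: Both `a.shift();` calls in regress-1403.js are unchecked, so the test only shows that the call does not crash and would still pass if the builtin returned a wrong value. I would assert the result, `assertEquals(undefined, a.shift());`, in both cases. The second case also runs with `Object.prototype.__proto__` still replaced by the first, so the two cases are not independent. Neither case puts an indexed property on the substituted prototype, which appears to be the situation the runtime check in ArrayPrototypeHasNoElements guards against; a third case that does so and asserts what `shift()` returns would pin the semantics and not only the absence of a crash.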