Version 3.24.8
ARM: fix loading of global object in LWrapReceiver (Chromium issue 318420).
Fix a race between concurrent recompilation and OSR (Chromium issue 330046).
Turn off concurrent sweeping (issue 3071).
Performance and stability improvements on all platforms.
git-svn-id: http://v8.googlecode.com/svn/trunk@18423 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
diff --git a/ChangeLog b/ChangeLog
index e8567c7..327aebb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+2013-12-30: Version 3.24.8
+
+ ARM: fix loading of global object in LWrapReceiver (Chromium issue
+ 318420).
+
+ Fix a race between concurrent recompilation and OSR (Chromium issue
+ 330046).
+
+ Turn off concurrent sweeping (issue 3071).
+
+ Performance and stability improvements on all platforms.
+
+
2013-12-23: Version 3.24.7
Fix small spec violation in String.prototype.split (issue 3026).
diff --git a/DEPS b/DEPS
index 463b0c8..b1d3c3d 100644
--- a/DEPS
+++ b/DEPS
@@ -14,7 +14,7 @@
deps_os = {
"win": {
"v8/third_party/cygwin":
- "http://src.chromium.org/svn/trunk/deps/third_party/cygwin@231940",
+ "http://src.chromium.org/svn/trunk/deps/third_party/cygwin@66844",
"v8/third_party/python_26":
"http://src.chromium.org/svn/trunk/tools/third_party/python_26@89111",
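Review bot: The cygwin pin moves from `@231940` back to the much older `@66844`, and neither the commit description nor the ChangeLog mentions it. If the rollback is intentional, a comment beside the entry such as `# pinned to r66844: <reason>` would stop it from being silently bumped again; if it is a merge artifact, it should be dropped from this change. The entry is also fetched over plain `http://`, so the revision number is the only thing identifying what lands in the build tree; it is worth confirming that the checkout is integrity-protected some other way. The `deps_os` dictionary continues outside the hunk.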
diff --git a/src/arm/lithium-codegen-arm.cc b/src/arm/lithium-codegen-arm.cc
index ade6928..2919eb0 100644
--- a/src/arm/lithium-codegen-arm.cc
+++ b/src/arm/lithium-codegen-arm.cc
@@ -3494,7 +3494,9 @@
__ b(&result_in_receiver);
__ bind(&global_object);
- __ ldr(result, GlobalObjectOperand());
+
+ __ ldr(result, MemOperand(fp, StandardFrameConstants::kContextOffset));
+ __ ldr(result, ContextOperand(result, Context::GLOBAL_OBJECT_INDEX));
__ ldr(result,
FieldMemOperand(result, JSGlobalObject::kGlobalReceiverOffset));
if (result.is(receiver)) {
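Review bot: The two added loads have no comment explaining why the global object is now read through the frame's context slot instead of `GlobalObjectOperand()`. It looks as if the context register cannot be relied on to hold this function's context at this point, but that is an inference from the hunk. Once confirmed, a line such as `// Load the context from the frame; cp is not guaranteed to hold it here.` above the first `ldr` would record the reason. The empty line added after `__ bind(&global_object);` can go. The enclosing function starts and ends outside the hunk, and the other architecture ports are not part of this diff, so it is worth checking whether they still load the global object the way the removed line did.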
diff --git a/src/debug.cc b/src/debug.cc
index 4a7fa6b..5c04efa 100644
--- a/src/debug.cc
+++ b/src/debug.cc
@@ -2125,7 +2125,8 @@
bool prev_force_debugger_active =
isolate_->debugger()->force_debugger_active();
isolate_->debugger()->set_force_debugger_active(true);
- function->ReplaceCode(*Compiler::GetCodeForDebugging(function));
+ Handle<Code> code = Compiler::GetCodeForDebugging(function);
+ function->ReplaceCode(*code);
isolate_->debugger()->set_force_debugger_active(
prev_force_debugger_active);
}
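Review bot: The new temporary `code` appears to exist only to force evaluation order, and nothing says so, so a later cleanup could fold it back into `function->ReplaceCode(*Compiler::GetCodeForDebugging(function))`. In the one-line form the compiler may dereference the `function` handle before the compile call runs. If that call can allocate and trigger a moving GC (likely, but not visible here), `ReplaceCode` would then run on a stale raw pointer. A comment above the `Handle<Code>` line would make the ordering requirement explicit, for example `// Compile before dereferencing |function|: compilation may allocate and move the object.` The enclosing block starts outside the hunk.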
diff --git a/src/flag-definitions.h b/src/flag-definitions.h
index 7489df7..1230801 100644
--- a/src/flag-definitions.h
+++ b/src/flag-definitions.h
@@ -534,8 +534,8 @@
"trace progress of the incremental marking")
DEFINE_bool(track_gc_object_stats, false,
"track object counts and memory usage")
-DEFINE_bool(parallel_sweeping, false, "enable parallel sweeping")
-DEFINE_bool(concurrent_sweeping, true, "enable concurrent sweeping")
+DEFINE_bool(parallel_sweeping, true, "enable parallel sweeping")
+DEFINE_bool(concurrent_sweeping, false, "enable concurrent sweeping")
DEFINE_int(sweeper_threads, 0,
"number of parallel and concurrent sweeping threads")
#ifdef VERIFY_HEAP
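Review bot: `parallel_sweeping` flips to `true` in the same edit that turns `concurrent_sweeping` off, but the commit description and ChangeLog mention only the latter. Enabling a different sweeping mode by default is a behaviour change in its own right and should be called out, or split into a separate change if it is not part of the fix for issue 3071. `sweeper_threads` still defaults to 0, so what parallel sweeping does under the defaults is decided elsewhere and cannot be judged from this hunk. A comment above the two definitions, such as `// Concurrent sweeping is off by default pending issue 3071.`, would tell the next reader not to re-enable it casually.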
diff --git a/src/objects-inl.h b/src/objects-inl.h
index 5ad0453..83d4f3d 100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -5114,6 +5114,11 @@
bool was_optimized = IsOptimized();
bool is_optimized = code->kind() == Code::OPTIMIZED_FUNCTION;
+ if (was_optimized && is_optimized) {
+ shared()->EvictFromOptimizedCodeMap(
+ this->code(), "Replacing with another optimized code");
+ }
+
set_code(code);
// Add/remove the function from the list of optimized functions for this
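Review bot: The added eviction fires whenever both the old and the new code are optimized, without checking that they are different objects. If a caller can pass the code that is already installed (not determinable from this hunk), the entry for the code about to be kept would be evicted from the optimized code map. `if (was_optimized && is_optimized && this->code() != code) {` would rule that out, assuming `code` is a raw `Code*` as `code->kind()` suggests. A short comment saying that the old optimized code must leave the cache so it cannot be reinstalled later would also help, since the reason currently lives only in the regression test. The function's signature and the rest of its body are outside the hunk.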
diff --git a/src/version.cc b/src/version.cc
index b694488..6e66d24 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -34,7 +34,7 @@
// system so their names cannot be changed without changing the scripts.
#define MAJOR_VERSION 3
#define MINOR_VERSION 24
-#define BUILD_NUMBER 7
+#define BUILD_NUMBER 8
#define PATCH_LEVEL 0
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
diff --git a/test/mjsunit/regress-330046.js b/test/mjsunit/regress-330046.js
new file mode 100644
index 0000000..d94b804
--- /dev/null
+++ b/test/mjsunit/regress-330046.js
@@ -0,0 +1,61 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --use-osr --allow-natives-syntax --crankshaft
+
+var o1 = {a : 10};
+var o2 = { };
+o2.__proto__ = o1;
+var o3 = { };
+o3.__proto__ = o2;
+
+function f(n, x, b) {
+ var sum = x.a;
+ for (var i = 0; i < n; i++) {
+ sum = 1.0 / i;
+ }
+ return sum;
+}
+
+f(10, o3);
+f(20, o3);
+f(30, o3);
+%OptimizeFunctionOnNextCall(f, "concurrent");
+f(100000, o3);
+// At this point OSR replaces already optimized code.
+// Check that it evicts old code from cache.
+
+// This causes all code for f to be lazily deopted.
+o2.a = 5;
+
+// If OSR did not evict the old code, it will be installed in f here.
+%OptimizeFunctionOnNextCall(f);
+f(10, o3);
+
+// The old code is already deoptimized, but f still points to it.
+// Disassembling it will crash.
+%DebugDisassembleFunction(f);
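Review bot: The test requests `%OptimizeFunctionOnNextCall(f, "concurrent")`, but the `// Flags:` line does not enable concurrent recompilation, so the scenario depends on that flag's default in the build under test. If the default is ever off, the test would presumably still pass without exercising the OSR-replaces-optimized-code path. Adding `--concurrent-recompilation` to the flags line would pin it. The file also lands in `test/mjsunit/` while the other regression test in this commit goes to `test/mjsunit/regress/`; keeping both in the same directory would be more consistent. The parameter `b` of `f` is unused.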
diff --git a/test/mjsunit/regress/regress-318420.js b/test/mjsunit/regress/regress-318420.js
new file mode 100644
index 0000000..77bef10
--- /dev/null
+++ b/test/mjsunit/regress/regress-318420.js
@@ -0,0 +1,46 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+function bar(a, b) { with(a) {return a + b;} }
+
+var obj = {
+ functions: [bar, bar, bar, bar],
+ receivers: [bar, bar, undefined, null],
+ foo: function () {
+ for (var a = this.functions, e = this.receivers, c = a.length,
+ d = 0; d < c ; d++) {
+ a[d].apply(e[d], arguments)
+ }
+ }
+}
+
+obj.foo(1, 2, 3, 4);
+obj.foo(1, 2, 3, 4);
+%OptimizeFunctionOnNextCall(obj.foo);
+obj.foo(1, 2, 3, 4);
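Review bot: This test can only fail by crashing, because the result of `a[d].apply(e[d], arguments)` is discarded and nothing is asserted. If the optimized code ever loads a wrong but valid object as the receiver for the `undefined` and `null` entries, the test would still pass. Provided it does not disturb the reproduction, asserting on the call result inside the loop, for example `assertEquals(3, a[d].apply(e[d], arguments));`, would check the value as well. A one-line comment stating what the `undefined`/`null` receivers are meant to exercise would make the intent clear without opening the Chromium issue.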