Version 3.17.16
Stack trace API: poison stack frames below the first strict mode frame. (issue 2564)
Made Isolate::GetHeapStatistics robust against half-initialized isolates (Chromium issue 2591).
Finished implementation of ES6 symbols aka. private names (issue 2158).
Performance and stability improvements on all platforms.
git-svn-id: http://v8.googlecode.com/svn/trunk@14137 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
diff --git a/src/mips/stub-cache-mips.cc b/src/mips/stub-cache-mips.cc
index d5cf6de..da6770a 100644
--- a/src/mips/stub-cache-mips.cc
+++ b/src/mips/stub-cache-mips.cc
@@ -415,7 +415,7 @@
// may be clobbered.
void StubCompiler::GenerateStoreField(MacroAssembler* masm,
Handle<JSObject> object,
- int index,
+ LookupResult* lookup,
Handle<Map> transition,
Handle<Name> name,
Register receiver_reg,
@@ -428,16 +428,6 @@
// a0 : value.
Label exit;
- LookupResult lookup(masm->isolate());
- object->Lookup(*name, &lookup);
- if (lookup.IsFound() && (lookup.IsReadOnly() || !lookup.IsCacheable())) {
- // In sloppy mode, we could just return the value and be done. However, we
- // might be in strict mode, where we have to throw. Since we cannot tell,
- // go into slow case unconditionally.
- __ jmp(miss_label);
- return;
- }
-
// Check that the map of the object hasn't changed.
CompareMapMode mode = transition.is_null() ? ALLOW_ELEMENT_TRANSITION_MAPS
: REQUIRE_EXACT_MAP;
@@ -452,8 +442,9 @@
// Check that we are allowed to write this.
if (!transition.is_null() && object->GetPrototype()->IsJSObject()) {
JSObject* holder;
- if (lookup.IsFound()) {
- holder = lookup.holder();
+ // holder == object indicates that no property was found.
+ if (lookup->holder() != *object) {
+ holder = lookup->holder();
} else {
// Find the top object.
holder = *object;
@@ -461,8 +452,19 @@
holder = JSObject::cast(holder->GetPrototype());
} while (holder->GetPrototype()->IsJSObject());
}
- CheckPrototypes(object, receiver_reg, Handle<JSObject>(holder), name_reg,
- scratch1, scratch2, name, miss_restore_name);
+ Register holder_reg = CheckPrototypes(
+ object, receiver_reg, Handle<JSObject>(holder), name_reg,
+ scratch1, scratch2, name, miss_restore_name);
+ // If no property was found, and the holder (the last object in the
+ // prototype chain) is in slow mode, we need to do a negative lookup on the
+ // holder.
+ if (lookup->holder() == *object &&
+ !holder->HasFastProperties() &&
+ !holder->IsJSGlobalProxy() &&
+ !holder->IsJSGlobalObject()) {
+ GenerateDictionaryNegativeLookup(
+ masm, miss_restore_name, holder_reg, name, scratch1, scratch2);
+ }
}
// Stub never generated for non-global objects that require access
@@ -483,6 +485,7 @@
return;
}
+ int index;
if (!transition.is_null()) {
// Update the map of the object.
__ li(scratch1, Operand(transition));
@@ -498,6 +501,10 @@
kDontSaveFPRegs,
OMIT_REMEMBERED_SET,
OMIT_SMI_CHECK);
+ index = transition->instance_descriptors()->GetFieldIndex(
+ transition->LastAdded());
+ } else {
+ index = lookup->GetFieldIndex().field_index();
}
// Adjust for the number of properties stored in the object. Even in the
@@ -2424,6 +2431,12 @@
// Check that the object is a symbol.
__ GetObjectType(a1, a1, a3);
__ Branch(&miss, ne, a3, Operand(SYMBOL_TYPE));
+ // Check that the maps starting from the prototype haven't changed.
+ GenerateDirectLoadGlobalFunctionPrototype(
+ masm(), Context::SYMBOL_FUNCTION_INDEX, a0, &miss);
+ CheckPrototypes(
+ Handle<JSObject>(JSObject::cast(object->GetPrototype(isolate()))),
+ a0, holder, a3, a1, t0, name, &miss);
break;
case NUMBER_CHECK: {
@@ -3010,7 +3023,7 @@
__ Check(eq, "Instance size of initial map changed.",
a3, Operand(instance_size >> kPointerSizeLog2));
#endif
- __ AllocateInNewSpace(a3, t4, t5, t6, &generic_stub_call, SIZE_IN_WORDS);
+ __ Allocate(a3, t4, t5, t6, &generic_stub_call, SIZE_IN_WORDS);
// Allocated the JSObject, now initialize the fields. Map is set to initial
// map and properties and elements are set to empty fixed array.