Merge from Chromium at DEPS revision 33.0.1750.166android-4.4w_r1android-4.4.4_r2.0.1android-4.4.4_r2android-4.4.4_r1.0.1android-4.4.4_r1android-4.4.3_r1.1.0.1android-4.4.3_r1.1android-4.4.3_r1.0.1android-4.4.3_r1kitkat-wearkitkat-mr2.2-releasekitkat-mr2.1-releasekitkat-mr2-releasekitkat-dev

This commit was generated by merge_to_master.py.

Change-Id: I30a88cd49b38f638f536f0f8773d7621ad0931d9

15 files changed, 191 insertions, 24 deletions

diff --git a/src/arraybuffer.js b/src/arraybuffer.js
index 6125f0f61..cfaa8d7ef 100644
--- a/src/arraybuffer.js
+++ b/src/arraybuffer.js
@@ -57,17 +57,18 @@ function ArrayBufferSlice(start, end) {
 
   var relativeStart = TO_INTEGER(start);
   var first;
+  var byte_length = %ArrayBufferGetByteLength(this);
   if (relativeStart < 0) {
-    first = MathMax(this.byteLength + relativeStart, 0);
+    first = MathMax(byte_length + relativeStart, 0);
   } else {
-    first = MathMin(relativeStart, this.byteLength);
+    first = MathMin(relativeStart, byte_length);
   }
-  var relativeEnd = IS_UNDEFINED(end) ? this.byteLength : TO_INTEGER(end);
+  var relativeEnd = IS_UNDEFINED(end) ? byte_length : TO_INTEGER(end);
   var fin;
   if (relativeEnd < 0) {
-    fin = MathMax(this.byteLength + relativeEnd, 0);
+    fin = MathMax(byte_length + relativeEnd, 0);
   } else {
-    fin = MathMin(relativeEnd, this.byteLength);
+    fin = MathMin(relativeEnd, byte_length);
   }
 
   if (fin < first) {
diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h
index 749e3a797..b154dcc6b 100644
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@@ -1548,6 +1548,7 @@ class HCompareMap V8_FINAL : public HUnaryControlInstruction {
       : HUnaryControlInstruction(value, true_target, false_target),
         map_(Unique<Map>(map)) {
     ASSERT(!map.is_null());
+    set_representation(Representation::Tagged());
   }
 
   Unique<Map> map_;
diff --git a/src/json-stringifier.h b/src/json-stringifier.h
index 0d17b356a..4510c4b45 100644
--- a/src/json-stringifier.h
+++ b/src/json-stringifier.h
@@ -360,6 +360,7 @@ Handle<Object> BasicJsonStringifier::ApplyToJsonFunction(
   PropertyAttributes attr;
   Handle<Object> fun =
       Object::GetProperty(object, object, &lookup, tojson_string_, &attr);
+  if (fun.is_null()) return Handle<Object>::null();
   if (!fun->IsJSFunction()) return object;
 
   // Call toJSON function.
diff --git a/src/mark-compact.cc b/src/mark-compact.cc
index 0e6b9804e..07bcb7632 100644
--- a/src/mark-compact.cc
+++ b/src/mark-compact.cc
@@ -2594,6 +2594,7 @@ void MarkCompactCollector::ClearNonLivePrototypeTransitions(Map* map) {
     Object* prototype = prototype_transitions->get(proto_offset + i * step);
     Object* cached_map = prototype_transitions->get(map_offset + i * step);
     if (IsMarked(prototype) && IsMarked(cached_map)) {
+      ASSERT(!prototype->IsUndefined());
       int proto_index = proto_offset + new_number_of_transitions * step;
       int map_index = map_offset + new_number_of_transitions * step;
       if (new_number_of_transitions != i) {
diff --git a/src/objects.cc b/src/objects.cc
index 832ddc152..e9788786c 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -11609,7 +11609,7 @@ Handle<Map> Map::PutPrototypeTransition(Handle<Map> map,
 
   cache->set(entry + kProtoTransitionPrototypeOffset, *prototype);
   cache->set(entry + kProtoTransitionMapOffset, *target_map);
-  map->SetNumberOfProtoTransitions(transitions);
+  map->SetNumberOfProtoTransitions(last + 1);
 
   return map;
 }
diff --git a/src/runtime.cc b/src/runtime.cc
index c909f34db..8333380e8 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -980,6 +980,10 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_TypedArrayInitializeFromArrayLike) {
   Runtime::ArrayIdToTypeAndSize(arrayId, &array_type, &element_size);
 
   Handle<JSArrayBuffer> buffer = isolate->factory()->NewJSArrayBuffer();
+  if (source->IsJSTypedArray() &&
+      JSTypedArray::cast(*source)->type() == array_type) {
+    length_obj = Handle<Object>(JSTypedArray::cast(*source)->length(), isolate);
+  }
   size_t length = NumberToSize(isolate, *length_obj);
 
   if ((length > static_cast<unsigned>(Smi::kMaxValue)) ||
diff --git a/src/typedarray.js b/src/typedarray.js
index 21dd9c82d..0a06ebbdd 100644
--- a/src/typedarray.js
+++ b/src/typedarray.js
@@ -49,7 +49,7 @@ endmacro
 
 macro TYPED_ARRAY_CONSTRUCTOR(ARRAY_ID, NAME, ELEMENT_SIZE)
   function NAMEConstructByArrayBuffer(obj, buffer, byteOffset, length) {
-    var bufferByteLength = buffer.byteLength;
+    var bufferByteLength = %ArrayBufferGetByteLength(buffer);
     var offset;
     if (IS_UNDEFINED(byteOffset)) {
       offset = 0;
@@ -313,7 +313,7 @@ function DataViewConstructor(buffer, byteOffset, byteLength) { // length = 3
     if (!IS_ARRAYBUFFER(buffer)) {
       throw MakeTypeError('data_view_not_array_buffer', []);
     }
-    var bufferByteLength = buffer.byteLength;
+    var bufferByteLength = %ArrayBufferGetByteLength(buffer);
     var offset = IS_UNDEFINED(byteOffset) ?
       0 : ToPositiveInteger(byteOffset, 'invalid_data_view_offset');
     if (offset > bufferByteLength) {
diff --git a/src/version.cc b/src/version.cc
index ab033e092..161f1e05a 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     23
 #define BUILD_NUMBER      17
-#define PATCH_LEVEL       20
+#define PATCH_LEVEL       23
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
diff --git a/src/x64/lithium-x64.cc b/src/x64/lithium-x64.cc
index 0f7ebc44f..473e93dde 100644
--- a/src/x64/lithium-x64.cc
+++ b/src/x64/lithium-x64.cc
@@ -1585,15 +1585,16 @@ LInstruction* LChunkBuilder::DoAdd(HAdd* instr) {
 LInstruction* LChunkBuilder::DoMathMinMax(HMathMinMax* instr) {
   LOperand* left = NULL;
   LOperand* right = NULL;
-  if (instr->representation().IsSmiOrInteger32()) {
-    ASSERT(instr->left()->representation().Equals(instr->representation()));
-    ASSERT(instr->right()->representation().Equals(instr->representation()));
+  ASSERT(instr->left()->representation().Equals(instr->representation()));
+  ASSERT(instr->right()->representation().Equals(instr->representation()));
+  if (instr->representation().IsSmi()) {
+    left = UseRegisterAtStart(instr->BetterLeftOperand());
+    right = UseAtStart(instr->BetterRightOperand());
+  } else if (instr->representation().IsInteger32()) {
     left = UseRegisterAtStart(instr->BetterLeftOperand());
     right = UseOrConstantAtStart(instr->BetterRightOperand());
   } else {
     ASSERT(instr->representation().IsDouble());
-    ASSERT(instr->left()->representation().IsDouble());
-    ASSERT(instr->right()->representation().IsDouble());
     left = UseRegisterAtStart(instr->left());
     right = UseRegisterAtStart(instr->right());
   }
diff --git a/src/zone.cc b/src/zone.cc
index 9ee00edcb..417f895e5 100644
--- a/src/zone.cc
+++ b/src/zone.cc
@@ -185,25 +185,31 @@ Address Zone::NewExpand(int size) {
   // except that we employ a maximum segment size when we delete. This
   // is to avoid excessive malloc() and free() overhead.
   Segment* head = segment_head_;
-  int old_size = (head == NULL) ? 0 : head->size();
-  static const int kSegmentOverhead = sizeof(Segment) + kAlignment;
-  int new_size_no_overhead = size + (old_size << 1);
-  int new_size = kSegmentOverhead + new_size_no_overhead;
+  const size_t old_size = (head == NULL) ? 0 : head->size();
+  static const size_t kSegmentOverhead = sizeof(Segment) + kAlignment;
+  const size_t new_size_no_overhead = size + (old_size << 1);
+  size_t new_size = kSegmentOverhead + new_size_no_overhead;
+  const size_t min_new_size = kSegmentOverhead + static_cast<size_t>(size);
   // Guard against integer overflow.
-  if (new_size_no_overhead < size || new_size < kSegmentOverhead) {
+  if (new_size_no_overhead < static_cast<size_t>(size) ||
+      new_size < static_cast<size_t>(kSegmentOverhead)) {
     V8::FatalProcessOutOfMemory("Zone");
     return NULL;
   }
-  if (new_size < kMinimumSegmentSize) {
+  if (new_size < static_cast<size_t>(kMinimumSegmentSize)) {
     new_size = kMinimumSegmentSize;
-  } else if (new_size > kMaximumSegmentSize) {
+  } else if (new_size > static_cast<size_t>(kMaximumSegmentSize)) {
     // Limit the size of new segments to avoid growing the segment size
     // exponentially, thus putting pressure on contiguous virtual address space.
     // All the while making sure to allocate a segment large enough to hold the
     // requested size.
-    new_size = Max(kSegmentOverhead + size, kMaximumSegmentSize);
+    new_size = Max(min_new_size, static_cast<size_t>(kMaximumSegmentSize));
   }
-  Segment* segment = NewSegment(new_size);
+  if (new_size > INT_MAX) {
+    V8::FatalProcessOutOfMemory("Zone");
+    return NULL;
+  }
+  Segment* segment = NewSegment(static_cast<int>(new_size));
   if (segment == NULL) {
     V8::FatalProcessOutOfMemory("Zone");
     return NULL;
@@ -213,7 +219,10 @@ Address Zone::NewExpand(int size) {
   Address result = RoundUp(segment->start(), kAlignment);
   position_ = result + size;
   // Check for address overflow.
-  if (position_ < result) {
+  // (Should not happen since the segment is guaranteed to accomodate
+  // size bytes + header and alignment padding)
+  if (reinterpret_cast<uintptr_t>(position_)
+      < reinterpret_cast<uintptr_t>(result)) {
     V8::FatalProcessOutOfMemory("Zone");
     return NULL;
   }
diff --git a/test/mjsunit/json2.js b/test/mjsunit/json2.js
index 0894d779a..f048f0529 100644
--- a/test/mjsunit/json2.js
+++ b/test/mjsunit/json2.js
@@ -105,6 +105,10 @@ var tojson_via_getter = { get toJSON() {
                           a: 1 };
 TestStringify('321', tojson_via_getter);
 
+assertThrows(function() {
+  JSON.stringify({ get toJSON() { throw "error"; } });
+});
+
 // Test toJSON with key.
 tojson_obj = { toJSON: function(key) { return key + key; } };
 var tojson_with_key_1 = { a: tojson_obj, b: tojson_obj };
diff --git a/test/mjsunit/regress/regress-crbug-346636.js b/test/mjsunit/regress/regress-crbug-346636.js
new file mode 100644
index 000000000..247f8be48
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-346636.js
@@ -0,0 +1,31 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function assertSame(expected, found) {
+  if (found === expected) {
+    if (expected !== 0 || (1 / expected) == (1 / found)) return;
+  }
+  return;
+};
+
+function foo(x) {
+  return x.bar;
+}
+
+function getter1() {
+  assertSame(this, this);
+}
+var o1 = Object.defineProperty({}, "bar", { get: getter1 });
+foo(o1);
+foo(o1);
+
+function getter2() {
+  assertSame(this, this);
+}
+var o2 = Object.defineProperty({}, "bar", { get: getter2 });
+foo(o2);
+%OptimizeFunctionOnNextCall(foo);
+foo(o2);
diff --git a/test/mjsunit/regress/regress-crbug-349079.js b/test/mjsunit/regress/regress-crbug-349079.js
new file mode 100644
index 000000000..b1076ea43
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-349079.js
@@ -0,0 +1,23 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function assertEquals(expected, found) {
+  return found === expected;
+};
+%NeverOptimizeFunction(assertEquals);
+
+function crash() {
+  var a = 1;
+  var b = -0;
+  var c = 1.5;
+  assertEquals(b, Math.max(b++, c++));
+  assertEquals(c, Math.min(b++, c++));
+  assertEquals(b, Math.max(b++, a++));
+}
+crash();
+crash();
+%OptimizeFunctionOnNextCall(crash);
+crash();
diff --git a/test/mjsunit/regress/regress-crbug-351787.js b/test/mjsunit/regress/regress-crbug-351787.js
new file mode 100644
index 000000000..74cabf2b9
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-351787.js
@@ -0,0 +1,42 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var ab1 = new ArrayBuffer(8);
+ab1.__defineGetter__("byteLength", function() { return 1000000; });
+var ab2 = ab1.slice(800000, 900000);
+var array = new Uint8Array(ab2);
+for (var i = 0; i < array.length; i++) {
+  assertEquals(0, array[i]);
+}
+assertEquals(0, array.length);
+
+
+var ab3 = new ArrayBuffer(8);
+ab3.__defineGetter__("byteLength", function() { return 0xFFFFFFFC; });
+var aaa = new DataView(ab3);
+
+for (var i = 10; i < aaa.length; i++) {
+  aaa.setInt8(i, 0xcc);
+}
+assertEquals(8, aaa.byteLength);
+
+
+var a = new Int8Array(4);
+a.__defineGetter__("length", function() { return 0xFFFF; });
+var b = new Int8Array(a);
+for (var i = 0; i < b.length; i++) {
+  assertEquals(0, b[i]);
+}
+
+
+var ab4 = new ArrayBuffer(8);
+ab4.__defineGetter__("byteLength", function() { return 0xFFFFFFFC; });
+var aaaa = new Uint32Array(ab4);
+
+for (var i = 10; i < aaaa.length; i++) {
+  aaaa[i] = 0xcccccccc;
+}
+assertEquals(2, aaaa.length);
diff --git a/test/mjsunit/regress/regress-put-prototype-transition.js b/test/mjsunit/regress/regress-put-prototype-transition.js
new file mode 100644
index 000000000..f720bd621
--- /dev/null
+++ b/test/mjsunit/regress/regress-put-prototype-transition.js
@@ -0,0 +1,49 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc --stress-compaction --gc-interval=255
+
+function deepEquals(a, b) { if (a === b) { if (a === 0) return (1 / a) === (1 / b); return true; } if (typeof a != typeof b) return false; if (typeof a == "number") return isNaN(a) && isNaN(b); if (typeof a !== "object" && typeof a !== "function") return false; var objectClass = classOf(a); if (objectClass !== classOf(b)) return false; if (objectClass === "RegExp") { return (a.toString() === b.toString()); } if (objectClass === "Function") return false; if (objectClass === "Array") { var elementCount = 0; if (a.length != b.length) { return false; } for (var i = 0; i < a.length; i++) { if (!deepEquals(a[i], b[i])) return false; } return true; } if (objectClass == "String" || objectClass == "Number" || objectClass == "Boolean" || objectClass == "Date") { if (a.valueOf() !== b.valueOf()) return false; } return deepObjectEquals(a, b); }
+assertSame = function assertSame(expected, found, name_opt) { if (found === expected) { if (expected !== 0 || (1 / expected) == (1 / found)) return; } else if ((expected !== expected) && (found !== found)) { return; } fail(PrettyPrint(expected), found, name_opt); }; assertEquals = function assertEquals(expected, found, name_opt) { if (!deepEquals(found, expected)) { fail(PrettyPrint(expected), found, name_opt); } };
+assertEqualsDelta = function assertEqualsDelta(expected, found, delta, name_opt) { assertTrue(Math.abs(expected - found) <= delta, name_opt); }; assertArrayEquals = function assertArrayEquals(expected, found, name_opt) { var start = ""; if (name_opt) { start = name_opt + " - "; } assertEquals(expected.length, found.length, start + "array length"); if (expected.length == found.length) { for (var i = 0; i < expected.length; ++i) { assertEquals(expected[i], found[i], start + "array element at index " + i); } } };
+assertTrue = function assertTrue(value, name_opt) { assertEquals(true, value, name_opt); };
+assertFalse = function assertFalse(value, name_opt) { assertEquals(false, value, name_opt); };
+// End stripped down and modified version of mjsunit.js.
+
+var __v_0 = {};
+var __v_1 = {};
+function __f_3() { }
+function __f_4(obj) {
+  for (var __v_2 = 0; __v_2 < 26; __v_2++) {
+    obj["__v_5" + __v_2] = 0;
+  }
+}
+function __f_0(__v_1, __v_6) {
+    (new __f_3()).__proto__ = __v_1;
+}
+%DebugPrint(undefined);
+function __f_1(__v_4, add_first, __v_6, same_map_as) {
+  var __v_1 = __v_4 ? new __f_3() : {};
+  assertTrue(%HasFastProperties(__v_1));
+  if (add_first) {
+    __f_4(__v_1);
+    assertFalse(%HasFastProperties(__v_1));
+    __f_0(__v_1, __v_6);
+    assertTrue(%HasFastProperties(__v_1));
+  } else {
+    __f_0(__v_1, __v_6);
+    assertTrue(%HasFastProperties(__v_1));
+    __f_4(__v_1);
+    assertFalse(%HasFastProperties(__v_1));
+  }
+}
+gc();
+for (var __v_2 = 0; __v_2 < 4; __v_2++) {
+  var __v_6 = ((__v_2 & 2) != 7);
+  var __v_4 = ((__v_2 & 2) != 0);
+  __f_1(__v_4, true, __v_6);
+  var __v_0 = __f_1(__v_4, false, __v_6);
+  __f_1(__v_4, false, __v_6, __v_0);
+}
+__v_5 = {a: 1, b: 2, c: 3};