[v8-dev] Fix flaw in VirtualFrame::SetElementAt handling multiple copies of elements.

Mon, 23 Mar 2009 06:57:19 -0700 

Reviewers: Kevin Millikin,

Description:
Fix flaw in VirtualFrame::SetElementAt handling multiple copies of
elements.

Please review this at http://codereview.chromium.org/47006

SVN Base: http://v8.googlecode.com/svn/branches/bleeding_edge/

Affected files:
   M     src/virtual-frame.cc


Index: src/virtual-frame.cc
===================================================================
--- src/virtual-frame.cc        (revision 1576)
+++ src/virtual-frame.cc        (working copy)
@@ -387,23 +387,27 @@
            FrameElement::RegisterElement(value->reg(),
                                          FrameElement::NOT_SYNCED);
      } else {
-      for (int i = 0; i < elements_.length(); i++) {
-        FrameElement element = elements_[i];
-        if (element.is_register() && element.reg().is(value->reg())) {
-          if (i < frame_index) {
-            // The register backing store is lower in the frame than its
-            // copy.
-            elements_[frame_index] = CopyElementAt(i);
-          } else {
-            // There was an early bailout for the case of setting a
-            // register element to itself.
-            ASSERT(i != frame_index);
-            element.clear_sync();
-            elements_[frame_index] = element;
-            elements_[i] = CopyElementAt(frame_index);
+      int i = 0;
+      for (; i < elements_.length(); i++) {
+        if (elements_[i].is_register() &&  
elements_[i].reg().is(value->reg()))
+          break;
+      }
+      ASSERT(i < elements_.length());
+
+      if (i < frame_index) {
+        // The register backing store is lower in the frame than its copy.
+        elements_[frame_index] = CopyElementAt(i);
+      } else {
+        // There was an early bailout for the case of setting a
+        // register element to itself.
+        ASSERT(i != frame_index);
+        elements_[frame_index] = elements_[i];
+        elements_[frame_index].clear_sync();
+        elements_[i] = CopyElementAt(frame_index);
+        for (int j = i+1; j < elements_.length(); j++) {
+          if (elements_[j].is_copy() && elements_[j].index() == i) {
+            elements_[j].set_index(frame_index);
            }
-          // Exit the loop once the appropriate copy is inserted.
-          break;
          }
        }
      }



--~--~---------~--~----~------------~-------~--~----~
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
-~----------~----~----~----~------~----~------~--~---

Reply via email to