Reviewers: Toon Verwaest,
Message:
Hi Toon,
Here is the fix for the chrome bug we discussed.
Description:
CallIC customization stubs must accept that a vector slot is cleared.
The CallIC Array custom IC stub read from the type vector, expecting to get an
AllocationSite. But there are paths in the system where a type vector can be
re-created with default values, even though we currently grant an exception to
clearing of vector slots with AllocationSites in them at GC time.
BUG=392114
Please review this at https://codereview.chromium.org/418023002/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+29, -12 lines):
M src/arm/code-stubs-arm.cc
M src/arm64/code-stubs-arm64.cc
M src/ia32/code-stubs-ia32.cc
M src/x64/code-stubs-x64.cc
Index: src/arm/code-stubs-arm.cc
diff --git a/src/arm/code-stubs-arm.cc b/src/arm/code-stubs-arm.cc
index
de285bb2f1a0d575ee30b37404af0e6b8e9a1616..28f5843872355347bda357829200760b5b377387
100644
--- a/src/arm/code-stubs-arm.cc
+++ b/src/arm/code-stubs-arm.cc
@@ -2966,9 +2966,14 @@ void CallIC_ArrayStub::Generate(MacroAssembler*
masm) {
__ mov(r0, Operand(arg_count()));
__ add(r4, r2, Operand::PointerOffsetFromSmiKey(r3));
- __ ldr(r2, FieldMemOperand(r4, FixedArray::kHeaderSize));
- // Verify that r2 contains an AllocationSite
- __ AssertUndefinedOrAllocationSite(r2, r4);
+ __ ldr(r4, FieldMemOperand(r4, FixedArray::kHeaderSize));
+
+ // Verify that r4 contains an AllocationSite
+ __ ldr(r5, FieldMemOperand(r4, AllocationSite::kMapOffset));
+ __ CompareRoot(r5, Heap::kAllocationSiteMapRootIndex);
+ __ b(ne, &miss);
+
+ __ mov(r2, r4);
ArrayConstructorStub stub(masm->isolate(), arg_count());
__ TailCallStub(&stub);
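Review bot: The new map load at `__ ldr(r5, FieldMemOperand(r4, AllocationSite::kMapOffset));` dereferences whatever the feedback slot holds before anything has established that it is a heap object; the AssertUndefinedOrAllocationSite it replaces was debug-only, so this compare is the first check that runs in release builds, and it only covers the heap-object case. If a Smi can ever land in this slot (the description says the vector can be re-created with default values, and the hunk does not show what those are), the load would fault on a tagged integer, so a `__ JumpIfSmi(r4, &miss);` immediately before the ldr is cheap insurance and keeps the stub's contract explicit; the same applies to the arm64, ia32 and x64 ports. CallIC_ArrayStub::Generate continues past the end of the hunk, so the miss handling that these branches target is not visible here.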
Index: src/arm64/code-stubs-arm64.cc
diff --git a/src/arm64/code-stubs-arm64.cc b/src/arm64/code-stubs-arm64.cc
index
6a98589b022eee28a5510e4a2675559297f171d7..21a7e7dccef0367ebcbe31714c4f57f6bcafc081
100644
--- a/src/arm64/code-stubs-arm64.cc
+++ b/src/arm64/code-stubs-arm64.cc
@@ -3230,15 +3230,19 @@ void CallIC_ArrayStub::Generate(MacroAssembler*
masm) {
__ Cmp(function, scratch);
__ B(ne, &miss);
- Register allocation_site = feedback_vector;
__ Mov(x0, Operand(arg_count()));
__ Add(scratch, feedback_vector,
Operand::UntagSmiAndScale(index, kPointerSizeLog2));
- __ Ldr(allocation_site, FieldMemOperand(scratch,
FixedArray::kHeaderSize));
+ __ Ldr(scratch, FieldMemOperand(scratch, FixedArray::kHeaderSize));
+
+ // Verify that scratch contains an AllocationSite
+ Register map = x5;
+ __ Ldr(map, FieldMemOperand(scratch, AllocationSite::kMapOffset));
+ __ JumpIfNotRoot(map, Heap::kAllocationSiteMapRootIndex, &miss);
- // Verify that x2 contains an AllocationSite
- __ AssertUndefinedOrAllocationSite(allocation_site, scratch);
+ Register allocation_site = feedback_vector;
+ __ Mov(allocation_site, scratch);
ArrayConstructorStub stub(masm->isolate(), arg_count());
__ TailCallStub(&stub);
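Review bot: `Register map = x5;` hard-codes a physical register in a function that otherwise works through named aliases (`function`, `scratch`, `feedback_vector`, `index`), and whether x5 is free at this point cannot be confirmed from the hunk because the alias definitions sit above it. A one-line comment justifying the choice would save the next reader the same check, e.g. `// x5 is not among the named stub registers above and is clobbered freely here (verify against the alias list).` Note also that `scratch` now carries the loaded slot value across the check, so the old `allocation_site` alias is only valid after the final `Mov`; the comment on the check line could say `// scratch holds the feedback slot value` to make that hand-off obvious. The enclosing function continues outside the hunk.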
Index: src/ia32/code-stubs-ia32.cc
diff --git a/src/ia32/code-stubs-ia32.cc b/src/ia32/code-stubs-ia32.cc
index
96ca1ba2d73dadd5d39d827f53757dba58593a73..11b2bbaf9b160a41325b07d6af9df08e9642264f
100644
--- a/src/ia32/code-stubs-ia32.cc
+++ b/src/ia32/code-stubs-ia32.cc
@@ -2375,10 +2375,15 @@ void CallIC_ArrayStub::Generate(MacroAssembler*
masm) {
__ j(not_equal, &miss);
__ mov(eax, arg_count());
- __ mov(ebx, FieldOperand(ebx, edx, times_half_pointer_size,
+ __ mov(ecx, FieldOperand(ebx, edx, times_half_pointer_size,
FixedArray::kHeaderSize));
+
// Verify that ecx contains an AllocationSite
- __ AssertUndefinedOrAllocationSite(ebx);
+ Factory* factory = masm->isolate()->factory();
+ __ cmp(FieldOperand(ecx, 0), factory->allocation_site_map());
+ __ j(not_equal, &miss);
+
+ __ mov(ebx, ecx);
ArrayConstructorStub stub(masm->isolate(), arg_count());
__ TailCallStub(&stub);
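Review bot: `__ cmp(FieldOperand(ecx, 0), factory->allocation_site_map());` encodes the map word as a bare `0`, while the ARM and ARM64 hunks of the same change spell it `AllocationSite::kMapOffset`; a named offset makes it obvious this is a map check rather than a field compare and keeps the four ports readable the same way. Changing it to `__ cmp(FieldOperand(ecx, HeapObject::kMapOffset), factory->allocation_site_map());` (or the AllocationSite alias the other ports use) is a no-op in generated code. As on ARM, a `__ JumpIfSmi(ecx, &miss);` ahead of the compare would be worth adding if a Smi can ever occupy this slot, which the hunk alone does not rule out. CallIC_ArrayStub::Generate continues outside the hunk.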
Index: src/x64/code-stubs-x64.cc
diff --git a/src/x64/code-stubs-x64.cc b/src/x64/code-stubs-x64.cc
index
5041d9424231961aa909bcddc5490eccc62d0924..0ff1f88a9673f444babe628de8f80849356f3621
100644
--- a/src/x64/code-stubs-x64.cc
+++ b/src/x64/code-stubs-x64.cc
@@ -2255,11 +2255,14 @@ void CallIC_ArrayStub::Generate(MacroAssembler*
masm) {
__ j(not_equal, &miss);
__ movp(rax, Immediate(arg_count()));
- __ movp(rbx, FieldOperand(rbx, rdx, times_pointer_size,
+ __ movp(rcx, FieldOperand(rbx, rdx, times_pointer_size,
FixedArray::kHeaderSize));
-
// Verify that ecx contains an AllocationSite
- __ AssertUndefinedOrAllocationSite(rbx);
+ Factory* factory = masm->isolate()->factory();
+ __ Cmp(FieldOperand(rcx, 0), factory->allocation_site_map());
+ __ j(not_equal, &miss);
+
+ __ movp(rbx, rcx);
ArrayConstructorStub stub(masm->isolate(), arg_count());
__ TailCallStub(&stub);
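Review bot: The comment `// Verify that ecx contains an AllocationSite` is stale on this port: the value loaded and compared is in rcx, and the hunk already touched the neighbouring lines without fixing it, so it should read `// Verify that rcx contains an AllocationSite`. The same line also uses `FieldOperand(rcx, 0)` for the map word; `FieldOperand(rcx, HeapObject::kMapOffset)` matches the named offset the ARM ports use and documents that this is a map check. The function continues past the hunk, so the `miss` label the new branch targets is not visible here.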