Reviewers: jarin,
Description:
[x64] Rearrange code for OOB integer loads.
We cannot just clear the result register optimistically, because the
register allocator might assign the same register to result and buffer.
TEST=mjsunit/compiler/regress-445858
BUG=chromium:445858
LOG=y
[email protected]
Please review this at https://codereview.chromium.org/828303002/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+10, -8 lines):
M src/compiler/x64/code-generator-x64.cc
A + test/mjsunit/compiler/regress-445858.js
Index: src/compiler/x64/code-generator-x64.cc
diff --git a/src/compiler/x64/code-generator-x64.cc
b/src/compiler/x64/code-generator-x64.cc
index
40f3247fd44309bde975221f804a4249d0fd63db..0480f9dc90e34745161d37eb4efd8c8cc7e1d469
100644
--- a/src/compiler/x64/code-generator-x64.cc
+++ b/src/compiler/x64/code-generator-x64.cc
@@ -354,12 +354,15 @@ class OutOfLineTruncateDoubleToI FINAL : public
OutOfLineCode {
length_(length)
{} \
\
void Generate() FINAL
{ \
+ Label
oob; \
__ leal(kScratchRegister, Operand(index1_,
index2_)); \
- __ xorl(result_,
result_); \
__ cmpl(kScratchRegister,
Immediate(length_)); \
- __ j(above_equal,
exit()); \
+ __ j(above_equal, &oob,
Label::kNear); \
__
asm_instr(result_, \
Operand(buffer_, kScratchRegister, times_1,
0)); \
+ __
jmp(exit()); \
+ __
bind(&oob); \
+ __ xorl(result_,
result_); \
} \
\
private: \
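Review bot: The instruction order in Generate() is now load-bearing, but nothing in the code says why. `xorl(result_, result_)` must stay on the `oob` path only, because the register allocator may give result_ and buffer_ the same register, as the description explains. I would add a comment above the `bind(&oob)` line, for example `// result_ may alias buffer_: zero it only once the load is known to be skipped.`, so that a later cleanup does not hoist the clear back above the bounds check. The out-of-bounds path ends without an explicit jump, so it presumably relies on the caller emitting the jump to exit() after Generate(); that is not visible here and is worth confirming. The enclosing macro and class begin outside this hunk.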
Index: test/mjsunit/compiler/regress-445858.js
diff --git a/test/mjsunit/compiler/regress-445267.js
b/test/mjsunit/compiler/regress-445858.js
similarity index 64%
copy from test/mjsunit/compiler/regress-445267.js
copy to test/mjsunit/compiler/regress-445858.js
index
465168b6e87ae6d49696d9e67c06a7bb982ace57..b2214ea0f269fe93c20be9fb600ad7162d528d37
100644
--- a/test/mjsunit/compiler/regress-445267.js
+++ b/test/mjsunit/compiler/regress-445858.js
@@ -2,15 +2,14 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-var foo = (function Module(stdlib, foreign, heap) {
+var foo = (function module(stdlib, foreign, heap) {
"use asm";
- var MEM16 = new stdlib.Int16Array(heap);
+ var MEM = new stdlib.Int8Array(heap);
function foo(i) {
i = i|0;
- i = MEM16[i + 2147483650 >> 1]|0;
- return i;
+ i[0] = i;
+ return MEM[i + 1 >> 0]|0;
}
return { foo: foo };
})(this, {}, new ArrayBuffer(64 * 1024)).foo;
-
-foo(0);
+foo(-1);
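Review bot: The test calls `foo(-1)` and discards the result, so it detects a crash but not a wrong value. From the visible lines (index `i + 1` with i = -1) it also appears to exercise only the in-bounds load. Pinning the value with `assertEquals(0, foo(-1));` would catch a miscompiled load that does not crash. A second call past the 64 KiB buffer, for example `assertEquals(0, foo(65536));`, would also cover the zeroing that this change moves onto the out-of-bounds path. This assumes the usual mjsunit assertion helpers are available here, as in the sibling regression tests.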