[v8-dev] Add missing FrameState for Runtime_CreateArrayLiteral. (issue 873973003 by [email protected])

Mon, 26 Jan 2015 03:51:09 -0800 

Reviewers: jarin,

Description:
Add missing FrameState for Runtime_CreateArrayLiteral.

[email protected]
TEST=mjsunit/regress/regress-crbug-451013
BUG=chromium:451013
LOG=N

Please review this at https://codereview.chromium.org/873973003/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+21, -4 lines):
  M src/ast.h
  M src/compiler/ast-graph-builder.cc
  M src/compiler/linkage.cc
  M src/ia32/full-codegen-ia32.cc
  A test/mjsunit/regress/regress-crbug-451013.js


Index: src/ast.h
diff --git a/src/ast.h b/src/ast.h
index db9f575d038367af1f5ec6b3d99996e821792aad..4903928456dd540cce2cfbdae6f17e3c058b731e 100644 
--- a/src/ast.h
+++ b/src/ast.h
@@ -1586,12 +1586,14 @@ class ArrayLiteral FINAL : public MaterializedLiteral { Handle<FixedArray> constant_elements() const { return constant_elements_; } 
   ZoneList<Expression*>* values() const { return values_; }

-  // Unlike other AST nodes, this number of bailout IDs allocated for an
-  // ArrayLiteral can vary, so num_ids() is not a static method.
-  int num_ids() const { return parent_num_ids() + values()->length(); }
+  BailoutId CreateLiteralId() const { return BailoutId(local_id(0)); }

   // Return an AST id for an element that is used in simulate instructions.
-  BailoutId GetIdForElement(int i) { return BailoutId(local_id(i)); }
+  BailoutId GetIdForElement(int i) { return BailoutId(local_id(i + 1)); }
+
+  // Unlike other AST nodes, this number of bailout IDs allocated for an
+  // ArrayLiteral can vary, so num_ids() is not a static method.
+  int num_ids() const { return parent_num_ids() + 1 + values()->length(); }

   // Populate the constant elements fixed array.
   void BuildConstantElements(Isolate* isolate);
Index: src/compiler/ast-graph-builder.cc
diff --git a/src/compiler/ast-graph-builder.cc b/src/compiler/ast-graph-builder.cc index 5e725284f39807983e56efd38900021c65cac5a6..28378a59a5d2fa6372e2bc73e49dd8953dfd8f13 100644 
--- a/src/compiler/ast-graph-builder.cc
+++ b/src/compiler/ast-graph-builder.cc
@@ -1199,6 +1199,8 @@ void AstGraphBuilder::VisitArrayLiteral(ArrayLiteral* expr) { 
   const Operator* op =
       javascript()->CallRuntime(Runtime::kCreateArrayLiteral, 4);
Node* literal = NewNode(op, literals_array, literal_index, constants, flags); 
+  PrepareFrameState(literal, expr->CreateLiteralId(),
+                    OutputFrameStateCombine::Push());

   // The array and the literal index are both expected on the operand stack
   // during computation of the element values.
Index: src/compiler/linkage.cc
diff --git a/src/compiler/linkage.cc b/src/compiler/linkage.cc
index dcc1aa7e4fe3f4ac5a1304e36d7eb5c0d7f62125..972745347a61e2089766baa106ba64b1133a95fa 100644 
--- a/src/compiler/linkage.cc
+++ b/src/compiler/linkage.cc
@@ -130,6 +130,7 @@ bool Linkage::NeedsFrameState(Runtime::FunctionId function) { 
     case Runtime::kCompileLazy:
     case Runtime::kCompileOptimized:
     case Runtime::kCompileString:
+    case Runtime::kCreateArrayLiteral:
     case Runtime::kCreateObjectLiteral:
     case Runtime::kDebugBreak:
     case Runtime::kDataViewSetInt8:
Index: src/ia32/full-codegen-ia32.cc
diff --git a/src/ia32/full-codegen-ia32.cc b/src/ia32/full-codegen-ia32.cc
index b4195350cbb4641f21c07225681efab25d5e89d9..2e1be08f8c42de9392da76722ec25e4461e87147 100644 
--- a/src/ia32/full-codegen-ia32.cc
+++ b/src/ia32/full-codegen-ia32.cc
@@ -1817,6 +1817,7 @@ void FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) { 
     FastCloneShallowArrayStub stub(isolate(), allocation_site_mode);
     __ CallStub(&stub);
   }
+  PrepareForBailoutForId(expr->CreateLiteralId(), TOS_REG);

   bool result_saved = false;  // Is the result saved to the stack?

Index: test/mjsunit/regress/regress-crbug-451013.js
diff --git a/test/mjsunit/regress/regress-crbug-451013.js b/test/mjsunit/regress/regress-crbug-451013.js 
new file mode 100644
index 0000000000000000000000000000000000000000..d843d3334b03719d7ae5742c93dbc30ead47a704 
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-451013.js
@@ -0,0 +1,11 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+assertThrows(function testDeepArrayLiteral() {
+  testDeepArrayLiteral([], [], [[]]);
+}, RangeError);
+
+assertThrows(function testDeepObjectLiteral() {
+  testDeepObjectLiteral({}, {}, {x:[[]]});
+}, RangeError);


--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
--- You received this message because you are subscribed to the Google Groups "v8-dev" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to