Revision: 3263
Author: [email protected]
Date: Tue Nov 10 06:58:16 2009
Log: Revert r3032 that uses push instead of 'sub esp, size'.  This change
leads to stack corruption in 32-bit version of V8.

See http://code.google.com/p/chromium/issues/detail?id=27227 for a
reproducible case.

Since this is only an issue on 32-bit V8 I think this has got
something to do with the UnsafeSmi handling that we do on ia32.  I'm
reverting for now so we can push a fix, but we should track down the
issue and create a regression test for this.

Review URL: http://codereview.chromium.org/383005
http://code.google.com/p/v8/source/detail?r=3263

Modified:
  /branches/bleeding_edge/src/ia32/virtual-frame-ia32.cc
  /branches/bleeding_edge/src/x64/virtual-frame-x64.cc

=======================================
--- /branches/bleeding_edge/src/ia32/virtual-frame-ia32.cc      Thu Oct  8  
04:49:58 2009
+++ /branches/bleeding_edge/src/ia32/virtual-frame-ia32.cc      Tue Nov 10  
06:58:16 2009
@@ -161,16 +161,15 @@
    // on the stack.
    int start = Min(begin, stack_pointer_ + 1);

-  // Emit normal 'push' instructions for elements above stack pointer
-  // and use mov instructions if we are below stack pointer.
+  // If positive we have to adjust the stack pointer.
+  int delta = end - stack_pointer_;
+  if (delta > 0) {
+    stack_pointer_ = end;
+    __ sub(Operand(esp), Immediate(delta * kPointerSize));
+  }
+
    for (int i = start; i <= end; i++) {
-    if (!elements_[i].is_synced()) {
-      if (i <= stack_pointer_) {
-        SyncElementBelowStackPointer(i);
-      } else {
-        SyncElementByPushing(i);
-      }
-    }
+    if (!elements_[i].is_synced()) SyncElementBelowStackPointer(i);
    }
  }

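Review bot: The comment restored at `+  // If positive we have to adjust the stack pointer.` records nothing about why the stack pointer is bumped with a single `sub` and the slots are then filled by `SyncElementBelowStackPointer` stores, so the push-based variant this commit reverts is likely to be re-proposed as an optimization and the corruption reported in the log will come back. Suggest extending the comment to `// Reserve the slots with one sub and fill them with mov stores below; a push-based variant (r3032) corrupted the stack on ia32, see chromium issue 27227 before changing this.` The same comment is restored in the x64 hunk and should carry the same note. Updating `stack_pointer_` before the loop is what makes every `i <= end` eligible for `SyncElementBelowStackPointer`; that ordering is worth a one-line comment too, since the loop no longer checks `i <= stack_pointer_` itself. The enclosing function's signature and the `Min(begin, ...)` context start above the hunk.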
=======================================
--- /branches/bleeding_edge/src/x64/virtual-frame-x64.cc        Thu Oct  8  
06:09:28 2009
+++ /branches/bleeding_edge/src/x64/virtual-frame-x64.cc        Tue Nov 10  
06:58:16 2009
@@ -893,16 +893,15 @@
    // on the stack.
    int start = Min(begin, stack_pointer_ + 1);

-  // Emit normal 'push' instructions for elements above stack pointer
-  // and use mov instructions if we are below stack pointer.
+  // If positive we have to adjust the stack pointer.
+  int delta = end - stack_pointer_;
+  if (delta > 0) {
+    stack_pointer_ = end;
+    __ subq(rsp, Immediate(delta * kPointerSize));
+  }
+
    for (int i = start; i <= end; i++) {
-    if (!elements_[i].is_synced()) {
-      if (i <= stack_pointer_) {
-        SyncElementBelowStackPointer(i);
-      } else {
-        SyncElementByPushing(i);
-      }
-    }
+    if (!elements_[i].is_synced()) SyncElementBelowStackPointer(i);
    }
  }

