Reviewers: Søren Gjesse,

Description:
Fixed bug in pixel array inline cache on x64.  The value was not
zero-extended as it should be.  Therefore, the index into the pixel
array could influence the value on reads.

BUG=http://code.google.com/p/chromium/issues/detail?id=26337

Please review this at http://codereview.chromium.org/399067

SVN Base: http://v8.googlecode.com/svn/branches/bleeding_edge/

Affected files:
   M     src/x64/ic-x64.cc
   M     test/cctest/test-api.cc


Index: test/cctest/test-api.cc
===================================================================
--- test/cctest/test-api.cc     (revision 3300)
+++ test/cctest/test-api.cc     (working copy)
@@ -7590,18 +7590,18 @@
  THREADED_TEST(PixelArray) {
    v8::HandleScope scope;
    LocalContext context;
-  const int kElementCount = 40;
+  const int kElementCount = 260;
    uint8_t* pixel_data = reinterpret_cast<uint8_t*>(malloc(kElementCount));
    i::Handle<i::PixelArray> pixels =  
i::Factory::NewPixelArray(kElementCount,
                                                                pixel_data);
    i::Heap::CollectAllGarbage(false);  // Force GC to trigger verification.
    for (int i = 0; i < kElementCount; i++) {
-    pixels->set(i, i);
+    pixels->set(i, i % 256);
    }
    i::Heap::CollectAllGarbage(false);  // Force GC to trigger verification.
    for (int i = 0; i < kElementCount; i++) {
-    CHECK_EQ(i, pixels->get(i));
-    CHECK_EQ(i, pixel_data[i]);
+    CHECK_EQ(i % 256, pixels->get(i));
+    CHECK_EQ(i % 256, pixel_data[i]);
    }

    v8::Handle<v8::Object> obj = v8::Object::New();
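Review bot: The new `kElementCount = 260` carries no explanation of why 260 was chosen, and a reader of this test will not know that the point is to have indices above 255, so the constant is likely to be "tidied" back down. A comment such as `// More than 256 elements so that indices with bits set above bit 7 are exercised (chromium issue 26337).` next to the constant would pin the intent. The `i % 256` in the three loops that follow is the consequence of the same choice (pixel values are bytes), and one comment at the constant covers all three. Note that the `set`/`get` calls in this hunk go through the C++ accessors rather than the keyed-load IC that the description says was wrong, so this hunk alone would not have caught the bug; the JavaScript-side check is in the later hunk of the same file.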
@@ -7765,6 +7765,15 @@
    result = CompileRun("pixels[1] = 23;");
    CHECK_EQ(23, result->Int32Value());

+  // Test for index greater than 255.  Regression test for:
+  // http://code.google.com/p/chromium/issues/detail?id=26337.
+  result = CompileRun("pixels[256] = 255;");
+  CHECK_EQ(255, result->Int32Value());
+  result = CompileRun("var i = 0;"
+                      "for (var j = 0; j < 8; j++) { i = pixels[256]; }"
+                      "i");
+  CHECK_EQ(255, result->Int32Value());
+
    free(pixel_data);
  }

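Review bot: The `for (var j = 0; j < 8; j++)` loop around `pixels[256]` is the part that actually reaches the inline-cache fast path, but nothing says so, and 8 is a bare number. I would add, above the second `CompileRun`, a comment along the lines of `// Read the element repeatedly so the keyed load goes through the inline cache fast path, which is where the x64 zero-extension bug lived.` (the exact number of iterations needed before the IC is patched is not visible here, so "repeatedly" is the honest wording). The choice of index 256 and value 255 is a good one for this regression: with the old byte move the index bits above bit 7 would have survived in the result and the check would fail. The enclosing `THREADED_TEST(PixelArray)` starts in the earlier hunk of this file.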
Index: src/x64/ic-x64.cc
===================================================================
--- src/x64/ic-x64.cc   (revision 3300)
+++ src/x64/ic-x64.cc   (working copy)
@@ -313,7 +313,7 @@
    __ cmpl(rax, FieldOperand(rcx, PixelArray::kLengthOffset));
    __ j(above_equal, &slow);
    __ movq(rcx, FieldOperand(rcx, PixelArray::kExternalPointerOffset));
-  __ movb(rax, Operand(rcx, rax, times_1, 0));
+  __ movzxbq(rax, Operand(rcx, rax, times_1, 0));
    __ Integer32ToSmi(rax, rax);
    __ ret(0);
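Review bot: The replacement of `movb` with `movzxbq` on the load from `Operand(rcx, rax, times_1, 0)` deserves a comment, because the reason is not obvious from the instruction alone: `rax` is both the index register of the operand and the destination, so a byte-sized move only overwrote bits 0..7 and left the rest of the index in place for `Integer32ToSmi` to tag as part of the value. I would write `// rax is also the index register; zero-extend so no index bits survive in the loaded value.` above the new line. `movzxbl` would be sufficient on x64 (a 32-bit destination write clears the upper half) and saves the REX.W prefix, but `movzxbq` is correct and arguably reads more explicitly. The generating function begins and ends outside this hunk, so I cannot see how `rax` was loaded before the `cmpl` bounds check.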



