Revision: 3328
Author: [email protected]
Date: Wed Nov 18 03:36:29 2009
Log: Fixed bug in pixel array inline cache on x64.  The value was not
zero-extended as it should be.  Therefore, the index into the pixel
array could influence the value on reads.

BUG=http://code.google.com/p/chromium/issues/detail?id=26337
Review URL: http://codereview.chromium.org/399067
http://code.google.com/p/v8/source/detail?r=3328

Modified:
  /branches/bleeding_edge/src/x64/ic-x64.cc
  /branches/bleeding_edge/test/cctest/test-api.cc

=======================================
--- /branches/bleeding_edge/src/x64/ic-x64.cc   Wed Nov 11 15:06:11 2009
+++ /branches/bleeding_edge/src/x64/ic-x64.cc   Wed Nov 18 03:36:29 2009
@@ -313,7 +313,7 @@
    __ cmpl(rax, FieldOperand(rcx, PixelArray::kLengthOffset));
    __ j(above_equal, &slow);
    __ movq(rcx, FieldOperand(rcx, PixelArray::kExternalPointerOffset));
-  __ movb(rax, Operand(rcx, rax, times_1, 0));
+  __ movzxbq(rax, Operand(rcx, rax, times_1, 0));
    __ Integer32ToSmi(rax, rax);
    __ ret(0);
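Review bot: The movzxbq fix leaves the width invariant it relies on undocumented: the bounds check on the first context line compares only the low 32 bits of rax (`cmpl` + `above_equal`), while the addressing mode two lines later uses the full 64-bit rax as the byte index, so the check is a complete out-of-bounds guard only if the upper half of rax is already zero when this code is reached. The lines that produce rax are above the hunk, so I cannot confirm that here; presumably the index came from a 32-bit write, which zero-extends on x64, but a comment would pin it down: `// rax holds the untagged index, zero-extended to 64 bits; cmpl + above_equal is one unsigned bounds check.` A why-comment on the load itself would stop the next reader from reverting it to the narrower move: `// movzxbq, not movb: a byte move leaves the index bits in the upper part of rax (chromium:26337).` The stub's enclosing function begins outside the hunk.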

=======================================
--- /branches/bleeding_edge/test/cctest/test-api.cc     Tue Nov 17 05:50:07 2009
+++ /branches/bleeding_edge/test/cctest/test-api.cc     Wed Nov 18 03:36:29 2009
@@ -7615,18 +7615,18 @@
  THREADED_TEST(PixelArray) {
    v8::HandleScope scope;
    LocalContext context;
-  const int kElementCount = 40;
+  const int kElementCount = 260;
    uint8_t* pixel_data = reinterpret_cast<uint8_t*>(malloc(kElementCount));
    i::Handle<i::PixelArray> pixels =  
i::Factory::NewPixelArray(kElementCount,
                                                                pixel_data);
    i::Heap::CollectAllGarbage(false);  // Force GC to trigger verification.
    for (int i = 0; i < kElementCount; i++) {
-    pixels->set(i, i);
+    pixels->set(i, i % 256);
    }
    i::Heap::CollectAllGarbage(false);  // Force GC to trigger verification.
    for (int i = 0; i < kElementCount; i++) {
-    CHECK_EQ(i, pixels->get(i));
-    CHECK_EQ(i, pixel_data[i]);
+    CHECK_EQ(i % 256, pixels->get(i));
+    CHECK_EQ(i % 256, pixel_data[i]);
    }

    v8::Handle<v8::Object> obj = v8::Object::New();
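Review bot: `const int kElementCount = 260;` is a magic number whose value is the whole point of the change — it must exceed 256 so that the later `pixels[256]` accesses in the same test are in range — but nothing at the declaration says so, and a future tidy-up to a round 64 would silently defeat the regression test. Suggest `const int kElementCount = 260;  // > 256: later reads at index 256 must be in bounds.` The `i % 256` edits below it follow from the elements being single bytes and need no further comment. THREADED_TEST(PixelArray) continues past the end of the hunk.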
@@ -7790,6 +7790,15 @@
    result = CompileRun("pixels[1] = 23;");
    CHECK_EQ(23, result->Int32Value());

+  // Test for index greater than 255.  Regression test for:
+  // http://code.google.com/p/chromium/issues/detail?id=26337.
+  result = CompileRun("pixels[256] = 255;");
+  CHECK_EQ(255, result->Int32Value());
+  result = CompileRun("var i = 0;"
+                      "for (var j = 0; j < 8; j++) { i = pixels[256]; }"
+                      "i");
+  CHECK_EQ(255, result->Int32Value());
+
    free(pixel_data);
  }
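Review bot: The eight-iteration loop in the second added `CompileRun` carries no explanation of why it loops, which is the part that matters: a single `pixels[256]` read would presumably be served by the generic path, and repeating it is what drives the keyed load into the inline-cache stub whose byte move was fixed. A comment such as `// Read repeatedly so the keyed load is served by the pixel-array IC stub, not the generic path.` would make that intent survive; I am inferring it from the commit message rather than from anything visible in the hunk. The chosen values are a good pair, since index 256 (0x100) with a stored 255 (0xFF) would read back as 511 under the old byte move. THREADED_TEST(PixelArray) begins outside the hunk.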

