Reviewers: Benedikt Meurer, jbramley,
Message:
PTAL
Description:
ARM64: remove stack pushes without frame in RegExpExecStub.
RegExpExecStub pushes callee-saved registers without setting up a frame.
This confuses the stack iterator.
Other architectures do not save these registers.
BUG=chromium:487981
LOG=NO
TEST=mjsunit/regress/regress-487981
Please review this at https://codereview.chromium.org/1183593005/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+22, -10 lines):
M src/arm64/code-stubs-arm64.cc
A test/mjsunit/regress/regress-487981.js
Index: src/arm64/code-stubs-arm64.cc
diff --git a/src/arm64/code-stubs-arm64.cc b/src/arm64/code-stubs-arm64.cc
index
bd701502efc5c3a5a4716edc36f667126d805bd8..09b0ed63663134ad130c2d6065e6cffc6f4ef855
100644
--- a/src/arm64/code-stubs-arm64.cc
+++ b/src/arm64/code-stubs-arm64.cc
@@ -2305,13 +2305,6 @@ void RegExpExecStub::Generate(MacroAssembler* masm) {
Register last_match_info_elements = x21;
Register code_object = x22;
- // TODO(jbramley): Is it necessary to preserve these? I don't think ARM
does.
- CPURegList used_callee_saved_registers(subject,
- regexp_data,
- last_match_info_elements,
- code_object);
- __ PushCPURegList(used_callee_saved_registers);
-
// Stack frame.
// jssp[0] : x19
// jssp[8] : x20
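Review bot: The stack-frame comment that immediately follows the removed push (`// jssp[0] : x19`, `// jssp[8] : x20`) still describes x19–x22 as the top four stack slots, which is no longer true once `PushCPURegList` is gone; it should be rewritten to start at the four stub arguments, e.g. `// jssp[0] : last_match_info (JSArray)`. The diffstat shows no added lines in this file, so if `kLastMatchInfoOffset` and its siblings (used by the `Peek` later in the function, outside this hunk) are still computed on top of a four-slot callee-saved area, every argument read is now 32 bytes too high on the stack and reads memory belonging to the caller's frame instead of the stub's arguments — please confirm those constants are rebased to 0 or were already defined independently of the saved-register block. x19–x22 are AAPCS64 callee-saved, so it is also worth confirming that no caller of this stub, including the `TailCallRuntime` path, relies on them surviving the call; the description's point that the other ports do not save them is the right justification and belongs in the commit message. RegExpExecStub::Generate starts before and continues after this hunk.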
@@ -2692,7 +2685,6 @@ void RegExpExecStub::Generate(MacroAssembler* masm) {
// Return last match info.
__ Peek(x0, kLastMatchInfoOffset);
- __ PopCPURegList(used_callee_saved_registers);
// Drop the 4 arguments of the stub from the stack.
__ Drop(4);
__ Ret();
@@ -2715,13 +2707,11 @@ void RegExpExecStub::Generate(MacroAssembler* masm)
{
__ Bind(&failure);
__ Mov(x0, Operand(isolate()->factory()->null_value()));
- __ PopCPURegList(used_callee_saved_registers);
// Drop the 4 arguments of the stub from the stack.
__ Drop(4);
__ Ret();
__ Bind(&runtime);
- __ PopCPURegList(used_callee_saved_registers);
__ TailCallRuntime(Runtime::kRegExpExec, 4, 1);
// Deferred code for string handling.
Index: test/mjsunit/regress/regress-487981.js
diff --git a/test/mjsunit/regress/regress-487981.js
b/test/mjsunit/regress/regress-487981.js
new file mode 100644
index
0000000000000000000000000000000000000000..829c25c59d230e4d0e4ec189e0915b999ee8b478
--- /dev/null
+++ b/test/mjsunit/regress/regress-487981.js
@@ -0,0 +1,22 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --stress-compaction
+
+// To reliably reproduce the crash use --verify-heap
--random-seed=-133185440
+
+function __f_2(o) {
+ return o.field.b.x;
+}
+
+try {
+ %OptimizeFunctionOnNextCall(__f_2);
+ __v_1 = __f_2();
+} catch(e) { }
+
+function __f_3() { __f_3(/./.test()); };
+
+try {
+__f_3();
+} catch(e) { }
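Review bot: The `// Flags:` line omits `--verify-heap` even though the comment two lines below says the crash only reproduces reliably with it and a fixed `--random-seed`, so as written the test can pass on a build that still has the bug and is a weak regression guard. If the harness tolerates it, add the flag, `// Flags: --allow-natives-syntax --stress-compaction --verify-heap`, and keep the seed in the comment only since seeds are not stable across V8 revisions. A one-line comment on the mechanism would also help future readers, presumably something like `// Recursing through RegExp.prototype.test until stack overflow under --stress-compaction walks the stack while a RegExpExecStub frame is live (chromium:487981).`, hedged or corrected to whatever the actual trigger is.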