Revision: 5471
Author: [email protected]
Date: Thu Sep 16 02:18:08 2010
Log: Fix a regression in character-at stub when doing a keyed load on a
string.
Loading from out-of-range has to go to the runtime system to check if there
exists a property with that index in the prototype.
Review URL: http://codereview.chromium.org/3410011
http://code.google.com/p/v8/source/detail?r=5471
Modified:
/branches/bleeding_edge/src/arm/ic-arm.cc
/branches/bleeding_edge/src/ia32/ic-ia32.cc
/branches/bleeding_edge/src/x64/ic-x64.cc
/branches/bleeding_edge/test/mjsunit/regress/regress-900966.js
=======================================
--- /branches/bleeding_edge/src/arm/ic-arm.cc Tue Sep 7 04:09:45 2010
+++ /branches/bleeding_edge/src/arm/ic-arm.cc Thu Sep 16 02:18:08 2010
@@ -1236,7 +1236,6 @@
// -- r1 : receiver
// -----------------------------------
Label miss;
- Label index_out_of_range;
Register receiver = r1;
Register index = r0;
@@ -1251,7 +1250,7 @@
result,
&miss, // When not a string.
&miss, // When not a number.
- &index_out_of_range,
+ &miss, // When index out of
range.
STRING_INDEX_IS_ARRAY_INDEX);
char_at_generator.GenerateFast(masm);
__ Ret();
@@ -1259,10 +1258,6 @@
ICRuntimeCallHelper call_helper;
char_at_generator.GenerateSlow(masm, call_helper);
- __ bind(&index_out_of_range);
- __ LoadRoot(r0, Heap::kUndefinedValueRootIndex);
- __ Ret();
-
__ bind(&miss);
GenerateMiss(masm);
}
=======================================
--- /branches/bleeding_edge/src/ia32/ic-ia32.cc Fri Aug 27 04:47:12 2010
+++ /branches/bleeding_edge/src/ia32/ic-ia32.cc Thu Sep 16 02:18:08 2010
@@ -692,7 +692,6 @@
// -- esp[0] : return address
// -----------------------------------
Label miss;
- Label index_out_of_range;
Register receiver = edx;
Register index = eax;
@@ -707,7 +706,7 @@
result,
&miss, // When not a string.
&miss, // When not a number.
- &index_out_of_range,
+ &miss, // When index out of
range.
STRING_INDEX_IS_ARRAY_INDEX);
char_at_generator.GenerateFast(masm);
__ ret(0);
@@ -715,10 +714,6 @@
ICRuntimeCallHelper call_helper;
char_at_generator.GenerateSlow(masm, call_helper);
- __ bind(&index_out_of_range);
- __ Set(eax, Immediate(Factory::undefined_value()));
- __ ret(0);
-
__ bind(&miss);
GenerateMiss(masm);
}
=======================================
--- /branches/bleeding_edge/src/x64/ic-x64.cc Thu Sep 16 00:24:15 2010
+++ /branches/bleeding_edge/src/x64/ic-x64.cc Thu Sep 16 02:18:08 2010
@@ -730,7 +730,6 @@
// -- rsp[0] : return address
// -----------------------------------
Label miss;
- Label index_out_of_range;
Register receiver = rdx;
Register index = rax;
@@ -745,7 +744,7 @@
result,
&miss, // When not a string.
&miss, // When not a number.
- &index_out_of_range,
+ &miss, // When index out of
range.
STRING_INDEX_IS_ARRAY_INDEX);
char_at_generator.GenerateFast(masm);
__ ret(0);
@@ -753,10 +752,6 @@
ICRuntimeCallHelper call_helper;
char_at_generator.GenerateSlow(masm, call_helper);
- __ bind(&index_out_of_range);
- __ LoadRoot(rax, Heap::kUndefinedValueRootIndex);
- __ ret(0);
-
__ bind(&miss);
GenerateMiss(masm);
}
=======================================
--- /branches/bleeding_edge/test/mjsunit/regress/regress-900966.js Tue Sep
9 13:08:45 2008
+++ /branches/bleeding_edge/test/mjsunit/regress/regress-900966.js Thu Sep
16 02:18:08 2010
@@ -29,6 +29,15 @@
String.prototype[10] = 'x';
assertEquals('abc'[10], 'x');
+// Test that the fast case character-at stub handles an out-of-bound
+// index correctly. We need to call the function twice to initialize
+// the character-at stub.
+function f() {
+ assertEquals('abc'[10], 'x');
+}
+f();
+f();
+
assertTrue(2[11] === undefined);
Number.prototype[11] = 'y';
assertEquals(2[11], 'y');
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
