Revision: 6684
Author: [email protected]
Date: Tue Feb  8 09:25:40 2011
Log: Check for overflow when bumping new space's top in inlined allocation.

BUG=v8:1109
TEST=test/mjsunit/regress/regress-1109.js

Review URL: http://codereview.chromium.org/6453005
http://code.google.com/p/v8/source/detail?r=6684

Modified:
 /branches/bleeding_edge/src/arm/macro-assembler-arm.cc
 /branches/bleeding_edge/src/ia32/macro-assembler-ia32.cc
 /branches/bleeding_edge/src/x64/macro-assembler-x64.cc

=======================================
--- /branches/bleeding_edge/src/arm/macro-assembler-arm.cc Fri Feb 4 05:43:38 2011
+++ /branches/bleeding_edge/src/arm/macro-assembler-arm.cc Tue Feb 8 09:25:40 2011
@@ -1150,7 +1150,8 @@

   // Calculate new top and bail out if new space is exhausted. Use result
   // to calculate the new top.
-  add(scratch2, result, Operand(obj_size_reg));
+  add(scratch2, result, Operand(obj_size_reg), SetCC);
+  b(cs, gc_required);
   cmp(scratch2, Operand(ip));
   b(hi, gc_required);
   str(scratch2, MemOperand(topaddr));
@@ -1229,10 +1230,11 @@
   // to calculate the new top. Object size may be in words so a shift is
   // required to get the number of bytes.
   if ((flags & SIZE_IN_WORDS) != 0) {
-    add(scratch2, result, Operand(object_size, LSL, kPointerSizeLog2));
+ add(scratch2, result, Operand(object_size, LSL, kPointerSizeLog2), SetCC);
   } else {
-    add(scratch2, result, Operand(object_size));
-  }
+    add(scratch2, result, Operand(object_size), SetCC);
+  }
+  b(cs, gc_required);
   cmp(scratch2, Operand(ip));
   b(hi, gc_required);

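Review bot: The carry check added at L40 does not cover the shift inside the operand at L34: ADD with SetCC sets C from the adder's carry-out, not from the shifter, so if object_size in words is large enough that `LSL kPointerSizeLog2` discards its top bits, scratch2 comes out too small and passes both the `b(cs)` and the `b(hi)` limit check. Since the SIZE_IN_WORDS path can only be made safe by the caller, the precondition should be stated at the top of this branch, e.g. `// object_size is a word count; it must be small enough that the LSL below cannot discard high bits, since the add's carry flag will not catch that.` The single-space indentation of L34 looks like a mail-wrapping artifact rather than the committed text, but worth confirming. The enclosing function starts and ends outside this hunk.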
=======================================
--- /branches/bleeding_edge/src/ia32/macro-assembler-ia32.cc Fri Feb 4 04:06:41 2011
+++ /branches/bleeding_edge/src/ia32/macro-assembler-ia32.cc Tue Feb 8 09:25:40 2011
@@ -604,11 +604,11 @@
   ExternalReference new_space_allocation_limit =
       ExternalReference::new_space_allocation_limit_address();

-  if (top_reg.is(result)) {
-    add(Operand(top_reg), Immediate(object_size));
-  } else {
-    lea(top_reg, Operand(result, object_size));
-  }
+  if (!top_reg.is(result)) {
+    mov(top_reg, result);
+  }
+  add(Operand(top_reg), Immediate(object_size));
+  j(carry, gc_required, not_taken);
   cmp(top_reg, Operand::StaticVariable(new_space_allocation_limit));
   j(above, gc_required, not_taken);

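Review bot: The replacement of `lea` by `mov` + `add` at L55-L58 is the whole reason the new `j(carry, ...)` at L59 works, but nothing in the hunk says so, and a later cleanup could fold it back into the single `lea` form and silently lose the overflow check. A one-line comment above the `if` would pin the intent: `// mov + add rather than lea: lea does not set the carry flag the overflow check below relies on.` The same applies to the x64 counterpart at L96-L100. The enclosing function starts and ends outside this hunk.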
@@ -657,7 +657,12 @@
   // Calculate new top and bail out if new space is exhausted.
   ExternalReference new_space_allocation_limit =
       ExternalReference::new_space_allocation_limit_address();
- lea(result_end, Operand(result, element_count, element_size, header_size));
+
+  // We assume that element_count*element_size + header_size does not
+  // overflow.
+  lea(result_end, Operand(element_count, element_size, header_size));
+  add(result_end, Operand(result));
+  j(carry, gc_required);
   cmp(result_end, Operand::StaticVariable(new_space_allocation_limit));
   j(above, gc_required);

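Review bot: The assumption stated in the comment at L69-L70 is the only thing keeping the new carry check sound: the `lea` at L71 computes `element_count*element_size + header_size` without setting flags, so if that product wrapped, result_end would be a small value that passes both the `j(carry)` at L73 and the limit compare at L74-L75. That makes it a precondition on the callers rather than a local assumption, and it belongs in the function's header comment as such, e.g. `// Precondition: element_count * element_size + header_size must fit in a machine word; callers bound element_count before calling.` The x64 hunk at L109-L114 carries the identical comment and the identical gap. The enclosing function starts and ends outside this hunk.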
@@ -702,6 +707,7 @@
     mov(result_end, object_size);
   }
   add(result_end, Operand(result));
+  j(carry, gc_required, not_taken);
   cmp(result_end, Operand::StaticVariable(new_space_allocation_limit));
   j(above, gc_required, not_taken);

=======================================
--- /branches/bleeding_edge/src/x64/macro-assembler-x64.cc Fri Feb 4 06:09:03 2011
+++ /branches/bleeding_edge/src/x64/macro-assembler-x64.cc Tue Feb 8 09:25:40 2011
@@ -2098,11 +2098,11 @@

   Register top_reg = result_end.is_valid() ? result_end : result;

-  if (top_reg.is(result)) {
-    addq(top_reg, Immediate(object_size));
-  } else {
-    lea(top_reg, Operand(result, object_size));
-  }
+  if (!top_reg.is(result)) {
+    movq(top_reg, result);
+  }
+  addq(top_reg, Immediate(object_size));
+  j(carry, gc_required);
   movq(kScratchRegister, new_space_allocation_limit);
   cmpq(top_reg, Operand(kScratchRegister, 0));
   j(above, gc_required);
@@ -2152,7 +2152,12 @@
   // Calculate new top and bail out if new space is exhausted.
   ExternalReference new_space_allocation_limit =
       ExternalReference::new_space_allocation_limit_address();
- lea(result_end, Operand(result, element_count, element_size, header_size));
+
+  // We assume that element_count*element_size + header_size does not
+  // overflow.
+  lea(result_end, Operand(element_count, element_size, header_size));
+  addq(result_end, result);
+  j(carry, gc_required);
   movq(kScratchRegister, new_space_allocation_limit);
   cmpq(result_end, Operand(kScratchRegister, 0));
   j(above, gc_required);
@@ -2198,6 +2203,7 @@
     movq(result_end, object_size);
   }
   addq(result_end, result);
+  j(carry, gc_required);
   movq(kScratchRegister, new_space_allocation_limit);
   cmpq(result_end, Operand(kScratchRegister, 0));
   j(above, gc_required);
