Reviewers: danno,
Message:
PTAL
Description:
Ensure we do not clobber the register holding the elements backing store.
Please review this at https://chromiumcodereview.appspot.com/11316168/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/arm/stub-cache-arm.cc
M test/mjsunit/regress/regress-crbug-162085.js
Index: src/arm/stub-cache-arm.cc
diff --git a/src/arm/stub-cache-arm.cc b/src/arm/stub-cache-arm.cc
index
866ab5575ba556806a2bc2293f57af82d3ba4f51..d056a8b04f86744bafe5e8de4ed8555f02f584bf
100644
--- a/src/arm/stub-cache-arm.cc
+++ b/src/arm/stub-cache-arm.cc
@@ -4690,9 +4690,12 @@ void
KeyedStoreStubCompiler::GenerateStoreFastDoubleElement(
// -- r1 : key
// -- r2 : receiver
// -- lr : return address
- // -- r3 : scratch
+ // -- r3 : scratch (elements backing store)
// -- r4 : scratch
// -- r5 : scratch
+ // -- r6 : scratch
+ // -- r7 : scratch
+ // -- r8 : scratch
// -----------------------------------
Label miss_force_generic, transition_elements_kind, grow, slow;
Label finish_store, check_capacity;
@@ -4705,6 +4708,7 @@ void
KeyedStoreStubCompiler::GenerateStoreFastDoubleElement(
Register scratch2 = r5;
Register scratch3 = r6;
Register scratch4 = r7;
+ Register scratch5 = r8;
Register length_reg = r7;
// This stub is meant to be tail-jumped to, the receiver must already
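Review bot: `Register scratch5 = r8;` takes r8 as a scratch register, and nothing in this hunk shows that r8 is dead at this point. On V8's ARM port of this period r8 is, as far as I recall, the register aliased as `cp` (the JavaScript context pointer), so please confirm it is free here or save and restore it around the call that uses it. Separately, `scratch4` and `length_reg` are both bound to `r7` in the visible lines, so any helper that receives `scratch4` as a scratch also destroys the length. A comment such as `// length_reg aliases scratch4 (r7); it must be dead before scratch4 is used.` would make that constraint explicit. The function body starts and ends outside this hunk, so the liveness of both registers cannot be checked from here.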
@@ -4799,14 +4803,15 @@ void
KeyedStoreStubCompiler::GenerateStoreFastDoubleElement(
__ str(scratch2, FieldMemOperand(elements_reg, offset +
kPointerSize));
}
+ __ mov(scratch1, elements_reg);
__ StoreNumberToDoubleElements(value_reg,
key_reg,
// All registers after this are
overwritten.
- elements_reg,
scratch1,
scratch2,
scratch3,
scratch4,
+ scratch5,
&transition_elements_kind);
// Install the new backing store in the JSArray.
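Review bot: The added `__ mov(scratch1, elements_reg);` is what keeps `elements_reg` intact across `StoreNumberToDoubleElements`, but the call site does not say so, and a later cleanup could easily pass `elements_reg` directly again. I would put a comment above the mov, for example `// Pass a copy: the helper clobbers its elements argument and elements_reg is still needed below.` The call also hands over `scratch4`, which is declared as `r7` alongside `length_reg` earlier in this patch. If the code after the call, which lies outside this hunk, still reads `length_reg`, it would see a clobbered value, so this is worth checking.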
Index: test/mjsunit/regress/regress-crbug-162085.js
diff --git a/test/mjsunit/regress/regress-crbug-162085.js
b/test/mjsunit/regress/regress-crbug-162085.js
index
f26c711f7ad5bbafc36dcfc4e719c95b64737027..a53b2c9987f47a953ff78c166592ba33aecc40fc
100644
--- a/test/mjsunit/regress/regress-crbug-162085.js
+++ b/test/mjsunit/regress/regress-crbug-162085.js
@@ -30,6 +30,7 @@
var a = [1,2,3];
a.length = 0;
a[0] = 1.4;
+assertEquals(1.4, a[0]);
assertEquals(undefined, a[1]);
assertEquals(undefined, a[2]);
assertEquals(undefined, a[3]);
@@ -43,6 +44,7 @@ var a2 = [1.3];
grow_store(a2,1,1.4);
a2.length = 0;
grow_store(a2,0,1.5);
+assertEquals(1.5, a2[0]);
assertEquals(undefined, a2[1]);
assertEquals(undefined, a2[2]);
assertEquals(undefined, a2[3]);
@@ -53,3 +55,17 @@ var o = {};
grow_store(a3, 1, o);
assertEquals(1.3, a3[0]);
assertEquals(o, a3[1]);
+
+// Ensure the double array growstub initializes the array with holes.
+function grow_store2(a,i,v) {
+ a[i] = v;
+}
+
+var a4 = [1.3];
+grow_store2(a4,1,1.4);
+a4.length = 0;
+grow_store2(a4,0,1);
+assertEquals(1, a4[0]);
+assertEquals(undefined, a4[1]);
+assertEquals(undefined, a4[2]);
+assertEquals(undefined, a4[3]);
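Review bot: The new `a4` case checks the stored element and the holes behind it but never the array length, which the grow path presumably also updates when it installs the new backing store. Adding `assertEquals(1, a4.length);` after the second `grow_store2` call would catch a stub that writes the element correctly but leaves a stale length. The same check (`assertEquals(1, a.length);`, `assertEquals(1, a2.length);`) would fit the `a` and `a2` cases in the two hunks above. `grow_store2` is called only once before the length reset, so whether the second call actually goes through the grow stub depends on the IC state at that point; a short comment naming the expected state would make the intent of the regression test easier to verify.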