Revision: 13061
Author:   [email protected]
Date:     Mon Nov 26 07:58:27 2012
Log: Ensure we do not clobber the register holding the elements backing store.

Review URL: https://chromiumcodereview.appspot.com/11316168
http://code.google.com/p/v8/source/detail?r=13061

Modified:
 /branches/bleeding_edge/src/arm/stub-cache-arm.cc
 /branches/bleeding_edge/test/mjsunit/regress/regress-crbug-162085.js

=======================================
--- /branches/bleeding_edge/src/arm/stub-cache-arm.cc Mon Nov 26 06:29:21 2012
+++ /branches/bleeding_edge/src/arm/stub-cache-arm.cc Mon Nov 26 07:58:27 2012
@@ -4690,9 +4690,12 @@
   //  -- r1    : key
   //  -- r2    : receiver
   //  -- lr    : return address
-  //  -- r3    : scratch
+  //  -- r3    : scratch (elements backing store)
   //  -- r4    : scratch
   //  -- r5    : scratch
+  //  -- r6    : scratch
+  //  -- r7    : scratch
+  //  -- r9    : scratch
   // -----------------------------------
   Label miss_force_generic, transition_elements_kind, grow, slow;
   Label finish_store, check_capacity;
@@ -4705,6 +4708,7 @@
   Register scratch2 = r5;
   Register scratch3 = r6;
   Register scratch4 = r7;
+  Register scratch5 = r9;
   Register length_reg = r7;

   // This stub is meant to be tail-jumped to, the receiver must already
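Review bot: `scratch4` and `length_reg` are both bound to r7 in this declaration list, and the third hunk passes scratch4 to StoreNumberToDoubleElements below the "All registers after this are overwritten" comment, so length_reg cannot be assumed to survive that call. Whether length_reg is live across the call is not visible in this hunk. If the sharing is intentional, a comment such as `// length_reg shares r7 with scratch4; it is dead across StoreNumberToDoubleElements.` would make the constraint explicit for the next person who reorders this code. The function body starts and ends outside the hunk.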
@@ -4799,14 +4803,15 @@
__ str(scratch2, FieldMemOperand(elements_reg, offset + kPointerSize));
     }

+    __ mov(scratch1, elements_reg);
     __ StoreNumberToDoubleElements(value_reg,
                                    key_reg,
// All registers after this are overwritten.
-                                   elements_reg,
                                    scratch1,
                                    scratch2,
                                    scratch3,
                                    scratch4,
+                                   scratch5,
                                    &transition_elements_kind);

     // Install the new backing store in the JSArray.
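Review bot: The added `__ mov(scratch1, elements_reg);` carries no comment saying why a copy is passed to StoreNumberToDoubleElements instead of elements_reg itself; the existing `// All registers after this are overwritten.` line is the only hint. I would add above the mov: `// Pass a copy: the call overwrites its elements argument, and elements_reg is still needed below to install the backing store.` Without it a later cleanup could plausibly fold the mov away and reintroduce the clobber, after which the value installed into the JSArray would presumably no longer be the backing-store pointer. The commit touches only the ARM stub, so it may be worth confirming whether other ports share the same call pattern; that is not visible here. The enclosing function starts and ends outside the hunk.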
=======================================
--- /branches/bleeding_edge/test/mjsunit/regress/regress-crbug-162085.js Mon Nov 26 06:29:21 2012
+++ /branches/bleeding_edge/test/mjsunit/regress/regress-crbug-162085.js Mon Nov 26 07:58:27 2012
@@ -30,6 +30,7 @@
 var a = [1,2,3];
 a.length = 0;
 a[0] = 1.4;
+assertEquals(1.4, a[0]);
 assertEquals(undefined, a[1]);
 assertEquals(undefined, a[2]);
 assertEquals(undefined, a[3]);
@@ -43,6 +44,7 @@
 grow_store(a2,1,1.4);
 a2.length = 0;
 grow_store(a2,0,1.5);
+assertEquals(1.5, a2[0]);
 assertEquals(undefined, a2[1]);
 assertEquals(undefined, a2[2]);
 assertEquals(undefined, a2[3]);
@@ -53,3 +55,17 @@
 grow_store(a3, 1, o);
 assertEquals(1.3, a3[0]);
 assertEquals(o, a3[1]);
+
+// Ensure the double array growstub initializes the array with holes.
+function grow_store2(a,i,v) {
+  a[i] = v;
+}
+
+var a4 = [1.3];
+grow_store2(a4,1,1.4);
+a4.length = 0;
+grow_store2(a4,0,1);
+assertEquals(1, a4[0]);
+assertEquals(undefined, a4[1]);
+assertEquals(undefined, a4[2]);
+assertEquals(undefined, a4[3]);
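Review bot: The new grow_store2 case asserts the element values after the store but never checks `a4.length`, which the grow path presumably updates together with the backing store (the stub keeps a dedicated length_reg). Adding `assertEquals(1, a4.length);` right after `assertEquals(1, a4[0]);` would catch a regression where the element is written correctly but the length is left stale or corrupted. The same check would fit the `a` and `a2` cases earlier in the file.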
