Revision: 16482
Author:   [email protected]
Date:     Mon Sep  2 16:36:28 2013 UTC
Log:      Merged r16358, r16372, r16406, r16431, r16443 into 3.20 branch.

Fix Cluster Fuzz stack frame corruption bug.

MIPS: Fix Cluster Fuzz stack frame corruption bug.

Delete HAbnormalExit. It does more harm than good.

Always visit branches during HGraph building

Make VisitStatements() consistent among all AstVisitor implementations

BUG=v8:2843,chromium:280333
[email protected]

Review URL: https://codereview.chromium.org/23506020
http://code.google.com/p/v8/source/detail?r=16482

Added:
 /branches/3.20/test/mjsunit/compiler/type-feedback-after-throw.js
 /branches/3.20/test/mjsunit/regress/regress-2843.js
 /branches/3.20/test/mjsunit/regress/regress-crbug-280333.js
Modified:
 /branches/3.20/src/arm/code-stubs-arm.cc
 /branches/3.20/src/arm/lithium-arm.cc
 /branches/3.20/src/ast.cc
 /branches/3.20/src/hydrogen-environment-liveness.cc
 /branches/3.20/src/hydrogen-instructions.h
 /branches/3.20/src/hydrogen.cc
 /branches/3.20/src/ia32/code-stubs-ia32.cc
 /branches/3.20/src/ia32/lithium-ia32.cc
 /branches/3.20/src/mips/code-stubs-mips.cc
 /branches/3.20/src/mips/lithium-mips.cc
 /branches/3.20/src/version.cc
 /branches/3.20/src/x64/code-stubs-x64.cc
 /branches/3.20/src/x64/lithium-x64.cc

=======================================
--- /dev/null
+++ /branches/3.20/test/mjsunit/compiler/type-feedback-after-throw.js Mon Sep 2 16:36:28 2013 UTC
@@ -0,0 +1,38 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+function foo() {
+  throw "Error";
+  return 1 > 5;
+};
+
+try { foo() } catch(e) {}
+try { foo() } catch(e) {}
+%OptimizeFunctionOnNextCall(foo);
+try { foo() } catch(e) {}
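Review bot: Nothing in this new test says why the unreachable `return 1 > 5;` after the `throw` is there, and the file has no assertions, so it passes only by not crashing. A short comment above `foo` would record the intent, for example `// The compare after the throw never executes, so it has no type feedback when foo is optimized.` (wording to be confirmed against the bug). The empty `catch(e) {}` blocks also accept any exception; `catch(e) { assertEquals("Error", e); }` would pin the expected one.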
=======================================
--- /dev/null
+++ /branches/3.20/test/mjsunit/regress/regress-2843.js Mon Sep 2 16:36:28 2013 UTC
@@ -0,0 +1,45 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+function bailout() { throw "bailout"; }
+var global;
+
+function foo(x, fun) {
+  var a = x + 1;
+  var b = x + 2;  // Need another Simulate to fold the first one into.
+  global = true;  // Need a side effect to deopt to.
+  fun();
+  return a;
+}
+
+assertThrows("foo(1, bailout)");
+assertThrows("foo(1, bailout)");
+%OptimizeFunctionOnNextCall(foo);
+assertThrows("foo(1, bailout)");
+assertEquals(2, foo(1, function() {}));
=======================================
--- /dev/null
+++ /branches/3.20/test/mjsunit/regress/regress-crbug-280333.js Mon Sep 2 16:36:28 2013 UTC
@@ -0,0 +1,47 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+function funky() { return false; }
+var global;
+
+function foo(x, fun) {
+  var a = x + 1;
+  var b = x + 2;  // Need another Simulate to fold the first one into.
+  global = true;  // Need a side effect to deopt to.
+  if (fun()) {
+    return a;
+  }
+  return 0;
+}
+
+assertEquals(0, foo(1, funky));
+assertEquals(0, foo(1, funky));
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(0, foo(1, funky));
+assertEquals(2, foo(1, function() { return true; }));
=======================================
--- /branches/3.20/src/arm/code-stubs-arm.cc    Tue Aug 13 17:09:37 2013 UTC
+++ /branches/3.20/src/arm/code-stubs-arm.cc    Mon Sep  2 16:36:28 2013 UTC
@@ -4430,6 +4430,7 @@
   {
     FrameScope scope(masm, StackFrame::INTERNAL);

+    __ SmiTag(r0);
     __ push(r0);
     __ push(r1);
     __ push(r2);
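Review bot: The added `__ SmiTag(r0);` carries no comment explaining why r0 must be tagged before it is pushed, and the matching `__ SmiUntag(r0);` sits in the next hunk, where a later edit could drop one half of the pair. Presumably the slot can be visited by the GC while the stub call runs inside this `StackFrame::INTERNAL` scope, so a raw integer there could be treated as a tagged pointer. A comment such as `// Smi-tag r0 so the saved slot holds a valid tagged value while the frame is live.` would make that explicit. Tagging also narrows the representable range, so it is worth stating that r0 always fits in a Smi at this point. The same applies to the ia32 (`eax`), mips (`a0` around `MultiPush`/`MultiPop`) and x64 (`Integer32ToSmi`/`SmiToInteger32` on `rax`) hunks; the enclosing function starts and ends outside each of them.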
@@ -4440,6 +4441,7 @@
     __ pop(r2);
     __ pop(r1);
     __ pop(r0);
+    __ SmiUntag(r0);
   }
   __ b(&done);

=======================================
--- /branches/3.20/src/arm/lithium-arm.cc       Wed Aug 14 17:13:49 2013 UTC
+++ /branches/3.20/src/arm/lithium-arm.cc       Mon Sep  2 16:36:28 2013 UTC
@@ -1864,13 +1864,6 @@
   UNREACHABLE();
   return NULL;
 }
-
-
-LInstruction* LChunkBuilder::DoAbnormalExit(HAbnormalExit* instr) {
-  // The control instruction marking the end of a block that completed
-  // abruptly (e.g., threw an exception).  There is nothing specific to do.
-  return NULL;
-}


 LInstruction* LChunkBuilder::DoThrow(HThrow* instr) {
=======================================
--- /branches/3.20/src/ast.cc   Wed Aug 14 17:13:49 2013 UTC
+++ /branches/3.20/src/ast.cc   Mon Sep  2 16:36:28 2013 UTC
@@ -708,7 +708,9 @@

 void AstVisitor::VisitStatements(ZoneList<Statement*>* statements) {
   for (int i = 0; i < statements->length(); i++) {
-    Visit(statements->at(i));
+    Statement* stmt = statements->at(i);
+    Visit(stmt);
+    if (stmt->IsJump()) break;
   }
 }
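Review bot: The new `if (stmt->IsJump()) break;` changes the contract of the default `AstVisitor::VisitStatements` without documenting it: every visitor that inherits this method now skips all statements after the first jump. A comment on the loop would make that intentional, for example `// Stop at the first jump; the statements after it are unreachable and are deliberately not visited.` Any visitor that must see every node in a block would need its own override, which is worth checking for the subclasses not shown here. The same undocumented early exit is added to `HOptimizedGraphBuilder::VisitStatements` in the hydrogen.cc hunk.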

=======================================
--- /branches/3.20/src/hydrogen-environment-liveness.cc Wed Jul 24 08:18:28 2013 UTC
+++ /branches/3.20/src/hydrogen-environment-liveness.cc Mon Sep 2 16:36:28 2013 UTC
@@ -163,11 +163,7 @@
       live->Clear();
       for (int i = 0; i < enter->return_targets()->length(); ++i) {
         int return_id = enter->return_targets()->at(i)->block_id();
-        // When an AbnormalExit is involved, it can happen that the return
-        // target block doesn't actually exist.
-        if (return_id < live_at_block_start_.length()) {
-          live->Union(*live_at_block_start_[return_id]);
-        }
+        live->Union(*live_at_block_start_[return_id]);
       }
       last_simulate_ = NULL;
       break;
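Review bot: `live->Union(*live_at_block_start_[return_id]);` now indexes and dereferences unconditionally, so the only thing keeping `return_id` in range is the assumption that removing HAbnormalExit means every return target block exists. If the container's `operator[]` is only bounds-checked in debug builds (not visible here), a violated invariant would become an out-of-bounds read inside the compiler in release builds. Stating the invariant next to the access costs nothing: `ASSERT(return_id < live_at_block_start_.length());` plus a one-line comment that return targets are always real blocks now. The enclosing function starts and ends outside this hunk.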
=======================================
--- /branches/3.20/src/hydrogen-instructions.h  Thu Aug 29 13:18:43 2013 UTC
+++ /branches/3.20/src/hydrogen-instructions.h  Mon Sep  2 16:36:28 2013 UTC
@@ -63,7 +63,6 @@


 #define HYDROGEN_CONCRETE_INSTRUCTION_LIST(V)  \
-  V(AbnormalExit)                              \
   V(AccessArgumentsAt)                         \
   V(Add)                                       \
   V(Allocate)                                  \
@@ -1426,16 +1425,6 @@
 };


-class HAbnormalExit: public HTemplateControlInstruction<0, 0> {
- public:
-  virtual Representation RequiredInputRepresentation(int index) {
-    return Representation::None();
-  }
-
-  DECLARE_CONCRETE_INSTRUCTION(AbnormalExit)
-};
-
-
 class HUnaryOperation: public HTemplateInstruction<1> {
  public:
   HUnaryOperation(HValue* value, HType type = HType::Tagged())
=======================================
--- /branches/3.20/src/hydrogen.cc      Thu Aug 29 13:18:43 2013 UTC
+++ /branches/3.20/src/hydrogen.cc      Mon Sep  2 16:36:28 2013 UTC
@@ -2729,16 +2729,6 @@
   if (value != NULL && value->CheckFlag(HValue::kIsArguments)) {
     builder->Bailout(kArgumentsObjectValueInATestContext);
   }
-  if (value->IsConstant()) {
-    HConstant* constant_value = HConstant::cast(value);
-    if (constant_value->BooleanValue()) {
-      builder->current_block()->Goto(if_true(), builder->function_state());
-    } else {
- builder->current_block()->Goto(if_false(), builder->function_state());
-    }
-    builder->set_current_block(NULL);
-    return;
-  }
   HBasicBlock* empty_true = builder->graph()->CreateBasicBlock();
   HBasicBlock* empty_false = builder->graph()->CreateBasicBlock();
   ToBooleanStub::Types expected(condition()->to_boolean_types());
@@ -3083,7 +3073,9 @@

void HOptimizedGraphBuilder::VisitStatements(ZoneList<Statement*>* statements) {
   for (int i = 0; i < statements->length(); i++) {
-    CHECK_ALIVE(Visit(statements->at(i)));
+    Statement* stmt = statements->at(i);
+    CHECK_ALIVE(Visit(stmt));
+    if (stmt->IsJump()) break;
   }
 }

@@ -5365,8 +5357,6 @@
   HThrow* instr = Add<HThrow>(value);
   instr->set_position(expr->position());
   Add<HSimulate>(expr->id());
-  current_block()->FinishExit(new(zone()) HAbnormalExit);
-  set_current_block(NULL);
 }


=======================================
--- /branches/3.20/src/ia32/code-stubs-ia32.cc  Tue Aug 13 17:09:37 2013 UTC
+++ /branches/3.20/src/ia32/code-stubs-ia32.cc  Mon Sep  2 16:36:28 2013 UTC
@@ -4451,6 +4451,7 @@
   {
     FrameScope scope(masm, StackFrame::INTERNAL);

+    __ SmiTag(eax);
     __ push(eax);
     __ push(edi);
     __ push(ebx);
@@ -4461,6 +4462,7 @@
     __ pop(ebx);
     __ pop(edi);
     __ pop(eax);
+    __ SmiUntag(eax);
   }
   __ jmp(&done);

=======================================
--- /branches/3.20/src/ia32/lithium-ia32.cc     Wed Aug 14 17:13:49 2013 UTC
+++ /branches/3.20/src/ia32/lithium-ia32.cc     Mon Sep  2 16:36:28 2013 UTC
@@ -1878,13 +1878,6 @@
   UNREACHABLE();
   return NULL;
 }
-
-
-LInstruction* LChunkBuilder::DoAbnormalExit(HAbnormalExit* instr) {
-  // The control instruction marking the end of a block that completed
-  // abruptly (e.g., threw an exception).  There is nothing specific to do.
-  return NULL;
-}


 LInstruction* LChunkBuilder::DoThrow(HThrow* instr) {
=======================================
--- /branches/3.20/src/mips/code-stubs-mips.cc  Tue Aug 13 17:09:37 2013 UTC
+++ /branches/3.20/src/mips/code-stubs-mips.cc  Mon Sep  2 16:36:28 2013 UTC
@@ -4808,12 +4808,14 @@
         1 << 5  |  // a1
         1 << 6;    // a2

+    __ SmiTag(a0);
     __ MultiPush(kSavedRegs);

     CreateAllocationSiteStub create_stub;
     __ CallStub(&create_stub);

     __ MultiPop(kSavedRegs);
+    __ SmiUntag(a0);
   }
   __ Branch(&done);

=======================================
--- /branches/3.20/src/mips/lithium-mips.cc     Thu Aug 15 08:05:35 2013 UTC
+++ /branches/3.20/src/mips/lithium-mips.cc     Mon Sep  2 16:36:28 2013 UTC
@@ -1783,13 +1783,6 @@
   UNREACHABLE();
   return NULL;
 }
-
-
-LInstruction* LChunkBuilder::DoAbnormalExit(HAbnormalExit* instr) {
-  // The control instruction marking the end of a block that completed
-  // abruptly (e.g., threw an exception).  There is nothing specific to do.
-  return NULL;
-}


 LInstruction* LChunkBuilder::DoThrow(HThrow* instr) {
=======================================
--- /branches/3.20/src/version.cc       Mon Sep  2 14:34:05 2013 UTC
+++ /branches/3.20/src/version.cc       Mon Sep  2 16:36:28 2013 UTC
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     20
 #define BUILD_NUMBER      17
-#define PATCH_LEVEL       5
+#define PATCH_LEVEL       6
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
=======================================
--- /branches/3.20/src/x64/code-stubs-x64.cc    Tue Aug 13 17:09:37 2013 UTC
+++ /branches/3.20/src/x64/code-stubs-x64.cc    Mon Sep  2 16:36:28 2013 UTC
@@ -3568,6 +3568,7 @@
   {
     FrameScope scope(masm, StackFrame::INTERNAL);

+    __ Integer32ToSmi(rax, rax);
     __ push(rax);
     __ push(rdi);
     __ push(rbx);
@@ -3578,6 +3579,7 @@
     __ pop(rbx);
     __ pop(rdi);
     __ pop(rax);
+    __ SmiToInteger32(rax, rax);
   }
   __ jmp(&done);

=======================================
--- /branches/3.20/src/x64/lithium-x64.cc       Wed Aug 14 17:13:49 2013 UTC
+++ /branches/3.20/src/x64/lithium-x64.cc       Mon Sep  2 16:36:28 2013 UTC
@@ -1776,13 +1776,6 @@
   UNREACHABLE();
   return NULL;
 }
-
-
-LInstruction* LChunkBuilder::DoAbnormalExit(HAbnormalExit* instr) {
-  // The control instruction marking the end of a block that completed
-  // abruptly (e.g., threw an exception).  There is nothing specific to do.
-  return NULL;
-}


 LInstruction* LChunkBuilder::DoThrow(HThrow* instr) {
