Reviewers: Toon Verwaest,
Description:
Merged r19549 into 3.24 branch.
Fix for failing asserts in HBoundsCheck code generation on x64: the index
register should be zero-extended.
BUG=345820
LOG=N
[email protected]
Please review this at https://codereview.chromium.org/182963002/
SVN Base: https://v8.googlecode.com/svn/branches/3.24
Affected files (+22, -3 lines):
M src/version.cc
M src/x64/disasm-x64.cc
M src/x64/lithium-gap-resolver-x64.cc
A test/mjsunit/regress/regress-crbug-345820.js
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index
488faea92adf42ec1636e3b4867023813827c072..c13e570350c92f5cf72aa08617af6d4b1693dae8
100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 24
#define BUILD_NUMBER 35
-#define PATCH_LEVEL 5
+#define PATCH_LEVEL 6
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
Index: src/x64/disasm-x64.cc
diff --git a/src/x64/disasm-x64.cc b/src/x64/disasm-x64.cc
index
476eab2b42feeb0e2b64453c514b4342cbeb2620..2d659cf0e7f2cca25c318ae6bda1cad32540e113
100644
--- a/src/x64/disasm-x64.cc
+++ b/src/x64/disasm-x64.cc
@@ -1451,7 +1451,8 @@ int
DisassemblerX64::InstructionDecode(v8::internal::Vector<char> out_buffer,
data += 3;
break;
case OPERAND_DOUBLEWORD_SIZE:
- addr = reinterpret_cast<byte*>(*reinterpret_cast<int32_t*>(data
+ 1));
+ addr =
+ reinterpret_cast<byte*>(*reinterpret_cast<uint32_t*>(data +
1));
data += 5;
break;
case OPERAND_QUADWORD_SIZE:
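Review bot: In the `OPERAND_DOUBLEWORD_SIZE` case the only thing that changed is the signedness of the pointee type, and nothing on the line says that it is deliberate, so a later cleanup could quietly turn it back into `int32_t`. A one-line comment above the assignment would pin it, for example `// 32-bit immediate is zero-extended into the 64-bit destination; decode it as unsigned.` (this assumes the case decodes a 32-bit immediate move, which the hunk does not show). Separately, dereferencing a `reinterpret_cast<uint32_t*>` at `data + 1` reads four bytes from an arbitrary byte offset; copying them into a local `uint32_t` with `memcpy` would avoid relying on unaligned, type-punned access. `InstructionDecode` starts and ends outside this hunk.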
Index: src/x64/lithium-gap-resolver-x64.cc
diff --git a/src/x64/lithium-gap-resolver-x64.cc
b/src/x64/lithium-gap-resolver-x64.cc
index
5b4e32d2c44cec51bbe3b6f8684addd610272614..c3bfd9e61203243d53023ae064bbd5b3dbe41eee
100644
--- a/src/x64/lithium-gap-resolver-x64.cc
+++ b/src/x64/lithium-gap-resolver-x64.cc
@@ -198,7 +198,7 @@ void LGapResolver::EmitMove(int index) {
if (cgen_->IsSmiConstant(constant_source)) {
__ Move(dst, cgen_->ToSmi(constant_source));
} else if (cgen_->IsInteger32Constant(constant_source)) {
- __ Set(dst, cgen_->ToInteger32(constant_source));
+ __ Set(dst,
static_cast<uint32_t>(cgen_->ToInteger32(constant_source)));
} else {
__ Move(dst, cgen_->ToHandle(constant_source));
}
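Review bot: The `static_cast<uint32_t>` in the `IsInteger32Constant` branch now zero-extends every Integer32 constant that `EmitMove` materializes into `dst`, not only values that later feed a bounds check, and the invariant it is meant to uphold is not written down anywhere in the hunk. Since a negative index reaching a bounds check as a sign-extended 64-bit value is the failure the commit description refers to, the branch deserves a comment such as `// Int32 constants are materialized zero-extended; HBoundsCheck debug code asserts this for the index register.` It is also worth confirming that no consumer of `dst` expects a sign-extended 64-bit value for negative constants, and that any other path in `EmitMove` that writes an Integer32 constant (the function continues outside this hunk) keeps the same convention.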
Index: test/mjsunit/regress/regress-crbug-345820.js
diff --git a/test/mjsunit/regress/regress-crbug-345820.js
b/test/mjsunit/regress/regress-crbug-345820.js
new file mode 100644
index
0000000000000000000000000000000000000000..bdd0af9b12db3340263c47f40e3d0b5f1eb84172
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-345820.js
@@ -0,0 +1,18 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --debug-code
+
+var __v_6 = {};
+__v_6 = new Int32Array(5);
+for (var i = 0; i < __v_6.length; i++) __v_6[i] = 0;
+
+function __f_7(N) {
+ for (var i = -1; i < N; i++) {
+ __v_6[i] = i;
+ }
+}
+__f_7(1);
+%OptimizeFunctionOnNextCall(__f_7);
+__f_7(__v_6.length);
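Review bot: The regression test contains no assertions, so it only fails when `--debug-code` makes the generated code abort; if the flag is dropped or the debug assert is changed, it passes vacuously. Because the loop in `__f_7` deliberately stores at index `-1`, the test should also check the observable result after the optimized call, for example `for (var i = 0; i < __v_6.length; i++) assertEquals(i, __v_6[i]);` and `assertEquals(undefined, __v_6[-1]);`. That way an out-of-bounds store that slipped past the bounds check would be caught by the test itself rather than only by the debug-mode assert.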
--