Reviewers: jbramley, jochen,

Message:
PTAL

Description:
A64: Fix write barrier input in KeyedStoreIC::GenerateSloppyArguments.

This fixes flaky crashes in gc-stress bot:
Fatal error in ../src/incremental-marking.cc, line 84
CHECK(obj->IsHeapObject()) failed


BUG=353551
LOG=N
TEST=test/mjsunit/regress/regress-353551.js

Please review this at https://codereview.chromium.org/204453002/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+17, -10 lines):
  M src/a64/ic-a64.cc
  A + test/mjsunit/regress/regress-353551.js


Index: src/a64/ic-a64.cc
diff --git a/src/a64/ic-a64.cc b/src/a64/ic-a64.cc
index 18677f79d7ff42f0a5dc883065519099a01383be..778b1a8d79c7b62bb30a2fa4c91723b8f53bf4b0 100644
--- a/src/a64/ic-a64.cc
+++ b/src/a64/ic-a64.cc
@@ -392,8 +392,11 @@ static MemOperand GenerateMappedArgumentsLookup(MacroAssembler* masm,
   // Load value from context and return it.
   __ Ldr(scratch2, FieldMemOperand(map, FixedArray::kHeaderSize));
   __ SmiUntag(scratch1);
-  __ Add(scratch2, scratch2, Context::kHeaderSize - kHeapObjectTag);
-  return MemOperand(scratch2, scratch1, LSL, kPointerSizeLog2);
+  __ Mov(scratch1, Operand(scratch1, LSL, kPointerSizeLog2));
+  __ Add(scratch1, scratch1, Context::kHeaderSize - kHeapObjectTag);
+  // The base of the result (scratch2) is passed to RecordWrite in
+  // KeyedStoreIC::GenerateSloppyArguments and it must be a HeapObject.
+  return MemOperand(scratch2, scratch1);
 }
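Review bot: The requirement that the returned MemOperand's base (`scratch2`) stay a tagged HeapObject is enforced only by the new comment above the `return`, so a later refactor that folds `Context::kHeaderSize - kHeapObjectTag` back into the base would again hand an untagged interior pointer to the write barrier. Per the description, that failure shows up only as flaky crashes on the gc-stress bot. Consider a debug-mode check just before the return, for example `__ AssertNotSmi(scratch2);` if that helper fits here, so a violation fails deterministically in debug builds. The contract also belongs in the header comment of GenerateMappedArgumentsLookup, which starts outside this hunk, since callers use `.base()` of the result as a GC-visible object.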


Index: test/mjsunit/regress/regress-353551.js
diff --git a/test/mjsunit/function-arguments-duplicate.js b/test/mjsunit/regress/regress-353551.js
similarity index 88%
copy from test/mjsunit/function-arguments-duplicate.js
copy to test/mjsunit/regress/regress-353551.js
index 80f03a106b30a7e2f984a83b9d54b2edd8fb840a..c6e7856d3419e703031c06cba932ba342fefe77a 100644
--- a/test/mjsunit/function-arguments-duplicate.js
+++ b/test/mjsunit/regress/regress-353551.js
@@ -25,12 +25,16 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-// Execises ArgumentsAccessStub::GenerateNewNonStrictSlow.
-
-function f(a, a) {
-  assertEquals(2, a);
-  assertEquals(1, arguments[0]);
-  assertEquals(2, arguments[1]);
+var depth = 0;
+function __f_3(x) {
+  var __v_1 = arguments;
+  __v_1[1000] = 123;
+  depth++;
+  if (depth > 3000) return;
+  function __f_4() {
+    ++__v_1[0];
+    __f_3(0.5);
+  };
+  __f_4();
 }
-
-f(1, 2);
+__f_3(0.5);
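Review bot: The new test drops the copied file's descriptive comment and adds none of its own, and the fuzzer-style names (`__f_3`, `__v_1`, `__f_4`) do not show what is covered. It also has no assertions, so it passes unless the process crashes, and the description suggests the crash appeared only under the gc-stress configuration. Add a header such as `// Regression test for issue 353551: keyed store to a sloppy arguments object must pass a HeapObject to the write barrier.` Please also confirm whether the test needs an explicit flags line to reproduce outside the gc-stress bot; otherwise the default test run gives little protection against a regression here.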

