Reviewers: Igor Sheludko,
Description:
Work around an assertion that triggers while generating code that
happens to be dead, because the asserted condition is checked a bit
earlier at runtime.
[email protected]
BUG=355486
Please review this at https://codereview.chromium.org/201573011/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+20, -15 lines):
M src/objects.h
M src/x64/lithium-codegen-x64.cc
A + test/mjsunit/regress/regress-355486.js
Index: src/objects.h
diff --git a/src/objects.h b/src/objects.h
index
34edd0a7419ad64f56c875aca0298d3b9f79c8b1..52aeb55466f382cd1faea089bdf1b36fb2496758
100644
--- a/src/objects.h
+++ b/src/objects.h
@@ -1228,6 +1228,7 @@ class MaybeObject BASE_EMBEDDED {
"InstanceofStub unexpected call site cache
(mov)") \
V(kInteger32ToSmiFieldWritingToNonSmiLocation,
\
"Integer32ToSmiField writing to non-smi
location") \
+ V(kInvalidArgumentIndex, "Argument index exceeds argument
count") \
V(kInvalidCaptureReferenced, "Invalid capture
referenced") \
V(kInvalidElementsKindForInternalArrayOrInternalPackedArray,
\
"Invalid ElementsKind for InternalArray or
InternalPackedArray") \
Index: src/x64/lithium-codegen-x64.cc
diff --git a/src/x64/lithium-codegen-x64.cc b/src/x64/lithium-codegen-x64.cc
index
5849cf4ef910d6573c75dd7b4858a964e75192b9..5e7cc617bd93ca40149134baed86fa1456a3806f
100644
--- a/src/x64/lithium-codegen-x64.cc
+++ b/src/x64/lithium-codegen-x64.cc
@@ -2918,9 +2918,14 @@ void
LCodeGen::DoAccessArgumentsAt(LAccessArgumentsAt* instr) {
instr->index()->IsConstantOperand()) {
int32_t const_index =
ToInteger32(LConstantOperand::cast(instr->index()));
int32_t const_length =
ToInteger32(LConstantOperand::cast(instr->length()));
- StackArgumentsAccessor args(arguments, const_length,
- ARGUMENTS_DONT_CONTAIN_RECEIVER);
- __ movp(result, args.GetArgumentOperand(const_index));
+ if (const_index < const_length) {
+ StackArgumentsAccessor args(arguments, const_length,
+ ARGUMENTS_DONT_CONTAIN_RECEIVER);
+ __ movp(result, args.GetArgumentOperand(const_index));
+ } else {
+ // This code should never be executed; just emit an abort here.
+ __ Abort(kInvalidArgumentIndex);
+ }
} else {
Register length = ToRegister(instr->length());
// There are two words between the frame pointer and the last argument.
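Review bot: The new guard `if (const_index < const_length)` in the constant-operand branch of DoAccessArgumentsAt bounds the index only from above, so a negative constant index would still reach `args.GetArgumentOperand(const_index)`. If the accessor's assertions are debug-only (not visible here), a release build would emit a load from a frame slot outside the arguments area. Either tighten the guard to `if (const_index >= 0 && const_index < const_length) {` or add a comment stating why a negative constant cannot reach this point. The else-branch comment should also name what makes the code dead, for example `// Unreachable: the bounds check emitted before this instruction fails first when index >= length.`, which is inferred from the description because that check lies outside the hunk. The function body starts and ends outside this hunk, and only the x64 code generator is touched, so it is worth confirming whether the other architectures' constant-index paths need the same guard.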
Index: test/mjsunit/regress/regress-355486.js
diff --git a/test/mjsunit/regress/regress-347909.js
b/test/mjsunit/regress/regress-355486.js
similarity index 57%
copy from test/mjsunit/regress/regress-347909.js
copy to test/mjsunit/regress/regress-355486.js
index
90a8e6a759eab76afef1dc968c814bd9d324b147..4b9d324ffab44928302eb8915c4ee385422e51be
100644
--- a/test/mjsunit/regress/regress-347909.js
+++ b/test/mjsunit/regress/regress-355486.js
@@ -4,16 +4,15 @@
// Flags: --allow-natives-syntax
-var a = {y:1.5};
-a.y = 0;
-var b = a.y;
-a.y = {};
-var d = 1;
-function f() {
- d = 0;
- return {y: b};
+function __f_17() {
+ var __v_0 = arguments[0];
}
-f();
-f();
-%OptimizeFunctionOnNextCall(f);
-f();
+
+function __f_23() {
+ __f_17();
+}
+
+__f_23();
+__f_23();
+%OptimizeFunctionOnNextCall(__f_23);
+__f_23();
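Review bot: The regression test keeps machine-generated names (`__f_17`, `__f_23`, `__v_0`) and has no comment saying what it exercises, so a later reader cannot tell why the call shape matters. A one-line header such as `// Inlined arguments[0] with no actual arguments: constant index 0 against constant length 0.` would document it; this reading is presumed from the code-generator change and should be confirmed. The test passes only by not crashing, so adding `assertEquals(undefined, ...)` on a returned value would also pin the result of the out-of-range read. The file's first three lines are outside the hunk.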