Add missing FrameState for Runtime_CreateArrayLiteral.

R=jarin@chromium.org TEST=mjsunit/regress/regress-crbug-451013 BUG=chromium:451013 LOG=N Review URL: https://codereview.chromium.org/873973003 Cr-Commit-Position: refs/heads/master@{#26268}
2015-01-26 04:45:25 -08:00 · 2015-01-26 04:45:25 -08:00 · 00f3f99221
commit 00f3f99221
parent c6ae373335
12 changed files with 28 additions and 4 deletions
--- a/src/arm/full-codegen-arm.cc
+++ b/src/arm/full-codegen-arm.cc
@ -1893,6 +1893,7 @@ void FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
    FastCloneShallowArrayStub stub(isolate(), allocation_site_mode);
    __ CallStub(&stub);
  }
+  PrepareForBailoutForId(expr->CreateLiteralId(), TOS_REG);

  bool result_saved = false;  // Is the result saved to the stack?

--- a/src/arm64/full-codegen-arm64.cc
+++ b/src/arm64/full-codegen-arm64.cc
@ -1873,6 +1873,7 @@ void FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
    FastCloneShallowArrayStub stub(isolate(), allocation_site_mode);
    __ CallStub(&stub);
  }
+  PrepareForBailoutForId(expr->CreateLiteralId(), TOS_REG);

  bool result_saved = false;  // Is the result saved to the stack?

--- a/src/ast.h
+++ b/src/ast.h
@ -1586,12 +1586,14 @@ class ArrayLiteral FINAL : public MaterializedLiteral {
  Handle<FixedArray> constant_elements() const { return constant_elements_; }
  ZoneList<Expression*>* values() const { return values_; }

-  // Unlike other AST nodes, this number of bailout IDs allocated for an
-  // ArrayLiteral can vary, so num_ids() is not a static method.
-  int num_ids() const { return parent_num_ids() + values()->length(); }
+  BailoutId CreateLiteralId() const { return BailoutId(local_id(0)); }

  // Return an AST id for an element that is used in simulate instructions.
-  BailoutId GetIdForElement(int i) { return BailoutId(local_id(i)); }
+  BailoutId GetIdForElement(int i) { return BailoutId(local_id(i + 1)); }
+
+  // Unlike other AST nodes, this number of bailout IDs allocated for an
+  // ArrayLiteral can vary, so num_ids() is not a static method.
+  int num_ids() const { return parent_num_ids() + 1 + values()->length(); }

  // Populate the constant elements fixed array.
  void BuildConstantElements(Isolate* isolate);
--- a/src/compiler/ast-graph-builder.cc
+++ b/src/compiler/ast-graph-builder.cc
@ -1199,6 +1199,8 @@ void AstGraphBuilder::VisitArrayLiteral(ArrayLiteral* expr) {
  const Operator* op =
      javascript()->CallRuntime(Runtime::kCreateArrayLiteral, 4);
  Node* literal = NewNode(op, literals_array, literal_index, constants, flags);
+  PrepareFrameState(literal, expr->CreateLiteralId(),
+                    OutputFrameStateCombine::Push());

  // The array and the literal index are both expected on the operand stack
  // during computation of the element values.
--- a/src/compiler/linkage.cc
+++ b/src/compiler/linkage.cc
@ -130,6 +130,7 @@ bool Linkage::NeedsFrameState(Runtime::FunctionId function) {
    case Runtime::kCompileLazy:
    case Runtime::kCompileOptimized:
    case Runtime::kCompileString:
+    case Runtime::kCreateArrayLiteral:
    case Runtime::kCreateObjectLiteral:
    case Runtime::kDebugBreak:
    case Runtime::kDataViewSetInt8:
--- a/src/ia32/full-codegen-ia32.cc
+++ b/src/ia32/full-codegen-ia32.cc
@ -1817,6 +1817,7 @@ void FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
    FastCloneShallowArrayStub stub(isolate(), allocation_site_mode);
    __ CallStub(&stub);
  }
+  PrepareForBailoutForId(expr->CreateLiteralId(), TOS_REG);

  bool result_saved = false;  // Is the result saved to the stack?

--- a/src/mips/full-codegen-mips.cc
+++ b/src/mips/full-codegen-mips.cc
@ -1881,6 +1881,7 @@ void FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
    FastCloneShallowArrayStub stub(isolate(), allocation_site_mode);
    __ CallStub(&stub);
  }
+  PrepareForBailoutForId(expr->CreateLiteralId(), TOS_REG);

  bool result_saved = false;  // Is the result saved to the stack?

--- a/src/mips64/full-codegen-mips64.cc
+++ b/src/mips64/full-codegen-mips64.cc
@ -1878,6 +1878,7 @@ void FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
    FastCloneShallowArrayStub stub(isolate(), allocation_site_mode);
    __ CallStub(&stub);
  }
+  PrepareForBailoutForId(expr->CreateLiteralId(), TOS_REG);

  bool result_saved = false;  // Is the result saved to the stack?

--- a/src/ppc/full-codegen-ppc.cc
+++ b/src/ppc/full-codegen-ppc.cc
@ -1793,6 +1793,7 @@ void FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
    FastCloneShallowArrayStub stub(isolate(), allocation_site_mode);
    __ CallStub(&stub);
  }
+  PrepareForBailoutForId(expr->CreateLiteralId(), TOS_REG);

  bool result_saved = false;  // Is the result saved to the stack?

--- a/src/x64/full-codegen-x64.cc
+++ b/src/x64/full-codegen-x64.cc
@ -1851,6 +1851,7 @@ void FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
    FastCloneShallowArrayStub stub(isolate(), allocation_site_mode);
    __ CallStub(&stub);
  }
+  PrepareForBailoutForId(expr->CreateLiteralId(), TOS_REG);

  bool result_saved = false;  // Is the result saved to the stack?

--- a/src/x87/full-codegen-x87.cc
+++ b/src/x87/full-codegen-x87.cc
@ -1806,6 +1806,7 @@ void FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
    FastCloneShallowArrayStub stub(isolate(), allocation_site_mode);
    __ CallStub(&stub);
  }
+  PrepareForBailoutForId(expr->CreateLiteralId(), TOS_REG);

  bool result_saved = false;  // Is the result saved to the stack?

--- a/test/mjsunit/regress/regress-crbug-451013.js
+++ b/test/mjsunit/regress/regress-crbug-451013.js
@ -0,0 +1,11 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+assertThrows(function testDeepArrayLiteral() {
+  testDeepArrayLiteral([], [], [[]]);
+}, RangeError);
+
+assertThrows(function testDeepObjectLiteral() {
+  testDeepObjectLiteral({}, {}, {x:[[]]});
+}, RangeError);