From 00f3f99221965e023b511d175ceecee3e72c9842 Mon Sep 17 00:00:00 2001
From: mstarzinger
Date: Mon, 26 Jan 2015 04:45:25 -0800
Subject: [PATCH] Add missing FrameState for Runtime_CreateArrayLiteral.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-451013
BUG=chromium:451013
LOG=N
Review URL: https://codereview.chromium.org/873973003
Cr-Commit-Position: refs/heads/master@{#26268}
---
 src/arm/full-codegen-arm.cc | 1 +
 src/arm64/full-codegen-arm64.cc | 1 +
 src/ast.h | 10 ++++++----
 src/compiler/ast-graph-builder.cc | 2 ++
 src/compiler/linkage.cc | 1 +
 src/ia32/full-codegen-ia32.cc | 1 +
 src/mips/full-codegen-mips.cc | 1 +
 src/mips64/full-codegen-mips64.cc | 1 +
 src/ppc/full-codegen-ppc.cc | 1 +
 src/x64/full-codegen-x64.cc | 1 +
 src/x87/full-codegen-x87.cc | 1 +
 test/mjsunit/regress/regress-crbug-451013.js | 11 +++++++++++
 12 files changed, 28 insertions(+), 4 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-451013.js
diff --git a/src/arm/full-codegen-arm.cc b/src/arm/full-codegen-arm.cc
index e5b25e3eaa..893de05eea 100644
--- a/src/arm/full-codegen-arm.cc
+++ b/src/arm/full-codegen-arm.cc
@@ -1893,6 +1893,7 @@ void FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
 FastCloneShallowArrayStub stub(isolate(), allocation_site_mode);
 __ CallStub(&stub);
 }
+ PrepareForBailoutForId(expr->CreateLiteralId(), TOS_REG);
 bool result_saved = false; // Is the result saved to the stack?
diff --git a/src/arm64/full-codegen-arm64.cc b/src/arm64/full-codegen-arm64.cc
index 72bd507c9a..7b169bcdee 100644
--- a/src/arm64/full-codegen-arm64.cc
+++ b/src/arm64/full-codegen-arm64.cc
@@ -1873,6 +1873,7 @@ void FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
 FastCloneShallowArrayStub stub(isolate(), allocation_site_mode);
 __ CallStub(&stub);
 }
+ PrepareForBailoutForId(expr->CreateLiteralId(), TOS_REG);
 bool result_saved = false; // Is the result saved to the stack?
diff --git a/src/ast.h b/src/ast.h
index db9f575d03..4903928456 100644
--- a/src/ast.h
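Review bot: The new bailout point in VisitArrayLiteral (the same one-line addition appears in the arm64, ia32, mips, mips64, ppc, x64 and x87 ports) carries no comment saying why it sits after the if/else rather than inside either branch, so a later port change could move it into just one path and the deoptimizer would lose the state for the other. Recording it once after both the runtime-call and the stub paths is presumably what makes it the full-codegen counterpart of the FrameState the optimizing compiler attaches to the kCreateArrayLiteral call in this same patch. A short comment would make that pairing visible: `// Both paths leave the literal in the result register (TOS_REG); this bailout id must match the FrameState the graph builder attaches to the CreateArrayLiteral call.` VisitArrayLiteral starts and ends outside the hunk.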
+++ b/src/ast.h
@@ -1586,12 +1586,14 @@ class ArrayLiteral FINAL : public MaterializedLiteral {
 Handle constant_elements() const { return constant_elements_; }
 ZoneList* values() const { return values_; }
- // Unlike other AST nodes, this number of bailout IDs allocated for an
- // ArrayLiteral can vary, so num_ids() is not a static method.
- int num_ids() const { return parent_num_ids() + values()->length(); }
+ BailoutId CreateLiteralId() const { return BailoutId(local_id(0)); }
 // Return an AST id for an element that is used in simulate instructions.
- BailoutId GetIdForElement(int i) { return BailoutId(local_id(i)); }
+ BailoutId GetIdForElement(int i) { return BailoutId(local_id(i + 1)); }
+
+ // Unlike other AST nodes, this number of bailout IDs allocated for an
+ // ArrayLiteral can vary, so num_ids() is not a static method.
+ int num_ids() const { return parent_num_ids() + 1 + values()->length(); }
 // Populate the constant elements fixed array.
 void BuildConstantElements(Isolate* isolate);
diff --git a/src/compiler/ast-graph-builder.cc b/src/compiler/ast-graph-builder.cc
index 5e725284f3..28378a59a5 100644
--- a/src/compiler/ast-graph-builder.cc
+++ b/src/compiler/ast-graph-builder.cc
@@ -1199,6 +1199,8 @@ void AstGraphBuilder::VisitArrayLiteral(ArrayLiteral* expr) {
 const Operator* op = javascript()->CallRuntime(Runtime::kCreateArrayLiteral, 4);
 Node* literal = NewNode(op, literals_array, literal_index, constants, flags);
+ PrepareFrameState(literal, expr->CreateLiteralId(),
+ OutputFrameStateCombine::Push());
 // The array and the literal index are both expected on the operand stack
 // during computation of the element values.
diff --git a/src/compiler/linkage.cc b/src/compiler/linkage.cc
index dcc1aa7e4f..972745347a 100644
--- a/src/compiler/linkage.cc
+++ b/src/compiler/linkage.cc
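Review bot: `CreateLiteralId()` is the only accessor in this group without a comment, and the `i + 1` in the rewritten `GetIdForElement` silently depends on it occupying local id 0; changing one without the other would make an element id collide with the literal id and hand the deoptimizer a frame state for the wrong program point, which is the class of bug this patch fixes. Suggest documenting the layout on the new accessor: `// Bailout id for the runtime call that creates the literal. It takes local id 0, so element ids start at 1 (see GetIdForElement and num_ids).` As a point of style, `GetIdForElement` could be `const` like its new sibling, since it only reads ids. The ArrayLiteral class body continues outside the hunk.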
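Review bot: The added `PrepareFrameState` call only has an effect if the CallRuntime operator for kCreateArrayLiteral actually carries a frame-state input, which is presumably what the `Linkage::NeedsFrameState` change elsewhere in this patch provides; nothing at this call site records that coupling, so removing either half later would silently leave the runtime call with no deoptimization information again. A one-line comment would help: `// Only effective because Linkage::NeedsFrameState lists Runtime::kCreateArrayLiteral.` The `OutputFrameStateCombine::Push()` is consistent with the following comment that the array is expected on the operand stack. VisitArrayLiteral continues outside the hunk.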
@@ -130,6 +130,7 @@ bool Linkage::NeedsFrameState(Runtime::FunctionId function) {
 case Runtime::kCompileLazy:
 case Runtime::kCompileOptimized:
 case Runtime::kCompileString:
+ case Runtime::kCreateArrayLiteral:
 case Runtime::kCreateObjectLiteral:
 case Runtime::kDebugBreak:
 case Runtime::kDataViewSetInt8:
diff --git a/src/ia32/full-codegen-ia32.cc b/src/ia32/full-codegen-ia32.cc
index b4195350cb..2e1be08f8c 100644
--- a/src/ia32/full-codegen-ia32.cc
+++ b/src/ia32/full-codegen-ia32.cc
@@ -1817,6 +1817,7 @@ void FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
 FastCloneShallowArrayStub stub(isolate(), allocation_site_mode);
 __ CallStub(&stub);
 }
+ PrepareForBailoutForId(expr->CreateLiteralId(), TOS_REG);
 bool result_saved = false; // Is the result saved to the stack?
diff --git a/src/mips/full-codegen-mips.cc b/src/mips/full-codegen-mips.cc
index 0856daa2ed..9baeaa74cd 100644
--- a/src/mips/full-codegen-mips.cc
+++ b/src/mips/full-codegen-mips.cc
@@ -1881,6 +1881,7 @@ void FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
 FastCloneShallowArrayStub stub(isolate(), allocation_site_mode);
 __ CallStub(&stub);
 }
+ PrepareForBailoutForId(expr->CreateLiteralId(), TOS_REG);
 bool result_saved = false; // Is the result saved to the stack?
diff --git a/src/mips64/full-codegen-mips64.cc b/src/mips64/full-codegen-mips64.cc
index 074beb6d97..ef71af461e 100644
--- a/src/mips64/full-codegen-mips64.cc
+++ b/src/mips64/full-codegen-mips64.cc
@@ -1878,6 +1878,7 @@ void FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
 FastCloneShallowArrayStub stub(isolate(), allocation_site_mode);
 __ CallStub(&stub);
 }
+ PrepareForBailoutForId(expr->CreateLiteralId(), TOS_REG);
 bool result_saved = false; // Is the result saved to the stack?
diff --git a/src/ppc/full-codegen-ppc.cc b/src/ppc/full-codegen-ppc.cc
index 1a02f6958d..faf011faac 100644
--- a/src/ppc/full-codegen-ppc.cc
+++ b/src/ppc/full-codegen-ppc.cc
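Review bot: The switch in `NeedsFrameState` is a hand-maintained allowlist, and this patch shows the failure mode of a missing entry: a runtime call that can throw (the regression test's unbounded recursion suggests a stack overflow inside literal creation) had no frame state to deoptimize through, which is the crash tracked as chromium:451013. The new case keeps the local ordering next to kCreateObjectLiteral, which is fine; what is missing is a note at the top of the function (outside this hunk) telling future authors that any runtime function that can throw, trigger lazy deoptimization or re-enter JavaScript must be listed here, so the next Runtime_* that allocates or throws is not forgotten. Something like `// Every runtime function that can throw or deoptimize needs a FrameState; add it here when introducing one.` would do.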
@@ -1793,6 +1793,7 @@ void FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
 FastCloneShallowArrayStub stub(isolate(), allocation_site_mode);
 __ CallStub(&stub);
 }
+ PrepareForBailoutForId(expr->CreateLiteralId(), TOS_REG);
 bool result_saved = false; // Is the result saved to the stack?
diff --git a/src/x64/full-codegen-x64.cc b/src/x64/full-codegen-x64.cc
index a8d20beb1e..cfc37f1beb 100644
--- a/src/x64/full-codegen-x64.cc
+++ b/src/x64/full-codegen-x64.cc
@@ -1851,6 +1851,7 @@ void FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
 FastCloneShallowArrayStub stub(isolate(), allocation_site_mode);
 __ CallStub(&stub);
 }
+ PrepareForBailoutForId(expr->CreateLiteralId(), TOS_REG);
 bool result_saved = false; // Is the result saved to the stack?
diff --git a/src/x87/full-codegen-x87.cc b/src/x87/full-codegen-x87.cc
index 33ae5a1c53..13a6792512 100644
--- a/src/x87/full-codegen-x87.cc
+++ b/src/x87/full-codegen-x87.cc
@@ -1806,6 +1806,7 @@ void FullCodeGenerator::VisitArrayLiteral(ArrayLiteral* expr) {
 FastCloneShallowArrayStub stub(isolate(), allocation_site_mode);
 __ CallStub(&stub);
 }
+ PrepareForBailoutForId(expr->CreateLiteralId(), TOS_REG);
 bool result_saved = false; // Is the result saved to the stack?
diff --git a/test/mjsunit/regress/regress-crbug-451013.js b/test/mjsunit/regress/regress-crbug-451013.js
new file mode 100644
index 0000000000..d843d3334b
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-451013.js
@@ -0,0 +1,11 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+assertThrows(function testDeepArrayLiteral() {
+ testDeepArrayLiteral([], [], [[]]);
+}, RangeError);
+
+assertThrows(function testDeepObjectLiteral() {
+ testDeepObjectLiteral({}, {}, {x:[[]]});
+}, RangeError);
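Review bot: The regression test does not say what it exercises: the self-recursion in `testDeepArrayLiteral` and `testDeepObjectLiteral` runs until the stack overflows, which is presumably meant to make the RangeError surface out of the literal-creation runtime call in optimized code, where the missing frame state crashed before this patch. A comment above the first `assertThrows` stating that intent, e.g. `// Recurse until the stack overflows while creating a nested array/object literal, so the CreateArrayLiteral runtime call must have a FrameState to unwind through.`, would keep the test meaningful once the bug number is forgotten. The file also relies on the test runner's configuration to get these functions optimized rather than forcing it, so a reader cannot tell from the file alone whether the optimizing path is hit; that assumption is worth a sentence in the same comment.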