From 6af79fd81951ef948f922eb6b355fa968aa730a2 Mon Sep 17 00:00:00 2001
From: Georgia Kouveli
Date: Wed, 15 Nov 2017 15:26:11 +0000
Subject: [PATCH] [arm64] Fix in Generate_JSBuiltinsConstructStubHelper for jssp removal
Even though a previous patch made the number of slots pushed/claimed on the stack aligned, the boundary between frames was not a multiple of two slots as well. We were pushing the number of arguments (which belongs in the stub's frame) together with the arguments to pass to the constructor function (which belong to the frame of the constructor function). Those need to be separated so we can drop the arguments without messing up the alignment.
Bug: v8:6644
Change-Id: I839a4ab9caf451623fbcf03dd8a8afe5879fef99
Reviewed-on: https://chromium-review.googlesource.com/771670
Reviewed-by: Ross McIlroy
Commit-Queue: Georgia Kouveli
Cr-Commit-Position: refs/heads/master@{#49391}
---
 src/builtins/arm64/builtins-arm64.cc | 36 ++++++++++++++++++----------
 1 file changed, 23 insertions(+), 13 deletions(-)
diff --git a/src/builtins/arm64/builtins-arm64.cc b/src/builtins/arm64/builtins-arm64.cc
index 293d2b523b..7f87bf1f1b 100644
--- a/src/builtins/arm64/builtins-arm64.cc
+++ b/src/builtins/arm64/builtins-arm64.cc
@@ -213,30 +213,30 @@ void Generate_JSBuiltinsConstructStubHelper(MacroAssembler* masm) {
 __ Check(eq, kUnexpectedValue);
 }
- // Add slots for the tagged argc and receiver, and round up to maintain
- // alignment.
+ // Push number of arguments.
+ __ SmiTag(x11, argc);
+ __ Push(x11, padreg);
+
+ // Add a slot for the receiver, and round up to maintain alignment.
 Register slot_count = x2;
 Register slot_count_without_rounding = x12;
- __ Add(slot_count_without_rounding, argc, 3);
+ __ Add(slot_count_without_rounding, argc, 2);
 __ Bic(slot_count, slot_count_without_rounding, 1);
 __ Claim(slot_count);
 // Preserve the incoming parameters on the stack.
 __ LoadRoot(x10, Heap::kTheHoleValueRootIndex);
- __ SmiTag(x11, argc);
 // Compute a pointer to the slot immediately above the location on the
 // stack to which arguments will be later copied.
 __ SlotAddress(x2, argc);
- // Poke the hole (receiver) and number of arguments (tagged) into the
- // highest claimed slots, with padding between them if argc was odd.
- __ Stp(x10, x11, MemOperand(x2));
+ // Poke the hole (receiver) in the highest slot.
+ __ Str(x10, MemOperand(x2));
 __ Tbnz(slot_count_without_rounding, 0, &already_aligned);
- // Overwrite the previously written argc with padding, and store argc at the
- // next highest slot.
- __ Stp(padreg, x11, MemOperand(x2, 1 * kPointerSize));
+ // Store padding, if needed.
+ __ Str(padreg, MemOperand(x2, 1 * kPointerSize));
 __ Bind(&already_aligned);
 // Copy arguments to the expression stack.
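Review bot: The name `slot_count_without_rounding` no longer describes what the register holds after this hunk: the unrounded slot count is argc + 1 (arguments plus the receiver), but the `Add` stores argc + 2 so that `Bic` on bit 0 rounds down to the even value at or above argc + 1, and the later `Tbnz` tests bit 0 of that same argc + 2 to decide whether a padding slot exists. The comment `// Add a slot for the receiver, and round up to maintain alignment.` states the intent but not this trick, so I would extend it to `// Need argc + 1 slots (arguments + receiver); argc + 2 with bit 0 cleared is that count rounded up to even, and bit 0 of argc + 2 says whether a padding slot was added.` Since the tagged argc and its padding slot are now pushed before `Claim` precisely so that they stay in this stub's frame rather than the callee's, a one-line comment on `__ Push(x11, padreg);` such as `// These two slots belong to this frame, below the callee's arguments.` would record the point of the commit where a reader looks for it. Generate_JSBuiltinsConstructStubHelper starts before and ends after this hunk.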
@@ -254,13 +254,23 @@ void Generate_JSBuiltinsConstructStubHelper(MacroAssembler* masm) {
 // -- x0: number of arguments (untagged)
 // -- x1: constructor function
 // -- x3: new target
+ // If argc is odd:
 // -- sp[0*kPointerSize]: argument n - 1
 // -- ...
 // -- sp[(n-1)*kPointerSize]: argument 0
 // -- sp[(n+0)*kPointerSize]: the hole (receiver)
- // -- sp[(n+1)*kPointerSize]: optional padding, depending on argc.
- // -- sp[(n+1+(argc&1))*kPointerSize]: number of arguments (tagged)
- // -- sp[(n+2+(argc&1))*kPointerSize]: context (pushed by FrameScope)
+ // -- sp[(n+1)*kPointerSize]: padding
+ // -- sp[(n+2)*kPointerSize]: padding
+ // -- sp[(n+3)*kPointerSize]: number of arguments (tagged)
+ // -- sp[(n+4)*kPointerSize]: context (pushed by FrameScope)
+ // If argc is even:
+ // -- sp[0*kPointerSize]: argument n - 1
+ // -- ...
+ // -- sp[(n-1)*kPointerSize]: argument 0
+ // -- sp[(n+0)*kPointerSize]: the hole (receiver)
+ // -- sp[(n+1)*kPointerSize]: padding
+ // -- sp[(n+2)*kPointerSize]: number of arguments (tagged)
+ // -- sp[(n+3)*kPointerSize]: context (pushed by FrameScope)
 // -----------------------------------
 // Call the function.
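Review bot: The "If argc is odd" and "If argc is even" labels in the rewritten state comment look swapped relative to the slot arithmetic in the previous hunk, where `Add(slot_count_without_rounding, argc, 2)` followed by `Bic(..., 1)` claims argc + 1 slots when argc is odd (the `Tbnz` then skips the padding store) and argc + 2 slots when argc is even (one padding slot stored above the receiver). With the two slots from `Push(x11, padreg)` and the context above them, an odd argc therefore puts the context at sp[(n+3)*kPointerSize] and an even argc at sp[(n+4)*kPointerSize], which is the opposite of what the comment says, unless I am misreading the hunk above. I would either swap the two labels or check the layout against a debug build before landing, since this comment is what the next person touching the frame layout or the argument-dropping code will trust. The function this comment sits in starts before and ends after this hunk.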