AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[ic][mips][mips64] Ensure store handlers return value in proper register.

Browse Source 
BUG=chromium:650973

Review-Url: https://codereview.chromium.org/2374003002
Cr-Commit-Position: refs/heads/master@{#39823}
This commit is contained in:
ishell 2016-09-28 04:46:24 -07:00 committed by Commit bot
parent 3304ea9122
commit 8d8c134b12
5 changed files with 36 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/ic/mips/handler-compiler-mips.cc
View File

@ -663,7 +663,7 @@ Handle<Code> NamedLoadHandlerCompiler::CompileLoadGlobal(
DiscardVectorAndSlot();
}
__ Ret(USE_DELAY_SLOT);
__ mov(v0, result);
__ Move(v0, result); // Ensure the stub returns correct value.
FrontendFooter(name, &miss);

12
src/ic/mips/ic-mips.cc
View File

@ -494,7 +494,8 @@ static void KeyedStoreGenerateMegamorphicHelper(
__ Addu(address, elements, Operand(FixedArray::kHeaderSize - kHeapObjectTag));
__ Lsa(address, address, key, kPointerSizeLog2 - kSmiTagSize);
__ sw(value, MemOperand(address));
__ Ret();
__ Ret(USE_DELAY_SLOT);
__ Move(v0, value); // Ensure the stub returns correct value.
__ bind(&non_smi_value);
// Escape to elements kind transition case.
@ -514,7 +515,8 @@ static void KeyedStoreGenerateMegamorphicHelper(
__ mov(scratch, value); // Preserve the value which is returned.
__ RecordWrite(elements, address, scratch, kRAHasNotBeenSaved,
kDontSaveFPRegs, EMIT_REMEMBERED_SET, OMIT_SMI_CHECK);
__ Ret();
__ Ret(USE_DELAY_SLOT);
__ Move(v0, value); // Ensure the stub returns correct value.
__ bind(fast_double);
if (check_map == kCheckMap) {
@ -543,7 +545,8 @@ static void KeyedStoreGenerateMegamorphicHelper(
__ Addu(scratch, key, Operand(Smi::FromInt(1)));
__ sw(scratch, FieldMemOperand(receiver, JSArray::kLengthOffset));
}
__ Ret();
__ Ret(USE_DELAY_SLOT);
__ Move(v0, value); // Ensure the stub returns correct value.
__ bind(&transition_smi_elements);
// Transition the array appropriately depending on the value type.
@ -757,7 +760,8 @@ void StoreIC::GenerateNormal(MacroAssembler* masm) {
GenerateDictionaryStore(masm, &miss, dictionary, name, value, t2, t5);
Counters* counters = masm->isolate()->counters();
__ IncrementCounter(counters->ic_store_normal_hit(), 1, t2, t5);
__ Ret();
__ Ret(USE_DELAY_SLOT);
__ Move(v0, value); // Ensure the stub returns correct value.
__ bind(&miss);
__ IncrementCounter(counters->ic_store_normal_miss(), 1, t2, t5);

2
src/ic/mips64/handler-compiler-mips64.cc
View File

@ -663,7 +663,7 @@ Handle<Code> NamedLoadHandlerCompiler::CompileLoadGlobal(
DiscardVectorAndSlot();
}
__ Ret(USE_DELAY_SLOT);
__ mov(v0, result);
__ Move(v0, result); // Ensure the stub returns correct value.
FrontendFooter(name, &miss);

12
src/ic/mips64/ic-mips64.cc
View File

@ -496,7 +496,8 @@ static void KeyedStoreGenerateMegamorphicHelper(
__ SmiScale(scratch, key, kPointerSizeLog2);
__ Daddu(address, address, scratch);
__ sd(value, MemOperand(address));
__ Ret();
__ Ret(USE_DELAY_SLOT);
__ Move(v0, value); // Ensure the stub returns correct value.
__ bind(&non_smi_value);
// Escape to elements kind transition case.
@ -518,7 +519,8 @@ static void KeyedStoreGenerateMegamorphicHelper(
__ mov(scratch, value); // Preserve the value which is returned.
__ RecordWrite(elements, address, scratch, kRAHasNotBeenSaved,
kDontSaveFPRegs, EMIT_REMEMBERED_SET, OMIT_SMI_CHECK);
__ Ret();
__ Ret(USE_DELAY_SLOT);
__ Move(v0, value); // Ensure the stub returns correct value.
__ bind(fast_double);
if (check_map == kCheckMap) {
@ -549,7 +551,8 @@ static void KeyedStoreGenerateMegamorphicHelper(
__ Daddu(scratch, key, Operand(Smi::FromInt(1)));
__ sd(scratch, FieldMemOperand(receiver, JSArray::kLengthOffset));
}
__ Ret();
__ Ret(USE_DELAY_SLOT);
__ Move(v0, value); // Ensure the stub returns correct value.
__ bind(&transition_smi_elements);
// Transition the array appropriately depending on the value type.
@ -759,7 +762,8 @@ void StoreIC::GenerateNormal(MacroAssembler* masm) {
GenerateDictionaryStore(masm, &miss, dictionary, name, value, a6, a7);
Counters* counters = masm->isolate()->counters();
__ IncrementCounter(counters->ic_store_normal_hit(), 1, a6, a7);
__ Ret();
__ Ret(USE_DELAY_SLOT);
__ Move(v0, value); // Ensure the stub returns correct value.
__ bind(&miss);
__ IncrementCounter(counters->ic_store_normal_miss(), 1, a6, a7);

18
test/mjsunit/regress/regress-crbug-650973.js Normal file
View File

@ -0,0 +1,18 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
var v = {p:0};
// Turn the object into dictionary mode.
v.__defineGetter__("p", function() { return 13; });
function f() {
var boom = (v.foo = v);
assertEquals(v, boom.foo);
}
f();
f();
f();