Revert r3032 that uses push instead of 'sub esp, size'. This change

leads to stack corruption in 32-bit version of V8. See http://code.google.com/p/chromium/issues/detail?id=27227 for a reproducible case. Since this is only an issue on 32-bit V8 I think this has got something to do with the UnsafeSmi handling that we do on ia32. I'm reverting for now so we can push a fix, but we should track down the issue and create a regression test for this. Review URL: http://codereview.chromium.org/383005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3263 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2009-11-10 14:58:16 +00:00 · 2009-11-10 14:58:16 +00:00 · 963d72ff57
commit 963d72ff57
parent 91cc4c7ebb
2 changed files with 16 additions and 18 deletions
--- a/src/ia32/virtual-frame-ia32.cc
+++ b/src/ia32/virtual-frame-ia32.cc
@ -161,16 +161,15 @@ void VirtualFrame::SyncRange(int begin, int end) {
  // on the stack.
  int start = Min(begin, stack_pointer_ + 1);

-  // Emit normal 'push' instructions for elements above stack pointer
-  // and use mov instructions if we are below stack pointer.
+  // If positive we have to adjust the stack pointer.
+  int delta = end - stack_pointer_;
+  if (delta > 0) {
+    stack_pointer_ = end;
+    __ sub(Operand(esp), Immediate(delta * kPointerSize));
+  }
+
  for (int i = start; i <= end; i++) {
-    if (!elements_[i].is_synced()) {
-      if (i <= stack_pointer_) {
-        SyncElementBelowStackPointer(i);
-      } else {
-        SyncElementByPushing(i);
-      }
-    }
+    if (!elements_[i].is_synced()) SyncElementBelowStackPointer(i);
  }
 }

--- a/src/x64/virtual-frame-x64.cc
+++ b/src/x64/virtual-frame-x64.cc
@ -893,16 +893,15 @@ void VirtualFrame::SyncRange(int begin, int end) {
  // on the stack.
  int start = Min(begin, stack_pointer_ + 1);

-  // Emit normal 'push' instructions for elements above stack pointer
-  // and use mov instructions if we are below stack pointer.
+  // If positive we have to adjust the stack pointer.
+  int delta = end - stack_pointer_;
+  if (delta > 0) {
+    stack_pointer_ = end;
+    __ subq(rsp, Immediate(delta * kPointerSize));
+  }
+
  for (int i = start; i <= end; i++) {
-    if (!elements_[i].is_synced()) {
-      if (i <= stack_pointer_) {
-        SyncElementBelowStackPointer(i);
-      } else {
-        SyncElementByPushing(i);
-      }
-    }
+    if (!elements_[i].is_synced()) SyncElementBelowStackPointer(i);
  }
 }