Fix PrepareKeyedOperand on arm.

When additional_offset is specified, the 'key' operand can be negative and still pass the bounds check. Therefore, when converting key from Smi, arithmetic and not logical shift must be used. R=verwaest@chromium.org BUG=358057 LOG=Y Review URL: https://codereview.chromium.org/219473002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20363 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-03-31 15:14:28 +00:00 · 2014-03-31 15:14:28 +00:00 · b3148d921e
commit b3148d921e
parent d02e1f2c25
2 changed files with 21 additions and 1 deletions
--- a/src/arm/lithium-codegen-arm.cc
+++ b/src/arm/lithium-codegen-arm.cc
@ -3309,7 +3309,8 @@ MemOperand LCodeGen::PrepareKeyedOperand(Register key,
      __ add(scratch0(), scratch0(), Operand(key, LSL, shift_size));
    } else {
      ASSERT_EQ(-1, shift_size);
-      __ add(scratch0(), scratch0(), Operand(key, LSR, 1));
+      // key can be negative, so using ASR here.
+      __ add(scratch0(), scratch0(), Operand(key, ASR, 1));
    }
    return MemOperand(base, scratch0());
  }
--- a/test/mjsunit/regress/regress-358057.js
+++ b/test/mjsunit/regress/regress-358057.js
@ -0,0 +1,19 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+__v_0 = new Uint8ClampedArray(10);
+for (var i = 0; i < 10; i++) {
+  __v_0[i] = 0xAA;
+}
+function __f_12(__v_6) {
+  if (__v_6 < 0) {
+    __v_1 = __v_0[__v_6 + 10];
+    return __v_1;
+  }
+}
+
+assertEquals(0xAA, __f_12(-1));
+%OptimizeFunctionOnNextCall(__f_12);
+assertEquals(0xAA, __f_12(-1));