[x64] Rearrange code for OOB integer loads.
We cannot just clear the result register optimistically, because the register allocator might assign the same register to result and buffer. TEST=mjsunit/compiler/regress-445858 BUG=chromium:445858 LOG=y R=jarin@chromium.org Review URL: https://codereview.chromium.org/828303002 Cr-Commit-Position: refs/heads/master@{#25950}
parent
a64ac4575a
commit
cf866b7c61
@ -354,12 +354,15 @@ class OutOfLineTruncateDoubleToI FINAL : public OutOfLineCode {
|
||||
length_(length) {} \
|
||||
\
|
||||
void Generate() FINAL { \
|
||||
Label oob; \
|
||||
__ leal(kScratchRegister, Operand(index1_, index2_)); \
|
||||
__ xorl(result_, result_); \
|
||||
__ cmpl(kScratchRegister, Immediate(length_)); \
|
||||
__ j(above_equal, exit()); \
|
||||
__ j(above_equal, &oob, Label::kNear); \
|
||||
__ asm_instr(result_, \
|
||||
Operand(buffer_, kScratchRegister, times_1, 0)); \
|
||||
__ jmp(exit()); \
|
||||
__ bind(&oob); \
|
||||
__ xorl(result_, result_); \
|
||||
} \
|
||||
\
|
||||
private: \
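Review bot: Nothing in the rewritten `Generate()` body records why `xorl(result_, result_)` now sits after `bind(&oob)` instead of before the `cmpl`, so a later cleanup could hoist it back and reintroduce the clobber of `buffer_` when the register allocator assigns both the same register. I would add a comment just ahead of the `bind(&oob)` line, for example `/* result_ may alias buffer_: zero it only once the bounds check has failed. */ \`. It has to be a block comment, because a `//` comment inside a backslash-continued macro would swallow the lines that follow it. The macro that contains this method starts and ends outside the hunk.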
|
||||
|
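--- a/test/mjsunit/compiler/regress-445858.js
+++ b/test/mjsunit/compiler/regress-445858.js
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var foo = (function module(stdlib, foreign, heap) {
+"use asm";
+var MEM = new stdlib.Int8Array(heap);
+function foo(i) {
+i = i|0;
+i[0] = i;
+return MEM[i + 1 >> 0]|0;
+}
+return { foo: foo };
+})(this, {}, new ArrayBuffer(64 * 1024)).foo;
+foo(-1);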
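Review bot: The regression test ends with a bare `foo(-1);` and discards the result, so it can catch a crash but not a wrong value coming back from the out-of-line load. With `i` equal to -1 the access is `MEM[0]` on a freshly allocated heap, so the call could be pinned as `assertEquals(0, foo(-1));`. Nothing in the file appears to reach the new `oob` label either. A second call whose index plus one still falls outside the 64 KiB heap, asserted to return 0, would cover the branch that now clears `result_`.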