From cf866b7c612c25bace7d0f0ceb12456e5ad24d7f Mon Sep 17 00:00:00 2001
From: bmeurer
Date: Fri, 2 Jan 2015 02:15:23 -0800
Subject: [PATCH] [x64] Rearrange code for OOB integer loads.
We cannot just clear the result register optimistically, because the register allocator might assign the same register to result and buffer.
TEST=mjsunit/compiler/regress-445858
BUG=chromium:445858
LOG=y
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/828303002
Cr-Commit-Position: refs/heads/master@{#25950}
---
 src/compiler/x64/code-generator-x64.cc | 7 +++++--
 test/mjsunit/compiler/regress-445858.js | 15 +++++++++++++++
 2 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 test/mjsunit/compiler/regress-445858.js
diff --git a/src/compiler/x64/code-generator-x64.cc b/src/compiler/x64/code-generator-x64.cc
index 40f3247fd4..0480f9dc90 100644
--- a/src/compiler/x64/code-generator-x64.cc
+++ b/src/compiler/x64/code-generator-x64.cc
@@ -354,12 +354,15 @@ class OutOfLineTruncateDoubleToI FINAL : public OutOfLineCode {
 length_(length) {} \
 \
 void Generate() FINAL { \
+ Label oob; \
 __ leal(kScratchRegister, Operand(index1_, index2_)); \
- __ xorl(result_, result_); \
 __ cmpl(kScratchRegister, Immediate(length_)); \
- __ j(above_equal, exit()); \
+ __ j(above_equal, &oob, Label::kNear); \
 __ asm_instr(result_, \
 Operand(buffer_, kScratchRegister, times_1, 0)); \
+ __ jmp(exit()); \
+ __ bind(&oob); \
+ __ xorl(result_, result_); \
 } \
 \
 private: \
diff --git a/test/mjsunit/compiler/regress-445858.js b/test/mjsunit/compiler/regress-445858.js
new file mode 100644
index 0000000000..b2214ea0f2
--- /dev/null
+++ b/test/mjsunit/compiler/regress-445858.js
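Review bot: The reason the clear had to move behind the load is not visible in the code: result_ and buffer_ may be allocated to the same register, so the old `xorl(result_, result_)` ahead of the load zeroed the base address before it was used, and nothing at the new `__ bind(&oob);` / `__ xorl(result_, result_);` lines stops someone from "optimizing" the clear back to the top. A short comment on the oob path would preserve the commit-message rationale, e.g. `/* result_ may alias buffer_, so clear it only after the load on the OOB path. */`. Because this Generate() sits inside a backslash-continued macro body (which begins before and continues past the hunk), the comment must use `/* */` rather than `//`, since line splicing happens before comment removal and a `//` comment would swallow the continued line.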
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var foo = (function module(stdlib, foreign, heap) {
+ "use asm";
+ var MEM = new stdlib.Int8Array(heap);
+ function foo(i) {
+ i = i|0;
+ i[0] = i;
+ return MEM[i + 1 >> 0]|0;
+ }
+ return { foo: foo };
+})(this, {}, new ArrayBuffer(64 * 1024)).foo;
+foo(-1);
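Review bot: The bare `foo(-1);` at the end only checks that the load does not crash; with a freshly allocated, zero-filled ArrayBuffer the computed index `-1 + 1 >> 0` is 0 and in bounds, so the call should return 0, and pinning that with `assertEquals(0, foo(-1));` would also catch a wrong-value regression in the same code path. The line `i[0] = i;` reads like a typo to anyone who did not follow the review; a one-line comment stating why it is there (presumably to influence register assignment or keep `i` live across the load — confirm) would make the test self-explanatory.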