Fix for failing asserts in HBoundsCheck code generation on x64: index register should...

author ishell@chromium.org <ishell@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>

Tue, 25 Feb 2014 16:33:54 +0000 (16:33 +0000)

committer ishell@chromium.org <ishell@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>

Tue, 25 Feb 2014 16:33:54 +0000 (16:33 +0000)
author ishell@chromium.org <ishell@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Tue, 25 Feb 2014 16:33:54 +0000 (16:33 +0000)
committer ishell@chromium.org <ishell@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Tue, 25 Feb 2014 16:33:54 +0000 (16:33 +0000)
diff --git a/src/x64/disasm-x64.cc b/src/x64/disasm-x64.cc

index 0edc305..dd64d3f 100644 (file)
--- a/src/x64/disasm-x64.cc
+++ b/src/x64/disasm-x64.cc
@@ -1459,7 +1459,8 @@ int DisassemblerX64::InstructionDecode(v8::internal::Vector<char> out_buffer,
            data += 3;
            break;
          case OPERAND_DOUBLEWORD_SIZE:
-          addr = reinterpret_cast<byte*>(*reinterpret_cast<int32_t*>(data + 1));
+          addr =
+              reinterpret_cast<byte*>(*reinterpret_cast<uint32_t*>(data + 1));
            data += 5;
            break;
          case OPERAND_QUADWORD_SIZE:
diff --git a/src/x64/lithium-gap-resolver-x64.cc b/src/x64/lithium-gap-resolver-x64.cc

index 5b4e32d..c3bfd9e 100644 (file)
--- a/src/x64/lithium-gap-resolver-x64.cc
+++ b/src/x64/lithium-gap-resolver-x64.cc
@@ -198,7 +198,7 @@ void LGapResolver::EmitMove(int index) {
        if (cgen_->IsSmiConstant(constant_source)) {
          __ Move(dst, cgen_->ToSmi(constant_source));
        } else if (cgen_->IsInteger32Constant(constant_source)) {
-        __ Set(dst, cgen_->ToInteger32(constant_source));
+        __ Set(dst, static_cast<uint32_t>(cgen_->ToInteger32(constant_source)));
        } else {
          __ Move(dst, cgen_->ToHandle(constant_source));
        }
diff --git a/test/mjsunit/regress/regress-crbug-345820.js b/test/mjsunit/regress/regress-crbug-345820.js

new file mode 100644 (file)

index 0000000..bdd0af9
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-345820.js
@@ -0,0 +1,18 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --debug-code
+
+var __v_6 = {};
+__v_6 = new Int32Array(5);
+for (var i = 0; i < __v_6.length; i++) __v_6[i] = 0;
+
+function __f_7(N) {
+  for (var i = -1; i < N; i++) {
+    __v_6[i] = i;
+  }
+}
+__f_7(1);
+%OptimizeFunctionOnNextCall(__f_7);
+__f_7(__v_6.length);
author	ishell@chromium.org <ishell@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
	Tue, 25 Feb 2014 16:33:54 +0000 (16:33 +0000)
committer	ishell@chromium.org <ishell@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
	Tue, 25 Feb 2014 16:33:54 +0000 (16:33 +0000)
src/x64/disasm-x64.cc		patch \| blob \| history
src/x64/lithium-gap-resolver-x64.cc		patch \| blob \| history
test/mjsunit/regress/regress-crbug-345820.js	[new file with mode: 0644]	patch \| blob