Fix index register assignment in LoadFieldByIndex for arm, arm64, and mips.

This instruciton clobbers the index register.

BUG=368243
LOG=N
TEST=mjsunit/regress/regress-368243
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/269273003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21196 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/arm/lithium-arm.cc b/src/arm/lithium-arm.cc
index 0c10a65..c9201a8 100644 (file)
--- a/src/arm/lithium-arm.cc
+++ b/src/arm/lithium-arm.cc
@@ -2556,7 +2556,7 @@ LInstruction* LChunkBuilder::DoCheckMapValue(HCheckMapValue* instr) {
 
 LInstruction* LChunkBuilder::DoLoadFieldByIndex(HLoadFieldByIndex* instr) {
   LOperand* object = UseRegister(instr->object());
-  LOperand* index = UseRegister(instr->index());
+  LOperand* index = UseTempRegister(instr->index());
   LLoadFieldByIndex* load = new(zone()) LLoadFieldByIndex(object, index);
   LInstruction* result = DefineSameAsFirst(load);
   return AssignPointerMap(result);

diff --git a/src/arm64/lithium-arm64.cc b/src/arm64/lithium-arm64.cc
index 2411b70..f5f6b8e 100644 (file)
--- a/src/arm64/lithium-arm64.cc
+++ b/src/arm64/lithium-arm64.cc
@@ -2686,7 +2686,7 @@ LInstruction* LChunkBuilder::DoCheckMapValue(HCheckMapValue* instr) {
 
 LInstruction* LChunkBuilder::DoLoadFieldByIndex(HLoadFieldByIndex* instr) {
   LOperand* object = UseRegisterAtStart(instr->object());
-  LOperand* index = UseRegister(instr->index());
+  LOperand* index = UseRegisterAndClobber(instr->index());
   LLoadFieldByIndex* load = new(zone()) LLoadFieldByIndex(object, index);
   LInstruction* result = DefineSameAsFirst(load);
   return AssignPointerMap(result);

diff --git a/src/mips/lithium-mips.cc b/src/mips/lithium-mips.cc
index eb960a4..e882655 100644 (file)
--- a/src/mips/lithium-mips.cc
+++ b/src/mips/lithium-mips.cc
@@ -2507,7 +2507,7 @@ LInstruction* LChunkBuilder::DoCheckMapValue(HCheckMapValue* instr) {
 
 LInstruction* LChunkBuilder::DoLoadFieldByIndex(HLoadFieldByIndex* instr) {
   LOperand* object = UseRegister(instr->object());
-  LOperand* index = UseRegister(instr->index());
+  LOperand* index = UseTempRegister(instr->index());
   LLoadFieldByIndex* load = new(zone()) LLoadFieldByIndex(object, index);
   LInstruction* result = DefineSameAsFirst(load);
   return AssignPointerMap(result);

diff --git a/test/mjsunit/regress/regress-368243.js b/test/mjsunit/regress/regress-368243.js
new file mode 100644 (file)
index 0000000..6647d12
--- /dev/null
+++ b/test/mjsunit/regress/regress-368243.js
@@ -0,0 +1,25 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(a, c){
+  for(var f in c) {
+    if ("object" === typeof c[f]) {
+      a[f] = c[f];
+      foo(a[f], c[f]);
+    }
+  }
+};
+
+c = {
+  "one" : { x : 1},
+  "two" : { x : 2},
+  "thr" : { x : 3, z : 4},
+};
+
+foo({}, c);
+foo({}, c);
+%OptimizeFunctionOnNextCall(foo);
+foo({}, c);