Fix an overflow in on-stack replacement spill-slot allocation for Crankshaft.

BUG=v8:1407
TEST=

Review URL: http://codereview.chromium.org/7231008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8367 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/arm/lithium-arm.cc b/src/arm/lithium-arm.cc
index f5304287bb53bbfd53bbed8e6add644e6707681b..10c66624b702d5968fbd7d321871335c56611ad2 100644 (file)
--- a/src/arm/lithium-arm.cc
+++ b/src/arm/lithium-arm.cc
@@ -2120,6 +2120,9 @@ LInstruction* LChunkBuilder::DoParameter(HParameter* instr) {
 
 LInstruction* LChunkBuilder::DoUnknownOSRValue(HUnknownOSRValue* instr) {
   int spill_index = chunk()->GetNextSpillIndex(false);  // Not double-width.
+  if (spill_index > LUnallocated::kMaxFixedIndex) {
+    Abort("Too many spill slots needed for OSR");
+  }
   return DefineAsSpilled(new LUnknownOSRValue, spill_index);
 }
 

diff --git a/src/compiler.cc b/src/compiler.cc
index 7c1770726f83c8e73c03939a698aeba4136a14dd..c753d0491b4905b9996b8f480fe2f4e0cc34da3c 100755 (executable)
--- a/src/compiler.cc
+++ b/src/compiler.cc
@@ -213,8 +213,8 @@ static bool MakeCrankshaftCode(CompilationInfo* info) {
   //
   // The encoding is as a signed value, with parameters and receiver using
   // the negative indices and locals the non-negative ones.
-  const int parameter_limit = (LUnallocated::kMaxFixedIndices / 2);
-  const int locals_limit = parameter_limit - 1;
+  const int parameter_limit = -LUnallocated::kMinFixedIndex;
+  const int locals_limit = LUnallocated::kMaxFixedIndex;
   Scope* scope = info->scope();
   if ((scope->num_parameters() + 1) > parameter_limit ||
       scope->num_stack_slots() > locals_limit) {

diff --git a/src/ia32/lithium-ia32.cc b/src/ia32/lithium-ia32.cc
index 6f2f8d62b844e37a0a79fed94524de5fdb01efd4..19415975e2d6db65eb9f481633994234b9246e22 100644 (file)
--- a/src/ia32/lithium-ia32.cc
+++ b/src/ia32/lithium-ia32.cc
@@ -2168,6 +2168,9 @@ LInstruction* LChunkBuilder::DoParameter(HParameter* instr) {
 
 LInstruction* LChunkBuilder::DoUnknownOSRValue(HUnknownOSRValue* instr) {
   int spill_index = chunk()->GetNextSpillIndex(false);  // Not double-width.
+  if (spill_index > LUnallocated::kMaxFixedIndex) {
+    Abort("Too many spill slots needed for OSR");
+  }
   return DefineAsSpilled(new LUnknownOSRValue, spill_index);
 }
 

diff --git a/src/lithium.h b/src/lithium.h
index 3f8a6ba4d2da30bc424c374e52da36e63a4ec7ad..6010b777ed130d5e23ae34e4b886c62e58d753dc 100644 (file)
--- a/src/lithium.h
+++ b/src/lithium.h
@@ -144,7 +144,8 @@ class LUnallocated: public LOperand {
   };
 
   static const int kMaxVirtualRegisters = 1 << (kVirtualRegisterWidth + 1);
-  static const int kMaxFixedIndices = 128;
+  static const int kMaxFixedIndex = 63;
+  static const int kMinFixedIndex = -64;
 
   bool HasIgnorePolicy() const { return policy() == IGNORE; }
   bool HasNoPolicy() const { return policy() == NONE; }

diff --git a/src/x64/lithium-x64.cc b/src/x64/lithium-x64.cc
index c0b4657b6c53db3d81765598a5912c3b807d095e..1571d62b25f1da38a450d6b10f5a56173ecedf49 100644 (file)
--- a/src/x64/lithium-x64.cc
+++ b/src/x64/lithium-x64.cc
@@ -2112,6 +2112,9 @@ LInstruction* LChunkBuilder::DoParameter(HParameter* instr) {
 
 LInstruction* LChunkBuilder::DoUnknownOSRValue(HUnknownOSRValue* instr) {
   int spill_index = chunk()->GetNextSpillIndex(false);  // Not double-width.
+  if (spill_index > LUnallocated::kMaxFixedIndex) {
+    Abort("Too many spill slots needed for OSR");
+  }
   return DefineAsSpilled(new LUnknownOSRValue, spill_index);
 }