[x64] Rearrange code for OOB integer loads.

We cannot just clear the result register optimistically, because the
register allocator might assign the same register to result and buffer.

TEST=mjsunit/compiler/regress-445858
BUG=chromium:445858
LOG=y
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/828303002

Cr-Commit-Position: refs/heads/master@{#25950}

diff --git a/src/compiler/x64/code-generator-x64.cc b/src/compiler/x64/code-generator-x64.cc
index 40f3247..0480f9d 100644 (file)
--- a/src/compiler/x64/code-generator-x64.cc
+++ b/src/compiler/x64/code-generator-x64.cc
@@ -354,12 +354,15 @@ class OutOfLineTruncateDoubleToI FINAL : public OutOfLineCode {
               length_(length) {}                                               \
                                                                                \
         void Generate() FINAL {                                                \
+          Label oob;                                                           \
           __ leal(kScratchRegister, Operand(index1_, index2_));                \
-          __ xorl(result_, result_);                                           \
           __ cmpl(kScratchRegister, Immediate(length_));                       \
-          __ j(above_equal, exit());                                           \
+          __ j(above_equal, &oob, Label::kNear);                               \
           __ asm_instr(result_,                                                \
                        Operand(buffer_, kScratchRegister, times_1, 0));        \
+          __ jmp(exit());                                                      \
+          __ bind(&oob);                                                       \
+          __ xorl(result_, result_);                                           \
         }                                                                      \
                                                                                \
        private:                                                                \

diff --git a/test/mjsunit/compiler/regress-445858.js b/test/mjsunit/compiler/regress-445858.js
new file mode 100644 (file)
index 0000000..b2214ea
--- /dev/null
+++ b/test/mjsunit/compiler/regress-445858.js
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var foo = (function module(stdlib, foreign, heap) {
+  "use asm";
+  var MEM = new stdlib.Int8Array(heap);
+  function foo(i) {
+    i = i|0;
+    i[0] = i;
+    return MEM[i + 1 >> 0]|0;
+  }
+  return { foo: foo };
+})(this, {}, new ArrayBuffer(64 * 1024)).foo;
+foo(-1);