From: vegorov@chromium.org Date: Tue, 2 Aug 2011 13:36:38 +0000 (+0000) Subject: Ensure that GenerateStoreFastDoubleElement returns stored value on all paths. X-Git-Tag: upstream/4.7.83~18797 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=9226cfe5b7aa75877c7553fa0128a11e9e0242c2;p=platform%2Fupstream%2Fv8.git Ensure that GenerateStoreFastDoubleElement returns stored value on all paths. BUG=chromium:91013 TEST=test/mjsunit/regress/regress-91013.js Review URL: http://codereview.chromium.org/7551009 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8781 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
diff --git a/src/arm/stub-cache-arm.cc b/src/arm/stub-cache-arm.cc
index c2665f8..2c60b28 100644
--- a/src/arm/stub-cache-arm.cc
+++ b/src/arm/stub-cache-arm.cc
@@ -4399,11 +4399,18 @@ void KeyedStoreStubCompiler::GenerateStoreFastDoubleElement(
 } else {
 destination = FloatingPointHelper::kCoreRegisters;
 }
- __ SmiUntag(value_reg, value_reg);
+
+ Register untagged_value = receiver_reg;
+ __ SmiUntag(untagged_value, value_reg);
 FloatingPointHelper::ConvertIntToDouble(
- masm, value_reg, destination,
- d0, mantissa_reg, exponent_reg, // These are: double_dst, dst1, dst2.
- scratch4, s2); // These are: scratch2, single_scratch.
+ masm,
+ untagged_value,
+ destination,
+ d0,
+ mantissa_reg,
+ exponent_reg,
+ scratch4,
+ s2);
 if (destination == FloatingPointHelper::kVFPRegisters) {
 CpuFeatures::Scope scope(VFP3);
 __ vstr(d0, scratch, 0);
diff --git a/src/ia32/stub-cache-ia32.cc b/src/ia32/stub-cache-ia32.cc
index 9a690d7..73f42a3 100644
--- a/src/ia32/stub-cache-ia32.cc
+++ b/src/ia32/stub-cache-ia32.cc
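Review bot: In src/arm/stub-cache-arm.cc, `Register untagged_value = receiver_reg;` turns the receiver register into scratch without saying that the receiver is dead on this path, and the rewritten ConvertIntToDouble call drops the comments that named its positional arguments. I would add `// receiver_reg is not needed past this point; reuse it so value_reg keeps the tagged smi.` above the alias and keep the role comments (`// double_dst, dst1, dst2` and `// scratch2, single_scratch`) on the matching argument lines. The ia32 and x64 hunks make the same choice with edx and rdx, which presumably hold the receiver there as well, so the same comment applies. The function body starts and ends outside the hunk, so whether any later label still reads receiver_reg cannot be confirmed from here.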
@@ -3981,10 +3981,12 @@ void KeyedStoreStubCompiler::GenerateStoreFastDoubleElement(
 __ bind(&smi_value);
 // Value is a smi. convert to a double and store.
- __ SmiUntag(eax);
- __ push(eax);
+ // Preserve original value.
+ __ mov(edx, eax);
+ __ SmiUntag(edx);
+ __ push(edx);
 __ fild_s(Operand(esp, 0));
- __ pop(eax);
+ __ pop(edx);
 __ fstp_d(FieldOperand(edi, ecx, times_4, FixedDoubleArray::kHeaderSize));
 __ ret(0);
diff --git a/src/x64/stub-cache-x64.cc b/src/x64/stub-cache-x64.cc
index b8e5f22..e195aec 100644
--- a/src/x64/stub-cache-x64.cc
+++ b/src/x64/stub-cache-x64.cc
@@ -3752,10 +3752,11 @@ void KeyedStoreStubCompiler::GenerateStoreFastDoubleElement(
 __ bind(&smi_value);
 // Value is a smi. convert to a double and store.
- __ SmiToInteger32(rax, rax);
- __ push(rax);
+ // Preserve original value.
+ __ SmiToInteger32(rdx, rax);
+ __ push(rdx);
 __ fild_s(Operand(rsp, 0));
- __ pop(rax);
+ __ pop(rdx);
 __ SmiToInteger32(rcx, rcx);
 __ fstp_d(FieldOperand(rdi, rcx, times_8, FixedDoubleArray::kHeaderSize));
 __ ret(0);
diff --git a/test/mjsunit/regress/regress-91013.js b/test/mjsunit/regress/regress-91013.js
new file mode 100644
index 0000000..c61e2b1
--- /dev/null
+++ b/test/mjsunit/regress/regress-91013.js
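Review bot: In the smi path of src/ia32/stub-cache-ia32.cc, `// Preserve original value.` does not say why the value has to survive, which is the whole reason for the change. Going by the commit title, eax is what the stub returns at `__ ret(0)`, and an untagged integer left there would be read by the caller as if it were a tagged value. I would word it `// Untag a copy in edx; eax must still hold the tagged smi when the stub returns.`, with rdx/rax in the x64 hunk, which carries the same comment. Both function bodies start and end outside their hunks.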
@@ -0,0 +1,51 @@
+// Copyright 2011 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Test that KeyedStore stub for unboxed double arrays backing store
+// correctly returns stored value as the result.
+
+// Flags: --allow-natives-syntax --unbox-double-arrays
+
+// Create array with unboxed double array backing store.
+var i = 100000;
+var a = new Array(i);
+for (var j = 0; j < i; j++) {
+ a[j] = 0.5;
+}
+
+assertTrue(%HasFastDoubleElements(a));
+
+// Store some smis into it.
+for (var j = 0; j < 10; j++) {
+ assertEquals(j, a[j] = j);
+}
+
+// Store some heap numbers into it.
+for (var j = 0; j < 10; j++) {
+ var v = j + 0.5;
+ assertEquals(v, a[j] = v);
+}
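Review bot: Both loops in regress-91013.js assert only the result of the assignment expression, so a store that returns the right value but writes the wrong double would still pass. Since the fix changes which register feeds the int-to-double conversion, I would read the element back after each store, `assertEquals(j, a[j]);` in the smi loop and `assertEquals(v, a[j]);` in the heap-number loop. The smi loop also covers only 0 through 9; storing `-j` at index `j` would add negative smis at no cost.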