From: weiliang.lin@intel.com Date: Fri, 10 Oct 2014 06:04:31 +0000 (+0000) Subject: X87: Fix uninitialized FixedArray potentially being left behind by ElementsTransition... X-Git-Tag: upstream/4.7.83~6451 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=c493ac26bef5118de374633a9f999dd37195a58c;p=platform%2Fupstream%2Fv8.git X87: Fix uninitialized FixedArray potentially being left behind by ElementsTransitionGenerator::Generate. port r24498. original commit message: Fix uninitialized FixedArray potentially being left behind by ElementsTransitionGenerator::Generate. BUG= R=weiliang.lin@intel.com Review URL: https://codereview.chromium.org/643793002 Patch from Chunyang Dai . git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24508 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
diff --git a/src/x87/codegen-x87.cc b/src/x87/codegen-x87.cc
index e33959e..1321461 100644
--- a/src/x87/codegen-x87.cc
+++ b/src/x87/codegen-x87.cc
@@ -380,6 +380,19 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
 __ mov(FieldOperand(eax, FixedArray::kLengthOffset), ebx);
 __ mov(edi, FieldOperand(edx, JSObject::kElementsOffset));
 
+ // Allocating heap numbers in the loop below can fail and cause a jump to
+ // gc_required. We can't leave a partly initialized FixedArray behind,
+ // so pessimistically fill it with holes now.
+ Label initialization_loop, initialization_loop_entry;
+ __ jmp(&initialization_loop_entry, Label::kNear);
+ __ bind(&initialization_loop);
+ __ mov(FieldOperand(eax, ebx, times_2, FixedArray::kHeaderSize),
+ masm->isolate()->factory()->the_hole_value());
+ __ bind(&initialization_loop_entry);
+ __ sub(ebx, Immediate(Smi::FromInt(1)));
+ __ j(not_sign, &initialization_loop);
+
+ __ mov(ebx, FieldOperand(edi, FixedDoubleArray::kLengthOffset));
 __ jmp(&entry);
 // ebx: target map