From: fschneider@chromium.org
Date: Thu, 16 Sep 2010 09:18:08 +0000 (+0000)
Subject: Fix a regression in character-at stub when doing a keyed load on a string.
X-Git-Tag: upstream/4.7.83~21196
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e91a352d025474db95f618382381984bb9bad1d7;p=platform%2Fupstream%2Fv8.git

Fix a regression in character-at stub when doing a keyed load on a string.

Loading from out-of-range has to go to the runtime system to check if there exists a property with that index in the prototype.

Review URL: http://codereview.chromium.org/3410011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5471 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---

diff --git a/src/arm/ic-arm.cc b/src/arm/ic-arm.cc
index 1a76db2..7878ecd 100644
--- a/src/arm/ic-arm.cc
+++ b/src/arm/ic-arm.cc
@@ -1236,7 +1236,6 @@ void KeyedLoadIC::GenerateString(MacroAssembler* masm) {
 // -- r1 : receiver
 // -----------------------------------
 Label miss;
- Label index_out_of_range;
 
 Register receiver = r1;
 Register index = r0;
@@ -1251,7 +1250,7 @@ void KeyedLoadIC::GenerateString(MacroAssembler* masm) {
 result,
 &miss, // When not a string.
 &miss, // When not a number.
- &index_out_of_range,
+ &miss, // When index out of range.
 STRING_INDEX_IS_ARRAY_INDEX);
 char_at_generator.GenerateFast(masm);
 __ Ret();
@@ -1259,10 +1258,6 @@ void KeyedLoadIC::GenerateString(MacroAssembler* masm) {
 ICRuntimeCallHelper call_helper;
 char_at_generator.GenerateSlow(masm, call_helper);
 
- __ bind(&index_out_of_range);
- __ LoadRoot(r0, Heap::kUndefinedValueRootIndex);
- __ Ret();
-
 __ bind(&miss);
 GenerateMiss(masm);
 }
diff --git a/src/ia32/ic-ia32.cc b/src/ia32/ic-ia32.cc
index 3d0bd79..87af0d9 100644
--- a/src/ia32/ic-ia32.cc
+++ b/src/ia32/ic-ia32.cc
@@ -692,7 +692,6 @@ void KeyedLoadIC::GenerateString(MacroAssembler* masm) {
 // -- esp[0] : return address
 // -----------------------------------
 Label miss;
- Label index_out_of_range;
 
 Register receiver = edx;
 Register index = eax;
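Review bot: The new `&miss, // When index out of range.` argument in the second hunk of src/arm/ic-arm.cc (`@@ -1251,7 +1250,7 @@`), and in the matching hunks of src/ia32/ic-ia32.cc and src/x64/ic-x64.cc, does not say why an out-of-range index must miss instead of returning undefined, which is exactly the shortcut this commit removes. I would extend the comment to something like `&miss, // Index out of range: the prototype chain may define this index, so let the runtime decide.` so the fast return is not reintroduced later. All three failure labels now alias `miss`, so every out-of-range keyed load on a string presumably goes through the IC miss handler; that cost is worth measuring separately, but the bounds check itself has to stay on this path. The enclosing KeyedLoadIC::GenerateString begins outside this hunk.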
@@ -707,7 +706,7 @@ void KeyedLoadIC::GenerateString(MacroAssembler* masm) {
 result,
 &miss, // When not a string.
 &miss, // When not a number.
- &index_out_of_range,
+ &miss, // When index out of range.
 STRING_INDEX_IS_ARRAY_INDEX);
 char_at_generator.GenerateFast(masm);
 __ ret(0);
@@ -715,10 +714,6 @@ void KeyedLoadIC::GenerateString(MacroAssembler* masm) {
 ICRuntimeCallHelper call_helper;
 char_at_generator.GenerateSlow(masm, call_helper);
 
- __ bind(&index_out_of_range);
- __ Set(eax, Immediate(Factory::undefined_value()));
- __ ret(0);
-
 __ bind(&miss);
 GenerateMiss(masm);
 }
diff --git a/src/x64/ic-x64.cc b/src/x64/ic-x64.cc
index 441b114..98219ff 100644
--- a/src/x64/ic-x64.cc
+++ b/src/x64/ic-x64.cc
@@ -730,7 +730,6 @@ void KeyedLoadIC::GenerateString(MacroAssembler* masm) {
 // -- rsp[0] : return address
 // -----------------------------------
 Label miss;
- Label index_out_of_range;
 
 Register receiver = rdx;
 Register index = rax;
@@ -745,7 +744,7 @@ void KeyedLoadIC::GenerateString(MacroAssembler* masm) {
 result,
 &miss, // When not a string.
 &miss, // When not a number.
- &index_out_of_range,
+ &miss, // When index out of range.
 STRING_INDEX_IS_ARRAY_INDEX);
 char_at_generator.GenerateFast(masm);
 __ ret(0);
@@ -753,10 +752,6 @@ void KeyedLoadIC::GenerateString(MacroAssembler* masm) {
 ICRuntimeCallHelper call_helper;
 char_at_generator.GenerateSlow(masm, call_helper);
 
- __ bind(&index_out_of_range);
- __ LoadRoot(rax, Heap::kUndefinedValueRootIndex);
- __ ret(0);
-
 __ bind(&miss);
 GenerateMiss(masm);
 }
diff --git a/test/mjsunit/regress/regress-900966.js b/test/mjsunit/regress/regress-900966.js
index b95d10e..acffe75 100644
--- a/test/mjsunit/regress/regress-900966.js
+++ b/test/mjsunit/regress/regress-900966.js
@@ -29,6 +29,15 @@ assertTrue('abc'[10] === undefined);
 String.prototype[10] = 'x';
 assertEquals('abc'[10], 'x');
 
+// Test that the fast case character-at stub handles an out-of-bound
+// index correctly. We need to call the function twice to initialize
+// the character-at stub.
+function f() {
+ assertEquals('abc'[10], 'x');
+}
+f();
+f();
+
 assertTrue(2[11] === undefined);
 Number.prototype[11] = 'y';
 assertEquals(2[11], 'y');
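Review bot: The added `f()` only drives the warmed-up stub with an index that `String.prototype` defines, so the out-of-range path is never checked for the case where nothing on the prototype chain holds the index, nor for the boundary index equal to the string length. I would add a second warmed-up function, e.g. `function g() { assertTrue('abc'[3] === undefined); }` followed by `g(); g();`, so both outcomes of the miss path are pinned. The assertion in `f()` also depends on `String.prototype[10]` having been set by the earlier top-level statement, which the comment above `f` could state.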