From 2ab83cf192492978848e7586057c618b79817bdc Mon Sep 17 00:00:00 2001 From: "ishell@chromium.org" Date: Thu, 27 Feb 2014 17:33:25 +0000 Subject: [PATCH] HAllocate should never generate allocation code if the requested size does not fit into page. Regression test included. BUG=347543 LOG=N R=hpayer@chromium.org Review URL: https://codereview.chromium.org/180803005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19591 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 --- src/a64/lithium-codegen-a64.cc | 6 +++++- src/arm/lithium-codegen-arm.cc | 6 +++++- src/ia32/lithium-codegen-ia32.cc | 6 +++++- src/mips/lithium-codegen-mips.cc | 6 +++++- src/x64/lithium-codegen-x64.cc | 6 +++++- test/mjsunit/regress/regress-347543.js | 19 +++++++++++++++++++ 6 files changed, 44 insertions(+), 5 deletions(-) create mode 100644 test/mjsunit/regress/regress-347543.js
diff --git a/src/a64/lithium-codegen-a64.cc b/src/a64/lithium-codegen-a64.cc
index 462db00..2bad671 100644
--- a/src/a64/lithium-codegen-a64.cc
+++ b/src/a64/lithium-codegen-a64.cc
@@ -1486,7 +1486,11 @@ void LCodeGen::DoAllocate(LAllocate* instr) {
   if (instr->size()->IsConstantOperand()) {
     int32_t size = ToInteger32(LConstantOperand::cast(instr->size()));
-    __ Allocate(size, result, temp1, temp2, deferred->entry(), flags);
+    if (size <= Page::kMaxRegularHeapObjectSize) {
+      __ Allocate(size, result, temp1, temp2, deferred->entry(), flags);
+    } else {
+      __ B(deferred->entry());
+    }
   } else {
     Register size = ToRegister32(instr->size());
     __ Sxtw(size.X(), size);
diff --git a/src/arm/lithium-codegen-arm.cc b/src/arm/lithium-codegen-arm.cc
index 51126db..8c9221c 100644
--- a/src/arm/lithium-codegen-arm.cc
+++ b/src/arm/lithium-codegen-arm.cc
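Review bot: The new `else` branch in DoAllocate gives no hint why a constant size above `Page::kMaxRegularHeapObjectSize` must skip inline allocation; the same unexplained check is repeated in the arm, ia32, mips and x64 hunks. A one-line comment on the `if` would carry the reasoning from the commit message into the code, e.g. `// A constant size that does not fit into a page cannot be allocated inline; take the deferred runtime path instead.` Since the identical three-line guard now lives in five backends, it may be worth deciding this once on the LAllocate/HAllocate side (the commit title suggests that level) so the threshold cannot drift between architectures; I cannot see from the hunk whether such a hook exists. The register-size path below is unguarded, presumably because the runtime limit check inside Allocate already branches to deferred->entry() — worth confirming. DoAllocate begins and ends outside the hunk.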
@@ -5252,7 +5252,11 @@ void LCodeGen::DoAllocate(LAllocate* instr) {
   if (instr->size()->IsConstantOperand()) {
     int32_t size = ToInteger32(LConstantOperand::cast(instr->size()));
-    __ Allocate(size, result, scratch, scratch2, deferred->entry(), flags);
+    if (size <= Page::kMaxRegularHeapObjectSize) {
+      __ Allocate(size, result, scratch, scratch2, deferred->entry(), flags);
+    } else {
+      __ jmp(deferred->entry());
+    }
   } else {
     Register size = ToRegister(instr->size());
     __ Allocate(size,
diff --git a/src/ia32/lithium-codegen-ia32.cc b/src/ia32/lithium-codegen-ia32.cc
index ed5bd47..1658d71 100644
--- a/src/ia32/lithium-codegen-ia32.cc
+++ b/src/ia32/lithium-codegen-ia32.cc
@@ -5784,7 +5784,11 @@ void LCodeGen::DoAllocate(LAllocate* instr) {
   if (instr->size()->IsConstantOperand()) {
     int32_t size = ToInteger32(LConstantOperand::cast(instr->size()));
-    __ Allocate(size, result, temp, no_reg, deferred->entry(), flags);
+    if (size <= Page::kMaxRegularHeapObjectSize) {
+      __ Allocate(size, result, temp, no_reg, deferred->entry(), flags);
+    } else {
+      __ jmp(deferred->entry());
+    }
   } else {
     Register size = ToRegister(instr->size());
     __ Allocate(size, result, temp, no_reg, deferred->entry(), flags);
diff --git a/src/mips/lithium-codegen-mips.cc b/src/mips/lithium-codegen-mips.cc
index 7f9310a..edf8b95 100644
--- a/src/mips/lithium-codegen-mips.cc
+++ b/src/mips/lithium-codegen-mips.cc
@@ -5208,7 +5208,11 @@ void LCodeGen::DoAllocate(LAllocate* instr) {
   }
   if (instr->size()->IsConstantOperand()) {
     int32_t size = ToInteger32(LConstantOperand::cast(instr->size()));
-    __ Allocate(size, result, scratch, scratch2, deferred->entry(), flags);
+    if (size <= Page::kMaxRegularHeapObjectSize) {
+      __ Allocate(size, result, scratch, scratch2, deferred->entry(), flags);
+    } else {
+      __ jmp(deferred->entry());
+    }
   } else {
     Register size = ToRegister(instr->size());
     __ Allocate(size,
diff --git a/src/x64/lithium-codegen-x64.cc b/src/x64/lithium-codegen-x64.cc
index 72091c3..082a480 100644
--- a/src/x64/lithium-codegen-x64.cc
+++ b/src/x64/lithium-codegen-x64.cc
@@ -5084,7 +5084,11 @@ void LCodeGen::DoAllocate(LAllocate* instr) {
   if (instr->size()->IsConstantOperand()) {
     int32_t size = ToInteger32(LConstantOperand::cast(instr->size()));
-    __ Allocate(size, result, temp, no_reg, deferred->entry(), flags);
+    if (size <= Page::kMaxRegularHeapObjectSize) {
+      __ Allocate(size, result, temp, no_reg, deferred->entry(), flags);
+    } else {
+      __ jmp(deferred->entry());
+    }
   } else {
     Register size = ToRegister(instr->size());
     __ Allocate(size, result, temp, no_reg, deferred->entry(), flags);
diff --git a/test/mjsunit/regress/regress-347543.js b/test/mjsunit/regress/regress-347543.js
new file mode 100644
index 0000000..aceddb5
--- /dev/null
+++ b/test/mjsunit/regress/regress-347543.js
@@ -0,0 +1,19 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --debug-code --fold-constants
+
+function f(a) {
+  a[5000000] = 256;
+  assertEquals(256, a[5000000]);
+}
+
+var v1 = new Array(5000001);
+var v2 = new Array(10);
+f(v1);
+f(v2);
+f(v2);
+%OptimizeFunctionOnNextCall(f);
+f(v2);
+f(v1);
-- 2.7.4
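Review bot: The regression test explains nothing beyond the bug id in its filename, so a reader cannot tell why the 5000001-element array, the three warm-up calls and the `--fold-constants`/`--debug-code` flags are all needed. If I read the commit correctly, the optimized store at index 5000000 makes the codegen allocate a constant-size backing store larger than a page, which is exactly the path the DoAllocate change guards; a comment above `function f(a)` such as `// Storing at a constant index far beyond v2's length makes the optimized code allocate a backing store that does not fit into a page (see the DoAllocate change for bug 347543); --debug-code makes the old inline allocation assert.` would pin that intent, and the reasoning about --debug-code should be confirmed before stating it.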