From 34f71b114918cd0bb341d0e7d717cb659e6da209 Mon Sep 17 00:00:00 2001
From: "whesse@chromium.org"
Date: Mon, 23 Mar 2009 15:03:39 +0000
Subject: [PATCH] Fix flaw in VirtualFrame::SetElementAt handling multiple copies of elements.

Review URL: http://codereview.chromium.org/47006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1577 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/virtual-frame.cc | 40 ++++++++++++++++++++++++----------------
 1 file changed, 24 insertions(+), 16 deletions(-)

diff --git a/src/virtual-frame.cc b/src/virtual-frame.cc
index 2a1cd687d..faa662fec 100644
--- a/src/virtual-frame.cc
+++ b/src/virtual-frame.cc
@@ -387,25 +387,33 @@ void VirtualFrame::SetElementAt(int index, Result* value) {
           FrameElement::RegisterElement(value->reg(), FrameElement::NOT_SYNCED);
     } else {
-      for (int i = 0; i < elements_.length(); i++) {
-        FrameElement element = elements_[i];
-        if (element.is_register() && element.reg().is(value->reg())) {
-          if (i < frame_index) {
-            // The register backing store is lower in the frame than its
-            // copy.
-            elements_[frame_index] = CopyElementAt(i);
-          } else {
-            // There was an early bailout for the case of setting a
-            // register element to itself.
-            ASSERT(i != frame_index);
-            element.clear_sync();
-            elements_[frame_index] = element;
-            elements_[i] = CopyElementAt(frame_index);
-          }
-          // Exit the loop once the appropriate copy is inserted.
+      int i = 0;
+      for (; i < elements_.length(); i++) {
+        if (elements_[i].is_register() && elements_[i].reg().is(value->reg())) {
           break;
         }
       }
+      ASSERT(i < elements_.length());
+
+      if (i < frame_index) {
+        // The register backing store is lower in the frame than its copy.
+        elements_[frame_index] = CopyElementAt(i);
+      } else {
+        // There was an early bailout for the case of setting a
+        // register element to itself.
+        ASSERT(i != frame_index);
+        elements_[frame_index] = elements_[i];
+        elements_[i] = CopyElementAt(frame_index);
+        if (elements_[frame_index].is_synced()) {
+          elements_[i].set_sync();
+        }
+        elements_[frame_index].clear_sync();
+        for (int j = i + 1; j < elements_.length(); j++) {
+          if (elements_[j].is_copy() && elements_[j].index() == i) {
+            elements_[j].set_index(frame_index);
+          }
+        }
+      }
     }
   } else {
     ASSERT(value->is_constant());
-- 
2.34.1
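Review bot: The sync-bit transfer after the swap — `if (elements_[frame_index].is_synced()) { elements_[i].set_sync(); }` followed by `elements_[frame_index].clear_sync();` — is the non-obvious core of this fix and carries no comment, whereas the removed code at least kept its single `element.clear_sync()` next to the move. I would add above the `if`: `// The synced bit describes the slot, not the element: slot i presumably still holds the value in memory, so the copy now occupying i inherits the register element's synced state, while the register element moved to frame_index has not been written there yet.` The `for (int j = i + 1; ...)` loop likewise deserves `// Redirect existing copies of the register element at i to its new backing location at frame_index.`; starting at i + 1 relies on copies only referring to lower slots, an invariant stated here only by the comment in the other branch. SetElementAt and the enclosing else-branch begin outside the hunk, so the condition that guarantees the search finds a match — which is what makes `ASSERT(i < elements_.length())` a debug-only invariant check rather than a bounds guard on the following `elements_[i]` accesses — is not visible here.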