From 4a2f05ce352a46d503dca4ee8e17520892adcd38 Mon Sep 17 00:00:00 2001
From: "vegorov@chromium.org"
Date: Mon, 2 Aug 2010 09:14:44 +0000
Subject: [PATCH] Fix issue 806.

Ensure that we are not using r12 as a receiver in inlined NamedStore code.

Review URL: http://codereview.chromium.org/3081007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5162 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
src/x64/codegen-x64.cc | 12 +++++++++
test/mjsunit/regress/regress-806.js | 51 +++++++++++++++++++++++++++++++++++++
2 files changed, 63 insertions(+)
create mode 100644 test/mjsunit/regress/regress-806.js

diff --git a/src/x64/codegen-x64.cc b/src/x64/codegen-x64.cc
index 1567255..688cd4d 100644
--- a/src/x64/codegen-x64.cc
+++ b/src/x64/codegen-x64.cc
@@ -8071,6 +8071,18 @@ Result CodeGenerator::EmitNamedStore(Handle name, bool is_contextual) {
 result = allocator()->Allocate();
 ASSERT(result.is_valid() && receiver.is_valid() && value.is_valid());
 
+ // Cannot use r12 for receiver, because that changes
+ // the distance between a call and a fixup location,
+ // due to a special encoding of r12 as r/m in a ModR/M byte.
+ if (receiver.reg().is(r12)) {
+ frame()->Spill(receiver.reg()); // It will be overwritten with result.
+ // Swap receiver and value.
+ __ movq(result.reg(), receiver.reg());
+ Result temp = receiver;
+ receiver = result;
+ result = temp;
+ }
+
 // Check that the receiver is a heap object.
 Condition is_smi = __ CheckSmi(receiver.reg());
 slow.Branch(is_smi, &value, &receiver);
diff --git a/test/mjsunit/regress/regress-806.js b/test/mjsunit/regress/regress-806.js
new file mode 100644
index 0000000..1bb3e0f
--- /dev/null
+++ b/test/mjsunit/regress/regress-806.js
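Review bot: The comment `// Swap receiver and value.` inside the new `if (receiver.reg().is(r12))` block misnames what the code does — the three statements that follow exchange `receiver` with `result`, and `value` is never touched, so a reader tracing the r12 fix will look for a value move that does not exist; `// Swap receiver and result: the receiver now lives in the freshly allocated register.` matches the code. The block's correctness also rests on the freshly allocated `result` not being r12 itself (it cannot be while `receiver` still holds that register), but nothing in the hunk states that invariant; adding `ASSERT(!receiver.reg().is(r12));` right after the closing brace makes it explicit and would catch a future allocator change that breaks the instruction-length assumption the comment describes. The spill comment could also say why the spill is needed: after the swap the old r12 copy is the `result` register that later code overwrites, so any frame element still aliasing r12 must be moved out first. EmitNamedStore begins and ends outside this hunk, so the later use of `result` is not visible here.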
@@ -0,0 +1,51 @@
+// Copyright 2010 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Test that we do no use r12 as a receiver in inlined NamedStores on x64.
+
+ // See: http://code.google.com/p/v8/issues/detail?id=806
+
+ function foo(a) {
+ for (var o = 1; o < 2; o++) {
+ for (var n = 1; n < 2; n++) {
+ for (var m = 1; m < 2; m++) {
+ for (var l = 1; l < 2; l++) {
+ for (var i = 1; i < 2; i++) {
+ for (var j = 1; j < 2; j++) {
+ for (var k = 1; k < 2; k++) {
+ var z = a.foo;
+ z.foo = i * j * k * m * n * o;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+foo({foo: {foo: 1}});
--
2.7.4
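Review bot: The regression test only proves the path no longer crashes — it stores `i * j * k * m * n * o`, which is 1 for every iteration, into a property already initialised to 1 and then checks nothing, so a silent wrong-code result (the fixup patching the wrong instruction and the store never landing) would pass as long as execution completes. Holding the receiver and asserting on it after the call would make the test catch that too, e.g. `var obj = {foo: {foo: 0}};`, `foo(obj);`, `assertEquals(1, obj.foo.foo);` in place of the final `foo({foo: {foo: 1}});`; starting from 0 is what makes the assertion distinguish a performed store from a missed one. The header comment also has a typo, `do no use` for `do not use`. Whether the loop nest is what forces the receiver into r12 is not visible here, so a one-line comment above `function foo` saying that the nesting depth is deliberate (presumably to drive register allocation to r12 — worth confirming) would keep a future cleanup from flattening it.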