From 963d72ff57573f903b402f630ece873d3875fdbe Mon Sep 17 00:00:00 2001
From: "ager@chromium.org"
Date: Tue, 10 Nov 2009 14:58:16 +0000
Subject: [PATCH] Revert r3032 that uses push instead of 'sub esp, size'.

This change leads to stack corruption in 32-bit version of V8. See http://code.google.com/p/chromium/issues/detail?id=27227 for a reproducible case.

Since this is only an issue on 32-bit V8 I think this has got something to do with the UnsafeSmi handling that we do on ia32. I'm reverting for now so we can push a fix, but we should track down the issue and create a regression test for this.

Review URL: http://codereview.chromium.org/383005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3263 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/ia32/virtual-frame-ia32.cc | 17 ++++++++---------
 src/x64/virtual-frame-x64.cc   | 17 ++++++++---------
 2 files changed, 16 insertions(+), 18 deletions(-)

diff --git a/src/ia32/virtual-frame-ia32.cc b/src/ia32/virtual-frame-ia32.cc
index 980cec8..f971ec4 100644
--- a/src/ia32/virtual-frame-ia32.cc
+++ b/src/ia32/virtual-frame-ia32.cc
@@ -161,16 +161,15 @@ void VirtualFrame::SyncRange(int begin, int end) {
   // on the stack.
   int start = Min(begin, stack_pointer_ + 1);
 
-  // Emit normal 'push' instructions for elements above stack pointer
-  // and use mov instructions if we are below stack pointer.
+  // If positive we have to adjust the stack pointer.
+  int delta = end - stack_pointer_;
+  if (delta > 0) {
+    stack_pointer_ = end;
+    __ sub(Operand(esp), Immediate(delta * kPointerSize));
+  }
+
   for (int i = start; i <= end; i++) {
-    if (!elements_[i].is_synced()) {
-      if (i <= stack_pointer_) {
-        SyncElementBelowStackPointer(i);
-      } else {
-        SyncElementByPushing(i);
-      }
-    }
+    if (!elements_[i].is_synced()) SyncElementBelowStackPointer(i);
   }
 }
 
diff --git a/src/x64/virtual-frame-x64.cc b/src/x64/virtual-frame-x64.cc
index 781efd1..fe65d34 100644
--- a/src/x64/virtual-frame-x64.cc
+++ b/src/x64/virtual-frame-x64.cc
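Review bot: After the `__ sub(Operand(esp), ...)` on the new side reserves `delta` slots, the loop below only stores into slots whose element is not `is_synced()`, so an element above the old `stack_pointer_` that is already marked synced would leave its freshly reserved slot holding whatever was on the machine stack before; nothing in the hunk documents or checks that this cannot happen. Given that the commit message records a stack corruption in this very function and asks for a regression test, I would make the invariant explicit in debug builds: `int old_stack_pointer = stack_pointer_;` before the delta computation, and `ASSERT(i <= old_stack_pointer || !elements_[i].is_synced());` ahead of the existing `if` in the loop. The same applies to the x64 hunk at `@@ -893`, which is the identical change with `__ subq(rsp, ...)`. Whether `SyncElementBelowStackPointer` relies on `stack_pointer_` already having been advanced to `end` is not visible here; a one-line comment above `stack_pointer_ = end;` stating why the assignment precedes the loop would help the next reader. SyncRange begins before the hunk, so the derivation of `start` and any earlier checks on `begin`/`end` are outside this view.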
@@ -893,16 +893,15 @@ void VirtualFrame::SyncRange(int begin, int end) {
   // on the stack.
   int start = Min(begin, stack_pointer_ + 1);
 
-  // Emit normal 'push' instructions for elements above stack pointer
-  // and use mov instructions if we are below stack pointer.
+  // If positive we have to adjust the stack pointer.
+  int delta = end - stack_pointer_;
+  if (delta > 0) {
+    stack_pointer_ = end;
+    __ subq(rsp, Immediate(delta * kPointerSize));
+  }
+
   for (int i = start; i <= end; i++) {
-    if (!elements_[i].is_synced()) {
-      if (i <= stack_pointer_) {
-        SyncElementBelowStackPointer(i);
-      } else {
-        SyncElementByPushing(i);
-      }
-    }
+    if (!elements_[i].is_synced()) SyncElementBelowStackPointer(i);
   }
 }
 
-- 
2.7.4