From beeb751278aac5673ac4752bc8479bf95a6aac8b Mon Sep 17 00:00:00 2001
From: "verwaest@chromium.org"
Date: Mon, 26 Nov 2012 15:58:27 +0000
Subject: [PATCH] Ensure we do not clobber the register holding the elements backing store.

Review URL: https://chromiumcodereview.appspot.com/11316168

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13061 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/arm/stub-cache-arm.cc | 9 +++++++--
 test/mjsunit/regress/regress-crbug-162085.js | 16 ++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/src/arm/stub-cache-arm.cc b/src/arm/stub-cache-arm.cc
index 866ab55..9cb9503 100644
--- a/src/arm/stub-cache-arm.cc
+++ b/src/arm/stub-cache-arm.cc
@@ -4690,9 +4690,12 @@ void KeyedStoreStubCompiler::GenerateStoreFastDoubleElement(
   // -- r1 : key
   // -- r2 : receiver
   // -- lr : return address
-  // -- r3 : scratch
+  // -- r3 : scratch (elements backing store)
   // -- r4 : scratch
   // -- r5 : scratch
+  // -- r6 : scratch
+  // -- r7 : scratch
+  // -- r9 : scratch
   // -----------------------------------
   Label miss_force_generic, transition_elements_kind, grow, slow;
   Label finish_store, check_capacity;
@@ -4705,6 +4708,7 @@ void KeyedStoreStubCompiler::GenerateStoreFastDoubleElement(
   Register scratch2 = r5;
   Register scratch3 = r6;
   Register scratch4 = r7;
+  Register scratch5 = r9;
   Register length_reg = r7;
 
   // This stub is meant to be tail-jumped to, the receiver must already
@@ -4799,14 +4803,15 @@ void KeyedStoreStubCompiler::GenerateStoreFastDoubleElement(
       __ str(scratch2, FieldMemOperand(elements_reg, offset + kPointerSize));
     }
 
+    __ mov(scratch1, elements_reg);
     __ StoreNumberToDoubleElements(value_reg,
                                    key_reg,
                                    // All registers after this are overwritten.
-                                   elements_reg,
                                    scratch1,
                                    scratch2,
                                    scratch3,
                                    scratch4,
+                                   scratch5,
                                    &transition_elements_kind);
 
     // Install the new backing store in the JSArray.
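Review bot: The new `__ mov(scratch1, elements_reg);` in the third hunk carries no explanation of why the copy is needed, so a later cleanup could easily "simplify" it away; add `// StoreNumberToDoubleElements overwrites every register after key_reg, so hand it a copy and keep elements_reg (r3) intact for the backing-store install below.` That install, like the rest of GenerateStoreFastDoubleElement, lies outside the hunk; if it stores elements_reg into the receiver's elements slot, clobbering r3 would have written an arbitrary register value as the elements pointer, which is the memory-safety defect the accompanying regression test pins. In the second hunk scratch4 and length_reg both alias r7 (pre-existing), and the call now passes scratch4 among the overwritten registers, so any value held in length_reg at that point is lost; presumably length_reg is only written after the call, but worth confirming. The header comment gained `r9 : scratch`, which documents that the stub may freely clobber r9; that must hold for every path that tail-jumps here.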
diff --git a/test/mjsunit/regress/regress-crbug-162085.js b/test/mjsunit/regress/regress-crbug-162085.js
index f26c711..a53b2c9 100644
--- a/test/mjsunit/regress/regress-crbug-162085.js
+++ b/test/mjsunit/regress/regress-crbug-162085.js
@@ -30,6 +30,7 @@
 var a = [1,2,3];
 a.length = 0;
 a[0] = 1.4;
+assertEquals(1.4, a[0]);
 assertEquals(undefined, a[1]);
 assertEquals(undefined, a[2]);
 assertEquals(undefined, a[3]);
@@ -43,6 +44,7 @@ var a2 = [1.3];
 grow_store(a2,1,1.4);
 a2.length = 0;
 grow_store(a2,0,1.5);
+assertEquals(1.5, a2[0]);
 assertEquals(undefined, a2[1]);
 assertEquals(undefined, a2[2]);
 assertEquals(undefined, a2[3]);
@@ -53,3 +55,17 @@ var o = {};
 grow_store(a3, 1, o);
 assertEquals(1.3, a3[0]);
 assertEquals(o, a3[1]);
+
+// Ensure the double array growstub initializes the array with holes.
+function grow_store2(a,i,v) {
+  a[i] = v;
+}
+
+var a4 = [1.3];
+grow_store2(a4,1,1.4);
+a4.length = 0;
+grow_store2(a4,0,1);
+assertEquals(1, a4[0]);
+assertEquals(undefined, a4[1]);
+assertEquals(undefined, a4[2]);
+assertEquals(undefined, a4[3]);
-- 
2.7.4
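Review bot: The comment above `grow_store2` in the third hunk says the grow stub should initialize the array with holes, but the commit's stated fix is keeping the elements backing-store register intact, and the assertion that exercises that is `assertEquals(1, a4[0]);` (together with the `a[0]`/`a2[0]` checks added in the first two hunks). Consider stating both purposes, e.g. `// Ensure the double array grow stub keeps the new backing store (a4[0] is stored) and fills the remaining slots with holes.` The reason for a second, textually identical `grow_store2` instead of reusing `grow_store` is also left unsaid; presumably it is to get a fresh store site for the smi-into-double-array case, and a one-line comment saying so would help. The existing `grow_store` definition is outside the hunk.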