From d6013e940c8f274a379309792169093a380d3955 Mon Sep 17 00:00:00 2001
From: "balazs.kilvady@imgtec.com"
Date: Thu, 9 Oct 2014 17:06:17 +0000
Subject: [PATCH] MIPS: Fix uninitialized FixedArray potentially being left behind by ElementsTransitionGenerator::GenerateDoubleToObject.

Port r24498 (eeef8c0)

BUG=chromium:421843
LOG=n
R=paul.lind@imgtec.com

Review URL: https://codereview.chromium.org/645633002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24502 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/mips/codegen-mips.cc     | 16 +++++++++++++++-
 src/mips64/codegen-mips64.cc | 16 +++++++++++++++-
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/src/mips/codegen-mips.cc b/src/mips/codegen-mips.cc
index 0ecac19..599aace 100644
--- a/src/mips/codegen-mips.cc
+++ b/src/mips/codegen-mips.cc
@@ -896,9 +896,23 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
       FixedDoubleArray::kHeaderSize - kHeapObjectTag + Register::kExponentOffset));
   __ Addu(dst_elements, array, Operand(FixedArray::kHeaderSize));
-  __ Addu(array, array, Operand(kHeapObjectTag));
   __ sll(dst_end, dst_end, 1);
   __ Addu(dst_end, dst_elements, dst_end);
+
+  // Allocating heap numbers in the loop below can fail and cause a jump to
+  // gc_required. We can't leave a partly initialized FixedArray behind,
+  // so pessimistically fill it with holes now.
+  Label initialization_loop, initialization_loop_entry;
+  __ LoadRoot(scratch, Heap::kTheHoleValueRootIndex);
+  __ Branch(&initialization_loop_entry);
+  __ bind(&initialization_loop);
+  __ sw(scratch, MemOperand(dst_elements));
+  __ Addu(dst_elements, dst_elements, Operand(kPointerSize));
+  __ bind(&initialization_loop_entry);
+  __ Branch(&initialization_loop, lt, dst_elements, Operand(dst_end));
+
+  __ Addu(dst_elements, array, Operand(FixedArray::kHeaderSize));
+  __ Addu(array, array, Operand(kHeapObjectTag));
   __ LoadRoot(heap_number_map, Heap::kHeapNumberMapRootIndex);
   // Using offsetted addresses.
   // dst_elements: begin of destination FixedArray element fields, not tagged
diff --git a/src/mips64/codegen-mips64.cc b/src/mips64/codegen-mips64.cc
index fb395f7..cffac91 100644
--- a/src/mips64/codegen-mips64.cc
+++ b/src/mips64/codegen-mips64.cc
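Review bot: The hole-fill loop stores a heap pointer into the new FixedArray with a plain `sw` and no write barrier, and the new comment does not say why that is safe; a reader auditing GC correctness has to reconstruct that the value loaded by `LoadRoot` is the immortal hole root and that `array` was allocated just above the hunk. I would extend the new comment with `// No write barrier needed: the hole is an immortal immovable root and the array is freshly allocated.` (hedged as "freshly allocated" since the allocation is outside the hunk). The loop also clobbers `scratch` and walks `dst_elements` before recomputing it from `array` on the line after the loop, so correctness depends on `scratch` not aliasing `array`, `dst_end` or `dst_elements`; the register assignments are above the hunk, so I could not confirm that from here. The same two points apply to the mips64 hunk below, which uses `sd`/`Daddu` for the same loop. GenerateDoubleToObject begins and ends outside the hunk.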
@@ -786,9 +786,23 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
   __ Daddu(src_elements, src_elements, Operand(FixedDoubleArray::kHeaderSize
       - kHeapObjectTag + 4));
   __ Daddu(dst_elements, array, Operand(FixedArray::kHeaderSize));
-  __ Daddu(array, array, Operand(kHeapObjectTag));
   __ SmiScale(dst_end, dst_end, kPointerSizeLog2);
   __ Daddu(dst_end, dst_elements, dst_end);
+
+  // Allocating heap numbers in the loop below can fail and cause a jump to
+  // gc_required. We can't leave a partly initialized FixedArray behind,
+  // so pessimistically fill it with holes now.
+  Label initialization_loop, initialization_loop_entry;
+  __ LoadRoot(scratch, Heap::kTheHoleValueRootIndex);
+  __ Branch(&initialization_loop_entry);
+  __ bind(&initialization_loop);
+  __ sd(scratch, MemOperand(dst_elements));
+  __ Daddu(dst_elements, dst_elements, Operand(kPointerSize));
+  __ bind(&initialization_loop_entry);
+  __ Branch(&initialization_loop, lt, dst_elements, Operand(dst_end));
+
+  __ Daddu(dst_elements, array, Operand(FixedArray::kHeaderSize));
+  __ Daddu(array, array, Operand(kHeapObjectTag));
   __ LoadRoot(heap_number_map, Heap::kHeapNumberMapRootIndex);
   // Using offsetted addresses.
   // dst_elements: begin of destination FixedArray element fields, not tagged
--
2.7.4