Commit 34f71b11 authored by whesse@chromium.org's avatar whesse@chromium.org

Fix flaw in VirtualFrame::SetElementAt handling multiple copies of elements.

Review URL: http://codereview.chromium.org/47006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1577 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent 010443b9
......@@ -387,23 +387,31 @@ void VirtualFrame::SetElementAt(int index, Result* value) {
FrameElement::RegisterElement(value->reg(),
FrameElement::NOT_SYNCED);
} else {
for (int i = 0; i < elements_.length(); i++) {
FrameElement element = elements_[i];
if (element.is_register() && element.reg().is(value->reg())) {
int i = 0;
for (; i < elements_.length(); i++) {
if (elements_[i].is_register() && elements_[i].reg().is(value->reg())) {
break;
}
}
ASSERT(i < elements_.length());
if (i < frame_index) {
// The register backing store is lower in the frame than its
// copy.
// The register backing store is lower in the frame than its copy.
elements_[frame_index] = CopyElementAt(i);
} else {
// There was an early bailout for the case of setting a
// register element to itself.
ASSERT(i != frame_index);
element.clear_sync();
elements_[frame_index] = element;
elements_[frame_index] = elements_[i];
elements_[i] = CopyElementAt(frame_index);
if (elements_[frame_index].is_synced()) {
elements_[i].set_sync();
}
elements_[frame_index].clear_sync();
for (int j = i + 1; j < elements_.length(); j++) {
if (elements_[j].is_copy() && elements_[j].index() == i) {
elements_[j].set_index(frame_index);
}
// Exit the loop once the appropriate copy is inserted.
break;
}
}
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment