[Interpreter] Fix GenerateSmiToDouble to avoid assuming it is called from a JSFrame.

GenerateSmiToDouble on ia32 assumes that it is called from a JSFrame and can restore the context from the StandardFrameConstants::kContextObject. In the case of the interpreter it is called from a interpreter handler stub frame which doesn't push the context onto it's frame. Instead, push and pop esi to explicitly restore it correctly. BUG=chromium:612386 Review-Url: https://codereview.chromium.org/2011313003 Cr-Commit-Position: refs/heads/master@{#36649}

[Interpreter] Fix GenerateSmiToDouble to avoid assuming it is called from a JSFrame.
GenerateSmiToDouble on ia32 assumes that it is called from a JSFrame and can restore the context from the StandardFrameConstants::kContextObject. In the case of the interpreter it is called from a interpreter handler stub frame which doesn't push the context onto it's frame. Instead, push and pop esi to explicitly restore it correctly. BUG=chromium:612386 Review-Url: https://codereview.chromium.org/2011313003 Cr-Commit-Position: refs/heads/master@{#36649}
471893cc · rmcilroy · Commit bot · 9d5b4b6c · 471893cc · 471893cc
Commit 471893cc authored Jun 01, 2016 by rmcilroy Committed by Commit bot Jun 01, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 4 deletions

codegen-ia32.cc src/ia32/codegen-ia32.cc +5 -4

regress-612386-smi-to-double-transition.js ...sunit/ignition/regress-612386-smi-to-double-transition.js +29 -0

No files found.
--- a/src/ia32/codegen-ia32.cc
+++ b/src/ia32/codegen-ia32.cc
@@ -580,6 +580,7 @@ void ElementsTransitionGenerator::GenerateSmiToDouble(

  __ push(eax);
  __ push(ebx);
+  __ push(esi);

  __ mov(edi, FieldOperand(edi, FixedArray::kLengthOffset));

@@ -620,8 +621,9 @@ void ElementsTransitionGenerator::GenerateSmiToDouble(

  // Call into runtime if GC is required.
  __ bind(&gc_required);
+
  // Restore registers before jumping into runtime.
-  __ mov(esi, Operand(ebp, StandardFrameConstants::kContextOffset));
+  __ pop(esi);
  __ pop(ebx);
  __ pop(eax);
  __ jmp(fail);
@@ -656,12 +658,11 @@ void ElementsTransitionGenerator::GenerateSmiToDouble(
  __ sub(edi, Immediate(Smi::FromInt(1)));
  __ j(not_sign, &loop);

+  // Restore registers.
+  __ pop(esi);
  __ pop(ebx);
  __ pop(eax);

-  // Restore esi.
-  __ mov(esi, Operand(ebp, StandardFrameConstants::kContextOffset));
-
  __ bind(&only_change_map);
  // eax: value
  // ebx: target map

--- a/test/mjsunit/ignition/regress-612386-smi-to-double-transition.js
+++ b/test/mjsunit/ignition/regress-612386-smi-to-double-transition.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --no-inline-new
+
+function keyed_store(obj, key, value) {
+  obj[key] = value;
+}
+
+function foo() {
+  obj = {};
+  obj.smi = 1;
+  obj.dbl = 1.5;
+  obj.obj = {a:1};
+
+  // Transition keyed store IC to polymorphic.
+  keyed_store(obj, "smi", 100);
+  keyed_store(obj, "dbl", 100);
+  keyed_store(obj, "obj", 100);
+
+  // Now call with a FAST_SMI_ELEMENTS object.
+  var smi_array = [5, 1, 1];
+  keyed_store(smi_array, 1, 6);
+  // Transition from FAST_SMI_ELEMENTS to FAST_DOUBLE_ELEMENTS.
+  keyed_store(smi_array, 2, 1.2);
+}
+
+foo();