Fix xssue 492: ARM debug crash: mozilla/ecma/FunctionObjects/15.3.1.1-3

When the number of parameters times 4 (kPointerSize) to a function cannot be encoded in 12 bits the return sequence gets one more instruction. Changed the assertion to check for this case. BUG=http://code.google.com/p/v8/issues/detail?id=492 TEST=test/mjsunit/regress/regress-492.js Review URL: http://codereview.chromium.org/354028 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3211 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Fix xssue 492: ARM debug crash: mozilla/ecma/FunctionObjects/15.3.1.1-3
When the number of parameters times 4 (kPointerSize) to a function cannot be encoded in 12 bits the return sequence gets one more instruction. Changed the assertion to check for this case. BUG=http://code.google.com/p/v8/issues/detail?id=492 TEST=test/mjsunit/regress/regress-492.js Review URL: http://codereview.chromium.org/354028 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3211 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
54ec6c03 · sgjesse@chromium.org · ee7bab33 · 54ec6c03 · 54ec6c03 · 54ec6c03
Commit 54ec6c03 authored Nov 04, 2009 by sgjesse@chromium.org
Showing with 77 additions and 3 deletions

assembler-arm.cc src/arm/assembler-arm.cc +7 -0

assembler-arm.h src/arm/assembler-arm.h +3 -0

codegen-arm.cc src/arm/codegen-arm.cc +15 -3

regress-492.js test/mjsunit/regress/regress-492.js +52 -0

No files found.
--- a/src/arm/assembler-arm.cc
+++ b/src/arm/assembler-arm.cc
@@ -1311,6 +1311,13 @@ void Assembler::lea(Register dst,
 }


+bool Assembler::ImmediateFitsAddrMode1Instruction(int32_t imm32) {
+  uint32_t dummy1;
+  uint32_t dummy2;
+  return fits_shifter(imm32, &dummy1, &dummy2, NULL);
+}
+
+
 // Debugging
 void Assembler::RecordJSReturn() {
  WriteRecordedPositions();

--- a/src/arm/assembler-arm.h
+++ b/src/arm/assembler-arm.h
@@ -682,6 +682,9 @@ class Assembler : public Malloced {
    return (pc_offset() - l->pos()) / kInstrSize;
  }

+  // Check whether an immediate fits an addressing mode 1 instruction.
+  bool ImmediateFitsAddrMode1Instruction(int32_t imm32);
+
  // Debugging

  // Mark address of the ExitJSFrame code.

--- a/src/arm/codegen-arm.cc
+++ b/src/arm/codegen-arm.cc
@@ -331,13 +331,25 @@ void CodeGenerator::GenCode(FunctionLiteral* fun) {

    // Here we use masm_-> instead of the __ macro to avoid the code coverage
    // tool from instrumenting as we rely on the code size here.
-    masm_->add(sp, sp, Operand((scope_->num_parameters() + 1) * kPointerSize));
+    int32_t sp_delta = (scope_->num_parameters() + 1) * kPointerSize;
+    masm_->add(sp, sp, Operand(sp_delta));
    masm_->Jump(lr);

    // Check that the size of the code used for returning matches what is
-    // expected by the debugger.
-    ASSERT_EQ(kJSReturnSequenceLength,
+    // expected by the debugger. The add instruction above is an addressing
+    // mode 1 instruction where there are restrictions on which immediate values
+    // can be encoded in the instruction and which immediate values requires
+    // use of an additional instruction for moving the immediate to a temporary
+    // register.
+#ifdef DEBUG
+    int expected_return_sequence_length = kJSReturnSequenceLength;
+    if (!masm_->ImmediateFitsAddrMode1Instruction(sp_delta)) {
+      // Additional mov instruction generated.
+      expected_return_sequence_length++;
+    }
+    ASSERT_EQ(expected_return_sequence_length,
              masm_->InstructionsGeneratedSince(&check_exit_codesize));
+#endif
  }

  // Code generation state must be reset.

--- a/test/mjsunit/regress/regress-492.js
+++ b/test/mjsunit/regress/regress-492.js
+// Copyright 2009 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// See: http://code.google.com/p/v8/issues/detail?id=492
+// This should not hit any asserts in debug mode on ARM.
+
+function function_with_n_args(n) {
+  var source = '(function f(';
+  for (var arg = 0; arg < n; arg++) {
+    if (arg != 0) source += ',';
+    source += 'arg' + arg;
+  }
+  source += ') { })()';
+  eval(source);
+}
+
+var args;
+for (args = 250; args < 270; args++) {
+  function_with_n_args(args);
+}
+
+for (args = 500; args < 520; args++) {
+  function_with_n_args(args);
+}
+
+for (args = 1019; args < 1041; args++) {
+  function_with_n_args(args);
+}