[arm] Fix custom addition in MacroAssembler::[Fast]Allocate

Don't rely on carry flags you didn't set yourself. BUG=chromium:663402 Review-Url: https://codereview.chromium.org/2484283002 Cr-Commit-Position: refs/heads/master@{#40848}

[arm] Fix custom addition in MacroAssembler::[Fast]Allocate
Don't rely on carry flags you didn't set yourself. BUG=chromium:663402 Review-Url: https://codereview.chromium.org/2484283002 Cr-Commit-Position: refs/heads/master@{#40848}
87332fdf · jkummerow · Commit bot · ddfdd3b8 · 87332fdf · 87332fdf
Commit 87332fdf authored Nov 08, 2016 by jkummerow Committed by Commit bot Nov 08, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 42 additions and 6 deletions

macro-assembler-arm.cc src/arm/macro-assembler-arm.cc +2 -6

regress-crbug-663402.js test/mjsunit/regress/regress-crbug-663402.js +40 -0

No files found.
--- a/src/arm/macro-assembler-arm.cc
+++ b/src/arm/macro-assembler-arm.cc
@@ -1946,7 +1946,6 @@ void MacroAssembler::Allocate(int object_size,
  // point, so we cannot just use add().
  DCHECK(object_size > 0);
  Register source = result;
-  Condition cond = al;
  int shift = 0;
  while (object_size != 0) {
    if (((object_size >> shift) & 0x03) == 0) {
@@ -1957,9 +1956,8 @@ void MacroAssembler::Allocate(int object_size,
      shift += 8;
      Operand bits_operand(bits);
      DCHECK(bits_operand.instructions_required(this) == 1);
-      add(result_end, source, bits_operand, LeaveCC, cond);
+      add(result_end, source, bits_operand);
      source = result_end;
-      cond = cc;
    }
  }

@@ -2158,7 +2156,6 @@ void MacroAssembler::FastAllocate(int object_size, Register result,
  // this point, so we cannot just use add().
  DCHECK(object_size > 0);
  Register source = result;
-  Condition cond = al;
  int shift = 0;
  while (object_size != 0) {
    if (((object_size >> shift) & 0x03) == 0) {
@@ -2169,9 +2166,8 @@ void MacroAssembler::FastAllocate(int object_size, Register result,
      shift += 8;
      Operand bits_operand(bits);
      DCHECK(bits_operand.instructions_required(this) == 1);
-      add(result_end, source, bits_operand, LeaveCC, cond);
+      add(result_end, source, bits_operand);
      source = result_end;
-      cond = cc;
    }
  }


--- a/test/mjsunit/regress/regress-crbug-663402.js
+++ b/test/mjsunit/regress/regress-crbug-663402.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var g_eval = eval;
+function emit_f(size) {
+  var body = "function f(x) {" +
+             "  if (x < 0) return x;" +
+             "  var a = [1];" +
+             "  if (x > 0) return [";
+  for (var i = 0; i < size; i++) {
+    body += "0.1, ";
+  }
+  body += "  ];" +
+          "  return a;" +
+          "}";
+  g_eval(body);
+}
+
+// Length must be big enough to make the backing store's size not fit into
+// a single instruction's immediate field (2^12).
+var kLength = 701;
+emit_f(kLength);
+f(1);
+f(1);
+%OptimizeFunctionOnNextCall(f);
+var a = f(1);
+
+// Allocating something else should not disturb |a|.
+var b = new Object();
+for (var i = 0; i < kLength; i++) {
+  assertEquals(0.1, a[i]);
+}
+
+// Allocating more should not crash.
+for (var i = 0; i < 300; i++) {
+  f(1);
+}