Revert r3032 that uses push instead of 'sub esp, size'. This change

leads to stack corruption in 32-bit version of V8. See http://code.google.com/p/chromium/issues/detail?id=27227 for a reproducible case. Since this is only an issue on 32-bit V8 I think this has got something to do with the UnsafeSmi handling that we do on ia32. I'm reverting for now so we can push a fix, but we should track down the issue and create a regression test for this. Review URL: http://codereview.chromium.org/383005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3263 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Revert r3032 that uses push instead of 'sub esp, size'. This change
leads to stack corruption in 32-bit version of V8. See http://code.google.com/p/chromium/issues/detail?id=27227 for a reproducible case. Since this is only an issue on 32-bit V8 I think this has got something to do with the UnsafeSmi handling that we do on ia32. I'm reverting for now so we can push a fix, but we should track down the issue and create a regression test for this. Review URL: http://codereview.chromium.org/383005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3263 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
963d72ff · ager@chromium.org · 91cc4c7e · 963d72ff · 963d72ff
Commit 963d72ff authored Nov 10, 2009 by ager@chromium.org
Show whitespace changes
Inline Side-by-side

Showing with 16 additions and 18 deletions

virtual-frame-ia32.cc src/ia32/virtual-frame-ia32.cc +8 -9

virtual-frame-x64.cc src/x64/virtual-frame-x64.cc +8 -9

No files found.
--- a/src/ia32/virtual-frame-ia32.cc
+++ b/src/ia32/virtual-frame-ia32.cc
@@ -161,16 +161,15 @@ void VirtualFrame::SyncRange(int begin, int end) {
  // on the stack.
  int start = Min(begin, stack_pointer_ + 1);
-  // Emit normal 'push' instructions for elements above stack pointer
+  // If positive we have to adjust the stack pointer.
-  // and use mov instructions if we are below stack pointer.
+  int delta = end - stack_pointer_;
-  for (int i = start; i <= end; i++) {
+  if (delta > 0) {
-    if (!elements_[i].is_synced()) {
+    stack_pointer_ = end;
-      if (i <= stack_pointer_) {
+    __ sub(Operand(esp), Immediate(delta * kPointerSize));
-        SyncElementBelowStackPointer(i);
-      } else {
-        SyncElementByPushing(i);
-      }
  }
+  for (int i = start; i <= end; i++) {
+    if (!elements_[i].is_synced()) SyncElementBelowStackPointer(i);
  }
 }

--- a/src/x64/virtual-frame-x64.cc
+++ b/src/x64/virtual-frame-x64.cc
@@ -893,16 +893,15 @@ void VirtualFrame::SyncRange(int begin, int end) {
  // on the stack.
  int start = Min(begin, stack_pointer_ + 1);
-  // Emit normal 'push' instructions for elements above stack pointer
+  // If positive we have to adjust the stack pointer.
-  // and use mov instructions if we are below stack pointer.
+  int delta = end - stack_pointer_;
-  for (int i = start; i <= end; i++) {
+  if (delta > 0) {
-    if (!elements_[i].is_synced()) {
+    stack_pointer_ = end;
-      if (i <= stack_pointer_) {
+    __ subq(rsp, Immediate(delta * kPointerSize));
-        SyncElementBelowStackPointer(i);
-      } else {
-        SyncElementByPushing(i);
-      }
  }
+  for (int i = start; i <= end; i++) {
+    if (!elements_[i].is_synced()) SyncElementBelowStackPointer(i);
  }
 }