- Fixed Issue 3201: Embedded Google Calendar crashes the renderer

ExtendStorage did not work with keyed store IC. - Reduced instructions generated when performing a tail call to kSharedStoreIC_ExtendStorage - Moved test/mjsunit/bugs/bug-109.js to test/mjsunit/keyed-storage-extend.js Review URL: http://codereview.chromium.org/6526 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@455 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

- Fixed Issue 3201: Embedded Google Calendar crashes the renderer
ExtendStorage did not work with keyed store IC. - Reduced instructions generated when performing a tail call to kSharedStoreIC_ExtendStorage - Moved test/mjsunit/bugs/bug-109.js to test/mjsunit/keyed-storage-extend.js Review URL: http://codereview.chromium.org/6526 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@455 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
9dadae1b · bak@chromium.org · ca7668ee · 9dadae1b · 9dadae1b · 9dadae1b
Commit 9dadae1b authored Oct 07, 2008 by bak@chromium.org
10 changed files
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -575,6 +575,11 @@ static void Generate_KeyedStoreIC_Generic(MacroAssembler* masm) {
 }
+static void Generate_KeyedStoreIC_ExtendStorage(MacroAssembler* masm) {
+  KeyedStoreIC::GenerateExtendStorage(masm);
+}
 static void Generate_KeyedStoreIC_Miss(MacroAssembler* masm) {
  KeyedStoreIC::GenerateMiss(masm);
 }

--- a/src/builtins.h
+++ b/src/builtins.h
@@ -63,6 +63,7 @@ namespace v8 { namespace internal {
  V(KeyedStoreIC_Miss,          BUILTIN, UNINITIALIZED)        \
                                                               \
  V(StoreIC_ExtendStorage,      BUILTIN, UNINITIALIZED)        \
+  V(KeyedStoreIC_ExtendStorage, BUILTIN, UNINITIALIZED)        \
                                                               \
  V(LoadIC_Initialize,          LOAD_IC, UNINITIALIZED)        \
  V(LoadIC_PreMonomorphic,      LOAD_IC, PREMONOMORPHIC)       \

--- a/src/ic-arm.cc
+++ b/src/ic-arm.cc
@@ -539,6 +539,9 @@ void KeyedStoreIC::Generate(MacroAssembler* masm,
 void KeyedStoreIC::GenerateGeneric(MacroAssembler* masm) {
 }
+void KeyedStoreIC::GenerateExtendStorage(MacroAssembler* masm) {
+}
 void StoreIC::GenerateMegamorphic(MacroAssembler* masm) {
  // ----------- S t a t e -------------
@@ -570,7 +573,8 @@ void StoreIC::GenerateExtendStorage(MacroAssembler* masm) {
  __ stm(db_w, sp, r0.bit() | r2.bit() | r3.bit());
  // Perform tail call to the entry.
-  __ TailCallRuntime(ExternalReference(IC_Utility(kStoreIC_ExtendStorage)), 3);
+  __ TailCallRuntime(
+      ExternalReference(IC_Utility(kSharedStoreIC_ExtendStorage)), 3);
 }

--- a/src/ic-ia32.cc
+++ b/src/ic-ia32.cc
@@ -703,7 +703,8 @@ void StoreIC::GenerateExtendStorage(MacroAssembler* masm) {
  __ push(eax);
  __ push(ebx);
  // Perform tail call to the entry.
-  __ TailCallRuntime(ExternalReference(IC_Utility(kStoreIC_ExtendStorage)), 3);
+  __ TailCallRuntime(
+      ExternalReference(IC_Utility(kSharedStoreIC_ExtendStorage)), 3);
 }
@@ -750,6 +751,26 @@ void KeyedStoreIC::Generate(MacroAssembler* masm, const ExternalReference& f) {
 }
+void KeyedStoreIC::GenerateExtendStorage(MacroAssembler* masm) {
+  // ----------- S t a t e -------------
+  //  -- eax    : value
+  //  -- esp[0] : return address
+  //  -- esp[4] : key
+  //  -- esp[8] : receiver
+  // -----------------------------------
+  // Move the return address below the arguments.
+  __ pop(ecx);
+  __ push(Operand(esp, 1 * kPointerSize));
+  __ push(Operand(esp, 1 * kPointerSize));
+  __ push(eax);
+  __ push(ecx);
+  // Do tail-call to runtime routine.
+  __ TailCallRuntime(
+      ExternalReference(IC_Utility(kSharedStoreIC_ExtendStorage)), 3);
+}
 #undef __

--- a/src/ic.cc
+++ b/src/ic.cc
@@ -1115,7 +1115,7 @@ Object* StoreIC_Miss(Arguments args) {
 // Extend storage is called in a store inline cache when
 // it is necessary to extend the properties array of a
 // JSObject.
-Object* StoreIC_ExtendStorage(Arguments args) {
+Object* SharedStoreIC_ExtendStorage(Arguments args) {
  NoHandleAllocation na;
  ASSERT(args.length() == 3);

--- a/src/ic.h
+++ b/src/ic.h
@@ -34,17 +34,17 @@ namespace v8 { namespace internal {
 // IC_UTIL_LIST defines all utility functions called from generated
 // inline caching code. The argument for the macro, ICU, is the function name.
-#define IC_UTIL_LIST(ICU)       \
+#define IC_UTIL_LIST(ICU)          \
-  ICU(LoadIC_Miss)              \
+  ICU(LoadIC_Miss)                 \
-  ICU(KeyedLoadIC_Miss)         \
+  ICU(KeyedLoadIC_Miss)            \
-  ICU(CallIC_Miss)              \
+  ICU(CallIC_Miss)                 \
-  ICU(StoreIC_Miss)             \
+  ICU(StoreIC_Miss)                \
-  ICU(StoreIC_ExtendStorage)    \
+  ICU(SharedStoreIC_ExtendStorage) \
-  ICU(KeyedStoreIC_Miss)        \
+  ICU(KeyedStoreIC_Miss)           \
-  /* Utilities for IC stubs. */ \
+  /* Utilities for IC stubs. */    \
-  ICU(LoadCallbackProperty)     \
+  ICU(LoadCallbackProperty)        \
-  ICU(StoreCallbackProperty)    \
+  ICU(StoreCallbackProperty)       \
-  ICU(LoadInterceptorProperty)  \
+  ICU(LoadInterceptorProperty)     \
  ICU(StoreInterceptorProperty)
 //
@@ -333,6 +333,7 @@ class KeyedStoreIC: public IC {
  static void GenerateInitialize(MacroAssembler* masm);
  static void GenerateMiss(MacroAssembler* masm);
  static void GenerateGeneric(MacroAssembler* masm);
+  static void GenerateExtendStorage(MacroAssembler* masm);
 private:
  static void Generate(MacroAssembler* masm, const ExternalReference& f);

--- a/src/stub-cache-arm.cc
+++ b/src/stub-cache-arm.cc
@@ -411,41 +411,42 @@ Object* StoreStubCompiler::CompileStoreField(JSObject* object,
  // checks.
  ASSERT(object->IsJSGlobalObject() || !object->IsAccessCheckNeeded());
-  // Get the properties array
-  __ ldr(r1, FieldMemOperand(r3, JSObject::kPropertiesOffset));
  // Perform map transition for the receiver if necessary.
-  if (transition != NULL) {
+  if ((transition != NULL) && (object->map()->unused_property_fields() == 0)) {
-    if (object->map()->unused_property_fields() == 0) {
+    // The properties must be extended before we can store the value.
-      // The properties must be extended before we can store the value.
+    // We jump to a runtime call that extends the propeties array.
-      // We jump to a runtime call that extends the propeties array.
+    __ mov(r2, Operand(Handle<Map>(transition)));
-      __ mov(r2, Operand(Handle<Map>(transition)));
+    // Please note, if we implement keyed store for arm we need
-      Handle<Code> ic(Builtins::builtin(Builtins::StoreIC_ExtendStorage));
+    // to call the Builtins::KeyedStoreIC_ExtendStorage.
-      __ Jump(ic, RelocInfo::CODE_TARGET);
+    Handle<Code> ic(Builtins::builtin(Builtins::StoreIC_ExtendStorage));
-    } else {
+    __ Jump(ic, RelocInfo::CODE_TARGET);
+  } else {
+    // Get the properties array
+    __ ldr(r1, FieldMemOperand(r3, JSObject::kPropertiesOffset));
+    if (transition != NULL) {
      // Update the map of the object; no write barrier updating is
      // needed because the map is never in new space.
      __ mov(ip, Operand(Handle<Map>(transition)));
      __ str(ip, FieldMemOperand(r3, HeapObject::kMapOffset));
    }
-  }
-  // Write to the properties array.
+    // Write to the properties array.
-  int offset = index * kPointerSize + Array::kHeaderSize;
+    int offset = index * kPointerSize + Array::kHeaderSize;
-  __ str(r0, FieldMemOperand(r1, offset));
+    __ str(r0, FieldMemOperand(r1, offset));
-  // Skip updating write barrier if storing a smi.
+    // Skip updating write barrier if storing a smi.
-  __ tst(r0, Operand(kSmiTagMask));
+    __ tst(r0, Operand(kSmiTagMask));
-  __ b(eq, &exit);
+    __ b(eq, &exit);
-  // Update the write barrier for the array address.
+    // Update the write barrier for the array address.
-  __ mov(r3, Operand(offset));
+    __ mov(r3, Operand(offset));
-  __ RecordWrite(r1, r3, r2);  // OK to clobber r2, since we return
+    __ RecordWrite(r1, r3, r2);  // OK to clobber r2, since we return
-  // Return the value (register r0).
-  __ bind(&exit);
-  __ Ret();
+    // Return the value (register r0).
+    __ bind(&exit);
+    __ Ret();
+  }
  // Handle store cache miss.
  __ bind(&miss);
  __ mov(r2, Operand(Handle<String>(name)));  // restore name

--- a/src/stub-cache-ia32.cc
+++ b/src/stub-cache-ia32.cc
@@ -406,6 +406,7 @@ void StubCompiler::GenerateLoadMiss(MacroAssembler* masm, Code::Kind kind) {
 void StubCompiler::GenerateStoreField(MacroAssembler* masm,
+                                      Builtins::Name storage_extend,
                                      JSObject* object,
                                      int index,
                                      Map* transition,
@@ -431,23 +432,23 @@ void StubCompiler::GenerateStoreField(MacroAssembler* masm,
  // checks.
  ASSERT(object->IsJSGlobalObject() || !object->IsAccessCheckNeeded());
+  // Perform map transition for the receiver if necessary.
+  if ((transition != NULL) && (object->map()->unused_property_fields() == 0)) {
+    // The properties must be extended before we can store the value.
+    // We jump to a runtime call that extends the propeties array.
+    __ mov(Operand(ecx), Immediate(Handle<Map>(transition)));
+    Handle<Code> ic(Builtins::builtin(storage_extend));
+    __ jmp(ic, RelocInfo::CODE_TARGET);
+    return;
+  }
  // Get the properties array (optimistically).
  __ mov(scratch, FieldOperand(receiver_reg, JSObject::kPropertiesOffset));
-  // Perform map transition for the receiver if necessary.
  if (transition != NULL) {
-    if (object->map()->unused_property_fields() == 0) {
+    // Update the map of the object; no write barrier updating is
-      // The properties must be extended before we can store the value.
+    // needed because the map is never in new space.
-      // We jump to a runtime call that extends the propeties array.
+    __ mov(FieldOperand(receiver_reg, HeapObject::kMapOffset),
-      __ mov(Operand(ecx), Immediate(Handle<Map>(transition)));
+           Immediate(Handle<Map>(transition)));
-      Handle<Code> ic(Builtins::builtin(Builtins::StoreIC_ExtendStorage));
-      __ jmp(ic, RelocInfo::CODE_TARGET);
-    } else {
-      // Update the map of the object; no write barrier updating is
-      // needed because the map is never in new space.
-      __ mov(FieldOperand(receiver_reg, HeapObject::kMapOffset),
-             Immediate(Handle<Map>(transition)));
-    }
  }
  // Write to the properties array.
@@ -737,7 +738,13 @@ Object* StoreStubCompiler::CompileStoreField(JSObject* object,
  __ mov(ebx, Operand(esp, 1 * kPointerSize));
  // Generate store field code.  Trashes the name register.
-  GenerateStoreField(masm(), object, index, transition, ebx, ecx, edx, &miss);
+  GenerateStoreField(masm(),
+                     Builtins::StoreIC_ExtendStorage,
+                     object,
+                     index,
+                     transition,
+                     ebx, ecx, edx,
+                     &miss);
  // Handle store cache miss.
  __ bind(&miss);
@@ -887,7 +894,13 @@ Object* KeyedStoreStubCompiler::CompileStoreField(JSObject* object,
  __ mov(ebx, Operand(esp, 2 * kPointerSize));
  // Generate store field code.  Trashes the name register.
-  GenerateStoreField(masm(), object, index, transition, ebx, ecx, edx, &miss);
+  GenerateStoreField(masm(),
+                     Builtins::KeyedStoreIC_ExtendStorage,
+                     object,
+                     index,
+                     transition,
+                     ebx, ecx, edx,
+                     &miss);
  // Handle store cache miss.
  __ bind(&miss);

--- a/src/stub-cache.h
+++ b/src/stub-cache.h
@@ -356,6 +356,7 @@ class StubCompiler BASE_EMBEDDED {
                                            Register scratch2,
                                            Label* miss_label);
  static void GenerateStoreField(MacroAssembler* masm,
+                                 Builtins::Name storage_extend,
                                 JSObject* object,
                                 int index,
                                 Map* transition,

--- a/test/mjsunit/bugs/bug-109.js
+++ b/test/mjsunit/bugs/bug-109.js