[builtins] Fix MathMaxMin on arm and arm64

Both of these were broken in different ways: * On arm, the loop counter was passed as argc on the stack. * On arm64, we passed argc + 1 instead of argc. The result in both cases was an incorrect receiver for the builtin frame when generating stack traces. BUG=v8:4815 R=bmeurer@chromium.org Review-Url: https://codereview.chromium.org/2112883002 Cr-Commit-Position: refs/heads/master@{#37471}

[builtins] Fix MathMaxMin on arm and arm64
Both of these were broken in different ways: * On arm, the loop counter was passed as argc on the stack. * On arm64, we passed argc + 1 instead of argc. The result in both cases was an incorrect receiver for the builtin frame when generating stack traces. BUG=v8:4815 R=bmeurer@chromium.org Review-Url: https://codereview.chromium.org/2112883002 Cr-Commit-Position: refs/heads/master@{#37471}
b86ac0e0 · jgruber · Commit bot · f20323dc · b86ac0e0 · b86ac0e0
Commit b86ac0e0 authored Jul 01, 2016 by jgruber Committed by Commit bot Jul 01, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 24 deletions

builtins-arm.cc src/arm/builtins-arm.cc +12 -12

builtins-arm64.cc src/arm64/builtins-arm64.cc +12 -12

No files found.
--- a/src/arm/builtins-arm.cc
+++ b/src/arm/builtins-arm.cc
@@ -123,12 +123,12 @@ void Builtins::Generate_ArrayCode(MacroAssembler* masm) {
 // static
 void Builtins::Generate_MathMaxMin(MacroAssembler* masm, MathMaxMinKind kind) {
  // ----------- S t a t e -------------
-  //  -- r0                 : number of arguments
-  //  -- r1                 : function
-  //  -- cp                 : context
-  //  -- lr                 : return address
-  //  -- sp[(argc - n) * 8] : arg[n] (zero-based)
-  //  -- sp[(argc + 1) * 8] : receiver
+  //  -- r0                     : number of arguments
+  //  -- r1                     : function
+  //  -- cp                     : context
+  //  -- lr                     : return address
+  //  -- sp[(argc - n - 1) * 4] : arg[n] (zero based)
+  //  -- sp[argc * 4]           : receiver
  // -----------------------------------
  Condition const cc_done = (kind == MathMaxMinKind::kMin) ? mi : gt;
  Condition const cc_swap = (kind == MathMaxMinKind::kMin) ? gt : mi;
@@ -142,18 +142,16 @@ void Builtins::Generate_MathMaxMin(MacroAssembler* masm, MathMaxMinKind kind) {
  __ LoadRoot(r5, root_index);
  __ vldr(d1, FieldMemOperand(r5, HeapNumber::kValueOffset));

-  // Remember how many slots to drop (including the receiver).
-  __ add(r4, r0, Operand(1));
-
  Label done_loop, loop;
+  __ mov(r4, r0);
  __ bind(&loop);
  {
    // Check if all parameters done.
-    __ sub(r0, r0, Operand(1), SetCC);
+    __ sub(r4, r4, Operand(1), SetCC);
    __ b(lt, &done_loop);

    // Load the next parameter tagged value into r2.
-    __ ldr(r2, MemOperand(sp, r0, LSL, kPointerSizeLog2));
+    __ ldr(r2, MemOperand(sp, r4, LSL, kPointerSizeLog2));

    // Load the double value of the parameter into d2, maybe converting the
    // parameter to a number first using the ToNumber builtin if necessary.
@@ -222,8 +220,10 @@ void Builtins::Generate_MathMaxMin(MacroAssembler* masm, MathMaxMinKind kind) {
  }

  __ bind(&done_loop);
+  // Drop all slots, including the receiver.
+  __ add(r0, r0, Operand(1));
+  __ Drop(r0);
  __ mov(r0, r5);
-  __ Drop(r4);
  __ Ret();
 }


--- a/src/arm64/builtins-arm64.cc
+++ b/src/arm64/builtins-arm64.cc
@@ -124,12 +124,12 @@ void Builtins::Generate_ArrayCode(MacroAssembler* masm) {
 // static
 void Builtins::Generate_MathMaxMin(MacroAssembler* masm, MathMaxMinKind kind) {
  // ----------- S t a t e -------------
-  //  -- x0                 : number of arguments
-  //  -- x1                 : function
-  //  -- cp                 : context
-  //  -- lr                 : return address
-  //  -- sp[(argc - n) * 8] : arg[n] (zero-based)
-  //  -- sp[(argc + 1) * 8] : receiver
+  //  -- x0                     : number of arguments
+  //  -- x1                     : function
+  //  -- cp                     : context
+  //  -- lr                     : return address
+  //  -- sp[(argc - n - 1) * 8] : arg[n] (zero-based)
+  //  -- sp[argc * 8]           : receiver
  // -----------------------------------
  ASM_LOCATION("Builtins::Generate_MathMaxMin");

@@ -142,18 +142,16 @@ void Builtins::Generate_MathMaxMin(MacroAssembler* masm, MathMaxMinKind kind) {
  __ LoadRoot(x5, root_index);
  __ Ldr(d5, FieldMemOperand(x5, HeapNumber::kValueOffset));

-  // Remember how many slots to drop (including the receiver).
-  __ Add(x4, x0, 1);
-
  Label done_loop, loop;
+  __ mov(x4, x0);
  __ Bind(&loop);
  {
    // Check if all parameters done.
-    __ Subs(x0, x0, 1);
+    __ Subs(x4, x4, 1);
    __ B(lt, &done_loop);

    // Load the next parameter tagged value into x2.
-    __ Peek(x2, Operand(x0, LSL, kPointerSizeLog2));
+    __ Peek(x2, Operand(x4, LSL, kPointerSizeLog2));

    // Load the double value of the parameter into d2, maybe converting the
    // parameter to a number first using the ToNumber builtin if necessary.
@@ -212,7 +210,9 @@ void Builtins::Generate_MathMaxMin(MacroAssembler* masm, MathMaxMinKind kind) {
  }

  __ Bind(&done_loop);
-  __ Drop(x4);
+  // Drop all slots, including the receiver.
+  __ Add(x0, x0, 1);
+  __ Drop(x0);
  __ Mov(x0, x5);
  __ Ret();
 }