Fixed bug in pixel array inline cache on x64. The value was not

zero-extended as it should be. Therefore, the index into the pixel array could influence the value on reads. BUG=http://code.google.com/p/chromium/issues/detail?id=26337 Review URL: http://codereview.chromium.org/399067 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3328 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Fixed bug in pixel array inline cache on x64. The value was not
zero-extended as it should be. Therefore, the index into the pixel array could influence the value on reads. BUG=http://code.google.com/p/chromium/issues/detail?id=26337 Review URL: http://codereview.chromium.org/399067 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3328 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
ce20b5b4 · ager@chromium.org · 701c00f8 · ce20b5b4 · ce20b5b4
Commit ce20b5b4 authored Nov 18, 2009 by ager@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 5 deletions

ic-x64.cc src/x64/ic-x64.cc +1 -1

test-api.cc test/cctest/test-api.cc +13 -4

No files found.
--- a/src/x64/ic-x64.cc
+++ b/src/x64/ic-x64.cc
@@ -313,7 +313,7 @@ void KeyedLoadIC::GenerateGeneric(MacroAssembler* masm) {
  __ cmpl(rax, FieldOperand(rcx, PixelArray::kLengthOffset));
  __ j(above_equal, &slow);
  __ movq(rcx, FieldOperand(rcx, PixelArray::kExternalPointerOffset));
-  __ movb(rax, Operand(rcx, rax, times_1, 0));
+  __ movzxbq(rax, Operand(rcx, rax, times_1, 0));
  __ Integer32ToSmi(rax, rax);
  __ ret(0);


--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -7615,18 +7615,18 @@ THREADED_TEST(Regress16276) {
 THREADED_TEST(PixelArray) {
  v8::HandleScope scope;
  LocalContext context;
-  const int kElementCount = 40;
+  const int kElementCount = 260;
  uint8_t* pixel_data = reinterpret_cast<uint8_t*>(malloc(kElementCount));
  i::Handle<i::PixelArray> pixels = i::Factory::NewPixelArray(kElementCount,
                                                              pixel_data);
  i::Heap::CollectAllGarbage(false);  // Force GC to trigger verification.
  for (int i = 0; i < kElementCount; i++) {
-    pixels->set(i, i);
+    pixels->set(i, i % 256);
  }
  i::Heap::CollectAllGarbage(false);  // Force GC to trigger verification.
  for (int i = 0; i < kElementCount; i++) {
-    CHECK_EQ(i, pixels->get(i));
-    CHECK_EQ(i, pixel_data[i]);
+    CHECK_EQ(i % 256, pixels->get(i));
+    CHECK_EQ(i % 256, pixel_data[i]);
  }

  v8::Handle<v8::Object> obj = v8::Object::New();
@@ -7790,6 +7790,15 @@ THREADED_TEST(PixelArray) {
  result = CompileRun("pixels[1] = 23;");
  CHECK_EQ(23, result->Int32Value());

+  // Test for index greater than 255.  Regression test for:
+  // http://code.google.com/p/chromium/issues/detail?id=26337.
+  result = CompileRun("pixels[256] = 255;");
+  CHECK_EQ(255, result->Int32Value());
+  result = CompileRun("var i = 0;"
+                      "for (var j = 0; j < 8; j++) { i = pixels[256]; }"
+                      "i");
+  CHECK_EQ(255, result->Int32Value());
+
  free(pixel_data);
 }