Fix two issues in FuzzAssembleSwap test

The first: we allocated within the argument list of a function call on a handlified receiver. The allocation may trigger GC which leaves us with a stale receiver reference. The second: in generated code we triggered further allocations while an uninitialized fixed array was live. Bug: v8:8145 Change-Id: If59cab6274277534b2ff6463daa5863b8feae22c Reviewed-on: https://chromium-review.googlesource.com/1213162Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#55717}

Fix two issues in FuzzAssembleSwap test
The first: we allocated within the argument list of a function call on a handlified receiver. The allocation may trigger GC which leaves us with a stale receiver reference. The second: in generated code we triggered further allocations while an uninitialized fixed array was live. Bug: v8:8145 Change-Id: If59cab6274277534b2ff6463daa5863b8feae22c Reviewed-on: https://chromium-review.googlesource.com/1213162Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#55717}
ce589362 · jgruber · Commit Bot · 206d37b9 · ce589362
Commit ce589362 authored Sep 07, 2018 by jgruber Committed by Commit Bot Sep 07, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 13 deletions

test-code-generator.cc test/cctest/compiler/test-code-generator.cc +16 -13

No files found.
--- a/test/cctest/compiler/test-code-generator.cc
+++ b/test/cctest/compiler/test-code-generator.cc
@@ -50,7 +50,7 @@ Handle<Code> BuildTeardownFunction(Isolate* isolate,
 // arguments:
 // ~~~
 // FixedArray setup(CodeObject* test, FixedArray state_in) {
-//   FixedArray state_out = AllocateFixedArray(state_in.length());
+//   FixedArray state_out = AllocateZeroedFixedArray(state_in.length());
 //   // `test` will tail-call to its first parameter which will be `teardown`.
 //   return test(teardown, state_out, state_in[0], state_in[1],
 //               state_in[2], ...);
@@ -83,8 +83,8 @@ Handle<Code> BuildSetupFunction(Isolate* isolate,
  // First allocate the FixedArray which will hold the final results. Here we
  // should take care of all allocations, meaning we allocate HeapNumbers and
  // FixedArrays representing Simd128 values.
-  TNode<FixedArray> state_out = __ Cast(__ AllocateFixedArray(
-      PACKED_ELEMENTS, __ IntPtrConstant(parameters.size())));
+  TNode<FixedArray> state_out =
+      __ AllocateZeroedFixedArray(__ IntPtrConstant(parameters.size()));
  for (int i = 0; i < static_cast<int>(parameters.size()); i++) {
    switch (parameters[i].representation()) {
      case MachineRepresentation::kTagged:
@@ -94,8 +94,8 @@ Handle<Code> BuildSetupFunction(Isolate* isolate,
        __ StoreFixedArrayElement(state_out, i, __ AllocateHeapNumber());
        break;
      case MachineRepresentation::kSimd128: {
-        TNode<FixedArray> vector = __ Cast(
-            __ AllocateFixedArray(PACKED_SMI_ELEMENTS, __ IntPtrConstant(4)));
+        TNode<FixedArray> vector =
+            __ AllocateZeroedFixedArray(__ IntPtrConstant(4));
        for (int lane = 0; lane < 4; lane++) {
          __ StoreFixedArrayElement(vector, lane, __ SmiConstant(0));
        }
@@ -639,18 +639,21 @@ class TestEnvironment : public HandleAndZoneScope {
        case MachineRepresentation::kTagged:
          state->set(i, Smi::FromInt(rng_->NextInt(Smi::kMaxValue)));
          break;
-        case MachineRepresentation::kFloat32:
+        case MachineRepresentation::kFloat32: {
          // HeapNumbers are Float64 values. However, we will convert it to a
          // Float32 and back inside `setup` and `teardown`. Make sure the value
          // we pick fits in a Float32.
-          state->set(
-              i, *main_isolate()->factory()->NewHeapNumber(
-                     static_cast<double>(DoubleToFloat32(rng_->NextDouble()))));
+          Handle<HeapNumber> num = main_isolate()->factory()->NewHeapNumber(
+              static_cast<double>(DoubleToFloat32(rng_->NextDouble())));
+          state->set(i, *num);
          break;
-        case MachineRepresentation::kFloat64:
-          state->set(
-              i, *main_isolate()->factory()->NewHeapNumber(rng_->NextDouble()));
+        }
+        case MachineRepresentation::kFloat64: {
+          Handle<HeapNumber> num =
+              main_isolate()->factory()->NewHeapNumber(rng_->NextDouble());
+          state->set(i, *num);
          break;
+        }
        case MachineRepresentation::kSimd128: {
          Handle<FixedArray> vector =
              main_isolate()->factory()->NewFixedArray(4);
@@ -968,7 +971,7 @@ class CodeGeneratorTester {
        linkage_(environment->test_descriptor()),
        frame_(environment->test_descriptor()->CalculateFixedFrameSize()) {
    // Pick half of the stack parameters at random and move them into spill
-    // slots, seperated by `extra_stack_space` bytes.
+    // slots, separated by `extra_stack_space` bytes.
    // When testing a move with stack slots using CheckAssembleMove or
    // CheckAssembleSwap, we'll transparently make use of local spill slots
    // instead of stack parameters for those that were picked. This allows us to