[x64] Rearrange code for OOB integer loads.

We cannot just clear the result register optimistically, because the register allocator might assign the same register to result and buffer. TEST=mjsunit/compiler/regress-445858 BUG=chromium:445858 LOG=y R=jarin@chromium.org Review URL: https://codereview.chromium.org/828303002 Cr-Commit-Position: refs/heads/master@{#25950}

[x64] Rearrange code for OOB integer loads.
We cannot just clear the result register optimistically, because the register allocator might assign the same register to result and buffer. TEST=mjsunit/compiler/regress-445858 BUG=chromium:445858 LOG=y R=jarin@chromium.org Review URL: https://codereview.chromium.org/828303002 Cr-Commit-Position: refs/heads/master@{#25950}
cf866b7c · bmeurer · Commit bot · a64ac457 · cf866b7c · cf866b7c
Commit cf866b7c authored Jan 02, 2015 by bmeurer Committed by Commit bot Jan 02, 2015
Show whitespace changes
Inline Side-by-side

Showing with 20 additions and 2 deletions

code-generator-x64.cc src/compiler/x64/code-generator-x64.cc +5 -2

regress-445858.js test/mjsunit/compiler/regress-445858.js +15 -0

No files found.
--- a/src/compiler/x64/code-generator-x64.cc
+++ b/src/compiler/x64/code-generator-x64.cc
@@ -354,12 +354,15 @@ class OutOfLineTruncateDoubleToI FINAL : public OutOfLineCode {
              length_(length) {}                                               \
                                                                               \
        void Generate() FINAL {                                                \
+          Label oob;                                                           \
          __ leal(kScratchRegister, Operand(index1_, index2_));                \
-          __ xorl(result_, result_);                                           \
          __ cmpl(kScratchRegister, Immediate(length_));                       \
-          __ j(above_equal, exit());                                           \
+          __ j(above_equal, &oob, Label::kNear);                               \
          __ asm_instr(result_,                                                \
                       Operand(buffer_, kScratchRegister, times_1, 0));        \
+          __ jmp(exit());                                                      \
+          __ bind(&oob);                                                       \
+          __ xorl(result_, result_);                                           \
        }                                                                      \
                                                                               \
       private:                                                                \

--- a/test/mjsunit/compiler/regress-445858.js
+++ b/test/mjsunit/compiler/regress-445858.js
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+var foo = (function module(stdlib, foreign, heap) {
+  "use asm";
+  var MEM = new stdlib.Int8Array(heap);
+  function foo(i) {
+    i = i|0;
+    i[0] = i;
+    return MEM[i + 1 >> 0]|0;
+  }
+  return { foo: foo };
+})(this, {}, new ArrayBuffer(64 * 1024)).foo;
+foo(-1);